Phishing Against Protected View

enigma0x3

Microsoft Office has a security feature called Protected View. This feature opens an Office document that originates from the internet in a restricted manner. The idea is that it will prevent automatic exploitation of things such as OLE, Flash and ActiveX by restricting the Office components that are allowed to execute. In 2016, Microsoft patched a bug in Protected View around Excel Add-in files via CVE-2016-4117. @HaifeiLi has done some great research in this area, which you can read about here. MWR Labs also has a great white paper on understanding the Protected View sandbox, which you can read about here. In this post, I will highlight some techniques you can employ to circumvent Protected View while still having access to the techniques us red teamers have grown to know and love.

In my experience, end users are less likely to exit Protected View than they are to…


Penetration testing and webapp cheat sheets

I do not think I have collected them all yet, but here's what I have so far. Please suggest more.

Mobile application pentesting: https://www.peerlyst.com/posts/mobile-application-penetration-testing-cheat-sheet
Pentesting: https://github.com/jshaw87/Cheatsheets/blob/master/Cheatsheet_PenTesting.txt
XSS vectors and cookie stealing: https://sql--injection.blogspot.lu/p/blog-page_80.html
Penetration testing tools: https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#port-scanning
Penetration testing & exploit development: https://imgur.com/Mr9pvq9
Printer security testing: http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet
Nmap (printable, 2013): https://pen-testing.sans.org/blog/2013/10/08/nmap-cheat-sheet-1-0/
Nmap (not printable, date unknown): …

A cheat-sheet for password crackers

In this article I am going to share some bash scripting commands and regular expressions which I find useful in password cracking. Most of the time, we find hashes to crack via shared-paste websites (the most popular of them being Pastebin). Isolating the hashes by hand can be a time-consuming process; for that…

Manual pentesting cheatsheet (Windows)

StormSecurity

This is a list of commands that can be useful when you have a shell on a Windows box and you want to do local discovery, escalate privileges and pivot (without using tools such as Metasploit):

View your current user:
    whoami
View information about the current user:
    net user myuser (for a local user)
    net user myuser /domain (for a domain user)
View the local groups:
    net localgroup
View the local administrators:
    net localgroup Administrators
Add a new user:
    net user myuser mypass /add
Add a user to the local Administrators group:
    net localgroup Administrators myuser /add
View the domain name of the current machine:
    net config workstation
    net config server
View the name of the domain controller:
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DCName
View the list of domain admins:
    net group "Domain Admins" /domain
View the list of started services (search for antivirus):
    net start
    sc query
Stop a…


COMPROMISING A WORDPRESS SITE AND PIVOTING TO THE INTERNAL NETWORK

A few months ago I ran into WordPress on a penetration test. It was a generic web application security assessment, but in this case, I was able to compromise the server and, most noteworthy, to pivot through the internal network. I thought I’d take the compromise walk-through and turn…

Using APT tactics and techniques in your pentests

APT tactics

I have a student that has been asking me about internal network penetration testing. As a result, I figured I’d write a blog post about APT tactics. I was trying to explain to him that there is so much more to it than just…

UAC Bypass – SDCLT

Penetration Testing Lab

SDCLT is a Microsoft binary that is used in Windows systems (Windows 7 and above) to allow the user to perform backup and restore operations. However, it is one of the Microsoft binaries that has been configured to have the autoElevate setting set to “true”. This can be verified by using the Sigcheck tool from Sysinternals and exploring its manifest file:

[Figure: sdclt – autoelevate is set to true]

Matt Nelson discovered two methods that can allow a user to bypass UAC through this binary in Windows 10 environments. Both methods require constructing a specific registry structure; however, they differ from each other, since one method can take command parameters while the other takes the full path of a binary that will be executed.

App Paths

The backup and restore operation is part of the control panel. This means that when the sdclt.exe process starts the control panel is starting as well…


QR Code Attack Vector :: Spoofing, Poisoning and Phishing applications with QR Codes

A QR code is a structured code in an image that can be read by specific readers, which reveal its content or perform redirect functions for pages and so on. This tool, which was created especially for parts catalogs and inventory management, is now used in various posters, business cards, banners, manuals, flyers, etc., and…

Creating E-mail Bomber in 15 Minutes with Python

In this article I will demonstrate the operation of a spammer technique, used for the continuous sending of e-mail messages to third parties in order to fill inboxes, get specific providers blacklisted, and even be used by trolls to fool friends, celebrities, companies and co-workers, and I will code a simple example of a tool…