I have a cracking box that was currently Running Win7 pro that I used with hashcat. I wanted to switch to Kali so it’s easier to manage wordlists etc.. and wanted to use a web frontend to manage the cracking. Trying out the new rolling 2017.1 I ran into an issue with usb keyboard/mouse not working when using the Kali graphical installer, on a Gigabyte GA-970A-D3P (rev. 2.x) motherboard with an AMD FX-8320, so I found if I enable iommu in the BIOS settings they work again , but then I had another issue with AMD-VI and other issues during install.
I got to the part where its looking for the CD drive (even though im installing from USB) I saw fixes online where it says to get to shell prompt and type something like:
mount -t vfat /dev/dsb1 /cdrom
or it said to remove the USB and reinsert and try to look for CD but neither worked for me.
Similar to this issue here, http://forums.debian.net/viewtopic.php?f=10&t=120746 , but since Kali wasn’t installed yet I couldn’t obviously edit GRUB. I found out the right fix, apparently this has been an issue for a few years on a different distros, not just Debian.
1. IOMMU should be enabled in the BIOS.
2. Boot from USB on splash screen go down to graphical installer & press tab (or if in UEFI mode press ‘e’) and append
iommu=soft to the boot option. The install process should give you no issues now and the keyboard and mouse should work.
3. When you reboot the machine after kali installation completes and reboot , Pressing ‘E’ on the menu item will enter edit mode, where
iommu=soft should be added to the end of the line which begins with linux. After this the kali should boot.
4. When finally booted into Kali Open a terminal, and make the change permanent by editing GRUB’s configuration file. Run vi /etc/default/grub and add this to the bottom:
save the file then
update-grub and hit enter
You should now be able reboot with no issues.
Saw something on twitter today about using the old standby program, iexpress.exe, which is still available in Win10, you can package your powershell scripts inside an executable. You can use it to run malicious powershell scripts etc…
SO I was thinking of some fun things to do with it, getting reverse shells, dumping passwords with mimikatz, compiling .cs files etc to evade AV and whitelisting. It’s fairly simple to do ,here’s an example of a powershell reverse shell: Continue reading
I was playing around with box in my lab earlier testing out ms16-032, which is a privilege escalation exploit that got patched earlier this year that affected windows versions vista,2k8,7,8.1,2k12, and 10. It was a bug in the Secondary Logon service that allows you to leak a handle opened in a privileged process into a lower privileged process. @FuzzySec made a powershell script to exploit this that works really well, but I wanted to make it into as easy 1-liner to paste into a cmd prompt. Continue reading
Bidirectional Unicode spoofing is not a new concept, malware has been using the technique for the last decade, but I was toying around with unicode earlier today for a phishing engagement, by default Win7 doesn’t allow you to create filenames with unicode chars unless you:
a. Open RegEdit
b. Navigate to HKey_Current_User/Control Panel/Input Method
c. Set REG_SZ “EnableHexNumpad” to be “1” (If there is no EnableHexNumpad, then add it and set its value to 1).
d. Reboot your system.
I didnt want to do this so I created a .vbs script that creates a .lnk file that spoofs the file extension with Unicode chars. This allows you to reverse the “.lnk” file extension, append “.txt” to the end and change the icon to notepad.exe’s icon to make it appear as a text file. When executed, the Target payload is a powershell webdl and execute. Continue reading
On a recent pen-test engagement we had come across a Tomcat server with default creds. Trying to old tried and true methods with Metasploit did not work to get a shell on the box , which was running proprietary IBM_AIX. The exploit would be successful but no connect-back. Because of the limited time instead of trying to test for egress (and later finding out theres no payloads for metasploit), we tried another method of uploading a JSP .war file to the box that once deployed, enabled us to browse and run commands. Continue reading
IF you’re quick enough you can catch a sneak preview of Mr. Robot here: https://twitter.com/whoismrrobot/status/752298872823697408
Along with the cool screenshots of them using Social Engineer Toolkit, during the episode Elliot was drawing a QR Code seen here: Continue reading
I’m posting this now because the hosting company has seem to finally fix the issues, I tried emailing and tweeting to them but got no response from any of the parties.
A few weeks ago there was some buzz on Rage Against the Machine’s site: Rage Against the Machine, Public Enemy & Cypress Hill member were forming a supergroup called Prophets of Rage. On the day of announcement they posted a mysterious webpage with just a countdown clock, http://prophetsofrage.com . Continue reading
Recently I was trying RDP from a Windows10 laptop through SSH on a Debian web-server to an internal Windows7 box that was on a different VLAN. I had only a Windows10 laptop with Putty to do it. So Basically Win10laptop>debianwebserver>win7through a secure ssh session and get to the internal Win7 without port forwarding on the router.
I had access to SSH account on the Debian web-server, so I was able to use this as a pivot point to get into the internal network. Luckily even though the Debian web-server and Win7 box were on different VLANs, the VLANs were able to talk to each other. The Debian web-server was on 10.0.10.21 , it could still ping Win7 on 192.168.0.146.
Just in case your head is spinning trying to read this, below is a diagram how I achieved this using Putty. Im posting it here so next time I need to do this I dont need to try to figure it out again.
ImageMagick reported today (CVE-2016–3714) allows image uploads to trick the ImageMagick software into running commands instead, leading to a remote code execution(RCE)bug. More info ::HERE::
A new heap memory corruption (Out-of-Bounds Read) that affects Microsoft Office Excel 2007,2010,2013 and 2016. This vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office Excel file (.xlsm).
Advisory & POC