Creeping on Users with WMI Events: Introducing PowerLurk

Introduction and Intent: Since watching FireEye FLARE's 'WhyMI So Sexy?' talk at Derbycon last September, I have wanted to understand WMI events better and apply them to offensive security operations. I saw the potential, but my comprehension was lacking and no comprehensive offensive WMI toolset existed. I was recently taken to school on WMI…

Getting Started: Powershell Empire

I decided to take some screenshots of PowerShell Empire today while performing payload analysis. Below is a quick-and-dirty walkthrough to get you going with PowerShell Empire. Keep in mind that I have only looked at the slideshow at this point. I really like the idea of using these instead of Meterpreter due to…

Metasploit ActiveRecord Error

Today, during a pentest, I encountered the following error when running Metasploit's psexec module with local account credentials: "Exploit failed: ActiveRecord::RecordInvalid Validation failed: Value can't be blank". I was a little thrown off by this, as I had never seen it before. It is a Ruby (ActiveRecord) validation error referring to an empty smbdomain field. Although the field is…

Powerview Caught By Symantec Endpoint Protection

It has finally happened: Will Schroeder's (harmj0y) PowerView PowerShell script was caught by Symantec Endpoint Protection (SEP) during a pentest this week. The detection is SID 29038 in Symantec's attack signature database. Scenario: During testing I used the following one-liner to download and import the powerview.ps1 script and then execute Invoke-FindLocalAdminAccess from a general user's desktop: powershell…

Manually Brute Forcing Against Form Tokens.

Last week I ran into a situation where I needed to manually brute force a web app login form that required a form token with each authentication request. Our client wanted to see how far we could get in a black-box scenario. The unauthenticated portion of the web app was nothing more than a typical login page, complete with…

Change SSH port

I am changing the SSH port on my Kali box so that it accepts sessions on port 443. This way I can connect to it from anywhere that outbound port 443 is open. Change the Port directive in sshd_config as described in the source below, then restart the ssh service. Source: http://www.liquidweb.com/kb/changing-the-ssh-port/