Tag: Metasploit
-
SideStep: Another AV Evasion Tool
A few years ago I was working on a basic penetration test and came across a remote code execution vulnerability. I tried using Metasploit to deliver a payload but it became evident that the host’s antivirus software was removing the executable. See this article as a reference. This was shortly after the initial release of…
Josh Berry
-
Manually Penetrating the Ektron Vulnerability – CVE-2012-5357
My posts are a little bit out of order here in that this was one of the first vulnerabilities that I came across in which the Metasploit modules failed due to a combination of DEP and AV. The result was researching AV bypass techniques that I began discussing here, and then here, and then figuring…
Josh Berry
-
Directory Traversal to Root
I’ve had some success in the past when finding directory traversal vulnerabilities on Linux/Unix hosts and thought I would share a little post on what I’ve found. The vulnerabilities are often found in the unauthenticated portions (convenient) of management applications such as Webmin or ColdFusion and are frequently running with elevated privileges. The first step…
Josh Berry
-
Follow Up on SYSTEM to Domain Admin Post
I learned a few new things and made a few updates to my script after the last post that I thought I would share. First things first, someone commented on the article on another site and mentioned that the Metasploit module auxiliary/scanner/smb/smb_enumusers_domain provides the same functionality over SMB by calling the Windows NetWkstaUserEnum function. Example…
-
SYSTEM to Domain Admin – Technique One
Today I am going to give a quick overview of one of my favorite ways to escalate from SYSTEM level privileges on a single host to domain admin level and more on a Windows network. There are many ways and techniques to accomplish jumping from SYSTEM to domain admin; this just happens to be one…
Josh Berry
-
Manually Penetrating the FCKedit Vulnerability – CVE-2009-2265
I am seeing more and more scenarios where, for whatever reason, the Metasploit modules, and modules from commercial solutions I use, aren’t successful against a known vulnerable host. This is often due to DEP or antivirus protections that I discussed here and again here. There can also be other security mechanisms at play from time…
Josh Berry
-
Follow Up on DEP and AV Bypass
This is a continuation of research based on my adventures on a penetration testing engagement described here. There were a few key features that I really wanted to add to enhance my DEP/AV bypass tool: bypass a majority of AV systems; remove the dependency on the msvcr100d.dll file; combine the Metasploit payload in the shellcodeexec…
-
Adventures in Penetration Testing: Let’s Go Phishing – Update
Please see the original article for more information about this phishing script. This is just a minor update to some functionality that I added over the weekend. I haven’t hooked BeEF in yet, but I have added Metasploit, which can be nice. The updated version, which can be found here, can be tied into Metasploit’s…
-
Adventures in Penetration Testing: When DEP and AV Muck it Up
A while back I was performing a network penetration test and came across a remote code execution vulnerability in one of the web applications hosted at the site. It got me excited because I just knew it was going to result in some level of access to the host. It looked like a pretty simple…