Blog Posts Tagged with "Railgun"

5b4dab10939f37f8bee4017c584353fe

Metasploit Penetration Testing Cookbook

September 13, 2012 Added by:Philip Polstra

Singh provides an introduction to the widely used Metasploit framework in the form of seventy plus recipes for various penetration testing tasks, and goes beyond the basics of Metasploit and covers additional penetration testing tools such as various scanners and evasion tools...

Comments  (0)

D8853ae281be8cfdfa18ab73608e8c3f

Raising Zombies in Windows: Passwords

September 13, 2012 Added by:Rob Fuller

List the tokens available with Incognito, your new user will be there, steal it and you're done. You now have the ability to user that account/domain token on any of the hosts you've compromised on the network, not just the ones they happen to have left themselves logged in...

Comments  (0)

D8853ae281be8cfdfa18ab73608e8c3f

Netstat Post Module for Meterpreter

July 20, 2012 Added by:Rob Fuller

It's real simple, first we've gotta add the GetTcpTable function to Railgun, then gauge the size of the table, then it's all just parsing the result. Also pretty straight forward. First we get the number of entries which is held in the first 4 bytes, then just parse the MIB_TCPTABLE one MIB_TCPROW...

Comments  (0)

D8853ae281be8cfdfa18ab73608e8c3f

Integration of Mimikatz into Metasploit Stage One

July 10, 2012 Added by:Rob Fuller

One of the powers of Metasploit is its ability to stay memory resident through the use of reflective DLL injection, even keeping new functionalities the attack loads from ever touching disk. I want get to that same level with Mimikatz. Here is my first step to that end: A Railgun based Meterpreter script...

Comments  (0)

D8853ae281be8cfdfa18ab73608e8c3f

Developing the LNK Metasploit Post Module with Mona

March 20, 2012 Added by:Rob Fuller

One of Mona’s many and least well known functions is ‘header’, which outputs a ruby version of a file broken into ASCII and binary parts. The problem: I need to recreate a file in a way I can manipulate it in a post module without using the spec or Railgun to assist...

Comments  (0)

D8853ae281be8cfdfa18ab73608e8c3f

User Assisted Compromise (UAC)

February 09, 2012 Added by:Rob Fuller

You have to wait for the user to use UAC (this does not work if someone else does, it's only for the current user HKCU). But, as a side benefit, it's a very real form of sneaky persistence as well, as it will execute our evil binary every single time they use UAC...

Comments  (0)

D8853ae281be8cfdfa18ab73608e8c3f

IP Resolution Using Meterpreter’s Railgun

September 15, 2011 Added by:Rob Fuller

I saw a post back in June titled DNS Port Forwarding Con Meterpreter. It looked like hard work to set that up. I didn’t want to go through that every time I got onto a new network. So I made a simple meterpreter post module to just call a Windows API key called ‘gethostbyaddr’ using Railgun...

Comments  (4)

D8853ae281be8cfdfa18ab73608e8c3f

Railgun Error Checking

August 30, 2011 Added by:Rob Fuller

One important thing to note about Railgun is that you are querying the API, and just as if you were using C++, the API you are calling just might not be there on the system. So here is a quick trick to find out if a the function (API) that you are trying to call is available to you...

Comments  (0)

D8853ae281be8cfdfa18ab73608e8c3f

Remote DLL Injection with Meterpreter

June 09, 2011 Added by:Rob Fuller

What sets that method apart is the fact that the suspension (once the DLL injection occurs) comes from within the process, and it suspends all the child processes as well. Another way you can do this without the injection is just sending a suspend to all the threads in the process...

Comments  (0)