-
Using TDM gcc with Kali 2
This is an article for use with avet, my antivirus evasion tool, which you can find here: https://github.com/govolution/avet I had some trouble using the mingw cross compiler. It should work fine, so I suggest you try that first. But if you want an alternative, here is how to use TDM gcc for Windows with wine in Kali (2016.2).…
-
Extract text and media content from docx
Here is a small bash script for extracting the text and media content from a docx file. It might be useful if you do not want to open the file with Word. It works with Cygwin and should work with Linux. Github: https://github.com/govolution/stuff/blob/master/xtractdocx.sh Usage is pretty straightforward: $ bash xtractdocx.sh test.docx * extracting media files to ./test.docx1484702626/media…
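The same idea in Python, as an added example that is not the xtractdocx.sh script from the post: a docx is a zip archive, the body text lives in word/document.xml (runs of w:t inside w:p), and images sit under word/media/. The sample document, the namespace handling and the extra checks for a VBA project, OLE objects and unsafe member names are my additions; the docx is constructed in memory so the example runs without a real file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: a zip holding document.xml, one media file
    and a VBA project, so the example runs without a real file on disk."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        "<w:p><w:r><w:t>Invoice 4711</w:t></w:r></w:p>"
        '<w:p><w:r><w:t xml:space="preserve">Please enable </w:t></w:r>'
        "<w:r><w:t>macros.</w:t></w:r></w:p>"
        "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def extract_docx(data: bytes) -> dict:
    """Return the paragraph text, the media members and anything worth a
    second look (VBA project, embedded OLE objects, unsafe member names)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("word/document.xml"))
        paragraphs = []
        for p in root.iter(f"{{{W_NS}}}p"):
            # the text of one paragraph is spread over several w:r/w:t runs
            text = "".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t"))
            if text:
                paragraphs.append(text)
        media = {n: len(z.read(n)) for n in names if n.startswith("word/media/")}
    # a macro project or embedded OLE object is what you open Word for at your peril
    suspicious = [n for n in names if n.endswith("vbaProject.bin") or "oleObject" in n]
    # zip members may carry "../" or absolute paths; never extract those to disk unchecked
    unsafe = [n for n in names if n.startswith("/") or ".." in n.split("/")]
    return {"paragraphs": paragraphs, "media": media,
            "suspicious": suspicious, "unsafe": unsafe}


if __name__ == "__main__":
    result = extract_docx(build_sample_docx())
    for line in result["paragraphs"]:
        print(line)
    print("media:", result["media"])
    print("suspicious:", result["suspicious"], "unsafe:", result["unsafe"])
```

Listing the media members instead of unpacking them keeps the inspection read-only; if you do extract, write only the members that passed the path check.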
-
The first 15 days of a password honeypot
A couple of days ago I started running a password honeypot based on heralding. Here is a first analysis and some wordlists. Time frame of this analysis From: $ head heralding_activity.log -n 2 | cut -d "," -f1 timestamp 2016-10-07 19:33:32.291966 To: $ tail heralding_activity.log -n 1 | cut -d "," -f1 2016-10-22 16:51:06.616767 Password attacks…
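The kind of first analysis the post does with head, tail and cut, as an added example rather than anything from the post itself: it reads the CSV log, computes the time frame over all rows (so a log that is not strictly ordered still gives the right answer), counts attempts per protocol, source, username and password, and emits a frequency-ordered wordlist. The column names of heralding_activity.log are an assumption and the log lines are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample lines in the CSV layout of heralding_activity.log.
# The column names are an assumption; the code only relies on timestamp,
# source_ip, protocol, username and password.
SAMPLE_LOG = """\
timestamp,auth_id,session_id,source_ip,source_port,destination_ip,destination_port,protocol,username,password
2016-10-07 19:33:32.291966,1,s1,198.51.100.7,51234,10.0.0.5,22,ssh,root,123456
2016-10-07 19:33:35.102311,2,s1,198.51.100.7,51234,10.0.0.5,22,ssh,root,password
2016-10-08 02:11:09.000123,3,s2,203.0.113.9,40001,10.0.0.5,23,telnet,admin,admin
2016-10-09 11:45:51.513000,4,s3,198.51.100.7,52000,10.0.0.5,22,ssh,root,123456
2016-10-22 16:51:06.616767,5,s4,192.0.2.33,33001,10.0.0.5,21,ftp,anonymous,anonymous@
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def load_rows(log_text: str) -> list:
    return list(csv.DictReader(io.StringIO(log_text)))


def time_frame(rows: list) -> tuple:
    """First and last timestamp, computed over all rows rather than head/tail,
    so an unsorted or rotated log still gives the right frame."""
    stamps = sorted(datetime.strptime(r["timestamp"], TS_FORMAT) for r in rows)
    return stamps[0].strftime(TS_FORMAT), stamps[-1].strftime(TS_FORMAT)


def summarise(rows: list, top: int = 10) -> dict:
    """Attempt counts per protocol plus the most common sources and credentials."""
    return {
        "attempts": len(rows),
        "by_protocol": dict(Counter(r["protocol"] for r in rows)),
        "top_sources": Counter(r["source_ip"] for r in rows).most_common(top),
        "top_users": Counter(r["username"] for r in rows).most_common(top),
        "top_passwords": Counter(r["password"] for r in rows).most_common(top),
        "top_pairs": Counter((r["username"], r["password"]) for r in rows).most_common(top),
    }


def wordlist(rows: list) -> list:
    """Unique passwords, most frequent first; ties keep first-seen order."""
    return [pw for pw, _ in Counter(r["password"] for r in rows).most_common()]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_LOG)
    print("from/to:", time_frame(rows))
    for key, value in summarise(rows).items():
        print(key, value)
    print("\n".join(wordlist(rows)))
```

Counting username/password pairs separately from single passwords is worth the extra line: the pairs are what you feed back into your own password policy checks, while the bare password list is what goes into a cracking wordlist.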
-
NTDS Cracking with Kali
During a pentest it might be possible to gain access to the DC of a Windows network. The ntds.dit file is interesting because all kinds of information about the AD are stored in it, for example the user hashes. When looking for a howto on cracking NTDS databases I found: https://gist.github.com/ddouhine/018ac4a8c95498101e7f Not everything worked for me, so…
-
Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi
So why might this be relevant anyway? All management consoles should be in your separate management network anyway, right? Well, unfortunately that is not always the case: As you can see, about 85,000 ports of the VMware Authentication Daemon are open to the internet. And you can even brute-force accounts: https://www.rapid7.com/db/modules/auxiliary/scanner/vmware/vmauthd_login Further, during an onsite…
-
Memdumps, Volatility, Mimikatz, VMs – Part 8: ESXi Attacking Scenario – Volatility on ESXi
How cool is that: the volatility standalone build is running on ESXi… (http://www.volatilityfoundation.org/#!releases/component_71401) This scenario only applies if you have SSH access to the ESXi server.
[root@localhost:/tmp] wget http://downloads.volatilityfoundation.org/releases/2.5/volatility_2.5.linux.standalone.zip
Connecting to downloads.volatilityfoundation.org (173.61.222.9:80)
volatility_2.5.linux 100% |*******************************| 32039k 0:00:00 ETA
[root@localhost:/tmp] unzip volatility_2.5.linux.standalone.zip
Archive: volatility_2.5.linux.standalone.zip
creating: volatility_2.5.linux.standalone/
inflating: volatility_2.5.linux.standalone/AUTHORS.txt
inflating: volatility_2.5.linux.standalone/CREDITS.txt
inflating: volatility_2.5.linux.standalone/LEGAL.txt…
-
Memdumps, Volatility, Mimikatz, VMs – Part 7: ESXi Server
– I installed ESXi 6 in VMWare Workstation 12
– for this, download the ESXi image
– choose "typical installation" when creating a new VM in VMWare Workstation
– for learning and testing this is awesome
Screenshot of ESXi running in VMWare Workstation.
– I copied my Windows 7 VM from Workstation to ESXi.
–…
-
Memdumps, Volatility, Mimikatz, VMs – Part 6: VMWare Workstation
The VM is running Windows 7. From the running machine, take a snapshot: Now it is possible to run volatility directly against the .vmem file of the snapshot: C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem" imageinfo Volatility Foundation Volatility Framework 2.5 INFO : volatility.debug : Determining profile based on KDBG…
-
Windows Credentials and Memory Dumps – Part 5: Virtualbox & LM/NTLM Hashes
For this part I'm using the standalone version of volatility for Windows. The goal is dumping LM/NTLM hashes from a Windows memory image. When you have access to a host where virtual machines are running, but you do not have access to the VMs themselves, one possibility is to reboot the VM but starting an…
-
Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz
For this test I installed everything in a WinXP VM. I followed these instructions: http://michlstechblog.info/blog/security-install-mimikatz-offline-plugin-to-volatility-draft/ … with only small changes, because I had a win32 machine. First things first: The plugin seems to be a PoC and supports Windows Vista & 7 with 32 & 64 Bit (maybe it works for Win Server 2008 too?). Here are…