-
Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump
Part 1 is simple. Dump the lsass.exe process and use mimikatz to get the credentials in clear text and as hashes. You need admin or SYSTEM rights for this. But as a short reminder, first let’s have a look at the “normal” way of dumping credentials from the lsass.exe process with mimikatz: mimikatz # privilege::debug…
-
Memdumps, Volatility, Mimikatz, VMs – Overview
Over the last weeks I experimented with how to get user credentials from memory dumps, and hopefully I will have the time to continue this little “research” (I know, it is not really research when you just write up stuff). There are many different ways to dump credentials as hashes or in cleartext from various…
-
Very first steps with IDA
Recently I started using IDA. For me it has a steep learning curve, and some people I talked to agreed. So here are a few links for the first steps if you want to get into IDA. I assume you already know assembly and know what reversing is. Of course there are many more on…
-
Some Great Links for Malware Research
Last week I attended this year’s Brucon, where I had the chance to participate in the Malware Triage workshop by https://twitter.com/herrcore and https://twitter.com/seanmw. The workshop is awesome (look here to get the idea: http://herrcore.blogspot.de/2014/09/crowdsourced-malware-triage.html) and if you have the chance to take it, go for it! The links here are from their slides and I…
-
Slides OWASP Meeting Cologne
Yesterday I gave a talk at the OWASP meeting in Cologne; here are the slides: owasp-meeting-cologne-30-09-2015 Unfortunately Evernote Presentation Mode does not support PDF export on Windows, so there are no working links in the PDF. Here is the link list: https://govolution.wordpress.com https://twitter.com/DanielX4v3r http://resources.infosecinstitute.com/shellcode-detection-emulation-libemu/ https://www.winitor.com/ https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/ http://codewhitesec.blogspot.de/2015/07/symantec-endpoint-protection.html http://googleprojectzero.blogspot.de/2015/09/kaspersky-mo-unpackers-mo-problems.html https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140508-0_AVG_Remote_Administration_Multiple_critical_vulnerabilities_v10.txt http://googleprojectzero.blogspot.de/2015/06/analysis-and-exploitation-of-eset.html http://www.heise.de/newsticker/meldung/Angreifer-koennen-Viren-Scanner-von-BullGuard-und-Panda-lahmlegen-2639307.html 2014-en-breakingavsoftware-joxeankoret.pdf https://funoverip.net/2013/12/turning-your-antivirus-into-my-botnet-owasp-benelux-2013-slides/ …
-
An Analysis of Shikata-Ga-Nai
Trivia: Shikata ga nai is Japanese and means something like “nothing can be done about it”. https://en.wikipedia.org/wiki/Shikata_ga_nai Learning is always fun and I was playing around with making ClamAV signatures. I wondered if it is possible to write a signature that matches the famous Shikata-Ga-Nai shellcode encoder shipping with metasploit. After all I succeeded to…
-
A basic keylogger for Windows
For testing security software and hardware I wrote a very simple keylogger (which is very noisy). Together with the winexec shellcode I wrote earlier it is possible to download and start the keylogger, which simulates a very simple piece of malware. My idea is to have some tools (when I will have more time to program…
-
Raspberry Pi & ARM Shellcoding
Lately I was playing with my Raspberry Pi B running Raspbian GNU/Linux 7, and this is a short walkthrough with a hello world example. For a more in-depth introduction to ARM shellcoding look here: http://shell-storm.org/blog/Shellcode-On-ARM-Architecture/ Adapted from that article, here is the example: .section .text .global _start _start: .code 32 add r6, pc,…
-
Shifting from 32bit to 64bit Linux Shellcode
Here is a short write-up about my first steps in Linux (Kali in my case) 64-bit shellcoding. Mostly as a reminder for myself, but maybe it helps some folks save a little time. Hello World First I searched for two examples of a hello world shellcode to compare them. I adjusted the examples: Get…
-
Dumping shellcode 64bit style
Problem: I had a shellcode that I compiled and used in a .c program. The compiled .c program crashed, but the executable built from the assembly file worked. Normally I use this line: # objdump -d hello32|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d…