Introduction to Metasploit

Metasploit is a suite of tools built into a framework which automates and tracks many of the tasks of a penetration test, plus it integrates nicely with other common Penetration Testing tools like Nessus and Nmap. Metasploit was acquired by Rapid-7 in 2009 and there are now commercial variants however the free framework does provide everything you need for a successful Penetration Test from a command-line interface. If you’re curious of the differences Rapid-7 has a page where you can compare the free version against the commercial version here. Metasploit includes port scanners, exploit code, post-exploitation modules – all sorts!#

Read More

PrivEsc: Insecure Service Permissions

/I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s  pretty simple issue really, generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to, instead the default configuration allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!

Read More

PrivEsc: Group Policy Preference Passwords

Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials). GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSLVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy. This essentially means that a share exists …

Read More

Bypass RPC Portmapper Filtering

Portmapper is a registry of Remote Procedure Call services including RPC Services number, version number, TCP/UDP port and protocol. It generally runs on port 111 TCP/UDP. When a client wishes to connect to a service they first connect to the Portmapper, an administrator may filter this port beliving that it will prevent an attacker connecting to services offered, however this is not the case as an attacker may replicate the portmapper locally and proxy requests to the target machine.

Read More

Enumerating Unix Remote Procedure Call (RPC) Services

Several interesting unix daemons, such as Network Information Service+, Network File System, and Common Desktop Environment, run as RPC services on dynamically assigned high ports. Theportmapper service (aka rpcbind) runs on port TCP/UDP 111 or 32771 and can be queried using rpcinfo to discover the available services and their port number. The nmap documentation states that if portmapper is filtered, services can be identified directly using an nmap scan of high port ranges (TCP/UDP 32771-34000). RPC Grinding scan is done as part of an aggressive scan (-A) or can be called explicitly with -sR. Attempting to connect to an RPC service when portmapper is …

Read More

PrivEsc: Stealing Windows Access Tokens – Incognito

If an attacker is able to get SYSTEM level access to a workstation, for example by compromising a local administrator account, and a Domain Administrator account is logged in to that machine then it may be possible for the attacker to simply read the administrator’s access token in memory and steal it to allow them to impersonate that account. There’s a tool available to do this, it’s called Incognito.

Read More