PrivEsc: Dumping Passwords in Plaintext – Mimikatz

A tool exists for dumping plaintext passwords out of memory on Windows, it requires Local Administrator level privileges but it’s a great tool for privilege escalation from Local Admin to Domain Admin. There are Windows EXEs available but it’s also been rolled into Meterpreter! It can also inject a hash into memory to effectively perform a local pass-the-hash attack! If you want to run it on a remote machine remember to check out this post on running remote commands on Windows machines.

Read More

PrivEsc: Privilege Escalation in Windows Domains

During Penetration Testing engagements one of my favourite issues to exploit is a Domain User with Local Administrator permissions. It’s a pretty common issue to see and when speaking to IT Departments about the issue it seems that the risk is often under-estimated. So a user has been given administrative permission over one workstation – what’s the worst that can happen?

Read More

CSRF: What Is Cross-Site Request Forgery?

Often abbreviated to CSRF and often pronounced as “Sea-Surf” is an attack against a Web Application that abuses an application’s trust in the user. An attacker’s aim is to cause a function to execute on the application using the user’s authentication credentials simply by causing the user’s browser to request that function in the normal way, but from a malicious site.

Read More

Alternative ways to: Run Windows Commands Remotely

Most Penetration Testers will know and love Metasploit’s PsExec module for running commands on remote Windows machines, if you’re not familiar with it – it allows you to take a compromised Local Administrator account and use it to execute commands on the remote machine (or to upload Meterpreter of course! These methods all require the ability to write to Admin$ on the remote machine, which basically means a Local Administrator account.

Read More

Extracting Password Hashes from a Domain Controller

On a Penetration Test, once you’ve scored Domain Admin (DA) Access, it’s generally a good idea to take a look at the hashes stored in Active Directory (AD). Not least because it’ll point out all of the weak accounts that you missed on your journey to DA but also because password reuse across accounts may get you into other systems, such as Linux servers or the network infrastructure. There are a few methods of dumping hashes and every PenTester I expect knows one of these, but I’ve included a few as it’s always good to have a backup plan.

Read More