In case you missed it, I found a zero-day vulnerability in Altiris which allows a low-level user to elevate privileges to SYSTEM on any host governed by Altiris. For more information on the vulnerability, check out the Nettitude Labs post below. https://labs.nettitude.com/blog/cve-2018-5240-symantec-management-agent-altiris-privilege-escalation/ Symantec have released some notes on the vulnerability here: https://support.symantec.com/en_US/article.SYMSA1456.html
Speeding up Proxychains with Nmap / Xargs
So for a while now I’ve wanted a way to better use Nmap with proxychains, and essentially I’ve ended up with a fairly simple one-liner that has worked for me for a while now on basic port scanning. It’s a trivial concept but really does speed up the process with no negative effect from what I…
Clear Text Proxy Auth = Passwords
Quick blog, in response to a conversation I had, where I was informed that this would be a cool thing to share. Recently, I was doing a simulated attack, playing the part of an individual who had gained access to a customer’s facilities. This customer had the usual stuff such as LLMNR spoofing etc. which…
Service-Perms in Powershell
Updated my Service-Perms.exe to PowerShell, grab a copy here: https://github.com/benpturner/h00k/blob/master/powershell/Service-Perms.ps1 Usage direct from the Internet within PowerShell: IEX (new-object system.net.webclient).downloadstring("https://raw.githubusercontent.com/benpturner/h00k/master/powershell/Service-Perms.ps1"); Get-ServicePerms Outputs an HTML
PoshC2 – Powershell C2
A new tool written by @benpturner (me) and @davehardy20! PoshC2 is a proxy-aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework. PowerShell was chosen…
Password Generator – L337’r
Password Generation Tool. For most organisations one of the most prevalent security concerns remains users’ selection of secure passwords. Even when restricted through a reasonable password policy, users seem to continue to select passwords with some relevance to the geography of the area, the name of the business or popular sporting/hobbyist interests specific to the…
CVE2015-2342 and Some other stuff
Recently, well, a while ago, I had some vulnerabilities published. These were published elsewhere and due to extreme laziness I decided not to publish them here. Anyway, thought I would stick links in here to point back to the vulns. CVE2015-2342: 7 Elements Advisory, 7 Elements WriteUp, VMWare Advisory. 2 Others That we released…
Brute-forcing Microsoft Lync via NTLM
Ok, so there is good reason why Lync should not be accessible over the Internet, similarly to any single-factor system. BRUTE-FORCE will usually prevail!!!! I installed Burp’s certificate on my Windows host and attempted to login from Lync (from this I saw an HTTP NTLM login request to https://lyncwebact.customer.com/WebTicket/WebTicketService.svc). NTLM, like many other services, is…
Parsing Nessus to find Java Remote Class Loading
On every internal pentest I perform I always find myself searching through lots of Nessus findings to actually get the output I want, so I wrote a script. This script is piggybacked off a cool Python class called dotnessus_v2 parser (http://code.google.com/p/pynessus/). Basically my script takes a Nessus file as the input and parses the RMI…
Malicious UNC Paths (SMB) / Bad Egress / No-Split VPN
When attempting social engineering or red teaming engagements I often choose to embed various HTTP/UNC paths inside an attachment, e.g. Word/Excel/PDF. The best thing about embedding this malicious URL is that it does not warn the user of any external content loading. You can also do this directly inside an email, but the user will…