Stay up to date on the latest tech trends, IT news, and cybersecurity threats with our educational blog.

shellntel

VPN over DNS

Overview For some time now, we've been using DNSCat as a means to covertly transmit data during engagements where clients IDS's or Firewalls might otherwise block us.  The DNS protocol is often overlooked by system's administrators and as a result this tool has been immensely useful. And while there are a other DNS tunneling solutions […]

Learn More
Websocket based egress buster

Problem It is common during a penetration test that a tester may run into the problem of figuring out which ports and maybe even which protocols are allowed out of an environment.  This is due to the need for a payload to successfully establish command and control.  With the adoption of layer 7 inspection for […]

Learn More
Abusing Exchange Web Service - Part 1

Outlook Web Access (OWA) has been one of the consistently viable attack vectors for pentesters and bad guys alike for many years. Frequently, an attacker will obtain valid credentials by brute forcing OWA portals exposed to the internet. Once credentials are obtained an attacker can then access the target network via any other single factor […]

Learn More
Assisted directory brute forcing

Very frequently during a web application assessment a pentester may begin by fingerprinting what web frameworks and libraries are used by a given application.  Possibly by running a tool such as blindelephant or whatweb.  Commonly though the tester may just notice a unique identifier in the web traffic or URL.  Consider the following: So simply […]

Learn More
crEAP - Harvesting Users on Enterprise Wireless Networks

With the demands of a mobile workforce, wireless networks in enterprise environments are quite common.  Typically, enterprise wireless networks employ WPA-Enterprise security features, which removes the need for preshared keys (WPA2-PSK) that float around between employees creating security concerns of sharing or unauthorized access upon termination, etc. These WPA-Enterprise (802.1x) wireless networks often make use of […]

Learn More
[UPDATE] Creating your own private botnet for scanning.

This is an update to an older post that can be found here.  Since createProxy's initial release, we've received some great feedback and, as a result, we made some improvements.   There were several shortcomings with the previous version, all of which rested on the use of ProxyChains.  ProxyChains is old, outdated, and failed to […]

Learn More
PowerShell Memory Scraping for Credit Cards

During the post exploitation phase of a penetration test, I like to provide the client with examples of what could happen if a breach were to take place.  One of the most common examples of this is credit card theft. To demonstrate this threat, I created a PowerShell memory scraper against whatever application (many times […]

Learn More
Intro To Active Directory Delegation

One of the most frequent questions I get from my CircleCityCon/DerbyCon Active Directory talk goes something like "You recommend that we delegate permissions in AD (as opposed to just dropping everything in Domain Admins), but I just inherited this domain and have no idea what delegation is. Help?" Well good news: 1) Delegation in AD isn't […]

Learn More
Using PowerShell & Unicorn to Get Persistence

Recently I was on an engagement where I received a meterpreter shell only to have it die within minutes before I could establish persistence. Talk about frustration! I've never had the best of luck with Metasploit's s4u_persistence module. Just to make sure, I did a quick test. I established a shell over tcp/53 on my Windows 7 […]

Learn More
Creating your own private botnet for scanning.

[ UPDATE]  The tool has been re-written.  New details can be found here: http://www.shellntel.com/blog/2015/9/9/update-creating-your-own-private-botnet-for-scanning Often while scanning a network with nmap or other similar tools, at some point a NIDS or firewall will detect and block me.  This is irritating.  I wondered, what would happen if I could route my scans/attacks through a series of proxy […]

Learn More
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram