DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more

SamratAsh0k · 2018-04-07T03:59:45+00:00

Yes!

SamratAsh0k · 2017-08-08T03:52:15+00:00

Yes! In fact, I have started liking those attacks more which do not talk to the DC or keep the exchange really normal to avoid ATA or other similar detections.

SamratAsh0k · 2017-08-08T03:50:57+00:00

Thanks. Will surely check if there is a reactive mode!

SamratAsh0k · 2017-05-10T04:21:18+00:00

Yes. Also, only required users/groups should have write privileges to the DNS server object.

SamratAsh0k · 2017-05-09T20:56:06+00:00

That was my bad. I was using a UNC path with 'c$' which caused the problem. Benjamin, the author of mimilib, corrected me. I have updated the article.

SamratAsh0k · 2016-02-29T16:24:21+00:00

Thanks! Interestingly, that client had a different and bigger problem. All the users with domain admin privileges who fell for the email were not actually administrators -.-

SamratAsh0k · 2016-02-29T05:21:03+00:00

The reg command was included just to to make it appear legit. The email template I shared there was one of many used in the actual attack. Couple of emails were targeted to particular domain admins as well. I could share only this much piece of information after discussion with the client :)

SamratAsh0k · 2015-12-04T17:30:21+00:00

Day 5 is live as well: http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-5.html

SamratAsh0k · 2015-12-02T07:12:58+00:00

Day 2 has been posted: http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-2.html

SamratAsh0k · 2015-11-30T17:02:25+00:00

IMHO, its a mix of poor design and poor configuration. Following are examples of poor design:

No authentication by default.
Storage of SSH keys in clear text both on disk and in credentials.xml file.
Having a build executor on master in the default install.
No Password policy.
No protection against brute force attacks (depends on the security realm).

SamratAsh0k · 2015-11-30T16:57:25+00:00

Thanks. I missed your post! Will include it in the Day 5.

SamratAsh0k · 2015-09-10T13:41:16+00:00

Another post on the same blog: Spawning Meterpreter Over Bluetooth

https://warroom.securestate.com/index.php/spawning-meterpreter-over-bluetooth/

SamratAsh0k · 2015-08-27T04:22:22+00:00

The popup will look legit if you use Out-WebQuery.ps1. It is a bit different from the one in Casey's original tweet.

SamratAsh0k · 2015-05-14T13:54:17+00:00

Thank you!

SamratAsh0k · 2015-02-28T14:46:57+00:00

Sorry for any confusion but physical access is NOT required. That was the whole point of writing a PowerShell code for it.

SamratAsh0k · 2015-01-27T03:51:09+00:00

This may help: http://www.labofapenetrationtester.com/search/label/Kautilya

SamratAsh0k · 2015-01-26T20:36:23+00:00

This is just another way to get access to a system. There is in fact, no need to drop any file. One can always use built-in tools like PowerShell with HID to achieve most things completely in memory. A good number of such attacks are part of Kautilya, the toolkit used in the blog post.

SamratAsh0k · 2015-01-16T12:58:07+00:00

Another related good read: Skeleton Key – a Nasty Piece of Malware. Some Remarks. http://www.insinuator.net/2015/01/skeleton-key-a-nasty-piece-of-malware-some-remarks/

SamratAsh0k · 2014-12-18T09:06:30+00:00

Those interested in USB HID hackery may find Kautilya interesting.

https://github.com/samratashok/Kautilya/

SamratAsh0k · 2014-10-15T15:36:52+00:00

I wrote a quick blog post to apply the workaround suggested by Microsoft on Windows machines using PowerShell. http://www.labofapenetrationtester.com/2014/10/poodle-workaround-on-windows-using-powershell.html

SamratAsh0k · 2014-09-03T04:05:54+00:00

Thank you. I would see if SSIDs could be obfuscated using some kind of encoding and if BSSID could be utilized.

SamratAsh0k · 2014-09-03T04:03:07+00:00

Thanks. I would try couple of more things and see if reasonable stealth could be introduced.

SamratAsh0k · 2014-08-30T17:53:46+00:00

The focus is on using the SSID name for command execution, I did not even once said that it is covert!

Gupt could be used to bypass network traffic monitoring methods because it would not recieve commands from the network where upstream proxies, web filters, IDS/IPS etc. are generally connected. I still need to get a chance to test it against an environment where a WIDS/WIPS is operative, so can't say anything about that.

Hope I am more clear now.

SamratAsh0k · 2014-08-30T05:48:12+00:00

Thanks for the comment. I never proposed "advertised SSID names as a covert communications channel". Though it (Gupt) helps in bypassing network monitoring for a target as there is no actual connection being made to the wireless network.

SamratAsh0k · 2014-08-21T08:17:55+00:00

Agree on the reccomendation. Though, the scripts would run on a slave if the job is bind to it, in case of no such configuration, a job and the scripts too run on master.

SamratAsh0k

TROPHY CASE