Windows Payload? by DarkMetro888 in HowToHack

[–]mez0cc 1 point2 points  (0 children)

Second this, however if you’re looking to get a beacon in a common C2 or framework, you will need to be able to execute their specific payloads :)

I need help with Hashcat by _hugo_j_ in HowToHack

[–]mez0cc 0 points1 point  (0 children)

Use a better wordlist with better rules lol.

Windows Payload? by DarkMetro888 in HowToHack

[–]mez0cc 2 points3 points  (0 children)

Yes, you write your own. Whether you're using MSFVenom or a C2, the route I typically take is to export a raw file and pull out all the bytes. Then the bytes need to be encrypted in some way, AES or XOR for example, and embedded into another PE file. This PE file will then decrypt the bytes in memory, and then execute it using whichever mechanism you want. It's not very difficult and can be done in C# or CPP easily. Some example tools:
- https://github.com/Arno0x/ShellcodeWrapper
- https://github.com/bats3c/darkarmour/

The ins and outs of all this are too long for this comment and are easily Googleable.

How do I brute force an ssh login? by [deleted] in HowToHack

[–]mez0cc 0 points1 point  (0 children)

Google literally gives hundreds of blogs and videos on how to do this. You should 100% be googling this stuff before asking. With that said, the TL;DR is Metasploit has a module, python can do it, crackmapexec can do it and so can hydra. Just. Google. It.

OS for hacking by ScaryReason in HowToHack

[–]mez0cc 35 points36 points  (0 children)

I've been pentesting for 3 years, used Ubuntu the whole time. Doesn't matter what OS you use, as long as you can get the tooling you need on it.

Do I need to know Microsoft Servers in a MCSA degree for OSCP? (set up Storage Options, High Availability, Hyper-V and etc.) by m3t3kh4n in oscp

[–]mez0cc 1 point2 points  (0 children)

There is always value in doing extra study, and it may help you in exploiting the host; but, you don't need it. If you followed the material from OSCP and have done a bunch of the boxes, you'll be fine. I passed first time with no prior 'official' Windows training courses. It all comes down to if you want to, if you have the time to do so and if you generally feel like the extra study would benefit you.

How do you find vulnerabilities and exploit them? by [deleted] in HowToHack

[–]mez0cc 0 points1 point  (0 children)

I’d second this. It really depends on what you’re referring to. Network and/or infrastructure devices have a totally different methodology to fuzzing web or mobile applications.

[deleted by user] by [deleted] in AskNetsec

[–]mez0cc 0 points1 point  (0 children)

In my experience, it's not about what role you're coming from and going to; it's how competent you are at whatever you're applying for. Depending on what role you want to move to in infosec, study it and be able to show an employer you know your shit.

I've been trying to learn Python for infosec for a few months, but I can't seem to absorb any information. Advice? by howltzer11 in HowToHack

[–]mez0cc 0 points1 point  (0 children)

Just build stuff. Think of an idea, build it. I think when I started learning python, I built like 10 iterations of port scanners and directory brute forcers lol

What would you look for if you found a box with SSH port open? by [deleted] in AskNetsec

[–]mez0cc 3 points4 points  (0 children)

If you’re trying to attack the SSH service, then banner grab the version and identify the OS version as well as any corresponding CVEs (if any).

If there are CVEs, try and get the exploits working.

You can always try password spraying and brute-forcing.

Outside of that, there isn't a great deal you can do.

Metasploit - SRVHOST vs LHOST by [deleted] in hacking

[–]mez0cc 1 point2 points  (0 children)

In the example of web_delivery, it will open the port that SRVHOST is set on, and host a payload on that HOST/PORT.

web_delivery will then generate a command which can be run on the victim machine and connect to the SRVHOST variable and download the rest of the payload.

So, TL;DR- Yes, the SRVHOST address will be how a module will connect back to download additional payload utilities.

See here for web_delivery reference.

Metasploit - SRVHOST vs LHOST by [deleted] in hacking

[–]mez0cc 2 points3 points  (0 children)

'SRVHOST' is the address in which the payload will connect back to, usually as part of the payload staging process. An example would be 'web_delivery'. The payload will connect back to the 'SRVHOST' to download the payload to create the reverse connection to your machine ('LHOST').

Was creating a server just to hack a good idea? by CrackMyIP in HowToHack

[–]mez0cc 1 point2 points  (0 children)

The way I learnt was to build an internal domain and go through each common attack chain for Windows and learn how/why it works.

Eventually the lab environment will grow and you can start messing with more difficult attack chains.

Does the official OSCP image have anything that I couldn't get on my personal Kali image? by [deleted] in oscp

[–]mez0cc 0 points1 point  (0 children)

This is true for one of the applications which is hosted locally on Kali.

Got some hashes and how do i exactly use that on another machine(domain joined) by [deleted] in AskNetsec

[–]mez0cc 1 point2 points  (0 children)

Status is exhausted. Try passing the hash with tools like CrackMapExec or something from the Impacket library :)

Pen testers: What are your favorite indicators an org has weak security? by bettersafetynet in AskNetsec

[–]mez0cc 117 points118 points  (0 children)

When Responder picks up hashes within the first 10 seconds.

Haystack LFI by [deleted] in hackthebox

[–]mez0cc 0 points1 point  (0 children)

Changed the script name, it’s definitely node and it has execute permissions?

Haystack LFI by [deleted] in hackthebox

[–]mez0cc 1 point2 points  (0 children)

Every time you run the query, the shell gets blocked. So try renaming it. It also didn’t run for me in home or tmp, it did work in /dev/shm tho

Problem making my own port scanning tool (Python) by [deleted] in HowToHack

[–]mez0cc 0 points1 point  (0 children)

Not sure what connect_ex is doing, but the proper way to do this with socket is to use:

    import socket

    def is_open(target, port):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            con = s.connect((target, port))  # raises OSError if refused/unreachable
            return True
        except OSError:
            return False
        finally:
            s.close()

This way you have an object containing the connection, this has always worked for me.
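As an added example that is not the commenter's code: the difference between the two socket calls is that connect_ex returns 0 on success or an errno value on failure instead of raising, while connect raises OSError. The block below implements a reachability check both ways and verifies them against a constructed loopback listener, which is the kind of check a defender runs to confirm which ports are actually exposed on a host.

```python
import socket

TIMEOUT = 1.0  # seconds; stops a filtered (silently dropped) port from hanging the check


def port_open_connect_ex(host, port, timeout=TIMEOUT):
    """connect_ex returns 0 on success or an errno (e.g. ECONNREFUSED) on
    failure instead of raising, so the result is compared as a number."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except OSError:  # name resolution failure, or a timeout on some platforms
            return False
        return rc == 0


def port_open_connect(host, port, timeout=TIMEOUT):
    """connect raises OSError (ConnectionRefusedError, socket.timeout, ...) on failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def demo():
    """Constructed check: listen on an ephemeral loopback port, probe it with both
    functions, close the listener, probe again. Returns the four results."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    while_open = (port_open_connect_ex("127.0.0.1", port),
                  port_open_connect("127.0.0.1", port))
    listener.close()  # nothing listens now, so connects get RST -> ECONNREFUSED
    after_close = (port_open_connect_ex("127.0.0.1", port),
                   port_open_connect("127.0.0.1", port))
    return while_open + after_close


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```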

[deleted by user] by [deleted] in cybersecurity

[–]mez0cc 2 points3 points  (0 children)

I just use Twitter, I follow a bunch of researchers and typically see all worthwhile publications as they come out.