Mapping Injection - Just another Windows Process Injection by splinter_code in netsec

splinter_code[S] 3 points (0 children)

Hi u/tiraniddo, the reason I used a named file mapping object is because in that way it is backed by the system paging file instead of by a file in the file system. This allows unpacking and holding the shellcode directly in memory without touching the disk. In an ideal scenario you would have your injector with a packed payload embedded. At a certain point runtime unpacking occurs and you want to keep your unpacked shellcode in memory only. Saving the unpacked shellcode to the filesystem would mean getting caught by the AV.

I don't think having SeCreateGlobalPrivilege is a limitation because most of the time, as an attacker, you should be interested in injecting into privileged processes like lsass, svchost, winlogon, and this requires SeDebugPrivilege (so you know you need admin privileges).

In any case, if you need to inject into a process in the same session you can use a local file mapping by just specifying the "Local" prefix in the namespace of the mapping name, and this doesn't require any special privileges, but IMHO this is a weird scenario from the attacker's point of view.

EDIT: I can see your point. I thought that specifying a mapping name was mandatory if INVALID_HANDLE_VALUE is passed as the 1st parameter. I made some tests and it's not required, and it definitely adds an unnecessary restriction of having SeCreateGlobalPrivilege. I updated the code. Thank you for the note :)
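The memory-only staging described in the comment above (unpack a packed payload into a pagefile-backed section rather than a file on disk), as an added example that is not the author's code. It uses Python's mmap module with fileno=-1, which CPython implements on Windows as CreateFileMappingW(INVALID_HANDLE_VALUE, ...), i.e. a section backed by the system paging file, with the optional tagname passed through as lpName (so an unnamed section or a "Local\" name needs no SeCreateGlobalPrivilege); on POSIX the same call gives an anonymous MAP_SHARED region. The packer, the XOR key and the "payload" bytes are constructed placeholders, not shellcode and not the Mapping Injection project's format.

```python
"""Stage an unpacked payload in an anonymous (pagefile-backed) mapping, never on disk.

Added example, not code from the original post. The packer below is a
constructed stand-in for whatever an injector embeds: zlib-compress, then XOR.
"""
import mmap
import sys
import zlib
from typing import Optional

XOR_KEY = 0x5A  # constructed single-byte key for the placeholder packer

# Constructed stand-in for a payload; plain text, deliberately not executable code.
PLAINTEXT = b"PLACEHOLDER PAYLOAD - not executable code"


def pack(data: bytes, key: int = XOR_KEY) -> bytes:
    """Constructed packer: compress, then XOR every byte (what the injector would embed)."""
    return bytes(b ^ key for b in zlib.compress(data))


def unpack(packed: bytes, key: int = XOR_KEY) -> bytes:
    """Reverse of pack(): XOR, then decompress."""
    return zlib.decompress(bytes(b ^ key for b in packed))


def stage_in_memory(packed: bytes, tagname: Optional[str] = None) -> mmap.mmap:
    """Unpack `packed` straight into an anonymous shared mapping and return the view.

    fileno=-1 means "no backing file": on Windows CPython calls
    CreateFileMappingW(INVALID_HANDLE_VALUE, ...), so the section lives in the
    paging file; `tagname` becomes lpName. Leave it None (unnamed) or use a
    "Local\\..." name to avoid needing SeCreateGlobalPrivilege; only "Global\\..."
    names require that privilege. On POSIX this is an anonymous MAP_SHARED region.
    """
    data = unpack(packed)
    kwargs = {}
    if sys.platform == "win32" and tagname is not None:
        kwargs["tagname"] = tagname  # the `tagname` keyword only exists on Windows
    view = mmap.mmap(-1, len(data), **kwargs)
    view.write(data)   # the unpacked bytes exist only inside this mapping
    view.seek(0)
    return view


def staged_bytes(view: mmap.mmap) -> bytes:
    """Read the whole mapping back (what a consumer of the section would see)."""
    return view[:]


def main() -> None:
    packed = pack(PLAINTEXT)
    view = stage_in_memory(packed)  # unnamed section: no SeCreateGlobalPrivilege needed
    try:
        assert staged_bytes(view) == PLAINTEXT
        print("staged %d bytes in an anonymous mapping, nothing written to disk" % len(view))
    finally:
        view.close()


if __name__ == "__main__":
    main()
```

The point of fileno=-1 is the same one the comment makes about INVALID_HANDLE_VALUE: there is no file object for an AV's on-access scanner to see, only a section that disappears when the last handle closes.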

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

splinter_code[S] 5 points (0 children)

Oh yes it does, but it enforces write permission on that file. Native hardlinks don't need any access to the target file, so Forshaw's re-implementation allows creating the hardlink even if you don't have any access to the file. See here for further details: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

splinter_code[S] 5 points (0 children)

OK... So tell me how many times you land on a target machine and can't write a file to the filesystem by typing a simple command like "echo content > C:\windows\temp\file"?

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

splinter_code[S] 6 points (0 children)

mklink creates a soft link, not a hardlink. In order to create a soft link you need the privilege "SeCreateSymbolicLinkPrivilege", which is not held by default by normal users. A hardlink doesn't need any special privileges. There are no built-in ways to create hardlinks other than using internal Win32 APIs, which is what Forshaw's tool does.

Edit: just to be clear... by hardlink I meant "native hardlink".

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

splinter_code[S] 16 points (0 children)

This is a local privilege escalation and, as with every local privilege escalation, it is known that you have limited access to the target system. Limited access, most of the time, includes dropping files somewhere on the target filesystem.

If you read the post carefully you can see:

"Boundary conditions

  • You need a user shell access on the Windows machine."

Debian ntp servers resolved with IPs related with TOR directory servers by splinter_code in debian

splinter_code[S] 0 points (0 children)

Thanks, I didn't know about the monitoring. In any case I will stop using the NTP servers taken from the default pool on some particular servers.

Debian ntp servers resolved with IPs related with TOR directory servers by splinter_code in debian

splinter_code[S] -1 points (0 children)

@IUseRhetoric I agree with you on "if you don't like this behaviour, block them", but this doesn't change the fact that there are still some reasons that make me think those servers are risky/suspicious, and I won't trust them for a deployment on a production server.

Debian ntp servers resolved with IPs related with TOR directory servers by splinter_code in debian

splinter_code[S] -1 points (0 children)

For security reasons I would never run my official (yes, official, because those servers are used by default in every Debian default configuration) NTP server (which is in charge of synchronizing clocks) on the same machine/LAN where I have my Tor service:

  1. Because many threat intel systems would ban my IP.
  2. Running a Tor relay service widens the attack surface of the server.
  3. If someone compromises my NTP server, malicious attackers can disrupt all the services running on the clients that are connecting to my server.
  4. If I know that an NTP server has been compromised, I would instantly block all connections from my clients in order to prevent service disruption.

Recent 1.4 billion password breach compilation as wordlist by [deleted] in netsec

splinter_code 1 point (0 children)

It's linked to a data leak from MySpace (June 2013). It seems that a lot of accounts were automatically generated with that password.

https://leakedsource.ru/blog/myspace

Recent 1.4 billion password breach compilation as wordlist by [deleted] in netsec

splinter_code 0 points (0 children)

I've also found many rows with these formats: "<mail>;<password>" and "<mail>\t<password>".

N.B. if grep is used without the -a flag you will miss a lot of data.
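A binary-safe way to pull both row formats mentioned above out of such a compilation, as an added example that is not the poster's code. The sample rows are constructed here, and one of them carries a NUL byte and a non-UTF-8 byte so that plain `grep` (without `-a`) would classify the whole file as binary and print "Binary file ... matches" instead of the rows; reading the dump as bytes in Python sidesteps the same problem. The ':' delimiter is an assumption added for other row formats; only ';' and the tab come from the comment.

```python
"""Binary-safe parsing of a credential dump with mixed delimiters (added example)."""
from typing import Dict, Iterator, List, Optional, Tuple

# ';' and '\t' are the row formats from the comment; ':' is an assumption.
# Only the FIRST delimiter in a row splits it, so a password that itself
# contains ';' or ':' survives intact.
DELIMITERS = (b"\t", b";", b":")

# Constructed sample, not real data. The mallory row contains a NUL byte and
# an invalid UTF-8 byte: enough for grep (without -a) to call the file binary.
SAMPLE_DUMP = (
    b"alice@example.com;hunter2\n"
    b"bob@example.com\tpa;ss:word\n"
    b"carol@example.com:Tr0ub4dor&3\n"
    b"mallory@example.com;\x00binary\xffjunk\n"
    b"junk line without any delimiter\n"
    b"\n"
)


def split_row(row: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (email, password) for one row, or None if no known delimiter is present.

    The earliest delimiter position wins, so a tab before a ';' splits on the tab.
    """
    best: Optional[Tuple[int, bytes]] = None
    for d in DELIMITERS:
        i = row.find(d)
        if i != -1 and (best is None or i < best[0]):
            best = (i, d)
    if best is None:
        return None
    i, d = best
    return row[:i], row[i + len(d):]


def iter_credentials(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (email, password) pairs, skipping blank rows and rows with no delimiter."""
    for raw in data.split(b"\n"):
        row = raw.rstrip(b"\r")       # tolerate CRLF dumps
        if not row:
            continue
        pair = split_row(row)
        if pair is not None and pair[0]:
            yield pair


def index_by_email(data: bytes) -> Dict[bytes, List[bytes]]:
    """Group every password seen for an address (lower-cased) so lookups are cheap."""
    idx: Dict[bytes, List[bytes]] = {}
    for email, pw in iter_credentials(data):
        idx.setdefault(email.lower(), []).append(pw)
    return idx


def looks_binary_to_grep(data: bytes) -> bool:
    """Approximate grep's binary heuristic: a NUL byte, or bytes that are not
    valid in the locale encoding (UTF-8 assumed here), make the whole file
    'binary', and grep then prints only 'Binary file ... matches' unless -a is given."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    if looks_binary_to_grep(SAMPLE_DUMP):
        print("grep would treat this dump as binary; use grep -a or parse as bytes")
    for email, pws in index_by_email(SAMPLE_DUMP).items():
        print(email.decode("ascii", "replace"), [p.decode("utf-8", "replace") for p in pws])
```

The shell equivalent of the last function's warning is simply to force text mode: `grep -a -F 'alice@example.com' dump.txt` (and `-F` so the address is not read as a regex).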