Windows
Android Application Testing Using Windows 11 and Windows Subsystem for Android
With the release of windows 11, Microsoft announced the Windows Subsystem for Android or WSA. This following their previous release, Windows Subsystem for Linux or WSL. These enable you to run a virtual Linux or Android environment directly on your Windows Operating System, without the prerequisite compatibility layer provided by third-party software. In this post I’ll show you how to use WSA for Android mobile application pentesting, such that you can perform all of the usual steps using only Windows, with no physical Android device or emulator needed.
Building an offensive RPC interface
Using the Windows Remote Procedure Call (RPC) interface is an interesting concept when conssidering the fact that it allows you to call functions, over the network in a remote process. I wanted to better understand how RPC worked, and decided to build my own RPC interface to help with that. As a result, I wrote an RPC interface that will spawn a reverse shell given an IP address and a port. In this post I’ll show you how to do just that and what I learnt in a few sections:
Masquerading Windows processes like a DoubleAgent.
I’ve been spending some time building new content for our Introduction to Red Teaming course, which has been great for diving into AV/EDR bypass techniques again. In this blog post, I will demonstrate how to re-weaponise the old “DoubleAgent” technique, making endpoint security products do the hacking work for us.
One known vector to shimmy past AV solutions is to use process injections. At BlackHat 2019, a number of process injection techniques were presented by Itzik Kotler. A typical code injection implementation using known WINAPI functions, such as the combination of VirtualAlloc, WriteProcessMemory and CreateRemoteThread are well known by endpoint security solutions and will often raise alerts. Whether static or dynamic analysis kicks in, the chances of remaining undetected when using these functions are close to NULL. Alas, the cat and mouse game keeps going endlessly.
Attacking smart cards in active directory
Introduction Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they used to login into their computers, emails, internal applications and more. None of the employees at the company had a password at all – this sounded really cool.
In this post I will detail a technique used to impersonate other users by modifying a User Principal Name (UPN) on an Active Directory domain that only uses smart cards.
Analysis of a 1day (CVE-2019-0547) and discovery of a forgotten condition in the patch (CVE-2019-0726) – Part 1 of 2
This post will cover my journey into the analysis of CVE-2019-0547 (Affecting the windows DHCP client), a vulnerability discovered by Mitch Adair of Microsoft Windows Enterprise Security Team and how I found a new issue in the same function.
Part 1Patch extractionPatch diffingProgram flow to the functionDHCP Options0x000x00Part 2Integer overflowNobody respects RFCs0xC0 “compression algorithm”Final conclusions Patch extraction Even though these first steps around patch downloading, extraction and diffing are already heavily documented over the internet, I will cover them here in any case.
recreating known universal windows password backdoors with Frida
tl;dr I have been actively using Frida for little over a year now, but primarily on mobile devices while building the objection toolkit. My interest in using it on other platforms has been growing, and I decided to play with it on Windows to get a feel. I needed an objective, and decided to try port a well-known local Windows password backdoor to Frida. This post is mostly about the process of how Frida will let you quickly investigate and prototype using dynamic instrumentation.
Abusing GDI Objects for ring0 Primitives Revolution
Exploiting MS17-017 EoP Using Color Palettes This post is an accompaniment to the Defcon 25 talk given by Saif. One of the core topics of the talk was the release of a new technique GDI object abuse technique, name Palette Objects. Saif presented a previously unreleased Windows 7 SP1 x86 exploit involving the abuse of a newly discovered GDI object abuse technique.
A complete white-paper on the topic was released and can be found here: Whitepaper
Intercepting passwords with Empire and winning!
This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now guard thee, miscreant, for I am Tirian of Narnia.
C.S. Lewis
tl;dr You are part of the red team who’s just compromised the entire AD infrastructure. The blue team quickly changes the password, which is always recommended, but is this effective in preventing the red team from still inflicting damage?
Prev
Page 2 of 2