Channel: general – DiabloHorn
Browsing all 34 articles


8009, the forgotten Tomcat port

We all know about exploiting Tomcat using WAR files. That usually involves accessing the Tomcat manager interface on the Tomcat HTTP(S) port. The fun and forgotten thing is that you can also access...
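Port 8009 is where Tomcat's AJP connector listens by default; a reverse proxy such as mod_jk speaks AJP13 to it, and the same servlets that sit behind the HTTP connector are reachable that way. The encoder below is an added example, not code from the DiabloHorn post: it builds an AJP13 FORWARD_REQUEST packet by hand (field layout per the AJP13 protocol description) and includes a small decoder to check the round trip. The hostnames and the `/manager/html` target are placeholders.

```python
"""Build and decode an AJP13 FORWARD_REQUEST packet (added example)."""
import struct

# Method codes and 2-byte header codes from the AJP13 protocol definition.
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
HEADER_CODES = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}
JK_AJP13_FORWARD_REQUEST = 2
ATTR_QUERY_STRING = 0x05


def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL terminator; None is 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def forward_request(method, uri, headers=None, host="localhost", port=8080,
                    query=None, remote_addr="127.0.0.1"):
    """Packet a proxy sends to the AJP connector for one HTTP request.

    `port` is the port Tomcat will report as the request's server port
    (what the client thought it connected to), not the AJP port itself.
    """
    headers = headers or {}
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHODS[method]])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string(remote_addr)                  # remote_addr
    body += ajp_string(None)                         # remote_host (unknown)
    body += ajp_string(host)                         # server_name
    body += struct.pack(">H", port) + b"\x00"        # server_port, is_ssl=false
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else ajp_string(name)
        body += ajp_string(value)
    if query is not None:
        body += bytes([ATTR_QUERY_STRING]) + ajp_string(query)
    body += b"\xff"                                  # end of attributes
    # Client-to-server packets carry the 0x1234 magic and a 2-byte length.
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


def read_string(buf, off):
    n = struct.unpack_from(">H", buf, off)[0]
    if n == 0xFFFF:
        return None, off + 2
    return buf[off + 2: off + 2 + n].decode(), off + 2 + n + 1


def parse_forward_request(packet):
    """Decode the fields Tomcat reads; used here to check the encoder."""
    if packet[:2] != b"\x12\x34":
        raise ValueError("not a client-to-server AJP packet")
    length = struct.unpack_from(">H", packet, 2)[0]
    body = packet[4:4 + length]
    if len(body) != length or body[0] != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("truncated packet or not a FORWARD_REQUEST")
    method = {v: k for k, v in METHODS.items()}[body[1]]
    off = 2
    protocol, off = read_string(body, off)
    uri, off = read_string(body, off)
    _, off = read_string(body, off)                  # remote_addr
    _, off = read_string(body, off)                  # remote_host
    server, off = read_string(body, off)
    port = struct.unpack_from(">H", body, off)[0]
    is_ssl = body[off + 2] != 0
    off += 3
    nheaders = struct.unpack_from(">H", body, off)[0]
    off += 2
    codes = {v: k for k, v in HEADER_CODES.items()}
    headers = {}
    for _ in range(nheaders):
        tag = struct.unpack_from(">H", body, off)[0]
        if tag in codes:
            name, off = codes[tag], off + 2
        else:
            name, off = read_string(body, off)
        value, off = read_string(body, off)
        headers[name] = value
    return {"method": method, "protocol": protocol, "uri": uri,
            "server": server, "port": port, "ssl": is_ssl, "headers": headers}


if __name__ == "__main__":
    pkt = forward_request("GET", "/manager/html",
                          {"Host": "tomcat.example", "User-Agent": "ajp-probe"},
                          host="tomcat.example")
    print(pkt.hex())
    print(parse_forward_request(pkt))
```

Sending `pkt` over a plain TCP socket to port 8009 and reading the `AB`-prefixed response packets back is all a client needs; nothing in the exchange is authenticated unless the connector is configured with a secret, which is why the port deserves the same exposure review as the HTTP connector.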




Cleaning up links

I’ve cleaned up all non-working links on the right; new ones will be added soon. If you think I’ve removed you by mistake please let me know, and also let me know if you want me to link to you. Use my...




Encrypted JSP Shell with signed diffie-hellman key exchange

This is a follow-up to my previous JSP shell post. This JSP shell has the following functionality: a signed Diffie-Hellman key exchange, Blowfish-encrypted commands and Blowfish-encrypted results. However the...



Credential Scavenger

Just because it’s discarded doesn’t mean it’s useless. Nowadays it doesn’t really matter which Google dork you use; you’ll always hit some username/password dump. There are some nice tools out...



Portable (secure) (pen)test virtual lab

I’ve always wanted some online ‘memo-to-self’ notes to stop forgetting how to set things up, so I’ve decided to create a category for it. These posts will contain rambling, snippets and links on how to...




Making your own door opening shims

Not sure if shim is the right word; you’ll probably recognize it better if I call it “opening the door with a credit card”. If you’ve never heard of it, the following website explains it really nicely:...



AV evasion: Recompiling & Optimizing FTW!

Lowering the detection rate of binaries can be done in two major ways, as we all know: modify the binary, or modify the source. The first option has a lot of articles on the internet covering it, so...



Hash encapsulation to bypass AV

The previous entry was about lowering AV detection rates by simply recompiling and/or optimizing the source. This worked pretty well except for the really well-known tools like meterpreter. So let’s...




Evade antivirus convert shellcode to c

So another way to have a meterpreter stager bypass AV is to just port the shellcode to C instead of obfuscating it like I explained in my previous article, still assuming psexec-like purposes here....




We bypassed antivirus, how about IDS/IPS?

So as we have seen in previous posts, bypassing antivirus engines isn’t always as difficult as you would expect. Now how about bypassing IDS/IPS systems? After all, the only thing we have done is make...



finding sub domains with search engines

Finding subdomains using DNS is common practice; fierce, for example, does a pretty nice job. Additionally, fierce presents a nice overview of the possible ranges that belong to your target. For some odd...
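Search engines index hostnames that DNS brute forcing never guesses, so the complementary step is to scrape result pages for anything under the target domain and then ask again while excluding what you already have. The script below is an added example, not the post's own code: it extracts hostnames from result HTML (constructed inline here; fetching the pages is left to the caller) and builds the next `site:` query. The `-site:` exclusion syntax is a common search-operator convention assumed for illustration, not something the post specifies.

```python
"""Harvest subdomains from search-result HTML (added example)."""
import re


def extract_subdomains(html, domain):
    """Every host ending in .<domain> that appears in the page, lowercased.

    The lookbehind stops 'notexample.com' from matching example.com, and the
    lookahead rejects 'api.example.com.evil.net' while still allowing a
    sentence-ending dot after the hostname.
    """
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    pattern = re.compile(
        r"(?<![a-z0-9.-])((?:%s\.)+%s)(?![a-z0-9-]|\.[a-z])"
        % (label, re.escape(domain)),
        re.IGNORECASE,
    )
    return sorted({m.group(1).lower() for m in pattern.finditer(html)})


def exclusion_query(domain, known):
    """Query for the next round: scoped to the domain, minus hosts seen so far
    (assumed search-operator syntax, not taken from the post)."""
    return " ".join(["site:%s" % domain] + ["-site:%s" % h for h in sorted(known)])


def harvest(pages, domain):
    """Fold several result pages into one deduplicated list plus the next query."""
    found = set()
    for html in pages:
        found.update(extract_subdomains(html, domain))
    return sorted(found), exclusion_query(domain, found)


# Constructed result-page fragments standing in for two fetched search pages.
SAMPLE_PAGES = [
    '<a href="https://www.example.com/about">www.example.com</a> '
    '<cite>mail.example.com/owa</cite> see also notexample.com and '
    'api.example.com.evil.net',
    '<a href="http://dev.EXAMPLE.com:8080/">dev</a> '
    '<cite>intranet.example.com</cite>',
]

if __name__ == "__main__":
    hosts, next_query = harvest(SAMPLE_PAGES, "example.com")
    print("\n".join(hosts))
    print("next query:", next_query)
```

Once a round returns no new hosts the loop is done; feed the list back into DNS resolution to find the ranges fierce would otherwise miss.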



Verifying Nmap scans

So the other day while talking with Slurpgeit the following issue came up: during a scan nmap reported 1000 ports filtered for the host, but wireshark told us otherwise: an RST was received for a few...
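"Filtered" is supposed to mean no answer at all, so an RST in the capture for a port nmap calls filtered is a real discrepancy worth chasing. The script below is an added example, not from the post: it reads a classic libpcap file with nothing but the standard library, derives each probed port's state from the wire (SYN/ACK is open, RST is closed, silence is filtered) and lists the ports where nmap's verdict disagrees. The capture is constructed in memory with TEST-NET addresses so the script runs offline; point `tcp_records` at a real `.pcap` written by tcpdump or wireshark to check an actual scan.

```python
"""Cross-check nmap port states against a packet capture (added example)."""
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
SCANNER, TARGET = "192.0.2.1", "192.0.2.10"   # constructed TEST-NET addresses


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def tcp_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    return eth + ip + tcp


def pcap_file(frames):
    """Classic libpcap container, little-endian, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def tcp_records(pcap):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"    # 0xD4C3B2A1 = big-endian file
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                 # not IPv4 over Ethernet / not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from(">HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13]


def verify_scan(pcap, target):
    """Port state as the wire shows it, for every port that received a bare SYN."""
    states = {}
    for src, dst, sport, dport, flags in tcp_records(pcap):
        if dst == target and flags & SYN and not flags & ACK:
            states.setdefault(dport, "filtered")     # no reply seen (yet)
        elif src == target and sport in states:
            if flags & RST:
                states[sport] = "closed"
            elif flags & SYN and flags & ACK:
                states[sport] = "open"
    return states


def disagreements(nmap_states, wire_states):
    """Ports nmap called filtered although the capture holds a reply."""
    return {p: s for p, s in wire_states.items()
            if nmap_states.get(p) == "filtered" and s != "filtered"}


# Constructed capture: SYNs to four ports; 22 answers SYN/ACK, 80 and 8009
# answer RST, 443 never answers.
SAMPLE_PCAP = pcap_file([
    tcp_frame(SCANNER, TARGET, 40001, 22, SYN),
    tcp_frame(TARGET, SCANNER, 22, 40001, SYN | ACK),
    tcp_frame(SCANNER, TARGET, 40002, 80, SYN),
    tcp_frame(TARGET, SCANNER, 80, 40002, RST | ACK),
    tcp_frame(SCANNER, TARGET, 40003, 443, SYN),
    tcp_frame(SCANNER, TARGET, 40004, 8009, SYN),
    tcp_frame(TARGET, SCANNER, 8009, 40004, RST | ACK),
])

if __name__ == "__main__":
    wire = verify_scan(SAMPLE_PCAP, TARGET)
    nmap_says = {22: "open", 80: "filtered", 443: "filtered", 8009: "filtered"}
    print("wire:", wire)
    print("nmap disagrees on:", disagreements(nmap_says, wire))
```

Run the capture on the scanning host itself so retransmitted probes and late RSTs are both in the file; a reply that arrives after nmap's per-port timeout still shows up here and explains the "filtered" verdict.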



vbscript based interactive registry viewer

Sometimes (don’t ask me why) when you are hacking some terminal server it happens that an administrator has disabled regedit.exe and reg.exe, but forgot about Visual Basic Script (VBS). I know, I know...




sslsniff howto dump the temporary key

sslsniff, written by Moxie Marlinspike, is a pretty nice tool for SSL analysis. It has two modes of operation. Authority mode: dynamically generates certificates and signs them with the specified CA...



Alternative psexec: no wmi, services or mof needed

For me the fun in hacking still remains in finding new ways to achieve the same goal. On one of those days with splendid sun and people having their beer, I thought it would be a good idea to start...




Remote hash dumping: no processes or tool upload needed

So after my last article, in which I described an alternative way to execute code on a remote machine if you have the local administrator’s password, I kept wondering what else could be done with the...



[QP] raw sockets & iptables

Funny how sometimes you don’t realize stuff until you actually try to interact with it instead of just observing it. I’ve used tcpdump many times behind a normal iptables ruleset, I’ve also used...




Encrypted Screenshots

You might be wondering why on earth you’d need to take encrypted screenshots; in that case, here are a couple of reasons: the machine on which you take screenshots has different levels of classification...



Solving RogueCoder’s SQLi challenge

So I’m hanging around on #vulnhub (freenode) when RogueCoder silently drops a SQLi challenge, which you can find here: http://ethax.secnet.org/challenges/sqli-01.php?id=1 . At first I ignored it since...



[old] VMware vSphere client XML External Entity attack

So this is a *really* old blog post that I wrote a while back when I discovered, or at least so I believed, an XXE bug in the VMware vSphere client. I reported this to the VMware security team, but they...
