Knowledge Base for Penetration Testing
Memory vulnerabilities are programmatic flaws in which the application improperly accesses or handles objects stored in memory. These vulnerabilities can result in memory corruption leading to arbitrary code execution or denial of service. Because memory exploits work outside the normal bounds of the operating system, many activities conducted during those exploits will not be logged. […]
Hacking misconfigured certificate templates to gain admin access within Active Directory.
Windows Patch Level Lists installed packages: Available Shares List open file shares: The default Windows shares are: C$, IPC$, ADMIN$ If these are present that is fine. If there are any more then investigate what they are and try to determine if they are sharing sensitive information. If you find it is sharing a CD-ROM […]
A walkthrough on how to dump hashes in the SAM file using Mimikatz and crack them into cleartext credentials with John the Ripper or Hashcat.
For this post, we will be deep-diving into the art of transferring files. We will go over various techniques on how to transfer files from our attacker machine onto a victim Windows 10 host (download), as well as from the victim Windows 10 host back onto our attacker machine (upload). As hackers, we constantly find […]
In this blog post we will look at how to perform AS-REP roasting in two different ways, how to use hashcat to crack a krbasrep5 hashes, and how to mitigate this type of attack. During kerberos pre-authentication, a user’s NTID is used to encrypt a timestamp and then the domain controller will attempt to decrypt […]
In this post we will take a look A LOT of tools and techniques that can be used to perform a pass-the-hash attack. First, we will dump the local SAM file hashes off our initial victim and extract the local administrator account’s hash. From there, we will use the local administrator hash to move laterally […]
In this Walkthrough, we will be hacking the machine Hutch from Proving Grounds Practice. To begin, we will utilize the ability to perform an anonymous LDAP search to dump account information where we will find a password. With valid credentials, we will run Bloodhound remotely to query the DC and find that our user has […]
If you are working in a medium to large company, you are probably interacting on a daily basis with LDAP. Whether this is on a Windows domain controller, or on a Linux OpenLDAP server, the LDAP protocol is very useful to centralize authentication. However, as your LDAP directory grows, you might get lost in all […]
Introduction: In this post we are going to have a look into the D/Invoke project by TheWover. He also wrote a really good blog post which you can read here where he demonstrates in detail how the whole project works. It covers some really cool aspects so its highly recommended to check it out. This […]
by