On a recent engagement, I came across Electronic Code Book (ECB) encrypted data. While there’s a plethora of documentation about performing bit flipping in ECB, I couldn’t find any decent writeups on how to perform adaptive chosen plaintext attacks to recover ciphertext. In ECB mode, each block of plaintext is encrypted independently with the key as illustrated by the diagram below. (Source: Wikipedia) Since each block of plaintext is encrypted with the key independently, identical blocks of plaintext will yield identical blocks of ciphertext.

The “sticky keys” backdoor method has been a favorite for hackers for years and it’s been gaining popularity as a malware-free persistence method. This backdoor method gives an attacker pre-authentication, SYSTEM-level access to a target remotely over RDP or locally via the console. The backdoor can be installed in one of two ways: Copy cmd.exe over sethc.exe or utilman.exe Set cmd.exe as the debugger for sethc.exe or utilman.exe The sethc.

Here’s a quick writeup of exploiting MS14-068 using PyKEK and Kali. Kali Prepwork Install and Configure Kerberos Install kerberos: apt-get install krb5-user krb5-config Create relevant kerberos config changes in /etc/krb5.conf: [libdefaults] default_realm = pwn3d.local [realms] pwn3d.local = { kdc = dc1.pwn3d.local admin_server = dc1.pwn3d.local default_domain = pwn3d.local } Point DNS to the DNS Server/domain controller so SRV records (e.g. _kerberos._tcp.*) will resolve correctly in /etc/resolv.conf. According to the TrustedSec blog, you’ll need to sync time with the domain controller.