17 Apr 2015

Attacking ECB
On a recent engagement, I came across Electronic Code Book (ECB) encrypted data. While there's a plethora of documentation about performing bit flipping in ECB, I couldn't find any decent writeups on how to perform adaptive chosen plaintext attacks to recover the plaintext behind the ciphertext. In ECB mode, each block of plaintext is encrypted independently with the same key (see the ECB encryption diagram on Wikipedia). Since each block is encrypted with the same key independently, identical blocks of plaintext yield identical blocks of ciphertext, and that determinism is what the attack exploits.
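As an added illustration (not code from the original post), the block below runs a byte-at-a-time adaptive chosen-plaintext attack against an ECB encryption oracle that appends an unknown secret to attacker-controlled input. The oracle, the key and the secret are constructed for the demonstration, and the per-block function is a keyed hash standing in for a real block cipher: the attack relies only on ECB's determinism (same key, same block, same output), not on the cipher being invertible, so with AES you would swap in an AES-ECB encryptor and nothing else changes.

```python
import hashlib

BLOCK = 16  # block size in bytes; AES uses 16


# --- Toy ECB oracle (constructed for this example) ----------------------------
def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one block-cipher call: a keyed hash truncated to one block.
    Not a real cipher (it is not invertible), but it has the only property the
    attack needs: same key + same plaintext block -> same ciphertext block."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes, bs: int = BLOCK) -> bytes:
    n = bs - len(data) % bs
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    pt = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


KEY = b"constructed-key!"                # hypothetical key, unknown to the attacker
SECRET = b"flag{ecb-is-deterministic}"   # hypothetical secret the attacker wants


def oracle(attacker_input: bytes) -> bytes:
    """Encrypts attacker_input || SECRET under a fixed key.
    This is the only thing the attacker can call."""
    return ecb_encrypt(KEY, attacker_input + SECRET)


# --- The adaptive chosen-plaintext attack -------------------------------------
def detect_block_size(oracle) -> int:
    """Feed growing inputs until the ciphertext length jumps; the jump is one block."""
    base = len(oracle(b""))
    for n in range(1, 65):
        size = len(oracle(b"A" * n))
        if size != base:
            return size - base
    raise ValueError("no block boundary found")


def is_ecb(oracle, bs: int) -> bool:
    """Three identical plaintext blocks give repeated ciphertext blocks only in ECB."""
    ct = oracle(b"A" * (3 * bs))
    blocks = [ct[i:i + bs] for i in range(0, len(ct), bs)]
    return len(blocks) != len(set(blocks))


def recover_secret(oracle, bs: int) -> bytes:
    """Byte-at-a-time recovery of the secret the oracle appends to our input."""
    recovered = b""
    max_len = len(oracle(b""))  # padded length of the secret: an upper bound
    while len(recovered) < max_len:
        k = len(recovered)
        # Pick a prefix length so the next unknown byte is the LAST byte of
        # block number k // bs; everything before it in that block is known.
        prefix = b"A" * (bs - 1 - k % bs)
        blk = k // bs
        target = oracle(prefix)[blk * bs:(blk + 1) * bs]
        known = prefix + recovered
        for b in range(256):
            guess = known + bytes([b])
            if oracle(guess)[blk * bs:(blk + 1) * bs] == target:
                recovered += bytes([b])
                break
        else:
            # No byte matches: the target block now ends in PKCS#7 padding that
            # changes with our prefix length, so the secret is fully recovered.
            break
    # The final matched byte is the 0x01 pad byte that followed the secret; drop it.
    return recovered[:-1] if recovered.endswith(b"\x01") else recovered


if __name__ == "__main__":
    bs = detect_block_size(oracle)
    print("block size:", bs, "ECB detected:", is_ecb(oracle, bs))
    print("recovered secret:", recover_secret(oracle, bs))
```

The cost is at most 256 oracle queries per secret byte, and the padding check at the end is what stops the loop cleanly; in a real engagement you also have to account for any fixed prefix the application prepends before your input, which shifts the block alignment but does not change the idea.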

23 Mar 2015

Hunting Sticky Keys Backdoors
The “sticky keys” backdoor has been a favorite of attackers for years, and it's been gaining popularity as a malware-free persistence method. It gives an attacker pre-authentication, SYSTEM-level access to a target, remotely over RDP or locally at the console. The backdoor can be installed in one of two ways:
1. Copy cmd.exe over sethc.exe or utilman.exe
2. Set cmd.exe as the debugger for sethc.exe or utilman.exe (an Image File Execution Options registry entry)
The sethc.
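As an added example (not the post's own tooling), the script below hunts for both install methods: it flags any accessibility binary whose hash equals cmd.exe's (method 1) and any Image File Execution Options subkey for an accessibility binary that carries a Debugger value (method 2). The detection logic is factored into pure functions so it can be exercised on the constructed sample data; on Windows the `collect_live()` helper (my name, not a Windows API) gathers real hashes and registry values. The list goes beyond the post's sethc.exe and utilman.exe to the other accessibility binaries the logon screen launches as SYSTEM, which is an assumption added here.

```python
import hashlib
import os
import sys

# Accessibility helpers the logon screen starts as SYSTEM before anyone logs in.
# sethc.exe and utilman.exe are the two the post names; the rest are the other
# well-known accessibility binaries abused the same way (added here, beyond the post).
ACCESSIBILITY_BINARIES = [
    "sethc.exe", "utilman.exe",
    "osk.exe", "narrator.exe", "magnify.exe", "displayswitch.exe",
]
IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_binaries(hashes: dict) -> list:
    """Method 1: an accessibility binary with the same hash as cmd.exe was overwritten.
    `hashes` maps lowercase file name -> sha256 hex digest."""
    cmd = hashes.get("cmd.exe")
    if cmd is None:
        return []
    return sorted(name for name in ACCESSIBILITY_BINARIES if hashes.get(name) == cmd)


def find_ifeo_debuggers(ifeo: dict) -> dict:
    """Method 2: a Debugger value under an IFEO subkey named after an accessibility binary.
    `ifeo` maps IFEO subkey name -> dict of that subkey's values."""
    hits = {}
    for subkey, values in ifeo.items():
        if subkey.lower() in ACCESSIBILITY_BINARIES and values.get("Debugger"):
            hits[subkey.lower()] = values["Debugger"]
    return hits


def hunt(hashes: dict, ifeo: dict) -> dict:
    return {"replaced": find_replaced_binaries(hashes),
            "ifeo_debugger": find_ifeo_debuggers(ifeo)}


def collect_live():
    """Windows only: hash the binaries in System32 and enumerate IFEO Debugger values."""
    import winreg  # only available on Windows
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    hashes = {}
    for name in ["cmd.exe"] + ACCESSIBILITY_BINARIES:
        path = os.path.join(system32, name)
        if os.path.exists(path):
            hashes[name] = sha256_file(path)
    ifeo = {}
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY  # native 64-bit view even from 32-bit Python
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH, 0, access) as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(root, sub, 0, access) as sk:
                try:
                    value, _ = winreg.QueryValueEx(sk, "Debugger")
                    ifeo[sub] = {"Debugger": value}
                except FileNotFoundError:
                    pass  # no Debugger value on this subkey
    return hashes, ifeo


# Constructed sample data: one instance of each backdoor method plus benign noise.
SAMPLE_HASHES = {
    "cmd.exe": "a" * 64,
    "sethc.exe": "a" * 64,     # identical to cmd.exe: overwritten
    "utilman.exe": "b" * 64,   # untouched
}
SAMPLE_IFEO = {
    "utilman.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"},
    "notepad.exe": {"Debugger": "vsjitdebugger.exe -p %ld -e %ld"},  # not an accessibility binary
}

if __name__ == "__main__":
    if sys.platform == "win32":
        hashes, ifeo = collect_live()
    else:
        hashes, ifeo = SAMPLE_HASHES, SAMPLE_IFEO
    print(hunt(hashes, ifeo))
```

Run it elevated on the host you are checking; a hit in either list is worth treating as a compromise indicator rather than a misconfiguration, since neither condition occurs on a clean build.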

14 Dec 2014

Exploiting MS14-068 with PyKEK and Kali
Here's a quick writeup of exploiting MS14-068 using PyKEK and Kali.

Kali Prepwork

Install and Configure Kerberos

Install Kerberos:

    apt-get install krb5-user krb5-config

Create the relevant Kerberos configuration in /etc/krb5.conf:

    [libdefaults]
        default_realm = pwn3d.local

    [realms]
        pwn3d.local = {
            kdc = dc1.pwn3d.local
            admin_server = dc1.pwn3d.local
            default_domain = pwn3d.local
        }

Point DNS at the domain controller's DNS server in /etc/resolv.conf so that SRV records (e.g. _kerberos._tcp.*) resolve correctly. According to the TrustedSec blog, you'll also need to sync time with the domain controller, since Kerberos rejects requests when the clocks differ by more than the permitted skew.