NetSPI Blog

Alexander Polce Leary
September 27th, 2018

Tokenvator: Release 2

What is Tokenvator? Tokenvator is a token manipulation utility that is primarily used to alter the privileges of a process. In the original release we primarily focused on elevating process privileges. In this release, in addition to the usual bug fixes and improving existing features, I added several new features: The ability to display additional […]

Alexander Polce Leary
July 25th, 2018

.Net Reflection without System.Reflection.Assembly

This is a quick blog to cover an alternative technique to load a .Net Assembly without having to call the suspicious Assembly.LoadFile() or Assembly.Load() Functions. Not too long ago I released a tool called RunDotNetDll32 to make it easier to execute methods from .Net DLLs without going through the process of loading them and executing […]

Alexander Polce Leary
June 19th, 2018

Tokenvator: A Tool to Elevate Privilege using Windows Tokens

Tokenvator: A Tool to Elevate Privilege using Windows Tokens WheresMyImplant is a mini red team toolkit that I have been developing over the past year in .NET. While developing and using it, I found that I consistently needed to alter my process access token to do such things as SYSTEM permissions or add debug privileges […]

Alexander Polce Leary
April 24th, 2018

Executing .NET Methods with RunDotNetDll32

This blog introduces RunDotNetDll32.exe, which is a new tool for reflectively enumerating and executing .NET methods. It’s syntactically very similar to RunDll32.exe.

Alexander Polce Leary
June 13th, 2017

Targeting RSA Emergency Access Tokencodes for Fun and Profit

A few months ago, one of my RSA soft token was on the fritz. It refused to work, and I was not able to remote into the client’s network to do an internal project for them. In fiddling with the RSA self-service console, and playing around with the troubleshooting section, I came across this feature called the Emergency Access Tokencode.

Alexander Polce Leary
May 9th, 2017

Expanding the Empire with SQL

The core of PowerUpSQL is now in Empire. Let’s quickly go over how these modules work in Empire as a few changes had to be made for it to be integrated.

Alexander Polce Leary
April 20th, 2017

Getting Started with WMI Weaponization – Part 6

Lets look at another practical example of weaponizing WMI using PowerShell. Earlier we went over how to create a custom WMI class. Using this class along with the Set-WmiInstance command we can create a class that we can then use to store files as Base64 Encoded strings.

Alexander Polce Leary
April 18th, 2017

Getting Started with WMI Weaponization – Part 5

Establishing Persistence with WMI Like SQL, WMI can be setup with a set of Triggers. We can use these triggers to maintain persistence on a system by launching commands after a specified event is detected. These are stored in the root/subscription namespace and fall into two broad categories, Intrinsic Events and Extrinsic Events. Intrinsic Events […]

Alexander Polce Leary
April 13th, 2017

Getting Started with WMI Weaponization – Part 4

Stealing the NTDS.dit File Remotely using the WMI Win32_ShadowCopy Class Dumping password hashes is a pretty common task during pentest and red team engagements. For domain controllers, it can be done a number of different ways including, but not limited to, DCSync (drsuapi), lsadump, and parsing the ntds.dit directly.  Sean Metcalf has already covered how […]