Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS

Kevin Robertson
July 10th, 2018

Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS

Exploiting weaknesses in name resolution protocols is a common technique for performing man-in-the-middle (MITM) attacks. Two particularly vulnerable name resolution protocols are Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBNS). Attackers leverage both of these protocols to respond to requests that fail to be answered through higher priority resolution methods, such as DNS. […]

Alexander Polce Leary
June 19th, 2018

Tokenvator: A Tool to Elevate Privilege using Windows Tokens

Tokenvator: A Tool to Elevate Privilege using Windows Tokens WheresMyImplant is a mini red team toolkit that I have been developing over the past year in .NET. While developing and using it, I found that I consistently needed to alter my process access token to do such things as SYSTEM permissions or add debug privileges […]

Thomas Elling
May 31st, 2018

Dumping Active Directory Domain Info – with PowerUpSQL!

This blog walks through some new Active Directory recon functions in PowerUpSQL. The PowerUpSQL functions use the OLE DB ADSI provider to query Active Directory for domain users, computers, and other configuration information through SQL Server queries.

Scott Sutherland
May 25th, 2018

Databases and Clouds: SQL Server as a C2

This blog will provide an overview of how to create and maintain access to an environment using SQL Server as the controller and the agent using a new PoC script called SQLC2.

Thomas Elling
April 17th, 2018

Dumping Active Directory Domain Info – in Go!

I’ve used NetSPI PowerShell tools and the PowerView toolset to dump information from Active Directory during almost every internal penetration test I’ve done. These tools are a great starting point for gaining insight into an Active Directory environment. Go seems to be gaining popularity for its performance and scalability, so I tried to replicate some […]

Scott Sutherland
July 31st, 2015

PowerShell Remoting Cheatsheet

I have become a big fan of PowerShell Remoting. I find my self using it for both penetration testing and standard management tasks. In this blog I’ll share a basic PowerShell Remoting cheatsheet so you can too.

Scott Sutherland
July 27th, 2015

Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz

In this blog I’ll cover some Mimikatz history and share my script “Invoke-MassMimikatz-PsRemoting.psm1”, which tries to expand on other people’s work.

Ryan Gandrud
March 23rd, 2015

All You Need Is One – A ClickOnce Love Story

Although there are many legitimate advantages to using ClickOnce deployments, it also provides a vector for malicious actors to compromise user’s machines with just one click.

Karl Fosaaen
October 6th, 2014

LM Hash Cracking – Rainbow Tables vs GPU Brute Force

Lately, Eric Gruber and I have been speaking about the cracking box that we built at NetSPI. Every time we present, the same question always comes up. “What about Rainbow Tables?” Our standard response has been that we don’t need them anymore. I honestly haven’t needed (or heavily used) them for a while now, as […]