Evading EDR/AV software with Invoke-Mimikatz.ps1

I have done some research lately on running Mimikatz on modern systems having antivirus and EDR software installed and have found some cool resources you can see in the links section below.

Then, during a pentest I was involved in, I came across an issue that may occur when invoking Mimikatz from within a PowerShell script, which results in tons of error messages that begin with:

Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."

and ends with:

VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new
PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might
be free).


Pentesting Microsoft Dynamics AX

I had a challenge lately to perform a penetration test of a Dynamics AX instance in a very limited time and have some thoughts that may come in handy given the size of the solution and the limited number of how-tos on the Internet about this topic. Still, I wanted to get my local admin account in the system and I eventually did, after some searching here and there.


Windows-privesc-check in a corporate environment

Windows-privesc-check is a great tool that quickly performs multiple tests on a system you may want to either audit or escalate your privileges within. I had to run it once on a system where I had no local admin rights, nor could I disable the Endpoint Protection suite, and I had to figure out a way around it. There are techniques to run certain files from memory and leave no files on the file system, but for the purposes of this case it was not necessary.

So, we have to bypass certain measures that lock our station down:

  • AppLocker in place that disallows running pretty much anything unknown,
  • No admin rights that would allow installing additional tools in the traditional sense of installing software,
  • Antivirus and EDR software that would raise an alert should a malicious file appear on the hard drive.

How to bypass them?


Windows SSH rsync equivalent

While rebuilding our lab and adjusting internal procedures, we had to reconsider the methods we use for transmitting data from pentester computers to the corporate environment. The source machine is a Linux box transmitting data to a Linux server. This step is fairly simple, since rsync works perfectly well for syncing data over SSH; however, the next step is to transmit data from the Linux box to a Windows workstation. This requires retaining the rsync functionality that automatically syncs all files and removes obsolete ones in the target tree.


MAC-based dynamic VLAN assignment on a 2960-X Cisco switch

We were doing some adjustments in our lab network recently and had a discussion on how to have a user's VLAN assigned based on the type of device they connect to the switch. This results from the fact that each user has at least two computers that, depending on one’s tasks, have to be separated from each other and from the services in the network. We wanted a pretty simple solution that ideally could be deployed within a week and – if possible – would be hosted on the switch itself without any other services in the network.

Enforcing password complexity with pwquality.conf (libpam-pwquality)

I was working on creating methods that would ensure users’ passwords meet complexity standards on several boxes. I figured it was a fairly simple task and should take at most 5 minutes to finish but it eventually took a little longer.

Most of the how-tos I found on this topic were outdated; some used cracklib or login.defs to ensure certain settings are in place. I am not saying that is wrong, as they will most likely allow you to succeed; however, some mentioned pam_pwquality as its successor, so I figured I would try it out. Then I got a little confused, since my machine already had an /etc/security/pwquality.conf file but libpam-pwquality was missing from the system, so…


Windows 10 to Samba: security policies block unauthenticated guest access

If you happen to have problems connecting to your Samba server from a Windows 10 box and end up with an error message like:

You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.


TrueCrypt: Print (“WARNING: Using TrueCrypt is not secure”);

Some time after the Heartbleed bug, the infosec world had another storm and topic to talk about: the TrueCrypt closure. Aside from the reasons and weirdness around the topic, some have come to the conclusion that the latest version of TrueCrypt may contain some kind of backdoor.

However, a brief look at the source code reveals that changes were made throughout the project indicating regular maintenance work. The most important change is that the newest version of TrueCrypt is actually limited to decrypting your previously encrypted containers only.
