A Core Impact module was released on January 14, 2020 to exploit an as-yet unpatched patch traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway (formerly known as NetScaler ADC & NetScaler Gateway) identified as CVE-2019-19781.This critical vulnerability is a path traversal bug that can be exploited over the internet by an attacker. It can be exploited to remotely execute...

Here’s the scenario: You’ve compromised a system but it hasn’t been logged into recently by an administrator, so you’re quite disappointed by your Mimikatz results. You’ve got local system credentials but nothing that’s on the domain except the machine account. Your mission: do something with the system that will attract the attention of someone with administrator credentials and make them log...

What if I told you that in most networks these days, you don’t have to bother with cracking the passwords? With most networks with Active Directory, you can use the stored hash obtained via Mimikatz or a WPAD attack to authenticate. How, you may ask? It’s because of the wondrous bit of mis-engineering that is the Windows NT Login Challenge and Response. I’m going to dive into this a bit, so that...

Oftentimes after using Network Information Gathering, we are still left with a number of devices that may reflect an "Unknown" OS. With the saturation of these devices in the market today, there is a good chance there may be some located on your network. By identifying these devices we can also potentially expand our attack surface and gain other useful information. So, where do we start? We may...

In this installment, we’ll start diving into the anatomy of an Impact module where you'll get the opportunity to absorb some of the features and implications before we dive into building something real and useful. In the course of conducting penetration tests, we often come across password hashes of various types. We can sometimes use these without cracking them, but, it is often useful and...

In our last installment, I gave you a final hunk of code with several function calls and decided to let you stew for a week before revealing what was going on under the hood. Well, you’ve stewed for a week, so let’s review. while DoneWithCrack == False: if not self.getTasks(str(self.getHashCatPath()).split("\\")[-1]): DoneWithCrack=True if os.path.exists(outputFile): f...

Last week, we discussed exactly what we’ll be building and got some of the boilerplate done along the way. I’m sure that you dug into the modules that I strongly hinted that you take a look at for inspiration. To review, this module will need to: Know where the Hashcat executable lives Know what hashes we want cracked Know the minimum password length to brute force Know the maximum password...

Alfredo Ortega and Anibal Sacco presented their findings in Absolute Software’s Computrace “persistent agent” as part of their ongoing research on BIOS rootkits at Black Hat USA 2009. Before I dig into some technicalities of the findings of Alfredo and Anibal, let me dispel any doubts about the disclosure process that we followed. The vendor was made aware of the report and upcoming presentation...

The pen testing world is constantly changing and threat actors are continually finding new ways to exploit organizations of all industries and sizes. In order for pen testers to safely and efficiently test and expose security weaknesses, they enlist the help of different tools. This article series from cybersecurity expert Ricardo Narvaja provides tips and tricks on reversing and exploiting...

In part 6, we learned how to understand a shellcode and its resolver. Now, we will continue with the analysis and resolution of abo2 in GHIDRA. Download ABO2 executable. The latest version is on Google drive. You can find the 7zip compressed file the executable (.exe extension), the symbols (.pdb extension), and the source code (.c extension). ...

As you may already know, when a penetration test or Red Team exercise in being executed, it is important to define the objective of the project. Sometimes it is not enough to get Domain Admin privileges, so the objective may instead be defined as access to a particular network segment or a user’s workstation where credentials and sensitive information could be stored. For the purposes of this...

Authored by: Marcos Accossatto On August 5th, ethical hacker and cybersecurity professional Antoine Goichot posted on twitter that three vulnerabilities he had discovered on Cisco AnyConnect (CVE-2020-3433, CVE-2020-3434, and CVE-2020-3435) were now public. The next day, he published a follow-up blogpost on github. That lead to an investigation by the Core Security team to find additional...