
Archive for the ‘Post Exploitation’ Category

Jumping from Corporate to Compromising Semi-Isolated Network

September 21, 2017

Finding and attacking hosts in Semi-Isolated networks
The new script 'hopandhack' can be used by attackers to automatically find and hunt down hosts that are not directly accessible from the attacker's machine. In some organizations, IT administrators have to use a 'jump box' or a VPN to reach the secure data centre or PCI network where sensitive data is stored.

The 'hopandhack' script automates the process of finding hosts that have the necessary routes into these secure networks and compromising them. The functionality of hopandhack will be incorporated into Portia in the next week or so.

The hopandhack script can be found at https://github.com/SpiderLabs/portia under the filename 'hopandhack.py'.

Basic workflow of the attack

Below is a video demo as presented at Rootcon (2017). In the video, the attacker is able to access one host (host A) but not the other host (host B) that sits in the secure network.

Host A has an active route to host B. In order to compromise host B, the attacker has to set up a relay from host A to host B and then use this relay to dump credentials/hashes from host B.

More functionalities will be added in future.

The tool is currently available as a standalone tool and its functionalities will be ported over to Portia in the following week.
https://github.com/SpiderLabs/portia/blob/master/hopandhack.py

The slides from Rootcon 2017 are available at https://www.slideshare.net/secret/tkQFhYeFY3zEi4


Windows Prefetch Folder Tool

October 19, 2009

The inspiration for this tool came after listening to Pauldotcom Episode 171.
I wanted something that I can run in the form of a script to extract information from the Windows prefetch folder.

Windows caches portions of frequently accessed programs in order to speed up program launches. The prefetch folder reveals which programs have been run recently on the machine, how many times each program was executed and when it was last executed.

This is one of the first places forensic investigators should look at when examining a compromised or suspect machine (as heard on Pauldotcom).

The tool can be downloaded from http://code.google.com/p/prefetch-tool/

The screenshot below shows the options of the prefetch-tool.

[Screenshot: prefetch-tool usage help]

The screenshot below shows the results of running the prefetch-tool script.

[Screenshot: example of prefetch-tool usage]
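As an added example (not the prefetch-tool's own code), the snippet below pulls the same three facts the post describes, the executable name, the run count and the last run time, straight out of a .pf file header using the publicly documented offsets for the XP/2003, Vista/7 and Windows 8 file versions, and sorts a folder of them by most recent execution. The function names are my own and the sample file it builds is constructed, not a real prefetch file.

```python
import glob
import os
import struct
from datetime import datetime, timedelta, timezone
# Header offsets of the uncompressed .pf format (libscca / Forensics Wiki docs); version
# 17 = XP/2003, 23 = Vista/7, 26 = Win8. Win10 (v30) files are MAM-compressed: rejected.
_LASTRUN_OFFSET = {17: 120, 23: 128, 26: 128}
_RUNCOUNT_OFFSET = {17: 144, 23: 152, 26: 208}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Extract executable name, run count and last run time from raw .pf bytes."""
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature (compressed or not a .pf file)")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in _RUNCOUNT_OFFSET or len(data) < _RUNCOUNT_OFFSET[version] + 4:
        raise ValueError("unsupported or truncated prefetch file, version %d" % version)
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16LE field
    path_hash = struct.unpack_from("<I", data, 76)[0]  # same hash as in the .pf filename
    last_run = struct.unpack_from("<Q", data, _LASTRUN_OFFSET[version])[0]
    run_count = struct.unpack_from("<I", data, _RUNCOUNT_OFFSET[version])[0]
    return {"version": version, "executable": name, "hash": "%08X" % path_hash,
            "run_count": run_count, "last_run": filetime_to_datetime(last_run)}

def scan_prefetch_dir(folder):
    """Parse every *.pf in a folder, most recently run first; bad files are skipped."""
    rows = []
    for path in glob.glob(os.path.join(folder, "*.pf")):
        with open(path, "rb") as fh:
            try:
                rows.append(parse_prefetch(fh.read()))
            except ValueError:
                pass
    return sorted(rows, key=lambda r: r["last_run"], reverse=True)

def build_sample_pf():
    """Constructed version-17 (XP) image for a stand-alone run; not a real file."""
    buf = bytearray(156)
    struct.pack_into("<I", buf, 0, 17)
    buf[4:8] = b"SCCA"
    buf[16:76] = "CALC.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, 0x0FE8F3A8)  # constructed hash value
    delta = datetime(2009, 10, 19, 12, 0, tzinfo=timezone.utc) - _EPOCH
    struct.pack_into("<Q", buf, 120, (delta.days * 86400 + delta.seconds) * 10_000_000)
    struct.pack_into("<I", buf, 144, 42)  # run count
    return bytes(buf)
```

On a live system the folder to pass is C:\Windows\Prefetch; the signature check keeps the parser from misreading a Windows 10 compressed file as an older layout.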

Send me your comments and feedback at keith.lee2012[at]gmail.com

Categories: Post Exploitation