Earlier this year I submitted three sessions to the IT DEV CONNECTIONS conference and, to my big surprise, all of them were accepted. I was hoping that at least one of them would be accepted, but all three were, and that is just incredible. I must admit that at first I was a bit scared, since […]
Posts in category Security
Defense-In-Depth write-up
TL;DR: .BGI files can be sent by mail as an attachment and can execute code when opened. Requires that BGinfo.exe has been run on the remote machine once. It will also bypass Outlook attachment protection (fixed with the Defense-in-Depth patch from September 2017). PowerShell functions to generate BGI and VBSWebMeter are here: https://github.com/api0cradle/BGInfo I was acknowledged on […]
Research on CMSTP.exe
Whenever I have a chance I use my time diving into Windows internal binaries to uncover hidden functionality. This blog post is dedicated to things I have discovered with the CMSTP.exe binary. I found a UAC bypass using SendKeys and a way to load DLL files from a WebDAV server. I know the bypass I […]
Accessing clipboard from the lock screen in Windows 10 #2
I received a lot of positive feedback on my previous post on accessing the clipboard from the lock screen using the wireless password field: https://msitpros.com/?p=3746 Just out of curiosity I tried other ways of doing the same thing, and I found another cool trick to do the same using the Narrator feature in Windows. […]
Accessing clipboard from the lock screen in Windows 10
I discovered something interesting that I wanted to share with the rest of the world. Before you read any further, I want you to know that I did send an email to MSRC (Microsoft Security Response Center) about this. The answer I got was this: «In general, MSRC does not consider issues that require […]
Creating Phishing bait with PowerShell
This post is all about how I created a PowerShell script to automate the process of generating USB sticks used in a social engineering attack. The goal of the attack was to measure whether the employees inserted the USB sticks and opened any documents. It was not a goal to exploit the users. The manual way: So […]
Compliance search – a pentesters dream
After watching «The Advanced Persistent Pentester (All Your Networks Are Belong 2 Us)» (http://www.irongeek.com/i.php?page=videos/derbycon6/416-the-advanced-persistent-pentester-all-your-networks-are-belong-2-us-beau-bullock-derek-banks-joff-thyer) and especially the release of MailSniper, I was inspired to write about another method that I use to get access to all data within mailboxes and SharePoint sites during pentests. This feature is often overlooked by pentesters and it is […]