TL;DR .BGI files can be sent on mail as attachment and can execute code when opened.Requires that BGinfo.exe has been run on the remote machine once. It will also bypass Outlook attachment protection (Fixed with Defense-in-depth patch from September 2017). PowerShell functions to generate BGI and VBSWebMeter here: https://github.com/api0cradle/BGInfo I was acknowledged on […]
Whenever I have a chance I use my time diving into Windows internal binaries to uncover hidden functionality. This blogpost is dedicated to things I have discovered with the CMSTP.exe binary file. I found a UAC Bypass using sendkeys and a way to load DLL files from a Webdav server. I know the bypass I […]
Jeg gleder meg virkelig til å holde høstkurs for Hackcon fra 18. til 21. september. Dersom du skal på høstkurset så kan du lese denne blogposten så skal jeg gi deg litt oversikt over hva kurset skal inneholde og hva du kan glede deg til. Dette er første gang (som jeg vet om) noen kjører […]
TL;DR You can run a remote shell through ICMP. ICMP can be used for bad. Many customers have asked me this question many times, and in general ICMP (ICMP is a lot more than just ping, but is often referred to as ping for simplicity) is a nice thing to use to verify if […]
I must say that NIC 2017 was an awesome event and I meet a lot of great people. Thanks to all the people working for NIC that made this such a great event. During my presentation, I did not get enough time to show all the things I wanted to (damn you demo gods), and […]
I received a lot of positive feedback on my previous post on accessing the clipboard from the lock screen using the wireless password field. https://msitpros.com/?p=3746 Just out of curiosity I tried other combinations on doing the same thing, and I found out another cool trick to do the same using the Narrator feature in Windows. […]
I discovered something interesting that I wanted to be shared with the rest of the world. Before you read any further, I want you to know that I did send an email to MSRC (Microsoft Security Response Center) about this. The answer I got was this: <quote>«In general, MSRC does not consider issues that require […]
This post is all about how I created a PowerShell script to automate the process of generating USB sticks used in a Social engineering attack. The goal with the attack was to measure if the employees inserted the USB sticks and opened any documents. It was not a goal to exploit the users. The Manual way So […]
After watching «The Advanced Persistent Pentester (All Your Networks Are Belong 2 Us)» (http://www.irongeek.com/i.php?page=videos/derbycon6/416-the-advanced-persistent-pentester-all-your-networks-are-belong-2-us-beau-bullock-derek-banks-joff-thyer)and especially the release of mailsniper I was inspired to write about another method that I use to get access to all data from within mailboxes and Sharepoint sites during pentests. This is often an overlooked feature by pentesters and it is […]
With the release of Microsoft ATA 1.7 today I was pretty excited. I got a hint that a feature request I made was implemented into the product. Prior to ATA 1.7 when configuring there was no good method of verifying mail and syslog alerting. To test and verify the alert configuration, I had to trigger […]