- 25
- 60 637
Pentest Laboratories
United Kingdom
เข้าร่วมเมื่อ 21 ม.ค. 2020
Official TH-cam Channel of Pentest Laboratories company.
Pentest Laboratories is a penetration testing company based in the United Kingdom with a mission to provide modern cyber security services. The videos uploaded in the channel are for education purposes only and Pentest Laboratories has not liability for any misuse.
All the uploaded videos are trademark of Pentest Laboratories and they cannot be used without Pentest Laboratories authorisation.
Pentest Laboratories is a penetration testing company based in the United Kingdom with a mission to provide modern cyber security services. The videos uploaded in the channel are for education purposes only and Pentest Laboratories has not liability for any misuse.
All the uploaded videos are trademark of Pentest Laboratories and they cannot be used without Pentest Laboratories authorisation.
Shadow Credentials
Microsoft has introduced a new technology in Windows Server 2016 and Windows 10 which allows authentication over a certificate key pair (Windows Hello for Business). Certificate information is stored in the active directory attribute msDS-KeyCredentialLink of a machine or user account.
Generating a new certificate and a key pair to a compromised machine account could allow a threat actor to re-establish access by obtaining a ticket granting ticket. This technique could be used as a domain persistence.
✍ 📝pentestlab.blog/2022/02/07/shadow-credentials/
Generating a new certificate and a key pair to a compromised machine account could allow a threat actor to re-establish access by obtaining a ticket granting ticket. This technique could be used as a domain persistence.
✍ 📝pentestlab.blog/2022/02/07/shadow-credentials/
มุมมอง: 2 069
วีดีโอ
Domain Persistence - Machine Account
มุมมอง 9363 ปีที่แล้ว
Any user on the network can create by default up to 10 machine accounts. Modification of the userAccountControl attribute will transform the machine account to a domain controller and therefore the DCSync technique could be used to retrieve domain password hashes by utilizing the credentials of that account. Article: pentestlab.blog/2022/01/17/domain-persistence-machine-account/
Domain Escalation - ShadowCoerce
มุมมอง 1.1K3 ปีที่แล้ว
Domain controllers which are running the VSS Agent Service could provide an opportunity for domain escalation. The File Server Remote VSS Protocol exposes two methods which rely on remote UNC paths. It is possible to invoke the domain controller machine account to authenticate with a UNC path in order to capture the Net-NTLMv2 hash and relay that authentication to the Certification Authority. T...
Domain Escalation - sAMAccountName Spoofing
มุมมอง 1.8K3 ปีที่แล้ว
During red team assessments it might be possible to modify the "sAMAccountName" attribute of a computer object in order to request a ticket for a high privilege machine account such as the domain controller. Using that ticket a red team operator can impersonate a domain administrator in order to request a service ticket and perform elevated operations.
Process Ghosting
มุมมอง 1.8K3 ปีที่แล้ว
Process Ghosting is an image tampering technique which can be used to evade endpoint security products. This is because the original image which creates the arbitrary process on the system is flagged for deletion. Therefore antivirus solutions cannot detect processes with malicious intent as the original image is deleted prior to process scanning which occurs when a thread is inserted and not w...
Domain Persistence - Golden Certificate
มุมมอง 1.6K3 ปีที่แล้ว
Retrieving the CA certificate could allow a threat actor to forge and sign certificates for any domain user on the domain including domain machine accounts for domain persistence. The most critical machine account is the the one the belongs to the Domain Controller. The forged certificate can then be used to request a Kerberos ticket from the KDC and utilize this ticket with pass the ticket on ...
Resource Based Constrained Delegation
มุมมอง 3.1K3 ปีที่แล้ว
Resource Based Constrained Delegation is a technique which combine NTLM Relay and creation of new computer accounts in order to escalate privileges to a target host. This is achieved by coercing the SYSTEM account to authenticate towards an attacker machine and then relay that authentication in the domain controller in order to give delegation permissions to a machine account. Kerberos tickets ...
PetitPotam - NTLM Relay to AD CS
มุมมอง 5K3 ปีที่แล้ว
PetitPotam attack attempts to force the DC$ machine account in order to authenticate with the Active Directory Certificate Services and request for a certificate. This certificate can be imported into the current session of the user in order to request an elevated TGT from Kerberos and therefore elevate privileges from standard user to domain admin. Article: pentestlab.blog/2021/09/14/petitpota...
Account Persistence - Certificates
มุมมอง 9703 ปีที่แล้ว
Certificate services by default are not secure. Red team operators could enroll for a certificate from the CA and request the password NTLM hash of the current user for the duration validity of the certificate. Cracking the password hash offline could allow persistence on the host. The video demonstrates the steps needed to perform the technique. Article: pentestlab.blog/2021/09/13/account-pers...
Universal Privilege Escalation and Persistence - Printer
มุมมอง 1.9K3 ปีที่แล้ว
In a system which elevated access has been achieved can be used to serve a network printer that will load an arbitrary driver in every host on the network that a user will attempt to connect. Since the Print Spooler service is running with SYSTEM level privileges , printer drivers and files will be copied locally from the network location of the printer and executed under the context of the ser...
Credentials Dumping - RDP
มุมมอง 7K3 ปีที่แล้ว
During a remote desktop connection associated processes such as svchost & mstsc can be targeted to harvest credentials during red team assessments. The svchost contains the credentials in memory while API hooking can be used for the mstsc process. The video demonstrates both techniques.
Persistence - AMSI
มุมมอง 1.5K3 ปีที่แล้ว
AMSI (Antimalware Scanning Interface) communicates with Windows Defender or any other endpoint that supports AMSI in order to scan scripts for the presence of malicious contents. During Red Team assessments if an administrator account has been compromised, AMSI could be used as a method of persistence by registering an arbitrary provider which will execute a payload when the trigger word is pas...
AMSI Bypass Methods
มุมมอง 5K3 ปีที่แล้ว
AMSI has been developed in order to prevent execution of malicious scripts. During red team assessments there are various evasions that could be used to bypass this control prior to any script execution. In this video the following AMSI Bypass Methods are being demonstrated: 1) AMSI Bypass - DLL Hijacking 2) AMSI Bypass - Registry Key Modification 3) AMSI Bypass - Forcing an Error 4) AMSI Bypas...
Remote Potato - From Domain User to Enterprise Admin
มุมมอง 2.9K3 ปีที่แล้ว
Remote Potato is a technique which can be used for elevation of privileges (Domain User to Enterprise Administrator). The Domain Administrator needs to be physically connected or via RDP on the host. A COM activation call is triggered which is sent to the host of the attacker. The traffic is forwarded back and this triggers a second authenticated call which is captured locally (RPC Server). Thi...
Process Herpaderping - Windows Defender Evasion
มุมมอง 3.2K4 ปีที่แล้ว
Process Herpaderping is a technique that could be used for arbitrary code execution and evasion of Windows Defender. A process object on the system is created for a given file. Contents of the file are modified and then the thread is inserted. Therefore when the process starts Windows Defender cannot determine whether the process is malicious since the image has changed and allows execution. Th...
WaitFor - Download and Execute Arbitrary Code
มุมมอง 1.3K4 ปีที่แล้ว
WaitFor - Download and Execute Arbitrary Code
"!] Error. Trigger DCOM failed with status: 0x80070776" I get this error when run remote potrato.exe . hoe solved it?
I understand there is SIF and RID on the end. Is the RID unique to windows computer or user accounts?
Sorry to bother you i tried to compile the forgecert.exe project usin the SLN file, no matter what .NET framework i used (2.0 to 4.8.1), and settings i can't build it neither DEBUG nor BUILD in VS, no error in the project very hard to troubleshoot . thanks in advance
It is better to create an issue and provide this information with any additional output + screenshot from Visual Studio in the official GitHub repository --> github.com/GhostPack/ForgeCert/issues
This channel is awesome. Short and useful videos, thank u
thank you for visiting and watching. We have some ideas to improve the knowledge sharing in our channel.
This is pretty cool, but if you need DA privileges to make the change to the machine account's userAccountControl attribute, what's the point if you already have DA? Can't stealing the krbtgt be a better way to have persistence?
There is a lot of focus from detection point of view on the creation of golden tickets. Using a computer account to act as a DC and dump hashes you might go undetected. On the video the account is used to access DC but on the article dumping hashes can be used using the arbitrary machine account. Imagine a SOC team to have high alerts for any changes on the DC but they don't monitor machine account creation etc. Furthermore, if you work in an internal security team it is beneficial for the SOC to know alternative ways of persistence.
Great content!
Thank you!
Hi! Can I know which Windows version are you using? And also, in my case this proc_ghost64.exe did not work with windows 10 2019 build it crashed it. Any solutions?
Hello! The version was Windows 10 Enterprise but I don't think the crash is related to the version. Do you have any crash error? Also is your Windows build 32bit or 64bit?
@@PentestLaboratories Hi. Win 10 64 bit. stop code received was "system_service_exception" it gave a blue screen error and crashed and restarted the Vm as soon as I ran proc_ghost64.exe
Thank you for the excellent content!
Glad you enjoy it!
very nice, I learn so much from your channel.
Glad to hear that!
So do you recommend not tu use Pasword Filters? I was thinking about the idea tu use the I have been pwed database in the AD to prevent weak passwords but with your video...I dont know what to do right now.
You can use Password Filters but make sure you monitor for registry changes on the following key to detect abuse: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Very interesting techniques and approaches to modern day securities.
Thank you! We appreciate the comment and for viewing our videos!
This is really great man, thank you
Glad you like it!
buen video
Thank you!
Thanks for the video...
Our pleasure!
Thank you for good content, keep up the good work!
Thanks, will do!
CMD ver 10.0.18363.418 RegSvr32 -> The module "AmsiProvider.dll" was loaded but the call to DllRegisterServer failed with error code 0x80070005. CMD needs to be opened in Priv mode.
any article about this poc ?
You can find the article here: pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/
I wonder, how it would work (or not) with disabled WSH (lolbins) and removed PowerShell, removed not uninstalled. reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f reg add "HKLM\Software\WOW6432Node\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "10" /t REG_SZ /d "cscript.exe" /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "29" /t REG_SZ /d "powershell.exe" /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "30" /t REG_SZ /d "powershell_ise.exe" /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "47" /t REG_SZ /d "wscript.exe" /f taskkill /im PowerShell.exe /f taskkill /im PowerShell_ISE.exe /f takeown /s %computername% /u %username% /f "%ProgramFiles%\WindowsPowerShell" /r /d y icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r %username%:(OI)(CI)F /t /l /q /c rd "%ProgramFiles%\WindowsPowerShell" /s /q takeown /s %computername% /u %username% /f "%ProgramFiles(x86)%\WindowsPowerShell" /r /d y icacls "%ProgramFiles(x86)%\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q takeown /s %computername% /u %username% /f "%WinDir%\System32\WindowsPowerShell" /r /d y icacls "%WinDir%\System32\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c rd "%WinDir%\System32\WindowsPowerShell" /s /q takeown /s %computername% /u %username% /f "%WinDir%\SysWOW64\WindowsPowerShell" /r /d y icacls "%WinDir%\SysWOW64\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c rd "%WinDir%\SysWOW64\WindowsPowerShell" /s /q
Since 1 year I am searching tutorials to learn website hacking penetration testing and bug bounty hunting and now by chance I came to your channel. Alas DIAMONDS like you are always hidden... Brother, Please do grant us the knowledge about core website hacking and web bug bounty hunting programmes. Brother believe me MENTORS like you born in centuries. You are a living LEGEND for all H3ck3rs n new born bug bounty hunters. Love U Respect U Salute U 🤝❤💚💙🌺⚘🌷👌👍
Thank you for your kind words. Our philosophy is outside of bug bounty hunting and our focus is only to demonstrate red teaming techniques.
Nice
Thank you!
So pristine share! I had read most of your Persistence topic, please keep that!
We will continue to upload content! Thank you for your support!
I get that it hides it at runtime but how is mimikatz not flagged by defender even before executing?
Typically malicious executables are flagged during a scan or when the malicious item is browsed by the user in the folder.
Ahhhhhh..like @hermeticus just stated there is no way mimikatz , metasploit , cobalt strike or any other public payload is able to avoid deletion by AV (even if it is never clicked) unless you obfuscate or mangle the code in some type of fashion.
What is the difference of Source File and Target File when executing the ProcessHerpaderping.exe?
The source file is the original arbitrary binary (it can be mimikatz, a payload or any other tool that you want to execute etc.), the target file will be created on the disk based on the contents of the source file and after some code obfuscation happens. So the target file is actually what is executed on the system.
@@kilas2762 It looks like that the source file "demon.exe" might be already running on the system so it is locked. Your source file needs to be a binary which is not running as a process on the system.
github.com/Mr-Un1k0d3r/SCShell Reference for both script
Great thank you! We will update the description as well.
github.com/0xthirteen/SharpMove
Thank you!
Always a please to see your videos : )
There are a lot of hours spent in the process for these videos so a big thank you!
Wow! Very, VERY cool! Thank you!!!!
Thank you for the positive comment!
No sound?
You can read the technical details of the video here: pentestlab.blog/2020/05/20/persistence-com-hijacking/
@@PentestLaboratories Awesome, thank you!
Does this work with domain joined machine and changing the domain account password?
Yes it works with domain-joined systems as well. If you want to read more: pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
Perfect
Thank you!
But your writing the change plaintexted password to c:/ first?
No you don't write anything. The DLL will write two files on the C: drive that will contain the plain-text password. When the DLL has been dropped into disk and registry modifications have been applied a reboot is required so the LSASS process to load the Password Filter DLL. Then when the user change his password the DLL will capture the new credentials and will write them in C:\ drive. Please visit pentestlab.blog/2020/02/10/credential-access-password-filter-dll/ for a step by step guide.
Mind sharing the code to compile that dll?
I have added the URL in the description!