From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here

Episode Media

[MP3 pt1]


PaulDotCom Security Weekly - Episode 343 for Thursday August 29th, 2013

  • We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
  • We are looking for sponsors for our September webcast. Contact mike -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Intro on BruCON with Matt

Matt is a long time volunteer of BruCON and is going to let us know all the great things in store for 2013.

Here are just a couple of those things:

BruCON 2013 Schedule

BruCON 2013 Training

Guest Interview: Ira Winkler



Ira Winkler, CISSP is President of Secure Mentem. Ira is one of the foremost experts in the human elements of cyber security and is known for the extensive espionage and social engineering simulations that he has conducted for Fortune 500 companies globally, and has been named a “Modern Day James Bond” by the media.

  1. How did you get your start in information security?
  2. How do you recommend others get their start in the field?
  3. What was most attractive about the physical security and espionage aspect of our field?
  4. What is your opinion on certifications and education in the security field? What improvements would you make?
  5. In terms of severity, where do you rank insider threat? Do people often downplay the risk associated with insider threats?
  6. What are some of the most difficult companies to break into?
  7. What are the top mistakes companies make when it comes to physical security?
  8. What is the most important skill(s) someone needs to be successful, is it technical? Social skills? Mindset? or a combination of technical and interpersonal skills?
  9. Why are James Bond and Sydney Bristow terrible spies?
  10. What are some of the most successful techniques when you are looking to target and steal company information?
  11. Have you ever been confronted during a test and been told what you are doing is illegal?
  12. How do you combine the physical aspects of testing with more traditional types of hacking? Is it a blended threat?
  13. What can companies do to improve physical security? Preventing inside threat?

Five Questions:

  • Three words to describe yourself
  • If you were a serial killer, what would be your weapon of choice?
  • In a game of ass grabby-grabby do you prefer to go first or second?
  • If you wrote a book about yourself, what would the title be?
  • Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?

Tech Segment: Carlos Perez



Also known as DarkOperator, Carlos spends his time reverse engineering and practicing PowerShell Kung-Fu. He is known by his motto "Shell is only the Beginning".

  1. Enumerating a Domain using ADSI in PowerShell

I got a call from a friend who, during a pentest, had gotten access to a command shell through a MS SQL Server using xp_cmdshell after brute forcing the SA account. Sadly the SQL server was running as Network Service and it was fully patched, which meant that privilege escalation was very difficult. I recommended making the most of it and enumerating the network through the connection he had, but ACLs were applied to several binaries on the system, making this difficult. After thinking about it I asked him to test PowerShell; when we found out that we could execute it, I remembered that once on a machine joined to the domain one can enumerate the entire domain (computers, groups, users, etc.) using ADSI (Active Directory Services Interfaces), so I started to look at writing a simple script to achieve this. No elevation is needed for this: Network Service authenticates on the network as the computer account, and by default any authenticated domain principal can read most of the directory. First I created an ADSI Searcher object with a filter for objects of type computer and set a limit of 100 items.

PS C:\Windows\system32> $adsisearcher = [adsisearcher]'objectcategory=computer'
PS C:\Windows\system32> $adsisearcher.SizeLimit = 100
PS C:\Windows\system32> $adsisearcher.FindAll()

Path                                                                                  Properties                                                                           
----                                                                                  ----------                                                                           
LDAP://CN=DC01,OU=Domain Controllers,DC=acmelabs,DC=com                               {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, ridsetrefe...
LDAP://CN=DC02,OU=Domain Controllers,DC=acmelabs,DC=com                               {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, ridsetrefe...
LDAP://CN=WIN701,OU=HR,DC=acmelabs,DC=com                                             {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN702,OU=HR,DC=acmelabs,DC=com                                             {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN801,CN=Computers,DC=acmelabs,DC=com                                      {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN2K01,CN=Computers,DC=acmelabs,DC=com                                     {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN2K301,CN=Computers,DC=acmelabs,DC=com                                    {primarygroupid, iscriticalsystemobject, displayname, codepage...}                   
LDAP://CN=WIN2K302,CN=Computers,DC=acmelabs,DC=com                                    {primarygroupid, iscriticalsystemobject, displayname, codepage...}                   
LDAP://CN=ALBEXCH01,CN=Computers,DC=acmelabs,DC=com                                   {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=ALABSCCM,CN=Computers,DC=acmelabs,DC=com                                    {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN802,CN=Computers,DC=acmelabs,DC=com                                      {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=LOGCOLLECTOR,CN=Computers,DC=acmelabs,DC=com                                {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=ALABSQL2K51,CN=Computers,DC=acmelabs,DC=com                                 {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=ALABSQL2K8R2-01,CN=Computers,DC=acmelabs,DC=com                             {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=ALABFS01,CN=Computers,DC=acmelabs,DC=com                                    {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 

Once I saw I could pull the data I rewrote the script to pull the data, select only the attributes I wanted and, using .NET API calls, resolve each computer's FQDN to its IP addresses:

$adsisearcher = [adsisearcher]'objectcategory=computer'
$adsisearcher.SizeLimit = 100
$adsisearcher.FindAll() | ForEach-Object {
    $CompProps = @{}
    $fqdn = "$($_.properties.dnshostname)"
    $CompProps.Add('HostName', $fqdn)
    $CompProps.Add('OperatingSystem', "$($_.properties.operatingsystem)")
    $CompProps.Add('ServicePack', "$($_.properties.operatingsystemservicepack)")
    $CompProps.Add('Version', "$($_.properties.operatingsystemversion)")
    # Resolve the FQDN with the .NET DNS API; a host that is missing from DNS
    # (or has no dnshostname attribute) gets an empty list instead of an error.
    $IPs = @()
    if ($fqdn) {
        try { $IPs = @([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }) }
        catch { $IPs = @() }
    }
    $CompProps.Add('IPAddress', $IPs)

    New-Object PSObject -Property $CompProps
}

Now the problem with PowerShell is that we cannot launch it interactively from a plain vanilla command shell (such as the one xp_cmdshell gives us), because it takes over the console and breaks our shell, just like WMIC does. We can get around this by handing the whole script to powershell.exe on the command line with the -EncodedCommand parameter: the script is encoded as UTF-16LE (which is where the null bytes between the characters come from) and then Base64 encoded. In fact powershell.exe gives an example of this in its help message:

C:\Windows\system32> powershell.exe -h


    PowerShell -PSConsoleFile SqlSnapIn.Psc1
    PowerShell -version 1.0 -NoLogo -InputFormat text -OutputFormat XML
    PowerShell -Command {Get-EventLog -LogName security}
    PowerShell -Command "& {Get-EventLog -LogName security}"

    # To use the -EncodedCommand parameter:
    $command = 'dir "c:\program files" '
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
    $encodedCommand = [Convert]::ToBase64String($bytes)
    powershell.exe -encodedCommand $encodedCommand
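The same encoding carried out on a multi-line script, together with the reverse step, as an added example (this is not code from the segment or from Posh-SecMod). The helper names, the sample script and the 8191-character figure for a cmd.exe command line are mine; the decoder is what a defender uses on an -EncodedCommand argument pulled out of a process-creation log.

```powershell
# Added example: encode a multi-line script for -EncodedCommand and decode one back.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory=$true)][string]$Script)
    # powershell.exe expects the Base64 payload to be UTF-16LE, so every ASCII
    # character becomes <byte> 0x00: those are the "null characters" seen
    # when the decoded blob is viewed in a hex editor.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Script)
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory=$true)][string]$Encoded)
    # Reverse step: useful for reading an -enc argument found in a log.
    $bytes = [Convert]::FromBase64String($Encoded)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Constructed sample payload: a cut-down version of the enumeration loop above.
$script = @'
$s = [adsisearcher]'objectcategory=computer'
$s.SizeLimit = 100
$s.FindAll() | ForEach-Object { "$($_.properties.dnshostname)" }
'@

$enc = ConvertTo-EncodedCommand -Script $script
"Encoded length: $($enc.Length) characters"

# cmd.exe accepts at most 8191 characters on one line, so a long script has to
# be compressed or staged from a file instead of passed inline.
if ($enc.Length -gt 8000) { Write-Warning 'Too long for a cmd.exe command line' }

# From the plain shell the call would be:
#   powershell.exe -NoProfile -NonInteractive -EncodedCommand <value of $enc>

# Round trip: the decoded text must equal the original script.
$decoded = ConvertFrom-EncodedCommand -Encoded $enc
if ($decoded -ne $script) { throw 'round trip failed' }
$decoded
```

Because -EncodedCommand passes a command rather than a script file, the execution policy does not apply to it; conversely, the Base64 blob is recorded verbatim in command-line auditing, so it hides nothing from anyone who decodes it.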

If you are on OS X or Linux you can use a Python script I wrote for this, available in my GitHub:


infidel02:Desktop carlos$ ./ps_encoder.py -h
Version: 0.1
Usage: ./ps_encoder.py <options>

   -h, --help                  Show this help message and exit
   -s, --script                PowerShell Script.

If you have no shame and are running XP or 2K, there is also an exe you can use:


Also to make things easier my Posh-SecMod PowerShell module https://github.com/darkoperator/Posh-SecMod has an encode function:

C:\Users\Carlos> gcm *post*

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Compress-PostScript                                Posh-SecMod
Function        ConvertTo-PostBase64Command                        Posh-SecMod
Function        ConvertTo-PostFiletoHex                            Posh-SecMod
Function        ConvertTo-PostHextoFile                            Posh-SecMod
Function        Get-MSFPostCompatiblePayloads                      Posh-SecMod
Function        Get-MSFPostModule                                  Posh-SecMod
Function        Get-MSFSessionCompatPostModules                    Posh-SecMod
Function        Get-PostCopyNTDS                                   Posh-SecMod
Function        Get-PostHashdumpScript                             Posh-SecMod
Function        Get-PostReverTCPShell                              Posh-SecMod
Function        New-PostDownloadExecutePE                          Posh-SecMod
Function        New-PostDownloadExecuteScript                      Posh-SecMod
Function        Start-PostRemoteProcess                            Posh-SecMod
Application     RelPost.exe

C:\Users\Carlos> help ConvertTo-PostBase64Command

NAME
    ConvertTo-PostBase64Command

SYNOPSIS
    Converts a given PowerShell command string in to an Encoded Base64 command.

SYNTAX
    ConvertTo-PostBase64Command [-Command] <String> [<CommonParameters>]

    ConvertTo-PostBase64Command [-File] <String> [<CommonParameters>]

DESCRIPTION
    Converts a given PowerShell command string in to an Encoded Base64 command.

REMARKS
    To see the examples, type: "get-help ConvertTo-PostBase64Command -examples".
    For more information, type: "get-help ConvertTo-PostBase64Command -detailed".
    For technical information, type: "get-help ConvertTo-PostBase64Command -full".

C:\Users\Carlos> help ConvertTo-PostBase64Command -full

NAME
    ConvertTo-PostBase64Command

SYNOPSIS
    Converts a given PowerShell command string in to an Encoded Base64 command.

SYNTAX
    ConvertTo-PostBase64Command [-Command] <String> [<CommonParameters>]

    ConvertTo-PostBase64Command [-File] <String> [<CommonParameters>]

DESCRIPTION
    Converts a given PowerShell command string in to an Encoded Base64 command.

PARAMETERS
    -Command <String>
        Command to Encode

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false

    -File <String>
        PowerShell Script to Encode

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, see
        about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Encoding a command

    PS C:\> ConvertTo-Base64Command -command "write-host 'hello world'"

    PS C:\> powershell.exe -encodedcommand

    hello world

So now that we know how to encode the script we can execute it from the xp_cmdshell session, which is still running as Network Service:

C:\Windows\system32>whoami
nt authority\network service

C:\Windows\system32>powershell.exe -enc KABbAGEAZABzAGkAcwBlAGEAcgBjAGgAZQByAF0A

ServicePack     :
Version         : 6.2 (9200)
HostName        : DC01.acmelabs.com
IPAddress       : {fe80::10e9:a8b2:310:8fff%12,}
OperatingSystem : Windows Server 2012 Standard

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : DC02.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2008 R2 Enterprise

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : WIN701.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows 7 Enterprise

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : WIN702.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows 7 Ultimate

ServicePack     :
Version         : 6.2 (9200)
HostName        : WIN801.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows 8 Enterprise

ServicePack     :
Version         : 6.2 (9200)
HostName        : WIN2K01.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2012 Standard

ServicePack     : Service Pack 2
Version         : 5.2 (3790)
HostName        : win2k301.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2003

ServicePack     : Service Pack 2
Version         : 5.2 (3790)
HostName        : win2k302.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2003

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : ALBEXCH01.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2008 R2 Enterprise

ServicePack     :
Version         : 6.2 (9200)
HostName        : ALABSCCM.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2012 Standard

ServicePack     :
Version         : 6.2 (9200)
HostName        : WIN802.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows 8 Enterprise

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : LOGCOLLECTOR.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2008 R2 Standard

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : ALABSQL2K51.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2008 R2 Standard

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : ALABSQL2K8R2-01.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2008 R2 Standard

ServicePack     :
Version         : 6.2 (9200)
HostName        : ALABFS01.acmelabs.com
IPAddress       : {}
OperatingSystem : Windows Server 2012 Standard

Some additional filters:

All security groups (local, global and universal):


All users:


All users (more effective):


All users with the account configuration 'Password never expires':


All domain controllers:


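The filter headings above are listed without their filter strings. The following is an added example, not Carlos's code: it runs each of those queries through the same [adsisearcher] approach using the standard Active Directory LDAP filters for them (the bitwise-AND matching rule 1.2.840.113556.1.4.803 tests individual flag bits in userAccountControl and groupType). The Search-Domain helper name and the 500-entry page size are my choices; the "more effective" users filter is the indexed sAMAccountType form.

```powershell
# Added example: the additional filters, with server-side paging instead of
# the 100-object SizeLimit used for the first test.
function Search-Domain {
    param(
        [Parameter(Mandatory=$true)][string]$Filter,
        [string[]]$Properties = @('samaccountname', 'distinguishedname')
    )
    $searcher = [adsisearcher]$Filter
    # PageSize makes the DC hand results back in pages, so large domains are
    # fully enumerated instead of being cut off at the server's MaxPageSize
    # (1000 by default) or at a SizeLimit on the client.
    $searcher.PageSize = 500
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll() | ForEach-Object {
        $obj = @{}
        foreach ($p in $Properties) { $obj[$p] = "$($_.properties[$p])" }
        New-Object PSObject -Property $obj
    }
}

# All security groups, whatever their scope: bit 0x80000000 of groupType.
$groups = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'

# All users: objectClass=user alone also matches computers, hence the category.
$users = '(&(objectCategory=person)(objectClass=user))'

# All users, more effective: sAMAccountType is indexed, 805306368 = normal user.
$usersFast = '(samAccountType=805306368)'

# Users whose password never expires: userAccountControl bit 0x10000 (65536).
$pwdNeverExpires = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'

# Domain controllers: computer objects with SERVER_TRUST_ACCOUNT, bit 0x2000 (8192).
$domainControllers = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'

foreach ($f in $groups, $users, $usersFast, $pwdNeverExpires, $domainControllers) {
    "== $f =="
    Search-Domain -Filter $f | Select-Object -First 5 | Format-Table -AutoSize
}
```

Every one of these queries is an ordinary LDAP read, so it works as the computer account from a Network Service shell. Defensively, the same queries are how you find the accounts with non-expiring passwords that an attacker would go after first.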

Paul's Stories

  1. Java 6 0-Day Exploit in the Wild – Updated
  2. Webantix: Webshot: Screenshot every web server during your pen test
  3. BYOD – How much do you love your corporate laptop?
  4. Want to break some Android apps?
  5. ISPs scramble to explain mouse-sniffing tool
  6. Tesla Model S REST API Authentication Flaws
  7. Poison Ivy RAT Becoming The AK-47 Of Cyber-Espionage Attacks
  8. Cisco cracks down on security vulnerability
  9. Talking Threats with Senior Management

Larry’s Stories

  1. Geolocation hacks - [Larry] - an app to spoof geolocation via fake APs. Why? Apparently many mobile devices rely more heavily on the WiFi location than GPS, because it is significantly faster. Uses aircrack-ng suite and mdk3. I wish I had access to Apple's WiFi geolocation database, a la WiGLE
  2. Off grid internet - [Larry] - I love this. Great opportunities to use wireless mesh networking, and build new, infrastructure without prying eyes.
  3. OSX Sudo bypass - [Larry] - If a user has successfully used sudo on OSX in the past, set the date back to unix epoch and do sudo -k. Instant privileged access. Or use Dave's script
  4. Fake IDs? - [Larry] - Yup, the RI one is correct. Quahog anyone? Hm, the market for these is interesting. The student IDs might be good for social engineering and/or student discounts.
  5. Learn to break android apps - [Larry] - Some nice places to get started to learn how to break Android mobile apps.
  6. NY Times, Twitter - [Larry] - spear phishing FTW. Why? That is what allegedly led the Syrian Electronic Army to gain control of domains for Twitter and the NYT. People are and always will be the weakest link in the chain.
  7. Tesla hacks - [Larry] - According to a Dell engineer and Tesla owner, the Tesla API allows unauthenticated control of certain, limited functions of the automobile. Paging theKos…
  8. KALI of doom! - [Larry] - Based on the implementation of Kali via PXE, now they have a tutorial for you to build a remote pentest ISO, and the ability to turn that into a pentest drop box with auto connect back via OpenVPN.

Jack's Stories

Allison's Stories