Security Lab


Nov 2016

Slack Shell Bot

By Russel Van Tuyl

I really, really, really like shells. Nothing is better than that feeling you get when a shell comes in. There are many ways to get a shell, but some of them take a while to produce. A phishing campaign that leverages malicious payloads is a good example where there might be delayed gratification on receiving a shell. The emails might be...



Oct 2016

Multi-Tool Multi-User HTTP Proxy

Background

Many of the popular Command and Control (C2) tools today operate over HTTP (e.g. Metasploit and Empire). One of the reasons HTTP is an effective protocol for C2 is that it is allowed on nearly every network in existence and is expected behavior from every network device. Additionally, using HTTP over TLS adds a further layer of security for these tools because it...



Aug 2016

PowerShell SMB Delivery

By Russel Van Tuyl

The PowerShell IEX “Download Cradle” is one of the top techniques I leverage when I have the ability to execute code on a host. This code execution typically takes place with something like PsExec.exe using recovered credentials, a successful SMBRelay attack, a malicious macro, or the payload of a Java deserialization attack. The Download Cradle leverages the PowerShell Invoke-Expression cmdlet that “Runs...



Oct 2015

It’s Midday. Do You Know Who Your Wireless Clients Are Talking To?

With the improvements to the security infrastructure of wireless networks, the major focus of wireless attacks against them is shifting from access points to the users of those access points: the wireless clients. In the past, attacks against the infrastructure were more fruitful. A lack of encryption or authentication on private networks was commonplace and, for the ones that did attempt to protect their networks,...



Oct 2015

Extracting Password Hashes from Large NTDS.DIT Files

Recently, the Sword & Shield pentest team made its annual pilgrimage to Louisville, Kentucky, to attend one of the best InfoSec conferences in the United States, DerbyCon. They were not expecting to learn about extracting password hashes from large NTDS.DIT files. DerbyCon is a conference for hands-on security professionals by hands-on security professionals. Talks range from security 101 to advanced kernel exploitation techniques. Training plug: As a side note,...



Jul 2015

Getting Hashes from NTDS.dit File

Having completed many internal penetration tests for clients, we always want to collect the NTDS.dit file from a domain controller if we get access. The primary reason to pull this file from a Windows Domain Controller is to get the password for another account (to access the truly desired data). Generally, the coveted access is to an MSSQL database or some application where the Domain Admins do...



May 2015

Dumping a Domain’s Worth of Passwords with Mimikatz Part 3

By Russel Van Tuyl

Before you go any further into this post, please note that this entire attack depends on already having obtained shared local admin or domain admin credentials. If you only have a shared local admin password, this can land you domain admin credentials. In my case, I already had domain admin credentials, and this attack landed me forest admin creds. This method rides...
