R4W Security

The art of persistence is ( and will be... ) a matter of concern when successfully exploitation is achieved. Sometimes is pretty tricky to maintain access on certain environments, specially when it is not possible to execute common vectors like creating or adding users to privileged groups, dumping credentials or hashes, deploying a persistent <bind/reverse> shell, or anything that could trigger an alert on the victim. This statement ratifies why it's necessary to use discrete and stealthy techniques to keep an open door right after obtaining a high privilege access on the target. What could be more convenient that only use OS resources in order to persist an access? This is the new post-exploitation technique which I have named RID Hijacking . The RID Hijacking Attack By using only OS resources, it is possible to hijack the RID of any existing account on the victim (even the 500 Administrator Built-in Account ), and assign it to another user account. This attack wil

Extracting what? One of the most tedious and long tasks a pentester has to do when assessing a company's domain, is the extraction of the NTDS.dit file, located ( usually ) in the Domain Controllers of the Active Directory . Retrieving the  hashes of all users from the  Active Directory is the first thing that a hacker ( well... I think ) should do after obtaining Domain Admin  privileges. Obtaining the  LM/NTLM hashes is crucial; it gives a huge list of possibilities to maintain access after an effective exploitation ( i.e. Golden Ticket, password cracking, pass-the hash, etc.) , and looks beautiful when is documented in a pentesting report ;) Common ways to dump hashes There are at least 3 well known ways of extracting the LM/NTLM hashes from Active Directory . Extracting the  NTDS.dit   file from a shadow copy using vssadmin , dumping the tables datatable and link_table with  esedbexport of esedebtools framework , and retrieving the users data using scripts o

One of the most common vulnerability that could be found in the wild is the buffer overflow . Either found as a stack overflow or heap overflow , it could allow not only reading but overwriting memory addresses which shouldn't be accessible from the standard program execution flow. By doing a code revision, or maybe some reversing over a binary or executable, it is possible to find this kind of vulnerabilities which impact the integrity, confidentiality and availability of the information when exploited by an attacker. Off by one in x86 This vulnerability occurs when a buffer operation is executed once more than it should. Let's look the next vulnerable c code: This program takes the string entered as argument when executing the program (i.e. ./program argument ), and copies it to the buf  variable, which size is 128 bytes. Nevertheless, there is a terrible mistake in the  for loop definition, but why? The buf array length is defined as 128, it is a char array,