PowerShell for Security Professionals Class at Derbycon

On September 25 and 26 I will be teaching my class, Introduction to PowerShell for Security Professionals, at Derbycon (https://www.derbycon.com/training-courses/#intropower). To give a bit of background: since 2007, starting with version 1, I have been using PowerShell for automating, managing, securing and breaking Exchange, Windows, VMware, NetApp and even Cisco for several customers in the Caribbean, Central and South America. I have to admit that of all the command shells I have used, PowerShell has to be my favorite; it is truly a very powerful shell. I have coded several thousand lines of PowerShell, in modules written both in PowerShell and C#, and I have also written several blog posts on it, all of which led to the creation of this class. Microsoft is evolving its technologies at a more rapid pace, and PowerShell has become a critical pillar of its management framework for Windows and Server products. The class is targeted at security professionals, which to me are:

  • System Admins that care about security.
  • Auditors and Incident Response teams that need to work with live and offline Windows Systems.
  • Pentesters that want to expand their skills with new ways to discover, enumerate, attack and do post exploitation using PowerShell.

The first day will be a fast-paced introduction to PowerShell and its philosophy, covering:

  • What is PowerShell.
  • Using the Help Subsystem.
  • Working with the Pipeline.
  • Extending PowerShell via Modules and Snap-ins.
  • Formatting
  • Remoting
  • PowerShell's notion of security
  • WMI and CIM
  • PowerShell Scripting Syntax

The second day will cover:

  • Network Discovery.
  • Incident Response and Auditing.
  • Post Exploitation

Stealing User Certificates with Meterpreter Mimikatz Extension

The Mimikatz extension for Meterpreter allows us to use the same commands we would use on the standalone tool inside Meterpreter as native commands. This blog post will cover specifically the stealing of a user's certificates by exporting their keys for use by the attacker. In this specific scenario we have obtained a Meterpreter session on a developer's system. The system is a Windows 7 system, as we can see


DNSRecon 0.8.6 is Out!

Just updated DNSRecon to check if it can pull the BIND version by querying the TXT record version.bind, and it will now check if the RA flag is set in responses from each of the NS servers it detects. If a server has recursion enabled it could be used for DDoS attacks and for performing cache snooping.
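
As an added illustration of the two checks described above (not DNSRecon's own code), the following Python script builds the version.bind CH TXT query, parses a raw DNS response header to read the RA (recursion available) bit, and extracts any TXT rdata. The response bytes embedded in the script are constructed by hand so the parser can be exercised offline; `send_query` is an assumed helper for running the check against a server you are authorised to audit.

```python
import socket
import struct

# DNS constants used below (from RFC 1035); CH class 3 is used for version.bind.
TYPE_TXT = 16
CLASS_CH = 3
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def build_query(qname, qtype, qclass, txid=0x1234):
    """Build a minimal DNS query with RD=1 for qname/qtype/qclass."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (two bytes)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), end


def parse_response(msg):
    """Return header flags of interest plus any TXT strings in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "txt": []}
    off = 12
    for _ in range(qd):            # skip question entries
        _, off = parse_name(msg, off)
        off += 4                   # qtype + qclass
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:      # TXT rdata is a sequence of <len><chars>
            i = 0
            while i < rdlen:
                l = rdata[i]
                info["txt"].append(rdata[i + 1:i + 1 + l].decode(errors="replace"))
                i += 1 + l
    return info


def assess(info):
    """Turn the parsed response into audit findings a defender would act on."""
    findings = []
    if info["ra"]:
        findings.append("RA set: server offers recursion and may be usable as an "
                        "open resolver (amplification, cache snooping)")
    if info["txt"]:
        findings.append("version.bind disclosed: " + ", ".join(info["txt"]))
    return findings


def send_query(server, qname="version.bind", qtype=TYPE_TXT, qclass=CLASS_CH, timeout=2.0):
    """Assumed helper: send the query over UDP to a server you are authorised to audit."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, qclass), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)


# Constructed sample response: QR, AA, RD and RA set (0x8580), one question,
# one CH TXT answer whose name is a pointer back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    + b"\x07version\x04bind\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, 18)
    + bytes([17]) + b"9.9.9-constructed"
)

if __name__ == "__main__":
    for line in assess(parse_response(SAMPLE_RESPONSE)):
        print(line)
```

The mitigation side is the usual one: restrict recursion to trusted client ranges (for example with BIND's `allow-recursion`) and hide the version string (`version "none";` in BIND's options), then re-run the check to confirm the RA bit clears and no TXT comes back.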


Fixing Raspistill and Raspivid for Headless Streaming on the Raspberry Pi

Recently I got 2 Raspberry Pi camera modules for my Raspberry Pi boards for some projects I have in mind. I was sad to find out I could not stream unless I had a monitor connected to the Pi, and after some additional digging I found out that in the initial version of the tools Raspistill and Raspivid the no-preview option was broken, causing it not to work. After some digging in the forums and trial and error I found how to fix it until the tools are updated and added to the package repo. Plus it was a good exercise in compiling files for ARM.


Script to Automate Metasploit Framework Installation

For some time now I have been maintaining guides for installing Metasploit Framework on OSX, Ubuntu and CentOS. I decided this weekend to write a script to facilitate going through all the steps. The script aids in installing Framework on OSX Mountain Lion and Ubuntu 12.10/13.04. The script can be found at https://github.com/darkoperator/MSF-Installer

To use the script on OSX, Java, Xcode and the Command Development Tools from Xcode must be installed before running the script. In the case of OSX I also added the option of installing GNU GCC in case you want to compile the old Ruby 1.8.7 that requires it. When you download the script you must make it executable; when run with no arguments or with -h it will show the usage help message:

$ chmod +x msf_install.sh 
$ ./msf_install.sh -h
Scritp for Installing Metasploit Framework
By Carlos_Perez[at]darkoperator.com
Ver 0.1.0

-i                :Install Metasploit Framework.
-p      :password for MEtasploit databse msf user. If not provided a roandom one is generated for you.
-g                :Install GNU GCC (Not necessary uless you wish to compile and install ruby 1.8.7 in OSX
-h                :This help message

To start the installation you just run the script with the -i option. In the case of OSX it will:

  • Check that dependencies are met.
  • Check if Homebrew is installed and if not it will install it.
  • Install Ruby 1.9.3
  • Install base ruby gems.
  • Install and configure Postgres for use with Metasploit
  • Install GCC if selected.
  • Download and install Metasploit Framework.
  • Install all necessary Ruby Gems using bundler.
  • Configure the database connection and set the proper environment variables.
  • Download and install the latest version of Armitage.
  • Download and install the Pentest plugin and DNSRecon Import plugin.

In the case of Ubuntu 12.10 and 13.04 it will:

  • Install all necessary packages
  • Install base ruby gems.
  • Configure Postgres for use with Metasploit
  • Download and install Metasploit Framework.
  • Install all necessary Ruby Gems using bundler.
  • Configure the database connection and set the proper environment variables.
  • Download and install the latest version of Armitage.
  • Download and install the Pentest plugin and DNSRecon Import plugin.

I let the script be as verbose as possible on purpose so as to identify any surprise changes from R7 or from any of the platforms. I hope it is useful to others, as I know it will be in my lab setups.