Slayer Labs

Cyber Range Platform

Windows Credential Harvesting Quick Guide

This post covers common scenarios for collecting, dumping and decrypting Windows credentials, specifically NTLM and MsCacheV2. It is intended as a non-exhaustive cheat sheet.

Note

🚨 Be sure to check out our Labs to get hands-on experience with Windows credential harvesting and many other offensive security-related techniques.

Swimming up river to Own the Forest

This’ll be a quick post covering one method for pivoting from Domain Admin to Enterprise Admin.

Note

This post is based on a specific scenario within the lab “Cyborg Solution” on the Blitz range. Be sure to check it out along with our other offense-focused labs.

Tunneling & Pivoting Quick Guide

This post covers some useful tools and commands for tunneling and pivoting during pentesting. It is intended as a non-exhaustive cheat sheet.

Note

🚨 There are plenty of tools and unique scenarios involved in tunneling and post-exploitation, so be sure to check out our Ranges to build your knowledge and gain hands-on experience!

Living off the land

Note

šŸ„Interested in leveling up your Windows & AD Pentesting skills? Checkout our Udemy course and get Free 7-day lab access with proof of purchase!

This post will run through a scenario showcasing multiple methods of living off the land with built-in Windows assemblies (aka LOLbins). This scenario takes place on TheSprawl, one of our pentesting ranges. The lab scenario simply functions to emulate exfil and lateral movement utilizing built-in Windows tools.

At the end we’ll briefly run through some artifacts and logs. Keep in mind these methods may not be very practical for accomplishing our lab scenario goals. If you would like to test your own techniques or build up your offensive cyber skills, be sure to check out the rest of our pentesting ranges.

Note

📡 Lab access is low-cost and includes multiple targets and networks already configured to be exploited - Request Access to get started!

Getting Started

Starting off, we have a shell on a domain-joined box as a domain user with local admin privs (2EZ). Enumerating the box to see where we should go next can be done using all the basics like net, ipconfig, netstat, etc., but what if we could automate all this?

Windows Persistence via Port Monitors

Note

🚨 Be sure to check out our Labs to enhance your offensive-cyber skills and get hands-on experience with Windows persistence!

This post covers some quick research done by poking around the Windows persistence technique of Port Monitors, aka MITRE ATT&CK technique T1547.010. This method can also be used to escalate privileges from Administrator (in most cases) to SYSTEM.

Port Monitors have been documented in the past, but I wanted to dive a little deeper and post a couple of extra trinkets.

What’s a Port Monitor?

In this post, a Port Monitor refers to the print port monitors loaded by the Windows Print Spooler Service, spoolsv.exe. When adding a printer port monitor, a user (or attacker 😈) has the ability to add an arbitrary DLL that acts as the “monitor”.

There are basically two ways to add a port monitor, aka your evil DLL: via the Registry for persistence, or via a custom Windows app (the AddMonitor function) for immediate DLL execution.

A nice bonus is that your DLL will be executed as NT AUTHORITY\SYSTEM, since this is what the parent spoolsv.exe runs as. The catch is that you need local admin privs, or at least the ability to write to the registry.

First, onto persistence…

Kerberos Double-Hop Workarounds

This post covers some quick and dirty workarounds for the dreaded double-hop issue when conducting red team activities in Windows environments. The methods covered in this post also bleed into general Windows lateral movement techniques, not just double-hopping solutions.

Note

🚨 Be sure to check out our Labs to enhance your offensive-cyber skills and put these commands to use!

If you’ve had to move laterally or conduct general systems administration in Windows environments, then you’ve probably come across this obstacle, specifically with PowerShell Remoting/WinRM. If you’re unsure what the double-hop issue is, it’ll be briefly covered below. Otherwise, check out this Microsoft article to get a better idea.

This post follows a scenario (from the viewpoint of a red teamer) in which your attacking box has internal network access but is NOT joined to the domain. It also assumes that you, as the attacker, have only CLI access with Local Admin creds, and that WinRM is enabled throughout the domain.
