Stealth Persistence aka RID Hijacking

by Vince
in Blog

Somehow you make your way onto a system and perhaps you want to maintain that access.  There are a number of reasons and methods for maintaining persistence, and one such method is RID hijacking.  The short of it is this -- every local account is identified by a security identifier (SID) whose last component is a relative identifier (RID).  The built-in Administrator account is always RID 500, and the accounts you create begin at RID 1000.  If we modify a low-privilege user account in the SAM and assign it the Administrator's RID of 500, the token Windows builds when that user logs on carries the Administrator's identity and rights, so for all intents and purposes, we are an administrator.  The account name, password and group memberships still look like the original user's, which is what makes it stealthy.  Writing to the SAM requires SYSTEM-level access, so this is a way to keep admin, not a way to get it.
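Added example, not from the post: two checks for the hijack described above. The first looks at logon records and flags an account name that arrives with the Administrator RID, or one RID shared by two names; it assumes you have already extracted, per logon, the account name used and the SID placed in the resulting token (the sample records are constructed). The second reads the RID straight out of a SAM user key's F value and compares it with the RID the key is named for; the 0x30 offset comes from published RID-hijacking write-ups rather than from this post, and the F blobs here are constructed.

```python
"""Detection checks for RID hijacking (added example, not from the post).

The post's premise: the built-in Administrator is RID 500, created local
accounts start at RID 1000, and a hijacked account keeps its own name but
carries RID 500.  Two places that shows up:

  1. logon records: the account name and the SID in the logon token no
     longer agree (a name other than Administrator arrives with RID 500,
     or one RID turns up under two different names);
  2. the SAM hive: each user key is named after its RID in hex, and the
     RID Windows actually uses is stored inside the key's F value, so the
     two can be compared directly.
"""
import re
from collections import defaultdict

ADMIN_RID = 500  # built-in Administrator

# Account SID: machine/domain identifier followed by the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Offset of the 4-byte little-endian RID inside a SAM user key's F value
# (assumption: taken from published RID-hijacking write-ups, not this post).
F_RID_OFFSET = 0x30


def rid_of(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority, of an account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {sid!r}")
    return int(m.group(1))


def find_logon_hijacks(records, admin_name="Administrator"):
    """Flag logon records whose account name and SID RID disagree.

    Each record is a dict with 'account' (name used at logon) and 'sid'
    (the SID placed in the logon token).
    """
    findings = []
    names_by_rid = defaultdict(set)
    for rec in records:
        rid = rid_of(rec["sid"])
        names_by_rid[rid].add(rec["account"])
        if rid == ADMIN_RID and rec["account"].lower() != admin_name.lower():
            findings.append(
                f"{rec['account']} logged on with the Administrator RID: {rec['sid']}")
    # A RID shared by two names means one account was given the other's RID.
    for rid, names in sorted(names_by_rid.items()):
        if len(names) > 1:
            findings.append(f"RID {rid} is used by {', '.join(sorted(names))}")
    return findings


def rid_from_f_value(f_value: bytes) -> int:
    """Read the RID Windows will use from a SAM user key's F value."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short")
    return int.from_bytes(f_value[F_RID_OFFSET:F_RID_OFFSET + 4], "little")


def sam_key_tampered(key_name: str, f_value: bytes) -> bool:
    """True if the RID in the F value differs from the RID the key is named for.

    key_name is the subkey under SAM\\SAM\\Domains\\Account\\Users,
    e.g. '000003E9' for RID 1001.
    """
    return int(key_name, 16) != rid_from_f_value(f_value)


# Constructed sample data: a normal Administrator logon, a normal user
# logon, and the user 'bob' (RID 1001 by key name) logging on as RID 500.
SAMPLE_LOGONS = [
    {"account": "Administrator", "sid": "S-1-5-21-111-222-333-500"},
    {"account": "alice",         "sid": "S-1-5-21-111-222-333-1000"},
    {"account": "bob",           "sid": "S-1-5-21-111-222-333-500"},
]


def make_f_value(rid: int) -> bytes:
    """Build a minimal constructed F blob carrying the given RID."""
    blob = bytearray(0x50)
    blob[F_RID_OFFSET:F_RID_OFFSET + 4] = rid.to_bytes(4, "little")
    return bytes(blob)


if __name__ == "__main__":
    for line in find_logon_hijacks(SAMPLE_LOGONS):
        print("LOGON:", line)
    # bob's key is 000003E9 (1001) but its F value says 500: hijacked.
    print("SAM: bob tampered =", sam_key_tampered("000003E9", make_f_value(500)))
    print("SAM: alice tampered =", sam_key_tampered("000003E8", make_f_value(1000)))
```

The SAM check is the stronger of the two, since it does not depend on the hijacked account ever logging on while you are watching, but reading the SAM hive needs SYSTEM (or an offline copy of the hive), which is the same level of access the attacker needed to plant it.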

Cracking WiFi with a Pineapple

by Vince
in Blog

I probably learned to crack WiFi over 10 years ago -- if you've never done it, do it, you won't regret it.  I learned on BackTrack and Kali using an Alfa antenna.  Somewhere along the way, I acquired a Pineapple... or four, which streamlines the process.  Of the many times I've set up a Pineapple, I've never had it go smoothly, and that's either because they can be buggy, I'm using older versions, or I just don't have the attention span when I'm setting them up.

All that said, I'm doing an audit -- which is something I rarely do -- but I grabbed the Pineapple out of my bin of toys and here we are.

Covenant Donut

by Vince
in Blog

I've been using Covenant for over three years now and I still have mixed feelings about it.  That being said, I'm still using it, so I probably shouldn't complain about open source products when the alternative paid product, Cobalt Strike, is $6k.  My biggest gripe about Covenant is that it's quirky.  I feel like I'm always working around something.  For example, Covenant has the ability to generate shellcode directly from launchers, but when I try to process inject, it fails against Defender.  But when I convert the binary launcher with Donut, I can defeat Defender.