Home View all posts by clymb3r
Blog Archives

Cracking Open PowerShell’s Constrained Runspace

Posted on June 25, 2014 by clymb3r 2 Comments

Recently at the PowerShell Summit, Lee Holmes and I did a talk on PowerShell security. One of the demonstrations we did showed how to find and exploit a command injection bug in a constrained runspace. I figured I’d write a

Read more ›

Tagged with: , , ,
Posted in Hacking, PowerShell

Injecting Logon Credentials With PowerShell

Posted on November 17, 2013 by clymb3r Leave a comment

In this article I will introduce a new script, Inject-LogonCredentials, that uses PowerShell (specifically, the Invoke-ReflectivePEInjection script) to inject credentials in memory. I’ll start with a brief review of the current commonly used methods of using stolen credentials. Doing a

Read more ›

Tagged with: , , , ,
Posted in Hacking, PowerShell

PowerShell and Token Impersonation

Posted on November 3, 2013 by clymb3r 3 Comments

This post will discuss bringing incognito-like functionality to PowerShell in the form of a new PowerShell script (Invoke-TokenManipulation), with some important differences. I’ll split this post up in to three sections: An overview on tokens and Windows authentication An overview

Read more ›

Tagged with: , , , , ,
Posted in Hacking, PowerShell, Uncategorized

Intercepting Password Changes With Function Hooking

Posted on September 15, 2013 by clymb3r 7 Comments

Last week, Mubix published a malicious Windows password filter DLL (http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html). The idea is simple, by installing this password filter, he can intercept the clear text credential whenever a user changes their password. There are two caveats with installing this

Read more ›

Tagged with: , ,
Posted in Hacking, PowerShell

Avoiding PowerShell Command Injection & Unicode Issues

Posted on September 7, 2013 by clymb3r 1 Comment

PowerShell exposes a powerful set of functionality and is increasing in popularity for server management tasks. This post aims to help penetration testers identify issues that may be found when PowerShell scripts handle user input. There are multiple scenarios where

Read more ›

Tagged with: , , ,
Posted in Hacking, PowerShell

Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks

Posted on June 13, 2013 by clymb3r 13 Comments

Currently there are a few ways to dump Active Directory and local password hashes. Until recently, the techniques I had seen used to get the hashes either relied on injecting code in to LSASS or using the Volume Shadow Copy

Read more ›

Tagged with: , , , , , ,
Posted in Hacking

Implementing Remote LoadLibrary and Remote GetProcAddress Using PowerShell and Assembly

Posted on May 26, 2013 by clymb3r 3 Comments

Recently I have been working on reflective DLL injection in to remote processes in PowerShell. I encountered a problem; I need to call LoadLibrary to load libraries in the remote process and then call GetProcAddress to get function addresses in

Read more ›

Tagged with:
Posted in Hacking

Modifying Mimikatz to be Loaded Using Invoke-ReflectiveDLLInjection.ps1

Posted on April 9, 2013 by clymb3r 1 Comment

This is a follow up to my article about reflectively loading DLLs using PowerShell. This will walk you through the relatively simple process of modifying mimikatz to be loadable using the reflective DLL loader to dump passwords. I’ve included a

Read more ›

Tagged with: ,
Posted in Hacking

Reflective DLL Injection with PowerShell

Posted on April 6, 2013 by clymb3r 4 Comments

Normally when you load a DLL in Windows, you call LoadLibrary. LoadLibrary takes the file path of a DLL and loads it in to memory. In addition to the DLL being on disk, the DLL will show up when tools

Read more ›

Tagged with: ,
Posted in Hacking