Blog Archives

Cracking Open PowerShell’s Constrained Runspace

Recently at the PowerShell Summit, Lee Holmes and I did a talk on PowerShell security. One of the demonstrations we did showed how to find and exploit a command injection bug in a constrained runspace. I figured I’d write a

Tagged with: , , ,
Posted in Hacking, PowerShell

PowerShell and Token Impersonation

This post will discuss bringing incognito-like functionality to PowerShell in the form of a new PowerShell script (Invoke-TokenManipulation), with some important differences. I’ll split this post up in to three sections: An overview on tokens and Windows authentication An overview

Tagged with: , , , , ,
Posted in Hacking, PowerShell, Uncategorized

Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks

Currently there are a few ways to dump Active Directory and local password hashes. Until recently, the techniques I had seen used to get the hashes either relied on injecting code in to LSASS or using the Volume Shadow Copy

Tagged with: , , , , , ,
Posted in Hacking