Searching for password files in PowerShell.

Searching for files in PowerShell, more specifically potential password files. During the course of a pentest once you have compromised a windows host there is a good chance that you will want to enumerate the box further to gather as much info as possible. This will most likely include searching the local system for passwords. We can use the following syntax in PowerShell to search for files with the text ‘password’ in the filename, just like below. We use the wildcard ‘*’ either end of the ‘passwords’ so we can search for variations in the file name.

Searching for files in powershell

Simple and quick!


Pivoting with netsh in Windows!

Just a quick post to demonstrating pivoting with netsh in Windows! More specifically port forwarding with netsh in Windows (Windows 7 and above). This really is great as your not having to upload any tools to the target system. It is limited in its functionality however is a great option for say a single port such as 445 or 3389.

Now if you don’t have interactive logon rights but you have a PSEXEC, PTH or even a meterpreter session you can add a port forward on you target system and pivot to your next target with SMB/445. This is especially great when you think of tools like PSEXEC module in Metasploit or the main other remote CMD tools available. Now you could use the autoroute or route add function in Metasploit but its nice to have a backup plan if you didn’t have Metasploit!

You can use the below to display your port forwarding rules:

Just remember to clear down your port forwarding rules when your finished with:



VLAN tagging in Kali Linux 2.0

Just a quick post on how to configure VLAN tagging in Kali Linux 2.0. If we have a trunk port presented to us, how do we utilise it?

To setup vlan tagging in Kali Linux 2.0 is pretty straight forward, to set the scene and demonstrate this further we need a lab. The below lab is our ‘test.local’ environment set up in GNS3. There are 3 vlans, 10 20 and 30. 10 and 20 are routable, vlan 30 is isolated from 10 and 20. In the lab we have a ‘router on stick’ configured  at R4, fa0/1 is sub interfaced with vlans 10 and 20. utilising DHCP, vlan 10 for servers and vlan 20 for clients. All devices in vlan 30 are statically assigned IP addresses and not routable to the 10 and 20 vlan networks.  In all switches there are a variety of 802.1q trunked and access ports.

The idea of the lab is that vlan 30 can’t talk to vlan 10 or 20. However as a trunked port is presented to the Kali vm, it will be able to communicate to all vlans.

This is how it looks:

VLAN tagging in Kali Linux 2.0 - switch configuration

Lets look at how we would configure Kali to test all hosts in the different vlans, first via CLI and then via GUI in Network Manager:

As you can see with the current trunk connection we can’t access any of the networks, however a quick Wireshark does reveal we can see traffic and the different vlans…

First lets open up ‘/etc/network/interfaces’ in nano and add our interfaces. The idea is very similar to a cisco router we are essentially sub interfacing our network connection in the interfaces file:

Save our file and then simply bring up the sub-interfaces with ‘ifconfig XXX up’ where XXX is our subinterface:

We can now access all of our vlans in question.

Further to this, if we set off a ping to each network and Wireshark the trunk connection we can see our tagged packets. Hooray.

The Gui is even easier, lets configure it via the Network Manager. We will do this via opening up our network connections/Network Manager, simple click on the ‘+’ sign, select ‘VLAN’ fill in the details on the vlan tab as well as the ‘IPv4Settings’ tab:

And there you have it.

I hope this helps someone!


Superceded Windows Updates

Is this update superseded or not?

I recently came across a need to check on whether a Windows update had been superseded or not. WSUS does give this information in the console view, it indicates whether an update has been superseded or not. However, in my opinion and experience people tend to find it not that great and bit confusing to read. A better and more solid view is to look up the official Microsoft Security Bulletin Data, which shows you what has been superseded and what has not.

If you search for ‘Microsoft Security Bulletin Data’ in google as below you find what we are after or the direct link is here. This is a link to the full Microsoft Security Bulletin Data.

Following the link will lead you to the download, this is in XLSX format. This is a list of all Security Bulletins that have been released. As you can see from the below you are able to navigate around the data with ease in Excel:

There really is a lot of useful information in here, such as whether a reboot is required, the severity rating and also the ‘supersedes’ column.

So when you need to check up on an update you can always refer to this useful data.


Creating a Windows 7 Logon Banner Legal Notice message at Logon via GPO

Windows 7 Logon Banner

This is just a super quick post to reference an earlier video which I created to demonstrates how to add an interactive logon banner legal notice to work/domain joined Windows 7 client machines via group policy object. A user would need to click ‘OK’ to accept the message before logging onto the machine.

This is a CIS (Center for Internet Security) benchmark for Windows 7 machines the rationale is that it is important to notify and warn unauthorized users attempting to gain access to carry out an attack on the computer by notifying them of the consequences of what they are about to do and any legal ramifications.


Microsoft LAPS (Local Administrator Password Solution) Deployment

Password re-use… ah such a bad idea.

During a penetration test one of the most common vulnerabilities I see is the local administrators account having the same password used across all client machines in the estate, usually one for servers and one for clients. So a classic scenario I see a lot goes something like this; a vulnerability is identified in an environment lets say a nasty remote code execution, it gets exploited giving SYSTEM level privileges, you then dump creds from the box and boom you have the local administrators password, even if you don’t get the clear text password you might get the hash. You use the creds/hash with something like hydra or medusa to try a few more workstations in the environment, and hey presto your screen lights up with successful smb authentications. You now have the ability to move laterally across the network logging into workstation after workstation either dumping more creds with mimikatz or stealing tokens with incognito until you reach a domain admin account.

There are in fact a few ways in which we can contain or should I say slow down lateral movement by an attacker, one being to use a different local administrators password on every device, I’m going to walk through how we can achieve this using Microsoft LAPS (Local Administrator Password Solution). This essentially allows you set a unique local administrators password on every workstation in the domain. Thus stopping password reuse and pass the hash type attacks. Granted this is only half the problem solved however does shutdown this avenue of attack.

OK, how do we set this up?

A quick search on google for LAPS and you will find the free download from Microsoft.

Go ahead and download the 32 & 64 bit downloads as well as the ops guide for reference.

For this demo I’m going to be using the trusty Blue Team Security lab in GNS3, you can see from the below diagram we have our Domain Controller and a few windows 7 clients to play with, great:

LAPS works by having what Microsoft refers to as clients and management computers within your domain. Passwords are stored in Active Directory as a computer object attribute this does mean that the password is stored in clear text. However transmission is encrypted. Management computers and its user will have the ability to fetch the password of any given client, so its important to delegate this responsibility carefully i.e to a specific security group. The msi we downloaded is the same for both client and management computers, the install has different options selected for each type. The default options being for clients. For the management computers I’m going to use ‘W71’ this is a standard Windows 7 Pro domain joined client.  For the client computers we are going to use W74 and W72, again just standard domain joined Windows 7 Pro builds.

When we talk about management machines we are talking about user admin machines so where your helpdesk or second line staff can access.

There are a couple of pre-requisites; the first is a schema update which adds two new attributes to AD these are to store the password and timestamp for password expiry. The second are some permissions that need to be setup for our clients and the users that can see these attributes.

Let’s first install the management software and tackle the schema update.

On our management computer lets go ahead and double click on the msi in my case 64 bit so ‘LAPS.x64’

Click Next.

Accept the End-User License Agreement and click next.

Select the ‘Managment Tools’ and select to install to all the computer and click next.

That it management install complete.

Onto our scheme update, open up an elevated PowerShell prompt with an appropriate scheme admin account, import the module and then update the schema like below:

Import-module AdmPwd.PS


Onto our permissions. Basically, the client machines need to be able to update the password and timestamp expiry attributes. Using the module that we have previously imported, or in the same window as before run:

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

In the Blue Team Security lab this would be on the ‘PCs’ OU:

So the command would be:

Set-AdmPwdComputerSelfPermission -OrgUnit PCs

Next we will create a User Group that we can assign read permissions for the new attributes. This will essentially allow the new group and its users the ability to read the password field of the computer objects. In this case I have created a group called ‘LAPS Admins.’ The comand is:

Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

In the Blue Team Security Lab our command would be:

Set-AdmPwdReadPasswordPermission -OrgUnit PCs -AllowedPrincipals ‘LAPS Admins’

The same again for the expiry field:

Set-AdmPwdResetPasswordPermission -OrgUnit PCs -AllowedPrincipals ‘LAPS Admins’

Managing clients; telling them we want to control their local administrator password is done through group policy. The policy we want to configure is a computer policy under administrative templates called LAPS, this will have been imported when the management computer software was installed. Using our management machine, in our group policy management console we want to create a new GPO under the container where our client machines are, just like below:

The settings we want to configure are to initial switch on the password management this is called ‘Enable local admin password management’ funnily enough and we want to enable it. Next is the ‘password settings’ this looks like, and has the below configuration options, as you can see we have a fair amount of control over the password to configure it securely. What you see below is the default settings:

Its probably worth noting if you have changed the local administrators account name via policy (and you should!), then you will need to specify the new account name in the policy ‘Name of administrator account to manage’, enable the policy and specify the new name. This policy is only needed if you have renamed the account.

Next up is installing the client side software. I’m going to manually install this however in the enterprise you will probably use SCCM or GPO to deploy to your client machines. I will perhaps demonstrate this in my next post.

Over on our client the install takes all the default values from the same msi that we used for the management computers. I won’t bore you with additional screenshots, just know that it is a next, next, next, finish situation and installed successfully on my client machine W72.

Once the above GPO has had time to take effect on our client machine we can verify the password in AD and through the fat client installed on the management computer. First in Active directory users and computers you can view the password by navigating to the computer object in question (W72 in this case) selecting the attribute editor and scrolling down to the value ‘ms-Mcs-Adm-Pwd’ this value is our new password the one below it is the expiry time (you will need to have selected ‘Advanced Features’ to view the attribute editor on the computer object) and be viewing with the appropriate rights (ie be part of in our case the LAPS Admins group):

On the management machine with the account ‘Adam’ which is a member of the ‘LAPS Admins’ group through the fat client UI (which does require DotNet4).

Just to demonstrate if we log in with ‘Bob’s account on the same management computer and try to use the same LAPS UI tool the following expected results are shown, not the bob is not a member of the ‘LAPS Admins’ group and so the password is blank, ace!

And for the die hard CLI users you can of course use powershell to retrieve the password with the appropriate account of course:

You can now try out your new unique local administrators password. Now even if the box has been compromised an attacker will struggle to crack the likes of the above password and secondly won’t be able to reuse the hash to authenticate to another machine. Remember to test out in your lab before in production. I hope this has been informative.


Awk – Part 1 – Printing the 5th word in a line of text to std output


To kick off ‘Project Bash’ located here I’m going to be talking about Awk. Awk is a text processing tool that can be used to manipulate text in a line in bash. There are many uses of awk so I have called this one Part 1. In Part 1 we are going to use awk to select a word in a line of text, this can be very useful if we want a specific value in a line of text like the 5th word and want to iterate that through each line in a file. Take the following example:

So we have just used Nmap to ping sweep a subnet and want to create a target IP list from the results, we send the output to a file called alive.txt. check out the below:

Awk Part 1

If we break the command down:

The first command ‘Cat alive.txt’ prints out the contents of the file alive.txt to std output (ie into bash). We then use the command ‘grep “report”‘ to find all lines with the word ‘report’ in:

Then finally using ‘awk ‘{print $5}’ to print the 5th word in the line using the variable $5.

Changing the variable in the awk command to ‘$2’ prints the 2nd word in the line:



Searching for Exploits with

The needs no introduction. Most penetration testers will be well versed in the use of Exploit-db and its uses. However for new-comers, this is an excellent and ‘the go to’ resource when looking for exploits and exploit code for use in test labs on vulnerable systems.  It goes without saying though when looking through code that is published on the internet the following precautions should be taken;

  • Understand what the code is doing.
  • Modify the code if needed to suit your situation, especially any shellcode snippets.
  • Understand what lanuguage the code is written in.
  • Don’t run code from the internet without knowing what the code is going to do. You don’t want to create a reverse shell back to a C&C server do you.
  • Always test code in a lab, isolated from the internet and production systems.
  • Understand that some code such as C++ and C for example will most likely need compiling and need dependancies.


There are several ways to search the Exploit-db such as:

  1. Via the exploit-db site: however when searching for exploits you will have to use their captcher form in order to proceed with a search.
  2. Via Google search engine using the syntax: ‘ Windows Privilege Escalation’

    Google search of the Exploit-DB
    Google search of the Exploit-DB
  3. Using searchsploit built into Kali Linux like below, this has the added benefit that the databse is offline:

searchsploit in Kali
searchsploit in Kali

The offline copy can be updated with:

Hope you find this useful.


Sed – Part 2 – To remove text from a line.

Sed – To remove text from a line.

To remove specific characters or portion of text from a line in Linux in bash we can use sed. In the below example we want to specifically remove ‘BARRY\’ from a line everything within the square brackets [text to remove] is removed, so we use:



Insecure Service Permissions

How to check for them.

Just a quick post to show a way to check for insecure service permissions  in Windows using the following built in command line tools. This uses a combination of wmic to query for services and then icacls to check the permissions.

I found the below for loops as shown by to quickly get the results we require.

The first line using wmi to query the services excluding ‘system32’ and then the the second line takes the output and runs icacls against each line.

Another way to view these is via Sysinternals with the accesschk tool like below:

accesschk.exe -uwcqv *

accesschk.exe -uwcqv “Authenticated Users” *
accesschk.exe -uwcqv “Everyone” *