We here at RSM heavily rely on the Open Source tools that are available from the information security community. Like many penetration testing and research teams we rely on gems such as the Metasploit Framework, Responder, and Empire. We like to support to give back to the community and help others like us by contributing to these projects as well as by releasing and ... READ MORE
Metasploit
Razer rzpnk.sys IOCTL 0x22a050 ZwOpenProcess (CVE-2017-9769)
Today RSM is releasing the second and more serious of two unpatched vulnerabilities identified within drivers used in the gaming peripheral company Razer's Synapse application. The driver in question is rzpnk.sys (md5: B4598C05D5440250633E25933FFF42B0) which exposes some functionality via an IOCTL interface. This vulnerability exists within the handler for IOCTL code ... READ MORE
The Inner Workings Of Railgun
Recently, Railgun functionality was added to Metasploit’s Python Meterpreter. This blog describes details of the implementation and how it provides the functionality to make arbitrary calls to native API functions through Metasploit. This is a technical companion piece to the Metasploit Blog post outlining some of the new features to the Python Meterpreter and their ... READ MORE
Pivot, Exploit, Death by Firewall
Another scenario that is getting all too familiar: It is another day in the office. The external penetration test is going as planned. You broke in to the internal network and you have transports in place. You just need that last trophy before you can call it a day! You finally find the system where it is stored. You prep for the attack, and check to make sure all is setup ... READ MORE
Meterpreter Transports: Digging in with your Shell!
The scenario is all too familiar: Its a been a long week of digital warfare, and you are about to call it quits. And then all of a sudden, you have a shell call back to your handler! You're in for the moment, but it's only a matter of time before that pesky blue team finds and blocks you. You now must waste precious time desperately trying to set up persistence in order to ... READ MORE
Launch rdesktop from Metasploit
I often resort to remote desktop sessions when pillaging or attempting lateral escalation. Remote desktop provides an easy way to look for important data, get an idea of what applications are in use, run scripts or programs, and transfer data between my host and the target system. Since the Windows “Remote Desktop Connection” program keeps track of IP addresses and makes it ... READ MORE
Metasploit Module of the Month – enum_ad_computers
Summer has officially ended and Autumn is setting in. As the leaves begin to fall and September draws to a close, it’s a perfect time to sit back and reflect on the metasploit modules that filled our Summer months with joy. In the third installment of our “Module of the Month” series we examine enum_ad_computers, a post-exploitation module that combines the flexibility of LDAP ... READ MORE
Accessing Internal Web Apps via Meterpreter on a Jumpbox
Post breach on a recent external penetration test, I wanted to do some poking around the target's intranet which required that I set up a SOCKS proxy. Given that I was using a jumpbox, I knew it was going to be necessary to set up a tunnel to get everything working properly. If you're anything like me, tunneling makes your brain hurt. Fortunately, with a little help from jagar, ... READ MORE
Spawning Meterpreter Over Bluetooth
The last post on Shells with Spencer presented code to spawn a shell with a full PTY with a Bluetooth RFCOMM socket for extended post exploitation access. This post will present an additional technique, this time for spawning a Metasploit Meterpreter session between two hosts using a Bluetooth RFCOMM socket. Specifically, in this Proof-of-Concept, a Meterpreter session will be ... READ MORE
No RDP, No Problem!
The Setup I conducted some phishing for a pentest this past week. My ulterior motive was to have an opportunity to familiarize myself with Empire, so I decided to go with a pretext which would allow me to use the macro stager and a malicious Excel sheet attachment to drop agents onto victim boxes. After some initial hiccups, a handful of (elevated!) agents started calling ... READ MORE