DbgShell – A PowerShell Front-End For The Windows Debugger Engine

A PowerShell front-end for the Windows debugger engine. Ready to tab your way to glory? For a quicker intro, take a look at Getting Started.

Disclaimers

- This project is not produced, endorsed, or monitored by the Windows debugger team. While the debugger team welcomes feedback about their API and front ends (windbg, kd, et al.), they have no connection with this project. Do not file bugs or feedback to the debugger team concerning this project.
- This is not a funded project: it has no official resources allocated to it, and is only worked on by volunteers. Do not take any production dependency on this project unless you are willing to support it completely yourself. Feel free to file Issues and submit Pull Requests, but understand that with the limited volunteer resources, it may be a while before your submissions are handled.
- This is an experimental project: it is not fully baked, and you should expect breaking changes to be made often.
- Corollary of the above disclaimers: I would avoid attaching DbgShell to live targets of high value.

Binaries

https://aka.ms/dbgshell-latest

Motivation

Have you ever tried automating anything in the debugger (cdb/ntsd/kd/windbg)? How did that go for you?

The main impetus for DbgShell is that it’s just waaaay too hard to automate anything in the debugger. There are facilities today to assist in automating the debugger, of course. But in my opinion they are not meeting people’s needs.

- Using the built-in scripting language is arcane, limited, difficult to get right, and difficult to get help with.
- DScript is kind of neat, but virtually unknown, and it lacks a REPL, and it’s too low-level.
- Writing a full-blown debugger extension DLL is very powerful, but it’s a significant investment—way too expensive for solving quick, "one-off" problems as you debug random, real-world problems. Despite the cost, there are a large number of debugger extensions in existence. I think there should not be nearly so many; I think the only reason there are so many is because there aren’t viable alternatives.
- Existing attempts at providing a better interface (such as PowerDbg) are based on "scraping" and text parsing, which is hugely limiting (not to mention ideologically annoying) and thus are not able to fulfill the promise of a truly better interface (they are only marginally better, at best).
- Existing attempts to provide an easier way to write a debugger extension are merely a stop-gap addressing the pain of developing a debugger extension; they don’t really solve the larger problem. (For instance, two major shortcomings are that they are still too low-level (you have to deal with the dbgeng COM API), and there’s no REPL.)
- The debugger team has recently introduced JavaScript scripting. JavaScript is a much better (and more well-defined) language than the old windbg scripting language, but I think that PowerShell has some advantages, the largest of which is that nobody really uses a JavaScript shell–PowerShell is much better as a combined shell and scripting language.

The goal of the DbgShell project is to bring the goodness of the object-based PowerShell world to the debugging world. When you do ‘dt’ to dump an ‘object’, you should get an actual object. Scripting should be as easy as writing a PowerShell script.

The DbgShell project provides a PowerShell front-end for dbgeng.dll, including:

- a managed "object model" (usable from C# if you wished), which is higher-level than the dbgeng COM API,
- a PowerShell "navigation provider", which exposes aspects of a debugging target as a hierarchical namespace (so you can "cd" to a particular thread, type "dir" to see the stack, "cd" into a frame, do another "dir" to see locals/registers/etc.),
- cmdlets for manipulating the target,
- a custom PowerShell host which allows better control of the debugger CLI experience, as well as providing features not available in the standard powershell.exe host (namely, support for text colorization using ANSI escape codes (a la ISO/IEC 6429)).

The custom host is still a command-line (conhost.exe-based) program (analogous to ntsd/cdb/kd), but it can be invoked from windbg (!DbgShell).

In addition to making automation much easier and more powerful, it will address other concerns as well, such as ease of use for people who don’t have to use the debuggers so often. (One complaint I’ve heard is that "when I end up needing to use windbg, I spend all my time in the .CHM".)

For seasoned windbg users, on the other hand, another goal is to make the transition as seamless as possible. So, for instance, the namespace provider is not the only way to access data; you can still use traditional commands like "~3 s", "k", etc.

Screenshots

Notable Features

- Color: support for text colorization using ANSI escape codes (a la ISO/IEC 6429).
- Custom formatting engine: Don’t like .ps1xml stuff? Me neither. In addition to standard table, list, and custom views, you can define "single-line" views which are very handy for customizing symbol value displays.
- Custom symbol value conversion: For most variables, the default conversion and display are good. But sometimes, you’d like the debugger to do a little more work for you. The symbol value conversion feature allows, for instance, STL collection objects to be transformed into .NET collection objects that are much easier to deal with.
- Derived type detection: For when your variable is an IFoo, but the actual object is a FooImpl.
- Rich type information: exposed for your programmatic pleasure.

Q: Does it work in WinDbg? I will only use WinDbg.
A: Yes–load up the DbgShellExt.dll extension DLL, and then run "!dbgshell" to pop open a DbgShell console.

Other topics

- Getting Started with DbgShell
- Color
- Custom formatting engine
- Custom symbol value conversion
- Derived type detection
- Rich type information
- Hacking on DbgShell
- DbgEngWrapper

You can find a short (3 minute) video introduction here: https://youtu.be/ynbg2zZ1Igc

Download DbgShell

Link: http://feedproxy.google.com/~r/PentestTools/~3/Odr9tvWj8e0/dbgshell-powershell-front-end-for.html

SharpSploit – A .NET Post-Exploitation Library Written In C#

SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

SharpSploit is named, in part, as a homage to the PowerSploit project, a personal favorite of mine! While SharpSploit does port over some functionality from PowerSploit, my intention is not at all to create a direct port of PowerSploit. SharpSploit will be its own project, albeit with similar goals to PowerSploit.

Intro

You’ll find some details and motivations for the SharpSploit project in this introductory blog post.

Documentation

The complete SharpSploit API docfx documentation is available here. For an easier to read, high-level quick reference and summary of SharpSploit functionality, refer to the SharpSploit – Quick Command Reference.

Credits

SharpSploit ports many modules written in PowerShell by others, utilizes techniques discovered by others, and borrows ideas and code from other C# projects as well:

- Justin Bui (@youslydawg) – For contributing the SharpSploit.Enumeration.Host.CreateProcessDump() function.
- Matt Graeber (@mattifestation), Will Schroeder (@harmj0y), and Ruben (@FuzzySec) – For their work on PowerSploit.
- Will Schroeder (@harmj0y) – For the PowerView project.
- Alexander Leary (@0xbadjuju) – For the Tokenvator project.
- James Forshaw (@tiraniddo) – For his discovery of the token duplication UAC bypass technique documented here.
- Matt Nelson (@enigma0x3) – For his Invoke-TokenDuplication implementation of the token duplication UAC bypass, as well as his C# shellcode execution method.
- Benjamin Delpy (@gentilkiwi) – For the Mimikatz project.
- Casey Smith (@subtee) – For his work on a C# PE Loader.
- Chris Ross (@xorrior) – For his implementation of a Mimikatz PE Loader found here.
- Matt Graeber (@mattifestation) – For discovery of the AMSI bypass found here.
- Lee Christensen (@tifkin_) – For the discovery of the PowerShell logging bypass found here.
- All the contributors to www.pinvoke.net – For numerous PInvoke signatures.

Download SharpSploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/egVvC26MSXU/sharpsploit-net-post-exploitation.html

Leaked? 2.0 – A Checking Tool For Hash Codes, Passwords And Emails Leaked

Leaked? is a checking tool for hash codes, passwords and emails leaked. It uses the leakz module from Aidan Holland, and the leakz module uses the API from Aurelius Wendelken. Leaked? can work on any OS that supports Python 3 or 2.

What’s new?

- Check email leaked
- Update
- More friendly for users
- Support Python 2 and 3

Features

- Check passwords leaked
- Check hash code leaked
- Check email leaked NEW!
- Update NEW!
- Exit
- About Author

Install and Run in Linux

    sudo apt update && sudo apt install python3 python3-pip
    git clone https://github.com/GitHackTools/Leaked
    cd Leaked
    pip3 install -r requirements.txt
    pip install -r requirements.txt
    python3 leaked.py
or
    python leaked.py

Install and Run in Windows

Download and run the Python 3 setup file from Python.org. In Install Python 3, enable Add Python 3.7 to PATH and For all users. Download and run the Git setup file from Git-scm.com, and choose Use Git from Windows Command Prompt. After that, run Command Prompt or PowerShell and enter these commands:

    git clone https://github.com/GitHackTools/Leaked
    cd Leaked
    pip install -r requirements.txt
    python leaked.py

Update Leaked?: git pull -f

Notes

Leaked? uses the leakz module from Aidan Holland, and the leakz module uses the API from Aurelius Wendelken. Follow their Twitter accounts!

Screenshots

Contact the Author

Twitter: @SecureGF
Facebook: @GitHackTools
Google Plus: +TVT618

Download Leaked

Link: http://feedproxy.google.com/~r/PentestTools/~3/ln-jAlMtxV8/leaked-20-checking-tool-for-hash-codes.html

Microsoft, Elon Musk, Kernel and Powershell – Paul’s Security Weekly #575

Microsoft accidentally lets encrypted Windows 10 out to the world, a kernel exploit is discovered in macOS, PowerShell obfuscation ups the ante on antivirus, Google outlines its incident response process, Bomgar buys BeyondTrust, and Neil deGrasse Tyson speaks on Elon Musk, saying: Let the man Get High! All that and more, on this episode of Paul’s Security […]
The post Microsoft, Elon Musk, Kernel and Powershell – Paul’s Security Weekly #575 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/5xi_2xuShz4/

iBombShell: A Dynamic Post-Exploitation Remote Shell

Consider that you have a shell on a system and other post-exploitation tools do not work for you because they are being caught by a security solution on the system. Worry not, as we now have iBombShell, a dynamic remote shell that can be run on any system that supports PowerShell. The reason this is called dynamic […]
Read more about iBombShell: A Dynamic Post-Exploitation Remote Shell
The post iBombShell: A Dynamic Post-Exploitation Remote Shell appeared first on PenTestIT.

Link: http://pentestit.com/ibombshell-dynamic-post-exploitation-remote-shell/

Leaked? – A Checking Tool For Hash Codes And Passwords Leaked

Leaked? is a checking tool for hash codes and passwords leaked, using the API from @webtobesocial. Leaked? can work on any OS that supports Python 3.

Features

- Check passwords leaked
- Check hash code leaked
- Exit
- About Author

Install and Run in Linux

    sudo apt update && sudo apt install python3 python3-pip
    git clone https://github.com/GitHackTools/Leaked
    cd Leaked
    pip3 install requests
    python3 leaked.py

Install and Run in Windows

Download and run the Python 3 setup file from Python.org. In Install Python 3, enable Add Python 3.7 to PATH and For all users. Download and run the Git setup file from Git-scm.com, and choose Use Git from Windows Command Prompt. After that, run Command Prompt or PowerShell and enter these commands:

    git clone https://github.com/GitHackTools/Leaked
    cd Leaked
    pip install requests
    python leaked.py

Update Leaked?: git pull -f

Notes

Leaked? uses the API from lea.kz of @webtobesocial. Follow his Twitter account!

Screenshots

Contact the Author

Website: GitHackTools.blogspot.com
Twitter: @SecureGF
Facebook: @GitHackTools
Google Plus: +TVT618

Download Leaked

Link: http://feedproxy.google.com/~r/PentestTools/~3/GCUfckClIqk/leaked-checking-tool-for-hash-codes-and.html

Remote Desktop Caching – Tool To Recover Old RDP (mstsc) Session Information In The Form Of Broken PNG Files

This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allow a Red Team member to extract juicy information such as LAPS passwords or any sensitive information on the screen. A Blue Team member can reconstruct the PNG files to see what an attacker did on a compromised host. It is extremely useful for a forensics team to extract timestamps after an attack on a host, collect evidence and perform further analysis.

Screenshots

On the first run of Remote-Desktop-Caching using python.exe remotecache.py the user will get the options below:

- Using Option 1 and Option 2 the user can check the current session execution policy and set it to Bypass, which executes the rdpcache.ps1 PowerShell script.
- Using Option 3 the user can list the cached binary files which are going to be used to reconstruct PNG files.
- Choosing Option 4 starts analyzing the cache files and the reconstruction process. This option creates a folder on the user's C drive with the name Recovered_RDP_Sessions.

Sensitive information is recovered from these binary files in the form of broken PNG images. Managed to recover LAPS password, attacker IP address and malicious file names. It also reveals some of the crucial information about attacker activities on a compromised host. For the forensics team, a timestamp is revealed in most of these recovered images.

How do I use this?

- git clone https://github.com/Viralmaniar/Remote-Desktop-Caching-.git
- python.exe remotecache.py

Questions?

Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Download Remote-Desktop-Caching

Link: http://feedproxy.google.com/~r/PentestTools/~3/VmAcD0fasMY/remote-desktop-caching-tool-to-recover.html

Win-PortFwd – Powershell Script To Setup Windows Port Forwarding Using Native Netsh Client

Powershell script to set up Windows port forwarding using the native netsh client.

Install:

    git clone https://github.com/deepzec/Win-PortFwd.git

Usage:

    .\win-portfwd.ps1
or
    powershell.exe -noprofile -executionpolicy bypass -file .\win-portfwd.ps1

Note: This script requires admin privileges to run; it will automatically try to elevate privileges if you are running it under a normal user account.

Download Win-PortFwd

Link: http://feedproxy.google.com/~r/PentestTools/~3/SoNwYOjrkQE/win-portfwd-powershell-script-to-setup.html