Friday, July 19, 2013

Guest Blog Posts and Cons

I had the pleasure of writing a few guest blogs in the last few weeks. If you haven't read them, please check them out:

"Using the Windows API and Copy-RawItem to Access Sensitive Password Files" on Microsoft's "Hey, Scripting Guy! Blog" The post covers how to use PowerShell and volume shadow copy to safely copy either the NTDS.dit or SAM files while running as admin. The accompanying script figures out if its running on a DC or not, finds the actual location of the NTDS.dit file from the registry (often installed on a different disk) and returns the VSS service to its original state. You can find the script here. Although useful in a pinch, there are niftier methods out there.

"PowerSploit: The Easiest Shell You’ll Ever Get" on Pentest Geek. The post is a tutorial on the easiest way I know to avoid AV and get a Meterpreter shell from GUI access. I also included a simple Python script (in a PowerShell post, really?) to configure the handler for you. You can check that out here, you may find it useful. The Pentest Geek blog is already full of great posts, you should definitely check it out and contribute!

"WMIS: The Missing Piece of the Ownage Puzzle" on the Passing-the-Hash blog. The post builds on the concepts introduced in the PowerSploit post on Pentest Geek. I wrote about how to use WMIS to get a Meterpreter shell with one command using PowerShell. It is extremely effective, and we will be releasing a tool to automate the entire process very soon.

Also, I look forward to seeing you again at both Blackhat and Derbycon. Skip and I will be discussing ways to mitigate the threat of the Pass-the-Hash attack at both conferences. Matt and I will be presenting "A Minimalist's Guide to Windows Post-Exploitation" at both BsidesAugusta and Derbycon. Thanks for reading and thanks for contributing to this great community.



  1. Hey Chris,
    Great talk at Blackhat. I tried the Find-NTLMLogon.ps1 script in my environment, and am getting the following error. Is this an indication of the security event log being acl'ed to the point where get-winevent cannot read it? Any recommendations on how to get the script working?

    Get-WinEvent : Could not retrieve information about the Security log. Error:
    Attempted to perform an unauthorized operation..
    At \Find-NTLMNetworkLogon.ps1:27 char:15
    + $Events = Get-WinEvent -Logname "security" -FilterXPath $Filter |
    Where-Obje ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands

    Get-WinEvent : There is not an event log on the localhost computer that
    matches "security".
    At \Find-NTLMNetworkLogon.ps1:27 char:15
    + $Events = Get-WinEvent -Logname "security" -FilterXPath $Filter |
    Where-Obje ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (security:String) [Get-WinEvent]
    , Exception
    + FullyQualifiedErrorId : NoMatchingLogsFound,Microsoft.PowerShell.Command


    1. First, I would make sure that you ran PowerShell as administrator. Next remember that it isn't a script, but a function that has to be called. I would guess the first issue is the problem, but also double-check that there is a security eventlog on the machine. If you want to share more details, shoot me an email and I will try and help you out. Email is obscuresec at google's email.

  2. Hi Chris , the "PowerSploit: The Easiest Shell You’ll Ever Get" link is dead ;(