Powered by ACTIVECYBER, LLC
Powered by ACTIVECYBER, LLC
I was recently challenged to write a program to analyze a list of clear-text passwords and classify them into Hashcat-like masks, listing the top 3 most common masks used within the file and how many times they occurred. While researching password analysis and creating the program, I began to realize how useful this tool could be, not only for understanding the trends in password use but also its potential in penetration tests. For instance, say you’re able to gain access to the NTDS.dit file of a domain controller and crack a number of the NTLM hashes. With this program you could analyze the cracked passwords and output the most common masks in use, which you could then use in a mask attack with Hashcat to attempt to crack additional passwords. Or if you were to capture netNTLMv2 hashes with Responder and your password lists and rules files weren’t turning up anything, before turning to a brute-force attack you could obtain the organization’s password policy and target the most common masks that fit the password policy.
In March of 2023, Tenable released a CVE advisory regarding the TP-Link Archer AX21 router. After obtaining the hardware vulnerable to the exploit mentioned in the CVE, the team at ACTIVECYBER began exploring the vulnerability and developing an exploit for it.
The content presented in this lab is intended solely for educational purposes and informational use. The purpose of this lab is to provide a practical understanding of clickjacking attacks and their potential impact on web security. It is not intended to promote or encourage any malicious activities or harmful actions against real-world websites or individuals.
ACTIVECYBER has incorporated NPK into our arsenal of tools for penetration testing with clients, and we believe that sharing this with our ACTIVELabs library of resources would be beneficial to the community.
Password hashes are an essential part of many security assessments. Recovering plaintext passwords from these hashes can be crucial in a penetration test. However, hash cracking can be a challenging task for any penetration team as hashing is not reversible. The process involves making guesses about the original password, hashing them, and comparing the results with the available hash. Many tools like John the Ripper and Hashcat are available for cracking a variety of hash types, but the biggest challenge lies in the hardware.
As ACTIVECYBER continues to grow our testing services offerings as a key pillar of our ACTIVE Framework™, infrastructure is essential and needs to be built and tested regularly. This blog post details installing and setting up Covenant as a Command and Control (C2) server for the purpose of offensive testing. Covenant is an open source .NET Command and Control framework aimed at making .NET tradecraft easier and providing a collaborative C2 platform for red teamers. The post contains instructions, notes and tips for setting up and using the framework.
Link to post: Red Team Infrastructure - C2
GeForce Experience is the companion application to your GeForce GTX graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends. It also regularly downloads new game profiles which are essentially collections of settings that control what your graphics driver does when it loads specific games. We have identified DLL Hijacking vulnerability in GeForce Experience software in late 2019 (see link for more details) and decided to revisit said software again this year. This led to the discovery of CVE-2020-5978 and CVE-2020-5990 within the same component, that is GAMESTREAM. However, in this blog post we will only go over CVE-2020-5990 because it’s more interesting from an exploitation standpoint.
The AppX Deployment Service (AppXSVC) on Microsoft Windows suffers from an arbitrary file/directory deletion vulnerability that could be triggered by standard non-privileged users due to improper user impersonation during the removal process of any application from the Windows App Store (also known as Microsoft Store) leading to an elevation of privileges attack. Now, before we dive into the finding details, let's briefly talk about the vulnerable service and Microsoft Store applications.
Overwolf is a software platform designed to help developers create extensions for video games, which are then offered to users through Overwolf's App Store. The extensions are often focused on providing in-game services that would normally require a user to exit the game, such as the use of a web browser or an IM client. Other extensions provide game-specific features that can remind users about certain in-game events, easing the game experience. The platform has gained traction in competitive video games, such as eSports and MMORPGs, where native extensions are often forbidden due to concerns about cheating. Overwolf extensions sidestep this concern since they do not interact with the game engine; they operate exclusively on the overlay created by the main Overwolf program.
IDrive for Windows prior to version 22.214.171.124 installs by default to “C:\Program Files(x86)\IDriveWindows” with weak folder permissions granting any user modify permission “NT AUTHORITY\Authenticated Users:(OI)(CI)(M)” to the contents of the directory and it's sub-folders. In addition, the program installs a service called “IDriveService” which runs as Local system, this will allow any standard user to escalate privileges to “NT AUTHORITY\SYSTEM” by substituting the service's binary with malicious one.
G.SKILL International Enterprise Co., Ltd.
ene.sys driver in Trident Z Lighting Control v1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users which leads to privilege escalation as “NT AUTHORITY\SYSTEM”.
ACTIVELabs was created in 2018 to hunt and research undiscovered vulnerabilities, report them to vendors via responsible disclosure programs, publish advisories, develop and validate new patches, and to share this information for the advancement of the cybersecurity community. ACTIVELabs was established with the mission of securing our ever-growing client base, partnerships, and the technology community as a whole.
We are actively providing the community with verified findings and research that leads to the creation of new Common Vulnerabilities and Exposures (CVEs) and updates to the National Vulnerability Database (NVD). For a full listing of all of our Advisories, visit our GitHub page here.