Showing Articles About
credential-theft
-
Tim Carrington - 3 Aug 2021
Playing with PuTTY
This article explores techniques for manipulating PuTTY's source code and session sharing mechanism to capture credentials and execute remote commands. Multiple methods are demonstrated for backdooring PuTTY, including capturing user commands, stealing authentication details, and hijacking SSH sessions through named pipe communications. The techniques provide creative approaches for bypassing security controls during adversarial simulations without traditional keylogging methods.
- Alfie Champion
Riccardo Ancarani - 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #1
This article details a cybersecurity workshop demonstrating advanced Windows endpoint attack techniques for initial access. An HTA-based attack method was developed that drops a DLL and uses registration-free COM activation to execute a malicious payload. The payload involves shellcode injection, AMSI bypassing, and process injection techniques targeting Windows endpoints.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #2
This article explores advanced defense evasion techniques in Windows cybersecurity, focusing on API unhooking and ETW bypassing. The lab demonstrates methods attackers can use to minimize their detection footprint during endpoint attacks, such as removing API hooks and disabling event tracing. Techniques include intercepting API calls, unhooking ntdll.dll, and manipulating .NET runtime event tracing to avoid security monitoring.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #3
This article explores API hooking techniques for stealing RDP credentials during Windows authentication. The lab demonstrates how API hooks can intercept plaintext login information when users connect to remote desktop sessions. Multiple methods are presented, including using Frida and RdpThief, to extract credentials from the RDP client process.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #4
This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.
- Robert Bearsby Timo Hirvonen
- 14 Feb 2020
Rethinking Credential Theft
Physmem2profit is a novel red team tool for credential theft that bypasses traditional LSASS process monitoring. The tool allows remote extraction of credential material by exposing and analyzing physical memory without directly interacting with the LSASS process. It provides an alternative approach to credential theft by leveraging memory forensics techniques on Windows systems.
- Luke Jennings
- 18 Jul 2012
Incognito v2.0 Released
Incognito v2.0 is a Windows security tool for token enumeration and manipulation. The new version introduces multi-host input, multi-threading, grepable output, quiet mode, and improved handling of administrative privileges. Key improvements include better API compatibility, enhanced token discovery across multiple systems, and more flexible output options for security professionals.
- 12 Dec 2011
Tell Us Your Incognito Ideas and Win One of 5 Lego Ninjas
Incognito, a tool for exploiting Windows access tokens launched in 2007, seeks community input on potential improvements. The project aims to enhance the tool's effectiveness by gathering feature suggestions from the information security community. As an incentive, five Lego Ninjas will be awarded to the best feature ideas submitted.
- Luke Jennings
- 16 Apr 2008
Security Implications of Windows Access Tokens
A whitepaper by Luke Jennings explores the security implications of Windows access tokens in enterprise environments. The document details how access token design can be exploited during penetration testing, highlighting systemic vulnerabilities in corporate security controls. The paper discusses the technical mechanisms of Windows access tokens and provides insights into potential post-exploitation techniques.
| Name | Description | Stars | Link |
|---|---|---|---|
| physmem2profit | Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely | 402 | GitHub |