In this post I would like to talk about a technique that I read this summer and had not been able to practice until recently in a penetration test.

The technique involves obtaining passwords in clear text from a server without running “malicious” code in it. In this way we avoid having to deal with antivirus evasion techniques and other headaches.

Tools required:

• Mimikatz: http://blog.gentilkiwi.com/securite/mimikatz/minidump
• Procdump: http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

To know what Mimikatz does I recommend @mmorenog’s post that describes its purpose and operation. In summary, Mimikatz “attacks” the lsass process and takes advantage of a type of reversible encryption that Windows implements to obtain plaintext passwords.

On the other hand, Procdump is a tool developed by Mark Russinovich that will allow us to dump the memory space of a process to a file.

[Read more…]

A couple months ago, our partner Jose Vila talked about the power of SSH tunnels. He showed how we can avoid firewalls and bypass those tricky filters using tunnelled traffic.

Today, I’m going to show you a different approach.

Nowadays, it is a dangerous thing to connect your smartphone unprotected to a free Wi-Fi. It is quite common that somebody is sniffing the traffic or you suffer an ARP poison attack. Then how can I be secure on a wifi network? Once again, with SSH tunnels. And how to build SSH tunnels with my Android? With SSH Tunnel.

[Read more…]