SANS Penetration Testing: Category - Metasploit

Custom Payloads in Metasploit

[Editor's Note: Mark Baggett shares some useful insights into delivering custom payloads using Metasploit, with a little Python magic to boot! --Ed.]

By Mark Baggett

You launch your Metasploit exploit. It looks like it is working but no session is created. What happened? Your exploit just got popped by antivirus software. Such a bummer. Antivirus software is a hurdle that you have to overcome as a penetration tester, modeling the techniques of the real-world bad guys. The best way to avoid antivirus software is to stop using a payload that someone else created. Time and time again, penetration testers find they have a basic need to use custom payloads.

Create your own custom payload, and then you won't have to worry about an AV signature catching your payload and eating it! It is easy and it gives you the flexibility to go after any target. There are lots of tools and articles to help you do so, including the

Network Pen Testing Tips, Tricks, Tools and Resources

[Editor's Note: For this year's SANS Pen Test Poster, we asked some of the best pen testers and instructors in the industry to share their wisdom in a series of tips, tricks, tools, and useful resources for various kinds of penetration tests. We got some great input on network pen testing, web app pen testing, mobile pen testing, exploit writing, and wireless pen testing. We'll be posting these really useful recommendations as a series of blog posts over the next few weeks. The first in the series is this set of recommendations from the amazing John Strand of Black Hills Information Security. --Ed.]

By John Strand
  • Recon— This is the one area most people skip over or put the least amount of effort into. Don't. Without question, this is the most important phase. If done

PsExec UAC Bypass

[Editor's Note: In this article, Tim Medin describes a common pen test scenario in which a tester gets limited access to a target Windows machine, and needs to escalate privileges without incurring the wrath of User Account Control (UAC). Tim describes his approach, which involves the use of psexec to bounce off of another machine to evade UAC and then pivot mercilessly in the target environment. Nice stuff! --Ed.]

by Tim Medin

During a recent penetration test, we were trying to figure out how to bypass UAC on a fully patched Windows environment, given that we'd had a limited compromise of one system via phishing. I'd like to share the technique we came up with so you can apply it in your own work.

The Scenario

In our test, we were using phishing attacks trying to trick a user to click on an AV-dodging attachment that would
Invasion of the Network Snatchers: Part I

[Editor's Note: In this article, Tim Medin discusses methods for penetration testing network infrastructure components, specifically through the Simple Network Management Protocol (SNMP). Tim's tips below include a nice overview of SNMP, techniques for formulating highly useful lists of potential authentication credentials for SNMP, a description of how to use an Nmap NSE script for password-guessing SNMP, ideas for using snmpwalk to extract config info, and a description of a Metasploit module for harvesting SNMP info from a bunch of devices. He's got some great command-line kung fu throughout as well. It's a cornucopia of useful ideas. These techniques can be really helpful in showing security risks in a target organization's network infrastructure. Thanks, Tim! --Ed.]

By Tim Medin

Part of one of Sun Tzu's (overly used) quotes is, "Water shapes its course according to the nature of the ground over which it flows...". I often hear people say, "blah
SMB Relay Demystified and NTLMv2 Pwnage with Python

By Mark Baggett

[Editor's Note: In this _excellent_ article, Mark Baggett explains in detail how the very powerful SMBRelay attack works and offers tips for how penetration testers can operationalize around it. And, better yet, about two-thirds of the way in, Mark shows how you can use a Python module to perform these attacks in an environment that uses only NTLMv2, a more secure Windows authentication mechanism. Really good stuff! --Ed.]

The SMB Relay attack is one of those awesome tactics that really helps penetration testers demonstrate significant risk in a target organization; it is reliable, effective, and almost always works. Even when the organization has good patch management practices, the SMB Relay attack can still get you access to critical assets. Most networks have several automated systems that connect to all the hosts on the network to perform various management tasks. For example, software inventory systems, antivirus updates, nightly backups,