PenTest: PowerShell for Pentesters

Description

Dear PenTest Readers,

Welcome to the first edition of 2021! A new start and a new perspective ahead of us. While we definitely should be optimistic, we can’t forget that malicious actors of cyberspace never sleep, and that’s why ethical hackers need to stay vigilant.

The first articles of the issue present the power of Windows PowerShell used in the context of penetration testing. You will read about post exploitation, as well as on leveraging WMIObjects, CIMClasses, and transactions for PowerShell pentesting.

What also deserves your attention are two fantastic reports presented by our regular contributor, Filipi Pires - those are must reads for every threat hunting and analysis enthusiast! If you like to discover new projects, Project V3, presented in this edition by Anthony Radzykewych, is definitely your treat!

Also, we have two interesting interviews for you. Carmen Marsh tells the readers about her amazing educational initiative for women who want to start their career in the cybersecurity industry, while Alcyon Junior shares his reflections on last year’s impact on the offensive security landscape.

As usual, there are more valuable articles on various topics. Special thanks to every contributor, reviewer, and proofreader who made this edition happen!

Without further ado,
Let’s dive in the reading!

PenTest Magazine’s Editorial Team

---

Table of Contents

---

Post Exploitation Pentesting with PowerShell

by Anderson Nunes Sales

So, you studied your target, successfully got a reverse shell, obtained unauthorized access, escalated privilege and are now administrator of a Windows operating system, but what now? According to the pentest framework called PTES (http://www.pentest-standard.org/), the next level is Post Exploitation and it has nine topics; in this article, some PowerShell techniques will be presented that can be used in this step.

---

Leveraging WMIObjects, CIMClasses, and Transactions for PowerShell Pentesting

by Alexandros Pappas

PowerShell has gained popularity with SysAdmins and for good reason. It’s on every Windows machine and has capabilities to interact with almost every service on every machine on the network, and it’s a command line utility. For the same exact reasons, PowerShell has also become a favorite method of attackers interacting with a victim machine. Because of this, organizations have gotten wise to this attack vector and have put measures in place to mitigate its use. But there’s another way. Many don’t know of another built-in Windows utility that actually predates PowerShell and can also help them in their hacking pentesting engagements. That tool is Windows Management Instrumentation (WMI). This article will be a small introduction to not only understand the usage of WMI to enumerate some basic information from local machines, but it will also introduce to you the concepts of CIMClasses, and Registry Transactions.

---

Testing Creative Way Detection and Efficiency in Sophos Security Sensors

by Filipi Pires

The purpose of this document is to execute several efficiency and detection tests in our lab environment protected with an endpoint solution, provided by Sophos. This document presents the result of the defensive security analysis with an offensive mindset performing an execution of two Python scripts responsible to download some malware in our environment.

---

Project V3 - VulnHub, VirtualBox, and Vagrant

by Anthony Radzykewycz

When entering into the information security industry, demonstrating your skills in the field is an important factor when in pursuit of a job. There are multiple resources to gain these skills, with one of them being VulnHub. Remembering my experiences in the beginning of my journey, I feel it would be a benefit to lower the bar of entry to gain the skills necessary to do the job. As such, I have taken on a personal project of making all VulnHub machines compatible with VirtualBox and converting these VMs to Vagrant boxes. With this, a user of the project can simply type a single command to have a VulnHub machine provisioned in their system. This avoids the hassle of configuring the VulnHub machine and debugging issues related to the system, rather than getting to the point of the machine – achieving the relevant learning outcome.

---

“My biggest concern is with opening the door to newcomers”

an Interview with Carmen Marsh

One of the comments I often heard was that women were just not interested in this side of technology. I was determined to "bust the myth" about that so I posted on LinkedIn (October 2018) that I would be launching a fast track program called "100 Women in 100 Days Cybersecurity Career Accelerator" program in 2019 for women that would like to upskill for a job in cybersecurity. Within the first hour, I got 60 emails from women asking me: "How do I sign up?"

---

Outbreak Infection from Malware Bazaar, undetected by Sophos [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]

by Filipi Pires

The purpose of this document was to execute several efficiency and detection tests in our endpoint solution, provided by Sophos, this document brings the result of the defensive security analysis with an offensive mindset performing a download manually and executing of daily batches of malware samples created by MalwareBazaar in our environment.

---

From Fuzzing to Get a Shell

by Rodolpho Concurde

In this article, I’ll be teaching you how you can find a 0day vulnerability through the technique of fuzzing and how to write your own exploit, step-by-step, to get a shell. So let’s go ahead and get started!

---

AWS S3 Bucket Exploitation

by Yash Sharma

AWS provides a bunch of cloud computing services, which includes EC2, S3, Lambda, RDS, etc. They all are used for different purposes. AWS is the backbone of any organization as everything will be managed by the AWS itself and the developers and other departments can use the vast range of resources provided by it. AWS also provides a configuration console. From there, one can manage their resources. In cloud computing, we all know there are concepts of IAAS, PAAS and SAAS, etc. These services of AWS fall in the IAAS, PAAS and SAAS categories itself. Here we will be concentrating on S3 buckets only.

---

Opening a successful company during a pandemic time - is it possible? Building Your Own Pentesting Company in 2021

by Ahmed Mostafa

2020 was a tough year for everyone worldwide; most industries have been affected and more companies have been closed due to the pandemic. Many countries’ economies have decreased because of Covid19. Many, many incidents have happened during this year from cyber attacks and cyber threats so it will be a good idea to start your startup company in cybersecurity services right now.

---

“The cybersecurity career is becoming increasingly branched and specialized” 

an Interview with Alcyon Junior

The protection of corporate databases should be the biggest focus that should be given by CISOs, as the theft of personal information is becoming the biggest focus of attack, and it is also important to start looking more carefully at Ransomware attacks, as this it really has a chance to become the most common type of attack in the next year.

---