Fusing Reverse Shells And Kernel Exploits For Fun and Profit | Aleksa Zatezalo
Author: Wild West Hackin' Fest
Uploaded: 2025-06-23
Views: 307
Description:
🔗 Join us in-person and virtually at our Wild West Hackin' Fest: information security conferences — https://wildwesthackinfest.com/
🔗 Register for Infosec Webcasts, Anti-casts & Summits. – https://poweredbybhis.com
In this presentation, I'll show you the inner mechanics of reverse shells and bind shells, offensive use of the Windows API, and the basics of exploit coding in the C programming language, all under the umbrella of my personal project, the Impersonator Shell.
The Impersonator Shell started as a combination of two popular hacker tools: Netcat and PrintSpoofer. The exploit is named after the Windows privilege that PrintSpoofer uses to get administrative access to Windows machines, the SeImpersonate privilege.
This shell abuses the SeImpersonate privilege to create an administrative reverse or bind shell. Users running server software on Windows hosts will commonly have the SeImpersonate privilege enabled. Security engineers who can obtain RCE on such servers can also obtain an administrative shell by abusing the SeImpersonate privilege.
Instead of uploading Netcat and the corresponding kernel exploit, security engineers can use the Impersonator Shell. If the built-in exploit does not work, security engineers are still provided with a non-administrative shell.
The Impersonator Shell can connect to a Metasploit listener and be upgraded to a Meterpreter shell.
The Impersonator Shell can also leverage native Windows API functions to grab a process and capture information about the token associated with that process.
00:00 - Whoami
00:15 - Overview/Agenda
01:07 - Inspiration/Guiding Ideas
02:14 - Why Impersonator Shell?
04:49 - Windows Token Basics
07:01 - Named Pipes and Process Spawning
08:25 - Impersonation
09:57 - What token permissions look like
11:54 - Sockets
13:06 - Next Steps
14:51 - DEMO
19:48 - Commands Available with Impersonator Shell
22:28 - Q&A - How do commands show up in the event log?
23:36 - Q&A - How do you impersonate System token if you’re not running as system?
24:17 - Q&A - What was the EDR reaction throughout the development?
25:15 - Q&A - What is a legitimate use for Impersonator privileges?
///Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: https://infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord
///Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.mysh...
///Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/ser...
Penetration Testing: https://www.blackhillsinfosec.com/ser...
Incident Response: https://www.blackhillsinfosec.com/ser...
///Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/
///Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pa...
Live Training: https://www.antisyphontraining.com/co...
On Demand Training: https://www.antisyphontraining.com/on...
Antisyphon Discord: / discord
Antisyphon Mastodon: https://infosec.exchange/@Antisy_Trai...
///Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: / wildwesthackinfest
Antisyphon Training YouTube: / antisyphontraining
Active Countermeasures YouTube: / activecountermeasures
Threat Hunter Community Discord: / discord
Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/