Sharing knowledge 💭

TL;DR In this blog post, we see how to retrieve a loaded module handle by parsing the PEB. Then, we use this handle to resolve function address by parsing the EAT. ...

Overview Reconnaissance Nmap $ nmap -Pn -A -T4 -p- 10.10.10.187 Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-05 21:49 CEST Nmap scan report for 10.10.10.187 Host is up (0.014s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0) | ssh-hostkey: | 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA) | 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA) |_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519) 80/tcp open http Apache httpd 2....

Overview Reconnaissance Nmap $ nmap -Pn -n -A -T5 -p- 10.10.10.181 Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-04 22:03 CEST Nmap scan report for 10.10.10.181 Host is up (0.015s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA) | 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA) |_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519) 80/tcp open http Apache httpd 2....

Overview Reconnaissance Nmap $ nmap -Pn -n -A -T5 -p1-65535 10.10.10.171 Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-03 17:28 CEST Warning: 10.10.10.171 giving up on port because retransmission cap hit (2). Nmap scan report for 10.10.10.171 Host is up (0.058s latency). Not shown: 64972 closed ports, 561 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA) | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA) |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519) 80/tcp open http Apache httpd 2....

Overview Reconnaissance Nmap $ nmap -Pn -n -A -T5 -p1-65535 10.10.10.178 Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-02 17:04 CEST Nmap scan report for 10.10.10.178 Host is up (0.017s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 445/tcp open microsoft-ds? 4386/tcp open unknown | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe: | Reporting Service V1.2 | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: | Reporting Service V1....