Brinkles Pentesting Notebook

Introduction
Certification Reviews
C2 and Payloads
- Sliver C2
- Cobalt Strike
  BOFs and Aggressor Scripts
  Situational Awareness BOF
  HOLLOW BOF
  DLL_Version_Enumeration_BOF
  InlineExecute-Assembly BOF
  BOF.NET
  C2-Tool-Collection BOFs
  Inline-Execute-PE
  Payloads
Tools
- Internal Tools
  BloodHound
  Certi
  Coercer
  CrackMapExec
  DCSync
  DFSCoerce
  DonPAPI
  WMIEXEC
  Kerberoasting
  Lsassy
  mitm6
  Pcredz
  PowerSploit
  PrivExchange
  Responder / RunFinger
  Rubeus
  Seatbelt
  Seth
- Web App Pentesting
  Payload All The Things
  Directory traversal
  Deep Traversal
  More Directory Traversal Payloads
  SAML Injection
  XXE - XML External Entity
  XSS - Cross Site Scripting
  XSLT Injection
  XPATH injection
  Upload Insecure Files
  SQL injection
  MSSQL Injection
  MYSQL Injection
  Oracle SQL Injection
  PostgreSQL injection
  SQLite Injection
  Server Side Templates Injections
  Server-Side Request Forgery
  Payloads Included in Server-Side Request Forgery
  Request Smuggling
  OAuth
  NoSQL injection
  LDAP injection
  Kubernetes
  JSON Web Token
  HTTP Parameter Pollution
  GraphQL injection
  CORS Misconfiguration
  CRLF
  Cross-Site Request Forgery
  CSV Injection (Formula Injection)
  File Inclusion
  PHPINFOlfi.py
  uploadlfi.py
Network Security

Powered by GitBook

On this page

What is this?
What problem are you trying to solve?
How do I build this?
How do I use this?
Any known downsides?
What does the output look like?

DLL_Version_Enumeration_BOF

What is this?

This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC , meant to use ascertain information regarded imported DLLs (via the ENTRY_RESOURCE) within current process that your beacon associated with.

What problem are you trying to solve?

Given my current projects regarding DLLs, this is yet another blindspot I wanted to address after seeing @N4k3dTurtl3's work.
I wanted to support both 32-bit AND 64-bit Beacon sessions.
I wanted to have verbose or minified output, given an operator's desire
I wanted to keep the original design of @N4k3dTurtl3's intact; minimal API calls.
1. This is solved this by rolling our own from groked or cribbed implementations elsewhere.

How do I build this?

In this case, you have two options:
1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
2. Compile from source via the Makefile
  1. cd src
  2. make clean
  3. make
Load the Aggressor file, in the Script Manager, located in the dist directory

How do I use this?

From a given Beacon:

Any known downsides?

We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk", though this is limited to a single comparison function (stricmp).
You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.

What does the output look like?

All known `DLL`s associated with the process

Verbose output of the aforementioned

Verbose output of the aforementioned with `needle`

PreviousHOLLOW BOF NextInlineExecute-Assembly BOF

Last updated 2 years ago

Page cover image