How often do you encounter a much-desired domain admin session on an outdated Windows 7 workstation? In the hands of a hacker pentester, this admin account is a ‘master key’ that can unlock the entire network. But imagine that an evil antivirus prevents you from dumping LSASS. What would you do in such a situation? How to hijack a user session bypassing all security mechanisms?

As you are likely aware, Windows assigns a unique session to each user logging into the system. And if somebody logs into an already hacked device, you can hijack that person’s session. This article discusses a promising privilege escalation technique: the attacker steals users’ sessions using COM classes.

Kerberos offers plenty of user authentication features. Its main ‘bricks’ are tickets; in the course of penetration testing, the attacker dumps such tickets from the LSASS process memory at least once. Today, I will explain how this operation can be performed without sophisticated hacker tools.

To implement a number of pass-the-ticket attacks, you have to inject a Kerberos ticket into the compromised system. Such tools as Mimikatz, Impacket, or Rubeus can be used for this purpose, but they are easily detected by antiviruses, thus, making this approach ineffective. In this article, I will explain how the ticket injection problem can be solved without special tools: all you need is WinAPI and some magic.

In Windows, privileges play a key role: only the admin has the authority to grant special rights to users so that they can perform their tasks. This article discusses a software tool called Privileger: it enables you to search the system for accounts with certain privileges and change privileges assigned to a given account.

In Windows, most security mechanisms are based on user account passwords. Today, you will learn several techniques making it possible to intercept a password at the time of user authentication and write code that automates this process.