Kevin-Robertson / Tater

Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec

FireWall Problem #3

Closed topazbor closed 8 years ago

topazbor commented 8 years ago

I have tried Tater, and the first time I ran it, it asked for a new Windows firewall rule. And as you know, it requires privileges for that. What do you think?


Kevin-Robertson commented 8 years ago

I'll test more firewall scenarios with Tater after I get Inveigh 1.1 released.

topazbor commented 8 years ago

Maybe it would be nice to try to add ARP spoofing to Inveigh. Thanks.

Kevin-Robertson commented 8 years ago

I'm not sure that the firewall is blocking you in this case. In my testing, it's the NBNS spoofer that triggers the firewall alert. With default settings, the spoofer is the only thing not using 127.0.0.1. In your screenshot, I can see that WPAD has been successfully spoofed, so the NBNS spoofer has done its job. Here are a few things to try:

  1. Disable the firewall and see if it works
  2. Enable the firewall, delete whatever you are using (powershell or powershell_ise) from the firewall allowed list and start Tater with -NBNS N. You should not see a firewall prompt.
  3. If it always hangs at that same spot, open a browser and navigate to http://127.0.0.1. You should see an HTTP request notification from Tater. This will confirm that the HTTP listener is working.
  4. If the HTTP listener seems to be working, maybe try trigger 0 and just let it run for a day.
  5. Try potato.exe and see if it behaves the same. https://github.com/foxglovesec/Potato

I have a couple of test systems that just don't seem to want to work anymore with either potato or tater and the Windows Defender trigger. I have not had a chance to really look into it.

I'm going through a cleanup round with Tater and will continue to test.
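An added audit script for the defender side of step 2 above (not code from the Tater project or from this thread): it lists the enabled inbound firewall allow rules bound to PowerShell hosts, which is exactly what accepting the prompt in the screenshot creates, and cross-checks which process owns UDP 137 off loopback. It assumes the built-in NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 and later); the cmdlets are real, the function name and the process list are my own choices.

```powershell
# Added example, not part of Tater. Audit inbound allow rules for PowerShell
# hosts, i.e. the rule the Windows Firewall "allow access" prompt writes when a
# script opens a listener on an address other than 127.0.0.1.
# Get-* cmdlets work unelevated; Remove-NetFirewallRule needs an elevated session.

$hostNames = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')  # assumption: the hosts we care about

function Get-PowerShellInboundAllowRule {
    # Walk every enabled inbound allow rule and resolve its program and port filters.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $port = $rule | Get-NetFirewallPortFilter
            # Program is a path such as %SystemRoot%\...\powershell.exe, or 'Any'.
            $leaf = if ($app.Program) { Split-Path -Leaf $app.Program } else { '' }
            if ($hostNames -contains $leaf) {
                [pscustomobject]@{
                    Name      = $rule.Name
                    Display   = $rule.DisplayName
                    Program   = $app.Program
                    Profile   = $rule.Profile
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                }
            }
        }
}

$findings = @(Get-PowerShellInboundAllowRule)
if ($findings.Count -eq 0) {
    Write-Host 'No enabled inbound allow rules for PowerShell hosts.'
} else {
    $findings | Format-Table -AutoSize
    # To clean up (elevated): $findings | ForEach-Object { Remove-NetFirewallRule -Name $_.Name }
}

# Cross-check: who holds UDP 137 (NBNS) on a non-loopback address. NetBT normally
# binds it from the System process; any other owner is worth a closer look.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```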

topazbor commented 8 years ago

Great, I will test with -NBNS N and let you know what happened. Great job BTW.

On Thu, Mar 17, 2016 at 4:23 AM, Kevin Robertson notifications@github.com wrote:

topazbor commented 8 years ago

You can close this subject.