Mark Mo
Jun 21 · 6 min read

Research and Organization on the go and refinement when time permits

**NOTE I HAVE MY CLOUD DRIVE FOLDER EXCLUDED FROM MY AV SCAN. LOTS OF TOOLS CAN BE USED FOR GOOD OR EVIL**

Here is my process for capturing/organizing the fire hose of tools/ideas/information that people share. I get most of my information from Twitter. Usually I read it on my phone. When I find something that looks helpful or interesting here are the steps I take.

First, I create a folder for the content. I try to categorize it in a way that makes sense to me. I’ll use SharpDump from https://github.com/GhostPack/SharpDump as an example. I would categorize this as “CredentialDumping”. If the CredentialDumping folder doesn’t exist, I create it. I navigate to my “CredentialDumping” folder on my cloud drive (I use OneDrive) and click the “+” button to create the “SharpDump” folder on my cloud drive.

I’ll name the folder “SharpDump” (the name of the tool) and select “Create”

Once the folder is created, I will drop in the tool and a PDF of the page where I downloaded the tool. First, I’ll get the tool. I browse to the URL using Edge and scroll down to the bottom of the page. THIS IS IMPORTANT — click the “Desktop Version” link at the bottom of the page. This will then show the download link, and it also shows the README page, which I download as well.

Click the “Clone or Download” button and select “Download Zip”

Select “Open with”

Select your cloud drive (I use OneDrive)

I browse to my “CredentialDumping” folder

I find the “SharpDump” folder I created and select it.

I select “Upload Here”

It will start uploading

Next, I always take a PDF of the README. Yes, I could unzip it and read it, but I find it very nice for me to quickly get a sense of what the tool is for. This is just my personal preference. I also use this technique in my research folders to store copies of categorized websites with content I can copy/paste.

***NOTE — I ALWAYS USE EDGE BROWSER TO DOWNLOAD PDFs — I can copy/paste from PDFs created from Edge. I cannot select/copy the PDF content from other browsers I’ve tried in the past (that may have changed).***

First, I rotate my phone, so the display is wide. This changes the PDF Edge generates to landscape.

Next I’ll select the “upload button” circled here

I select the “PDF” button

This screen comes up, and I select the “upload button” circled in the bottom left-hand corner.

I select my cloud drive

I browse to my “CredentialDumping” folder

I browse to my “SharpDump” Folder

When I get to the folder I select “Upload Here” and I get a confirmation that the data was saved

Now I can easily access this from my home lab computer and play with it when time permits. I’ll usually copy the Zip file to my VM before expanding. SharpDump is a C# program so I’ll copy it to my developer machine and open it there.

I’ll expand the compressed file on my Developer VM machine

I’ll open it with a copy of Visual Studio. You could compile it from the command line without Visual Studio, but that is out of scope for this write-up.

When I open it with Visual Studio, it says I don’t have .NET Framework 3.5 installed. For now I’m just going to target an installed framework.

I review the source for anything malicious and I’ll build the solution.

I can see my exe got created here

I’ll run the EXE from an elevated command prompt to dump my LSASS.EXE

At this point, I would use mimikatz to dump the NTLM hashes, but this write-up is focused on organizing data. My final step is to distill this further into something I can easily use later. I keep a detailed spreadsheet with the specific commands I need. For example, for SharpDump, I’m storing a sample of how to compile the code from a command line and what the output looks like. Someday I’ll redo this as a web page.

FYI, to make the compile command work, I had to target the .NET Framework and save my code to a folder targeting .NET Framework 4.5.2.

With a bit of time my collection has grown. Here is a screenshot of tools for privilege escalation on Linux and Windows that I’ve collected over the last two years.

I keep a separate folder for research. It is just a collection of organized PDF downloads from websites. You will notice I have a bunch of uncategorized articles in this folder. When time permits, I read through them and organize them further.

Anyway, that’s how I organize the firehose of data that comes at me daily. Feel free to follow me on Twitter @_markmo_ (yes with the underscores). I like to share what I learn.


Written by

Mark Mo

@_markmo_ on twitter