Attack Infrastructure Log Aggregation and Monitoring

This post was co-written by Steve Borosh (@424f424f) and Jeff Dimmock (@bluscreenofjeff). Monitoring attack infrastructure can prove to be as important as our attacking. Quickly hiding from investigating blue teamers can mean the difference between keeping our interactive command and control (C2) sessions and burning our infrastructure. If you’ve read the Red Team Infrastructure Wiki that Steve and I wrote, you know we’re big fans of heavily distributed infrastructure and using redirectors in front of everything. Monitoring becomes increasingly difficult when we have 20+ assets comprising our infrastructure. Luckily for us, this problem was solved a long time ago with rsyslog. In this post, we’ll cover how to monitor a distributed attack infrastructure with rsyslog to help facilitate quicker counter-response actions. <h1... [Read More]

Serving Random Payloads with Apache mod_rewrite

As testers, we sometimes need some good, old-fashioned trial and error to get things working. Phishing is one of the attacks that commonly takes more than one attempt to get payloads and command and control (C2) working properly. This post covers how to help effectively perform payload trial and error by randomly serving payloads from one URL with Apache mod_rewrite. The technique described in this post lends itself more to a penetration test, where email phishing batches may span an entire target company, rather than a red team assessment, where email phishing is highly targeted and payload issues are painstakingly troubleshot manually. Following the steps below, we can configure an Apache redirector, or server directly, to serve a random payload from a predefined list of... [Read More]

How To Pass the Ticket Through SSH Tunnels

The Pass the Ticket (PtT) attack method uses a Kerberos ticket in place of a plaintext password or NTLM hash. Probably the most common uses of PtT are using Golden and Silver Tickets. Gaining access to a host via PtT is fairly straightforward; however, performing it through an SSH tunnel is more complex. At this year’s Pacific Rim CCDC, my fellow Red Teamers and I ran into a situation where we had the target’s krbtgt and machine account NTLM hashes and had unprivileged SSH access to one Linux host on the DMZ with internal network connectivity, but we had no direct access to any Windows hosts. The setup roughly looked like this: <span... [Read More]

Red Teaming for Pacific Rim CCDC 2017

A few weeks, ago I had the pleasure of participating on the Red Team for Pacific Rim CCDC. This is my third year doing the competition, and I feel like I have more fun each year. This year, I was on the Windows Meta Team and a Red Cell Team with Lee Christensen (@tifkin_) and Andy Robbins (@_wald0). I’ve previously written two posts about the competition, in 2015 and 2016, and don’t want to rehash the same points I’ve already covered. In this post, I will focus on the Windows Meta Team infrastructure design, Cobalt Strike Aggressor scripts, and provide some tips for the Blues. Infrastructure Design While designing the Windows Meta Team’s infrastructure, we considered the response we’d expect... [Read More]

Slack Bots for Trolls and Work

In the (belated) spirit of April Fool’s Day, I wanted to slightly diverge from a strictly infosec topic and talk about something that can be used for good (work) or evil (trolling coworkers): Slack bots. Incoming WebHooks Incoming Webhooks allow external applications to post into Slack. The webhook processes HTTP requests sent to a provided URL. The data is stored in a JSON payload and processed by Slack on receipt. Incoming webhooks are a good choice when you want to post data into Slack from an external source that wasn’t requested by a user. Incoming webhooks can currently only post in public channels, they do not support direct messages, group chats, or private channels. To use incoming... [Read More]