Finding Diamonds in the Rough - Parsing for Pentesters

Parsing data is a fundamental ability that anyone serious about information security should consider putting time and effort into understanding. It can mean the difference between spamming Ctrl+F in a text editor and pulling out exactly what you need with a Bash one-liner that took a couple of minutes to create and modify. In the long run, the initial investment pays dividends for the rest of your infosec career. In this post, and those that follow, we will walk you through the tools and techniques we have used to find what we need when sifting through large amounts of data. This will be done using a Bash terminal from the perspective of a penetration tester, but the information translates to other infosec or IT ops...

Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite

Imagine you are performing a Red Team engagement. So far it’s been very hard, fighting tooth and nail to get each step closer to totally owning their network. You finally get internal network access and things are stable. Everything looks good on your end, but on the Blue side of things IT is taking notice of traffic flowing to an unknown domain. A curious IT worker opens their browser and navigates to the site. 404 error. Suspicion++. Five minutes later your Beacons become unresponsive. You’re blocked. Now you have to spin up some new infrastructure and get in again. I am willing to bet we’ve all been in a similar situation at least once. One way we can reduce the risk of being caught is...

Red Teaming for Pacific Rim CCDC 2016

Six weeks ago I had the opportunity to Red Team for Pacific Rim CCDC. I love doing this competition because it gives me a chance to do things one would never be allowed to do on a real network and it forces me to think about a different set of problems than a pentest or red team engagement. In this post I will discuss my thoughts and experiences before, during, and after this year’s competition. Preparation: Last year I made a few goals for myself, mostly centered around preparation. About a month before the competition some friends and I collaborated to prepare for the competition. Operations Plan: The first piece of preparation is making an Operations Plan. The Ops Plan is a...

Expire Phishing Links with Apache RewriteMap

On more than a few occasions phishing recipients have forwarded my phish to IT. The first indication is usually when I’m watching the access logs like a hawk and see multiple GET requests with a user’s token, yet haven’t received any credentials or beacon sessions. Sometimes it turns out the user is being blocked by a technical control after the initial request, but other times we are told that the user did what their security training suggested and forwarded the email. Yay. I don’t like the thought of being one email forward away from IR having free rein to peruse my phishing site in a sandbox. For a while I’ve wanted to limit this ability, allowing users to navigate to the malicious website or payload...

Combatting Incident Responders with Apache mod_rewrite

Any phishing campaign involving an active incident response element usually requires some evasive steps to prolong its longevity. This often includes being stealthier, performing anti-forensics actions, or avoiding certain tradecraft altogether. Phishing is no different, and is often the most ‘vulnerable’ part of a campaign from an active IR perspective. Using a distributed infrastructure built with independent components helps reduce the risk of the overall architecture being blocked, but individual phishing campaigns are likely to be caught and blocked throughout the duration. The longer we can stretch out the usability of each of those campaigns, the better our chances of gaining access. Using Apache mod_rewrite rules, we can rewrite potential incident responder or security appliance requests to an innocuous website or the target’s real...