Strengthen Your Phishing with Apache mod_rewrite and Mobile User Redirection

Oftentimes a corporate internal network is heavily locked down. Workstations are restricted with limited internet access. These controls are often less strict on mobile devices (or sometimes absent entirely), especially as BYOD is implemented more and more. While phishing, Apache access logs often show mobile devices accessing the malicious page, yet no sessions are established. I investigated a number of ways to solve the problem and ultimately landed on using Apache’s Rewrite module. The more I learned about mod_rewrite’s abilities, the more benefit I saw in using Apache redirectors for phishing. This post is the first in a series of posts about solving common problems that plague phishing, including users visiting a malicious website on their mobile device, users visiting non-existent resources on our... [Read More]
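The post is truncated before it shows a rule, so here is the shape such a mobile-redirect rule takes, as an added example rather than the author’s own configuration. It assumes Apache 2.4 with mod_rewrite enabled, a landing page served from the virtual host’s document root, and a benign destination at https://example.org/ (a placeholder) for visitors whose browser does not fit the campaign’s target; everything else falls through untouched to the landing page.

```apache
# Added example (not from the original post): send mobile browsers elsewhere so
# only workstation browsers reach the landing page. Place inside the site's
# <VirtualHost> block (or in .htaccess with AllowOverride FileInfo).
RewriteEngine On

# Optional while testing: trace each rewrite decision into the error log.
# Very noisy; remove before running a live campaign.
# LogLevel alert rewrite:trace3

# 1. Is this a mobile browser? The User-Agent is attacker... er, client-
#    controlled, so this is a heuristic, not a security boundary. [NC] makes
#    the match case-insensitive; the list is an assumption, extend as needed.
RewriteCond %{HTTP_USER_AGENT} "android|iphone|ipad|ipod|blackberry|windows\s?phone|mobile" [NC]

# 2. Only act on requests for the landing page itself, so static assets,
#    favicon requests and anything else the landing page pulls in are left alone.
RewriteCond %{REQUEST_URI} ^/$ [OR]
RewriteCond %{REQUEST_URI} ^/index\.html$ [NC]

# 3. Redirect with a temporary (302) response and stop processing rules.
#    https://example.org/ is a placeholder destination, not from the post.
RewriteRule ^ https://example.org/ [R=302,L]

# Requests that fail either condition are not rewritten and are served normally.
```

Check the syntax with `apachectl configtest` (Debian and Kali: `apache2ctl configtest`) before reloading, and enable the module first on Debian-derived systems with `a2enmod rewrite`. Two caveats worth remembering: the `[L]` flag ends the current pass but Apache re-enters the rule set on the redirected request, which is why the redirect target must be on a different host (as here) or excluded by a `RewriteCond`, and since the decision rests entirely on the client-supplied User-Agent, a desktop browser spoofing a phone string, or an analyst fetching the page with a mobile profile, will be redirected just like a real phone.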

SMB Relay with Snarf

Making the Most of Your MitM

SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes to a target host. This post assumes you already understand the basics of SMB Relay (if not, I highly suggest you check out Mark Baggett’s SANS post SMB Relay Demystified and NTLMv2 Pwnage with Python). SMB Relay has, hands down, been the most frequent foothold I’ve found on internal network pentests; however, sometimes the users in my broadcast domain don’t seem to have Local Administrator rights on any of the targeted hosts, or AV makes the process take a lot longer. This is where Snarf comes to the rescue. I was on a network once where NBNS/LLMNR traffic was infrequent and administrator rights were limited.... [Read More]

Making a Powershell EXE Payload

I’ve been using TrustedSec’s Unicorn a LOT over the past few months. In fact, it’s become my go-to payload to pop a box. While it’s awesome to be able to paste a command and get a shell, sometimes an EXE is required. For those cases, I’ve made a script to automate the whole process; tl;dr: it uses WinRAR’s command-line options under Wine to make a self-extracting archive. Source. Setup instructions: cd /opt; git clone; cd ~/Desktop; wget; wine wrar511.exe. Now just go through the default options of WinRAR to finish the install. Usage: python <payload> <... [Read More]

How I Prepared to Red Team at PRCCDC 2015

I had the opportunity to take part in the Pacific Rim CCDC this past weekend and it was a BLAST! It was my first CCDC, so I really didn’t know what to expect. I did know that the last thing I would want to be doing is installing and configuring tools during test time. Kali: I erred on the side of installing tools I might not use rather than not installing something I would need. I’ve got a go-to script I use for setting up and customizing a Kali VM. It installs a ton of tools and scripts that I use. The script can be found here. Then, I made some manual tweaks: change root password; enable autologin within /etc/gdm3/daemon.conf... [Read More]


Persistence is a great thing to have on a pentest, especially if testing from the outside. Persistence also seems to be a word that makes the hair on the back of clients’ necks stand up. Backdoors are a scary thing if you’re in charge of keeping a network secure. When it comes to installing persistence, there are quite a few options available, such as Metasploit’s persistence module or scheduleme.rb. As one would expect, these modules leave a permanent payload and a schedule for phoning home to the tester’s box. But what about when this is out of scope? Here’s a method that keeps a payload phoning home but leaves no permanent effects. Using WinRAR, we can pack our payload with a VBScript that sleeps for... [Read More]