Penetration Testing tips and tricks that will hopefully make your struggles at least a little bit better :)

Spear Phishing 101

May 7, 2017

Spear phishing is one of the most useful tools available to gain initial access in an environment. At its core, phishing is a form of social engineering designed to entice a user to reveal sensitive information or to run a payload that compromises their system. Running a successful phishing campaign requires a few different resources and some setup. In this post I will go over the process I use to set up and run a successful phishing campaign.

Target Identification

The first step in a successful phishing campaign is to know your target. For the purpose of this post, our target will be the fictitious organization ACME LLC. There are a few things that we need to know about ACME to conduct the campaign:

- Is this a Linux or Windows based environment?
- How are their email addresses formatted?
- Is there a public login portal for the organization?
- Does the organization implement email filtering?

The answers to these questions will help establish a good baseline and give us the information we need to start setting up the campaign. However, these questions are not all-inclusive, and the more time you spend researching the target organization, the better; enumeration is...

Mod_Rewrite Automatic Setup

April 17, 2017

Setting up the infrastructure for a Red Team engagement can be time-consuming and arduous. Jeff Dimmock and Steve Borosh have done a lot of work to make this process easier and more transparent. They gave a great presentation that went over the fundamentals of setting up good Red Team infrastructure, and as part of this effort they released a wiki. One of the most interesting bits of tradecraft released in this talk and on Jeff’s blog is their very creative use of apache2’s mod_rewrite functionality. Mod_Rewrite is very powerful for a few reasons:

- Mod_Rewrite proxy connections hide the actual location of your team server.
- Mod_Rewrite user-agent redirects can be used to redirect mobile users away from a payload to a spoofed login portal.
- Specific IP addresses can be blocked from your team server.
- Only Malleable C2 traffic can be allowed through to the team server.

In a Red Team engagement, there are often multiple team servers and multiple redirectors in front of each team server. If a defender identifies and blocks one of the redirectors, it should be easy to recreate. However, manually setting up a mod_rewrite rule set for each redirector can be challenging and time-consuming. To make...

From Patch Tuesday to DA

March 17, 2017

Recently on an assessment, I was stuck in the context of a low-privileged user on a Windows Server 2012 R2 system. This server functioned as a Remote Desktop server for the organization. I knew that if we could escalate to local administrator on the server, we would be able to use mimikatz to steal Domain Administrator credentials. I was working with Chris Myers, and we had tried almost everything. Right when we were about to move on, CVE-2017-0100 came to our attention. It was the perfect vulnerability for our situation: in theory, it should allow us to execute a payload as every user with an active session on the Remote Desktop server. The vulnerability and proof-of-concept exploit were submitted by James Forshaw; we modified the proof of concept to fit our situation. It uses session monikers with a DCOM activator to allow a user to start an arbitrary process in another logged-on user’s session. After analyzing the original proof of concept, we still needed to make a few modifications to fit it to our situation:

1) Identify what types of payloads were viable with this exploit, and modify how the payload is defined...

Mail Servers Made Easy

February 14, 2017

Setting up a phishing server is a very long and tedious process. It can take hours to set up and can be compromised in minutes. The esteemed gentlemen @cptjesus and @Killswitch_GUI have already made leaps and bounds in this arena. I took everything that I learned from them on setting up a server and applied it to a bash script to automate the process. Before we get to the script, let’s go over the basics of setting up a mail server. First, let’s outline the process, then dive deeper into each step:

- Obtain a VPS/Server/IP trusted by the target
- Set up Secure Access to the Server
- Disable IPv6 and Remove Exim
- Install SSL Certs from Let’s Encrypt
- Install Dovecot and Postfix
- Add Aliases
- Configure DNS Entries
- Test Mail Server Configuration

1) Obtain a VPS/Server/IP trusted by the target: To use this script, you must have a domain name and access to a server running Debian 8. You must have the ability to set the PTR record for the IP address assigned to your server. There are many different options available to purchase a virtual private server (VPS). Some notable ones include DigitalFyre, Linode, and DigitalOcean...

WMI Persistence with Cobalt Strike

January 20, 2017

Let’s be honest: implementing persistence on an assessment can be hard, messy, and get you caught. Fuzzy Security did an excellent overview of some of the most common techniques used today and how to implement them. You can find that blog post here. Some of the persistence techniques mentioned are:

- Persistence through the Registry
- Scheduled Backdoors using Scheduled Tasks
- Process Resource Hooking
- Persistence through the MSDTC Service
- WMI Permanent Event Subscriptions

Personally, I like to use WMI as my persistence mechanism. It is hard to detect, difficult to remove, doesn’t require payloads saved on disk, and can be implemented easily. So how does it work? At a very high level, establishing persistence is a three-step process:

- Establish an event filter that triggers on system boot
- Create a command line consumer to run the payload
- Set a binding that activates the command line consumer when the event filter fires

To make this process a little easier, I decided to make a quick PowerShell script. The script is available on GitHub. Most of the code I used came from research done by Matt Graeber and some help from Andrew...

Cloning and Hosting Evil Captive Portals using a Wifi PineApple

January 10, 2017

Recently, I was on a wireless assessment, and one of our objectives was to obtain the access code to a guest wireless network. To do this, we decided to use a Wifi Pineapple Tetra. In this post, I will go over the process of cloning a website to use for your captive portal using the Portal Auth module, then hosting it with the Evil Portal module. I will not be going over the initial setup of the Wifi Pineapple; for more information on the initial setup, I suggest you look here. So let’s get started!

The first thing we need to do is download the “Portal Auth” and “Evil Portal” modules. Click install and then click internal storage to install the module. After they are both installed, we can start to set up Portal Auth! Portal Auth is going to help us capture and create a captive portal to host. First, click “use default” to populate all of the configuration options. Next, we have to pick a website to clone for the portal. For this example, I am going to use Under “Test...