Hunting ThunderShell C2

ThunderShell is a PowerShell based Remote Access Tool (RAT) that relies on HTTP requests to communicate with the C2. All of the traffic is subsequently encrypted with RC4 in order to protect the data. My primary focus during this investigation was on the C2, and if there are any design issues to be concerned about before possibly using this in any future Red Team engagements.

[Read More]

CTF Lab Setup

VirtualBox is a free hyper-visor we can use to setup a lab for practice. Go ahead and download it now and we’ll go through setup for a semi-secure lab that will suffice. I’ll reference a book if you want to go balls to the wall lab setup at the end.

[Read More]

ASan Root Cause Parser

Address Sanitizer (ASan) is a memory corruption detection mechanism built into both clang and gcc. It is capable of detecting the following conditions: use after free, heap buffer overflow, stack buffer overflow, global buffer overflow, use after return, use after scope, initialization order, and memory leaks. It is often combined with fuzzing techniques in order to alert on bugs that may not have otherwised crashed the target application. While targeting large applications, it is common to end up with hundreds to thousands of crash reports. Depending on your fuzzing framework, many of these may be duplicates. This python script will parse ASan crash reports and group them based on the backtrace information.

[Read More]

PyCoin - Automated BitCoin Updates via SMS

There’s a lot of buzz around BitCoin right now. A lot of people frequent going to CoinBase or Google to find the price of BitCoin. I decided to make a automated script that would text you the price of BitCoin using Python. I used CoinBase API along with Twilio API to complete this task. There are ways to use python SMS without Twilio but I won’t be covering that here.

While this might not be Red Team related I feel it’s relevant in helping people with python, automation, and SMS. This same method could be used for automated texting to you if an engagement were successful. For example if a victim enters credentials to your C2, real time updating from implants, etc. You get the idea.

[Read More]

Domain Fronting with Meterpreter

Domain Fronting is a technique that is typically used for censorship evasion. It relies on popular Content Delivery Networks (CDNs) such as Amazon’s CloudFront to mask traffic origins. By changing the HTTP Host header, the CDN will happily route us to the correct server. Red Teams have been using this technique for hiding C2 traffic by using high reputation redirectors.

For more information on Domain Fronting, please refer to this whitepaper

[Read More]

Pupy WebSocket Transport

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python. It’s easily expandable, and includes stackable network transports for C2 communication. It’s for this reason, that I recently chose it as a base for a Red Team operation against a “security-tough” target.

Requirements

I knew that the target had a corporate proxy, and most likely had SSL decryption capabilities. Therefore, all stages of the payload needed to be proxy aware. Pupy offers the auto_proxy option, but may require some tweaking to get a desired payload stages to be aware of default proxies. The engagement time per the scope was limited, so the RAT also needed to be easy to work with. I typically work with Python during my day to day, so this was the perfect fit.

[Read More]