Password Spraying ADFS with Burp

As many organizations are moving aggressively towards cloud based platforms, we as Red Teamers are coming more into contact with Federation services. Federations essentially extend authentication mechanisms from one system to another. These systems may be part of the same organization or completely separate. One of the most common implementations of this is Microsoft’s Active Directory Federation Servers (ADFS). For a good overview of securing ADFS, check out adsecurity’s article here. As these services are becoming more popular,

[Read More]

Attacking Network Protocols Review

Chapters 1 and 2 go over basic networking concepts and various ways to capture traffic. The author goes into pretty deep detail about everything. Chapter two focuses on MITM proxies, SOCK proxies, HTTP/Reverse HTTP proxies, etc. Great read for those new to offensive and defensive security, and good refresher for those of us that are not so new. The Author uses a C# Library he created called Canape which I found annoying since not everyone is a software dev in high level languages and he could have easily used Scapy which “hackers” as the title infers are more familiar with.

[Read More]

Bug Hunting with Mercurial

In this article, we will take a look at a technique for bug hunting in Open Source projects by using version tracking information. In this particular case, we will look at Firefox and their Mercurial setup. By identifying patches that are connected to bugs with public reading turned off, we are able to identify specific fixes for potential security issues in a major web browser, often before releases are pushed. This is also an excellent way of coming up with Proof of Concept code for N-day bugs.

[Read More]

Breaching the Perimeter with OpenConnect and ocproxy

As Red Teamers, we often encounter engagements with targets that may allow remote workers, but require all connections to pass through a central VPN for access to the Corporate assets. These VPNs typically authenticate with two factor authentication or other mechanisms. We will use OpenConnect and ocproxy to automatically log in to a VPN once credentials are acquired from a phishing page.

[Read More]

Openfuck Troubleshooting

In a previous post I had went over a walk through for Kioptrix Level 1. I had some issues and wanted to document them for anyone else that may run into those issues. I’ll admit that my first problem was getting ahead of myself and trying to compile the source code before doing anything else. Finally googling gave the answer that was right smack dab in front of my face which is looking at the first 8 lines of the source

[Read More]

Hunting ThunderShell C2

ThunderShell is a PowerShell based Remote Access Tool (RAT) that relies on HTTP requests to communicate with the C2. All of the traffic is subsequently encrypted with RC4 in order to protect the data. My primary focus during this investigation was on the C2, and if there are any design issues to be concerned about before possibly using this in any future Red Team engagements.

[Read More]

CTF Lab Setup

VirtualBox is a free hyper-visor we can use to setup a lab for practice. Go ahead and download it now and we’ll go through setup for a semi-secure lab that will suffice. I’ll reference a book if you want to go balls to the wall lab setup at the end.

[Read More]

ASan Root Cause Parser

Address Sanitizer (ASan) is a memory corruption detection mechanism built into both clang and gcc. It is capable of detecting the following conditions: use after free, heap buffer overflow, stack buffer overflow, global buffer overflow, use after return, use after scope, initialization order, and memory leaks. It is often combined with fuzzing techniques in order to alert on bugs that may not have otherwised crashed the target application. While targeting large applications, it is common to end up with hundreds to thousands of crash reports. Depending on your fuzzing framework, many of these may be duplicates. This python script will parse ASan crash reports and group them based on the backtrace information.

[Read More]