Obligatory OSCP Review

There may be an overwhelming amount of information available to those considering or attempting to pass the Offensive Security Certified Professional exam, but it is still a very common question among our readers and Twitter followers. Due to the continued interest, here are my 2 cents on the Penetration Testing with Kali course and subsequent OSCP exam. I’ll try to keep this as brief and as informative as possible.

[Read More]

Organic HTTP File Transfer

Living off the land is essential when it comes to penetrating networks. The box that you landed on may be bare bones with only the default corporate software installed. Infiltrating and exfiltrating data is critical to mission success. This cheatsheet is not all-inclusive, but it should give you a good starting point for organic file transfer mechanisms.

[Read More]

Breaking Into a Security Career

Breaking Into Information Security Career

Intro

Recently someone posted on /r/netsecstudents asking how to land a job in infosec, but he wasn’t sure what the specific field was. He asked about incident response without knowing the specific name. Of course, me being someone that works on an Incident Response team, I chimed in with the names of the career path:

Security Incident Response Team
Cyber Incident Response Team
Blue Team
Forensics

I started thinking about how I finally got a career in information security and my journey.

[Read More]

Password Spraying ADFS with Burp

As many organizations are moving aggressively towards cloud-based platforms, we as Red Teamers are coming more into contact with Federation services. Federations essentially extend authentication mechanisms from one system to another. These systems may be part of the same organization or completely separate. One of the most common implementations of this is Microsoft’s Active Directory Federation Services (ADFS). For a good overview of securing ADFS, check out adsecurity’s article here. As these services are becoming more popular,

[Read More]

Bug Hunting with Mercurial

In this article, we will take a look at a technique for bug hunting in Open Source projects by using version tracking information. In this particular case, we will look at Firefox and its Mercurial setup. By identifying patches that are connected to bugs with public reading turned off, we are able to identify specific fixes for potential security issues in a major web browser, often before releases are pushed. This is also an excellent way of coming up with Proof of Concept code for N-day bugs.

[Read More]

Breaching the Perimeter with OpenConnect and ocproxy

As Red Teamers, we often encounter engagements with targets that may allow remote workers, but require all connections to pass through a central VPN for access to the corporate assets. These VPNs typically authenticate with two-factor authentication or other mechanisms. We will use OpenConnect and ocproxy to automatically log in to a VPN once credentials are acquired from a phishing page.

[Read More]

SSH Cheatsheet

Basic Usage

ssh [user]@[host]

Use Specific Key

ssh -i ~/.ssh/id_rsa [user]@[host]

Use Alternative Port

ssh -i ~/.ssh/id_rsa -p [port] [user]@[host]

Dynamic SOCKS Proxy

This can be used with proxychains to forward client traffic through the remote server (the proxy listens locally on port 8080).

ssh -D8080 [user]@[host]

[Read More]

Hunting ThunderShell C2

ThunderShell is a PowerShell-based Remote Access Tool (RAT) that relies on HTTP requests to communicate with the C2. All of the traffic is subsequently encrypted with RC4 in order to protect the data. My primary focus during this investigation was on the C2, and on whether there are any design issues to be concerned about before possibly using this in any future Red Team engagements.

[Read More]