Seasoned Metasploit Framework users know that it’s a bad idea to let the framework generate an executable for you. The framework’s encoders are not a tool to get past anti-virus. By happy accident, an encoded payload would get past some anti-virus products, but that was four or five years ago. If the Metasploit Framework generates […]
Evolution of a Modern Hacking Payload
One of the most important features in Cobalt Strike is its Beacon payload. This is my capability to model advanced attackers. In this post, I’d like to share my insights and reasons for the design decisions I made. If you’re a Cobalt Strike user, this post will help you reason about Beacon and fit it […]
That was a fun fire drill…
Last week saw the release of Metasploit 4.10. Those who use Armitage and Cobalt Strike noticed that neither tool worked after running msfupdate on Kali Linux. That’s resolved now. Last night, I pushed Armitage and Cobalt Strike updates to fix the database.yml not found issue AND to make both tools compatible with Metasploit 4.10’s new […]
Puttering my Panda and other Threat Replication Case Studies
Cobalt Strike 2.0 introduced Malleable C2, a technology to redefine network indicators in the Beacon payload. What does this mean for you? It means you can closely emulate an actor and test intrusion response during a penetration test. In this blog post, I’ll take you through three threat replication case studies with Cobalt Strike. In […]
Introducing Morning Catch – A Phishing Paradise
Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation. On this virtual machine, you will find: a website for a fictitious seafood company, self-contained email infrastructure to receive phishes, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The […]
Pass-the-Golden-Ticket with Cobalt Strike’s Beacon
Back in May, I wrote up some impressions about Meterpreter’s Kiwi extension. It’s Mimikatz 2.0, complete with its ability to generate a Kerberos “Golden Ticket” with domain-admin rights offline. I’ve had a very positive experience with this capability since May. My best practice is to create a Golden Ticket catalog. When you capture a domain controller, […]
Use Cobalt Strike’s Beacon with Veil’s Evasion
The Veil Framework is a collection of red team tools, focused on evading detection. The Veil Evasion project is a tool to generate artifacts that get past anti-virus. It’s worth getting to know Veil. It has a lot of capability built into it. Cobalt Strike 2.0’s Payload Generator includes an option to output a Cobalt […]
Cobalt Strike 2.0 – Malleable Command and Control
I define threat replication as a penetration test that looks like an attack from an APT actor. Assessments that involve threat replication are more than a test of technical controls. Threat Replication is a full exercise of a customer’s analytical process and ability to attribute and respond to an APT. These definitions are all well […]
HTTP Proxy Authentication for Malware
I spend a lot of time thinking about what my tools can and can’t do. One of the weakest points for penetration testing tools is their (in-)ability to get past some egress restrictions. I previously wrote about why this is a problem and how you might get past different egress restrictions. My general advice is […]
The Access Management Team [Shell Sherpas]
When I participate in an exercise, with multiple target networks and a large red team, I favor splitting the team up into cells. Each cell owns a target network and is responsible for any objectives that must occur in that target network. These cells are supported by an access management team. The access management team […]