Beacon is my payload for low and slow control of a compromised system. Recently, I added peer-to-peer communication to Beacon. When two Beacons are linked, the child Beacon will get its tasks from and send its output through its parent. Linked Beacons use SMB pipes to communicate. This is a big win for stealth. If a workstation […]
CTA Type: Blog
Reverse Meterpreter Connect-backs through a Compromised Host
<update 03:30pm> I’ve had some feedback that this post describes a concept that is too basic to put into blog form. I can see where this confusion may occur. Most literature that describes pivoting through Meterpreter, shows how to setup a payload connection that goes through Meterpreter (e.g., a bind payload). What isn’t well known or documented, […]
Read More… from Reverse Meterpreter Connect-backs through a Compromised Host
Cobalt Strike 1.48 – Peer-to-peer C&C
I’m pleased to announce Cobalt Strike 1.48. This release introduces a peer-to-peer data channel for Beacon, improves browser pivoting, and updates the signed applet attack with options the latest Java 1.7 updates require. Peer-to-Peer Beacon It’s hard to stay hidden when many compromised systems call out to the internet. To solve this problem, Beacon now supports peer-to-peer command and […]
Evade Egress Restrictions with Staged Payloads
Sometimes, it’s easy to get code execution in a network, but very difficult to egress out of it. When you are an external actor trying to get a foothold, it’s important that your attack package use a payload that’s likely to leave your target’s network. If you can’t get out, all of your work is […]
Read More… from Evade Egress Restrictions with Staged Payloads
Schtasks Persistence with PowerShell One Liners
One of my favorite Metasploit Framework modules is psh_web_delivery. You can find it in exploits -> windows -> misc. This module starts a local web server that hosts a PowerShell script. This module also provides a PowerShell one liner to download this script and run it. I use this module all of the time in […]
Read More… from Schtasks Persistence with PowerShell One Liners
Getting the Most from Armitage’s Console
I have a philosophy. Armitage should make common actions simple and efficient. As soon as you need to break away into an uncommon action, use a console. Because the console is so important in Armitage’s use, I put a lot of effort into making Armitage a solid interface to use the Metasploit Framework console through. […]
Tradecraft – Red Team Operations Course and Notes
A few days ago, I posted the YouTube playlist on Twitter and it’s made a few rounds. That’s great. This blog post properly introduces the course along with a few notes and references for each segment. Tradecraft is a new nine-part course that provides the background and skills needed to execute a targeted attack as […]
Read More… from Tradecraft – Red Team Operations Course and Notes
The ACE Problem Solving Method (I use this)
The reason I’m in security today is because of the US Air Force’s Advanced Course in Engineering Cyber Security internship program. I turned down an internship at NASA (after I accepted it!) to attend this “information warfare bootcamp” in 2003. The Air Force Research Lab modeled the ACE program after General Electric’s Advanced Course in Engineering. Each week, the […]
Email Delivery – What Pen Testers Should Know
I get a lot of questions about spear phishing. There’s a common myth that it’s easy to phish. Start a local mail server and have your hacking tool relay through it. No thinking required. Not quite. Email is not as open as it was ten years ago. Several standards exist to improve the security of email delivery and […]
Read More… from Email Delivery – What Pen Testers Should Know
Browser Pivoting (Get past two-factor auth)
Several months ago, I was asked if I had a way to get past two-factor authentication on web applications. Criminals do it, but penetration testers don’t. To solve this problem, I built a man-in-the-browser capability for penetration testers and red teams. I call it browser pivoting. A browser pivot is an HTTP proxy server that injects […]