I get a lot of questions about spear phishing. There’s a common myth that it’s easy to phish. Start a local mail server and have your hacking tool relay through it. No thinking required. Not quite. Email is not as open as it was ten years ago. Several standards exist to improve the security of email delivery and […]
Read More… from Email Delivery – What Pen Testers Should Know
Several months ago, I was asked if I had a way to get past two-factor authentication on web applications. Criminals do it, but penetration testers don’t. To solve this problem, I built a man-in-the-browser capability for penetration testers and red teams. I call it browser pivoting. A browser pivot is an HTTP proxy server that injects […]
Clients (like Armitage) interface with the Metasploit Framework through its Remote API. The Remote API is a way for clients to call functions in the Metasploit Framework’s RPC server. To pass different data types to/from the Metasploit Framework, clients use the MessagePack object serialization format. Because clients may interface with the Metasploit Framework in this […]
Beacon is a payload in Cobalt Strike that has a lot of communication flexibility. This blog post is not a replacement for the documentation, but rather a guide to how I use it. Reading this post will help you get the most out of Beacon during your operations. Setup To use Beacon, you must first create a […]
Cobalt Strike’s Java Applet attacks inject shellcode into memory. Injecting into memory is valuable as it helps get past application whitelisting and can help evade anti-virus as well. There are several approaches to inject shellcode into memory from Java. One approach is to drop syringe and call it with your shellcode. If syringe or your […]
Armitage and Cobalt Strike 1.47 are now available. This release improves many aspects of the workflow in both Armitage and Cobalt Strike. Here are some of the highlights. Beacon Type ‘meterpreter’ in a Beacon console to spawn a Meterpreter session and tunnel it through your Beacon in one fell swoop. This gives you the power […]
What type of reconnaissance do you do before a phishing attack? Recently, I was having dinner with new friends and inevitably, our conversation became a war story swap. One person started telling funny stories about calling help desk staff, trying to social engineer system information from them. I’m a lousy social engineer. When I was […]
Read More… from Phishing System Profiles without Phone Calls
To the observant network defender, notepad.exe connecting to the internet is a key indicator of compromise. In this blog post, I’d like to explain why attack frameworks inject code into notepad.exe and how you may avoid it in your attack process. Let’s say I email a Microsoft Word document that has a malicious macro to […]
Read More… from Why is notepad.exe connecting to the internet?
Hacking involves managing a lot of contextual factors at one time. Most times, the default situation works and a tool will perform beautifully for you. Sometimes though, there are things you have to check on and work around. That’s what this blog post is. I’d like to give you a list of contextual factors you […]
Several times now, an author has introduced Armitage, and the main value add to the hacking process that they emphasize is the “devastating” Hail Mary attack. I’m most proud of Armitage’s red team collaboration capability–it’s why I built the tool in the first place. The Hail Mary attack? Meh. That said, I’d like to share with you […]
Read More… from The Origin of Armitage’s Hail Mary Mass Exploitation Feature