Two weekends ago, I ran my Advanced Threat Tactics course with a group of 19 people. During the end exercise, one of the teams was frustrated. Their team server was incredibly slow, like molasses. I asked the student with the team server to run top and I noticed the ruby process for msfrpcd was consuming all of […]
Advanced Threat Tactics Training
I share a lot from my experiences playing on exercise red teams. I talk about the tactics to collaborate, persist on systems, and challenge network defenders in an artificial environment. Armitage was built for this role. I speak little about my experience working as a penetration tester. I used to work for a security consulting firm […]
Dirty Red Team Tricks II at Derbycon 2.0
Last year, I spoke on Dirty Red Team Tricks at Derbycon. This talk was a chance to share what I had used at the Collegiate Cyber Defense Competition events to go after student networks. During this talk, I emphasized red team collaboration and our use of scripts to automatically own Windows and UNIX systems. I […]
Beacon – A PCI Compliant Payload for Cobalt Strike
TL;DR Beacon is a new Cobalt Strike payload that uses DNS to reduce the need to talk directly to Cobalt Strike. Beacon helps you mimic the low and slow command and control popular with APT and malware. In the interest of helping you verify vulnerabilities for compliance purposes, I’d like to introduce you to Beacon, […]
Delivering custom payloads with Metasploit using DLL injection
I’m very interested in supporting alternative remote administration tools in Cobalt Strike. Meterpreter is awesome as an active RAT, but I need something less chatty to hold my accesses when I’m not using them. I plan to talk about this in my upcoming Dirty Red Team Tricks II talk. In this post, I’d like […]
A loader for Metasploit’s Meterpreter
Recently, there was an interesting discussion on the metasploit-framework mailing list about the staging protocol for Meterpreter. egypt let loose with some wisdom about what it would take to write a client to download and execute a payload from a Metasploit Framework multi/handler. mihi completed the discussion by advising where to place the socket value, […]
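The staging exchange that discussion is about, shown as an added example (this is not code from the post, the mailing-list thread or the Metasploit project). It models the framing a Metasploit reverse_tcp multi/handler uses when it stages a payload: the stager connects, the handler sends a 4-byte little-endian length followed by the stage itself, and the stager reads exactly that many bytes. Both sides run on loopback here, the "stage" is an inert constructed byte string, and nothing is executed; a real stager would map the stage into executable memory and jump to it with the connected socket handle in the register the stage expects (which is the "where to place the socket value" point from the thread), a step this example deliberately leaves out. Host, port and the size cap are assumptions for the demo.

```python
import socket
import struct
import threading

# Constructed stand-in for a stage. Inert filler bytes, NOT executable code.
STAGE = b"\x90" * 16 + b"CONSTRUCTED-STAGE-BYTES-FOR-DEMO"

# Assumed sanity cap on stage size so a hostile or broken handler cannot make
# the client allocate an arbitrary amount of memory.
MAX_STAGE_LEN = 16 * 1024 * 1024


def serve_stage(listener: socket.socket, stage: bytes) -> None:
    """Handler side: accept one connection and send the stage, framed as a
    4-byte little-endian length ('<I') followed by the stage bytes."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP recv may return short reads, so loop."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("handler closed the connection before the stage was complete")
        buf += chunk
    return bytes(buf)


def fetch_stage(host: str, port: int, max_len: int = MAX_STAGE_LEN) -> bytes:
    """Stager side: connect, read the length prefix, then read the stage.
    Returns the stage bytes instead of executing them."""
    with socket.create_connection((host, port), timeout=5) as sock:
        (length,) = struct.unpack("<I", recv_exact(sock, 4))
        if length == 0 or length > max_len:
            raise ValueError(f"implausible stage length {length}")
        stage = recv_exact(sock, length)
        # A real stager would now copy `stage` into RWX memory, place the
        # socket handle where the stage expects it, and transfer control.
        # This example stops here on purpose.
        return stage


def demo() -> bytes:
    """Run handler and stager on loopback and return what the stager received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # assumed: ephemeral loopback port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        server = threading.Thread(target=serve_stage, args=(listener, STAGE), daemon=True)
        server.start()
        received = fetch_stage("127.0.0.1", port)
        server.join(5)
    finally:
        listener.close()
    return received


if __name__ == "__main__":
    got = demo()
    print(f"received {len(got)} byte stage, matches: {got == STAGE}")
```

The length-prefix loop in `recv_exact` is the part most hand-rolled clients get wrong: a single `recv` of the advertised length is not guaranteed to return the whole stage, and a stager that jumps into a partially received buffer will crash the host process rather than connect back.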
Covert VPN – Layer 2 Pivoting for Cobalt Strike
Currently, I’m debating a class of social engineering “packages” to force SMB requests against an attacker controlled system. Ideas include packages to generate LNK files, host a WPAD server, etc. This created a bit of an identity crisis though. I see Cobalt Strike as a tool for a penetration tester to emulate the capabilities of a motivated […]
Cobalt Strike 1.44 Update
Cobalt Strike 1.44/16 Aug 12 is now available. Here are some of the changes: This release also fixes several bugs, improves usability for a few Metasploit® Framework modules, and updates Cortana. See the releasenotes.txt file for the full story. Licensed Cobalt Strike users may update using the included update program. Enjoy the update. […]
Cortana: real-time collaborative hacking… with bots
At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and generally wreaked havoc on college students defending (sometimes) unpatched systems. Today, I’d like to introduce you to the technology behind this havoc: Cortana. You may know Armitage: a […]
Use Armitage and Cobalt Strike on Amazon’s EC2
James Webb has an interesting blog post on how to use Armitage to manage a pen test through Amazon’s Elastic Compute Cloud (EC2). He does a good job articulating the benefits, which include using Amazon’s EC2 to test your security from an outside-in perspective or using it as a central point for a distributed red […]