Last year, I spoke on Dirty Red Team Tricks at Derbycon. This talk was a chance to share what I had used at the Collegiate Cyber Defense Competition events to go after student networks. During this talk, I emphasized red team collaboration and our use of scripts to automatically own Windows and UNIX systems. I […]
CTA Type: Blog
Beacon – A PCI Compliant Payload for Cobalt Strike
TL;DR Beacon is a new Cobalt Strike payload that uses DNS to reduce the need to talk directly to Cobalt Strike. Beacon helps you mimic the low and slow command and control popular with APT and malware. In the interest of helping you verify vulnerabilities for compliance purposes, I’d like to introduce you to Beacon, […]
Read More… from Beacon – A PCI Compliant Payload for Cobalt Strike
Delivering custom payloads with Metasploit using DLL injection
I’m very interested in supporting alternative remote administration tools in Cobalt Strike. Meterpreter is awesome as an active RAT, but I need something less chatty to hold my accesses when I’m not using them. I plan to talk about about this in my upcoming Dirty Red Team Tricks II talk. In this post, I’d like […]
Read More… from Delivering custom payloads with Metasploit using DLL injection
A loader for Metasploit’s Meterpreter
Recently, there was an interesting discussion on the metasploit-framework mailing list about the staging protocol for Meterpreter. egypt let loose with some wisdom about what it would take to write a client to download and execute a payload from a Metasploit Framework multi/handler. mihi completed the discussion by advising where to place the socket value, […]
Covert VPN – Layer 2 Pivoting for Cobalt Strike
Currently, I’m debating a class of social engineering “packages” to force SMB requests against an attacker controlled system. Ideas include packages to generate LNK files, host a WPAD server, etc. This created a bit of an identity crisis though. I see Cobalt Strike as a tool for a penetration tester to emulate the capabilities of a motivated […]
Read More… from Covert VPN – Layer 2 Pivoting for Cobalt Strike
Cobalt Strike 1.44 Update
Cobalt Strike 1.44/16 Aug 12 is now available. Here are some of the changes: This release also fixes several bugs, improves usability for a few Metasploit(r) Framework modules, and updates Cortana. See the releasenotes.txt file for the full story. Licensed Cobalt Strike users may update using the included update program. Enjoy the update. […]
Cortana: real-time collaborative hacking… with bots
At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and generally wreaked havoc on college students defending (sometimes) unpatched systems. Today, I’d like to introduce you to the technology behind this havoc: Cortana. You may know Armitage: a […]
Read More… from Cortana: real-time collaborative hacking… with bots
Use Armitage and Cobalt Strike on Amazon’s EC2
James Webb has an interesting blog post on how to use Armitage to manage a pen test through Amazon’s Elastic Computing Cloud. He does a good job articulating the benefits which include using Amazon’s EC2 to test your security from an outside in perspective or using it as a central point for a distributed red […]
Read More… from Use Armitage and Cobalt Strike on Amazon’s EC2
Cobalt Strike Video Review
Ryan Linn created a video review of Cobalt Strike for the Ethical Hacker Network. Unfortunately, I can’t embed the video into the blog post, but I encourage you to check it out. It’s 20 minutes with a well-regarded expert taking Cobalt Strike through its paces. Overall, I enjoyed getting to learn Cobalt Strike. It’s a new release, and […]
Meet Cobalt Strike: Adaptive Pen Testing
If you’re reading this, you’re likely aware of the Armitage project. Fed by your enthusiasm and feedback, Armitage has enjoyed a rapid pace of development since its inception. I left a security engineer role one year ago to search out how to properly nurture this project and its ideas going forward. This search led to […]