Projects Publications Brandon

Monday, January 04, 2016

2016 ShmooCon Hiring List

By With No comments:
Created the 2016 UNOFFICIAL ShmooCon Hiring List. To get on the list is even easier now! Just complete the following form: http://goo.gl/forms/pbYI0TZ9dG

(One small tip, first come first serve, so if you want to be on the top of the list it's best to submit the best info you have vs waiting on anyone, I don't change the list order for anyone.)

Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/15xqphPVEnH7o2urovHWjJiS1VCjdAqcPNB_HS0yRexU/
 
Read More

Thursday, December 31, 2015

Reverse Proxying Attacker Tools

By With No comments:
Ever want to have all of your C2 go to the same box, have the functionality of Meterpreter, and Empire, while making it so if anyone goes to the actual site of your C2 all they get is something like Google?

 Nginx makes that possible, and instead of making a blog post that will disappear, I'll point you at my combo in my "Attacker Knowledge Base" site:

https://attackerkb.com/Combinations/ReverseProxyAttackTools

and instead, show you the results once it's setup:

Metasploit:



Empire:
 

And this is what happens if "they" try and use Google:

Read More

Sunday, December 27, 2015

Automating PowerShell Empire Install

By With No comments:
PowerShell Empire is an excellent tool and can outperform Metasploit in a few crucial ways simply because it’s using Window’s native scripting language, PowerShell. To this end, it is nice to have installed and set up on attack boxes from RaspberryPis to PwnPlugs to Kali boxes, here is how to do manually. In another post I will show you how to make this much more automated:

First you want to take care of installing all of the dependencies by going to their install.sh script and installing pip and the other python packages needed for your installation. (See here https://github.com/PowerShellEmpire/Empire/blob/master/setup/install.sh )
Next, simply clone the repo:

root@wpad:~# git clone https://github.com/powershellempire/empire
Cloning into 'empire'...
remote: Counting objects: 1988, done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 1988 (delta 30), reused 0 (delta 0), pack-reused 1930
Receiving objects: 100% (1988/1988), 5.55 MiB | 357.00 KiB/s, done.
Resolving deltas: 100% (1159/1159), done.
Checking connectivity... done.

CD into the empire/setup directory and issue the “./install.sh” script with the temporary environmental variable “STAGING_KEY”, you can make it equal whatever you wish, or simply pick “RANDOM” and it will automatically select a long, random password for you.

root@wpad:~# cd empire/setup
root@wpad:~/empire/setup# STAGING_KEY=RANDOM ./install.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-dev is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-m2crypto is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
swig is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-pip is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Requirement already satisfied (use --upgrade to upgrade): pycrypto in /usr/lib/python2.7/dist-packages
Cleaning up...
Requirement already satisfied (use --upgrade to upgrade): iptools in /usr/local/lib/python2.7/dist-packages
Cleaning up...
Requirement already satisfied (use --upgrade to upgrade): pydispatcher in /usr/local/lib/python2.7/dist-packages
Cleaning up...
[*] Database setup completed!
[*] Certificate written to ../data/empire.pem
[*] Setup complete!

The thing I like about doing the “./install.sh” instead of just doing the database setup is that it double checks to make sure that you have all the dependencies correct and creates a certificate for you.
Read More

Wednesday, November 18, 2015

Intel NUC Super Server

By With No comments:
Hi. I'm Rob... and I have a problem. Lets just say, when you find the limitations on Amazon's wishlist features for single items, you know you have a problem. My problem? I'm kinda addicted to Intel NUCs. They are so versitle, low-ish power consumption, and incredibly powerful and TINY. I carry 3 of these (the older / cheaper ones) around to run my trainings / classes from.

The follow is my current wishlist. It is an i7 NUC w/ 500GB of high speed M2 SSD, plus a 1TB SATA SSD, and 32 GB of RAM... ya, thats right 1.5 TB of SSD space, and 32 gigs of RAM!!

Intel NUC Kit NUC5i7RYH Barebone System
Samsung 850 EVO 500 GB M.2 3.5-Inch SSD (MZ-N5E500BW)
Samsung 850 EVO 1 TB 2.5-Inch SATA III Internal SSD (MZ-75E1T0B/AM)
Crucial 1600 MT/s (PC3L-12800) CL11 SODIMM 204-Pin Memory CT204864BF160B
Total Cost: 1328.28

I have gone back and forth between virtualization software (ESXi and Xen mostly)

Xen works out of the box but only has a decent interface in it's Windows GUI. OpenXenManager for Linux is ok. and Xen Orchestrator (Web UI) leaves a bit to be desired. If you're ok with keeping a Windows box around, Xen is the superior choice when it comes to feature sets. (Mainly clone and templating out of the gate and free)

If you do go the ESXi route follow steps here: https://www.virten.net/2015/03/esxi-6-0-image-for-intel-nuc/ because it doesn't work out of the box. I did create the ISO already, so if you want to use the one I made you can find it here: https://dl.dropboxusercontent.com/u/2627512/ESXi-6.0.0.update01-3073146-NUC.iso

You may run into the Manufacturer and Model being random strings (question marks in diamonds), but you can follow: http://www.virten.net/2015/02/how-to-install-esxi-on-5th-gen-intel-nuc-nic-and-ahci-workaround/

Again, I've already done these steps so you can download the pre-built BIOS rom here: https://dl.dropboxusercontent.com/u/2627512/RY0350-FIXED.bio - WARNING: I doubt the BIOS is universal so if you don't buy the NUC listed above, you probably want to just follow the steps yourself. Flashing a BIOS with the wrong ROM could brick the device.


Read More

Monday, November 02, 2015

Meterpreter show_mount

By With No comments:
Meterpreter’s STDAPI extension (the one that always gets loaded) has a new command. This doesn’t happen very often so it’s worth noting.

The new command prints out the currently attached “mounts”. In windows world, that means the normal CD ROM, C drive, etc, but it also means all of the mounted network drives as well.

This gets very interesting when you happen to find yourself in a VM environment where you can start writing files to the host:
meterpreter > show_mount
Mounts / Drives
===============
Name Type       Size (Total) Size (Free) Mapped to
---- ----       ------------ ----------- ---------
A:\ removable      0.00 B      0.00 B
C:\ fixed         59.90 GiB   28.15 GiB
D:\ cdrom          0.00 B      0.00 B
Z:\ remote        64.78 GiB   18.09 GiB  \\vmware-host\Shared Folders\


I’ll leave the rest up to your imagination for now. But we will come back to this very soon. Huge thanks to @TheColonial - OJ for implementing this much needed option. Merged pull request is here: https://github.com/rapid7/metasploit-framework/pull/6146
Read More

Thursday, October 29, 2015

Time

By With No comments:

 

Time is a one-time non-renewable precious resource you are given. It is ok to be greedy, selective, and even snobbish about how, and with whom you spend it.
 
If it helps, think of your time as a vault, money is withdrawn at a constant rate by people as you spend it, but you are not allowed to look inside to see how much you have left. It could be a billion dollars, it could be .25 cents. If it were money, who would you spend it on if that were the case? Most likely you would be more cautious on who and what you spent any amount on.  (This is not to say you live a hermit, but pushing you to actively choose what you want instead of letting life happen and spending your resource)
 
Also, respect other's choice to spend their time with you. I know we don't always acknowledge it, but we should be a bit more cognizant of it.
 
We actually dismiss it nonchalantly, in English, with simple phrasing changes like "Thank you for spending THE time". When we should probably say "Thank you for spending YOUR time". I have heard it both ways and much more the latter, but it just struck me as I was writing the close to this blog post that I was about to do what I had just warned against.
 
So, in closing, thank you for spending your precious moments reading my blog.
 
Rob
Read More

Wednesday, October 14, 2015

R5 Industries

By With No comments:
I recently took the plunge and joined a startup called R5 Industries. I wanted to say thanks for all the well wishes that I received on social media. It has certainly calmed my nerves about the choice ;-).

I've had a number of people ask what R5 Industries does. Our primary selling point is AntigenC2, which is a really Command and Control detection product (no agents). But we also do Red Team assessments and some other fun toys if you are interested, contact@r5industries.com

More info here: http://r5industries.com/

And thats the end and last sales pitch you'll get from me on the subject.

Why did I make the move?

1. While, I loved life as an internal Red Team member (highly recommended, if you need reasons why make sure you watch Chris Gates' talk at RuxCon: https://ruxcon.org.au/speakers/#Chris Gates ) where I got to help steer the boat of a Fortune 10 company, I had a number of opportunities that I had to turn down because of it, even though my higher ups went above and beyond to give me as much latitude as possible.

2. I had a bunch of crazy project ideas that I wanted to see come to life over the years, I don't think I would have ever had the time to see them become anything more than mythical ideas without this opportunity.

So, wish me luck, send me work (as I can finally accept it ;-) [through R5 of course]) and look out for some pretty wacky ideas and products that I've been talking about for years.

Thanks again, I wouldn't be here without you.
Rob
Read More
Home About-us Privacy Policy Contact-us Services
Design By Templateclue