/nsg/ Network Security General

/netsec/ is dedicated to everything about computer security, networks, exploits, reverse engineering, malware research, etc.

What are you learning, /netsec/?

>Learning
cybrary.it/
n0where.net/
offensive-security.com/metasploit-unleashed
resources.infosecinstitute.com/
windowsecurity.com/articles-tutorials/
sans.org/reading-room/
allitebooks.com/
github.com/vhf/free-programming-books/blob/master/free-programming-books.md
learncodethehardway.org/c/
corelan.be/index.php/articles/
opensecuritytraining.info/Training.html
blackhat.com/html/archives.html
securitytube.net/
opensecuritytraining.info/Welcome.html
beginners.re/
phrack.org/
phrack.org/archives/issues/49/14.txt -- Smashing The Stack For Fun And Profit
howto.hackallthethings.com/
pastebin.com/raw/cRYvK4jb -- Phineas Phisher Gamma
pastebin.com/raw/0SNSvyjJ -- Phineas Phisher HackingTeam
pastebin.com/pm1WLXQj -- AnonSec OpNasaDrones
archive.org/stream/pdfy-rJnW-pPgiHK61dok/Black Hat Python, Python Programming for Hackers_djvu.txt
github.com/rpisec/mbe
>Reverse engineering
microcorruption.com/
github.com/dennis714/RE-for-beginners

>News/CVE releases
threatpost.com/
deepdotweb.com/
packetstormsecurity.com/
cvedetails.com/
routerpwn.com/
exploit-db.com/
rapid7.com/db/
0day.today/

>CTF/Wargames
overthewire.org/wargames/
pentesterlab.com/
itsecgames.com/
exploit-exercises.com/
enigmagroup.org/
smashthestack.org/
3564020356.org/
hackthissite.org/
hackertest.net/
0x0539.net/
vulnhub.com

Bump.

Right now I'm learning RE for my job. It's a unique combination of fun and tedious.

Request to add microcorruption.com/login to the CTFs, it's great for embedded RE.

Do i need a degree user? Or just a meme

sup /netsec/
I'm a red teamer working on a gig and I have a very busy week ahead of me.

Done a good bit of recon on our target the last week. Turns out somebody hijacked some DNS records and was using them to do some SEO spam. I haven't found how they hijacked them. Too bad, it would be cool to host my phishing pages on their domain.

I will be attempting to phish their Google credentials with a man-in-the-middle proxy this week. This is ready to go; just need to send some email. This framework can capture session tokens too, bypassing any 2FA in place. See github.com/kgretzky/evilginx2/

I also found that their lax SPF records allow me to spoof mail as coming from their domain. Tip: don't blanket allow transnational SMTP relays like Sendgrid or Mailgun in your SPF config. By sending my phishing mail through Sendgrid, it shouldn't hit any spam filters, even though I'm going to spoof [email protected] or [email protected]

I don't yet know what their wireless network looks like, but I am prepared for any scenario. If I'm lucky here it should be game over.

They're on the 14th floor of an office building. Very small company. Entry during business hours probably won't fly unless I can get an appointment with somebody. Most likely will try after hours entry if all else fails.

Happy to answer questions about my techniques.

Pic related, it's my gear.

Attached: gear.jpg (2814x1953, 2.33M)

If I were to look for an NSA firmware-type malware, how should I check the disk? I'm aware of dumping the bios chip contents, but how do I know if something is written to the "dedicated hard drive area" of the hard disk? What is the formal name for that "dedicated hard drive area" anyways?

kaspersky.com/blog/equation-hdd-malware/7623/

That's really cool. I hope I can transition from vulnerability research into red team operations some day. But I still have a lot to learn on the VR side.

What's that clear tube with the metal inside?

Very high-powered, directional antenna. This particular one is called a cantenna. I've been able to pick up WLAN frames a mile away with this baby. Might not use it for this gig because I'll be in the city.

Looks like a directional antenna.

That's a lot of gear, what does each thing do and what do you use it for?

Raspberry Pi if I find a network jack. I have a few SD cards preconfigured with different payloads for automatic recon or callbacks over VPN or SSH.
github.com/secgroundzero/warberry
docs.kali.org/kali-on-arm/install-kali-linux-arm-raspberry-pi

WiFi Pineapple/Bash Bunny/LAN Turtle Hak5 skid stuff, but they sometimes come in handy. I've used the Bash Bunny the most: find an unlocked computer, plug in, download and run my malware, in about 10 seconds.

A few different Alfa wifi adapters with various antennas for attacking 802.11 wireless networks. Also a GPS module for physically mapping WLANs.

Mousejacker is really cool. Wireless keyboards/mice (2.4GHz with receivers, not Bluetooth) that have poor encryption standards can be cracked, and I can inject keystrokes and do fun stuff.
github.com/BastilleResearch/mousejack

I've got a large set of bump keys which I'm getting pretty good with, as well as a standard set of lockpicks. Tubular lock is great for unlocking elevator panels in locked down buildings.

Under door tool is fucking awesome. You slide it under the bottom of a door, grab the latch, and pull with the wire. Fun fact: ADA requires levers in office buildings, and fire code requires that the doors always be openable from the inside, meaning this works 99% of the time. I've practiced and I can pull a lever in 15 seconds with this thing.
Demo here youtube.com/watch?v=vU3zJqUktH0

Attached: gear-labels.png (1508x1048, 3.37M)

Damn this is all really interesting. Got any cool stories about any pen test you conducted? I

>I also found that their lax SPF records allow me to spoof mail as coming from their domain.

Also protip: Most companies have no SPF records on subdomains.

For example, anyone can spoof email from [email protected].
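A defender-side check for the two SPF weaknesses raised in these posts: blanket includes of shared relays, and subdomains with no record at all. This is an added example, not code from the thread; the zone data is constructed and the sendgrid.net record is a stand-in, not the provider's real one.

```python
import ipaddress

# Constructed zone data: the TXT records a defender would pull with dig/nslookup.
ZONE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:sendgrid.net -all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",   # stand-in, not the real record
    "mail.example.com": "v=spf1 ip4:203.0.113.10 -all",
    # hr.example.com deliberately has no record: the "no SPF on subdomains" case
}
SHARED_RELAYS = {"sendgrid.net", "mailgun.org"}  # includes that admit every tenant of the relay
VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(name):
    """Return the mechanism terms of name's SPF record, or None if it has none."""
    txt = ZONE_TXT.get(name, "")
    return txt.split()[1:] if txt.startswith("v=spf1 ") else None

def check_spf(name, ip, depth=0):
    """Evaluate name's SPF policy for sending address ip.
    Returns (result, notes); result is pass/fail/softfail/neutral/none/permerror."""
    terms = spf_record(name)
    if terms is None:
        return "none", [f"{name}: no SPF record, so mail claiming to be from it is never rejected on SPF"]
    if depth > 10:
        return "permerror", [f"{name}: include chain too deep"]
    addr, notes = ipaddress.ip_address(ip), []
    for term in terms:
        qual = term[0] if term[0] in VERDICT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            if qual in "+?":
                notes.append(f"{name}: '{term}' lets any sender pass; use -all")
            return VERDICT[qual], notes
        kind, _, arg = mech.partition(":")
        if kind == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return VERDICT[qual], notes
        if kind == "include":
            if arg in SHARED_RELAYS:
                notes.append(f"{name}: include:{arg} is a shared relay; any customer of it can pass SPF as you")
            sub, sub_notes = check_spf(arg, ip, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror", notes + sub_notes
            if sub == "pass":
                return VERDICT[qual], notes
    return "neutral", notes  # nothing matched and no explicit 'all' term
```

Run it over every name you send mail from, not just the apex: a subdomain returning "none" is exactly the spoofable case the post describes.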

Not him, but..

>Showed up for meeting with executive
>There to talk about scope and shit
>Introduce myself to reception
>Girl says "umm, are you here about the computers".
>Yeah it's computing related
>"Ok, let me write down my password just in case you need it"
>Don't mention it during meeting
>Go to office
>Logon to Citrix server remotely
>Girl's credentials work
>Start looking for privesc
>Realise I'm already Domain Admin

Large healthcare company

Wow someone needs a security briefing

After a while they all start to run together. An organization with "average" security is no match for anyone who half knows what they're doing and has a few weeks to kill. And that's just an average company.

This one sticks in my mind; it was one of my first gigs

I got hired on to an insurance company as a fake intern for 3 weeks to see how much damage I could do. So I had a workstation and a domain account.
Day 1 and 2: poking around my machine, intranet sites, SharePoint, learning as much as I could about the org.
Day 3-5: poking around file shares, looking for sensitive info, passwords, docs, etc. I haven't even run cmd.exe at this point.

Next week
Day 1-2: huge stroke of luck. Their IT network share was readable to all users. I poured over router configs, inventory spreadsheets, purchase requests, to learn everything I could about the network.
I know what security software they're running, I know where their good stuff is. I have lots of passwords for stuff, but I'm still not an admin on my machine. I can't install software.

I also don't know what these accounts are used for.

Day 3: I finally open cmd, and run some net commands to enumerate users, groups, and computers on the domain. I'm confident this won't be detected.
Friend gives me custom port scanner and SMB enum tool exes, I download them to workstations. I poke around at other domain workstations and enumerate local admin group on workstations.

Most of what I have is useless, except for credentials I found that are a local account on another workstation.

Log in to remote system with RDP, creds work. Open task manager, dump lsass.exe, zip it up, exfil to my lab, run mimikatz on memory dump. I now have the credentials for some service accounts that they use to manage workstations.

((cont))

Day 4:

Pivot again, mimikatz, get a service account for managing servers. It's GG at this point, domain admin is in reach but not necessary.
I pivot again with my new service account, grab DBA credentials, grab a few prod databases that look juicy, and leave.

Day 5: So now that I've won, the game changes to smash and grab. I want to see what I have to do to get noticed by their IT staff. I grab domain admin creds, start logging into workstations looking for more data and more passwords. I also start blowing up a few subnets with port scans.

20 minutes of that, they shut my port down. 3 minutes later, IT and building security are at my desk wondering WTF is going on. I give them my letter of authorization, and the game is over.
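The Day 3 steps above (a burst of net.exe domain queries from a workstation user, then tool exes downloaded and run from the user's profile) are what a SOC can catch on process-creation telemetry. This added example is not from the thread: it runs two simple rules over constructed Security 4688-style events; the host names, user names and paths are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, user, image path, command line).
EVENTS = [
    ("2019-01-10 09:14:02", "WS-0412", "CORP\\intern7", "C:\\Windows\\System32\\net.exe", "net user /domain"),
    ("2019-01-10 09:14:09", "WS-0412", "CORP\\intern7", "C:\\Windows\\System32\\net.exe", "net group \"Domain Admins\" /domain"),
    ("2019-01-10 09:14:31", "WS-0412", "CORP\\intern7", "C:\\Windows\\System32\\net.exe", "net group /domain"),
    ("2019-01-10 09:15:05", "WS-0412", "CORP\\intern7", "C:\\Windows\\System32\\net.exe", "net view /domain"),
    ("2019-01-10 11:02:40", "WS-0090", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe", "net use H: \\\\fs01\\home"),
    ("2019-01-10 11:30:00", "WS-0412", "CORP\\intern7", "C:\\Users\\intern7\\Downloads\\smbenum.exe", "smbenum.exe 10.0.0.0/24"),
]
ENUM_FLAGS = ("/domain",)  # net.exe switches that query the domain controller, not the local box

def domain_enum_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {(host, user): count} for principals that ran at least `threshold` net.exe
    domain queries within `window`. A single net.exe is normal; a tight burst of /domain
    queries from a workstation user is the recon pattern described in the thread."""
    hits = defaultdict(list)
    for ts, host, user, image, cmd in events:
        if image.lower().endswith(("\\net.exe", "\\net1.exe")) and any(f in cmd.lower() for f in ENUM_FLAGS):
            hits[(host, user)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    alerts = {}
    for key, times in hits.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window from each query
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts[key] = max(alerts.get(key, 0), n)
    return alerts

def user_path_executables(events):
    """Second indicator from the same story: binaries executed from a user profile
    directory. Baseline this against your own fleet before alerting on it."""
    return [(host, user, image) for _, host, user, image, _ in events
            if "\\users\\" in image.lower()]
```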

Is it normal to blow yourself up like that? Do you really stop at "domain admin" instead of pursuing all the attack vectors you can find?

No one's going to get anything. They get to tell their people they fulfilled their obligation to have a pentest, and now that they can put a tick in that box they can get their cyber insurance approved and continue like nothing happened.

Normal pentests that don't involve goals or covertness, yeah I'll spend time testing for other attack paths.

For goal based covert tests? I had already completed my objective. I guess I could have snooped through the CEO's email or dug around some more, but my boss said to step up the noise and get caught. It helps keep their morale up considering they just got blasted in the ass and taken for everything they're worth.

It's not fun, but it's the consulting way.

No disrespect meant but I'm scrolling by this thread and want to correct a word you used a homophone for
>I poured over router configs
in the context of reading through something closely, the word is "pored"

Again I don't mean to be a dick, everyone still knows what you meant and most people probably didn't even notice, but that's one of those asshole words that most people don't realize they're using the wrong spelling for.

So sometimes you get a contract to pentest and other times you get a contract to grab something? What other kinds of stuff do you do on contract? How often is the scope limited to the point that the test results are irrelevant?

lol thanks mate, been saying that wrong my whole life

Varies widely from team to team and from company to company.
Network pentests are usually "find as many paths to domain admin as you can". Sometimes there's a goal, like accessing customer data, financial records, or access to transfer money to other accounts. Sometimes the goal is to reach a sensitive portion of the network, like the PCI zone where credit card data is stored, or a lab network where they are researching trade secrets and stuff. Sometimes they want to know if I can access their production source code for supply chain attacks.
Scope is usually pretty limited on these. Most companies aren't ready for social engineering tests or physical break-ins because their network is a dumpster fire.

Sometimes they are very different. Sometimes I'm only testing a single laptop with their golden image for privesc vulnerabilities. Sometimes I'm testing AV/EDR solutions' effectiveness with different techniques. Sometimes I send a dozen phishing payloads to test their mail gateway.

Sometimes they are really boring, like a vulnerability assessment, where I can't actually exploit anything. Sometimes I'm only testing a single webapp, and I think that's really boring. Scope is often very limited on these.

bump

>Empire
nice.

Any other offensive PowerShell users here?

.NET, and particularly PowerShell, are godsends to red teamers, pentesters, and active adversaries alike when engaging a target. It's kind of like cheating, most of the time.

There's always a bigger fish

What's your job doing related to RE?

Bumping to keep this alive, Jow Forums was in dire need of a general like this.

Oh look Maderas from null sec is back or at least someone who types exactly like him