Sup /netsec/. I'm a red teamer working on a gig and I have a very busy week ahead of me.
Done a good bit of recon on our target the last week. Turns out somebody hijacked some DNS records and was using them to do some SEO spam. I haven't found how they hijacked them. Too bad, it would be cool to host my phishing pages on their domain.
I will be attempting to phish their Google credentials with a man-in-the-middle proxy this week. This is ready to go; just need to send some email. This framework can capture session tokens too, bypassing any 2FA in place. See github.com/kgretzky/evilginx2/
I also found that their lax SPF records allow me to spoof mail as coming from their domain. Tip: don't blanket-allow transactional SMTP relays like Sendgrid or Mailgun in your SPF config. By sending my phishing mail through Sendgrid, it shouldn't hit any spam filters, even though I'm going to spoof admin@target.com or it@target.com.
I don't yet know what their wireless network looks like, but I am prepared for any scenario. If I'm lucky here it should be game over.
They're on the 14th floor of an office building. Very small company. Entry during business hours probably won't fly unless I can get an appointment with somebody. Most likely I will try after-hours entry if all else fails.
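The SPF tip above is easy to check for yourself. The following is an added example, not code from the original post or from any of the tools it mentions: a small offline SPF evaluator that walks a domain's record (including `include:` chains), reports whether a given sending IP would pass, and flags `include:` targets that look like shared third-party relays. The zone data, the relay hostname `relay.example.net` and the `SHARED_RELAY_HINTS` list are constructed for the example, and the address ranges are RFC 5737 documentation prefixes, not any real provider's address space.

```python
"""Offline SPF evaluator and shared-relay linter (added example).

Shows why an include: of a shared transactional relay is a problem:
once the relay's address space is authorised for target.com, SPF can
no longer tell the domain's own mail from any other customer's.
All DNS data below is constructed; no network lookups are performed.
"""
import ipaddress

# Constructed zone data standing in for live TXT lookups (assumption).
SPF_RECORDS = {
    "target.com": "v=spf1 ip4:198.51.100.10 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/25 ~all",
}

# Hypothetical substrings used to spot shared relays in include: targets.
SHARED_RELAY_HINTS = ("sendgrid", "mailgun", "relay.example.net")

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a TXT lookup; returns the SPF record or None."""
    return SPF_RECORDS.get(domain)


def check_spf(domain, sender_ip, depth=0, trail=()):
    """Evaluate SPF for sender_ip against domain.

    Returns (result, trail): result is one of pass/fail/softfail/neutral/
    none/permerror and trail is the chain of include: targets that
    produced a pass, so you can see *who* authorised the sender.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror", trail
    record = lookup_spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", trail
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            # Version mismatch simply fails to match (ipaddress handles it).
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub_result, sub_trail = check_spf(arg, sender_ip, depth + 1, trail + (arg,))
            if sub_result == "pass":
                return "pass", sub_trail
            continue  # include: only matches when the referenced record passes
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier], trail
    return "neutral", trail  # RFC 7208 default when nothing matches


def shared_relay_includes(domain, depth=0):
    """List include: targets (recursively) that look like shared relays."""
    found = []
    record = lookup_spf(domain) or ""
    for term in record.split()[1:]:
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech != "include":
            continue
        if any(hint in arg for hint in SHARED_RELAY_HINTS):
            found.append(arg)
        if depth < 10:
            found.extend(shared_relay_includes(arg, depth + 1))
    return found


if __name__ == "__main__":
    for ip in ("198.51.100.10", "192.0.2.77", "203.0.113.200"):
        print(ip, check_spf("target.com", ip))
    print("shared relays authorised:", shared_relay_includes("target.com"))
```

The second address in the demo is the interesting one: it is not an address target.com owns, yet it passes SPF purely because it sits in the relay's range pulled in by `include:`. That is exactly the gap the post exploits; the lint function is the check to run before you add a provider-wide include to your own record.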
If I were to look for an NSA firmware-type malware, how should I check the disk? I'm aware of dumping the BIOS chip contents, but how do I know if something is written to the "dedicated hard drive area" of the hard disk? What is the formal name for that "dedicated hard drive area" anyway?
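One concrete check for the question above, added here as an example rather than taken from the thread: on ATA drives the area hidden from the OS is the Host Protected Area (HPA), and `hdparm -N /dev/sdX` reports the current versus native sector count. The script below parses that line and reports how many sectors are hidden. The `hdparm` output strings embedded in it are constructed samples; `run_hdparm()` is the only part that touches a real device and needs root. A 512-byte sector size is assumed for the byte count.

```python
"""Detect a Host Protected Area (HPA) from `hdparm -N` output (added example).

hdparm -N prints a line of the form
    max sectors   = CURRENT/NATIVE, HPA is enabled|disabled
If CURRENT < NATIVE, the drive is hiding NATIVE-CURRENT sectors at the
end of the disk from the OS. The sample outputs below are constructed.
"""
import re
import subprocess

SECTOR_BYTES = 512  # assumption; check the drive's logical sector size

MAX_SECTORS_RE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:,\s*HPA is (enabled|disabled))?"
)

# Constructed sample output (not captured from a real drive).
SAMPLE_NO_HPA = """
/dev/sdb:
 max sectors   = 1953525168/1953525168, HPA is disabled
"""
SAMPLE_HPA = """
/dev/sdc:
 max sectors   = 1953000000/1953525168, HPA is enabled
"""


def parse_hdparm_n(output):
    """Parse `hdparm -N` output into a dict describing any HPA.

    Raises ValueError when the max-sectors line is absent (e.g. a
    non-ATA device or hdparm run without privileges).
    """
    match = MAX_SECTORS_RE.search(output)
    if not match:
        raise ValueError("no 'max sectors' line in hdparm output")
    current, native = int(match.group(1)), int(match.group(2))
    hidden = native - current
    return {
        "current": current,
        "native": native,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR_BYTES,
        "hpa": hidden > 0,
        "reported_state": match.group(3),  # None on drives that omit it
    }


def run_hdparm(device):
    """Run `hdparm -N` on a real block device (root required) and parse it."""
    out = subprocess.run(["hdparm", "-N", device], capture_output=True,
                         text=True, check=True).stdout
    return parse_hdparm_n(out)


if __name__ == "__main__":
    for name, sample in (("sdb", SAMPLE_NO_HPA), ("sdc", SAMPLE_HPA)):
        info = parse_hdparm_n(sample)
        status = "HPA present" if info["hpa"] else "no HPA"
        print(f"{name}: {status}, {info['hidden_sectors']} sectors "
              f"({info['hidden_bytes']} bytes) hidden")
```

Caveat: a Device Configuration Overlay (DCO) can lower the "native" figure that `-N` reports, so a clean `-N` result does not rule out hidden space; `hdparm --dco-identify` shows the DCO view, and a forensic write-blocker that removes HPA/DCO before imaging is the reliable way to get every sector. Neither check says anything about the drive's own firmware, which is a separate problem from hidden sectors.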
That's really cool. I hope I can transition from vulnerability research into red team operations some day. But I still have a lot to learn on the VR side.
Daniel Diaz
What's that clear tube with the metal inside?
Noah Lee
Very high-powered, directional antenna. This particular one is called a cantenna. I've been able to pick up WLAN frames a mile away with this baby. Might not use it for this gig because I'll be in the city.