Introduction Using and abusing the BITS service is a lot of fun. I can’t believe Windows just gives away this hacker tool for free. But wait, wait, are you telling me that there’s more? Does it come with a free blender? What else can this service do for me? In the last installment, we covered…
Read
So I Received a Phishing Email… I recently received an email indicating my credit card number had potentially been stolen and used for fraud. At this point, I am used to both having my credit card number stolen and receiving messages telling me it’s been stolen when it has not. My attempt to determine whether…
Read
During a recent engagement, I found a cross-site scripting (XSS) vulnerability in a legal document management application and created a quick and dirty document exfiltration payload. Unfortunately, this discovery and coding happened on the final day of the engagement (*cough* reporting bonus hacking day), and I didn’t have a chance to actually put the exfiltrated…
Read
ADExplorer is a tool I have always had in my backpack. It can be useful for both offensive and defensive purposes, but in this post, I am going to focus more on its offensive use. The tool itself can be found here: https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer A typical scenario I often face on engagements is that I have…
Read
With the ever-tightening defensive grip on techniques like domain fronting and detections becoming more effective at identifying common command and control (C2) traffic patterns, our ability to adapt to different egress methods is being tested. Of course, finding methods of pushing out C2 traffic can be a fun exercise during a Red Team engagement. A…
Read
For many organizations, rapidly implementing work-from-home initiatives over the past year due to the COVID-19 pandemic required quickly rolling out new processes and deploying new technologies without adequate time for attention to Information Security standards. Perhaps your company recently acquired a new line of business, and you want to make sure the integration won’t adversely…
Read
In the age of threat hunting, automated mass scanning, and the occasionally curious SOC, properly securing your command and control (C2) infrastructure is key to any engagement. While many setups today include a CDN Domain Front with a custom Nginx or Apache ruleset sprinkled on top, I wanted to share my recipe for success. Fully…
Read
We’ve all been there: you’ve completed your initial recon, sent in your emails to gather those leaked HTTP headers, spent an age configuring your malleable profile to be just right, set up your CDNs, and spun up your redirectors. Then it’s time, you send in your email aaaaaand…nothing. You can see from your DNS diagnostic…
Read
A security researcher (Joel Noguera @niemand_sec) discovered a ‘critical’ misconfiguration bug in Spring Data’s Application Level Profile Semantics (ALPS). This bug allows unauthenticated users to perform an Application Programming Interface (API) request, which responds with sensitive user data that can be utilized, manipulated, or even deleted. What is ALPS? “ALPS [is] a data format for defining…
Read
I’m sure everyone is already using Masscan and I’m the last one to jump on the bandwagon. Honestly, I don’t know how I got anything done before finding this tool. If you’re not aware, Masscan is an asynchronous, TCP network port scanner. It’s an incredibly fast tool that can be used to quickly identify live…
Read