Introduction Let’s say an ‘Administrator’ lands on a target network host and wants to look around and ‘administer’ the system without uploading any new tools… How can I do that without burning any of my Script Kiddie tools? WMI or Windows Management Instrumentation or Windows Managed Infrastructure is an interface for managed components that provides…
Read
1.1 Intro I spent my early IT career working for a Cisco partner that specialized in Cisco phone systems. My work wasn’t directly with the phone systems, but it was usually in an adjacent field like route/switch and security. I did, however, get to see my share of networks that used Cisco phone systems. Today,…
Read
I briefly mentioned using DKIM to verify an email’s sender in a previous blog post that described the steps I took to determine whether a suspicious email was legitimate or a phishing attempt. In this post, we will take a deeper dive into how organizations can help stop email spoofing using a combination of three…
Read
I briefly mentioned how easy it is to forge email sender addresses in a previous blog post that described the steps I took to determine whether a suspicious email was legitimate or a phishing attempt. In this post, we will take a deeper dive into why email sender addresses are so easy to forge and…
Read
1.0 Introduction On Friday, December 10, 2021, Charlie Clark (@exploitph) published a blog post detailing the weaponization of CVEs 2021-42287 and 2021-42278. In the blog post, Charlie extensively covered the background of the vulnerabilities, how the vulnerabilities were weaponized into Rubeus, with help from Ceri Coburn (@_EthicalChaos_), the full ‘attack chain,’ mitigations, and some detections….
Read
Intro I was at my local Target recently and spotted the section near the video games, where there were some little collectable arcade systems and handhelds that play games like Pac-Man, Galaga, and Contra. Whenever I see these types of systems, I like to pick one up to tear it apart and see what’s inside….
Read
In “Persistence Through Service Workers—PART 2: C2 Setup and Use,” we demonstrated setting up the Shadow Workers C2 server and how to add both the service worker JavaScript and what Shadow Workers calls the “XSS Payload” JavaScript to the target application. In the example, we didn’t load the “XSS Payload” through a cross-site scripting vulnerability….
Read
THIS POST WAS WRITTEN BY @NYXGEEK I decided to write this blog because I’ve seen a lot of articles mentioning that attackers will use a malicious OAuth web app with Azure AD, but I hadn’t actually seen much in the way of good examples of doing so. I’m sure I will find a dozen fantastic examples…
Read
In Part 1 of this 2-part blog, we provided an overview of service workers and created an appropriate target application to exploit using Shadow Workers. In this blog post we’ll build our C2 server in Digital Ocean and use Shadow Workers to exploit the target application. It is highly recommended to read Part 1 prior…
Read
During a recent discussion about achieving persistence on a web server, someone suggested that I explore using browser service workers. As I began reading about what service workers do, the possibilities for Red Team applications seemed intriguing. But first, I had to find out…what exactly is a service worker? In their efforts to make web…
Read