About rottingsun
  1. There are a few basic strategies, some hardware based and some software based. Normally a special type of firewall called a session border controller is placed in front of the PBX. They're designed to address issues like toll fraud. Other things can be done too though. General PBX hardening best practices should be enforced, like strong SIP account passwords, limiting SIP sessions to only your authorized private subnets, not allowing outgoing international calling, not allowing outgoing calling to offshore US territories, turning off call transfer feature codes for incoming calls, not exposing y
  2. With mimikatz and all the derivatives being flagged more and more these days, I find it more effective to take a memdump of lsass using procdump, then run it through mimi in minidump mode.
  3. So I ended up having a major issue with a VMware host at work and missed the live. Anyone care to share their impressions of the PS?
  4. Just a few more hours until the new eagles land.
  5. Any further details on the device and what it is capable of, or do we have to wait until tomorrow?
  6. Oughta be interesting. I'll be watching the live stream intently. This blog refers to it as a "programmable MITM device". https://www.doyler.net/security-not-included/def-con-25-bsideslv-2017 I also saw someone on Twitter describe it as "an online tap with payload capability, like the bash bunny".
  7. Is it assumed that the user you are attacking has local admin privs to begin with? If so, you have 2 options: - Create a new local admin with net user myuser userpass /add and then net localgroup Administrators myuser /add. - Use schtasks to create a scheduled task as the new local admin you just created. or - Just create a new scheduled task as system, which doesn't require a password if the user you're running the bunny against has local admin privs. You'll have to play with the schtasks command options to get the every x minutes timing down, but the gener
  8. Here's my working code for running an executable (procdump) from the bunny within PowerShell and then saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special PowerShell operator that evaluates the text following the & character as a command and not a PowerShell object.
     LED Y 100
     source bunny_helpers.sh
     LED B 100
     ATTACKMODE HID STORAGE
     Q GUI r
     Q DELAY 500
     Q STRING powershell Start-Process powershell -Verb runAs
     Q EN
  9. Perhaps LLMNR, NETBIOS, and WPAD are all disabled on the target? Far fetched if it's a home PC, I know, but.
  10. Nice. I got mine in recently. My first payload was running procdump from the bunny and then saving the dump file onto the bunny for later mimikatz analysis.
  11. A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html. I've used the loader almost verbatim with a shikata_ga_nai meterpreter rev_tcp payload to successfully bypass both.
  12. The latest Empire stagers actually have a bunny target.
  13. Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.
  14. I believe RDP locks the session of the currently logged in user, which would be a dead giveaway. Would this payload be more in the context of a sneak attack while a user is away? Not knocking it - just wondering the intent.
  15. KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext.