I feel asynchronous low and slow C2 is a missing piece in the penetration tester’s toolkit. Beacon is Cobalt Strike’s answer to this problem. Beacon periodically phones home to check for tasks. It can perform this check using the DNS or HTTP protocols. When tasks are available, it’ll download them as an encrypted blob using an […]
CTA Type: Resource
Offense in Depth
I regularly receive emails along the lines of “I tried these actions and nothing worked. What am I doing wrong?” Hacking tools are not magical keys into any network you desire. They’re tools to aid you through a process, a process that requires coping with many unknowns. If you’re interested in penetration testing as a […]
Two Years of Fast and Easy Hacking
Today marks the two-year anniversary of the release of Armitage. My goal was to create a collaboration tool for exercise red teams. I wanted to show up to North East CCDC with a new toy. I had no idea Armitage would lead to so many new friends and new adventures. In the past two years, Armitage […]
Using AV-safe Executables with Cortana
Part of a penetration tester’s job is to deal with security products, such as anti-virus. Those of us that use the open source Metasploit Framework know that AV vendors have given the framework more attention in the past year. Now, exotic templates and multiple iterations through the framework’s encoders are not always enough to defeat the […]
Post-Mortem of a Metasploit Framework Bug
Two weekends ago, I ran my Advanced Threat Tactics course with a group of 19 people. During the end exercise, one of the teams was frustrated. Their team server was incredibly slow, like mollasses. I asked the student with the team server to run top and I noticed the ruby process for msfrpcd was consuming all of […]
Advanced Threat Tactics Training
I share a lot from my experiences playing on exercise red teams. I talk about the tactics to collaborate, persist on systems, and challenge network defenders in an artificial environment. Armitage was built for this role. I speak little about my experience working as a penetration tester. I used to work for a security consulting firm […]
Dirty Red Team Tricks II at Derbycon 2.0
Last year, I spoke on Dirty Red Team Tricks at Derbycon. This talk was a chance to share what I had used at the Collegiate Cyber Defense Competition events to go after student networks. During this talk, I emphasized red team collaboration and our use of scripts to automatically own Windows and UNIX systems. I […]
Beacon – A PCI Compliant Payload for Cobalt Strike
TL;DR Beacon is a new Cobalt Strike payload that uses DNS to reduce the need to talk directly to Cobalt Strike. Beacon helps you mimic the low and slow command and control popular with APT and malware. In the interest of helping you verify vulnerabilities for compliance purposes, I’d like to introduce you to Beacon, […]
Read More… from Beacon – A PCI Compliant Payload for Cobalt Strike
Delivering custom payloads with Metasploit using DLL injection
I’m very interested in supporting alternative remote administration tools in Cobalt Strike. Meterpreter is awesome as an active RAT, but I need something less chatty to hold my accesses when I’m not using them. I plan to talk about about this in my upcoming Dirty Red Team Tricks II talk. In this post, I’d like […]
Read More… from Delivering custom payloads with Metasploit using DLL injection
A loader for Metasploit’s Meterpreter
Recently, there was an interesting discussion on the metasploit-framework mailing list about the staging protocol for Meterpreter. egypt let loose with some wisdom about what it would take to write a client to download and execute a payload from a Metasploit Framework multi/handler. mihi completed the discussion by advising where to place the socket value, […]