Category: Hacking

Defense

Things to do before you conduct a ‘red team’…

Introduction

‘Red Teaming’ the latest phrase in the cyber security world that brings a shudder down my spine! Now don’t get me wrong, adversary simulation is awesome, it’s a great tool and when wielded correctly brings massive value to enhancing your security posture… but alas, they aren’t always deployed in a business aligned and value driven position.

They sound ‘sexy’ and any pentester is going to jump at the chance to do one, let alone the sales and marketing teams will be grinning as they will come in with higher revenue but also will increase their case study portfolio for delivered red teams! (I’m not knocking this, it’s the reality of doing business).

Having witnessed a number of these take place against organizations who I don’t feel are ready for them, I thought I would write a piece on things I would recommend having in place before conducting a ‘red team’ assessment. Read more “Things to do before you conduct a ‘red team’ assessment”

Guides

Pentester Academy Attack Defense Labs – Web Application: Broken…

Introduction

Those who know me know that I not only practise offensive security techniques from a business perspective, I also play in a CTF team and build PwnDefend CTF challenges. I came up with the idea of doing a red and blue team CTF sometime in 2018 however this isn’t as easy to build and run as you would think. Anyway, I digress… as part of my research and personal development I like to test out other platforms and pwn a few things so I thought I’d do a quick write up of the Pentester Academy Attack Defense labs Web Application Broken Authentication challenge. Spoiler alert.. I spoil this one (but it’s easy so don’t cry too hard!) Read more “Pentester Academy Attack Defense Labs – Web Application: Broken Authentication”

Defense

Defending Office 365 against MFA bypass using IMAP

So, you have deployed Office 365, you’ve setup multi-factor authentication and deployed password managers so that your users can safely use MFA where it is supported but fall back to app passwords where it’s not. Great stuff… except by default you aren’t quite as secure as you would think!

Default Office365/Exchange Online Config

Now this is great for HTTP based communication methods. but email isn’t restricted to HTTP only. When we investigate the default deployment configuration we see that IMAP and POP3 are both enabled. The below screenshot shows the default mailbox feature configuration:

Now as we know, both IMAP and POP3 do not support a second or multi-factor authentication by default, so in the GUI you should disable those (unless you have a really specific business reason that means you MUST use these) Read more “Defending Office 365 against MFA bypass using IMAP”

Guides

Owning the Covenant like a Chief! – C2 Framework…

Covenant is a .NET c2 (Command & Control) Framework that aims to highlight the attack surface of .NET and aid red teamers! Today I’m going to jump into slip space with a Halo themed blog on my first use of Covenant in the lab. Let’s hope I don’t need Cortana to get this deployed (yes I’m a massive Halo nerd!)

Installation

First thing let’s head over to GitHub and check out the install notes:

The architecture seems to look like this:

Read more “Owning the Covenant like a Chief! – C2 Framework Review”

Hacking

OSCP Week 2

Getting back into it!

Following on in the series from my previous post – My OSCP Diary – Week 1 I continue my offensive security professional certification journey!

So, after a break in my training schedule (pro tip, ask Offensive Security (Offsec) to pause your PWK lab time – I didn’t which was stupid) I’m back into the PWK labs!

The first thing I realised after having ~ 40 days break was taking that long a gap isn’t the best idea (but hey holidays and life have to happen right!) I got back into the lab and looked at my attack Visio blankly for a bit, realising the task ahead of me had a lot of servers still in it!

I think the first box I decided to hit was pain, as its name says this box is not easy as is considered an OSCP boss box, as its name says, it’s painful but quite fun once you have cracked it. Read more “OSCP Week 2”

Guides

My OSCP Diary – Week 1

A long time ago in a more civilised age

I’ve been working on the technology industry for the last 17 years, planning, designing, building and operating solutions since I was able to access the internet. I’ve been working the last 10 years as a consultant architect (across a number of domains) working with clients to understand their businesses, their technology needs, current deployments, gaps, road map and create solutions to enable their businesses, but you can’t do that if you introduce risks to businesses by creating unnecessary and unwanted security risks.

I’ve delivered services directly for and as part of a supply chain for a large range of organisation verticals from global media organisations, logistic firms, retail, telecommunications, media & entertainment through to local authorities, central government agencies, armed forces and the metropolitan police. Read more “My OSCP Diary – Week 1”

Defense

A day out phishing

A common tactic for threat actors is to leverage weaknesses in human behaviour. Over the years a combination of poor configuration has led people to ‘click YES’ syndrome. A common vector for attackers is to send emails with document attachments using either embedded macros or abusing Office document OLE functionality.

Below we have a live sample of a phishing document. As you can see it’s been styled in a similar fashion to the Office user interface. Read more “A day out phishing”

Hacking

Hail Hydra – RDP brute forcing with HYDRA

Securing services requires a broad range of knowledge of operating systems, networking, protocols and offensive capabilities. So I thought I would demonstrate some testing methods to show how a control is effective in blocking certain types of attack, so here’s some offensive and defensive guidance to limit RDP attacks. Please remember this is for educational purposes, do NOT break the law and only use these techniques where you have permission! #whitehat

Overview

This document provides a sample of the internal (white box) testing process and procedure for testing RDP controls against brute force attacks.

Test Objectives

  • Demonstrate only authorised users can access the service
  • Demonstrate Remote Desktop Services has a hardened configuration
  • Demonstrate a brute force attack

Method

  1. Scope Evaluation
  2. Testing
    1. Enumeration
    2. Vulnerably Assessment
    3. Exploitation
  3. Report Results

Read more “Hail Hydra – RDP brute forcing with HYDRA”