Education

Nmap & CrackMapExec (CME)

The swiss army knife of the cyber world, it can port scan, fingerprint, produce reports and run scripts using the nmap scripting engine (NSE).

Why do we care about NMAP, surely everyone knows how to NMAP?

Well, that’s simply not true, it’s always important to tech new people, to revise and hone existing skills and the world of nmap scripting is constantly evolving.

Port scanning and fingerprinting let alone leaking sensitive data and conducting “attacks” is all possible. You can do a basic vulnerability scan with nmap alone!

Read more “Nmap & CrackMapExec (CME)”
Guides

I AM BRUTE

How long should you test brute force password attempts for?

Well, a recent Microsoft report showed the average RDP brute force attack over the internet lasted about 3 days. Now let’s take a look at what a single attacker machine (IP) can send to a single target server over a well-connected network (1GBE low latency):

Read more “I AM BRUTE”
CTF

Using CTFs for offensive and defensive training – Purple…

Pwning a legacy server on Hack the Box is good for a training exercise however what about if we want to think about how to use resrouces for red and blue. Looking at both sides of the coin when thinking about offense really should help people undesrand how to defend better. In the end of the day outside of a tiny tiny fraction of deployment types, you are going to need to be able to explain how to defend regardless of engagement type (vulnerability assessment, penetration test, purple team, red team etc.)

Getting access

I’m not going to talk through every step but here’s the commands you would need to run:

Read more “Using CTFs for offensive and defensive training – Purple Teaming”
Hacking

Linux Privilege Escalation

When you gain access to a target node you will want to explore, the exact method you use to do this will depend upon operational security considerations, time constraints and style. You will be looking for a range of elements to support progressing an objective.

It should be noted that the objective may NOT require elevation. You may be trying to obtain data and access might already be possible using the context you have assumed.

You also may need to move from a www-data user to a named user account or get to root level of access. If so there’s a range of questions we should be asking ourselves:

Read more “Linux Privilege Escalation”
Guides

Measuring Cyber Essentials: Windows Security Configuration

Measuring Compliance with standards is easy right?

Checking an environment configuration is one of those things where it’s easy to say and harder to do. If we take the cyber essentials standard and look at the requirements, they are quite different from say the CIS baselines. This alone makes for some fun, let’s investigate this further:

CIS baselines are based on a specific component e.g., Windows Server or Windows client and is contextually aware of roles: e.g., Domain Controller vs Member Server.

Is this registry key set?

Read more “Measuring Cyber Essentials: Windows Security Configuration”
Hacking

Priviledge Escalation Hunting – Scheduled Tasks and Scripts

TLDR: If you have been hunting for privescs before you will know it’s normally not a fast task, you will have a shed ton of data to look at. Sure WINPEAS is good but it’s not a silver bullet.

Here is a really small script which focuses on system administration files/scripts, scheduled tasks and scheduled task history to help you hunt for weaknesses:

Read more “Priviledge Escalation Hunting – Scheduled Tasks and Scripts”
Copyright (c) Xservus Limited