#hack100days : Day 13 (belated post) : Today was a little weaksauce. Researched kit to bolt onto a Raspberry Pi 3 to make a wifi hacking rig. #getsmart #infosec #wifihacking
#hack100days : Day 14 : Took a crack at metactf.com's Thanksgiving CTF. It's multiple days. Today there are six challenges. I've gotten 5. #ctf #getsmart #infosec
#hack100days : Day 15 : Looks like metactf.com's Thanksgiving CTF is only the five challenges. I'm hit and miss with crypto. I've managed to work out part of the plaintext. Gonna keep noodling on it. #ctf #getsmart #infosec
#hack100days : Day 16 : Still banging at the crypto challenge. I've gotten a big push, but the implementation is still escaping me. I've been focusing on the decimal values of the ASCII char set. Maybe tomorrow I try with hex values and see if that leads to a breakthrough. #crypto #ctf #getsmart #infosec
#hack100days : Day 17 : Where I was going to go with the crypto challenge is not the path I took. @apiratemoo gave me some advice and I managed to sort it out. Compared to other crypto challenges I've worked on, I'm happy to have gotten to a solution. I've not seen one like this before. #cryptography #getsmart #ctf #infosec
#hack100days : Day 18 : Started in on Responsible Red Teaming (https://taggartinstitute.org/p/responsible-red-teaming) Today was a busy day, so I need to read. #getsmart #redteam #infosec
#hack100days : Day 19 : #hackthebox release day. Worked on Precious an "easy" linux box. Pretty straightforward. #getsmart #sharpenthesaw #htb #ctf #infosec
#hack100days : Day 20 : More #hackthebox. Worked on awkward and got user. Still working out root. Also worked on carpediem, but didn't get any further than last time. Then went down a password cracking rabbit hole. Trying out JtR and incremental filters. #sharpenthesaw #htb #ctf #infosec
#hack100days : Day 21 : More #hackthebox again. Still chipping away at awkward. I'm likely running around in a rabbit hole. Better here than on a job, I reckon. Time to look through the forums. #sharpenthesaw #htb #ctf #infosec
#hack100days : Day 22 : Took a break from awkward. Poked around at Vortimo OSINT Tool (https://osint-tool.com/) and related integrations. Anyone w/search.censys.io accounts getting 500s after logging in? That's weird. Also played around with hashcat some more and tinkered with using masks. Next I want to play with combined masks and wordlists to see what that gets me. #sharpenthesaw #osint #infosec
#hack100days : Day 23 : Read more on Responsible Red Teaming. Two more sections down. Legality, ethics, responsibility, and opsec. Good stuff to keep in mind. #sharpenthesaw #redteam #infosec
#hack100days : Day 24 : Today was a grab bag. Pulled off today's #tryhackme advent of cyber challenge. It was not what I was expecting, but I expect the difficulty to ramp up as we go. Tuned into @Alh4zr3d@twitter's twitch stream. Target looked familiar. #ctf #infosec
#hack100days : Day 25 : Today's #tryhackme advent of cyber challenge is sorted. Worked through the next section of Responsible Red Teaming. Tinkered with my zsh prompt. Need to try out sysmon for linux and the logging recommendations in my lab. #ctf #sharpenthesaw #redteam #infosec
#hack100days : Day 26 : Today's #tryhackme advent of cyber challenge is sorted. Poked at the new #htb release. I'm not grokking, but now the interruptions are minimized. So maybe some focus will get me there. #sharpenthesaw #ctf #infosec
#hack100days : Day 27 : Today's #tryhackme advent of cyber challenge is sorted. Nmap and smbclient are your friends. I've got a flipper zero now, so I'm poking around with that. Firmware is updated. Looking at a couple of alternative firmware options. Gonna try out some nfc and badge reading tomorrow. #sharpenthesaw #ctf #infosec #flipperzero
#hack100days : Day 28 : Today's #tryhackme advent cyber challenge is sorted. Didn't reckon hydra was really still a thing. #ctf #infosec
#hack100days : Day 29 : Today's #tryhackme advent cyber challenge is sorted. Outside of the ctf, spent some time getting re-acquainted with Splunk. #ctf #sharpenthesaw #infosec
#hack100days: Day 30 : Today's #tryhackme advent cyber challenge is sorted. Cyberchef is pretty slick. Outside the ctf, banged around in another SIEM-ish product exploring remote access behaviors. (Have *you* ever looked at RDP, ssh, vnc, telnet, etc. traffic in your network?) #ctf #sharpenthesaw #infosec
#hack100days: Day 31 : Today's #tryhackme advent cyber challenge is sorted. I don't *really* care much about "Web3.0". ::old man shakes fist at cloud:: But, it is good to at least have a high-level view of what's going on "out there". Not sure how I was *supposed* to get the flag, I just `bash`-ed at it until it made sense. #ctf #infosec
#hack100days: Day 1b : Fell off the wagon. Got back into it today. Hacked on #htb machine cronos with a coworker. One of my tools let me down. Need to figure what that was about. #sharpenthesaw #cyberrange
#hack100days : Day 2b : #hackthebox new release today. Needed a few nudges and learned about a newer feature in some tooling and about a tool that comes on Linux I hadn’t seen before. #getsmart #ctf #infosec

#hack100days : Day 3b : Working on cleaning up notes from yesterday. Need to capture lessons learned from Friday, as well--when searching for vhosts using ffuf, check the http headers to see if "Host: FUZZ.${TARGET}" or "Host: FUZZ" is needed.

Also a note for #redteamers, are you testing USB detective controls every now and then? My next test is going to be with a #FlipperZero--if the tooling doesn't recognize it, gonna amp it up w/some BadUSB shenanigans. #infosec

#hack100days : Day 4b : Spent a little time looking at RubberDucky and did a simple test w/a #flipperzero. The bad usb capability looks very useful.

Finished yara rule section of Responsible Red Teaming and read through the C2 section. Itching to "lab it up"! #redteam #infosec

#hack100days: day 5b : Spent more time tinkering w/RubberDucky and started working on the next section of Responsible Red Teaming. Also conflab w/coworkers.
#hack100days : day 6b : Finished reading Responsible Red Teaming. Noodled on threat models post-Initial Access via Rubber Ducky. #infosec #att&ck #RRT
#hack100days : day 7b : Watched some #cobaltstrike videos on YouTube, by Mudge. Thinking through and planning the Execution, Persistence, C2, and possibly Lateral Movement phases of a #redteam exercise. Keeping Exfiltration and Impact off the table for this one and putting Persistence and Lateral Movement on the "maybe" or the "secondary" list. This is my first one, so I don't want to bite off way more than I can chew. I'd rather wring the hell out of a couple of tactics than skim across a bunch. Give #blueteam better insight on breaking a chain.
#hack100days : day 1c : watched some more of Mudge’s series on #cobaltstrike —finished up the section on infrastructure. Stuff is a little spooky. Gonna have to lab that up early next year. #infosec #redteam
#hack100days : Day 2c : More #cobaltstrike, today was learning about weaponization. #redteam #infosec
#hack100days : Day 3c : More about weaponization with #cobaltstrike. Started looking at php syntax. Expanding on an idea from Responsible Red Teaming. Thinking through spinning up a stupid simple api for testing hash of found malware against #redteam list of created malware. Depending on nature of exercise, "Yep, you found me, good job", "Nope, not me (but it is, and objective includes testing dfir)", or "Nope, not me--deal with it as you see fit". Make it a "Red Team CTI feed" to minimize analysis time. Legit? #infosec
#hack100days : Day 4c : Finished Mudge's #cobaltstrike weaponization video. Reckon some of it will make more sense after labbing it up, esp the bits where the attack moves from an artifact to an implemented beacon. #infosec #redteam
#hack100days : Day 5c : started in on Mudge’s #cobaltstrike Initial Access video. #infosec
#hack100days : Day 1d : Holidays haze plans. Started building out #cobaltstrike lab. Teamserver stood up. Will finish standing up target host tomorrow and start puttering around the UI. #redteam #infosec
#hack100days : Day 2d : #cobaltstrike team server built. Target built. Tried out a payload and tried out a web attack. Had to turn off all the Defender capabilities to get it to go. Time to revisit weaponization video and notes to get more realistic. Also learned about pktmon (https://learn.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon), which has an option to turn etl to pcapng! #redteam #infosec
#hack100days : Day 3d : More banging on the target box. Sorted out how to use pktmon and re-learned Hyper-V checkpoints. Next action, w/protections off, write a script to test for user, target box. If pass, then set pktmon filter and start pcap, call back to teamserver for payload, and ???. Else, call to a web listener w/a "I'm not in the right place" message. Once that works, then start working on payload obfuscation to get to a point where I can turn protections back on. #amhacking #labitup #redteam #infosecurity
#hack100days : Day 4d : Today's efforts on this were thin. Took a stab at using #ChatGPT to write a draft of my script and it's going to be a good place to start. #infosec
#hack100days: Day 5d : Worked on #hackthebox new release broscience. #infosec (Went to a basketball game today, which took a lot of time. M-I-Z!)
#hack100days: Day 6d: Continued working on #hackthebox new release broscience. Went down some enumeration rabbit holes. Found some usernames. Still need to figure out initial access. #infosec
#hack100days: Day 7d : Kept chipping away at #hackthebox new release broscience. Good challenge for #webappsec testing. Recognized an #owasp top 10 vulnerability, but I needed a nudge on how to get ZAP to help me exploit it--Replacer, ftw. Still have some enumeration to do to figure out initial access. Incremental progress is still progress... #infosec #sharpenthesaw
#hack100days : Day 8d : Watched more of Red Team Operations with #cobaltstrike from Raphael Mudge. Finished Initial Access and watched Post Exploitation. Likely going to need to watch that last one again. Some of the info is beyond what I've had to work with before. Malleable C2 profiles may take some time to get good at. #redteam #infosec
#hack100days : day 9d : Little thin today. Threat modelling galore. Some time at an #infosec meetup talking to a peer re: #cobaltstrike and #redteam #operations. Good to have a sounding board!
#hack100days : day 10d : Banged around with #cobaltstrike some more today. Put my wrapper testing for userid and hostname around a call to get a payload and those bits worked--after disabling the protections on the target box. Need to troubleshoot my flags on pktmon to get that working right. Downloaded the arsenal scripts and next action will be to take that apart to understand. Must. Figure. Out. Obfuscation. #redteam #infosec
#hack100days : day 11d : More #cobaltstrike. Watched a couple of videos on artifact kit. Weird how Mudge said in one of the videos to not use or stay in rundll32 or svchost, but that's exactly how artifact kit rolls. I've got some more to figure out with that one. Also watched a couple of viddys on beacon object files--I suspect *that* is going to be something to explore more of. #redteam #infosec
#hack100days : day 12d : Banged around on #hackthebox release arena's stocker box. It's rated easy, but the foothold was new territory for me, so not too easy. Learned some new stuff, so that's good. #infosec #ctf #sharpenthesaw
#hack100days : day 13d : Took a crack at #hackthebox Fortress lab Jet. I'm about a third of the way through. I keep breaking the box trying to get the next flag. Reckon that's a hint what I'm doing is the wrong path for this one. #redteam #sharpenthesaw #infosec
#hack100days : day 14d : Watched Mudge’s lateral movement video for #cobaltstrike. #activedirectory and #windows refresher. #redteam #infosec
#hack100days : day 15d : Watched Alh4zr3d twitch stream. PHP assert is interesting. Read up on #redteaming #azuread Phishing is out of scope, so spending time thinking through additional threat vectors. #infosec

#hack100days : day 16d : Looked at establishing #persistence w/via registry run and runonce and via Startup. Only the beginning, really. #blueteamers are you watching these keys and folders?:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup (I was able to write here and use it in stock lab machine.)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Requires elevated privileges to save here.)

#redteam #windows #infosec
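For the #blueteamers question above, here is an added example (not code from the original posts) that enumerates exactly those Run/RunOnce keys and Startup folders, saves a baseline, and on later runs reports only entries that are new. It assumes a Windows host with PowerShell 5.1 or later; the baseline file path is an arbitrary choice.

```powershell
# Added example, not from the original posts: audit the Run/RunOnce keys and
# Startup folders listed above and compare them against a saved baseline.
# Assumes Windows with PowerShell 5.1+; the baseline path is arbitrary.

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $startupFolders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    # Get-ItemProperty adds PSPath etc. to its output; skip those pseudo-values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            [PSCustomObject]@{ Location = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        # -Force includes hidden files; desktop.ini is always there, so drop it.
        Get-ChildItem -Path $folder -File -Force |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                [PSCustomObject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
            }
    }
}

function Compare-AutostartBaseline {
    param([string]$BaselinePath = "$env:ProgramData\autostart-baseline.xml")
    $current = @(Get-AutostartEntries)
    if (-not (Test-Path $BaselinePath)) {
        $current | Export-Clixml -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
        return
    }
    $baseline = @(Import-Clixml -Path $BaselinePath)
    # Anything present now but absent from the baseline is a new autostart entry.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Location, Name, Command |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Location, Name, Command
}

Compare-AutostartBaseline
```

HKCU: only covers the user running the script; to cover every profile on the box, walk HKU:\<SID>\Software\... for each loaded hive as well.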

#hack100days : day 17d : Poking around some more at #windows #persistence. Scheduled Tasks is fun. Out of the box, users can do this. Should they in a business environment? Extra fun, via Scheduled Tasks or via Event Viewer, a task can be set up to trigger of Event IDs. Like event id 4800, which is when a user unlocks their workstation... Me likey. #redteam #infosec
#hack100days : day 18d : Looked at MITRE ATT&CK framework technique T1547.001 (https://attack.mitre.org/techniques/T1547/001/) for more scoop on scheduled tasks and run keys. Poked at schtasks and the powershell commands for manipulating tasks. Not seeing how to use cli to set up a task triggering off of eventid 4800. I found this article, https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/, which suggests I could do it manually on a lab box, export it, and then import via cli on the target. So, this will be something to lab up. #redteam #infosec #persistence
#hack100days : day 19d : Worked on #hackthebox new release, investigation, and managed to get user and root. I used to be strong in perl... ...it was in the last century, though! LOL. #ctf #infosec
#hack100days : day 20d : Worked on #hackthebox Jet fortress. Got another flag. More php tricks. #ctf #infosec
#hack100days : day 21d : Tinkered with schedtask and eventviewer. Exported a task set to go off of 4801--unlocked wkstation (Previous post said 4800, which worked on another Windows 10 implementation had this. So, gonna have to unpack that weirdness...) When I imported it on another box, no joy. Permissions issue. Redid it from the context of the schedtask app and the import worked, but stuck it in an unexpected location. Tried to run as system instead of my defined user... ...so, that's interesting. ...? #redteam #windows #persistence
Figured out my 4800/4801 goof. Locking a #windows workstation is 4800 and 4801 is when it is unlocked. So, maybe from a #redteam perspective, depending on the action of the payload, triggering on lock and killing on unlock is useful. (Grrr, need to read the docs a little more closely next time. Testing worked, but it was false positive, wrote out the result on flippin' lock. Murphy's law, ftw!)
#hack100days : day 22d : Figured out my goof on 4800/4801. It's Lock/Unlock. Played around with schedtask to get a valid task on unlock. Took some experimentation, but got there. Got a good example exported as xml, so the next trick is writing a script to establish persistence after initial access. Concurrently I need to write the info gathering script(s). #redteam #windows #persistence
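The day 17d through 22d posts describe tasks that fire on Security event 4800 (lock) and 4801 (unlock). The flip side for the #blueteam is finding such tasks on a box. This added example (not code from the original posts) lists every scheduled task that has an event-log trigger, parses the channel and Event ID out of the trigger's subscription query, and flags the lock/unlock ones. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and enough rights to read all tasks.

```powershell
# Added example, not from the original posts: list every scheduled task with an
# event-log trigger and pull out the channel and Event ID it subscribes to, so
# tasks keyed to Security 4800 (lock) / 4801 (unlock) stand out.
# Assumes Windows 8 / Server 2012+ (ScheduledTasks module) and read rights on all tasks.

function Get-EventTriggeredTasks {
    param([int[]]$WatchEventIds = @(4800, 4801))

    foreach ($task in Get-ScheduledTask) {
        foreach ($trigger in $task.Triggers) {
            # Event-log triggers are MSFT_TaskEventTrigger objects; Subscription holds
            # the same XPath query Event Viewer shows under a custom filter's XML tab.
            if ($trigger.CimClass.CimClassName -ne 'MSFT_TaskEventTrigger') { continue }
            $sub     = [string]$trigger.Subscription
            $channel = if ($sub -match 'Path=[''"]([^''"]+)') { $Matches[1] } else { '?' }
            $eventId = if ($sub -match 'EventID=(\d+)')        { [int]$Matches[1] } else { 0 }

            # Exec actions carry a command line; other action types just get their class name.
            $actions = foreach ($a in $task.Actions) {
                if ($a.CimClass.CimClassName -eq 'MSFT_TaskExecAction') {
                    "$($a.Execute) $($a.Arguments)".Trim()
                } else {
                    $a.CimClass.CimClassName
                }
            }

            [PSCustomObject]@{
                Task     = $task.TaskPath + $task.TaskName
                State    = $task.State
                Channel  = $channel
                EventID  = $eventId
                RunAs    = $task.Principal.UserId
                RunLevel = $task.Principal.RunLevel
                Action   = ($actions -join '; ')
                Watch    = ($WatchEventIds -contains $eventId)
            }
        }
    }
}

# Lock/unlock-triggered tasks float to the top; everything else follows.
Get-EventTriggeredTasks | Sort-Object Watch -Descending | Format-Table -AutoSize
```

Pair this with task-creation logging: Security event 4698 records new scheduled tasks when "Audit Other Object Access Events" is enabled, and the Microsoft-Windows-TaskScheduler/Operational log records task registration and runs.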
#hack100days : day 23d : Confirmed pktmon was not going to be in-play for my objective tooling. Wireshark is in the software catalog, so explored ways to use sccm at the command line. Still have a ways to go. Was able to enumerate part of the software catalog, but a lot of it wasn't visible. Including wireshark--I think tshark is installed with it, so that's my goal. #redteam #executeonobjectiv #infosec
#hack100days : day 24d: Today was research day. Attended a webinar on web hacking with some good links to resources. This one gave me a lot of good threads: https://github.com/dafthack/CloudPentestCheatsheets/tree/master Which is good, I've got some scope to nail down the next week or so, so this should help. #redteam #sharpenthesaw #infosec
#hack100days : day 25d : New hacktop from work today. Setting it up, trying stuff out. WSL is still sub-optimal. Gonna work on getting more facile w/Docker and Ubuntu's Multipass. Oh, something interesting... ...an EICAR dropped into a WSL image doesn't get flagged by Defender. #labitup #infosec
#hack100days : day 26d : New release on #hackthebox, but it's not coming easily. Found a thing to help with enumeration, but I need to do some more reading on php to get to the next bit. #ctf #infosec
#hack100days : day 27d : Took another look at the #hackthebox new release. Making some progress. #ctf #infosec
#hack100days : day 28d : Doing some Attack Chain threat modeling. After getting a #flipperZero and playing with BadUSB, I've gotten my hands on a #Hak5 Rubber Duckie. Looking at #mitreattack I notice the only BadUSB references are in footnotes! I think it fits as either Hardware Additions or as a Phishing technique. What say you #redteam and #blueteam, since it's not explicitly called out as a technique, do I infer this as "not likely"? #infosec
#hack100days: day 29d : Bashed at new hacktop's wifi. Going in to work tomorrow, chance to isolate issue to laptop or my network and their interaction--other devices are behaving as expected. Watched a bit of @Alh4zR3d@twitter's N00bie Tuesday. Also found this site: https://www.zaproxy.org/docs/docker/webswing/ Which means I don't have to pollute the new hacktop w/Java! Another opp to get more touches w/#docker. #infosec #labitup
#hack100days: day 30d : Pretty busy day, putting pressure on hacking for myself. Looked into "coding"--Red Teamers have to code(?). I'm down with bash and fairly comfortable with python and PowerShell. After looking at CobaltStrike, I can kind of connect the dots. So, nim, .Net/C#, go, rust? I'm not diving into c/c++, looked at K&R ages ago and it didn't take. Got a nudge to the .Net/C# direction, it *is* the "guts" of PowerShell and Windows. #redteam #coding
@scottlink Thinking more initial access. T1091 or T1200?
@CDubbs I did look at T1200 and I interpret it as plugging something into the network--although I did miss the "keystroke injection" clause. When I looked at T1091, it was very "media"-centric, which I didn't take as a Human Interface Device. That's what BadUSB/Rubber Duckie tend to present as, a keyboard and mouse. I agree T1091 and T1200 both cover it to some degree.

@scottlink

Useless Trivia
php has the dirtiest code comments amongst all other languages.

@scottlink I often use WSL to install kali and metasploit (nmap doesn't work too well under WSL) and defender is a bit hit and miss with WSL. It does have some coverage as it's borked my metasploit install