WarBerryPi – The Revival

So we are releasing a new version of the WarBerryPi going from version 5.1c straight to version 6. We decided to skip all the in-betweens as this is a complete code overhaul including the new and updated reporting module. If you don’t care about my rumblings just scroll to the end to get the link to the repo. Background info Before going into the WarBerryPi specifics i want to give you a bit of a background on how this project started and where it has gotten me with the hope of helping people that feel that their stuff are not […]

Empire, Kaspersky & Obfuscation oh my!

Guest post by team member @taso_x After posting here some people on Twitter reported that they couldn’t replicate the functionality with Empire and Kaspersky. The current lab workstation i am testing on is a Windows 10 with Windows Defender and Kaspersky Endpoint Security 10. Since the release of the new Empire a few days ago, getting call backs from hosts with Windows Defender is not a problem as the payload doesn’t get blocked. Things get interesting when we encounter hosts that have both Windows Defender and Kaspersky Endpoint Security as this was the case during a recent engagement. Kaspersky will […]

Cobalt Strike – Bypassing Windows Defender with Obfuscation

Guest post by team member @taso_x For all red teamers delivering payloads while not kicking off all the bells and whistles of the organization is always a challenge. Just like all other security solutions Windows Defender has become better at detecting generic payloads generated with tools such as Cobalt Strike. In this example we will go through the generation of a PowerShell payload with Cobalt Strike and see how we can manipulate it in a way that it will execute bypassing Windows Defender on a Windows 10 PC. This is not the most elegant or easier solution to hide your […]

BYOS – Build your own sniffer – Python Tutorial

Lat post of 2017 and its going to be a long one. Before proceeding take into consideration the following: 1) I am not a developer and everything shown below is my own trip on understanding some principles 2) If there are mistakes or incorrect understanding let me know on Twitter. During an assessment you will most probably end up running Responder. If you read about Responder you will see that it is a LLMNR, NBT-NS and MDNS poisoner meaning that in order to for the tool to work it will need to first capture multicast packets of any of those […]

Hackbox – Kismet with GPS

This is a follow up post on my original writeup which can be found here. Since one of the purposes of this “thing” is have some fun while wardriving i wanted to be able to plot my route and capture APs on Google Earth. In order to do so i needed to configure a GPS dongle to work with Kismet. I am a big fan of using and re-using old hardware i have stored in boxed here and there i just found the only GPS dongle i bought about 5 years ago for no specific reason which is the BlueNext […]

HackBox Writeup

So it seems that my 2 day project got some attention on Twitter and a few people asked for a writeup on the setup. Although it may seem complicated it was really a very simple build. The complete setup looks like this. First of the purpose of the hackbox or whatever you want to call it its not to replace my hacking laptop. The purpose of this project is to be used as a companion to perform tasks like war driving, wifi attacking and Bluetooth assessments. Hardware Used Pelican case The pelican case is 8 inches which is enough for […]

Bloodhound Working with Results

This is the final part on the Bloodhound series and the most important for pen testers and red teamers. Picking up from Part 2 where the results are imported into the database it is time for making sense of them and achieving the objectives of our testing. The database info table on the left shows basic information about the current database and elements included. The Queries tab BloodHound comes with a number of predefined queries. In many cases these should be adequate to complete the goals. For example, if we need to find the shortest paths to Domain Admins we […]

Bloodhound Data Collection

This is part 2 of the series on Bloodhound. For setting up the database and the tool refer to Part 1. BloodHound data is done using the BloodHound.ps1 file located at: https://github.com/adaptivethreat/BloodHound/tree/master/PowerShell Clone the file and upload it to a host you have foothold. From either CMD or PS shell cd to a folder you have write access and follow these steps: Upload the BloodHound.ps1 file powershell.exe –Exec Bypass Import Module BloodHound.ps1 Get-BloodHoundData | Export-BloodHoundCSV Export the .csv files locally *There is an API for sending the data directly from Cobalt Strike to BloodHound but it is not described in […]

Bloodhound Setup

BloodHound is a tool developed by @_wald0, @CptJesus, and @harmj0y and it is a single page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound is developed on the interesting principle of six degrees of separation which states that all living things and everything else in the world is six or fewer steps away from each. This was brought into hacking terms as six degrees of domain admin. Source Repository: https://github.com/adaptivethreat/BloodHound Binary Releases: https://github.com/adaptivethreat/BloodHound/releases Wiki Page: https://github.com/adaptivethreat/BloodHound/wiki The installation instructions below are directed towards MacOS users but the same steps should apply for […]

WarBerryPi – Adding a switch

On one of my devices, I installed a toggle switch to control the script execution. This allows me to first check on the LCD that the WarBerryPi has obtained a valid IP address before starting the execution. Installing the switch is an easy job, but it does require you to drill a hole in the case. The connection schematic is shown below. Of course, you can connect to another pin of your preference, but in my setup, I used PIN16, which corresponds to BCM23 on the Raspberry Pi. Depending on the toggle switch you purchased, you need to identify which […]