
War Room

Shells from above


Andy

Weaponizing hostapd-wpe

June 2, 2017 By Andy

TL;DR: Installing hostapd-wpe on a wireless router powered by an external power bank provides a standalone wireless attack platform with good transmit power, concealability, and mobility. Despite being almost 5 years old (but recently updated to support hostapd 2.6), hostapd-wpe is still a go-to tool for assessing the security of wireless clients attached to WPA2 Enterprise ...

Evil AP Attacks with Spoofed Certificates

February 9, 2017 By Andy

We've written in the past about the "Evil twin" or "Evil AP" attack using hostapd-wpe ("wireless pwnage edition"). This remains a viable attack in environments using enterprise authentication, and the patched hostapd obviates the need for a wireless access point, making the attack easy and portable. However, like most attacks there are still opportunities for tweaking and ...

CTF Example – Web Application Security

January 26, 2017 By Andy

During RSM's 2016 Capture the Flag (CTF) event, the Web Application Security category took the format of a full-blown web application penetration test. Participants could accomplish the 100 point challenge simply by exploring and mapping out the web application. By the time participants reached the 500 point level, they had performed password guessing, SQL injection, bypassed ...

Approaches for Wireless Man-in-the-Middle

May 17, 2016 By Andy

The wireless medium is inherently susceptible to man-in-the-middle attacks. Whether the objective of such an attack is to capture traffic, or simply to make an "evil" access point more believable by connecting clients to the Internet, there are a few different approaches one can take to inserting oneself between the target(s) and the Internet. This post explores two of ...

Create an Encrypted Leave-Behind Device

February 15, 2016 By Andy

Consider this scenario: You've breached the physical perimeter of the target organization. Once inside, you need to establish some means of remote network access, whether for yourself or your teammates waiting on the outside. In this example, this takes the form of a device you plug in to an unattended network jack within the target organization. Whether you call this ...

Scripting RDP for Pillaging and Potato

January 18, 2016 By Andy

Previous posts on the WarRoom have addressed expediting the use of remote desktop to facilitate pillaging. This post explores scripting commands through an RDP client to serve that same purpose. The end result is a one-liner that will log in to a remote system, attach a local directory, execute a script, and save the output to that same local directory, provided the attacker has ...

Ghosts in the Machines

October 30, 2015 By Andy

Methods for the prevention, detection, and removal of ghosts in digital networks

We often find that clients are so focused on preventing attacks from malicious living humans that they completely neglect the threat posed by ghosts. With that in mind, today's post focuses on defensive measures that can be implemented to (1) prevent ghost infestations; (2) detect paranormal ...

Launch rdesktop from Metasploit

October 26, 2015 By Andy

I often resort to remote desktop sessions when pillaging or attempting lateral escalation. Remote desktop provides an easy way to look for important data, get an idea of what applications are in use, run scripts or programs, and transfer data between my host and the target system. Since the Windows "Remote Desktop Connection" program keeps track of IP addresses and makes it ...

Metasploit Module of the Month – enum_ad_computers

September 25, 2015 By Andy

Summer has officially ended and Autumn is setting in. As the leaves begin to fall and September draws to a close, it's a perfect time to sit back and reflect on the Metasploit modules that filled our Summer months with joy. In the third installment of our "Module of the Month" series we examine enum_ad_computers, a post-exploitation module that combines the flexibility of LDAP ...

Retrieving Credentials from Configuration Files

August 14, 2015 By Andy

"Security is not convenient." Though blunt, this phrase neatly captures the fundamental conflict between typical users and information security personnel. Typical users want their workstations and networks to be configured for speed, accessibility, and convenience, whereas security professionals prioritize tight access control and monitoring. If you believe that security is ...

Copyright © 2023 RSM US LLP. All rights reserved. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit for more information regarding RSM US LLP and RSM International.