On a recent forensics case, a coworker and I noticed some interesting logs on a Linux web server. TCPDump showed some strange traffic from a handful of IPs, but the access logs were not showing any visits from the offending addresses. The traffic was encrypted, so it wasn't possible to see what was being sent, and we needed to do some additional digging. A lot is required to take ...
Metasploit Module of the Month – ntlm_info_enumeration
This post will be the first in an ongoing series devoted to covering various modules in the Metasploit Framework and their uses. We hope that our readers will find this useful, as there are more modules added to the framework each day, as well as some obscure modules which are incredibly valuable. This entry in the series will examine one of the latter, ...
Building a Vulnerable Box – Heartbleed
Patchwork may have wrapped this series up in his last post, but I've got one more to add. The Heartbleed bug (CVE-2014-0160) received a lot of press when it was discovered and disclosed in April of 2014, and deservedly so. The vulnerability was severe not only because of the sensitivity of the information it could leak, but also because of its prevalence across the ...
CTF – Exploit PCAP Walkthrough
RSM recently hosted a Capture the Flag competition for high school students in partnership with the University of Mount Union. Our team attempted to craft challenging but "solvable" problems for the participants to complete. When I was writing my challenges (they fell mostly in the Forensics category), my goal was to make problems that were something a high school student ...
DLL Injection Part 2: CreateRemoteThread and More
Back for more? Good. I learned quite a bit doing the research for this portion of the series, and I have to give credit mostly to my sources. Check out the Open Security Research and Infosec Institute articles in the references. They go really in depth on this topic. I am not really expanding on their content, but I find that spending time explaining it helps me to better ...
CTF – PHP and OS Command Injection
This past weekend, RSM's technical consultants worked with representatives from the University of Mount Union to host a Capture the Flag competition for teams of local high school students. The teams competed for scholarship money in challenges spread across six categories: Coding, Cryptography, Forensics, Grab Bag, Hacking, and Web. The students' collaboration, research, ...
Real World Malware Analysis Part 3: Sandbox
In the first post, we created our own malware lab with some basic tools. Now we're going to use someone else's sandbox. The automated analysis provided by Malwr.com has been tremendously useful in the short time that I have been using it. It's a great tool for getting things done quickly. Keep in mind that even though a lot of the essentials are automated here, we'll stick to a ...
Shells by Mail: Backdooring USB Devices for Fun and Pwnage
Pretty much everyone is familiar with the most common ways that organizations are breached (weak passwords, misconfigured systems, social engineering, etc.), but on a recent engagement we decided to do something a little bit unconventional. In terms of attack vectors, our client had placed only one restriction on us: we could not physically go inside their facilities. So ...
DLL Injection Part 1: SetWindowsHookEx
The goal of DLL injection is to load code into another running process' address space. So how exactly do we go about accomplishing that? It turns out there are a couple of ways to do so in Windows. We are first going to examine "SetWindowsHookEx," a method for creating hooks in Windows. If by the end of this post you are hungry for more, check out the references at the ...
Pillaging .pst Files
This post originally proposed using the open-source Java program Xena and its included plugin for converting .pst files into a searchable format. It still references Xena, but has been updated to reflect a simpler approach. On a recent engagement we were able to quickly compromise a client's network thanks to NetBIOS spoofing and easily cracked passwords. Of course, the ...