Where did we start? From time to time, I still reminisce about my first ransomware investigation. The attack affected a family business in Florida during the summer of 2015. Business was humming along until one fateful morning when an employee arrived for their day of work, only to find that files stored on their servers were encrypted. I will never forget how devastated the ... READ MORE
Solarwinds
How a Default SolarWinds Guest Account Can Facilitate Compromise – and How to Fix It The Problem SolarWinds is a leading provider of network monitoring and configuration management software. However, there’s a default feature on the SolarWinds Orion Network Performance Monitor tool that could be putting your organization at big risk. The issue is a default guest account ... READ MORE
No More Mimikatz
Mitigating Windows Credential Flaws There’s a vulnerability in Windows systems that is leveraged time and time again while compromising a network. Though the technique is well known to attackers, it is rarely mitigated effectively. Bad combination. But it’s convenient… Windows systems will cache user credentials in system memory. In cleartext. This is a default feature in ... READ MORE
Stanford Password Policy
A creative solution for stronger passwords Rules, Rules, Rules Most of us are familiar with basic password rules: Don’t use ‘password’. Duh. Don’t use your username as your password. Got it. Don’t repeat the same password for multiple accounts. Don’t choose an easily guessable password combination, even if it looks complex, e.g. ‘Winter2016’. Ok… I know ... READ MORE
SMB Relay
SMB Relay Attack The SMB relay attack has been around for years, and publicly available tools make the attack easier to carry out. The attack can result in a full network compromise with relatively little effort or expertise on the part of the attacker, making this a very common technique. What’s worse, we’ve noticed many organizations are vulnerable to this attack and might ... READ MORE
Google Dorks
Google Dork: Finding the Information You Don’t Know Exists Reconnaissance Reconnaissance. It’s a technique not unknown to most teenagers, and if we’re honest, we’ve all done it ourselves too – Googling the person you just met at the bar, Facebook stalking the new person at work, we all know the drill. This is the age of social media and data breaches, so we all know there’s a ... READ MORE
King Phisher Release Version 1.15
King Phisher v1.15 is here! With this release you can now choose what columns are visible while viewing campaign messages, visits and credentials. Additionally, if you are having issues with King Phisher configuring its pipenv environment, you can now provide the --env-verbose flag on ./KingPhisher --env-install or ./KingPhisher --env-install. This will provide more ... READ MORE
King Phisher Release v1.14
It is time for the next release of King Phisher! Continuing down the path of making it easier to set your Web Server URL, the campaign editor now features an interactive URL builder component. This allows users to easily select the scheme, hostname and landing page as suggested by the server making it easier to select a proper URL. In addition, King Phisher now integrats ... READ MORE
King Phisher Release v1.13
With the version 1.13 release, we have added several goodies. First is a long requested feature! The ability to store MFA tokens submitted from a login page. Now you can grab username, password, and the MFA field . If you are using this feature as part of penetration test you will have to stay on top of the password submission field and use the data quickly as they often have a ... READ MORE
Email Controls: Implementing DKIM with Postfix
Previously on the War Room, we discussed some basic mail control implementations. Specifically, we looked at simple text records that can be posted to determine what is allowed to send on behalf on the domain. SPF records and DMARC records, when properly configured, can help reduce the chances of someone being able to spoof the domain in a phishing attack. So the next thing we ... READ MORE