Previously on the War Room, we discussed some basic mail control implementations. Specifically, we looked at simple text records that can be posted to determine what is allowed to send on behalf on the domain. SPF records and DMARC records, when properly configured, can help reduce the chances of someone being able to spoof the domain in a phishing attack. So the next thing we ... READ MORE
Spam Filter Evasion With King Phisher
It's no secret that phishing is the top attack vector when it comes to external compromise. So when it comes to penetration testing this is a vector that we can not ignore. However, as consultants, we are interacting with different clients and environments almost every week. Much like endpoint protection, there are a multitude of different spam filters and protection controls ... READ MORE
The Basics: SPF and DMARC Records
It is no secret that one of the major attack vectors is phishing. While some of the success of this is due to a lack of user education and awareness, the other side of the coin are missing basic controls. There is no shortage of enterprise level phishing controls out there, Mimecast and Proofpoint for example. However, these are not silver bullets when it comes to protecting ... READ MORE
Fire and Forget: Meterpreter Automation
Throughout the past year I have been conducting routine phishing assessments for a client. For their final test of the year, our point of contact wanted something consequential for those who fell for this phish... Something 'kinetic' if you will. They requested a 'Blue Screen of Death' approach, to which I ultimately opted for a less potentially destructive method. I would send ... READ MORE
All In One OSINT
If we've said it once, we've said it a thousand times: OSINT is an attacker's best friend. There are a plethora of tools out there that we use everyday as pentesters to accomplish our tasks. For those of you starting out in the field, or are hobbyists, you probably have virtual machine with Kali Linux installed. Kali is a great pentesting tool, the best part about it is it ... READ MORE
Do it Live! – Social Engineering Training
Social engineering one of the most utilized attack vectors used in real world breaches. These come in the form of phishing, vishing, device drops, and even in person. A lot of research and prep-time comes into play with social engineering as we have to know the target, the objective, the environment, and most importantly ourselves. Prior to security, I performed in theatre for ... READ MORE
Building a Convincing USB Drop
One of my favorite attack vectors is the USB drop. At RSM, our two go-to drops are the Rubber Ducky and backdoored executable files on a normal USB flash drive. We will typically load a Ducky with an Empire script which executes a PowerShell one-liner when plugged into a victim machine. The executable-loaded drives require the victim to mount and open the USB drive and then ... READ MORE
Download Now: Malicious Android Apps
In the modern world, almost every one of us has a mobile device in our pockets. Whether through Android, iOS, or even Windows, we have something that directly connects our lives to the internet. From texting to banking, smart phones can do it all. For better or worse, this means they are ripe for the picking in terms of an attack vector. Also according to the global market ... READ MORE
Intro to OSINT
*All images in this post were found using publicly available sources and should be used for educational purposes only One of the best things in the IT community is Open Source Software. Open source software is something where the a company develops a piece of software and then makes the source code publicly available, allowing anyone to look and manipulate the code. This has ... READ MORE