My last blog was a primer for getting into scripting web templates using Jinja2. In this next blog (part two of an intended four part series) we'll get started by installing the necessary dependencies, setting up a directory, and starting to build our site. Installation Before we get started, it's important to note I'm running Ubuntu Gnome 15.04, so the majority of commands ... READ MORE
Blog
SMShing Like Clockwork
Phishing utilizing SMS messages or SMShing is an increasingly common technique used in European countries. Many users are very aware that they should not trust all incoming email messages and thus it might be desirable for a pentester to try and take a different approach. To meet this need, the King Phisher project now includes simple instructions on how to send SMS messages as ... READ MORE
Create an Encrypted Leave-Behind Device
Consider this scenario: You've breached the physical perimeter of the target organization. Once inside, you need to establish some means of remote network access, whether for yourself or your teammates waiting on the outside. In this example, this takes the form of a device you plug in to an unattended network jack within the target organization. Whether you call this ... READ MORE
Bypassing Common Physical Security Interior Controls
A few months ago, I wrote a post about some of the simple techniques we use to get around common perimeter security controls, and I realized today that I've gotten you onto the property and left you high and dry! So, I would like to remedy that today and discuss some of the more successful tactics we use in our day-to-day work to get around interior controls. As in the previous ... READ MORE
Building a Lab Network in ESXi
Every hacker I know is always looking for ways to practice and improve their skills. One of the things I feel that is in short supply, is access to realistic networks to actually break into. Even here on this blog, we have a lot of posts about systems you can create to subsequently hack. In the real world, though, you will need more skills than running (or even creating an ... READ MORE
Scripting RDP for Pillaging and Potato
Previous posts on the WarRoom have addressed expediting the use of remote desktop to facilitate pillaging. This post explores scripting commands through an RDP client to serve that same purpose. The end result is one-liner that will log in to a remote system, attach a local directory, execute a script, and save the output to that same local directory, provided the attacker has ... READ MORE
BMP / x86 Polyglot
It's often desirable for an attacker to cover their tracks and hide their actions. This is often accomplished by randomization of any combination of bytes and strings, order of contact or time delays. While this can be effective in certain scenarios, a trained eye will still be suspicious of anomalous data traveling across their network. Take as a prime example the recent trend ... READ MORE
Beer:30 – Physical Security Assessment
Our very own patchwork talks about conducting a Physical Security Assessment for RSM's Beer:30 web series. ... READ MORE
WarRoom Revisited
Last year, one of our visions became a reality with the roll our of our technical blog, the War Room. Our original intent was to creat a space where any of us could write about topics we were learning or that others might find beneficial. It was a little bit of a learning experience at first, but we were able to publish our first post in September, 2014. What we didn't ... READ MORE
Becoming a Master Template Creator with Jinja2: Introduction
In my previous line of work, I made a living as a web developer. My time was spent building websites in content management systems, customizing the front end for clients and ensuring the back-end was usable and worked as intended. Today, I mostly tap my front-end developer experiences for building websites for use in social engineering campaigns. As we don't use content ... READ MORE