The last post on Shells with Spencer presented code to spawn a shell with a full PTY with a Bluetooth RFCOMM socket for extended post exploitation access. This post will present an additional technique, this time for spawning a Metasploit Meterpreter session between two hosts using a Bluetooth RFCOMM socket. Specifically, in this Proof-of-Concept, a Meterpreter session will be ... READ MORE
Blog
Spawning Shells Over Bluetooth
Lately, unique remote access techniques have become more commonly discussed. Most are payloads that beacon over some protocol using space within it that might be re-used for nefarious purposes (think HTTP). Some others are ones that use more obscure protocols that may not rely on TCP/IP at all. These have the added advantage of being able to communication more quickly than some ... READ MORE
No RDP, No Problem!
The Setup I conducted some phishing for a pentest this past week. My ulterior motive was to have an opportunity to familiarize myself with Empire, so I decided to go with a pretext which would allow me to use the macro stager and a malicious Excel sheet attachment to drop agents onto victim boxes. After some initial hiccups, a handful of (elevated!) agents started calling ... READ MORE
Building a Vulnerable Box – HFS Revisted
A few months ago, in the Building a Vulnerable Box series, I wrote a walkthrough for putting together and compromising a Rejetto HFS server. The post had originally been intended for my security students at the time, but, to my surprise, it's become one of the War Room's most consistently visited write-ups. Just last week, a similar exploit was posted to the Exploit-DB by Naser ... READ MORE
Empire: An Elegant Weapon for a More Civilized Age
Empire, developed by @harmj0y, @sixdub, and @enigma0x3, debuted earlier this month at BSides Las Vegas. In the words of the developers, "Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all ... READ MORE
I Like Syscalls (And I Cannot Lie)
So with the release of Windows 10 I (like many before me) decided to look into what new syscalls have been added. Syscalls are the means by which code running in the context of a user can request the functionality provided by the kernel be executed. This includes many basic operations such as opening and reading from files. Collecting this information will allow us to identify ... READ MORE
Kali 2.0: Fresh Look, Easy Updates, and Post Install Tips
Kali 2.0 was released last week which means that we get to spend some time sifting through Offensive Security's latest release looking at all the new tools and tricks. Offensive Security promised us a better, more powerful penetration testing platform, and my preliminary look at 2.0 shows that they delivered. The Look Kali 2.0 switched over to the GNOME3 interface which ... READ MORE
Retrieving Credentials from Configuration Files
“Security is not convenient.” Though blunt, this phrase neatly captures the fundamental conflict between typical users and information security personnel. Typical users want their workstations and networks to be configured for speed, accessibility, and convenience, whereas security professionals prioritize tight access control and monitoring. If you believe that security is ... READ MORE
Sophos UTM Home Edition 5 – SSL VPN
The topic of today's post is setting up an SSL VPN through the Sophos UTM Home Edition. The ease-of-use VPN solution was one of my primary reasons for pursuing this particular UTM in the first place, and so I think it's a topic definitely worth exploring. There are a variety of VPN options within the UTM. I'll only be covering the SSL option here. If you are looking to set up a ... READ MORE
Injecting Python Code Into Native Processes
There is quite a bit of material publicly available on DLL injection, the different techniques and how it works. Often times it's helpful for a researcher to be able to execute code within the context of a specific process, and DLL injection is an ideal way to accomplish this. By injecting a DLL into another process, that process can be "infected" allowing the injected DLL to ... READ MORE