
War Room

Shells From Above


Blog

Sophos UTM Home Edition 4 – Definitions and Rules

July 30, 2015 By Ken Smith

UPDATE: Part 5 - SSL VPN is now available. In the first and second posts in this series, we stepped through the installation of the Sophos UTM. Two weeks ago, we finished up the setup process. Now, we're going to start exploring the meat and potatoes of Sophos' free UTM solution. This week, I'm going to cover establishing definitions and ...

Metasploit Module of the Month – web_delivery

July 24, 2015 By RSM Author

In the second edition of this series we are going to take a look at an exploit module that doesn't get a lot of attention. I'll use "exploit" in the same context that Metasploit does, which means that upon successful completion of this module you get a shell. It doesn't mean that this module is some super 1337 browser exploit/sandbox escape 0day, which, I think, is partly ...

King Phisher 0.2.1 Released

July 15, 2015 By Spencer

Yesterday, RSM released the latest version of their King Phisher phishing campaign toolkit. This version adds some exciting new features with a focus on usability. The message editor received some nice improvements, including syntax highlighting. The editor window now uses the GtkSourceView project to provide a more user friendly environment for writing and modifying ...

How to Bypass SEP with Admin Access

July 13, 2015 By RSM Author

I realize that this post is an edge case, but I recently used this method to bypass SEP (Symantec Endpoint Protection) during a pen test, so for my reference and that one person who runs into a similar scenario I am writing this. A little bit of backstory: I was able to acquire a shared local administrator's credentials during a pen test. I was using them to gain access to ...

Sophos UTM Home Edition – 3 – The Setup

July 10, 2015 By Ken Smith

UPDATE: Part 4 – Definitions and Rules and Part 5 - SSL VPN are now available. It's been quite a while since I wrote the initial two Sophos UTM posts. I recently upgraded from a really old, re-purposed HP box to a slightly-less-old Dell Precision 670 courtesy of steiner, and I took the opportunity to document the setup process. This post assumes you have followed the ...

Decrypting SSL Traffic with Wireshark

July 10, 2015 By RSM Author

I recently was involved in responding to an incident, and one thing that was key to our investigation was decrypting SSL traffic. The attacker got a web shell on one of the servers and was mucking around with that. All of the traffic was over HTTPS, but we fortunately had the key. This allowed us to decrypt the traffic and view all of the commands issued. It was quite ...

CTF – Malware Analysis Walkthrough

July 2, 2015 By RSM Author

RSM hosted a capture the flag tournament for high school students at Mount Union back in April. This is the walkthrough for the forensics 400 CTF challenge. ("It should have been posted earlier, but it fell through the cracks." -patchwork). In my first walk-through I spent a lot of time talking about how I meant for the problem to be able to be solved without much prior ...

Pillage Exchange

June 29, 2015 By RSM Author

A while back I wrote a post detailing a technique for pillaging .pst files. A .pst is a "personal storage folder" created by Microsoft Outlook containing email messages, contacts, appointments, and other information, and may be stored locally or on a centralized server. The approach I detailed in that post involved dropping a small binary on the machine hosting the .pst ...

Find Sensitive Data with Bulk Extractor

June 29, 2015 By RSM Author

Bulk Extractor is a great tool for searching a file system for sensitive data. Bulk extractor ignores the file system and scans it linearly. This, in combination with parallel processing, makes the tool very fast. It will have an issue with fragmented files, but typically, files aren't fragmented. Follow the directions here for installation. Using BEViewer, the ...

Intro to IMINT

June 25, 2015 By RSM Author

*All images were obtained from Google maps and are to be used for educational reason only* I used to play Eye Spy all the time when I was younger. It made car rides go faster, gave me and my friends something to do while waiting in the ice cream line, and as I recently discovered, the game also provided me with a bit of career prep. Imagery Intelligence (IMINT) is ...
