Data URI Phishing with King Phisher
One of the newest techniques being blogged about in the security world is phishing through the data URI. Thanks to a viral Twitter post, many sites like Wordfence have published specific advisories to warn users about this type of attack. What makes this technique so effective is the ability to create a convincing address in the address bar. ... READ MORE
Research
I’ve Got 1.2 Million Keys But A Private Ain’t One
GitHub has grown in popularity over the past few years as one of the de facto standard locations to share and collaborate on open source projects. Accounts on GitHub are encouraged to use key-based authentication, and to that end, users upload a public key to allow them to authenticate to their accounts while making changes to code. This summer I crawled, collected, and ... READ MORE
An Analysis of MS16-098 / ZDI-16-453
This past patch Tuesday, Microsoft released MS16-098, a patch for multiple vulnerabilities in "Kernel-Mode Drivers". Within this patch, the vulnerability identified as CVE-2016-3308 and ZDI-16-453 was addressed. This post is an analysis of this vulnerability and how it could potentially be leveraged by an attacker in the form of a Local Privilege Escalation (LPE) ... READ MORE
Bypassing Gmail’s Malicious Macro Signatures
Malicious macros in Excel spreadsheets are one of the most common methods of delivery in phishing attacks. If the premise is enticing enough, an unsuspecting user may download the document and enable macros which could result in arbitrary code being run on their system. In order to simulate a phishing campaign from an attacker, we at RSM will typically utilize the macro ... READ MORE
War Room Talks @ B-Sides Cleveland 2016
Video credit: Adrian Crenshaw, @irongeek_adc
- Process Ventriloquism with ZeroSteiner
- A Rookie PoV
- The Hollywood Fallacy with H3llcat
... READ MORE
SMShing Like Clockwork
Phishing utilizing SMS messages, or SMShing, is an increasingly common technique used in European countries. Many users are very aware that they should not trust all incoming email messages, and thus it might be desirable for a pentester to try a different approach. To meet this need, the King Phisher project now includes simple instructions on how to send SMS messages as ... READ MORE
BMP / x86 Polyglot
It's often desirable for an attacker to cover their tracks and hide their actions. This is often accomplished by randomization of any combination of bytes and strings, order of contact or time delays. While this can be effective in certain scenarios, a trained eye will still be suspicious of anomalous data traveling across their network. Take as a prime example the recent trend ... READ MORE
Organizing the Bad News – Auditing Passwords with Python
From time to time we find ourselves conducting a password audit for a client. While not terribly exciting from an attacker's point of view, it is a necessary check to perform and can provide valuable output if the client is capable of acting on it. Many organizations also perform similar assessments internally. Typically the process looks something like this: 1. Obtain ... READ MORE
Crontab One Time Payload Execution
Recently, I was writing an exploit for a vulnerability that I had discovered in a Linux-based server application. The flaw, when successfully exploited, allowed a file to be written anywhere on the file system with the permissions of the user running the server. In the case of the application I was targeting, it was often executed as root in order to bind to a privileged port ... READ MORE
Spawning Meterpreter Over Bluetooth
The last post on Shells with Spencer presented code to spawn a shell with a full PTY over a Bluetooth RFCOMM socket for extended post-exploitation access. This post will present an additional technique, this time for spawning a Metasploit Meterpreter session between two hosts using a Bluetooth RFCOMM socket. Specifically, in this Proof-of-Concept, a Meterpreter session will be ... READ MORE