Dear new followers,
- For solid red team technical tweets, follow my Red Signal list.
- For a curated list of latest hacker news, bookmark and read this:
- To be thought-lead, follow @HackingLZ
- Keep following me only for the sublime trolls. 😁
This was my first IT job and a skill that continues to serve me to this day. Many great careers have started with similar menial tasks. If you want to “get into IT” but don’t know where to begin, this skill right here will serve you well.
I'm addicted to even the smallest methodology improvements. Grep out a list of IPs from unstructured data with this alias.
alias grepip='grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"'
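The same extraction in Python, added here as an example (not the author's alias): the regex stays a fast candidate filter, but every hit is re-checked with the ipaddress module (the pattern also matches strings like 300.1.1.1) and the survivors are split by scope. The sample log text is constructed.

```python
import ipaddress
import re

# Same pattern as the grepip alias: four dot-separated groups of 1-3 digits.
# It is a quick candidate filter, not a validator. "300.1.1.1" matches it too,
# so every hit is re-checked with the ipaddress module before it is trusted.
IPV4_CANDIDATE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")


def extract_ipv4(text):
    """Return (valid, rejected): unique syntactically valid IPv4 strings in
    first-seen order, plus the regex hits that are not real addresses."""
    valid, rejected, seen = [], [], set()
    for hit in IPV4_CANDIDATE.findall(text):
        if hit in seen:
            continue
        seen.add(hit)
        try:
            ipaddress.IPv4Address(hit)
        except ValueError:          # an octet above 255
            rejected.append(hit)
            continue
        valid.append(hit)
    return valid, rejected


def split_by_scope(addresses):
    """Separate globally routable addresses from RFC 1918 / loopback /
    link-local / documentation ranges, the usual next triage step."""
    public, internal = [], []
    for a in addresses:
        (public if ipaddress.IPv4Address(a).is_global else internal).append(a)
    return public, internal


# Constructed sample of "unstructured data": a proxy log line, a free-text note
# and a line with a duplicate and an invalid octet.
SAMPLE = """2023-11-02 10:14:55 allow 10.0.3.17 -> 1.2.3.4:443 GET /login
contact host 192.168.1.250 (also reachable at 10.0.3.17)
bad token 300.1.1.1 should be rejected, 1.2.3.4 repeats"""

if __name__ == "__main__":
    good, bad = extract_ipv4(SAMPLE)
    print("valid:", good, "rejected:", bad)
    print("public/internal:", split_by_scope(good))
```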
Red Team: Do you know what data your offensive operations are leaking via TLS negotiations? Neither did I until a friend showed me. Blue Team: Good blocking & detection potential. Worth your interest!
Start here:
Thanks @haroldogden!
TIL about the paste command. Where have you been my whole life?? *nix is an endless well of amazing text manipulation commands.
(inb4 yall 1up me with sed/awk craziness)
Your nmap http scripts returning nothing? Might be because there's a block on nmap's default user agent. Either correct by modifying http.lua or use a script arg.
Here's my nmap alias:
New version of nmap (7.60) includes the smb-protocols nse script which gives you definitive answers on smb version support. Combine with smb-security-mode to get a nice picture of your targets' SMB posture.
#pentest
My new favorite nmap script: krb5-enum-users.nse.
Brute force Active Directory usernames using Kerberos & a userid list!
Read about it here:
#Pentesting
Some of the people I admire most in #infosec:
- Rarely talk about themselves
- Love to share their knowledge
- Are competitive
- Freely admit when wrong
- Happily welcome newcomers
- Are perpetual students
- Give all the credit away
Got a shell on a git(lab) server? Enum all the source code objects in a .git folder & look for passwords:
for i in $(git ls-tree -r master | cut -d " " -f 3 | cut -f 1); do echo -e "${i}"; git cat-file -p ${i} | grep -i password; done
A few @DakotaCon students asked me about building an AD lab. Good resources here:
Also, for creating realistic AD users, my own meager mods to ADImporter here:
Good luck!
Carbon Black Response API python script for discovering malicious PowerShell events that have a crossproc with lsass.exe (i.e. Mimikatz). Tailor made for loading into your SIEM. Also works on Windows 10 bash. Enjoy! =) 💙
Mad respect for blue teams willing to share their detections with us prior to the start of the engagement.
This is a genuine sign of wanting to improve and how real change happens.
This is how partnerships are built.
This is the transparency Gotham needs.
Welcome to my 2023 Irreverent Red Team TTP Wrap Up (Trends, Trolls, Predictions)
It's likely some of these will ruffle feathers, but hackers break things right? 😁
🧵👇
Never fails, I will always have to Google:
- ln -s order
- openssl syntax
- “awk delimiter”
- iptables syntax
- How to spell reconisance
- “bash replace comma with newline”
No need to give me the answers, I’ll just forget.
Hey infosec peeps, what are the "dangerous ideas" you believe but don't say out loud much?
One of mine: breach victims are often partly responsible for being breached.
Another: there aren't enough skilled folks in this biz. We need to be doing more to fix this.
As a red teamer, I'm not afraid of the blue team who fights back and tries to scope me into a corner. DA will be found. I'm afraid of the blue team who jokes around in email, throws the scope wide open, and calmly knows they will detect just about everything effortlessly.
The most frustrating thing I hear on debrief calls:
"So, you're saying if we had just blocked X, then you never would have gotten this far, correct?"
I get it, but the answer is always "no".
Better question: "Had we blocked this, what would you have done next?"
No. I disagreed with his comments also, but he wasn't speaking on behalf of Blackhat, but as an individual. You are promoting a culture that uses the weight of corporate money to punish individual freedom of speech. Disagree with him publicly if you like, but this isn't the way.
If you feel "stuck" with twitter for infosec reasons, here are some great offsec content aggregators to help you take a nice long break from this platform while not missing out.
Handy! Just learned AWS EC2 instances have metadata that can be queried via HTTP GET requests. Example: get the public IP of your EC2 instance by running the following command on that instance:
curl http://169.254.169.254/latest/meta-data/public-ipv4
Initial recon steps from Conti CS manual. Literally the first commands in the manual. This should bring comfort to any org that has prioritized pentesting/detection engineering to any degree.
Getting DA is fun, but the transfer of knowledge to an eager blue team is without question the most rewarding part of the job. If you don't finish your red teams with demos & conversations apart from report delivery, you're missing out (and so are they). Blue teams: ask for this!
To those orgs who have deployed long password policies (14+ chars), I applaud you. Seriously, well done.
Your next challenge, implement a password filter to stop things like:
Welcome1Welcome1
P@ssw0rdP@ssw0rd
Company2020!Company2020!
You can do it. I believe in you.
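A password filter of the kind the tweet asks for, added here as an example in Python (not the author's code): it rejects a chunk repeated to pad out the length, undoes common leetspeak before comparing against a block list, and assumes the constructed block list and the 14-character minimum mentioned above.

```python
import re

# Leetspeak substitutions that cracking rules undo; the filter undoes them too
# before comparing against the block list (assumed mapping, extend as needed).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed block list; a real one carries the org name, products, locations
# and the usual bases (password, welcome, summer, ...).
BLOCKED_BASES = {"password", "welcome", "company", "qwerty", "letmein"}


def normalize(pw):
    """Lower-case, undo leetspeak, then keep letters only, so 'Company2020!'
    and 'C0mp4ny' both reduce to something containing 'company'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def is_repeated(pw):
    """True if the password is one chunk repeated, e.g. Welcome1Welcome1."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return True
    return False


def check_password(pw, min_length=14):
    """Return the reasons the password should be rejected (empty list = ok)."""
    reasons = []
    if len(pw) < min_length:
        reasons.append("shorter than minimum length")
    if is_repeated(pw):
        reasons.append("repeated chunk")
    norm = normalize(pw)
    for base in sorted(BLOCKED_BASES):
        if base in norm:
            reasons.append(f"contains blocked base word '{base}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("Welcome1Welcome1", "P@ssw0rdP@ssw0rd",
                      "Company2020!Company2020!", "blue tractor sings at dawn"):
        print(candidate, "->", check_password(candidate) or "accepted")
```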
Seems like Defender isn't a big fan of the stock Cobalt Strike C# payload. I know you're not supposed to, but I rolled my own crypto to work around. Feeling pretty 1337....
I enjoy giving and watching presentations, and I pay close attention to the attributes of the ones I think are really good talks.
My personal acronym for what makes a great technical talk is SPEED. If you want to improve your presentation game, this is for you.
🧵
Defenders: are you monitoring who is doing SELECT *'s on tables containing PII? If you're not you should be. Would you know what to do if you saw a query out of the ordinary? Would you even recognize a query that is out of the ordinary?
#FoodForThought
😈
TIL You can set a list of local forwards in your SSH config file using the LocalForward directive (RemoteForward too). No more ssh -L for common forwards.
H/T to this incredible article on using SSH in amazing ways:
Written for setting up pentest dropboxes, this fantastic blog series helped me step-by-step set up a VPN tunnel across a cloud VPS back to my #homelab. Great work by @CaseyCammilleri & @SprocketSec!
Just discovered Bloodhound-Owned script. It receives a list of objects, marks them as owned in BH, then shows you reachable target paths based on those owned objects. Great tool & still works with latest BH.
New tool: rubeus2ccache
Generates ccache files directly from Rubeus dump output.
Major thanks to @_dirkjan for basically writing anything hard.
Merry Christmas Red Team! 🎄
Tip from the red team: If you give example passwords in your password policy (e.g. "Choose a pass phrase like 'Peanut butter cup'"), be sure to add that password/phrase to your block list. 😁
I've lost track of the number of times I've included this article as a finding reference in a pentest report (thanks @Lee_Holmes!). If your org is still on PowerShell v2, *please please* read this and convince the powers-that-be to upgrade!
Super happy to introduce redirect_rules.py - the next iteration of the AV htaccess block gist that expands on it as well as mkhtaccess_red to dynamically generate a dedup'd rules list. Fantastic work from @0xZDH and @mdfarhan06! 🔥
Finally got around to weaponizing some of the awesome research I've only just read about regarding group policy. Full attack path write-up coming soon. 😁
Fun #BlackHat story: Student working through a COM hijack challenge on our VM that's running the trial version of Win7. He found a hijack during the boot process on slui.exe and disabled all prompts to activate Windows. 🏴☠️🤘😈
Really been enjoying the streams put out by some awesome offsec researchers. It's like free class. Pay attention when these guys go online.
(Send me others I'm missing please)
Interested in red team operations using almost all internal tooling against some of the hardest companies in the world? Love coding on the fly? TrustedSec Targeted Operations may be for you. Shoot me a DM.
Would there be any interest in a twitch/YT series that's geared towards developing Python based infosec tools specifically with a terminal/vim focus? Feel free to tell me if this is a bad or redundant idea. Nano users would be welcome to watch and see what they are missing. xD
Do you wish you had a step by step guide and #GitHub resources to deploy infrastructure automation across a #RedTeam infrastructure? @curi0usJack thought you might. His latest #blog "Automating a RedELK Deployment Using Ansible", is a must-use resource❗
Years ago when I was just getting started in my career, I asked my Dad, a successful manager, for advice. He gave me two words that shaped my entire work ethic and put me on the path to success, and I now give them to you.
Be trainable.
Have had a few ask me about using my Derbycon 9 infosec maturity slides. Yes, you can get them here: .
They were from a talk I gave with @contra_blueteam at DerbyCon 8 (here: ).
Please simply credit our twitter handles. Thanks!
I love coming across those small, but extremely helpful improvements to my workflow.
From a terminal in OS X, you can open a Finder window to your current location by typing
open .
Loving the DLLExport project. Lets you create a managed DLL that easily exposes methods to COM for calling via something like rundll32.exe. Super useful!
New stealthy lateral movement technique looks incredible (existing socket hijacking). Definitely something to keep eyes on when released. The PDF paper is extremely impressive and worth the read.
"#ShadowMove: a Stealthy Lateral Movement Strategy" is now available to read
Read if interested to see a new practical lateral movement
Demo (TDS (MS SQL) & FTP):
Prototype will be released soon
@MITREattack @USENIXSecurity
After seeing this word undefined yet continually overused in breach reports for years, I now simply believe that the reported degree of a threat actor's "sophistication" is directly proportional to the amount of face the breached company is looking to save.
Use nmap's weblogic-t3-info.nse script to target Weblogic's T3 protocol and pull back the version number. Super helpful when scanning for recent Weblogic RCE vulns (cve 2725).
Hats off to the @FireEye FLARE team for putting together a great RE package in flare-vm. I know next to nothing about RE, but am enjoying the journey. Flare VM has made things way easier for us n00bs. Even details like the context menus are seen to. Bravo!
On the TrustedSec discord channel, someone asked how do I move from pentesting to red teaming? @jarsnah12 gave the best and most succinct answer to that question I think I've ever read. I know everyone charts their own path, but this is all around good advice. ❤️💙💜
Defenders: Guard your FIM sync accounts just like you would a DA. If I get a FIM account hash, I can dcsync anything I want. Many thanks to @PyroTek3 for documenting this:
To be counted with the @TrustedSec Targeted Operations team is truly an honor. You guys are among the finest in the industry and it's my pleasure to also call you my friends. Long may your shells be fruitful and multiply.
Here's to you. 🍻
Doing a pentesting class with a client and I was asked *the* question:
"I see all these tools with ascii art - where do I go to generate that?"
/me awards 10 hacker points.. 👏
Nearly every offensive assessment I've performed has a very specific "try harder" moment that separates success from failure. If you can maintain your curiosity and push through it, the goal is usually right on the other side.
I'm giving a talk at a cybersecurity con in 3 weeks. It's at a college with a large student audience. I am *the worst* at coming up with talk ideas, so I'm using a lifeline.
If you were an infosec student at a college, what kind of talk would you be interested in seeing?
To all the good dads out there pouring themselves into their kids' lives, I trust this one will hit you like it hit me. Keep leading your children & families like only you can.
Proud to have my Advanced Attack Infrastructure course accepted at #DerbyCon 9! If red team infrastructure & automation is your interest, I hope to see you there! 😊❤️💜💙
If you're just getting into Ansible, a handy parameter to remember is --step. Allows you to skip individual tasks in your playbook for more granular testing.
Helpful chart regarding the difference between #nmap's timing profiles. Note the incredible difference between T0 & T3 in terms of speed (scan_delay) & parallelization!
Taken from here: . Still accurate based on current nmap docs.
Me to class: What was the best part of training this week?
Everyone: Watching you get something wrong and try to troubleshoot and work your way through it.
The Lesson: Don't be afraid to let the class see you fail! They benefit significantly from watching your methodology. ❤️