High Output Management

High Output Management by Andy Grove is the best management book I’ve read. It is also the only one, but I don’t think that matters; it’s a classic for a reason. Written before I was born, the advice is timeless even if some of the terms aren’t. I had to look up what a “tickler” file was (a low tech reminder system). Your job as a manager starts to make more sense if you change your thinking to consider how you and your team can be leveraged, i.

Adobe Acrobat Command Injection (CVE-2021-28634)

During a recent red team engagement I was looking into options for VB macro execution on MacOS. The enterprise system I was investigating had Adobe Acrobat installed along with Microsoft Office integrations basically adding an Adobe tab to Word and Excel to convert documents to PDF. On a whim, I decided to take a look at how this might be working, and started poking around the file system. Turns out Adobe installs an AppleScript file to ~/Library/Application Scripts/com.

Getting Started With Golang Windows APIs

This post covers some notes on writing a small Go program to getsystem using named pipe impersonation. If calling Windows APIs from Golang is relatively new to you, this Breaking All the Rules: Using Go to Call Windows API is basically required reading. This how to is a good intro as well. I also appreciate ropnop’s blog on Hosting CLR in GoLang both for its technical info and his willingness to show his learning progression.

A Sublime Office Sandbox Bypass

If an unwitting user runs a malicious macro-enabled document on a macOS system that has Sublime Text installed, an attacker can seamlessly escape the Office sandbox. In effect: The MS Office sandbox allows writing files to arbitrary locations as long as they begin with ~$, with some exceptions. The Sublime Text editor automatically loads (outside the sandbox) Python plugins from a user writable file path. After reading Patrick Wardle’s Office Drama on macOS which outlined a persistence method leveraging a sandbox escape discovered by Adam Chester (see Escaping the Microsoft Office Sandbox), I did some rudimentary experimenting.

Go Decrypt Jenkins

Over the past few years I’ve run into vulnerable Jenkins backups with anywhere from half a dozen to several hundred encrypted passwords, secrets, and keys to critical infrastructure. While there are a multitude of tools out there none of them behaved quite like I wanted, so I wrote my own and learned some Golang in the process. The tool isn’t groundbreaking but it does do something I haven’t seen available elsewhere, and that is the ability to decrypt files encrypted with Jenkins’ SecretBytes implementation offline - not using the Groovy console.

How to Write a Hashcat Module

There’s not a lot written about creating new Hashcat modules. This is a brief tour of how I went about adding a new module and something I wish I had available a week ago. Hopefully after reading this you have a better understanding of how the pieces work and will enable you to more easily add new Hashcat modules. For what it’s worth, this is written from the perspective of someone who can barely read C.

How to Use the Shodan API at Scale

This is a quick post mostly for refreshing my memory in the future. I recently wanted to download the data Shodan had on a large corporate IP space with disparate ranges and several hundred thousand IP addresses for post processing. As far as I can tell the Shodan help docs are scattered across too many pages and domains and subdomains. There are a few guides out there on the basics of Shodan CLI and API but I didn’t see anything that documented things at a slightly larger scale so here are a few quick notes on gathering this data.

Brute Forcing 389-ds PBKDF2 Passwords

Several times now I’ve run across password hashes created by 389-ds, RedHat’s open source LDAP Directory Server solution. During a past red team operation I discovered a backup LDIF file which included hashed user passwords (think NTDS.dit but not as catastrophic). A number of the hashes were prepended with PBKDF2_SHA256. While hashcat and john the ripper have support for most algorithms, they are at the moment lacking support for 389-ds’s PBKDF2_SHA256 implementation.

Empire Python Implant on Windows

A while back I was playing around with Empire (before it was shuttered, RIP) and bypassing a certain antivirus software. There were decent signatures for the basic powershell usage, but knowing Python was installed on the target Windows endpoints, I tried to run the Empire Python payload on Windows. It didn’t work. Turns out, it’s trivial to get things working again. If you generate a basic Python stager with stock Empire, we see an initial checkin to the server

Monkeying Around: Patching the boto3 User-Agent

I was recently doing some testing in AWS with some “obtained” access keys. Part of this engagement was to identify some threshold at which the blue team was noticing and engaging with suspicious activity and as such we were running some automated tooling. In AWS this can mean bruteforcing services and creating quite a bit of logs. After not so long we got a request asking if we were up to anything - success!

Decrypting Jenkins 2 Credentials

I like Jenkins. It’s a good orchestration tool and provides remote code execution as a service. If your user permissions give you access to the script console /script it’s trivial to obtain a shell. The developers explicitly call this out in their documentation as well so it’s a feature, not a bug. Of course if you can create a job you can run shell commands as well, but I’ll leave that for another time.

Using subTee's katz to Reflectively Load an exe

I haven’t seen this specifically outlined anywhere so I figured I’d write a short post to go over using subTee’s Katz2.0 program to create a custom binary that loads mimikatz (or whatever executable you’d like) into memory. Casey Smith (subTee) and company have created some incredible tools that have made my life easier, so hats off to them. Reflective Injection: The following steps will create a custom binary with an encrypted and encoded mimikatz binary string which will load mimikatz into memory through reflective PE injection.

Informacast Singlewire Insecure JMX Config to RCE

I recently came across a good reminder to double check listening ephemeral ports. The organization in question was using the Informacast Singlewire Desktop Notifier v2.0 application. It allows organizations “to display a pop-up window on top of other running applications to inform users of important information” or to send desktop alerts to users in geographic regions. After some enumeration, it looked like it was exposing a JMX Remote management port on, we’ll say, port 42424.

The OSCE | Cracking the Perimeter Review

I recently took the CTP course by Offensive Security and passed the OSCE exam. Now there are a few dozen reviews on this thing, but I’ll add my own take here anyway. Pre Course: You can’t just register for the CTP - you need to solve a small challenge first: http://fc4.me/. When I initially thought about taking this course, part of this challenge was beyond me. But to quote g0tmi1k:

Search Shodan and Censys With Shocens

Recon is close to step one in any pentest. When it comes to passively pulling data on infrastructure assets you have a number of options. ARIN can help identify an organization’s registered net blocks, but that’s only part of the picture. With many organizations based in or using cloud services, those assets won’t necessarily be registered to your target. And when AWS for example can tie directly into a datacenter, these servers become quite valuable.

Persistent C2 with dnscat2

Occasionally an environment has strict outbound rules with all traffic going through an authenticated proxy. This hampers exfiltration, especially if you don’t currently have valid credentials but need a foothold into an environment without phishing for instance. If we can find a live network jack in some accessible place and the switch hands out an IP address via DHCP along with DNS servers, we can more than likely obtain a foothold into the network.

OpenDNS's AppSec Training Lab

I came across OpenDNS Security Ninjas AppSec Training Lab not too long ago and found its simplicity rather enjoyable. It’s a simple web app written in PHP which illustrates each of the OWASP Top 10 categories. As I was going through the exercises I found myself checking to see how the vulnerable code was written and how the issues could be remediated. Since the lab is geared towards beginners, I thought it might be helpful to provide brief explanations along with links to the relevant lines of source code.

The OSCP | Penetration Testing With Kali Linux

I’ve spent the last few months working through the Penetration Testing with Kali Linux course by Offensive Security which has been an awesome learning experience. Much has been said on this course and I’ll only briefly go over my experience and takeaways. The following reviews were helpful in making the decision to take the course: Review by g0tmi1k; Review by recrudesce; Review from Buffered.io; Review from IODigitalSec; Review from SecuritySift. For a little preview of what's involved, check out the free [Metasploit Unleashed](http://www.

Building a Web App in Rails

A brilliant software engineering friend and I were recently discussing with another mutual friend the inefficiencies of employees filling out paper forms after completion of a construction job and the inefficiencies of transferring said forms to excel and so on. Said friend and I figured we could probably fix this with a web app for a nominal fee, but which would greatly increase our mutual friends’ productivity. A win win situation if there ever was one.

Renewing your StartCom SSL Cert

Since I’ve forgotten how to do this over the past year, here are the directions for posterity. StartCom sends you a reminder after 50 weeks and opens a window for a renewal. Log in and validate your email and domain using the Validation Wizard. Note, you need to ensure your email is going to forward properly. Generate a key and CSR on the server with the following two commands: openssl genrsa -out .

Just the Basics

Things have been busy lately, but I’ve been doing some reading, learning, and playing around in a small VM lab, and thought to briefly document what I’ve done. There is unfortunately nothing groundbreaking here, and nothing too interesting beyond a demonstration.

BSidesDC Badge

I recently attended my first security conference: BSidesDC. This isn’t a write up of that experience, although it was quite interesting and I learned a lot via some great sessions. One talk I really enjoyed by @grecs was Malware Analysis 101. Very well presented with lots of great getting started material. Anyways, the badges. Pretty cool badges; bottle openers in fact, with fourteen binary bytes all with leading zeroes around the circumference: ascii encoded binary.

Security Onion Network Configuration and Install

With apologies to The Onion. I’ve played around with Security Onion in the past, but have never set up my network to capture or monitor traffic. And while installing Security Onion in a VM and looking at only local or inter-VM traffic is quite interesting, especially if a person is playing around with Metasploit or something, I wanted to see all network traffic, including my other devices. I also had a laptop lying around, not being frequently used; perfect for dedicated monitoring.

Kippo on the Raspberry Pi

I recently bought a Raspberry Pi and installed Arch Linux ARM on it. I came across a rather amusing blog post of someone using the honeypot Kippo and thought what fun. See here to watch elite hackers and their mad skillz. That’s the great thing about Kippo - it records user sessions for playback. Anyways, this post basically walks through what I did to get Kippo and kippo-graph up and running on my RPi.

Career README.txt

I read this article by Patrick McKenzie a while back, came across it again, and decided it’s worth reading weekly. I’ve pulled out some of his bolded points. But seriously, read the article in its entirety. Again. And again. Don’t Call Yourself a Programmer, And Other Career Advice: Modesty is not a career enhancing character trait; Network. In person; Learn how to negotiate; Get good at Enterprise Sales; Most jobs are never available publicly

Rob Fuller on Getting a Job in InfoSec

I was fortunate enough to get a good job in IT right out of college. Not in InfoSec, but in telecom, and in specific, service delivery. I’m learning an incredible amount - from enterprise telephony environment to working in a highly complex work environment to leading delivery on new intent projects. But it’s not InfoSec. In my search for ways to break into InfoSec, I’ve come across numerous posts, advice, and tips to do just that.

On the Dumbest Ideas in Computer Security

The other day I came across an article by Marcus J Ranum on the six dumbest ideas in computer security which were very simple yet struck me as profound. I’ll summarize them here for future reference. Default Permit: Back when computer networks were still in their infancy, there were few avenues for attack. With those avenues turned off, all else was allowed. Hence “default permit.” Another area is code execution: anything clicked is permitted to run, unless stopped by antivirus or the like.

Breaking into Security

This blogging thing is harder than it seems - the what to write, the time to write. I came across another interesting blog post from Krebs on Security, who interviewed Thomas Ptacek, founder of Matasano Security, on how to get into the field of computer security. As this is precisely my intent, I gave it a quick read through and thought to post a to-do for myself. Learn how to program.

My Random Ramblings

Here, shall I attempt to document some random doings related to computers, security, linuxstuff, windowsstuff, and most likely miscellany. Apparently typing all this out helps the mind become better at communicating, and who doesn’t want that? So whether you or another read these ramblings, or I myself re-read them later on in my ever so awe-inspiring, galvanic, exhilarating life, let this be a place for learning and perusing.

About

Noah is an offensive security engineer with experience red teaming at several Fortune 500 companies in software and financial industries. With varied experience leading and managing operations including social engineering and covert physical entry into office buildings to stealthily gaining access to high value financial systems, to troubleshooting corporate networks, to securing web and mobile applications, Noah has a strong track record of applying creative thinking and determination to solve challenging technical problems.