Retrieving Data from Thunderbird and Firefox

Reading data from Mozilla products such as Thunderbird and Firefox has never been much of a challenge during engagements. Like many Windows applications, they both use SQLite databases to store their information, and unlike some comparable products such as Google Chrome, which encrypts its sensitive columns (saved passwords, cookie values) with DPAPI on Windows, these databases aren’t encrypted and can easily be read once they’ve been exfiltrated from…
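As an added example (not code from the original post), the snippet below shows the practical shape of reading one of these profile databases: copy the file out first, because a running browser holds a lock on it, and query it with the stock sqlite3 module. The places.sqlite stand-in it builds is constructed inline with only the moz_places columns the query needs, and every row in it is made up; the column names and the microsecond PRTime timestamp format are Firefox's real ones.

```python
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone


def build_sample_places_db(path):
    """Constructed stand-in for a Firefox profile's places.sqlite.

    Assumption: only the moz_places columns used by read_history() are
    recreated; the real table has many more (rev_host, frecency, guid, ...).
    """
    con = sqlite3.connect(path)
    con.executescript(
        """
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY,
            url TEXT,
            title TEXT,
            visit_count INTEGER DEFAULT 0,
            last_visit_date INTEGER
        );
        """
    )
    # Firefox stores timestamps as PRTime: microseconds since the Unix epoch.
    # These rows are made up for the example.
    rows = [
        (1, "https://intranet.example.internal/wiki", "Wiki - Home", 14, 1_700_000_000_000_000),
        (2, "https://vpn.example.internal/login", "VPN Portal", 3, 1_700_086_400_000_000),
        (3, "https://www.example.com/", "Example", 1, None),
        (4, "place:sort=8&maxResults=10", "Most Visited", 0, None),  # smart-bookmark query, not a visit
    ]
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def prtime_to_datetime(prtime):
    """Convert a Firefox PRTime value (microseconds) to an aware UTC datetime."""
    if prtime is None:
        return None
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def read_history(places_path, limit=50):
    """Return the most-visited entries as (url, title, visit_count, last_visit).

    The database (plus its -wal/-shm sidecars when present, since Firefox runs
    places.sqlite in WAL mode and recent visits may only exist in the WAL) is
    copied to a scratch directory so a live browser's lock does not block us.
    """
    workdir = tempfile.mkdtemp()
    copy = os.path.join(workdir, "places.sqlite")
    shutil.copy2(places_path, copy)
    for suffix in ("-wal", "-shm"):
        sidecar = places_path + suffix
        if os.path.exists(sidecar):
            shutil.copy2(sidecar, copy + suffix)
    con = sqlite3.connect(copy)
    try:
        cur = con.execute(
            "SELECT url, title, visit_count, last_visit_date FROM moz_places "
            "WHERE url NOT LIKE 'place:%' "  # drop Firefox's internal query URLs
            "ORDER BY visit_count DESC, last_visit_date DESC LIMIT ?",
            (limit,),
        )
        return [(u, t, c, prtime_to_datetime(d)) for u, t, c, d in cur.fetchall()]
    finally:
        con.close()
        shutil.rmtree(workdir, ignore_errors=True)


def demo():
    """Build the constructed sample database and read it back."""
    tmp = tempfile.mkdtemp()
    db = os.path.join(tmp, "places.sqlite")
    build_sample_places_db(db)
    try:
        return read_history(db)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for url, title, count, last in demo():
        print(f"{count:>4}  {last}  {title!r}  {url}")
```

On a real profile point `read_history()` at `places.sqlite` inside the profile directory; the same copy-then-query pattern applies to `cookies.sqlite`, `formhistory.sqlite` and Thunderbird's address-book and folder databases. An alternative to copying is opening the original read-only with the `file:...?immutable=1` URI form, but that silently ignores the WAL, which is exactly where the freshest entries sit.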

A Data Hunting Overview

Background: Getting domain admin access is hardly ever the goal of penetration tests/red team assessments, unless it’s explicitly stated by the client of course. That said, having DA access in a target’s domain makes it a lot easier to take action on your actual objectives, which is why a lot of us will prioritise acquiring…

Attack Infrastructure Logging – Part 4: Log Event Alerting

Attack Infrastructure Logging Series: Part 1: Logging Server Setup; Part 2: Log Aggregation; Part 3: Graylog Dashboard 101; Part 4: Log Event Alerting. Quick recap: we set up a Graylog logging server, configured it to collect logs from multiple attack infrastructure assets and visualised some of this log data on a custom dashboard. I’ll be wrapping up this…

Attack Infrastructure Logging – Part 3: Graylog Dashboard 101

Attack Infrastructure Logging Series: Part 1: Logging Server Setup; Part 2: Log Aggregation; Part 3: Graylog Dashboard 101; Part 4: Log Event Alerting. The last two posts of this blog series had us setting up a logging server and aggregating logs into it from our various attack infrastructure assets. This brief post will go over setting up a…

Attack Infrastructure Logging – Part 2: Log Aggregation

Attack Infrastructure Logging Series: Part 1: Logging Server Setup; Part 2: Log Aggregation; Part 3: Graylog Dashboard 101; Part 4: Log Event Alerting. In my previous post I covered setting up a Graylog2 logging server. In this post, we’re going to start getting some logs from our infrastructure assets into our Graylog installation. The number and type of…

Attack Infrastructure Logging – Part 1: Logging Server Setup

Background: One of my goals this year was to improve my infrastructure log management procedures during engagements. Up until quite recently my log management technique was opening a couple of terminal tabs, SSH-ing into all my infrastructure assets and cat-ing, tailf-ing and grepping the log files I was interested in. As you can imagine this…

Securing your Empire C2 with Apache mod_rewrite

Background: Christmas came early this year for red teamers with the release of the Red Team Infrastructure Wiki. It debuted right after an amazing red team infrastructure presentation by Jeff Dimmock and Steve Borosh. I can’t even begin to get into how invaluable the wiki is when designing and securing your infrastructure, check it out for yourself…

AIX for Penetration Testers

Background: On a recent internal pentesting engagement I managed to get an unprivileged shell on one of my client’s servers. It was a business critical server so enumerating it and rooting it was the next logical move to make. I always begin my enumeration by running the “uname -a” command to get some basic system…

DNSnitch – Reverse NS Lookups & Zone Transfers

The recent DDoS drama with Dyn has had me reading up on the Domain Name System (DNS). Time and time again, bad guys have proved that one of the best ways to execute a successful Distributed Denial of Service (DDoS) is to hit DNS servers. As a pentester, name servers do come up a lot during…