Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel
June 19, 2019, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire
As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments, detections from AV have caused me to look toward custom tooling to mitigate the risk of being detected by both traditional AV as well as security operations teams relying on network indicators. Over the past year I’ve been slowly developing my own tooling to deal with these challenges.
Fuzzing: Common Tools and Techniques
June 04, 2019, Andy Bowden, Consultant, Coalfire Labs
Fuzzing is a software testing methodology that can be used from either a black or white box perspective and predominantly consists of providing deliberately malformed inputs to an application to identify errors such as unhandled exceptions, memory spikes, thread hangs, read access violations or buffer overruns that could lead to further compromise of a system.
pymetasploit3 – Metasploit Automation Library
May 20, 2019, Dan McInerney, Senior Security Consultant, Coalfire
Have a checklist of tasks you perform every penetration test, such as SSH bruteforcing or port mapping? Automate it with Python and Metasploit! Unfortunately, there hasn’t been a working, full-featured Python library for making these tasks easy for many years now. This changes today.
The Death Metal Suite
April 09, 2019, Victor Teissler, Security Consultant, Coalfire
Intel Active Management Technology (AMT) is a feature provided by Intel for remote administration. If you happen to have a corporate laptop, odds are you too have AMT built into your system. To a sysadmin, AMT eases access to machines for the sake of assisting employees with technical issues, even if the hard drive has failed or been affected by ransomware. This is due primarily to the fact that AMT does not require a functioning operating system for accessibility. Its configuration and operating environment reside completely within its own dedicated hardware!
High-Power Hash Cracking with NPK
March 21, 2019, Brad Woodward, Director, Coalfire Labs
Password hashes are an everyday part of life in Coalfire Labs. Barring any other low-hanging fruit, it’s not uncommon for a penetration test to hinge on recovering a plaintext password from one of these hashes. Whether it’s NTLM hashes from Active Directory, NetNTLMv2 from Responder, WPA2 PMK from a wireless penetration test, or hundreds of other possible sources of hashes, recovering the original password has been a challenge for hackers for decades.