Posts

Powershell Empire : Swiss-Army Knife for Windows Post-Exploitation (Part 2).

So for this entry, we will pick up where we left off. If you have not yet read part 1, you can read it here: Powershell Empire : Swiss-Army Knife for Windows Post-Exploitation (Part 1). I apologize for taking some time to post this due to other commitments; now I have the time to finish this series as I am currently on a long holiday. To summarize the previous post, we covered the Empire components and what they do, how to create a listener, generate a stager, execute the stager, get connected with the agents, and exit Empire gracefully. Now we will explore how to perform post-exploitation using modules in Empire and do housekeeping tasks on the agents. As a side note, some examples shown might have different agent names due to lost connections, but the essence of the activity and the principle of the action are still the same. Managing Agents To view, list and start interacting with agents registered to your Empire, use the command agents. In figure 1, you can see there are 2 act

Powershell Empire : Swiss-Army Knife for Windows Post-Exploitation (Part 1).

Powershell Empire is a PowerShell-based post-exploitation agent that can execute PowerShell agents without needing powershell.exe, and it includes a variety of modules that can be deployed on exploitable Windows machines. In this post, I will share about Empire 3, based on Empire (refer here), which has been migrated to Python 3.x and is actively maintained by BC-Security. General Installation Process for Powershell-Empire Setting up Empire is pretty straightforward and depends on your liking and platform. In Kali or a Debian-based OS, you can install the latest version by executing the following command:
sudo apt install powershell-empire
If you intend to clone the repository using Git, execute the following commands:
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
I have never tried using docker to deploy Empire. But if you prefer using a pre-built docker container, follow this procedure:
docker pull bcsecurity/empire:{version}

Android Application Security - obfuscation using ProGuard in Android Studio

There are many techniques out there for Android application code obfuscation. The most popular and the easiest to apply is ProGuard in Android Studio. What it usually does is shorten your app's class names, optimize your code, and remove unnecessary resources and code. Its main goal is to make your app harder to reverse engineer. Obfuscation in Android applications has also been applied extensively by malware authors to hide their malicious code and give security researchers like us a bad day. As a developer, you can apply ProGuard in your Android app project by implementing this additional rule in your project's build.gradle (Module:app) file. buildTypes { release { minifyEnabled true shrinkResources true proguardFiles getDefaultProguardFile ( 'proguard-android-optimize.txt' ), 'proguard-rules.pro' } debug { minifyEnabled false shrinkResources false proguardFiles getDefaultProguardFile ( 'proguard-and

rawSEC MINICON CTF 2020 PCAP 1 Challenge Write Up

I had an opportunity to participate in this CTF this time. I joined this CTF just for fun and to gain new knowledge along the way by completing some of the challenges. In this particular challenge, I'm using these tools to find the flag: Notepad++, Wireshark, Microsoft Excel, Python, XLRD Python library, command line. First I load PCAP_1.pcap into Wireshark. Scrolling through the packet capture file, I notice there is a GET request from 172.16.236.163 to 69.172.200.235 in which a key value can be seen, and it looks like a base64 string, so I try to export it in case there is any object from the HTTP protocol. To extract objects from a particular stream in the pcap file using Wireshark, you have to go to File > Export Objects > HTTP. Looking at the exported objects, a lot of base64 strings can be found; decoding these strings one by one does not seem practical. Therefore, I save all the objects into a designated folder first to extract the strings. I create a fo

NMAP- My penetration Testing Guide and Notes

Nmap (Network Mapper) is used for network discovery and security auditing. Nmap can be used to determine whether hosts are available on the network, list the services those hosts are currently offering and their open ports, determine the hosts' operating systems, and identify which filters or network protections are in use on the network. Nmap provides great functionality and features. It can be used to scan multiple targets or large networks and to map out networks, and it is open source software. Nmap is operated from the command line, but if you prefer a graphical user interface, you can use Zenmap, which includes an advanced graphical user interface and results viewer. These notes were written by me in my early days when I became interested in infosec, as my reference when pentesting or trying boxes. I simplified the commands and what they do. I also provide these notes part by part in my Basic Penetration Testing repository, starting from number 15 to 18, in my Github. Here I provide the link to the not

Android Application Reverse Engineering and Malware Analysis: Analysis environment preparation.

Hi everyone, this time I would like to share my experience of preparing for Android application analysis and reverse engineering. As with any other process, we have to consider and prepare the basics so that everything is executed in a structured and efficient manner. Prior to our analysis of any mobile application, we have to consider a few things to prepare, which are: Workstation. Tools and software. Skills required. Considering and preparing these components will significantly improve your readiness and response time when the sample is acquired and needs to be examined. WORKSTATION For a workstation, this is the specification that you should have at minimum: Minimum quad-core processor with support for virtualization. Currently I have a processor with 4 cores and 8 threads. Malware analysis and reverse engineering are resource intensive; more is better to support virtualization and heavy processing. During my analy

Android Malware Analysis Overview: Reverse Engineering and Threat Actor Profiling Process

Hi everyone, I would like to share my way of doing Android malware analysis and investigation. It is definitely not the best methodology, but sharing is caring. Dynamic Analysis Usually, I start with dynamic analysis (though most of the time I do it concurrently with static analysis) to understand the behavior of the malware; it makes it easier to understand what is going on and helps me create my mind map of how the malware executes and its data I/O. Meanwhile, I run Burp Suite, ADB Logcat and interaction in the emulator concurrently and monitor the output the application generates and prints to logcat. Why do I do this? To observe its network activity, every HTTP connection it makes to the command and control (C2) server. Any log created and behavior of the malware. Tracing functionality of the malware, how logcat and the system react to the application. I screenshot everything that is happening on the screen. Extract data generated by the application. Running processes (ps, t

AWUS035ACH Linux Driver Installation

Hi all, if you have problems configuring and connecting your AWUS035ACH to your Kali machine, these commands and steps will hopefully help! If you are connecting the adapter to a VM, note that this adapter uses a USB 3.0 interface, so make sure to enable USB 3.0 in the USB controller settings and configure your VM accordingly. Start your Kali Linux machine. To configure this successfully, make sure you have superuser privileges and the latest package versions by running the following commands:
apt-get update
apt-get upgrade
Run this command to install the driver for the adapter; any adapter that uses the same chipset can use the same command:
apt-get install realtek-rtl88xxau-dkms
Wait for everything to complete and that's all. Good luck and thank you.

Advanced Persistent Threat (Bahasa Melayu)

An APT is a cyber attack on networks, systems, assets and servers by a party trying to gain access to the targeted infrastructure unnoticed, persistently, and in a way that is difficult to detect for a long time. It targets organizations of interest such as financial companies, defense systems, government departments and agencies, and a country's critical infrastructure. One example we can relate to is the Stuxnet attack that targeted Iran's nuclear power facility some time ago, which began with a series of attacks by several pieces of malware to gather information in the process of launching the attack. In fact, many APT attack cases have been identified up to now. You can refer here for additional information: FireEye Advanced Persistent Threat Groups https://www.fireeye.com/current-threats/apt-groups.html APT is a complex attack that is difficult to detect because it is constantly changing