My Poor Mistreated Blog

Greetings, all.

As it's probably plainly evident, my success in keeping this thing up to date has been pretty awful. It's not entirely because of laziness, but that's certainly been a factor. 

Just as a life update and partial explanation, I recently moved again. At the same time, I was working on another work certification and managed to pass my GIAC GWAPT (The GIAC Web Application Penetration Tester) certification exam, though it took two tries. I thought about writing a little guide on how I passed it, but figured it was just too close to the original one I posted for the GSEC exam a while ago to be worth it, as most everything from that still applies.

One thing I have been meaning to get a blog post written up about, and will probably start on tonight, is creating a little "how to" for setting up Evilginx. 

For a little backstory, we were running into a lot of AiTM attacks at work where we couldn't figure out how the attackers were compromising the users so efficiently and so quickly. After some digging, we heard about Evilginx which was a AiTM attack toolset, so I started working to create a proof of concept that we could use against some test accounts we controlled to see if we could figure out what was going on.

We quickly realized just how effective this tool was, especially when the attackers put in even a modest amount of effort to create a URL that was reasonably convincing (close to the company name, instead of some of the usual URL's that could go edge-to-edge on a 4K monitor). Between that and the ease that it was able to harvest not just the user's password, displayed in plaintext, and also their active session ID, it was scary to see just how easily attackers were able to spin up VM's and deploy the tool, considering someone like me could figure it out without too much trouble. 

We did manage to figure out some effective counters to this that helped to largely reduce the number of incidents from it, and discovered that things like a Yubikey could almost entirely eliminate the threat at all, as the authentication takes place through a separate side channel that the AiTM server isn't privy to. 

Anyhow, I'll include more detail on that when I finally throw the post together. It was a lot of fun to get some real world "red team" experience, getting to attack my own account and see how it would pop up, and work with the team to find ways to allow us to track and treat these incidents before they escalated.

Until then!

Comments

Post a Comment

Popular posts from this blog

Small Life Update!

 So the move was a success. It was a grueling few days of entirely too much driving, too much running around and way too many boxes, but it went off pretty smoothly, and compared to my last few moves where the temperatures were in the high 90's, moving in the low 80's felt like a dream by comparison. I've finally managed to get all of my home network back up and running, managing to get my VM server successfully shoved into a closet corner and connected to the wifi without too much trouble. Since we're in a smaller apartment now, I genuinely wasn't sure if I was going to be able to find a place to set it up where it could run. Having had it sitting out in my office previously, it's not the ideal noise and heat generator you want constantly running in the place you work and play games. I'm still planning to get back to the Windows lab soon. Everything right now is a bit up in the air, as my workload at work may be changing, thought it's ultimately for the
Read more

Hacking Windows Domains: Introduction

Image
Part 1 of the Active Directory series. Wilkommen, everyone! After a few hurdles with my homelab server throwing a fit and forcing me to frantically recover my VM's so I could get all of my files off of my file server and temporarily into the cloud, I'm back with a new setup. I've moved from Hyper-V to ESXi, which I always liked for the ease of the web interface, and I've finally been able to recreate my hacking lab as well as my Kali machine that I use to learn on. As I work towards a pen test certification, I've been using a handful of resources to learn and get hands-on time. First up has been the great Active Directory rooms at Try Hack Me . The other has been the great Complete Practical Ethical Hacking course from TCM. This lab will be setup similar to the lab in the PEH course, as it makes it a bit easier to follow along with Heath's videos. There's always Hack the Box to get some hands on time as well, but that's something better saved for anot
Read more

Cyber Security Studying or: How I Learned to Stop Hand-Writing and Love the Digital Docs

Image
In life, learning to study is a critical skill to have...something that I discovered sadly late in life. Throughout my life, I struggled with sorting out my ADHD and finding ways to learn that worked for me. Taking notes in class was rough, because taking my mind and eyes off of the board and teacher meant I would quickly lose my place in the lesson trying to keep notes on what was important. Sadly, when I was a kid, smart phones and computers weren't in the classrooms, so the ability to easily record things and take notes wasn't there for me. Fortunately, I don't have any such restrictions anymore, and I don't have to suffer to keep up anymore. But the difficulties of paying attention in Algebra have now been replaced with learning in the Infosec world, which at times feels like trying to use a waterfall to fill a Solo cup. And that's coming from someone who was absolutely awful in math class. For me, there have always been a few problems taking notes. I need some
Read more