Amateur Radio Homebrew Experiments
My son and I have been getting into ham radio, and I've fallen deep into the homebrew well. Ham radio is fascinating because you can build your own equipment, and this is teaching me so much physics and analog electronics! I'm documenting my adventures here for future reference.
CLR assembly loading
Bryan Alexander developed a method for bootstrapping the CLR in an unmanaged process, and running an embedded .NET assembly as shellcode. One of the related challenges we ran into involved staging more assemblies from that position, and using the AppDomain separation boundary to our advantage. I ended up finding a neat way to circumvent some of the CLR's trust behavior in loading assemblies, and we put these two things together into a research blog post for Accenture Security. It's been great fun to work on some of these interesting post-exploitation challenges.
NolaCon '19 Presentation Out
My NolaCon presentation on EvilVM is available on YouTube. This is a post-exploitation framework built on a native code Forth compiler, which is itself position-independent shellcode. This project has been in the works for almost 3 years, and turned out far more interesting than I expected it to when I started it. Code is available, and I am continuing active development (partly because I've found it actually useful fairly often, just for my own use!).
I am putting my database hacking tool SQShell up here for download. I have kept this to myself and friends for a while because of restrictions on distributing the proprietary JDBC drivers. Well, I'm now providing a download for the tool without those drivers, along with instructions for adding them yourself. SQShell gives you a consistent command line interface to the various DBMSs, with a few handy commands for common tasks like downloading tables, listing schemas, etc.
BSides LV '16 Presentation
Patrick Fussell and I presented a talk on several strategies we have worked on for post exploitation. The talk is all about finding the crown jewels on a target network, once you've achieved a vertical escalation. You can find the talk on YouTube, here.
DerbyCon '15 Presentation Out
My DerbyCon presentation on bypassing multifactor authentication (MFA) is now available on YouTube. I had lots of fun putting this together. In the talk, I present a bypass method that we use for getting around RSA SecurID and Duo Security's MFA. I definitely have more in this area, so perhaps I'll be putting together some more scenarios for talks in the future!
DerbyCon '14 Presentation: Snarf
Victor Mata and I presented Snarf at DerbyCon 2014, here. It's a man-in-the-middle tool for making a lot more use out of intercepted conversations on the network (primarily SMB). It was a Stable Talk, so there wasn't a lot of time, but we've got a description of it, and some demo included.
PipeCat SMB Named Pipe Tool
At NolaCon '15, I demonstrated how I use SMB named pipes to tunnel TCP connections. PipeCat also provides a PSEXEC and WINEXE-style command execution mechanism without using services. You can download the presentation copy of PipeCat here. Bear in mind that it's very... 'pragmatic' code... and it does depend on .NET Framework 3.5+. I will get the source onto GitHub soon, though, to make it more accessible.
Metasploit Delay Loader
At NolaCon '15, I demonstrated how I use a modified metasploit-loader as a foundation for odd A/V and HIPS evasion during pen-tests. You can download the presentation copy of delay loader here.
Duo MFA Race Condition & Bypass
Duo Security has released a fix for a session stealing attack we discovered some time ago. I have also blogged about it. I included this in my presentation at NolaCon '15. I'll probably get my video of the PoC up soon.
Snarf SMB Man-in-the-Middle Tool
My buddy Victor and I have created what we think is the strongest SMB relay attack tool available. We have presented it at NolaCon '14 and DerbyCon '14. You can find it at the GitHub repo.
NTFSx tool for raw access to NTFS files
I have used NTFSx to good effect several times, from extracting NTDS.DIT when the new domains came out to extracting files without tripping file monitoring tools.