Cybersecurity Solutions and Support Services

    I've written a few things about Empire in the past but sometime around July of last year (I think), they stopped maintaining the project.  Then BC Security picked it up and moved the ball forward again.  I liked Empire because it's simple, no nonsense, and it worked.  That said, it wasn't as stealthy as some other C2 frameworks and it was unreliable when it came to evading antivirus.  When the new project came to light, I wanted to take a look but at the same time, I questioned whether or not I'd run into the same issues.  By necessity, I needed to test Empire for something I'm working on so I fired up the new project.


    It's hard to describe this in the subject line but how many times have you been on a Windows system and typed a *nix command?  Or on a *nix system and typed a Windows command?  One could assume that an attacker might do something similar and we could take advantage of that mistake.  First, we'll need to alias some commands like ifconfig and ls with doskey.  Our macro file looks like this:


    If you found yourself reading this article you probably know what a dropbox is already but to summarize, it's a piece of hardware that is either overtly or covertly planted on the network.  This particular model that I've constructed is using a Raspberry Pi Zero running Raspbian Lite.  In the diagram below, my dropbox is sitting the customer network.  It uses OpenVPN and calls home to our C2 server.  Logging into our C2 server, we can then SSH back into our dropbox bypassing all of the security measures.  What we do next depends on the engagement and this post is about the setup of the dropbox.


    From the description:  "Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server."

    What I like about this tool is that it's a single binary that supports both client and server while also being multi-platform.  What I don't like is that it seems to be very particular about the syntax ordering.  That being said, this is a tool in my toolbox for that very special need.  For example, we know there's a web server at the following address but when we perform an Nmap scan, we don't see it:


    Before I jump into the post, let's get a definition:  "Terraform is an open-source infrastructure as code software tool created by HashiCorp. It enables users to define and provision a datacenter infrastructure using a high-level configuration language known as Hashicorp Configuration Language, or optionally JSON."

    We use AWS mostly and a little bit of Digital Ocean.  The majority of the instances are created from the GUI but I've been working on a project that requires the spin up and shutdown of similar servers and that's where Infrastructure as Code comes in handy.


    A client mentioned to me that she was keeping confidential information on a thumb drive that she's been carrying around between her home and office.  When I asked about the type of the confidential data, I followed that question by asking -- if the drive were lost, would that cause a significant problem.  Of course knowing the answer, I then suggested encrypting the thumb drive. 

    This will be a two part post, probably with a separate title -- one for Mac and the other for PC. 

    Starting with Mac, we pull up the Disk Utility tool:


    Page 9 of 61

    © 2020 sevenlayers.com