During a recent engagement with a client, we had one of the usual discoveries of passwords stored in clear-text on a users workstation. Red Teamers know this is an ubiquitous issue and one of the first few things searched for when we gain access to a user’s workstation. This problem is amplified as the size of the organization grows; the more users there are, the more likely a user stores passwords in clear-text. Even if it is drilled into the users’ heads and they are aware of this security risk, some just seem impervious and have the attitude, “Oh, I am definitely not going to be the one to get hacked”. …

Bash is the command line interface so many of us use daily during our operations. Yet, how often are you at a loss of remembering what command was run during that thing that you worked so hard to achieve? Or how easily can you retrieve the time and date you executed a nmap scan against your target? The Red Team community, as of late, has been apt to apply systematic logging across their infrastructure to keep track of their Command and Control usage, and folks much more clever than I have gone above and beyond to automate alerting based on logs from their Redirectors and C2 agents through the RedELK project. …

Today, it is becoming more and more common for Penetration Testers, Security Researchers, Red Teams, and the like to require some sort of tunneling in and out of an organization’s infrastructure. Internal Red Teams, especially, who may need to cordon off their Command and Control Infrastructure will likely employ SSH (or VPN, but that will be a different post) tunnels from their External Infrastructure (such as callback servers, web hosting, mail, etc) to the Internal assets. Setting up these tunnels can become quite convoluted and difficult to manage, especially once the number of hops or jumps between servers increase.

Tunneling

For the purpose of this blog post, an environment as depicted below has been set up. The goal is to ensure beacons from the Victims can reach the teamserver host embedded deep in a corporate datacenter. …

TL;DR: I purchased a cheap domain that was very similar to a company’s domain. If the domain was used during a Red Team operation, as a C2 domain it would have blended in with noise. However, before I could use it, I was in an administrative proceeding due to a Domain Dispute. The dispute was based on an ICANN policy that was created to protect trademarks from people purchasing domains in “bad faith”. I choose the option to settle and transfer the domain to the company at no additional cost. As a Red Teamer, in the future if I plan to purchase a domain that is similar to a company for any reason, I plan to search the WIPO site to see if there are other proceedings filed by that company. …

A few years ago, I was involved in a consulting project with a large company in the healthcare industry that was in the middle of a data center migration. After the networks and servers were stood up at the new location they needed to migrate massive amounts of data in bulk so the company secured a pair of OC192 circuits, providing nearly 10Gbps of throughput in each direction on each circuit.

Everything seemed to be in order, so they began transferring data. To their surprise, they were only seeing throughput in the tens of megabits per second, even on servers connected to the network via gigabit Ethernet switches. After exhausting all the normal troubleshooting steps, they decided to bring in a fresh set of eyes. What we discovered may seem counter-intuitive: this company’s pipes were just too big. …

Recently, I was willingly forwarded a phishing email (for science!) which contained a ZIP attachment, requesting the recipient to update their contact information:

The hyperlink pointed to https://weitblicker.com/wp-content/uploads/2019/10/goes/JVC_83860.zip . Inside this ZIP, was a heavily obfuscated VBS file (found [here] if you’d like to follow along).

I just want to put it out there first, I love VirusTotal. I use it in both my professional career and in my personal life. When I have been busy and requested by family to investigate some “phishy” email or anything possibly malicious, I have been known to respond with the simple “Have you thrown it up in VirusTotal and seen what it says?”. I am aware that some organizations have used this same check as the starting point for their analysis process. For example, a Defender gets forwarded a phishing email with a link to investigate. The Defender creates the tracking ticket and starts the workflow in their “analysis checklist”. They just want to get through this investigation and close out the ticket. The Defender may not even think about looking at the other things surrounding the email as in whats the content, where did it come from, what are the email headers, and other indicators. The decision to continue or close the investigation has now become all about the outcome of the scan of over 70 AV scanners on VirusTotal. The results (most likely) return that all 70 plus AV scanners claim the link is clean (not one flag). Defender quickly marks all is clear and closes the ticket. In many cases, this might be a quick solution and is not a bad starting point but can provide many false negatives. This post is designed to reveal how VirusTotal is just a tool that aids in analysis and should not be a “one-stop-shop” in determining if content is malicious. …

Summary

During an engagement with one of Maveris’ customers, the Maveris Red Team discovered an Email Header Injection vulnerability in the eGain Web API that allows attackers to send specially crafted emails through otherwise trusted Mail Servers. Email Header Injection through the eGain Web API enables an attacker to spoof emails as organization employees, set unintended Subjects, and even send attachments. Depending on the architecture of the underlying infrastructure used to run an eGain application, this vulnerability could allow attackers to circumvent email filters and protections.

Email Header Injection is a vulnerability most notably introduced by the backend Server’s failure to properly sanitize user input. In the case of eGain’s Web API, the backend did not properly sanitize the input of the form parameters of the API URL: /system/ws/v11/ss/email. This allowed the Maveris Red Team to inject a Carriage Return 0x0D and Line Feed 0x0A byte into the fromName value and write custom headers, successfully crafting a new email using the hosting organizations backend Email Servers. …