How To Blogs

Want to learn HOW TO do something? This is a great place to start!

CredDefense Toolkit

WEBCAST: CredDefense Toolkit

Beau Bullock, Brian Fehrman, & Derek Banks // Pentesting organizations as your day-to-day job quickly reveals commonalities among environments. Although each test is a bit unique, there’s a typical path to “winning” that present themselves over and over. Expensive, difficult to configure, and cumbersome to maintain tools exist to help prevent and alert on some […]

Read the entire post here

WEBCAST: A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems

Mike Felch and Beau Bullock// Cryptocurrency conversations are everywhere you look! Mike Felch and Beau Bullock were so interested they started their own podcast about the topic. We’re excited to have them do a webcast for us and share the research they’ve been doing. Join us as we discuss specifically the security issues swirling around […]

Read the entire post here

BHIS_BLOG_PowerShell Win Defender

Getting PowerShell Empire Past Windows Defender

Carrie Roberts//* (Updated 2/26/2019) Note: Windows Defender added a detection on 2/25/2019 which now detects this method as “AmsiTamper.A” Windows Defender does a good job of blocking many attacks, including attempts to establish Command & Control (C2) sessions with published tools like PowerShell Empire. I was recently looking for a way to establish such a […]

Read the entire post here

green2

Bypassing Cylance: Part 2 – Using DNSCat2

David Fletcher // The following techniques serve to illustrate methods for obtaining C2 communication in a particular Cylance protected environment. The configuration of the centralized infrastructure and the endpoint agents were not inspected prior to testing. The environment may exhibit configuration errors and may not conform with best practice for deployment of Cylance infrastructure. However, […]

Read the entire post here

cisco

Cisco Smart Installs and Why They’re Not “Informational”

Jordan Drysdale// tl;dr Cisco Smart Install is awesome (on by default)…for hackers… not sysadmins. So, you Nessus too? Criticals and highs are all that matter! Right??? Until this beauty came along, but wait….this isn’t Critical or High. Let’s just ignore it. What can we do with this thing? Download config Upload config Execute commands […]

Read the entire post here

Analyzing Extension Effectiveness with Burp

Jordan Drysdale// tl;dr uBlock Origin appears, based on non-scientific testing, to be fairly effective at keeping trackers from making outbound HTTP GET requests. Tested Extensions: No Add-ons v Ghostery v uBlock Origin v AdBlock Plus Analyzed Website homepages: CNN v FoxNews v MSNBC I ran all of the following tests about the same. I clear […]

Read the entire post here

zoo podcast

PODCAST: Creating & Keeping a Malware Zoo

Join John as he covers what he and the BHIS Systems team have been working on lately – creating a C2/Implant/Malware test bed. Testing our C2/malware solutions is important because vendors tend to over-hype their capabilities. He’ll cross reference some different malware specimens with the MITRE ATT&CK framework and cover how you can use these […]

Podcast: Play in new window | Download

Subscribe: Android | RSS

Read the entire post here

I’m resigning from SANS

John Strand// Hello all, Well, this is a painful post to write, so I will get right to it. I am on my last run of classes with the SANS Institute. And, this is a good thing. It is a good thing for SANS SEC504, it is a good thing for me, my family, and […]

Read the entire post here

The Easiest Con – Hacking the Human & 9 Tips to Avoid Social Engineering

Heather Doerges // Of all the services we offer at BHIS, Social Engineering is the most interesting to me. It’s something (and quite possibly the only thing) I completely understand and feel I am fully capable of doing. I also know that it’s one of the more difficult and uncomfortable things our testers do. This […]

Read the entire post here

00400_08212019_SecuringTheCloud-1

How-To, Informational AWS EC2, AWS EMR, Coordinated disclosure, Jordan Drysdale, Nessus, Nmap, pentest, securing the Internet

Securing the Cloud: A Story of Research, Discovery, and Disclosure

Jordan Drysdale // tl;dr BHIS made some interesting discoveries while working with a customer to audit their Amazon Web Services (AWS) infrastructure. At the time of the discovery, we found two paths to ingress the customer’s virtual private cloud (VPC) through the elastic map reduce (EMR) application stacks. One of the vulns that gained us […]

Read the entire post here

How-To, Informational, Red Team Tools, Webcasts Active Directory, CredDefense Toolkit, David Fletcher, kerberoasting, password spraying, ResponderGuard

Webcast: Weaponizing Active Directory

Click on the timecodes to jump to that part of the video (on YouTube) Download slides: https://www.activecountermeasures.com/presentations 0:54 Background behind this webcast, what and why 7:02 Creating resources in Active Directory, User accounts, Groups, and Dummy Computer accounts 18:54 Tools, ResponderGuard, General flow of attacks, reconnaissance, deception and planted credentials 38:12 Password Spraying, honey users, […]

Read the entire post here

00398_08152019_UsingCloudFrontRelayCobaltStrike

C2, How-To, Informational, Red Team, Red Team Tools Brian Fehrman, CloudFront, cobalt strike, Domain Fronting

Using CloudFront to Relay Cobalt Strike Traffic

Brian Fehrman // Many of you have likely heard of Domain Fronting. Domain Fronting is a technique that can allow your C2 traffic to blend in with a target’s traffic by making it appear that it is calling out to the domain owned by your target. This is a great technique for red teamers to […]

Read the entire post here

00397_08132019_PyFunnels

General InfoSec Tips & Tricks, How-To, Informational, InfoSec 101 Github, PyFunnels, Python3, TJ Nicholls, Tool Output

PyFunnels: Data Normalization for InfoSec Workflows

TJ Nicholls // *BHIS Guest Contributor TL;DR How many times have you had to parse the same output from a tool? Wouldn’t you like to get that time back? There is a lot of overlap in the tools we use and the workflows we perform as information security professionals. Let’s not reinvent the wheel every […]

Read the entire post here

00396_07292019_YourReportingMatters

General InfoSec Tips & Tricks, How-To, Informational, InfoSec 101 Brian King, macros, MSWord Tricks, Pen Test Reports, reports, screenshots

Your Reporting Matters: How to Improve Pen Test Reporting

Brian B. King // This is a companion post to BBKing’s “Hack for Show, Report for Dough” report, given at BSides Cleveland in June, 2019. The fun part of pentesting is the hacking. But the part that makes it a viable career is the reporting. You can develop the most amazing exploit for the most surprising […]

Read the entire post here

Blue Team, General InfoSec Tips & Tricks, How-To, InfoSec 101, Red Team, Webcasts Backdoors, Beta Version, Breaches, Card Game, Coming Soon, Cubicles and Compromises, Incident Handling, Incident Response, john strand, SEC504

Webcast: Introducing Backdoors & Breaches Incident Response Card Game

This webcast was originally given live on June 5th, 2019 by John Strand and the BHIS (card) Testers. Download slides: https://www.activecountermeasures.com/presentationsRequest a deck of B&B cards (Coming in Sept): https://www.blackhillsinfosec.com/projects/backdoorsandbreaches/Also check out Cubicles & Compromises: https://www.blackhillsinfosec.com/dungeons-dragons-meet-cubicles-compromises So we have been working on a card game for Incident Response over the past few months and it […]

Read the entire post here

WEBCAST_YTBH073

How-To, Informational, LLMNR, Red Team, Red Team Tools, Webcasts ARP Cache Poisoning, GPP, john strand, Justin Angel, LaBrea Tar Pits, LLMNR, mDNS, SNAC, Stale Network Address Configuration, WPAD

Webcast: How to attack when LLMNR, mDNS, and WPAD attacks fail – eavesarp (Tool Overview)

Click on the timecodes to jump to that part of the video (on YouTube) 2:26 Introduction, background history covering LaBrea Tar Pits and ARP Cache Poisoning and how they relate to this webcast and how “eavesarp” basically works. 14:15 Demo of “eavesarp” against a Stale Network Address Configuration (SNAC) attack. 28:45 Q&A This webcast was […]

Read the entire post here

00392_06122019_AnalyzingARP

How-To, Informational, Red Team, Red Team Tools ARP, BruteLoops, eavesarp, Justin Angel, MailSniper, netdiscover, SNAC, swisslogger

Analyzing ARP to Discover & Exploit Stale Network Address Configurations

Justin Angel// Introduction In penetration testing, ARP is most commonly discussed in terms of poisoning attacks where an attacker achieves a man-in-the-middle (MITM) position between victim nodes by contaminating the ARP cache tables of neighboring hosts. While initially inspired by this technique and the desire to derive a means of passively obtaining a list of […]

Read the entire post here

00391_06052019_LocalAdminHash

How-To, Informational, Red Team, Red Team Tools Beau Bullock, Check-LocalAdminHash, Invoke-TheHash, PowerShell, PowerView, PSReadline, TL;DR

Check-LocalAdminHash & Exfiltrating All PowerShell History

Beau Bullock// TL;DR Check-LocalAdminHash is a new PowerShell script that can check a password hash against multiple hosts to determine if it’s a valid administrative credential. It also has the ability to exfiltrate all PowerShell PSReadline console history files from every profile on every system that the credential provided is an administrator of. Get Check-LocalAdminHash […]

Read the entire post here

1 2 3 4 5 >»

Subscribe to the BHISblog

Archives