Security Ripcord

Cutaway Security Blog and Projects

Iterating PowerShell Objects - Get-NetLocalGroup Examples

Starting out with PowerShell can be confusing. Google helps. Code from PowerSploit, PoshSec, and others can help, but simply following the project coding examples will eventually be confusing in new situations. Actually coding is the only way to get over the hump of understanding how to use PowerShell objects, comparisons, and loops. Even with experience, each situation is going to be different and confusing depending on the type of object, the cmdlet being used, and how the pipeline impacts the situation.

The following is an example of some information gathering I recently attempted. This will be a walk-thru of the steps I tried before figuring out (with help from 3nc0d3r) what actually worked in the end. For those readers who are familiar with PowerShell this will either be a “yeah, I went thru that” or an “oh, that was obvious” story. For the rest, this will be a series of commands that can be run to experience the output and frustration of dealing with PowerShell objects. The commands will be provided. It will be up to the reader to play along and determine the output. For those readers who don’t have time to play along, I will provide a brief description of the results. Play along for more details.
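The points above about objects, comparisons, loops and the pipeline are easier to see in code than in prose. The following is an added example written for this page, not code from the original post or from PowerView. PowerView’s Get-NetLocalGroup returns one object per local group member; the property names used here (ComputerName, AccountName, IsDomain, IsGroup) are assumed from older PowerView output, and the sample objects are constructed inline so the script runs without PowerView or a domain. Replace the $members array with real Get-NetLocalGroup output to try it for real.

```powershell
# Added example: iterating a collection of PowerShell objects shaped like
# PowerView's Get-NetLocalGroup output. Property names are an assumption and
# the objects below are constructed sample data, not captured results.
$members = @(
    [PSCustomObject]@{ ComputerName = 'WS01';  AccountName = 'WS01/Administrator'; IsDomain = $false; IsGroup = $false }
    [PSCustomObject]@{ ComputerName = 'WS01';  AccountName = 'CORP/Domain Admins';  IsDomain = $true;  IsGroup = $true  }
    [PSCustomObject]@{ ComputerName = 'WS01';  AccountName = 'CORP/jsmith';         IsDomain = $true;  IsGroup = $false }
    [PSCustomObject]@{ ComputerName = 'SRV02'; AccountName = 'CORP/Helpdesk';       IsDomain = $true;  IsGroup = $true  }
)

# 1. Pipeline iteration: Where-Object receives ONE object at a time, so $_ is a
#    single member and its properties can be compared directly.
$domainUsers = $members | Where-Object { $_.IsDomain -and -not $_.IsGroup }
"Domain user accounts with local group membership: $($domainUsers.AccountName -join ', ')"

# 2. The same filter as a foreach statement. No pipeline is involved, and the
#    loop's output is collected into an array because it is assigned.
$domainGroups = foreach ($m in $members) {
    if ($m.IsDomain -and $m.IsGroup) { $m }
}
"Domain groups nested in local groups: $($domainGroups.AccountName -join ', ')"

# 3. A comparison operator applied to an array does NOT return $true/$false; it
#    returns the elements that match. This is why an if() test on an array
#    property behaves unexpectedly. Use -contains (or check .Count) instead.
$ws01Hits = $members.ComputerName -eq 'WS01'          # array of matching values
$hasWs01  = $members.ComputerName -contains 'WS01'    # a real boolean
"-eq on the array returned $($ws01Hits.Count) values; -contains returned $hasWs01"

# 4. Grouping by host, then extracting strings from the objects. Select-Object
#    of a single property still yields objects; -ExpandProperty yields the
#    underlying string values, which is what you want for -join or output.
$byHost = $members | Group-Object ComputerName
foreach ($g in $byHost) {
    $names = $g.Group | Select-Object -ExpandProperty AccountName
    '{0}: {1}' -f $g.Name, ($names -join ', ')
}
```

The third block is the trap that usually bites first: `$members.ComputerName -eq 'WS01'` is truthy whenever at least one element matches and falsy (an empty array) when none do, which happens to work in an `if` until a collection has exactly one element, at which point the result is a single string rather than an array. Testing with `-contains` or on `.Count` avoids guessing.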

Sniffing Out Trusts With BloodHound

BloodHound (BH) returns a lot of useful information. Like any tool, there are different methods for extending the amount of information that it collects. The default configuration for BH is to search the local Domain for Users, Computers, Groups, Trusts, Sessions, and other information. While this information may be enough to demonstrate specific issues, it is limited in the amount of data collected about other Domains. For RED teams this means critical attack path information may not be gathered and displayed. For BLUE teams the data collected does not provide all of the information necessary to assess risk across Domains.

The following information is intended to help users understand how to leverage BH’s options to gather information across Domain Trusts. Live examples are hard to come by. Therefore I will be using illustrative examples to explain these concepts without running the actual queries against a production environment. Users should still be able to leverage this guidance during their own trial-and-error process.

BloodHound - Custom Queries

Veris Group’s Adaptive Threat Division’s BloodHound is an exciting new tool to help Enterprises understand the current state, and possibly the threat, of their Windows Active Directory environment. It is designed to augment Empire and, if I followed the DerbyCon talk / video correctly, the ingestor will be built into Empire 2.0 to facilitate easy discovery / reconnaissance.

The BloodHound project is currently a work in progress but, like Empire, is well maintained and already functional. Documentation is still growing and I suspect that new users may find there is a bit of a learning curve until the documentation is updated. Personally, I would rather have the developers complete all of their current feature and functionality ideas, let the community maintain the documentation for a while, and then pull some of it into the project’s wiki. To that end, here is a little bit I have learned about running queries on information BloodHound has collected.

DerbyCon 6.0 - Recharging Cutaway

It has been a few years since I have been out to DerbyCon. I really enjoyed the first experience and I enjoyed this year’s just as much. Here are a few notes from my week in Louisville, Kentucky with my friends.

HoneyPots Are Now Required. Errrr... No.

It started with an innocent tweet that turned into an interesting conversation and shameless plug (marketing campaign??) at the same time.

"It's time to start accepting that your NSM infrastructure is incomplete if you aren't leveraging honeypots for detection. #DFIR"

Since I follow Chris closely (as should all of you) I immediately noticed this tweet and responded with my heart.

"No @chrissanders88"

RfCat Dongle Update for Docker IEEE 802.15.4 Toolkit on Windows 10

For the TL;DR crowd, Windows 10 was not recognizing any device flashed with older versions of RfCat firmware. Dominic Spill had already identified the issue and created a pull request to fix an extra byte in the USB descriptor length field. It turns out Atlas had originally added that extra byte so that older Windows versions would recognize the dongles. RfCat has since been updated to address this issue, and Windows 10 will now recognize devices flashed with RfCat firmware. The rest of this post outlines the process I took to track down this issue and help get Dominic’s pull request merged.

YS1 Running in Docker IEEE 802.15.4 Toolkit

Windows 10 Not Recognizing YARD Stick One

My problems started when I wanted to test the Docker IEEE 802.15.4 Toolkit. I plugged in my trusty YARD Stick One (YS1) and Windows 10 complained that it did not recognize the device.

ZigBee Packet Capture Analysis Using ZBAnalyzer

For the TL;DR crowd, the ZBAnalyzer script provides an improved method for conducting analysis of ZigBee networks. It is designed to leverage the ZigBee Scapy functionality implemented within the KillerBee project, augmented with an updated ZigBee Scapy layer provided by a Scapy-Com fork. The rest of this blog post provides a demonstration of how to use ZBAnalyzer.

Capturing ZigBee Packets with KillerBee

Capturing ZigBee network communications is accomplished using a ZigBee capture device. This is most commonly done with the Atmel RZ RAVEN running firmware initially developed by Joshua Wright as a part of the KillerBee project. River Loop Security is in the final stages of developing the ApiMote v4 beta, which may change that in the near future.

Deploying GRR Clients With GRR Docker

For the TL;DR crowd, GRR Rapid Response can be configured to run on a development or small test network using GRR Docker. The GRR setup requires a repack of the GRR client as described in the repacking the client documentation and installation of the clients as described in the GRR Quick Start: Install the Clients documentation. There are a few caveats to getting it configured so that the GRR Clients can communicate with the GRR Server running in Docker. These steps are covered in this blog post.

In last week’s blog post, Creating a Docker IEEE 802.15.4 Toolkit, I talked about getting Docker up and running to test GRR Rapid Response. Installing GRR Docker is straightforward and outlined by GRR’s Getting Started documentation. I will begin from there.

Creating a Docker IEEE 802.15.4 Toolkit

For the tl;dr crowd: I have started a project to consolidate IEEE 802.15.4 testing tools into a Docker image, cutaway/dot15d4_toolkit, with a GitHub repo of the same name, cutaway/dot15d4_toolkit. The Dockerfile in this project is designed to build, install, and run River Loop Security’s version of KillerBee, my implementation of Scapy-com, atlas’s rfcat, and Josh Wright’s KillerZee.

While trying to understand Google’s GRR Rapid Response framework I worked with the GRR Docker example deployment. Since I don’t have any experience with Docker, I decided I needed to understand what the GRR Docker was actually doing in order to grasp how to communicate with systems running as a Docker container. I figured the best way to do this was to implement a simple Docker container of my own, something other than the Docker Hello World.