Latest posts

byt3bl33d3r

Getting the goods with CrackMapExec: Part 2

In Part 1 we went over the basics such as:

  • Using credentials
  • Dumping credentials
  • Executing commands
  • Using the payload modules.

Part 2 will cover CME's internal database and getting shells using Metasploit and Empire!

The Database

CME's internal database can be queried by using the cme_db.py script, two things …

byt3bl33d3r

Getting the goods with CrackMapExec: Part 1

This is going to be a multipost series going over a lot of the functionality of CrackMapExec. Although there is some documentation already on the project's wiki (which I'm still in the process of writing) I feel blog posts will help get everyone who is interested up to speed on …

byt3bl33d3r

Installing Empire on Arch Linux

I'm an Arch Linux fan and I've been using Empire on a lot of pentests recently. Problem is Empire requires Swig2 and Arch had only Swig3 in its repos.

Today I just noticed that the Arch AUR has a functional Swig2 package, and I finally got Empire running! W00t!

So …

byt3bl33d3r

Mad-Max Scapy: Improving Scapy's packet sending performance

I've been using Scapy for years and one thing that's always bothered me was its performance, especially when it comes to sending packets. To give you an idea:

from scapy.all import *
for i in range(0, 10):
    send(ARP(pdst='192.168.1.88', 
             psrc='192.168.1.11 …

byt3bl33d3r

Converting commands to Powershell compatible encoded strings for dummies

This is basically a reminder for me but could be useful for anyone. I keep forgetting how to convert commands to a Powershell compatible encoded string:

From the command line:

echo "iex(command)" | iconv --to-code UTF-16LE | base64 -w 0

For Python:

from base64 import b64encode
b64encode('iex(command)'.encode('UTF-16LE …

byt3bl33d3r

Using Nfqueue with Python the right way

While I was re-writing the Spoof plugin for MITMf I came across the "pythonic" way of using Nfqueue with python.

Previously the plugin was using code from dnspoof.py for DNS tampering, which used the nfqueue-bindings python library from here.

Problem was that it was a pain to setup: you …

byt3bl33d3r

Toby: finding the needle in the haystack

When I successfully extract a file system from the firmware of an embedded system, the first thing that I do is run grep or strings looking for low hanging fruit or even potential command injection vulns.

What I wanted though is something that recursively checked all files of a directory …

byt3bl33d3r

Pyexfil - Using Python to make Gmail a C&C server

Now I'm pretty sure there was a talk at BlackHat a couple of years ago about doing this, so this might not be anything new but I'll write about it anyway.

This is a great way to exfiltrate data from a network: it's stealthy (who looks at traffic going to …