
Wednesday, November 18, 2015

Intel NUC Super Server

Hi. I'm Rob... and I have a problem. Let's just say, when you find the limitations on Amazon's wishlist features for single items, you know you have a problem. My problem? I'm kinda addicted to Intel NUCs. They are so versatile, low-ish power consumption, and incredibly powerful and TINY. I carry 3 of these (the older / cheaper ones) around to run my trainings / classes from.

The following is my current wishlist. It is an i7 NUC w/ 500GB of high speed M2 SSD, plus a 1TB SATA SSD, and 32 GB of RAM... ya, that's right 1.5 TB of SSD space, and 32 gigs of RAM!!

Intel NUC Kit NUC5i7RYH Barebone System
Samsung 850 EVO 500 GB M.2 3.5-Inch SSD (MZ-N5E500BW)
Samsung 850 EVO 1 TB 2.5-Inch SATA III Internal SSD (MZ-75E1T0B/AM)
Crucial 1600 MT/s (PC3L-12800) CL11 SODIMM 204-Pin Memory CT204864BF160B
Total Cost: 1328.28

I have gone back and forth between virtualization software (ESXi and Xen mostly)

Xen works out of the box but only has a decent interface in its Windows GUI. OpenXenManager for Linux is OK, and Xen Orchestrator (Web UI) leaves a bit to be desired. If you're OK with keeping a Windows box around, Xen is the superior choice when it comes to feature sets (mainly cloning and templating, out of the gate and free).

If you do go the ESXi route follow steps here: because it doesn't work out of the box. I did create the ISO already, so if you want to use the one I made you can find it here:

You may run into the Manufacturer and Model being random strings (question marks in diamonds), but you can follow:

Again, I've already done these steps so you can download the pre-built BIOS rom here: - WARNING: I doubt the BIOS is universal so if you don't buy the NUC listed above, you probably want to just follow the steps yourself. Flashing a BIOS with the wrong ROM could brick the device.


Monday, November 02, 2015

Meterpreter show_mount

Meterpreter’s STDAPI extension (the one that always gets loaded) has a new command. This doesn’t happen very often so it’s worth noting.

The new command prints out the currently attached “mounts”. In the Windows world, that means the normal CD ROM, C drive, etc., but it also means all of the mounted network drives as well.

This gets very interesting when you happen to find yourself in a VM environment where you can start writing files to the host:
meterpreter > show_mount
Mounts / Drives
Name Type       Size (Total) Size (Free) Mapped to
---- ----       ------------ ----------- ---------
A:\ removable      0.00 B      0.00 B
C:\ fixed         59.90 GiB   28.15 GiB
D:\ cdrom          0.00 B      0.00 B
Z:\ remote        64.78 GiB   18.09 GiB  \\vmware-host\Shared Folders\

I’ll leave the rest up to your imagination for now. But we will come back to this very soon. Huge thanks to @TheColonial - OJ for implementing this much needed option. Merged pull request is here:

Thursday, October 29, 2015




Time is a one-time non-renewable precious resource you are given. It is ok to be greedy, selective, and even snobbish about how, and with whom you spend it.
If it helps, think of your time as a vault, money is withdrawn at a constant rate by people as you spend it, but you are not allowed to look inside to see how much you have left. It could be a billion dollars, it could be .25 cents. If it were money, who would you spend it on if that were the case? Most likely you would be more cautious on who and what you spent any amount on. (This is not to say you live as a hermit, but pushing you to actively choose what you want instead of letting life happen and spending your resource.)
Also, respect others' choice to spend their time with you. I know we don't always acknowledge it, but we should be a bit more cognizant of it.
We actually dismiss it nonchalantly, in English, with simple phrasing changes like "Thank you for spending THE time". When we should probably say "Thank you for spending YOUR time". I have heard it both ways and much more the latter, but it just struck me as I was writing the close to this blog post that I was about to do what I had just warned against.
So, in closing, thank you for spending your precious moments reading my blog.

Wednesday, October 14, 2015

R5 Industries

I recently took the plunge and joined a startup called R5 Industries. I wanted to say thanks for all the well wishes that I received on social media. It has certainly calmed my nerves about the choice ;-).

I've had a number of people ask what R5 Industries does. Our primary selling point is AntigenC2, which is a really Command and Control detection product (no agents). But we also do Red Team assessments and some other fun toys if you are interested.

More info here:

And that's the end and last sales pitch you'll get from me on the subject.

Why did I make the move?

1. While I loved life as an internal Red Team member (highly recommended, if you need reasons why make sure you watch Chris Gates' talk at RuxCon: Gates ) where I got to help steer the boat of a Fortune 10 company, I had a number of opportunities that I had to turn down because of it, even though my higher ups went above and beyond to give me as much latitude as possible.

2. I had a bunch of crazy project ideas that I wanted to see come to life over the years, I don't think I would have ever had the time to see them become anything more than mythical ideas without this opportunity.

So, wish me luck, send me work (as I can finally accept it ;-) [through R5 of course]) and look out for some pretty wacky ideas and products that I've been talking about for years.

Thanks again, I wouldn't be here without you.

Monday, October 05, 2015

DotNet's DNVM for Persistence on Developer Machines

One of the best resources for persistence mechanisms is Hexacorn's blog.

If you haven't checked out his "Beyond good ol' Run key" (linked above) 32 post series, you really should. But today I wanted to talk about one that I didn't see up there:

DNVM is the DotNet Version Manager and it's a part of ASP.NET 5, which I believe has been inside of Visual Studio since the 2013 version. It's there to help specify which runtime to use for applications, much like RVM (Ruby Version Manager) is for Ruby. Their goal is that you can install .Net and run .Net applications on Linux and Mac as well using DNVM.

Once installed it adds a "DNX_HOME" environmental variable:

 Inside the folder specified are 3 directories:

There are plenty of things to play with in here, but I wanted to specifically point out that the BIN directory is put into the $PATH variable (as well as two others)

C:\WINDOWS\system32\config\systemprofile\.dnx\bin (DOES NOT EXIST BY DEFAULT)
C:\Program Files\Microsoft DNX\Dnvm\

Ok, not a big deal right? Even a user under UAC can edit their own $PATH variable (we'll come back to that in another post)

Let's take a look at what is in those folders:

Interesting, why don't we see what the command dnvm does:

Seriously... I probably don't even have to continue at this point...

But, if I run dnvm from the command prompt (as a developer would) it runs it from inside that protected directory in Program Files right?... RIGHT?! Nope..

Edit the dnvm.cmd with a bit of PowerShell Empire stager (minus the -W Hidden, because we need the user to actually get the output of the dnvm command) and....

[+] Initial agent UU2YKZ3VDG2AUKFY from now active


Let's look a bit into how DNVM works to see if there is something juicier there (way too much for a single blog post)

Awesome! So I can modify things in the runtime directory, lets look in there:

Lots of fun, but we still have to wait until they run some C# code with that runtime and guess which one they will use (or backdoor all of them). I would rather just make a modification to the dnvm.cmd and be done with it. Simple and clean.
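From the defender's side, the two conditions described above (a PATH entry that does not exist or is user-writable, and a command that resolves there before the installed copy) can be audited directly. The following is an added example, not code from this post or from DNVM; the function names and the directory layout in `demo()` are constructed for illustration, and `os.access` only approximates Windows ACLs.

```python
import os
import tempfile

def audit_path(path_value, pathext=".COM;.EXE;.BAT;.CMD", sep=os.pathsep):
    """Walk a PATH string in search order and return (kind, directory, detail) findings."""
    exts = {e.lower() for e in pathext.split(";") if e}
    findings = []
    first_seen = {}  # command stem -> (directory that wins the lookup, writable?)
    for entry in [p for p in path_value.split(sep) if p]:
        d = os.path.expandvars(entry.strip('"'))
        if not os.path.isdir(d):
            # A missing entry can be created later by anyone who can write its parent.
            findings.append(("missing", d, None))
            continue
        # Hint only on Windows: confirm with the directory's real ACL (icacls).
        writable = os.access(d, os.W_OK)
        if writable:
            findings.append(("writable", d, None))
        for name in sorted(os.listdir(d)):
            stem, ext = os.path.splitext(name.lower())
            if ext not in exts or not os.path.isfile(os.path.join(d, name)):
                continue
            if stem not in first_seen:
                first_seen[stem] = (d, writable)
            elif first_seen[stem][1] and first_seen[stem][0] != d:
                # The copy in the earlier, writable directory is the one that runs.
                findings.append(("shadowed", d, f"{stem} resolves in {first_seen[stem][0]}"))
    return findings

def demo():
    """Constructed layout: a missing entry, a user-writable bin, then the installed copy."""
    root = tempfile.mkdtemp()
    missing = os.path.join(root, "systemprofile", ".dnx", "bin")  # never created
    user_bin = os.path.join(root, "user", ".dnx", "bin")
    installed = os.path.join(root, "Program Files", "Microsoft DNX", "Dnvm")
    for d in (user_bin, installed):
        os.makedirs(d)
        open(os.path.join(d, "dnvm.cmd"), "w").close()
    path_value = os.pathsep.join([missing, user_bin, installed])
    return audit_path(path_value), missing, user_bin, installed

if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

On a real machine, pass `os.environ["PATH"]` to `audit_path` and treat every "missing" or "shadowed" finding as something to fix by reordering PATH or tightening the directory's permissions.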

Oh did I mention that this is used to cross compile binaries? Ya, oh ok, so you can infect the built binaries, or web apps for Windows, Linux and OSX...

Oh and one other thing caught my eye while I was looking into the DNVM.ps1 script:

Have fun!

P.S. Unquoted paths FTW:

Thursday, October 01, 2015

Hiding desktop icons for presentations on OSX

If you found this post via a search, you are probably like me, "not great" at keeping your desktop clear of "stuff" (you probably have a 'stuff' folder you once put stuff in and forgot about).

If you are, and you go into a presentation, you probably don't want to have all of your icons visible (and possibly recorded).  Hiding your desktop icons on Windows (since 7 I believe) is pretty simple. 

On OSX, it's not as straightforward. Following a tip I found here: I was able to create a keyboard shortcut to hide, or unhide everything.

First, open up "Automator" and create a new document / "Service" 

Then drag and drop "Run AppleScript" from the Utilities section:

Next, make sure it says that the service doesn't accept input from any application:

Paste in the following script:

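on run {input, parameters}
    -- Read the current Finder setting ("true" means desktop icons are shown)
    set myAnswer to (do shell script "defaults read com.apple.finder CreateDesktop") as boolean
    -- Write back the opposite value
    do shell script "defaults write com.apple.finder CreateDesktop " & ((not myAnswer) as string)
    -- Restart Finder so the change takes effect
    do shell script "killall Finder"
end run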

On the first run, you may get an error stating that the variable doesn't exist or that it couldn't be converted into a boolean. This is because by default this variable doesn't exist for new users. All you have to do to correct this is open a terminal and set it for the first time by typing:

defaults write com.apple.finder CreateDesktop true

Back in Automator, re-do the test run of the script:

Save the file and then you can set up a keyboard shortcut in System Preferences:

Hit Control+Cmd+H to your heart's content.


Thursday, September 24, 2015

Hacking Advice for @krystropolis

Today I was asked by @Krystropolis for a "Hello" and maybe some hacking advice, see tweet:

I thought about it on my entire 1 hour drive home from just turning in my badge and laptop from a big corporation to go work at a start up. I thought about talking about ethics and data handling, to Geo-politics. I mean, what kind of hacking are we talking about?

I finally ended up thinking about what would have been the best advice for me, growing up, for "how to learn hacking", and I boiled it down right before I pulled into my driveway to two words: "Build It". For me personally, I didn't start to really understand attackers, attacks, or even simple defense strategies until I started to try to build it myself.

For many hackers (and mechanics, my father included) they started by taking things apart first, then putting them back together (usually with a few extra screws or parts that "didn't matter" on the side). But for me, I learned best by building from scratch. This went from stealing RAM from the "old junk" computer locker from my high school to upgrade my Mom's 95 MHz Pentium (OH YA!) - in my defense, the computer science teacher told me that I could take anything I needed to build a computer and he didn't specify the physical location that computer had to be in - all the way to working on the sensor grid for the Marine Corps networks when I helped at the MARCERT as a level 1 tech. I even convinced a few of the Hak5 crew at the time to let me build Gentoo (Stage 3 baby!) on their laptops because it was tons faster (once everything compiled 10 years later).

Man do I ramble. Point is. If you want to learn hacking, or how to hack, you need to know a system inside and out first. System (noun) in its most basic sense. The best penetration testers / hackers I have ever known are the ones that have rebuilt their labs/phone/widget for the 500th time.

UPDATE: I have had a few comments, about the post already. But what I forgot to point out is that by building a system or network you not only get to know the ins and outs of how it works, and what shortcuts you had to take to get it to actually work, but also the appreciation of what it took for you to build it, the hours/research that went into it, how it connects to other systems and clients, and finally what kind of business impact it could or does have on actual corporations. These are core skills to be an effective communicator of risk and need, while keeping compassion for the requirements and business impact. Highly sought after skills in the job market.

I hope this helps.