Monday, March 21, 2016

More on Purple Teaming

I wanted to add a bit more context/info/explanation on Purple Teaming after publishing the Ruxcon slides as well as Facebook and Twitter interactions on that topic.

What is Purple Teaming?

Currently there are as many definitions for Purple Teaming as there are talks and blog posts on the subject but I'm going to throw mine in as well.

Purple Teaming is "conducting focused Red Teams with clear training objectives for the Blue Team."

The clear training objectives (aka a plan to eventually get caught) for the Blue Team is what differentiates Purple Teaming from typical Red Teaming. By its very nature Red Teaming is making a HUGE attempt not to get caught. You are pulling out all the tips & tricks and big boy tools NOT to get caught.  With Purple Teaming, you have a plan to create an alert or event in the event the Red Team is not detected by the Blue Team during the Red Team process so the Blue Team can test their signatures and alerting and execute their incident response policies and procedures.

It isn't a "can you get access to X" exercise it is a "train the Blue Team on X" exercise. The Red Team activities are a means to conduct realistic training.

A couple practical examples:

The Blue Team has created alerts to identify Sysinternals PsExec usage in the enterprise.  The Red Team would at some point use PsExec to see if alerts fire off and the Blue Team can determine which hosts were accessed or pivoted from using PsExec.  The Red Team could also make use of all the PsExec alternatives (winexe, msf psexec, impacket, etc) so the Blue Team could continue to refine and improve their monitoring and alerting.

Another scenario would be where the Blue Team manager feels like the team has a good handle on the Windows side of things but less so on the OSX/Linux side of the house.  The manager could dictate to the Red Team that they should stay off Windows Infrastructure to identify gaps in host instrumentation and network coverage for *nix types hosts and also to force incident response on OSX or Linux hosts.

Another example could be to require the Red Team not to utilize freely available Remote Access Trojans such as Metasploit or powershell Empire. Instead they could ask that the Red Team purchase (or identify a consultancy that already uses) something like Core Impact or Immunity's Innuendo or find a consultancy that has their own custom backdoor to spice things up.


Other Purple Teaming resources (in no particular order):

Tuesday, March 15, 2016

APT Ransomware

Yesterday this article came out from Reuters:

I thought it would be useful to make a post explaining the situation a little more in-depth.

Myself and several colleges (InGuardians, G-C Partners) have been engaged in related, high-impact incident response engagements over recent months.

We have been working together to correlate the results of several major investigations. At least three high-value corporations were hit by well-known APT actors over the holidays between December 2015 and January 2016. The targets in these attacks include:

  • A Multi-national company from Southern California
  • A Major business solutions provider on the East coast
  • A Multi-national manufacturing business in the Southern US

Initially these recent incidents involved tactics that match previously seen APT style attacks, indicators of compromise, and tools, especially of a specific group. (We matched file hashes, typing patterns, source IPs / hostnames, etc.)

In the past the primary goals of these actors seemed to be collecting information from targets and maintaining access while evading detection. In these new cases however, the attackers attempted to manually deploy crypto ransomware across large swaths of victim computers in addition to the typical APT tools. This is unusual because in the experience of all three information security firms, crypto ransomware is typically installed opportunistically by malicious websites and drive-by downloads, not manually by an intruder. Also this behavior has always been seen related to criminal activities, not intelligence gathering by nation states.

Before these latest intrusions, active attackers mass installing crypto ransomware on major corporation computers had never been seen by any of the three companies performing the investigations. In the most recent occurrence the attacker made use of a much older breach to automatically deploy ransomware furthering changing the methods seen and used.

This is also unusual because it seems to be in contradiction to the motivations that have been seen in the past. Typically, the motivation behind installing crypto ransomware has been that lone actors or crime rings are using basic phishing tactics to extort relatively small amounts money from individuals or corporations.  In contrast, the motivation for APT attacks have traditionally been considered to be nation state directed and focused on stealing valuable information without being detected. The dollar amounts targeted are in the millions.


We have come up with several theories:

  1. After the fallout from the OPM hack, the Chinese government officially backed off from its hacking operations against the US. Numerous individuals who were employed as civilian contractors are now essentially out of work, but still have access to targets and toolsets. These individuals have started employing crypto-ransomware in order to replace lost government income and continue hacking.
  2. This activity is either practice for, or the beginnings of a denial and disruption campaign against US companies. The actors don’t actually care about the money potential but rather are interested in the extensive disruption caused by the attacks. 
  3. The activities and motivations of APT actors haven’t changed, but rogue elements within their groups are employing these tactics and reusing existing infrastructure in order to acquire supplemental income. 

In one case, the attackers used standard APT tools and techniques to attack laterally and gain access to domain controllers, then launch a GPO to push out the ransomware. Thankfully they made a small typo which caused it to fail. In another case they redirected monetary payments but, due to another small mistake, were caught before too much money was lost.

Due to confidentiality requirements with our clients, we can't post too many more details at this time, but will give updates as we can.

Attack Research, InGuardians, and G-C Partners are continuing to investigate the activity as it progresses. If you have seen similar activity and are willing to share details, please contact any of the three companies.

Val Smith

Saturday, February 27, 2016

CCDC Quals Notes (metasploit)

Some quick notes for interesting stuff to keep for CCDC Quals/Notes

Rapid Fire PSExec

Use db_nmap to scan and populate the databse or db_import to import nmap xml into your workspace.  This one uses open port 445 to query the database

This one uses open service of smb to query the database

Running Metasploit Post modules against all sessions

Resource script to run a single post module against all sessions.  Navigate to your post module, set up any required options then run this resource script.

Got this from:

Update: Dre mentioned his already exists here:

Running a Meterpreter Command against all sessions

Got the code from mubix

Running a Windows command against all sessions
This functionality is already built into the sessions command

Just run sessions -c "command" and if you don't put a session to interact with it will run on all sessions.

I used this to run the Empire launcher on all sessions.

Running a Meterpreter script against all sessions

Just run sessions -s meter_script and if you don't put a session to interact with it will run on all sessions.

Monday, January 18, 2016

Purple Teaming - Lessons Learned & Ruxcon Slides

I wrote a bunch of this while still at Facebook but have since changed jobs.  Anything FB is now replaced with $previousjob since I cant speak for them anymore. This was supposed to go on  their Protect The Graph post but never happened. The content was useful (I hope) so hopefully people will get something from it.  Also slides release here and at the bottom.


Recently Chris Gates from the $previousjob Incident Response team presented at Ruxcon (https:// on “Purple Teaming: One Year After Going From Full Time Breaker To Part Time Fixer”. The talk was used to highlight some of $previousjob’s experiences “Going Purple” over the last 18months.

What is Purple Teaming?
Purple Teaming is “Putting more Offense in your Defense” and “More Defense in your Of-
fense”. We do this to iteratively improve the quality of both our Red and Blue Teams by conducting focused Red Teams with clear training objectives for the Blue Team.

The talk highlighted observations and lessons learned during this process.
  1. Acknowledging the need for the creation of an internal Red Team. The maturity of the security program coupled with the complexity of the organization made it necessary to have internal knowledge to craft more interesting attacks for Red Team exercises.
  2. The creation of an internal Red Team and the location of the internal Red Team on the organizational chart. Many companies have both Red and Blue teams operating as separate entities. This frequently causes animosity between the two teams that can lead to growth stagnation because the two teams become focused on catching or defeating each other rather than innovating together in order to better defend their company. $previousjob’s Red Team is a component of the Incident Response team giving both the Red an Blue teams the same reporting structure. This placement was intentional as an attempt to avoid animosity and the “us vs. them” mentality that can frequently plague internal Red and Blue teams.
  3. Changing the typical definition of a “Red Team” to be less focused on vulnerability discovery and instead serve as a training event for the Blue Team. For $previousjob, a Red Team exercise tests our ability to respond to an incident and find broken tools and processes. The offensive part of the exercise is required to tell a good story, model the chosen attacker profile, and craft real world attacks for the Blue Team’s training objectives. The Post Exploitation, Persistence, Lateral Movement portions of the attack are far more important than the initial method of exploitation. With this is in mind, it is deemed “OK” for a trusted insider to be the initial exploitation vector (phish, browser attack, etc) and for the Incident Response manager to suppress any initial alerts that may come about from the initial exploitation vector in order to let the attack play out and allow the Red Team to move on to the post exploitation, persistence, and lateral movement pieces of the attack.
  4. Having a Red Team in-house allows $previousjob the ability to test vs. believing assumptions or information provided from other teams. It allows us to more easily validate answers to really important questions like “where can an attacker go if they had a certain set of credentials” or "what can an attacker REALLY do with a certain level of access" vs. what we THINK they can do with that access. The in-house Red Team is also required to stay up to date with the latest tools and techniques and can use that information to write detection signatures to catch these tools.
  5. Our Red Team reports have both the Red and Blue narrative making the report more valuable as readers see both sides of the attack. Red Team reports are typically only offensive oriented with no mention of incident response, defense, or how well the organization fared against the attackers. By having both the Blue and Red teams tell their respective sides of the story, we tell a much more complete story in our reports. This has the added benefit of highlighting to leadership and the company as a whole the value of the Incident Response team and show wins with new initiatives, gear, training, etc.
The talked wrapped up with a walk-thru of one of the latest Red Team exercises. The slides are available here:


Saturday, January 2, 2016

Arcade Gaming System on Raspberry Pi 2 & RetroPie (Part 2)

Arcade Gaming System on Raspberry Pi 2 & RetroPie (Part 2)


The RetroPie readme on ROM Management is here:

Prepare to spend a bunch of time here.  You basically drop the ROMs for the appropriate emulator in its folder inside of RetroPie/roms/mame-*

Ah but whats the appropriate emulator?  I'm still muddling through this but from what I've read so far, the community has upgraded rom sets over the years. MAME emulators in RetroPie support multiple ROM sets although you might not be able to download that specific set anymore.  For example I've been using this site: to download a bunch of the image. They are romset 1.58 which if you notice is not used by RetroPie!

So as you read the Managing Roms page you'll see it recommends to use Clrmamepro to convert one version of a ROM to another.  The instructions are on the page.  Most confusing thing so far has been split vs merged.  Merged ROMs will lump multiples into one zip file that may or may not give you all the versions of the game you want to play.

For example; If you download all the Galaga ROMs and do merged you'll get ONE Galaga game spit out in the output folder even though there are like 10 different ones (I like the fast shoot one).  If you do split you'll get the 10 different ones spit out and you'll have to check the scanner output (Step 6) will tell you by each folder which ROMs you are missing.

Once it builds and scans without errors you put it in the appropriate emulator folder you are building for. I ended up with multiple MAME instances for different versions of ROMS.  My trackball doesn't work for advmame-1.4 but does for mame4all.

If you need some motivation for games to download, THIS is pretty good:

How to get the thumbnails and metadata

All the cool screenies show the thumbnail and metadata in emulation station.


It's not super clear how to get this data.  There is a scaper built into emulationstation but it was slow. I gave up.  Some searching around lead to This worked great.

Make sure emulationstation is not running.

My Pi distro didn't have go installed so I just downloaded the binaries listed in the readme and it worked.  Afterwards I cd'd into the roms directory and did a scraper -scrape_all -thumb_only.  This worked for everything but the MAME roms, see the readme or just get into the MAME rom folder and do scraper -mame -thumb_only. Make sure emulationstation is not running. It puts a lock on the gamelist.xml file and it wont update.  Once its done you'll have the cool picture and metadata when you browse your games. :-)

Happy Dance

You can install background themes in Emulationstation. Everything you need is here:

Arcade Gaming System on Raspberry Pi 2 & RetroPie (Part 1)

Arcade Gaming System on Raspberry Pi 2 & RetroPie (Part 1)

I've been wanting an arcade system every since Rec Room Masters posted an ad on my Facebook feed last year.  It's very much a want vs. need so I waited over a year to purchase one. Below is the setup

Purchase Tankstick and Raspberry Pi 2 (see below)

The RetroPie for the RaspberryPi does all the heave lifting for you on getting the emulators set up. It even automates making the tankstick work. It was pretty much plug and play.


Downloaded and installed  Raspbian Wheezy. Instructions here:

Upgrade the distro once its booted up:

apt-get update
apt-get upgrade

To get Retro-Pie up and running I followed the Retro-Pie instructions here:

I picked to install the binaries vs install from source it still took about 4 hours to get all the packages downloaded and installed.

RetroPie also has a image you can use but I didn't go that route, it would probably be faster though

Running Total:
TankStick 149.99 + 19.99 (S/H) => $169.98 USD
Raspberry Pi 2  34.99 + 3.89 (S/H) => $38.88 USD

There is a separate wifi adapter and case for the Pi on their way; both technically optional

Raspberry Pi Case (it's going to eventually go in Arcade Cabinet) $8.79 + S/H
Small WiFi Adapter (inconvenient to ethernet to the Pi) $9.99 + S/H
Total for the above => $26.84

You'll also need a USB keyboard and mouse to log in to the pi and do some configuring. I had several laying around the house.

Starting Up

Connect everything up. Initially you'll probably need keyboard and mouse. Once things are set up the tankstick will take up 2 USB ports, keyboard 1 USB port and your USB wifi adapter the last one.

Log into your Pi  pi/raspberry

Type emulationstation to get to the Emulation Station Menu

Optionally you can type startx to do linux-y stuff. You'll need to plug the mouse in if you do this.

Getting Games

You can torrent most of the SNES, NES, Sega *, Atari games.  A decent starting point is here:

Those torrent links are still active and downloaded pretty quick.

Follow the wiki on where to put the respective ROMs for various systems. Put them in the right folder and the emulator will be active in the Emulation Station menu:

Atari, NES, SNES, Sega systems just work if you drop them in their folders.  MAME games are a whole another pain in the ass I'm going to do a separate post for those.  But at this point you should be able to play your favorite game console games.

Wednesday, December 16, 2015

More with smbclient, smbget, enum4linux

More notes because I can never remember and I'm sick of looking it up

Testing open shares/445

List shares with smbclient -L

root@localhost:~# smbclient -L
Enter root's password: 
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]

        Server               Comment
        ---------            -------

        Workgroup            Master

        ---------            -------

Try to connect to the share

root@localhost:~# smbclient \\\\\\MEMORY_CARD
Enter root's password: 
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]
tree connect failed: NT_STATUS_ACCESS_DENIED


When it works

root@localhost:~# smbclient \\\\\\MDMLOAD
Enter root's password: 
Anonymous login successful
Domain=[DEMO] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> l
  .                                   D        0  Wed Nov  4 02:42:15 2015
  ..                                  D        0  Mon Oct 12 20:38:40 2015
  input.csv                           A     2024  Mon Nov  2 22:13:18 2015

59400 blocks of size 2097152. 19612 blocks available

enum4linux can help out when you have a bunch of shares to check or just want to do things quickly. -S to check shares, although you probably just want to do a -a for all.

root@localhost:~/enum4linux-0.8.9# perl -S
Starting enum4linux v0.8.9 ( ) on Tue Dec 15 22:34:52 2015

|    Target Information    |
Target ...........   
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

|    Share Enumeration on    |
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]

        Sharename       Type      Comment
        ---------       ----      -------
        www             Disk      Public Stuff
        IPC$            IPC       IPC Service (Samba Server Version 4.1.12)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

[+] Attempting to map shares on
//     Mapping: OK, Listing: OK
//$    Mapping: OK     Listing: DENIED
enum4linux complete on Tue Dec 15 22:35:09 2015

root@localhost:~# smbclient \\\\\\www
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
smb: \> ls
  .                            DR        0  Sat Dec 12 14:23:20 2015
  ..                            D        0  Thu Oct  8 11:53:20 2015

 oops                           D        0  Fri Nov 27 17:38:04 2015

Want to download a whole folder?

root@localhost:~# smbget -R smb://
Username for www at [guest] 
Password for www at 
Using workgroup WORKGROUP, guest user
smb://   smb://            

enum4liux is also super handy internally as it tries multiple ways to get a domain SID, if successful it will brute force the SID to enumerate all the SIDs/user accounts for the domain.