Blog posts

2018

C2 Profile Updates

12 minute read

I recently started describing how to track red team operations in my Apfell project. It’s pretty rudimentary, and there’s a lot that still needs to be done, but it’s a start. I covered the idea of tracking individual payloads, but there are still a few things missing. One of those is the idea of a command and control (C2) profile.

Beginning the operational tracking

5 minute read

In my previous post, I started describing what I want to see in offensive frameworks in terms of tracking. I spent the past week updating Apfell to start including this kind of logic to support a broad range of features that will come soon.

Current frameworks: the upsides, the downsides, and my ideal

13 minute read

There are currently a lot of amazing frameworks out there (open source or for purchase), so people are probably wondering why I started the long process of creating my own. I wanted to take a few minutes to walk through some of the current frameworks and discuss what I like, what I wish was different, and finally some of the bigger goals of my framework.

Bare-Bones Apfell server code release

9 minute read

It’s been a long time since my last post, but it’s finally time for the bare-bones Apfell server code release. There will also be a drop of a bare-bones Apfell implant to go with it and an accompanying blog series coming soon talking about design decisions, future ideals, and updates.

Creating an Apfell - Part 6

10 minute read

Ok, now that we’re starting to get a bunch of stuff added to our ecosystem, we want to make sure that it’s not just open to anybody. Additionally, we’ll want people to actually log in so that we can track which operators run which commands, spawn which processes, and create which payloads. I’ve seen a lot of times where we’ll get seemingly random new callbacks and have to check with everybody to track down that somebody spawned a new, redundant access. Eventually this will even be an interesting way to lock down the capabilities of certain operators so that they have to get approval from more senior members of a team before being able to run potentially OPSEC-unsafe techniques. How will we do this? Initially, we’ll create a registration page and a login page that submit a web form. Then, we’ll go through and mark which pages require authentication to be accessed.

Creating an Apfell - Part 5

8 minute read

We have three more components to cover before the initial release of this section of Apfell. Last time, we covered websockets and how to get data asynchronously to the JavaScript running in a user’s browser. But all we did was log it to the console. That’s not very exciting, and it doesn’t actually do anything useful for us. So, we need a way to automatically update the document object model (DOM) of our webpage when we get data through our websocket. Welcome, Vue.js.

Creating an Apfell - Part 4

10 minute read

At the end of the last post we were starting to make some progress. We had a very basic RESTful interface that can communicate with a PostgreSQL database and a basic templating engine to create a graphical user interface. To do this, we leveraged Jinja2 and Twitter Bootstrap for building our user interface. If we go back to our original diagram, we’re only missing a few more pieces.

Creating an Apfell - Part 3

8 minute read

At the end of the last post we ended up with a very basic RESTful interface that can communicate with a PostgreSQL database. To do this we leveraged peewee (for our ORM) and peewee-async (for our connections). If you go back to our initial diagram of everything that will be included, we started with the web server in the middle. We used Python 3.5+ and Sanic to get a RESTful interface. Then, we used PostgreSQL, peewee, peewee-async, asyncio, and uvloop to create an asynchronous loop for doing database interactions and hooked those up to our prior RESTful API.

Creating an Apfell - Part 2

7 minute read

At the end of the last post we ended up with a very basic RESTful interface to work with some ‘operators’ and ‘callbacks’ by leveraging Python 3’s asyncio (async and await) and the Sanic project. From the first post, we said there are three main parts to this section of our project:

  • Database
  • Web Server (Sanic)
  • User Interface

Creating an Apfell - Part 1

9 minute read

The next tool I’m creating to help with Mac-based red teaming is called Apfell. This is a slight play on words, since the German word for apple is Apfel. Apfell will be a collaborative red teaming framework and toolset to help with performing assessments on Macs. There are a bunch of different kinds of tools out there that aim to accomplish the same thing, but they all tend to rely on Python or Java. One of the goals is for the Apfell implant to be coded in Mac-specific languages (JavaScript for Automation, AppleScript, Objective-C, and Swift). There will be support for running terminal commands and Python as well, but this will not be the focus.

Active Directory Discovery with a Mac

13 minute read

Due to the nature of the work, many red teamers have a much stronger focus on Windows enterprise networks. Because of this, red teamers have a myriad of tools and experience for querying Active Directory from a Windows box. Many red teamers start off with the common net user, net group, and net localgroup commands, and now everybody is familiar with Will Schroeder’s PowerView project. Some red teamers still want to use something like dsquery to run custom LDAP queries, such as dsquery * -filter "(&(objectclass=group)(name=*admin*))" -limit 1 (this is also possible with PowerView). You can even run something like the BloodHound project to quickly get an insane amount of Active Directory information if you have the ability to run PowerShell or C# code. What if you’re on a Mac though?