Quick update to add SSL support to Genesis, my (very) generic rootkit dropper, which you can download at http://leetsys.com/programs/genesis/genesis-ssl.zip.  This allows us to download our rootkit over an encrypted tunnel.  Genesis still uses the curl library; however, I chose not to compile it statically in this case.  If you wanted to compile this statically you’d have […]

Overview
The fundamental issue with SSL is that of trust.  Despite all the effort that has gone into a robust and cryptographically secure design for SSL, its foundation is still easily abused.  In this paper I will explain an often-overlooked area of SSL exploitation.  That is the ability for any certificate to act as a […]

For the Eternally Impatient
The quick lowdown: I wrote a DLL capable of logging the credentials entered at logon for Windows Vista, 7 and future versions, which you can download at https://github.com/tdubs/credential-provider.  The credentials are logged to a file located at c:\cplog.txt.  Simply copy the DLL to the system32 directory and run the included register.reg […]
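A credential provider like the one above only works once it is registered with Winlogon, which is what the included register.reg does. The check below is an added example for the defender's side, not code from the post or from the credential-provider project: it enumerates every registered credential provider under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers, resolves each CLSID to its DLL through the InprocServer32 key, and flags any DLL that is not Microsoft-signed. The final line looks for the c:\cplog.txt output file the post names; everything else relies only on the documented registry layout.

```powershell
# Added example: enumerate registered credential providers and flag non-Microsoft DLLs.
# Not part of the original post or the credential-provider project.
$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

Get-ChildItem $cpKey | ForEach-Object {
    $clsid = $_.PSChildName                      # subkey name is the provider's {CLSID}
    $name  = (Get-ItemProperty $_.PSPath).'(default)'

    # Each provider is a COM in-proc server; its DLL path lives under HKCR\CLSID\{CLSID}\InprocServer32.
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = $null
    if (Test-Path $inproc) {
        $dll = (Get-ItemProperty $inproc).'(default)'
        $dll = [Environment]::ExpandEnvironmentVariables($dll)   # e.g. %SystemRoot%\system32\...
    }

    # Authenticode check: a dropped logger is typically unsigned, or signed by someone other than Microsoft.
    $signer = 'missing'
    if ($dll -and (Test-Path $dll)) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned/invalid ($($sig.Status))" }
    }

    [pscustomobject]@{
        CLSID   = $clsid
        Name    = $name
        Dll     = $dll
        Signer  = $signer
        Suspect = -not ($signer -like '*Microsoft*')
    }
} | Sort-Object Suspect -Descending | Format-Table -AutoSize

# The specific artifact this post's DLL leaves behind.
if (Test-Path 'C:\cplog.txt') { Write-Warning 'C:\cplog.txt exists: logon credentials may be being captured.' }
```

Run it from an elevated PowerShell prompt so HKCR and system32 are readable. Any row with Suspect = True, or a DLL path outside system32, is worth pulling for analysis; a legitimate third-party provider (smart-card or biometric vendors) will also show up here, so treat the signer as the discriminator rather than the mere presence of an extra entry.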

Scenario
You have an Internet system that you would like to administer remotely without leaving the administrative service open to the entire Internet.  However, you’re not always coming from the same source IP address.  Although it’s common practice to restrict access to only secure administration services (e.g. SSH), I’d like to avoid having any TCP […]

I just wrote this simple rootkit dropper using the curl library, which is extremely easy to customize to fit many needs.  Currently there are only three defines to change to specify the file you want to download and run.  Right now I’ve tested it grabbing the file via HTTP and executing it; it works very nicely. […]

Here’s the scenario: You send a target a backdoor through whatever means you want: phishing email, USB stick, whatever. If the network is like most environments today, it is not restricting outbound requests on standard ports like 80 or 443, and thus our backdoor calls home on these ports and we have a connection inside […]

I’m releasing version 0.01 of WOMAN (Who’s On Ma Network). I find myself creating fake access points often for penetration tests and created this very simple tool to fill a need of mine. When clients associate with me I want a quick and dirty (and reliable) way to identify which systems are active and the […]