Here are some strings pulled from mostly headers and other key pieces of the webshells for detection. You can search your network for these strings or make simple rules to match these patterns to find webshells on your network. //Starting calls if (!function_exists(“getmicrotime”)) {function getmicrotime() {list($usec, $sec) = explode(” “, microtime()); return ((float)$usec + (float)$sec);}} .. $shver = “1.0 … Read more
FIREBALL Adware or Malware? The malware, called Fireball, acts as a browser-hijacker but and can be turned into a full-functioning malware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.Fireball is spread mostly via bundling i.e. installed on … Read more
Ransomware is nothing new, since 2012 it has been wreaking havoc on the world. The TTPs for delivering and infecting victims has changed over the years but the end goal remains the same, give me your money or you’ll never see your files again. Some of the first ransomware campaigns used mechanisms such as exploit … Read more
Network Pivoting using SSH tunneling and forwarding: Is Microsoft Network Monitor was installed? If so, depending on which version, you may have to run netmon, netcap, or nmcap, each of which has slightly different features and syntax. For example, if Network Monitor 3 is installed running, you could execute the following command at a shell prompt: C:\> NMCap … Read more
Directory Brute Forcing and Service Brute Forcing The OSCP exam will almost certainly have a service that you can brute force a local or admin account on, there will also be webservers that will have unlinked content that you can find such as password files, user accounts and developer portals that provide easy access. You … Read more