Channel: Encryption – Didier Stevens


How-to: Make Your Own Cert With OpenSSL on Windows (Reloaded)

As several things have changed since I published “Howto: Make Your Own Cert With OpenSSL on Windows” 5 years ago, I’m publishing an updated how-to. This time, I’m using the OpenSSL Windows binaries...




“Public” Private Cobalt Strike Keys

I found 6 private keys used by malicious Cobalt Strike servers. There’s a significant number of malicious CS servers on the Internet that reuse these keys, thus allowing us to decrypt their C2...




New Tool: cs-decrypt-metadata.py

cs-decrypt-metadata.py is a new tool, developed to decrypt the metadata of a Cobalt Strike beacon. An active beacon regularly checks in with its team server, transmitting metadata (like the AES key, the...



New Tool: cs-extract-key.py

cs-extract-key.py is a tool designed to extract cryptographic keys from Cobalt Strike beacon process memory dumps. This tool was already available in my beta repository. This tool can extract...



Update: cs-decrypt-metadata.py Version 0.0.2

This new version of my tool to decrypt Cobalt Strike metadata, now supports transformations. By default, encrypted metadata in Cobalt Strike traffic is encoded with BASE64 and then transmitted via the...



MiTM Cobalt Strike Network Traffic

I made a small PoC. cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike traffic, decrypts it and injects its own commands. In this video, a malicious beacon is terminated by sending it an...


PoC: Cobalt Strike mitm Attack

I did this about 6 months ago, but this blog post didn’t get posted back then. I’m posting it now. I made a small Proof-of-Concept: cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike...



Quickpost: Cracking PDF Owner Passwords

I added code to John the Ripper to crack PDF owner passwords (JtR cracks PDF user passwords only). Source code can be found here. Compiled Windows (Cygwin) and Linux (Ubuntu) executables can be found...




Update: xor-kpa.py Version 0.0.6

This is an update for my tool to perform XOR known plaintext attacks: xor-kpa.py. The tool has been updated for Python 3, and 3 new plaintexts have been added, all for Cobalt Strike configurations....




How-to: Make Your Own Cert With Web OpenSSL

I explain how to create certificates with OpenSSL on your Windows computer in my blog post “How-to: Make Your Own Cert With OpenSSL on Windows (Reloaded)“. If you can’t or don’t want to install...
