01 Jun 2018

Red Team Telemetry Part 1

After building and releasing PWNboard, I got some great feedback from many folks, especially Vyrus (seriously, thanks!). Vyrus gave me a little insight into what he and the National CCDC team were prepping, which made me realize they were leagues ahead of PWNboard. But it served as pure inspiration.

I started thinking about Red Team Telemetry (RTT) beyond CCDC: what lengths could one take it to, and how could I use telemetry to convey impact and insights on red team engagements? A few ideas came to mind almost immediately: have better insight into red team operations, and have a log of all actions taken against a target/organization to help the blue team improve their defenses.

04 Mar 2018

CCDC Red Team PWNboard

I built an operations tool for our Midwest CCDC Red Team called PWNboard. Our biggest challenge in these competitions is that we’re in a virtual environment where teams can revert the machines at any point and essentially kill our access. So monitoring the check-ins and backdoors is essential to maintaining access for the duration of the event. And that’s why I made PWNboard, an operational board that monitors our implants and backdoors. As Tim MalcomVetter put it, it’s offensive inventory management.

20 Feb 2018

Hybrid Cobalt Strike Redirectors

Working for an organization with a strict data security policy puts a few challenges on a Red Team, especially when it comes to building robust infrastructure. m0ther_ and I set out to build a robust, multi-redirector infrastructure similar to what Raphael Mudge described in his blog post, Cloud-based Redirectors for Distributed Hacking, except we wanted to host the team server on-prem. The post below describes two iterations of infrastructure we built to meet our needs.

09 Sep 2017

Experts Need Not Apply

Recently, I tried to hire an AppSec contractor to add some capacity to our team. The request went out to some contracting firms, and we received six resumes just a few days after posting. Now, the problem is that my team and I don’t have the capacity to interview that many candidates, or even a subset of candidates. So I decided to send all of the candidates a few relatively straightforward web app vulnerability challenges, or at least I thought they should have been straightforward or relatively simple to solve. The experiment showed us that the consultants, all of whom claim to have 5+ years of AppSec experience, couldn’t identify major flaws in some stripped-down CTF challenges. Their responses left me completely baffled and disheartened. I fear for our industry.

12 Mar 2017

Vulnerability Scanning - A False Sense of Security

As I tell my 6-year-old daughter, be a problem solver, not a complainer.

So I s

Seriously…WebSphere

During a recent test
