This week the following subjects caught my attention:
1. CRTO
Thank goodness that the Certified Red Team Operator (CRTO) course offered by Zero Point Security migrated to an AWS billing format. Between my personal obligations, work, and grad school, I just have not been able to make much meaningful progress on this coursework. And I say this sadly, because this material is really, really good. I mentioned this last month, but this training in effect gives you your own license of Cobalt Strike to learn and operate with (which is incredible in itself).
This month I stepped through the Host Persistence and Host Privilege Escalation portions of the coursework. I welcome the introduction to the use of various beacons and the in-depth write-ups for subjects like COM hijacking and targeting Windows Services.
2. PocketAdmins
Following the work last month I had with the hak5 rubber ducky, I thought it’d be interesting to try and explore some more cost effective options (so as to offer a cheap method for deploying them as an attack vector).
My first take was to try and create my own BadUSB using CJMCU Arduino Leonardo clones. However, I found that the Arduino scripts uploaded failed time and again to initialize the microSD cards. I tried debugging it but without success; the only way I was able to get them to work was to compile and upload my own Arduino script directly into the board (which wasn’t as convenient as swapping out the microSD card). The last trick I had yet to try was to insert a smaller microSD card (i.e. less than 2GB), but then I found…
A better solution was to go with PocketAdmins, which are compatible with the same Ducky Script language as the hak5 devices. Even better, they come with plastic casing and an appropriate USB connection (which is way less conspicuous than the CJMCU approach). The PocketAdmins don’t use microSD cards (dropping the overall cost per device even more), instead using an onboard button to neutralize the uploaded Ducky Script (for overwriting). The icing on the cake: the producer of the PocketAdmins has made the code and assembly process open source, so it may be possible to mass-produce them at wholesale pricing!
I ordered 4 of them pre-built in order to evaluate their efficacy, but - assuming they work - I’m looking forward to trying to build more on my own.
3. Coursework
I’ve really been consumed with managing my time with graduate school. Since the last time I wrote in, I worked through two coding projects in C++ as well as my midterm exam. My current course - High Performance Computer Architectures - has been an in-depth examination of processors and caches, showing how seemingly small (otherwise imperceptible) changes can result in vastly different performance on a given machine.
My last project was a real slog, teasing out the differences between compulsory, capacity, and conflict misses experienced by a level 1 (L1) cache. In brief, a cache exists as a kind of shortcut when accessing memory (if your program has wanted something before, store it for rapid future access). Compulsory misses occur because a particular memory access has never been performed before (ergo, the cache could never have had this data stored to begin with); capacity misses occur as a result of overwriting/freeing cache contents because the cache space is finite (i.e. the data used to be in the cache, but because the cache is small it had to dump the data to free up space for other memory accesses); a conflict miss is somewhat similar to a capacity miss, but is forced as a result of how the cache’s internal logic is structured (aka cache “associativity”, which is outside the scope of this blog post).
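To make the three categories concrete, here is an added C++ example (my own illustration, not the course project itself) that replays a trace of byte addresses through a small LRU set-associative cache and labels each miss using the usual "three C" rule: a block never seen before is a compulsory miss; a block that a fully associative LRU cache of the same total size would also miss is a capacity miss; anything else is a conflict miss. Cache geometry (sets, ways, block size) and the traces are constructed inputs.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <list>
#include <unordered_set>
#include <vector>

// LRU cache with `nsets` sets of `ways` blocks each; MRU block at the front.
struct LruCache {
    std::size_t ways;
    std::vector<std::list<std::uint64_t>> sets;
    LruCache(std::size_t nsets, std::size_t w) : ways(w), sets(nsets) {}
    // Returns true on hit; on a miss, installs the block, evicting the LRU one.
    bool access(std::uint64_t block) {
        auto& s = sets[block % sets.size()];
        auto it = std::find(s.begin(), s.end(), block);
        if (it != s.end()) { s.erase(it); s.push_front(block); return true; }
        if (s.size() == ways) s.pop_back();   // evict least recently used
        s.push_front(block);
        return false;
    }
};

struct Counts { int hits = 0, compulsory = 0, capacity = 0, conflict = 0; };

// Three-C classification of every access in `addrs` (byte addresses):
// compulsory if the block was never touched, capacity if a fully associative
// LRU cache of the same total size misses too, conflict otherwise (the set
// mapping, not the size, forced the eviction).
Counts classifyTrace(const std::vector<std::uint64_t>& addrs,
                     std::size_t nsets, std::size_t ways, std::size_t blockBytes) {
    LruCache real(nsets, ways);        // the cache being studied
    LruCache full(1, nsets * ways);    // same capacity, fully associative
    std::unordered_set<std::uint64_t> seen;
    Counts c;
    for (std::uint64_t addr : addrs) {
        std::uint64_t block = addr / blockBytes;
        bool realHit = real.access(block);
        bool fullHit = full.access(block);   // always simulated to keep LRU state
        bool first = seen.insert(block).second;
        if (realHit) ++c.hits;
        else if (first) ++c.compulsory;
        else if (!fullHit) ++c.capacity;
        else ++c.conflict;
    }
    return c;
}
```

With a direct-mapped cache of two 16-byte blocks, the trace 0, 32, 0, 32 (two blocks that share a set) yields two compulsory and two conflict misses, while 0, 16, 32, 0, 16, 32 (three blocks cycling through two slots) yields three compulsory and two capacity misses plus one hit.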