Dealing with the Many Stages of Pen Test Result Grief Part 1 | SANS Pentest Blog

If you've done penetration testing for any length of time, I'm sure you've encountered it. You perform a beautiful penetration test — technically rigorous, focused on real business risk, all wrapped up with a solid report. You don't wanna brag, but you feel pretty darned proud of completing a job well done.

And happens. Target system personnel, the very people you've labored to help secure, blindside you with a barrage of criticisms of your findings in your draft report. Some penetration testers are shocked as target system personnel, both business decision makers and the technical people responsible for acting on the pen test findings, reject your results. It's almost as though they willfully don't understand your findings and the associated business risk. Your findings make perfect sense to you, yet they just don't get it despite your efforts to explain things as best you can. And, you still have to turn your draft report into a final report that is meaningful for the target organization. I've been there, my friends, right along side you. It can be soul crushing.

Man, this is so true I thought everyone should read it.


A great update to Cobalt Strike

Today’s Cobalt Strike release is the result of notes and my first-hand experience from five different exercises. There’s a lot of great stuff here, particularly for Beacon users.

Beacon’s HTTP stager uses WinINet to communicate [even before this update]. This has a benefit. The HTTP stager will authenticate to a proxy server when stored credentials are available. Sometimes, the current process does not know the credentials needed to get through a web proxy server. Beacon’s HTTP stager now detects this situation and prompts the user for credentials. The dialog is the same one Internet Explorer uses. Between Beacon’s new HTTP stager and DNS stager—you now have the tools to defeat most tough egress restrictions.

Cobalt Strike is one of my favorite tools. It makes the Team's life easier.


The Fox Mindset | Rogue Dynamics

Find what motivates those you seek to influence and their patterns to understand how to react. In all things think to yourself how you can think like a fox. Remove yourself from the confined thinking of the mundane. Seek to eliminate your instinctual responses and remove your ego from the equation. Be the unseen in the battle that drives the victory without seeking to bask in the spotlight. As you work on your own thinking the path to understanding will become more clear.

A solid piece by the folks at Rogue Dynamics.


Calling out readers for a logo design

Within the Red Team at the core of the Digital Ops Group there is a smaller team. We do very specific projects that go beyond Red Teaming.

This team was formed even before the Red Team was active and it does not have an official logo or callsign. We want to change that.
So, I want to run a contest here, much like I did when I was looking for a good logo for the Red Team (done by Jered). Readers can send their ideas for a logo. The winner gets a patch with the logo they had helped design, a Red Teams patch and if we are in your area the chance to go on a recon mission with the team.

The logo will be used on different things, from a patch to a letterhead to a report to a website... The simpler the logo, the better it will be in adapting to the different backgrounds. When thinking and then designing the possible logo please ask yourself:

  • Is the logo legible? Will the logo standout on a dark background? What about light? On a business card? Try to keep the design to a minimum set of objects. Simple is better. Too much stuff on the logo and the meaning will get lost in the noise.
  • Is the logo scalable? Will the logo (and its details) remain legible when you shrink it to be used as an icon? Will it look ok when used full size on a web page?
  • Is it functional? Finally, is the logo a functional logo? Again, in order to keep the logo legible and scalable it must be simple. Having little icons inside the main logo will work on a full size, maybe, but what about smaller sizes? Are those little details getting lost because there are so many of them?

A few guidelines:

  • the logo can include the original Red Teams logo, however a new design is encouranged.
  • it has to be sterile - no text - but convey the idea.
  • no frame is needed on the logo - it must be able to fit a square patch, a circular logo, etc.

A little more about the small team: The team performs both physical and digital deep recon. This includes information gathering prior to an operation or project (the team's main purpose), digital disruption operations and offensive digital warfare. It also performs phyical security disruption when called upon this. Essentially anything that might create problems for the target.

Please send your designs to

Have fun!


Faster Toward Disaster: A Brief Thought on OODA Loops | Red Team Journal

... If your adversary deceives you, “getting inside your adversary’s OODA loop” is perhaps the worst thing you can do; it suggests you’re accelerating with heightened confidence toward his ends based on the prompts he presents. Put differently, “observe” with hubris and you just might find yourself running faster toward disaster. (Of course the seasoned red teamer will quickly observe that you can turn this same principle against your adversary.)

As always, our friends at the Red Team Journal make an excellent point.

The backdoor, literally

Sometimes you spent weeks trying to figure out the best way to infiltrate your target, whether digitally or physically.

Sometimes all it takes is a trip to the back of the building.

A few months ago we were performing an initial recon on a new customer. He wanted us to check whether his security team did a good job in setting the perimeter. The finaly target was one of the server rooms inside the building, where their data center was located.  
We arrived after hours and after laying low for a few hours, observing and collecting *atmospherics*, we decided to go around the perimeter to map it. In the past we've found vulnerable points of entries that were no visible from a single OP (observation post).  
As we were coming to the back of the building, we noticed that the trash collecting trucks were leaving the building. The gates were open and there was no guards there, only a camera. We layed there observing for 40 minutes and nothing happened. After a brief exchange we went for it. 

Read More

Please join me on a minute of silence

Please join me on a minute of silence for the victims of the attack in Boston last year during the marathon.

Just stand quietly for a minute, please. Think and reflect on this. Think about how we can fight terrorism better. This is what I wrote last year:

It's time to be strong now. It's time to remember those that are no longer with us and hope for the wounded. Then we need to return to our lives. We need to show the terrorists that they cannot disrupt the freedom we have.

We are stronger than them.