Enumeration

Containers

Docs

Snmp

Network_scanners

Windows

Exploit

CPUs

meltdown

Binaries

Shellcode
aslr

Buffer_overflow

Docs

ropping

Canary_bypass

canary_bypass

Format_string

format_string

Integral_promotion

integral_promotion

Dns

zone_transfer

Hashes

collision

Imagemagick

imagetragick

Java

OGNL

cve_2022_26134

Level3_hypervisor

Docker_sec

docker

Linux

capabilities

Dirty_pipe

dirty_pipe

Pkexec

CVE_2021_4034

Sudo

wildard_exploitation

MacOS

Network

mac_spoofing

Padding

padbuster

Python

Samba

smbmap

Sqli

Ssl_tls

heartbleed

Web

Bypass_rate_limiting

bypass_rate_limiting

command_injection

Content_security_policy

content_security_policy

cookie_tampering
csrf

Forced_browsing

forced_browsing

http_header_injection

Idor

idor

Javascript

Jwt

local_file_inclusion
methodology

Nodejs

deserialization

Php

re_registration
remote_file_inclusion

Ssrf

Ssti

ssti

Xxe

Windows

Portable Executables

Shellcode

Dll_hijacking

dll_hijacking

Docs

Macros

macros

Payloads

windows_scripting_host

Print_nightmare

CVE-2021-1675

Nightmare-dll

print_nightmare

Process_injection

Service_escalation

service_escalation

Zero_logon

zero_logon

Yaml

deserialization

Forensics

Hashes

Bruteforce

patator

Password_cracking

Password_guessing

standard_passwords

Persistence

Post exploitation

Seatbelt

.github

ISSUE_TEMPLATE

CHANGELOG

Seatbelt

Commands

Windows

EventLogs

Output

Bc_security

Docs

Windows

pivoting

Priv_esc

Docs

linux_priv_esc
pspy

Windows

Kernel-exploits

Privesc-scripts

Docs

get_script_onto_target

Suid

Reverse engineering

Android

misc

Docs

Java

krakatau

Windows

portable-executable

Reverse shells

Docs

firewalls

Windows

Command and Control

Command and Control

Matrix
bcsecurity maintains Empire 4
Empire
Armitage
Covenant
Sliver
Server
- Listener
Payloads/Agents
- Staged/Dropper
- Stageless
Beacons from Agents, disguised through jitter
Modules
- Post Exploitation
- Pivoting

Domain Fronting

Use a Domain on the C2 server
User Cloudflare to proxy the request and responses to and from the target
Use HTTPs for channel encryption

Profiles

Server evaluates by custom user-agents to identify agents

Types

Std listener, TCP or UDP
HTTP/HTTPS, counter FW
DNS, if internet access of the target is flaky
SMB, counter network segments

Redirector

Apache or nginx as reverse proxy in front of the c2 server
FW is still needed in front of the redirector
These get burned instead of the c2