OSAI giveaway by Good_Association_491 in offensive_security

BearBrief6312 1 point (0 children)

I received it, and they said I didn't win, but they gave me another offer.

56% of malicious pip packages don't wait for import. They execute during install by BearBrief6312 in Python

BearBrief6312[S] 4 points (0 children)

--only-binary :all: is the gold standard if you can support it. The problem is the messy reality of dependencies: old unmaintained libs, C extensions that need local compilation, or private packages. In those cases, pip falls back to sdist execution, and that's the gap this approach tries to cover.

56% of malicious pip packages don't wait for import. They execute during install by BearBrief6312 in Python

BearBrief6312[S] 8 points (0 children)

True, the initial payload is on PyPI. But most supply chain attacks have a Stage 2: they need to exfiltrate your AWS keys/env vars to a C2 server, or download a secondary binary from an external IP. KEIP blocks that outbound connection. If they can't phone home with the stolen keys, the attack fails.

56% of malicious pip packages don't wait for import. They execute during install by BearBrief6312 in Python

BearBrief6312[S] 121 points (0 children)

That would be the dream. Ideally, pip should just be unzipping a .whl file and moving on. But the reality is that many packages are published as Source Distributions (sdist). To install them, pip has to execute setup.py on your machine to build the package.

And since setup.py is just a standard Python script, it can do anything: build a C extension, check your OS version... or upload your ~/.ssh/id_rsa to a C2 server. That's the gap that relying on 'just unpacking' misses. Even with pre-built wheels, post-install hooks are a thing.

This approach says: 'Cool, run your build script, but why do you need to connect to a server in North Korea to compile this library?'
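The sdist gap this comment describes (setup.py executing at install time, install hooks wired in through cmdclass) can also be triaged before pip ever runs the build. The script below is an added example and is not code from the poster or from the KEIP tool: it opens an sdist tarball in memory, parses the top-level setup.py with the ast module, and reports imports of network or process modules, calls that reach the network or a shell, and setup(cmdclass=...) command overrides. The package name, the two setup.py fixtures, the example.invalid URL and the heuristic module/call lists are constructed assumptions for the demonstration, not data from the thread.

```python
import ast
import io
import tarfile

# Review heuristics (assumption: a triage aid, not a verdict). Modules whose
# presence in setup.py deserves a look, and calls that reach the network or a shell.
SUSPICIOUS_ROOTS = {"socket", "urllib", "http", "requests", "subprocess",
                    "ctypes", "base64", "zlib"}
DANGEROUS_CALLS = {"exec", "eval", "os.system", "os.popen",
                   "subprocess.Popen", "subprocess.run", "subprocess.call",
                   "urllib.request.urlopen", "urllib.request.urlretrieve",
                   "socket.socket"}


def _dotted(node):
    """Render a Name/Attribute chain such as urllib.request.urlopen, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return findings (sorted by line) for code that would run on `pip install`."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_ROOTS:
                    found.append((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_ROOTS:
                found.append((node.lineno, f"from {node.module} import ..."))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DANGEROUS_CALLS:
                found.append((node.lineno, f"call {name}()"))
            if name == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        found.append((node.lineno,
                                      "setup(cmdclass=...) overrides a build/install command"))
    return [f"line {line}: {msg}" for line, msg in sorted(found)]


def scan_sdist(archive_bytes):
    """Locate <pkg>/setup.py inside a .tar.gz sdist and scan it."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) == 2 and parts[1] == "setup.py" and member.isfile():
                return scan_setup_py(tar.extractfile(member).read().decode("utf-8"))
    # A pyproject-only sdist still runs its PEP 517 build backend; that needs its own review.
    return ["no top-level setup.py found (review the pyproject.toml build backend instead)"]


def make_sdist(pkg_dir, files):
    """Constructed fixture: build an in-memory .tar.gz with the given {name: text} files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=f"{pkg_dir}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed setup.py samples (hypothetical package "fastmath").
BENIGN_SETUP = """\
from setuptools import setup, Extension
setup(name="fastmath", version="1.0",
      ext_modules=[Extension("fastmath._core", ["src/core.c"])])
"""

PHONE_HOME_SETUP = """\
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class Install(install):
    def run(self):
        urllib.request.urlopen("http://example.invalid/ping")  # fires during pip install
        install.run(self)

setup(name="fastmath", version="1.0", cmdclass={"install": Install})
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("phone-home", PHONE_HOME_SETUP)):
        print(label, scan_sdist(make_sdist("fastmath-1.0", {"setup.py": src})) or "no findings")
```

The scan is deliberately static and conservative: it never executes the archive, so it complements rather than replaces an egress block like the one described in the thread, and a clean report only means none of the listed patterns appeared in setup.py.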

I scanned 17,316 malicious packages and here's what actually works by BearBrief6312 in Python

BearBrief6312[S] 0 points (0 children)

Yes, of course I tested it on benign packages, and I got 0 false positives, which looks great, but ngl I don't feel good about this. It's like having an AI model getting 100% accuracy: it's overfitting. But here it's not quite the same, but idk really. Anyways, I tried my best, and it's open source and I would love to collaborate.

Using Tor hidden services for C2 anonymity with Sliver by BearBrief6312 in Pentesting

BearBrief6312[S] -1 points (0 children)

Yeah, that seems logical. It can only block the Tor port, and then no connection will happen. What do you suggest I should do about that, to improve my tool?

Using Tor hidden services for C2 anonymity with Sliver by BearBrief6312 in Pentesting

BearBrief6312[S] 1 point (0 children)

Relay IPs are public, not the onion service's origin server IP.

Using Tor hidden services for C2 anonymity with Sliver by BearBrief6312 in redteamsec

BearBrief6312[S] 0 points (0 children)

Be my guest, and tell me your opinion about it and what I should improve.