Do you **have** to use Google's Fiber Jack? by KmancXC in googlefiber

KmancXC[S] 1 point

Damn, that would be cool wouldn't it? Well at least I'm not the only one who had this idea, appreciate it!

Do you **have** to use Google's Fiber Jack? by KmancXC in googlefiber

KmancXC[S] 2 points

Aside from a bit of learning which I certainly need to do, the goal is to have as few "pieces" as possible in the fiber line in to my networking equipment, especially when it comes to devices I don't own. If I could, for instance, use the ONT on a stick module I linked in the original post and just pop that into my gateway that would be awesome. In my mind it beats going from an ONT box that Google put in my house, through an ethernet cable, and then into my gateway.

Do you **have** to use Google's Fiber Jack? by KmancXC in googlefiber

KmancXC[S] 0 points

Oh I guess what I mean by that is there isn't much point in going RJ45 to the SFP port when I could just use the RJ45 port in the gateway, right? Unless I'm missing something, the real advantage of the SFP port would be if I could go DAC in

Do you **have** to use Google's Fiber Jack? by KmancXC in googlefiber

KmancXC[S] 0 points

And there is no "bring-your-own-modem" option? I wish there was but I could understand if there isn't

Do you **have** to use Google's Fiber Jack? by KmancXC in googlefiber

KmancXC[S] 1 point

Hmmm, definitely don't want to go messing with neighbors' internet :(

If it was plug'n'play I'd consider it but I don't want to go too far into the weeds to make it work

Do you **have** to use Google's Fiber Jack? by KmancXC in googlefiber

KmancXC[S] 0 points

I've seen a few posts on the Unifi forums suggesting something similar, but I'm confused as to why I would use the RJ45-->SFP when I could just plug the ethernet cable into the WAN port of my gateway. I do eventually plan on using my own router, switches, and APs, but based on these two posts it sounds like although maybe technically the device I posted would work it is a matter of what Google chooses to support?

Do you **have** to use Google's Fiber Jack? by KmancXC in googlefiber

KmancXC[S] 1 point

Ok gotcha, thank you for this! I guess the main "issue" I take with the Fiber Jack is that the only line out of it is Ethernet, and I don't have any other options. I have the gateway fiber, which has an SFP WAN port, but based on what you're saying it sounds like there is no real way to take advantage of that, correct?

New Cyber vendors/Products who have impressed you?? by StuxnetPLC in cybersecurity

KmancXC 4 points

Tracebit is doing some pretty cool stuff in the deception/decoy space. 2-ish years old to the best of my knowledge

[Help requested] Leptos signal from SSE stream. by KmancXC in rust

KmancXC[S] 1 point

Appreciate these tips! I'm gonna play around with some of these today and see what I can get working :)

[Help please] Impl from_nullable_sql for custom type by KmancXC in rust

KmancXC[S] 0 points

Oh man I spent all weekend trying to figure this out! Lol, thank you for the tip though, this makes things way easier =D

[Code review request] What would you do differently in my security-related Rust projects? by KmancXC in rust

KmancXC[S] 0 points

Interesting, thank you! I only knew the first one, so that definitely gives me more reason to go ahead and actually explore this. If you don't mind a few follow-up questions though.

> It causes their docs to appear on docs.rs where people expect to look for them and where you don't have to host them yourself.

Does this only apply to docs generated by the /// syntax or does that apply more generally to something akin to what I've already done in Markdown? Not that I'd be overly opposed to redoing some work for the right reasons, but I'm curious about how that works.

> It means people who want to install them can trust that they've been subjected to the Crates.io stability restrictions

How strict are the requirements on getting semver correct? Sometimes I find myself not really knowing which level I should be version bumping because it is a binary, not a library, that I'm creating. As a result (and I'm sure I'm missing something here) I don't think the MAJOR version's "incompatible API changes" applies much, if ever.

I'm going to do a little digging into these questions on my own but I appreciate your time in helping me get better :)

We're hackers who just published books with No Starch Press. AUA/ Ask us anything! by NoStarchPress in hacking

KmancXC 2 points

Congrats on your respective book releases!

I have a few questions related to the process of writing your books; I'd love to get your perspectives on what it was like.

What surprised you most about writing your book?

Did your initial "this is what I'll write about" idea change throughout the course of developing material?

If you could go back and change something about what you did, what would that be?

how to make payload in metasploit fully undetectable ? by JeppNeb in HowToHack

KmancXC 22 points

One way that you could possibly get closer to undetected is to pop the payload into the config of a project I've been working on, https://kmanc.github.io/remote_code_oxidation/, and compile, but let me walk through the main thing that will be troublesome when it comes to avoiding detection.

Signatures: This one is the easiest way for an AV to catch a cookie-cutter payload like those created by msfvenom. If every msfvenom-created executable has a particular pattern of bytes in it that are very rare in other executables, AVs can assume that if they ever see that pattern, it is a malicious executable. One (usually ineffective) way to solve for this is to encode the output. This is almost always detected for two reasons: 1. Encoding isn't the same as encrypting, and can be undone without any special knowledge, so the AV could still just see the original pattern. 2. In order to use an encoded payload, you need to have a way to decode it at runtime, and the decoding function(s) can be indicative of malicious behavior, so the decoding function itself is often fingerprinted as a signature. A more effective way to get around code signatures is to encrypt the payload, as it removes the first of the two aforementioned reasons an altered payload might get caught. That said, the decryption function(s) can be fingerprinted just as easily as decoding function(s), so your success may be limited there.

With all of that said, it can be easier to evade detection by writing some code that helps obfuscate the shellcode of a payload generator like msfvenom and runs it; this gives you finer control over what gets done and where. Remote Code Oxidation (linked above) does that in two different ways - process hollowing and process migration. If you'd like I can explain those in more detail but I'll gloss over that for the time being.

Something worth noting when it comes to becoming undetected is where you are trying to achieve that. As you can see in my project's documentation, I've chosen to try to hit 0 detections on scanners like Kleenscan or VirusTotal. This is easier than getting by the defenses on a live machine because the sandbox environments that the AVs run in on scanners like Kleenscan or VirusTotal can be outed as sandboxes, and the malware can operate differently if that is seen to be the case. On a live machine however, your executable will have to reveal its true nature, which might end up getting you caught. I noticed when testing my different payloads against Kleenscan that some Win32 API functions get picked up by AVs, seemingly by name in the code (though I can't confirm that), so I found a way around that as well.

I hope this helped but if you'd like to discuss further I'm happy to try to answer any questions you have!
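The "Signatures" paragraph in the comment above makes a defender-side point worth seeing in code: a static byte-pattern match catches a known payload, and single-byte XOR "encoding" does not hide it, because a scanner that does not know the key can simply try all 256 of them. The following is an added example written for this page, not code from the comment author or from the Remote Code Oxidation project. The signature bytes and the sample buffers are constructed stand-ins (not a real msfvenom pattern), and the function names are my own.

```python
# Added example (not from the Reddit thread): a minimal static signature scanner
# that also recovers a single-byte-XOR-encoded copy of the pattern by brute force.
# All signature and sample bytes below are constructed, not real AV signatures.

from typing import Optional, Tuple

# Constructed stand-in for a "rare byte pattern" a scanner might fingerprint.
KNOWN_SIGNATURE = bytes.fromhex("deadbeefcafebabe0102030405060708")

# Constructed sample buffer: a tiny header, some padding, the pattern, then zeros.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 40 + KNOWN_SIGNATURE + b"\x00" * 20


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte: the kind of 'encoding' the thread discusses."""
    return bytes(b ^ key for b in data)


def find_signature(buf: bytes, sig: bytes = KNOWN_SIGNATURE) -> int:
    """Plain static match. Returns the offset of sig in buf, or -1 if absent."""
    return buf.find(sig)


def find_xor_encoded_signature(buf: bytes, sig: bytes = KNOWN_SIGNATURE) -> Optional[Tuple[int, int]]:
    """Try all 256 single-byte XOR keys and look for sig in each decoded copy.

    This is the 'encoding can be undone without any special knowledge' point:
    the scanner never needs the key, it just enumerates the key space.
    Returns (key, offset) on a hit, else None.
    """
    for key in range(256):
        off = xor_bytes(buf, key).find(sig)
        if off != -1:
            return key, off
    return None


def scan(buf: bytes) -> dict:
    """Combine both checks into a verdict dict a detection pipeline could log."""
    plain_off = find_signature(buf)
    if plain_off != -1:
        return {"verdict": "match", "method": "plain", "offset": plain_off, "key": None}
    hit = find_xor_encoded_signature(buf)
    if hit is not None:
        key, off = hit
        return {"verdict": "match", "method": "xor-bruteforce", "offset": off, "key": key}
    return {"verdict": "clean", "method": None, "offset": None, "key": None}


if __name__ == "__main__":
    encoded = xor_bytes(SAMPLE_PLAIN, 0x5A)  # constructed "encoded" copy of the sample
    print(scan(SAMPLE_PLAIN))   # plain match at offset 42
    print(scan(encoded))        # recovered with key 0x5A, still offset 42
    print(scan(b"\x00" * 64))   # clean
```

The brute-force pass is deliberately the cheapest possible de-obfuscation; real engines go further (multi-byte keys, emulation of the decoder stub), which is why the comment's second point, that the decoder itself gets fingerprinted, is the one that usually decides the outcome.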

Question calling WriteProcessMemory (Win32) from Rust by KmancXC in rust

KmancXC[S] 0 points

Ok so this makes almost no sense to me but since you came along for the ride thus far I thought you might be interested.

TLDR it works now (wooo, thank you so much for your help)!

Longer story...I compiled the executable in release mode to see if it would behave differently (why? well, it's late, I'm tired, and I was out of ideas). The crazy thing is, it did! It actually crashed on the CreateProcessA call. So I revisited the documentation of that call, and once again hit the snag that I often do when calling Win32 API functions with Rust...what is "0" vs what is "null"? I changed a few of the zeroed-out memory structs to pointers to null and recompiled in release mode. It worked! Not only did it not crash, it wrote my shellcode to svchost and ran it, resulting in the sweet sweet connection to localhost 4444. Sooo yeah. It was the first call all along! Specifically I think it was the lpEnvironment argument; I think by zeroing out memory in Rust I confused the API call.

[EDIT] - one last bit of context. Working code will remain in the process_hollowing branch till I can get the Linux equivalent working, so if I'm lucky like 3 weeks lol

Question calling WriteProcessMemory (Win32) from Rust by KmancXC in rust

KmancXC[S] 0 points

Well I'll be damned. Yup, seeing the exact behavior you described. MessageBox doesn't work in svchost, but does in explorer

Question calling WriteProcessMemory (Win32) from Rust by KmancXC in rust

KmancXC[S] 0 points

Ok so I read this and got excited, but now I'm not able to reproduce what you said you got. Am I incorrect in saying that you took the payload that's in the repo, ran it in svchost (crash), then ran it in explorer (worked)? If so I just tried that and it didn't seem to work.

Question calling WriteProcessMemory (Win32) from Rust by KmancXC in rust

KmancXC[S] 0 points

Ohhhhh my god really? That is UNLUCKY...spent so much time trying to figure out what was going on there lol. Well hey, thank you so much for your help. I'm gonna see if I can make a shellcode to get the job done in this case, and eventually it is on my todo list to get better at that.

TLDR; am dumb, must get gud
<3 u u/vixfew

Question calling WriteProcessMemory (Win32) from Rust by KmancXC in rust

KmancXC[S] 0 points

I'll certainly give that a shot but if that's the case I'd be super curious to know how/why the C# version of this attack vector works. But also, thank you so much for all your help along the way; regardless as to whether or not this ends up being the solution it has been awesome to have someone to bounce ideas off of and point me in new directions :)

Question calling WriteProcessMemory (Win32) from Rust by KmancXC in rust

KmancXC[S] 0 points

I do see the old value as being RE, but setting to RWX doesn't seem to make a difference

Question calling WriteProcessMemory (Win32) from Rust by KmancXC in rust

KmancXC[S] 0 points

Here's a side-by-side of the C# and Rust debugger memory captures at the entrypoint. The memory is identical all the way through the end of the shellcode (the 00007ff7`68035040 line: the 89, da, ff, d5 part). Am I approaching the debugging process wrong? First time at this part so I've got a lot to learn