UHC - Jarmis

00:00 - Intro going over the attack chain, SSRF to Protocol Smuggling to OMIGod 01:17 - Using nmap and then checking out the website and adding the DNS Names to our host file 04:20 - Running GoBuster to discover the /docs directory, which is swagger documentation 06:00 - Reading the documentation and explaining JARM Signatures 09:45 - Explaining the front-end which just makes accessing the backend pretty 10:15 - Using Shodan to search JARM Hashes, which would be useful if you're looking for specific attack servers or collisions 11:55 - Dumping all the JARMS by abusing sequential ID's with a for loop and curl 14:04 - Whoops... Copied the wrong JARM, this was not cobalt strike lol. 15:50 - Running ncat with ssl, and checking if it is malicious... It's not malicious because the metadata was not there 16:50 - Using metasploit to show it would detect it as malicious 18:40 - Using IPTables to change the port on every 11th request with iptables -I PREROUTING -t NAT -p tcp --dport 443 -d 192.168.1.230 -m statistic --mode nth --every 11 --packet 10 -j REDIRECT --to-port 8443 21:50 - Showing Gopher connecting to our ncat 23:25 - Finding a way to enumerate ports listening on localhost and discovering 5985 and 5986 are open 26:05 - Using wfuzz to bruteforce all ports (1-65535) 29:20 - Downloading the OMIGod Exploit to grab the payload which we will use later 33:00 - Using openssl to generate private certificates for our python webserver. 33:25 - Creating a python webserver that listens on https 35:50 - Testing adding a Gopher HTTP Redirect on our custom python webserver 39:50 - Explaining that Gopher adds two bytes to the end of the Smuggled Request 41:50 - Using burpsuite to build the payload for us and convert it all to URL Encoding 44:00 - Updating our payload to have the correct URL for our gopher request 45:00 - Showing how to reset the iptables counter 46:40 - Showing how to do this exploit with Metasploit by coding a listener 52:40 - Debugging the MSF Module we creat