Teamserver Security Considerations Guidelines

byt3bl33d3r edited this page Oct 25, 2019 · 1 revision

Teamserver Security Considerations/Guidelines

It's strongly recommended to minimize access to the Teamserver port as much as possible, as I cannot ever guarantee that there won't be security vulnerabilities within the Teamserver (either through the client port or its listeners).

Therefore, when exposing the Teamserver port to the internet it is recommended to whitelist client IP addresses using a firewall either at the OS level or through network ACLs (e.g. Amazon VPC Firewall).

Client/Teamserver Authentication

The Teamserver itself enforces authentication by checking a cookie sent by the client (which is generated via HMAC). If any client connection to the Teamserver does not contain the authorization cookie, it will be rejected.

Listener Security

Listeners are spun up in their own separate process. Because of this, Connection objects are used between the listeners and the main Teamserver thread in order to receive events and data. Due to the nature of the way these Connection objects work, data received by them is pickled. From a security standpoint, pickling untrusted data is a horrible idea; however, I've tried to mitigate this by putting the data in a tuple before the Connection object pickles stuff. From my testing, this seems to mitigate potential RCE vulnerabilities.
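A different way to pass listener events over such a channel with no pickle step at all, shown as an added example that is not the project's code and is not the tuple approach described above: it assumes the Connection objects are Python's `multiprocessing.connection.Connection`, and swaps `send()`/`recv()` for `send_bytes()`/`recv_bytes()` carrying JSON. The event names, size cap and function names are hypothetical.

```python
import json
from multiprocessing import Pipe

MAX_EVENT_BYTES = 64 * 1024                         # assumed size cap per event
ALLOWED_EVENTS = {"session_checkin", "job_result"}  # hypothetical event names


def send_event(conn, name, data):
    """Listener side: encode the event as JSON and send it as raw bytes.

    send_bytes() writes the buffer as-is, whereas send() would pickle it.
    """
    frame = json.dumps({"event": name, "data": data.hex()}).encode("utf-8")
    conn.send_bytes(frame)


def recv_event(conn):
    """Teamserver side: read raw bytes and validate; never calls recv()."""
    # Oversized messages raise OSError and leave the connection unreadable.
    raw = conn.recv_bytes(MAX_EVENT_BYTES)
    try:
        msg = json.loads(raw)
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise ValueError("frame is not valid JSON") from exc
    if not isinstance(msg, dict) or set(msg) != {"event", "data"}:
        raise ValueError("unexpected frame shape")
    name, hexdata = msg["event"], msg["data"]
    if not isinstance(name, str) or not isinstance(hexdata, str):
        raise ValueError("bad field type")
    if name not in ALLOWED_EVENTS:
        raise ValueError("unknown event")
    return name, bytes.fromhex(hexdata)  # ValueError on non-hex input


if __name__ == "__main__":
    # Both ends live in one process here; a listener process would hold tx.
    rx, tx = Pipe(duplex=False)
    send_event(tx, "job_result", b"constructed sample output")
    print(recv_event(rx))
```

Because the receiving side only ever parses JSON, bytes that happen to form a pickle stream are rejected as malformed input rather than deserialized.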