Dominic White
SensePost at BlackHat & Defcon 2017
July is our favourite time of year, when thousands descend into Las Vegas for Blackhat/Defcon, or more commonly referred to as ‘Hacker Summer Camp’. This year, our camp councillors have been working hard to bring you all our latest creations.
BlackHat Training We’re running our usual training at BlackHat, and as usual have been working hard to build new courses and update others. Here’s a list:
BLACK OPS HACKING FOR PENTESTERS – MASTER LEVEL PENTESTING ENTERPRISE INFRASTRUCTURE – JOURNEYMAN LEVEL SECDEVOPS: INJECTING SECURITY INTO DEVOPS (NEW) TACTICS, TECHNIQUES AND PROCEDURES FOR HACKERS We’re pretty excited about the new SecDevOps course, which reflects what we’ve learned about transitioning old-style project pentesting into an agile world.
BSides Cape Town Secret Squirrel Challenge Write-Up
Last weekend was the BSides Cape Town conference, currently ZA’s only hacker con. It’s a cool little con with big dreams that get a little closer each time. This year was a lot a fun and well put together, congrats to all of the speakers organisers and volunteers.
SP gave some talks; Charl spoke about where we’re headed in a talk entitled Love Triangles in CyberSpace; a tale about trust in 5 chapters. Chris discussed his DLL preloading work and released his toolset. Finally, Darryn & Thomas spoke about exploiting unauth’ed X sessions and released their tool XRDP, it was also their first con talk ever.
Snoopy with Mana
In 2011 Glenn and Daniel released Snoopy, a set of tools for tracking and visualising wireless client activity. However, the Snoopy project is no longer maintained. This blog entry is about how I got Snoopy-like functionality built into Mana.
Snoopy’s core functionality was to observe probe requests for remembered networks from wireless clients, although it ended up doing much more.
The problem tools like Snoopy face, is that they can’t monitor the whole 2.4Ghz wireless spectrum for probe requests, without the use of multiple wireless cards. So they channel hop to make sure they see probes on multiple channels. In the 2.4Ghz range this wasn’t terrible, because the channels overlap, which means you didn’t have to tune in to all 11 or 14 (depending on location) channels individually to see probes across the spectrum. So while you may have missed a few probe requests, you didn’ t miss many.
Universal Serial aBUSe
Last Saturday, at Defcon 24, we gave a talk entitled “Universal Serial aBUSe: Remote Physical Access Attacks” about some research we had performed into USB attacks. The talk was part of a research theme we’ve been pursuing related to hardware bypasses of software security. We decided to look into these sorts of attacks after noting their use in real world attacks. For example, you have “Apex predators” such as the NSA’s extensive use of sophisticated hardware implants, most notably for this work, the COTTONMOUTH devices. On the other end of the scale, we noticed real world criminals in the UK and ZA making use of unsophisticated hardware devices, such as hardware keyloggers, drive imagers and physical VPN devices and successfully making off with millions. This led us to hypothesise that there’s probably a large series of possible attacks in between these two extremes. We also noted that there’s not many decent defences against these sorts of attacks, it’s 2016, and the only decent defence against decent hardware keyloggers is still to “manually inspect all USB ports” (assuming this stuff is even visible).
SensePost at Blackhat & Defcon 2016
The annual Hacker Summer Camp is nearly upon us, everyone at SensePost is getting ready. This is a brief overview of what we’ll be doing. The tl;dr is: BlackHat Training, BlackHat Arsenal x2, Defcon talk & Stickers :)
BlackHat Training We’re back at BlackHat for our 15th year of training with a selection of courses ranging from introductory courses for beginners through to hardcore courses for experts.
Basic Tools & Techniques for Hackers – Beginner Level Mobile Application Bootcamp – Journeyman Level Web Application Bootcamp – Journeyman Level Black Ops Hacking for Pentesters – Master Level Threat Intelligence using Maltego This one isn’t ours, but our good friends and business partners, Paterva :) BlackHat Arsenal We were fortunate enough to have two tools accepted for BlackHat Arsenal this year. We think building open source tools for the hacker community is an important part of how we roll, and we appreciate ToolsWatch and the NETpeas crews efforts with arsenal.
Handling Randomised MAC Addresses in MANA
mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases a while back, which we’ve just done. This is about one of the many changes pushed in our first new set of releases since October 2014; 1.3.1-Fixy McFixface. There’s a longer summary of what’s new available at the previous release page 1.3-WPE & ACLs with the WPE functionality extensions from and inspired by Brad Antoniewicz’s work being the coolest from a pwnage perspective.
Too Easy – Adding Root CA’s to iOS Devices
With the recent buzz around the iMessage crypto bug from the John’s Hopkins team, several people pointed out that you would need a root CA to make it work. While getting access to the private key for a global root CA is probably hard, getting a device to trust a malicious root CA is sometimes phrased as difficult to do, but really isn’t. (There’s a brief technical note about this in the caveats section at the end.)
Improvements in Rogue AP attacks – MANA 1/2
At Defcon 22 we presented several improvements in wifi rogue access point attacks. We entitled the talk “Manna from heaven” and released the MANA toolkit. I’ll be doing two blog entries. The first will describe the improvements made at a wifi layer, and the second will cover the network credential interception stuff. If you just want the goodies, you can get them at the end of this entry for the price of scrolling down.
Offence oriented defence
We recently gave a talk at the ITWeb Security Summit entitled “Offense Oriented Defence”. The talk was targeted at defenders and auditors, rather then hackers (the con is oriented that way), although it’s odd that I feel the need to apologise for that ;)
The talks primary point, was that by understanding how attackers attack, more innovative defences can be imagined. The corollary was that common defences, in the form of “best practise” introduce commonality that is more easily exploited, or at least degrade over time as attackers adapt. Finally, many of these “security basics” are honestly hard, and we can’t place the reliance on them we’d hoped. But our approach doesn’t seem to want to acknowledge the problem, and much like an AA meeting, it’s time we recognise the problem.
Rogue Access Points, a how-to
In preparation for our wireless training course at BlackHat Vegas in a few weeks, I spent some time updating the content on rogue/spoofed access points. What we mean by this are access points under your control, that you attempt to trick a user into connecting to, rather than the “unauthorised access points” Bob in Marketing bought and plugged into your internal network for his team to use.
I’ll discuss how to quickly get a rogue AP up on Kali that will allow you to start gathering some creds, specifically mail creds. Once you have that basic pattern down, setting up more complex attacks is fairly easy.