2013
Rogue Access Points, a how-to
In preparation for our wireless training course at BlackHat Vegas in a few weeks, I spent some time updating the content on rogue/spoofed access points. What we mean by this are access points under your control, that you attempt to trick a user into connecting to, rather than the “unauthorised access points” Bob in Marketing bought and plugged into your internal network for his team to use.
I’ll discuss how to quickly get a rogue AP up on Kali that will allow you to start gathering some creds, specifically mail creds. Once you have that basic pattern down, setting up more complex attacks is fairly easy.
Technical Project Manager Role
As SensePost grows, so does our desire to ensure a healthy balance between technical savvy and organisational skills. As a result, we are on the lookout for a Technical Project Manager based in our Pretoria office in South Africa.
Job Title: Technical Project Manager
Salary Range: Industry standard, commensurate with experience
Location: Pretoria, South Africa
About the role
Define and implement Project workflows for various service lines. Architect , source and implement a project management system that includes real-time, accessible scheduling system. Technical project scoping. (can grow into this responsibility over time) Lead the planning and implementation of project Facilitate the definition of project scope, goals and deliverables Define project tasks and resource requirements Develop fullscale project plans Assemble and coordinate project staff Manage project budget Manage project resource allocation Plan and schedule project timelines Track project deliverables using appropriate tools Provide direction and support to project team Drive quality assurance process Constantly monitor and report on progress of the project to all stakeholders Present reports defining project progress, problems and solutions Implement and manage project changes and interventions to achieve project outputs Project evaluations and assessment of results Education and Experience
A software level analysis of TrustZone OS and Trustlets in Samsung Galaxy Phone
Introduction:
New types of mobile applications based on Trusted Execution Environments (TEE) and most notably ARM TrustZone micro-kernels are emerging which require new types of security assessment tools and techniques. In this blog post we review an example TrustZone application on a Galaxy S3 phone and demonstrate how to capture communication between the Android application and TrustZone OS using an instrumented version of the Mobicore Android library. We also present a security issue in the Mobicore kernel driver that could allow unauthorised communication between low privileged Android processes and Mobicore enabled kernel drivers such as an IPSEC driver.
BlackHat Challenge – 2013
One of the things we try and get across in our training – is that pen-testing requires out of the box thinking. It’s also about solving puzzles and making things work the way you want them to. It’s about identifying the small vulnerabilities (which are often easy to spot), and trying to leverage them into something useful. A key process we strive to do at SensePost, when performing these penetration tests, is about having fun.
Honey, I’m home!! – Hacking Z-Wave & other Black Hat news
You’ve probably never thought of this, but the home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.
Under the hood, the Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels.
Something about sudo, Kingcope and re-inventing the wheel
Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was trivial since they are all imaged. Anyhoo – long story short, we have a user which is allowed to make use of sudo for a few commands, such as reboot and service. I immediately thought it would be nice to turn this into a local root somehow. Service seemed promising and I had a looksy how it works. Whilst it does do sanitation of the library path it does not remove LD_PRELOAD. So if we could sneak LD_PRELOAD past sudo then all should be good ?
Black Hat Vegas 2013 – Course Summaries
We have an updated breakdown of our BlackHat courses here
With the ‘early registration’ discount period coming to an end on May 31, I wanted to provide an overview of what courses we’re offering and how those courses fit together.
Please be sure to take advantage of these discounted prices whilst they’re still available. This summary will help you decide which course is best for you…
1. “Cadet” is our intro course. It provides the theoretical and practical base required to get the most of our other courses. Don’t let the introduction title put you off, this course sets the stage for the rest of the course, and indeed fills in many blanks people might have when performing offensive security assessments. We only offer it on the weekend (27th & 28th) but its really popular so we’ve opened a 2nd classroom. Plenty of space available, so sign up!
BlackOps Hacking Training – Las Vegas
BlackOps you say?
At SensePost we have quite a range of courses in our Hacking by Numbers series. We feel each one has its own special place. I’ve delivered almost all the courses over the years, but my somewhat biased favourite is our relatively new BlackOps Edition. Myself (Glenn) and Vlad will be presenting this course at BlackHat Vegas in July.
Where Does BlackOps fit in?
Our introductory courses (Cadet and Bootcamp) are meant to establish the hacker mindset – they introduce the student to psychological aspects of an attacker, and build on that to demonstrate real world capability. BlackOps is designed for students who understand the basics of hacking (either from attending Bootcamp/Cadet, or from other experience) and want to acquire deeper knowledge of techniques. We built the course based on our 12 years of experience of performing security assessments.
Stay low, move fast, shoot first, die last, one shot, one kill, no luck, pure skill …
We’re excited to be presenting our Hacking By Numbers Combat course again at Black Hat USA this year. SensePost’s resident German haxor dude Georg-Christian Pranschke will be presenting this year’s course. Combat fits in right at the top of our course offerings. No messing about, this really is the course where your sole aim is to pwn as much of the infrastructure and applications as possible. It is for the security professional looking to hone their skill-set, or to think like those in Unit 61398. There are a few assumptions though:
Your first mobile assessment
Monday morning, raring for a week of pwnage and you see you’ve just been handed a new assessment, awesome. The problem? It’s a mobile assessment and you’ve never done one before. What do you do, approach your team leader and ask for another assessment? He’s going to tell you to learn how to do a mobile assessment and do it quickly, there are plenty more to come.
Now you set out on your journey into mobile assessments and you get lucky, the application that needs to be assessed is an Android app. A few Google searches later and you are feeling pretty confident about this, Android assessments are meant to be easy, there are even a few tools out there that “do it all”. You download the latest and greatest version, run it and the app gets a clean bill of health. After all, the tool says so, there is no attack surface; no exposed intents and the permissions all check out. You compile your report, hand it off to the client and a week later the client gets owned through the application… Apparently the backend servers were accepting application input without performing any authentication checks. Furthermore, all user input was trusted and no server side validation was being performed. What went wrong? How did you miss these basic mistakes? After-all, you followed all the steps, you ran the best tools and you ticked all the boxes. Unfortunately this approach is wrong, mobile assessments are not always simply about running a tool, a lot of the time they require the same steps used to test web applications, just applied in a different manner. This is where SensePost’s Hacking by numbers: Mobile comes to the fore, the course aims to introduce you to mobile training from the ground up.