2016
XRDP: Exploiting Unauthenticated X Windows Sessions
In this blog post we are going to describe some tools we created to find and exploit unauthenticated X Windows sessions. We recently presented these at BSides Cape Town.
What is X11? X also known as the X Window System is currently in its 11th version, hence the name X11. X is a basic windowing system which provides a framework for drawing and moving windows on a display device as well as interaction with a mouse and keyboard. X uses a client-server model, with the server being the computer running in front of a human user and the X client applications running anywhere on the network. This contradicts the normal view of a client-server model, where the server is running at a remote location and the client is running in front of the user. In short, X plays a central role in displaying graphical windows on a users terminal. The major use of X is for administering remote machines graphically (similar to a remote desktop session), however X only displays one window at a time. An example being an xterm (terminal) window.
BSides Cape Town Secret Squirrel Challenge Write-Up
Last weekend was the BSides Cape Town conference, currently ZA’s only hacker con. It’s a cool little con with big dreams that get a little closer each time. This year was a lot a fun and well put together, congrats to all of the speakers organisers and volunteers.
SP gave some talks; Charl spoke about where we’re headed in a talk entitled Love Triangles in CyberSpace; a tale about trust in 5 chapters. Chris discussed his DLL preloading work and released his toolset. Finally, Darryn & Thomas spoke about exploiting unauth’ed X sessions and released their tool XRDP, it was also their first con talk ever.
Rattler:Identifying and Exploiting DLL Preloading Vulnerabilities
In this blog post I am going to describe a new tool (Rattler) that I have been working on and discuss some of the interesting anomalies found while building it. Rattler can be found on our Github repo and was recently discussed at BSides Cape Town.
What is Rattler? Rattler helps identify which application DLL’s are vulnerable to DLL preloading attacks. In a nutshell, DLL preloading attacks allow you to trick applications into loading and executing malicious DLL’s. DLL preloading attacks can result in escalation of privileges, persistence and RCE in some cases. While preloading attacks are nothing new, there were some interesting results found. For more information on DLL security, I found this link to be helpful.
Intercepting passwords with Empire and winning!
This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now guard thee, miscreant, for I am Tirian of Narnia.
C.S. Lewis
tl;dr You are part of the red team who’s just compromised the entire AD infrastructure. The blue team quickly changes the password, which is always recommended, but is this effective in preventing the red team from still inflicting damage?
Kwetza: Infecting Android Applications
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to do the same with a new tool, Kwetza, that I’m releasing today.
Infecting Android applications provides a great way to determine the impact and affect of the malicious activities we see in the wild, from ransomware to practical jokes. This not only provides you with an entry point onto user devices, but also allows you to see how devices, users and anti-virus behave in these situations.
Snoopy with Mana
In 2011 Glenn and Daniel released Snoopy, a set of tools for tracking and visualising wireless client activity. However, the Snoopy project is no longer maintained. This blog entry is about how I got Snoopy-like functionality built into Mana.
Snoopy’s core functionality was to observe probe requests for remembered networks from wireless clients, although it ended up doing much more.
The problem tools like Snoopy face, is that they can’t monitor the whole 2.4Ghz wireless spectrum for probe requests, without the use of multiple wireless cards. So they channel hop to make sure they see probes on multiple channels. In the 2.4Ghz range this wasn’t terrible, because the channels overlap, which means you didn’t have to tune in to all 11 or 14 (depending on location) channels individually to see probes across the spectrum. So while you may have missed a few probe requests, you didn’ t miss many.
What to look for in a training provider
In the last few years, the infosec training scene has exploded. Arguably, the largest training provider is Blackhat, and in the last 15 years we’ve seen it grow from a handful of courses to 106 at the last BlackHat USA. With many courses purportedly offering the same or similar content, it’s getting harder to choose as a student.
This blog entry will cover some of the stuff we think makes our courses pretty great, and why we’re so proud of them. It may also help you to evaluate whether our courses are what you’re looking for at at least how to spot the better courses (not just ours) in a list of 100+.
The Basics
It’s our belief that if you have a deep passion for the work you do, then not only will you work hard to be great at it, you’ll also enjoy sharing that passion by teaching others. It’s held true for us for many years, and we make a point of putting our best analysts, rather than specialised trainers, to run our courses.
MAPI over HTTP and Mailrule Pwnage
History In December 2015 Silent Break Security wrote about “Malicious Outlook Rules” and using these to get a remote shell. This was great, we could now use those credentials found through brute-forcing OWA instances or a phishing page. The only issue I had with this was the fact that you needed to setup a local instance of the mailbox, which at times could be time consuming and also felt like overkill.
Universal Serial aBUSe
Last Saturday, at Defcon 24, we gave a talk entitled “Universal Serial aBUSe: Remote Physical Access Attacks” about some research we had performed into USB attacks. The talk was part of a research theme we’ve been pursuing related to hardware bypasses of software security. We decided to look into these sorts of attacks after noting their use in real world attacks. For example, you have “Apex predators” such as the NSA’s extensive use of sophisticated hardware implants, most notably for this work, the COTTONMOUTH devices. On the other end of the scale, we noticed real world criminals in the UK and ZA making use of unsophisticated hardware devices, such as hardware keyloggers, drive imagers and physical VPN devices and successfully making off with millions. This led us to hypothesise that there’s probably a large series of possible attacks in between these two extremes. We also noted that there’s not many decent defences against these sorts of attacks, it’s 2016, and the only decent defence against decent hardware keyloggers is still to “manually inspect all USB ports” (assuming this stuff is even visible).
SensePost at Blackhat & Defcon 2016
The annual Hacker Summer Camp is nearly upon us, everyone at SensePost is getting ready. This is a brief overview of what we’ll be doing. The tl;dr is: BlackHat Training, BlackHat Arsenal x2, Defcon talk & Stickers :)
BlackHat Training We’re back at BlackHat for our 15th year of training with a selection of courses ranging from introductory courses for beginners through to hardcore courses for experts.
Basic Tools & Techniques for Hackers – Beginner Level Mobile Application Bootcamp – Journeyman Level Web Application Bootcamp – Journeyman Level Black Ops Hacking for Pentesters – Master Level Threat Intelligence using Maltego This one isn’t ours, but our good friends and business partners, Paterva :) BlackHat Arsenal We were fortunate enough to have two tools accepted for BlackHat Arsenal this year. We think building open source tools for the hacker community is an important part of how we roll, and we appreciate ToolsWatch and the NETpeas crews efforts with arsenal.
Page 1 of 3
Next