2016
PwnBank en route to Vegas
Everyone has a mobile phone (ok some have two) and the wealth of information people put into them is staggering. This single platform gives attackers an incredibly large attack surface area to target, so it’s no surprise we *love* owning mobile devices.
With this in mind, the countdown to Blackhat USA has begun and we will be launching our latest iteration of the Mobile hacking course to the eager and thirsty minds that find themselves at the sensory circus that is Las Vegas!
PowerShell, C-Sharp and DDE The Power Within
aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end.
A while ago this cool PowerShell exploit for MS16-032 was released by FuzzySecurity. The vulnerability exploited was in the secondary login function, which had a race condition for a leaked elevated thread handle, we wont go into much details about the vulnerability here though. It is a really awesome vulnerability if you want to read more details about it, I suggest you read James Forshaw’s blog post at Project Zero.
Handling Randomised MAC Addresses in MANA
mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases a while back, which we’ve just done. This is about one of the many changes pushed in our first new set of releases since October 2014; 1.3.1-Fixy McFixface. There’s a longer summary of what’s new available at the previous release page 1.3-WPE & ACLs with the WPE functionality extensions from and inspired by Brad Antoniewicz’s work being the coolest from a pwnage perspective.
Where SensePost meets the real world
SensePost Training at Blackhat USA
What is SensePost infrastructure training about and what does it give you as a novice pentester? What does it give you as a pentester looking to move into infrastructure hacking? Training at SensePost focuses on learning the Trade and not just the trick, thus our focus is on your testing methodology rather than simply showing you some cool tools. And what is this methodology you may ask, well it is one that aims to emulate real-world scenarios and push you into doing the attacks that are actively happening.
Not-quite-triangulation using the who’s near me feature in location-aware web apps
When assessing web applications, we typically look for vulnerabilities such as SQLi and XSS, which are generally a result of poor input validation. However, logical input validation is just as important, and you can get tons of interesting info if it’s not done properly.
Take the plethora of mobile apps that let you find people that are using the same app nearby. Logical validation on the coordinates you send should check that
Too Easy – Adding Root CA’s to iOS Devices
With the recent buzz around the iMessage crypto bug from the John’s Hopkins team, several people pointed out that you would need a root CA to make it work. While getting access to the private key for a global root CA is probably hard, getting a device to trust a malicious root CA is sometimes phrased as difficult to do, but really isn’t. (There’s a brief technical note about this in the caveats section at the end.)
DET – (extensible) Data Exfiltration Toolkit
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is to go after sensitive information and exfiltrate it to servers under their control.
To prevent this from occuring, a whole industry has popped up with the aim of stopping exfiltration attacks. However, often these are expensive and rarely work as expected. With this in mind, I created the Data Exfiltration Toolkit (DET) to help both penetration testers testing deployed security devices and those admins who’ve installed and configured them, to ensure they are working as expected and detecting when sensitive data is leaving the network.
Advanced Cycript and Substrate
Mobile assessments are always fun as the environment is constantly evolving. A recent trend has been the use of custom protocols for communication between the application and server. This holds particularly true for financial institutes who are aiming to protect both the confidentiality and integrity of data. Most of these custom protocols are over TCP, wrap data in custom crypto, which usually includes signing of the payload to prevent tampering. Even when transmitted over HTTPS, we have noticed a trend where data within the HTTP body gets encrypted and signed using some custom crypto. Both of these processes can greatly frustrate testers using standard network intercepting tools.
Android hooking with Introspy
Here’s my first blog where I’ll try to write up how I’ve managed to set up the Introspy framework for the Android emulator.
First things first, if you haven’t downloaded the Android SDK do it now from here. I am on Ubuntu 14.04 x64 machine but hopefully you will be able to follow this guide as long as you are on a modern linux system.
Sidenote: Since you are gonna run many commands on the emulator I highly recommend that you open a new shell during this proccess (adb shell) and run the logcat command. That way you can see all the debug messages and if something fails, play around and see how can you solve it.
Understanding Locky
A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky” which utilises Dridex-like Command and Control (C&C) communications techniques. For some background reading, I recommend you read the following:
http://sensorstechforum.com/aes-128-encryption-employed-by-locky-ransomware/ https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/) http://www.theinquirer.net/inquirer/news/2447460/dridex-style-locky-ransomware-is-infecting-machines-via-microsoft-word It looks like a new (FEB2016) addition to the crypto-ransomware family :
1. Dirty Decrypt
2. CryptoLocker
3. CryptoWall / Cryptodefense
4. Critroni / CTB Locker
5. TorrentLocker
6. Cryptographic Locker
7. TeslaLocker
8. Locky