Our Blog

Not-quite-triangulation using the who’s near me feature in location-aware web apps

When assessing web applications, we typically look for vulnerabilities such as SQLi and XSS, which are generally a result of poor input validation. However, logical input validation is just as important, and you can get tons of interesting info if it’s not done properly. Take the plethora of mobile apps that let you find people that are using the same app nearby. Logical validation on the coordinates you send should…

Too Easy – Adding Root CA’s to iOS Devices

With the recent buzz around the iMessage crypto bug from the Johns Hopkins team, several people pointed out that you would need a root CA to make it work. While getting access to the private key for a global root CA is probably hard, getting a device to trust a malicious root CA is sometimes described as difficult to do, but really isn’t. (There’s a brief technical note about this in…

DET – (extensible) Data Exfiltration Toolkit

Often, gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is to go after sensitive information and exfiltrate it to servers under their control. To prevent this from occurring, a whole industry has popped up with the aim of stopping exfiltration attacks. However, these products are often expensive and rarely work as expected. With this in mind, I created the Data Exfiltration…

Advanced Cycript and Substrate

Mobile assessments are always fun, as the environment is constantly evolving. A recent trend has been the use of custom protocols for communication between the application and the server. This holds particularly true for financial institutions, which aim to protect both the confidentiality and integrity of data. Most of these custom protocols run over TCP and wrap data in custom crypto, which usually includes signing the payload to prevent tampering.…

Android hooking with Introspy

Here’s my first blog, where I’ll try to write up how I’ve managed to set up the Introspy framework for the Android emulator. First things first: if you haven’t downloaded the Android SDK, do it now from here. I am on an Ubuntu 14.04 x64 machine, but hopefully you will be able to follow this guide as long as you are on a modern Linux system. Sidenote: Since you are gonna…

Understanding Locky

A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky”, which utilises Dridex-like Command and Control (C&C) communications techniques. For some background reading, I recommend the following:

http://sensorstechforum.com/aes-128-encryption-employed-by-locky-ransomware/
https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
http://www.theinquirer.net/inquirer/news/2447460/dridex-style-locky-ransomware-is-infecting-machines-via-microsoft-word

It looks like a new (FEB2016) addition to the crypto-ransomware family:

1. Dirty Decrypt
2. CryptoLocker
3. CryptoWall / Cryptodefense
4. Critroni / CTB Locker
5. TorrentLocker
6. Cryptographic Locker
7. TeslaLocker
8. Locky…

Bringing the hashes home with reGeorg & Empire

“Is not a hack until you are 3 tunnels deep” – Ian de Villiers

External assessments. It’s about not only finding flaws, but also looking at ways you can chain low- and medium-level vulnerabilities together to be utterly devastating and gain full access. After the situational awareness phase, pulling in all of my reconnaissance scans and input, I was left with the typical results one might expect: missing patches here, a little misconfiguration…

Sensepost Maltego Toolkit: Skyper

Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain the most up-to-date information relating to your target. Skype, with over 300 million users, can be a vital source if used correctly. The above graphic shows over 70 million active members and over 500 million users that have registered! As with all things online, many users leak sensitive…

(local) AutoResponder

When doing internals, an easy first step is usually to run Responder, wait to retrieve NTLM hashes, crack them and hope for a weak password. The problem is that sometimes fancy cracking rigs might not be available, and it can be a mess to copy/paste all those hashes, send them off and wait for an answer, when you could already do some work locally without any effort. We’re all lazy, and I’m even more…

AutoDane at BSides Cape Town

Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks, both globally and in South Africa specifically, one of the common first goals of many internal penetration tests is to get Domain Administrator (DA) level access. To assist with this, a plethora of tools and techniques exist, from the initial “in” through to elevation of privilege and eventually extracting and cracking all domain…