Blog
Attacking smart cards in active directory
Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they used to login into their computers, emails, internal applications and more. None of the employees at the company had a password at all – this sounded really cool. In this post I will detail a technique used to impersonate other users by modifying a User Principal Name (UPN) on an Active…
Chaining multiple techniques and tools for domain takeover using RBCD
Intro In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario that could be used to escalate privileges on an Active Directory domain. I recently faced a network that had had several assessments done before. Luckily for me, before this engagement I had used some of my research time to understand more advanced Active Directory attack concepts. This blog post isn’t…
Intro to Chrome’s V8 from an exploit development angle
Last Christmas I was doing quite a bit of research around an exploit for Chrome’s JavaScript engine, V8. While most of the concepts around the exploit might seem familiar: for example, what is known as a Type Confusion today has the almost exact concept (or outcome) as a Use-After-Free vulnerability, one of the differences is that there is no free/malloc exploited directly; there is a huge difference in the root…
[Dual-Pod-Shock] Emotional abuse of a DualShock
Hacking PlayStation DualShock controllers to stream audio to their internal speakers. Ciao a tutti. I didn’t really know what this project was going to be about and where or how it would end up. The only thing I know is that I started working on it because one day I was bored and having a chat with a friend of mine: Your flat is like a Luna Park for nerds.…
Bypassing access control in BMC Control-D Report Viewer
BMC makes a number of mainframe-focused applications, one of which is Control-D. Control-D is a “Report Distribution system for distributed and mainframe platforms”. This blog post describes an authentication bypass vulnerability that was found, allowing access to restricted reports. To make mainframe-based reports accessible outside the mainframe, and to avoid having to create mainframe accounts for every report consumer, BMC provides a web application, making the reports available via a…
Obtaining shells via Logitech Unifying Dongles
In this post, I will recap some of the security research conducted on wireless keyboards and mice, and eventually show how current wireless keyboards and mice can be used to obtain a covert shell on a target computer. Around 2009, Max Moser realised that most wireless keyboards were simply transmitting the keystrokes in clear text. His initial research targeted systems using 27MHz radios. In 2010, he presented followup research targeting…
Hacking doom for fun, health and ammo
Remember iddqd and idkfa? Those are two strings were etched into my brain at a very young age where fond memories of playing shareware Doom live. For SenseCon ’19, Lauren and Reino joined me as we dove into some reversing of chocolate-doom with the aim of recreating similar cheats. The results? Well, a video of it is shown below. We managed to get cheats working that would: Increment your ammo…
The power of variant analysis (Semmle QL) CVE-2019-15937 and CVE-2019-15938
This post will try to do a small introduction to the QL language using real-world vulnerabilities that I found in the past, and it will end with a small challenge using QL. A few months ago, I heard of Semmle QL for the first time, what they do is perform multiple code analysis techniques against source code, and dump these results into a database. Then using the QL language, you…
mettle your ios with frida
For a long time I have wondered about getting Meterpreter running on an iOS device using Frida. It wasn’t until I had a Twitter conversation with @timwr that I was reminded of Mettle. It was finally time to give it a try. I built an objection plugin that would load it for you, which you can find here. My talk at DEF CON 27 mainly covered some ideas on how…
PEAP Relay Attacks with wpa_sycophant
Back in 2018, I was interested that MSCHAPv2 and NTLMv1 hashes crack using the same algorithms, and wanting to get onto the WiFi of one of our clients, I naively thought “Surely if you can relay NTLMv1 and it uses the same crypto as MSCHAPv2, you should be able to relay MSCHAPv2!”. The resulted in the creation of wpa_sycophant (and its helper berate_ap) to perform PEAP relay attacks. It was…