Blog
Advanced Cycript and Substrate
Mobile assessments are always fun as the environment is constantly evolving. A recent trend has been the use of custom protocols for communication between the application and server. This holds particularly true for financial institutes who are aiming to protect both the confidentiality and integrity of data. Most of these custom protocols are over TCP, wrap data in custom crypto, which usually includes signing of the payload to prevent tampering. Even when transmitted over HTTPS, we have noticed a trend where data within the HTTP body gets encrypted and signed using some custom crypto. Both of these processes can greatly frustrate testers using standard network intercepting tools.
Android hooking with Introspy
Here’s my first blog where I’ll try to write up how I’ve managed to set up the Introspy framework for the Android emulator.
First things first, if you haven’t downloaded the Android SDK do it now from here. I am on Ubuntu 14.04 x64 machine but hopefully you will be able to follow this guide as long as you are on a modern linux system.
Sidenote: Since you are gonna run many commands on the emulator I highly recommend that you open a new shell during this proccess (adb shell) and run the logcat command. That way you can see all the debug messages and if something fails, play around and see how can you solve it.
Understanding Locky
A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky” which utilises Dridex-like Command and Control (C&C) communications techniques. For some background reading, I recommend you read the following:
http://sensorstechforum.com/aes-128-encryption-employed-by-locky-ransomware/ https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/) http://www.theinquirer.net/inquirer/news/2447460/dridex-style-locky-ransomware-is-infecting-machines-via-microsoft-word It looks like a new (FEB2016) addition to the crypto-ransomware family :
1. Dirty Decrypt
2. CryptoLocker
3. CryptoWall / Cryptodefense
4. Critroni / CTB Locker
5. TorrentLocker
6. Cryptographic Locker
7. TeslaLocker
8. Locky
Bringing the hashes home with reGeorg & Empire
Is not a hack until you are 3 tunnels deep – Ian de Villiers
External assessments. It’s about not only finding flaws but also looking at ways you can chain lower and medium-level vulnerabilities together, to be utterly devastating and gain full access.
After situational awareness phase, pulling in all of my reconnaisance scans and input, I was left with typical results one might expect: missing patches here, little misconfiguration there, the typical…
Sensepost Maltego Toolkit: Skyper
Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain the most up to date information relating to your target. Skype, with over 300 million users, can be a vital source if used correctly.
The above graphic shows over 70 million active members and over 500 million users that have registered!.
As with all things online, many users leak sensitive information about themselves that those with the right skills, could harvest.
(local) AutoResponder
When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, cracking them and hoping for a weak password.
The problem is that sometimes fancy cracking rigs might not be available, it might be a mess to copy/paste all those hashes, send them, wait for an answer where you could already do some work locally, without any effort. We’re all lazy, and I’m even more lazy. That’s why I decided doing this project.
AutoDane at BSides Cape Town
Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks both globally and in South Africa specifically; one of the common first goals of many internal penetration tests is to get Domain Administrator (DA) level access. To assist with this, a plethora of tools and techniques exist, from the initial “in” through to elevation of privilege and eventually extracting and cracking all domain credentials.
Into The Cloud
SensePost Training in the Cloud Picture this. Every year, a group of Plakkers (our nickname for those who work at SensePost) descended into Las Vegas with more luggage than Imelda Marcos on a shoe shopping spree. In recent years, our kit list was immense. 200+ laptops, 25 servers, screens, switches and more backup disks than one should ever carry past TSA. Often we got there days before Blackhat started and spent 24 hours making sure our networks and servers started (inevitably they never did, which meant late nights debugging).
Wadi Fuzzer
“Operating system facilities, such as the kernel and utility programs, are typically assumed to be reliable. In our recent experiments, we have been able to crash 25-33% of the utility programs on any version of UNIX that was tested.” [1]
Those were the original words in one of the first fuzzing studies where Prof. Barton Miller was first to use the term ‘fuzzing’
One can see the importance of fuzzing as one of the techniques used to test software security against malformed input leading to crashes and in some cases exploitable bugs.
Abusing File Converters
Every now and then you run into a new file format and you find that you may not have a tool to parse that file. Or you are looking for an easy to use solution for you mom to access the photo’s you sent her in a .tar archive. This is where file conversion services come in, a quick Google for “online file converter” will yield multiple results. One thing to keep in mind when converting files, is that different file formats may support different features.