Blog
Dumping LSA secrets: a story about task decorrelation
While doing an internal assessment, I was able to compromise multiple computers and servers but wasn’t able to dump the LSA secrets because of a particular EDR being installed and pretty aggressive against me.
In this blog post we’ll see how this EDR was blocking me and why it is still possible to dump these secrets exploiting decorrelation attacks! As a bonus, I’ll show you a fancy way of retrieving the Windows boot key without having to dump the SYSTEM hive.
From a GLPI patch bypass to RCE
Introduction GLPI is a popular software used by companies, mainly in France. GLPI is usually used for two main purposes. Firstly it allows companies to see the inventory of their different equipment (such as: computers, software, printers, etc…). Secondly it is used for its ticketing system, allowing users to create tickets about their issues. It also has different roles for each user, those who can only create tickets (low privileges user), and those who get central access (again there are different roles here). During an internal penetration test, chances are that if you got an account, you will be a low privilege user, known as Self-Service.
Targeting an industrial protocol gateway
Inside industrial systems (also known as Operational Technology, or OT), devices communicate with each other and can be accessed over IP using familiar IT protocols (such as SSH, web services, etc.), as well as with a variety of industrial network protocols. Among them, you may have heard of Modbus, maybe S7comm, OPC-UA and a few others, but do you know all the industrial protocols you could find on industrial networks? It would take a lifetime to list them all, considering the field-specific standards, the manufacturer-dependent protocols and variations, the association-promoted specifications, and their numerous versions, layers, extensions and adaptations. In the end, an industrial process typically involves a collection of devices, servers and workstations that are likely to use many different protocols and still need to understand each other.
Guest vs Null session on Windows
If you have been doing internal assessments on Active Directory infrastructure you may have heard the following words: “Null session”, “Guest session” and “Anonymous session”. These words describe techniques that can be used on Windows servers to connect to resources and obtain information about a computer or Active Directory objects such as users or SMB shares you have access on. Even if these techniques are well known I realised that people, including myself, didn’t understand them completely. This got me wanting to better understand it, hence this blogpost :)!
From Discovery to Disclosure: ReCrystallize Server Vulnerabilities
TL&DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems, some of which had to do with insufficient hardening on the client’s side while others were new vulnerabilities I found that when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE.
Besides the disclosed vulnerabilities, some “features” were also used for malicious purposes. The replication and validation of the findings were done on my own test environment.
Mail in the Middle – A tool to automate spear phishing campaigns
Context In the chilly month of December 2023, my colleagues Jason (@BreakerOfSigns), Szymon (@TH3_GOAT_FARM3R), and myself (@felmoltor) were on a red team. This one was tough, but we had fun. We had to be a bit more creative than I am used to and two interesting things were done that are worth sharing:
Szymon and Jason physically broke into the client’s facilities. At a branch office, they left an implant using Rogan’s “Slimjim” device and it proved to be a solid and production ready project. Try it out and let us know how it goes. I developed a tool that we named Mail-in-the-Middle (Maitm for short). You can find it in our Github repository here: https://github.com/sensepost/mail-in-the-middle. I cannot speak in first person about the physical breakin beyond praising the excellent social engineering skills of both of my colleagues, but I can talk about Mail-in-the-Middle.
Deck of Cards CTF
I created a small crypto style CTF for Black Hat last year (we’re training again this year, check our courses out) and hid the starting point in an “easter egg” on a deck of cards. The deck of cards are a custom design by the SensePost training team, which were themed around hacking and were handed out during the conference. This post covers how we built it, and how to solve it.
Serial PitM
Sometimes you need to get in the way of a hardware device and its controller, and see what it has to say for itself. If you are lucky, the two parts are communicating using a serial port, and then it’s relatively simple to do. In this post, I will explain two scenarios where I had to do this, and the approach that I took in each. As a bonus, I’ll also show some hardware that I put together to make it easier.
Sensecon 23: from Windows drivers to an almost fully working EDR
TL;DR I wanted to better understand EDR’s so I built a dummy EDR and talk about it here. EDR (Endpoint Detection and Response) is a kind of security product that aims to detect abnormal activities being executed on a computer or a server.
When looking for resources about how EDR’s work, I realised that, even if there is a lot of literature available about EDR’s, there aren’t many articles explaining how an EDR’s is architected and how the different components of a EDR are orchestrated. This article aims to demystify how EDR’s work while building a custom one that will implement a few techniques used by real EDR’s.
your contributions, today
Keynoting 0xcon in Johannesburg this year, I had the immense privilege of talking and sharing ideas about something that is dear to my heart. That is, giving back more than you take. And by giving back I don’t mean *just* doing research or writing tools. Instead, giving back includes things like writing documentation or even just teaching someone else! In my talk, “your contributions, today” I reflected on a current view of practical security research and contributions in a time of ever-increasing systems complexity, abstractions and Instagram reels. By drawing parallels to the “Free-rider Problem” as described in an economics context, I argued that as an industry we need to caution against this phenomenon manifesting by actively making contributions.