Network Security
This article explores a privilege escalation technique in z/OS mainframe systems by manipulating the Accessor Environment Element (ACEE). The technique involves creating an APF-authorized assembly program that modifies user flags in memory to gain SPECIAL privileges. The exploit demonstrates how low-level memory structures and system internals can be leveraged to escalate system access.
Mainframe application security testing requires looking beyond surface-level "green screen" interfaces. The article explores three key vulnerability areas in mainframe environments: application breakouts that allow unauthorized transaction access, surrogate chaining that can bypass environment segregation controls, and downstream misconfigurations in database and system components. Comprehensive security assessments must take a holistic approach to mainframe application testing.
CMLoot is a PowerShell tool designed to extract and analyze files from Microsoft Configuration Manager network shares. The tool automates exploration of content libraries, helping security professionals discover potentially sensitive information like credentials, certificates, and configuration details. By examining Distribution Points and Content Library structures, CMLoot enables systematic file inventory and selective downloading of interesting files.
The article details attack vectors against Jamf, a macOS enterprise management platform. Several techniques for compromising device management systems are explored, including password spraying, user enumeration, and policy abuse. An open-source Jamf Attack Toolkit was developed to demonstrate these techniques and to support testing for the underlying weaknesses.
A novel attack technique exploits Group Policy Object (GPO) processing in Active Directory by manipulating the gpLink attribute. An attacker with OU modification rights can redirect GPO resolution to a rogue domain controller, potentially compromising computers and users within that OU. The attack leverages default Active Directory configurations and can be executed with minimal domain user permissions.
Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.
This article details a Pass-the-Hash (PtH) attack technique against web applications using Windows NTLM authentication. The attack allows impersonation of domain users by injecting a user's NT hash to authenticate to web applications without knowing the actual password. A practical demonstration is provided using an Exchange 2013 server and Mimikatz to execute the attack.
A critical vulnerability was discovered in Cisco's APIC-EM SDN controller that allows unauthorized access to internal network services. By adding a static route and exploiting IP routing configurations, an attacker can bypass network isolation and directly access sensitive internal services without authentication. The vulnerability enables potential compromise of system credentials and unauthorized access to critical infrastructure components like Apache Cassandra and RabbitMQ.
A cybersecurity team demonstrated multiple attack vectors against industrial control systems (ICS) water treatment testbeds during a Capture the Flag competition. The attacks included establishing external command and control channels, overwriting historian database values, manipulating human-machine interfaces, and modifying programmable logic controller logic. Multiple techniques were used to compromise network systems and tamper with sensor data, exposing critical infrastructure vulnerabilities.
An Active Directory security vulnerability involves the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) User-Account-Control flag. The vulnerability can allow attackers to exploit Kerberos protocol extensions and potentially compromise domain controllers through dangerous authentication delegation attacks. Mitigation strategies include carefully managing account delegation settings and protecting sensitive user accounts.
Exchange ActiveSync (EAS) can be exploited to access internal Windows file shares using only user mailbox credentials. The vulnerability was confirmed in Exchange 2013 and 2016 with near-default configurations. Attackers can list file share contents and download files by using specific EAS commands, potentially bypassing traditional access controls.
ADOffline is a tool that converts Active Directory LDAP data into a SQLite database for offline analysis. It enables cybersecurity professionals to perform detailed reconnaissance by querying domain users, groups, and computers without maintaining a live connection to the domain controller. The tool supports complex SQL queries and provides intuitive views to explore Active Directory information.
A technique for remotely interacting with SSH keys stored in PuTTY's Pageant SSH agent on Windows is explored. The method leverages native functionality to proxy SSH authentication requests through a compromised workstation without traditional exploitation. An attack tool called PageantJacker enables forwarding authentication requests to a remote Pageant instance, allowing an attacker to use a target's SSH keys from their own machine.
Windows password history hashes may contain seemingly random data even when LanMan hash storage is disabled. Analysis of these historical hashes can reveal password patterns and potentially help guess current user credentials during security assessments. Password history examination demonstrates how users often create predictable password sequences despite technical controls.
A presentation on lateral movement techniques in network penetration testing explores abusing Pageant (PuTTY's SSH agent) on Windows hosts. The talk demonstrates a nearly undetectable method of tunneling SSH agent traffic using a meterpreter extension. Improvements were made to an existing reconnaissance tool to enhance its utility during simulated attacks.
A presentation on MPLS network vulnerabilities revealed critical security weaknesses in service provider network infrastructures. Network reconnaissance techniques were demonstrated that could expose internal Label Switching Router interconnections. The research highlighted potential VRF hopping attacks that could allow unauthorized traffic injection between different customer networks in shared MPLS environments.
The article discusses a technique for efficiently discovering users in nested Active Directory groups using the LDAP_MATCHING_RULE_IN_CHAIN OID. New Metasploit commands were introduced to perform comprehensive Active Directory user and group reconnaissance, allowing identification of users in complex nested group structures. The method enables penetration testers to quickly identify users with administrative privileges across nested group hierarchies.
A Metasploit module enables mass HTTP enumeration of web servers during penetration testing. The module efficiently extracts server headers, HTTP status codes, and page titles across large networks. It allows quick identification of interesting or anomalous hosts using Metasploit's database and multithreading capabilities.
ADEGrab is a memory injection tool designed to extract search results from Sysinternals' AD Explorer by directly accessing the application's memory. The tool allows penetration testers to copy search results from Active Directory exploration tools that do not natively support result export. It uses Windows API calls to read and manipulate memory within the AD Explorer process, enabling users to capture and save search results.
This article provides a comprehensive guide to password hash cracking techniques using Hashcat. It demonstrates how rule-based attacks can efficiently generate password variations from wordlists, significantly improving password guessing success rates. By empirically testing and developing targeted rulesets, password crackers can dramatically increase the number of cracked hashes.
Group policy hijacking attacks can compromise Windows networks by intercepting and manipulating group policy traffic. The attacks exploit vulnerabilities in SMB signing and Kerberos authentication to gain SYSTEM-level access on domain-joined systems. Multiple attack vectors allow attackers to modify group policy settings and execute arbitrary code on target networks.
The article details two Microsoft vulnerabilities (MS15-011 and MS15-014) that enable remote code execution on domain-joined Windows systems. These vulnerabilities can be exploited through a two-stage attack method to gain SYSTEM-level access by manipulating group policy and SMB signing configurations. A video demonstration shows how these vulnerabilities can be chained together to compromise hardened domain environments.
MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.
This whitepaper examines security vulnerabilities in Windows services, focusing on configuration-related flaws that can lead to privilege escalation. It explores six key service areas where misconfigurations can provide attackers opportunities to execute arbitrary code with elevated system privileges. The document provides insights into assessing and remediating potential security risks in Windows service configurations.
Metasploit modules for SAP system security assessment were developed to comprehensively test SAP enterprise environments. The modules enable penetration testers to discover SAP services, enumerate clients, perform brute-force attacks, and execute remote commands across different SAP connectors. Multiple attack techniques were demonstrated, including information gathering, credential extraction, and obtaining interactive shells on both Linux and Windows SAP systems.
A presentation at 44CON revealed significant security vulnerabilities in top supercomputers. The talk demonstrated novel attack techniques for compromising large-scale computing infrastructure. Penetration testing exposed lower security standards in high-performance computing systems compared to typical enterprise environments.
A team analyzed a massive 9TB internet scan dataset using cloud and NoSQL technologies. Multiple approaches were explored to make the data searchable, including Amazon CloudSearch for FTP banners, SQL databases for NBTStat scan results, and NoSQL databases like CouchDB and ElasticSearch for HTTP headers. The project focused on developing efficient parsing and search techniques for large-scale internet infrastructure data.
Dave Hartley's DeepSec presentation "SAP Slapping" explored vulnerabilities in SAP systems. The talk provided an overview of common misconfigurations and security weaknesses in enterprise software. Metasploit modules were demonstrated to highlight potential security risks in SAP infrastructure.
SAProuter is a SAP network proxy that can route TCP connections through firewalls. A proof-of-concept technique was developed to establish native connections through SAProuter. The method allows routing network connections and was demonstrated by integrating with Metasploit to access systems behind the proxy.
This presentation explores security testing methodologies for 4G (LTE) networks. The shift to IP-based communications in LTE networks introduces potential new security risks. The talk aims to provide insights into network security assessment and potential vulnerabilities in LTE deployments.
A vulnerability in SAP's Host Control service enables remote unauthenticated command execution on Windows SAP systems using SAP MaxDB. The attack involves manipulating parameters of the dbmcli executable to write and execute attacker-controlled commands. Metasploit modules were developed to demonstrate command injection across different SAP system interfaces.
MWR Labs released veripy, an open-source testing tool for IPv6 network transition. The tool aims to build confidence in hardware and software products supporting IPv6 networking. veripy is designed to help organizations navigate the complex shift from IPv4 to IPv6 infrastructure.
Metasploit modules were developed to assess SAP systems through Remote Function Calls (RFC). The modules enable security professionals to enumerate SAP clients, brute force logins, extract user hashes, and execute arbitrary commands across different SAP system configurations.
Dave Hartley presented the "SAP Slapping" talk at CRESTCon and BSides London, exploring common vulnerabilities in SAP systems. The presentation provided an overview of SAP security misconfigurations. Metasploit modules were demonstrated to highlight potential security weaknesses in SAP infrastructure.
A distributed hash cracking project explored using WebGL and WebCL technologies to crack password hashes through web browsers. WebGL proved unsuitable for hash computation, but WebCL showed promising performance for parallel processing of hash cracking. The project deployed a distributed system using web advertising to harness browser computing power for password retrieval.
MWR InfoSecurity launched a new open-source project called veripy to support IPv6 migration. The project aims to develop a tool for testing equipment readiness according to the RIPE 501 specification. The first version of the tool is planned for release in March 2012, with the goal of providing confidence in IPv6 networking hardware and software.
A whitepaper examines risks associated with middleware technologies, specifically WebSphere MQ. The document provides guidance for IT security managers on assessing and addressing potential vulnerabilities in middleware systems. The goal is to help organizations better understand and mitigate middleware-related security risks.
A presentation at DeepSec 2009 in Vienna explored security vulnerabilities in Symantec's Altiris Deployment Solution. Luke Jennings discussed potential weaknesses in enterprise deployment technologies. Presentation slides were made available to conference attendees.
A presentation at DeepSec 2009 explored security vulnerabilities in Symantec's Altiris Deployment Solution. The talk by Luke Jennings examined potential weaknesses in enterprise deployment technologies. Presentation slides are available for download from the original source.
This article explores the security challenges of legacy network protocols, particularly Systems Network Architecture (SNA), in enterprise environments. It emphasizes the critical importance of understanding network technologies beyond IP to effectively assess and mitigate security risks. The key message is that comprehensive network security requires deep knowledge of all protocols in use, not just modern IP-based technologies.
Luke Jennings will present research on vulnerabilities in Symantec's Altiris Deployment Solution at DeepSec '09 in Vienna. The presentation will focus on security issues in deployment technologies. Cybersecurity professionals interested in deployment solution security are encouraged to attend the conference.
This whitepaper examines security vulnerabilities in IBM WebSphere MQ middleware, a widely used enterprise messaging system. It highlights the complexity of securing middleware environments and introduces a penetration testing methodology for assessing WebSphere MQ security. The research aims to provide insights for security professionals responsible for protecting complex messaging infrastructure.
A presentation about IBM WebSphere MQ software security was delivered at DefCon 15 in Las Vegas on August 3rd, 2007. The presentation was given by MWR InfoSecurity and the slides are available for download from their website.
A presentation by Martyn Ruks at DefCon 14 in 2006 explored IBM network security testing methodologies. The talk focused on identifying potential vulnerabilities in IBM network infrastructure. Specific network security assessment techniques for IBM systems were discussed during the presentation.