Showing Posts About

Network security

A bit of a Fixer Upper - Testing FIX-backed applications

This article explores testing and intercepting FIX protocol applications using MitM_Relay and Burp Suite. A custom Python script was developed to maintain message integrity when modifying FIX messages. A Burp extension called "Fixer Upper" was created to simplify FIX message interception and modification.

Detecting Exposed Cobalt Strike DNS Redirectors

A technique was developed to detect exposed Cobalt Strike DNS redirectors by identifying DNS servers that consistently return the same IP address for all domain queries. The method involves scanning DNS servers and analyzing their response patterns to identify potential Cobalt Strike infrastructure. An internet-wide survey was conducted to validate the detection approach, revealing multiple potential Cobalt Strike DNS servers.

Attack Detection Fundamentals 2021: Windows - Lab #4

This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.

  • 27 Aug 2020

Exploiting CVE-2019-17026 - A Firefox JIT Bug

A detailed technical analysis of a critical vulnerability (CVE-2019-17026) in Firefox's SpiderMonkey JIT compiler was presented. The vulnerability involves type confusion and bounds check elimination in the IonMonkey JIT compilation process. The article explores how carefully crafted JavaScript can exploit interactions between multiple compilation chains to bypass JIT compiler safeguards and potentially execute arbitrary code.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #5

This article explores lateral movement techniques using Windows Management Instrumentation (WMI) in cybersecurity attack detection. The lab demonstrates detection strategies for both native WMIC commands and Impacket's wmiexec tool. Key detection opportunities include analyzing process creation events, network traffic patterns, and examining parent-child process relationships during WMI-based lateral movement attacks.

  • 15 May 2020

Internet Exploiter: Understanding vulnerabilities in Internet Explorer

This article provides a deep technical analysis of CVE-2020-0674, a use-after-free vulnerability in Internet Explorer's legacy JScript engine. The analysis explores the internal mechanics of the JScript interpreter, garbage collection process, and demonstrates complex exploitation techniques to bypass security mitigations. The research reveals how an attacker could potentially execute arbitrary code by manipulating memory management in the legacy JavaScript engine.

  • 20 Dec 2019

Opening Up the Samsung Q60 series smart TV

A technical analysis was conducted on the Samsung Q60 series smart TV, exploring its hardware, firmware, and network services through detailed reverse engineering techniques. The investigation involved board-level analysis, extracting and examining the eMMC flash memory, and investigating the proprietary VDFS filesystem. Multiple approaches were used to understand the TV's internal architecture, including examining debug ports, firmware upgrade processes, and network services.

  • 31 Oct 2018

Undisable Restricted Admin

Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.

Big Game Fuzzing Pwn2Own Safari T2

A presentation detailed vulnerability research targeting macOS Safari at Pwn2Own. The talk covered specialized fuzzing tools and exploit development techniques for browser security. Specific vulnerabilities were discussed, including a heap underflow in the browser and a sandbox breakout using uninitialized memory.

  • 13 Apr 2018

Some Brief Notes on WebKit Heap Hardening

WebKit has implemented substantial heap hardening techniques to improve memory safety in browsers. The changes include Gigacages, which isolate different object types into separate heaps, and IsoHeap, which allocates objects in dedicated memory pages. Additional protections involve pointer poisoning to make type confusion attacks more difficult.

  • 7 Jul 2017

Using Windows File Auditing to Detect Honeyfile Access

Windows file auditing offers a covert method for detecting unauthorized access to sensitive files on network shares. By configuring native Windows audit policies, detailed logs can be generated when interactions occur with specific "honeyfiles". This technique provides a low-noise, high-fidelity approach to monitoring potential security breaches on file systems.

  • 29 Jun 2017

Offensive ICS Exploitation: A Description of an ICS CTF

A cybersecurity team demonstrated multiple attack vectors against industrial control systems (ICS) water treatment testbeds during a Capture the Flag competition. The attacks included establishing external command and control channels, overwriting historian database values, manipulating human-machine interfaces, and modifying programmable logic controller logic. Multiple techniques were used to compromise network systems and tamper with sensor data, exposing critical infrastructure vulnerabilities.

  • 21 Apr 2017

Logic Bug Hunting in Chrome on Android

A methodology for identifying logic flaws in mobile applications is demonstrated through an analysis of Chrome for Android. The approach focuses on finding logic bugs that enable access to user files and emails without memory corruption exploits. A specific logic bug in Chrome for Android is highlighted as allowing attackers to bypass Android Nougat security mechanisms.

  • 10 Jan 2017

Digital Lockpicking: Why Your Front Door Shouldn't Be On The Internet

A critical vulnerability was discovered in FingerTec/ZKTeco biometric access control devices. The unencrypted UDP protocol allows attackers to create unauthorized admin accounts, extract user data, and potentially unlock doors without authorization. Over 4000 such devices are exposed on the internet, posing significant security risks.

  • 4 Jan 2017

High Interaction Honeypots with Sysdig and Falco

A technical exploration of using sysdig and falco tools to rapidly deploy high-interaction honeypots on Linux systems. The project demonstrated techniques for monitoring and forensically analyzing attacker interactions through detailed system call and log capture. Two case studies revealed successful honeypot deployments that captured real-world attacker behaviors and malware interactions.

  • 3 Nov 2016

A Penetration Tester’s Guide to the Azure Cloud

This presentation provides a comprehensive guide to security assessment of Microsoft Azure Cloud services. It explores key security components, controls, and configurations across Azure deployments. The talk introduces Azurite, a tool for collecting and visualizing Azure infrastructure information.

  • 21 Oct 2016

A Hybrid Approach to ICS Intrusion Detection

SENAMI introduces a hybrid intrusion detection approach for Industrial Control Systems that combines passive network monitoring with selective active monitoring of critical Siemens S7 PLC variables. The method focuses on detecting value tampering attacks by monitoring three key memory locations with minimal performance impact. The approach achieves a 93% detection rate of active threats while avoiding overloading legacy PLC systems.

Accessing Internal Fileshares through Exchange ActiveSync

Exchange ActiveSync (EAS) can be exploited to access internal Windows file shares using only user mailbox credentials. The vulnerability was confirmed in Exchange 2013 and 2016 with near-default configurations. Attackers can list file share contents and download files by using specific EAS commands, potentially bypassing traditional access controls.

  • 20 Jun 2016

The current state of quantum cryptography, QKD, and the future of information security.

Quantum key distribution (QKD) offers a provably secure communication method based on quantum physics principles. The technology leverages the Heisenberg uncertainty principle to create encryption keys that cannot be intercepted without detection. Commercial QKD systems are being developed to extend communication ranges and integrate with existing security infrastructure.

  • 23 Mar 2016

LoRa Security: Building a secure LoRa solution

A whitepaper by Rob Miller explores the security aspects of LoRaWAN technology. The document provides insights into securing LoRa systems and understanding potential attack methodologies. It aims to help developers comprehend their security responsibilities when building LoRa solutions.

The Pageantry of Lateral Movement

A presentation on lateral movement techniques in network penetration testing explores abusing Pageant (PuTTY's SSH agent) on Windows hosts. The talk demonstrates a nearly undetectable method of tunneling SSH agent traffic using a meterpreter extension. Improvements were made to an existing reconnaissance tool to enhance its utility during simulated attacks.

Warranty Void If Label Removed: Attacking MPLS Networks

A presentation on MPLS network vulnerabilities revealed critical security weaknesses in service provider network infrastructures. Network reconnaissance techniques were demonstrated that could expose internal Label Switching Router interconnections. The research highlighted potential VRF hopping attacks that could allow unauthorized traffic injection between different customer networks in shared MPLS environments.

Active Directory: Users in Nested Groups Reconnaissance

The article discusses a technique for efficiently discovering users in nested Active Directory groups using the LDAP_MATCHING_RULE_IN_CHAIN OID. New Metasploit commands were introduced to perform comprehensive Active Directory user and group reconnaissance, allowing identification of users in complex nested group structures. The method enables penetration testers to quickly identify users with administrative privileges across nested group hierarchies.

Mass HTTP Enumeration with Metasploit

A Metasploit module enables mass HTTP enumeration of web servers during penetration testing. The module efficiently extracts server headers, HTTP status codes, and page titles across large networks. It allows quick identification of interesting or anomalous hosts using Metasploit's database and multithreading capabilities.

How to own any Windows network with group policy hijacking attacks

Group policy hijacking attacks can compromise Windows networks by intercepting and manipulating group policy traffic. The attacks exploit vulnerabilities in SMB signing and Kerberos authentication to gain SYSTEM-level access on domain-joined systems. Multiple attack vectors allow attackers to modify group policy settings and execute arbitrary code on target networks.

Practically Exploiting MS15-014 and MS15-011

The article details two Microsoft vulnerabilities (MS15-011 and MS15-014) that enable remote code execution on domain-joined Windows systems. These vulnerabilities can be exploited through a two-stage attack method to gain SYSTEM-level access by manipulating group policy and SMB signing configurations. A video demonstration shows how these vulnerabilities can be chained together to compromise hardened domain environments.

Digging into MS14-068, Exploitation and Defence

MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.

  • 20 Jun 2014

Isolated Heap & Friends - Object Allocation Hardening in Web Browsers

Web browsers have implemented object allocation hardening techniques to mitigate use-after-free vulnerabilities. These techniques include Internet Explorer's Isolated Heap, Firefox's Presentation Arena, and Chrome's PartitionAlloc. Each approach aims to constrain memory allocation strategies and make exploitation more difficult by separating object types and controlling memory reuse.

Native Bridge's Over Troubled Water

Mobile security research by Dave Hartley explored vulnerabilities in mobile advertising networks across multiple platforms. The study investigated cross-platform exploitation potential in Windows Phone, Android, Blackberry, and iOS operating systems. Findings focused on identifying security issues within popular mobile ad networks.

  • 20 Dec 2013

Google AdMob Ad Library - Arbitrary Intent Activity Invocation

A vulnerability was discovered in the Google AdMob SDK for Android that allows attackers to manipulate Intent Activities by injecting JavaScript into a WebView. The vulnerability enables arbitrary activity invocation by controlling multiple parameters passed to the 'startActivity' method. Potential remote exploitation can occur by targeting exposed activities in other Android applications.

  • 27 Nov 2013

Millennial Media Ad Library

A critical vulnerability was discovered in the Millennial Media SDK across mobile platforms. The SDK's WebView implementation allows attackers to perform dangerous actions like file manipulation, clipboard access, audio recording, and cross-application exploitation through malicious JavaScript injection. These security flaws could enable comprehensive mobile device compromise and unauthorized access to sensitive user information.

  • 12 Nov 2013

Run SAP, Run

Metasploit modules for SAP system security assessment were developed to comprehensively test SAP enterprise environments. The modules enable penetration testers to discover SAP services, enumerate clients, perform brute-force attacks, and execute remote commands across different SAP connectors. Multiple attack techniques were demonstrated, including information gathering, credential extraction, and obtaining interactive shells on both Linux and Windows SAP systems.

  • 24 Sep 2013

WebView addJavascriptInterface Remote Code Execution

A critical remote code execution vulnerability was discovered in Android WebViews using JavaScript interfaces. The vulnerability allows attackers to execute arbitrary system commands by injecting malicious JavaScript into applications using advertising network SDKs. Analysis revealed that a significant number of Android applications could potentially be compromised through this security flaw.

Polishing Chrome for Fun and Profit (NSC)

A presentation at the Nordic Security Conference detailed a full sandbox escape vulnerability in Google Chrome. The vulnerability was successfully exploited at the Pwn2Own 2013 hacking competition. Technical details of compromising Chrome's security mechanisms were demonstrated by MWR's Nils and Jon.

  • 11 Mar 2013

BSides Challenge

MWR Labs hosted a cybersecurity challenge focused on analyzing the "Evil Planner" Android application. The challenge invited participants to find vulnerabilities that would allow BigCorp to extract encrypted data from a potentially malicious employee's device. Multiple prizes were offered for discovering and exploiting application security weaknesses.

  • 13 Sep 2012

SAP Smashing (Internet Windows)

SAProuter is a SAP network proxy that can route TCP connections through firewalls. A proof-of-concept technique was developed to establish native connections through SAProuter. The method allows routing network connections and was demonstrated by integrating with Metasploit to access systems behind the proxy.

Security Testing 4G (LTE) Networks

This presentation explores security testing methodologies for 4G (LTE) networks. The shift to IP-based communications in LTE networks introduces potential new security risks. The talk aims to provide insights into network security assessment and potential vulnerabilities in LTE deployments.

  • 18 Jul 2012

Incognito v2.0 Released

Incognito v2.0 is a Windows security tool for token enumeration and manipulation. The new version introduces multi-host input, multi-threading, grepable output, quiet mode, and improved handling of administrative privileges. Key improvements include better API compatibility, enhanced token discovery across multiple systems, and more flexible output options for security professionals.

  • 5 Jan 2012

Distributed Hash Cracking on the Web

A distributed hash cracking project explored using WebGL and WebCL technologies to crack password hashes through web browsers. WebGL proved unsuitable for hash computation, but WebCL showed promising performance for parallel processing of hash cracking. The project deployed a distributed system using web advertising to harness browser computing power for password retrieval.

  • 14 Dec 2011

veripy: New Project to Support the Migration to IPv6

MWR InfoSecurity launched a new open-source project called veripy to support IPv6 migration. The project aims to develop a tool for testing equipment readiness according to the RIPE 501 specification. The first version of the tool is planned for release in March 2012, with the goal of providing confidence in IPv6 networking hardware and software.

  • 18 May 2011

The Google Android Update Dilemma

The Android update process involves multiple parties including Google, device vendors, and carriers, creating a complex and fragmented security update mechanism. This multi-stage update chain introduces significant delays and vulnerabilities, as patches must pass through numerous intermediaries before reaching end-users. Google's recent update initiative fails to comprehensively address the fundamental security challenges in Android's update ecosystem.

DefCon 14 - IBM Networking

A presentation by Martyn Ruks at DefCon 14 in 2006 explored IBM network security testing methodologies. The talk focused on identifying potential vulnerabilities in IBM network infrastructure. Specific network security assessment techniques for IBM systems were discussed during the presentation.