2012
Snoopy: A distributed tracking and profiling framework
At this year’s 44Con conference (held in London) Daniel and I introduced a project we had been working on for the past few months. Snoopy, a distributed tracking and profiling framework, allowed us to perform some pretty interesting tracking and profiling of mobile users through the use of WiFi. The talk was well received (going on what people said afterwards) by those attending the conference and it was great to see so many others as excited about this as we have been.
44Con: Vulnerability analysis of the .NET smart Card Operating System
Today’s smart cards such as banking cards and smart corporate badges are capable of running multiple tiny applications which are often written in high level programming languages like Java or Microsoft .NET and compiled into small card resident binaries. It is a critical security requirement to isolate the execution context and data storage of these applications in order to protect them from unauthorized access by other malicious card applications. To satisfy this requirement, multi-application smart cards implement an “Application Firewall” concept in their operating system which creates an execution sandbox for card applications.
Solution for the 44Con Challenge
Last week, we published our 44Con “SillySIP” Challenge for free entry to our BlackOps training course at the 44Con conference this year. We’d like to thank all those who attempted this challenge.
$queue->add($beatbox_drumroll);
The winner, who responded with the first correct answer, is Ben Campbell. As a result, he gets to hang out with our trainers on a free BlackOps training course.
Congratulations Ben! We look forward to meeting you (in person) at the BlackOps training.
44Con Challenge
In a similar fashion to the BlackHat challenge held earlier this year, we’re giving away a free ticket to our BlackOps course at this year’s 44Con. As a penetration tester, knowledge of an issue is not enough when one needs to demonstrate risk to a client. Furthermore, when large numbers of potential targets are involved, it becomes crucial that effective attacks are packaged and automated to allow for mass-pwnage.
Privilege Escalation in SQL Server (Depending on some dodgy requirements)
I was playing with a few SQL server idiosyncrasies more than a year ago before becoming so completely distracted with the whole SAP protocol-decoding business. Having some time on my hands for once, I thought I would blog it.
Early last year, I found it possible to create jobs owned by other users on MS SQL Server (2000, 2005 and 2008) by an unprivileged user – providing the user had the capability of creating or altering stored procedures in the [master].[dbo] schema. The reason for this, comes as a result of cross-database permissions being chained, by default, across the system databases [master], [msdb] and [tempdb]. According to Microsoft, this is by design.
BlackOps – Post Exploitation Fun and Games
Brilliant, the client has decided to implement their own CMS and you’ve found a variable that’s vulnerable to SQL injection. Starting up your favourite SQL exploitation tool, you upload a suitable web shell and fire up the browser. In an instant, you control that server, but do you really own the box?
Looking back at the major hacks of the last 18 months, attackers used a variety of techniques to obtain sensitive information. For the RSA hack, social engineering was used, allegedly consisting of a malicious Excel spreadsheet sent from a web master at a recruitment website. Once loaded, Poison Ivy was dropped on the host and the games began. Attackers started recon exercises, pivoting between hosts and finally exfiltrated the data (the rest is well-known and publicised). In the case of HBGary, attackers compromised their systems using a similar approach as the RSA attackers did: target an individual using social engineering using an earlier toehold to expand to a foothold. These types of attackers might have a fancy new name (Advanced Persistent Threats) but at the end of the day, they are using techniques that have been around for a while.
Black Hat Training Classes Update
Hey All,
We’re about locked and loaded down here in ZA – ready to tackle the looooong journey to Vegas for Black Hat. If you’re headed to Black Hat but haven’t yet booked training there’s still time, so I thought I’d push out a brief update on what’s still available from our stable of courses. As many of our courses have sold out we opened second classrooms and as a result have plenty of space to accommodate late comers!
Solution for the BlackHat Challenge
We had published a network protocol analysis challenge for free entry to our BlackHat 2012 Vegas training courses and received seven correct answers. We’d like to thank those who attempted this challenge and hope that they find it useful.
The winner, Peter Af Geijerstam managed to respond first, with the correct answer. As a result, he wins a free place on any of our Hacking By Numbers courses. Here is a brief solution for it:
BlackHat Challenge
This year marks a special anniversary for us at SensePost in that we’ve been training at BlackHat for over a decade now. To celebrate this, we thought we’d give away a free ticket to any of our courses on offer at this year’s BlackHat Briefings in Las Vegas.
With data breaches happening almost on a monthly basis these days, everyone is turning to encryption in order to protect their information. Bob, a rather tech-savvy gentleman, works for a FTSE 100 company and they’ve written their own secure message implementation. You’ve been tasked to perform a penetration test and noticed that after compromising their shared document server, an internal web application leaked the source code used by the company for the client and the server.
RSA SecureID software token update
There has been a healthy reaction to our initial post on our research into the RSA SecureID Software Token. A number of readers had questions about certain aspects of the research, and I thought I’d clear up a number of concerns that people have.
The research pointed out two findings; the first of which is in fact a design vulnerability in RSA software’s “Token Binding” mechanism. The second finding is another design issue that affects not only RSA software token but also any other software, which generates pseudo-random numbers from a “secret seed” running on traditional computing devices such as laptops, tablets or mobile phones. The correct way of performing this has been approached with hardware tokens, which are often tamper-resistant.