2021
Android Application Testing Using Windows 11 and Windows Subsystem for Android
With the release of windows 11, Microsoft announced the Windows Subsystem for Android or WSA. This following their previous release, Windows Subsystem for Linux or WSL. These enable you to run a virtual Linux or Android environment directly on your Windows Operating System, without the prerequisite compatibility layer provided by third-party software. In this post I’ll show you how to use WSA for Android mobile application pentesting, such that you can perform all of the usual steps using only Windows, with no physical Android device or emulator needed.
sensecon 2021 – wargames edition
If last year taught us anything, it was that we can move quickly to organise a fully online hacker conference in little over a month. This year our annual, internal hacker conference ran from the 16th to the 18th of September, was attended by 102 hackers from 9 countries across 2 timezones, and was once again filled with epic hacks and laughs! In this post I’ll tell you more about the run up and execution of our internal SenseCon 2021! Some of this year’s challenges are available to play for a limited time on our Orange Cyberdefense Hacker Discord server as well. You can join using this link: https://discord.gg/yhfPKyBGbp.
Building an offensive RPC interface
Using the Windows Remote Procedure Call (RPC) interface is an interesting concept when conssidering the fact that it allows you to call functions, over the network in a remote process. I wanted to better understand how RPC worked, and decided to build my own RPC interface to help with that. As a result, I wrote an RPC interface that will spawn a reverse shell given an IP address and a port. In this post I’ll show you how to do just that and what I learnt in a few sections:
blackhat_defcon_virtual_vegas_2021.zip
Phew! This year’s hacker summer camp is packed with presentations from several hackers across the globe at Orange Cyberdefense. I can’t possibly go into all of the many details, but hope to give a somewhat compressed view of the highlights!
This year we have a total of 10 representations. Four of those are DEF CON 29 talks, where two are main stage talks, one a demo labs talk and one a radio frequency village talk. On the training side of things, we’re delivering five courses at BlackHat USA 21, and one course at Ringzer0. I’ve been fortunate enough to see the behind the scenes preparation that goes into these and can’t wait for the world to see and experience them too!
Come do Wi-Fi!
Wi-Fi is everywhere and having a better understanding of it can fair you well! Over the years we have made various tools such as hostapd-mana to enable attacks against Wi-Fi, and then tools such as berate_ap for those people who don’t want to, or have to, learn how to use hostapd-mana. In our Unplugged: Modern Wi-Fi Hacking course you will be forced to shun the convenience of automated tools such as berate_ap and get dirty with setting up Access Points and Client configurations in a terminal window to ensure you have a good understanding of what is happening under the hood.
Exploring The Fundamentals
We are excited to be presenting our Hands-on-Hacking Fundamentals (HHF) course at this year’s BlackHat USA 2021 conference. In our HHF course we explore the fundamentals required to grow your hacking skills where you can utilise your newly learned skills with practical, real world hacks in our custom lab environment. This blog aims to demonstrate the fundamentals of networking and scanning using the defacto Network Mapper “Nmap” which is one of the many tools utilised in our course.
Our Enterprise Infrastructure Hacking Course
Here at Orange Cyberdefense, clients often ask us to test and help secure their infrastructure. We do this a lot. We test clients, we test ourselves, and we set up labs to test new ideas and tools. We’ve become quite good at this, if we say so ourselves, and would love to share some of the lessons we’ve learned along the way with anyone that would be interested. That’s what our Enterprise Infrastructure Hacking course is all about: it’s our way of sharing what we’ve learned with you.
Adventures into HTTP2 and HTTP3
A few months ago I was exploring the write-ups and video solutions for the retired HackTheBox machine – Quick. It’s during this exploration that I came across HTTP/3. For those that are not aware, HTTP/3 is the upcoming third major version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web, succeeding HTTP/2.
Now, to be honest, my knowledge of the Hypertext Transfer Protocol (HTTP) has mainly been restricted to the HTTP/1.0 and HTTP/1.1 specifications. In particular, as that is the main specifications of the protocol we (security pentesters) observe in Burp (our intercepting proxy) when assessing web applications. We are familiar and comfortable seeing HTTP GET/POST requests and the myriad of responses that can be received (e.g., 400, 503…)
From 500 to Account Takeover
Introduction What seemed like a regular Cross-site Scripting (XSS) vulnerability on an HTTP 500 “Internal Server Error”-page, I managed to turn into a one-click account takeover on an assessment. In this blog post I want to describe the path I took to achieve this leveraging a known Cloudflare WAF bypass and Google analytics to extract session tokens serving as a CSP bypass.
Reconnaissance At the beginning of the assessment, it quickly came to my attention that the web application stored the Session ID as part of some kind of error reporting JavaScript function in a message variable. This function would be executed if window.error was triggered:
on ios binary protections
I just got off a call with a client, and realised we need to think about how we report binary protections a bit more. More specifically the ios info binary command in objection. They can be a pain to explain if not well understood, and even harder to remediate! Binary protections make exploitation attempts much harder so, naturally we want all of them on. However, as you’d see in this article, not everything can always be enabled and sometimes it’s hard to understand why.
Page 1 of 2
Next