Blog
Covert Login Alerting
Intro For the longest time I had the idea to implement a notification system that would alert me if someone ever logged in (or tried to login) to an SSH server or XSession on a machine I controlled, using known compromised credentials that were obtained via a data breach or a canary password. In this post I am going to show you how I implemented just that using Canary Tokens.
Making the Perfect Red Team Dropbox (Part 2)
In part 1 of this series, we set up the NanoPi R1S as a USB attack tool, covering OS installation, installation of P4wnP1, and even keylogging a “passed through” keyboard. In this part, I am going to focus on operations as an Ethernet attack tool, using two scenarios. Firstly, as a box which can be connected to an unused Ethernet port, and provide remote access to the target’s network, and secondly, as an Ethernet Person in the Middle (PitM), where it can be placed in between a legitimate device and its upstream switch, and mask its own traffic using the legitimate device’s IP address and MAC address. In the second scenario, we can also defeat Network Access Control measures, because the legitimate device will handle all of that.
Multiple Android User Profiles
I was recently on a mobile assessment where you could only register one profile on the app, per device. To use another account you had to first deactivate the profile and then register a new one. I wasn’t sure whether that would invalidate the original token especially since my goal was to test authorisation issues against the backend. Sure, I could have tested whether the token was invalidated or not, which later I found out it wasn’t. But there were other restrictions within this environment which made me look for a different approach.
Resurrecting an old AMSI Bypass
While working on DoubleAgent as part of the Introduction To Red Teaming course we’re developing for RingZer0, I had a look at Anti-Malware Scan Interface (AMSI) bypasses. One of the objectives I had was to find a new way to evade AMSI. As with my DoubleAgent work, this did not lead to the identification of a novel finding, but instead revealed that old techniques can be revived with minimal work. This blog post describes how to resurrect the original DLL hijack documented by Cn33liz by extending it to simply define the typically exported functions found in amsi.dll in a fake DLL. This gives a low privileged user an AMSI bypass if they can write to a directory.
The hunt for Chromium issue 1072171
Intro The last few months I’ve been studying Chrome’s v8 internals and exploits with the focus of finding a type confusion bug. The good news is that I found one, so the fuzzing and analysis efforts didn’t go to waste. The bad news is that I can reliably trigger the vulnerability but I haven’t found a way to weaponise it yet.
If you don’t have prior knowledge of v8, I encourage you to take some time and read through the previous post I wrote. It covers all of the basics regarding the v8 compiler and tools that helped me throughout my research. More importantly, it will help newcomers understand all of the research described within this post.
Being Stubborn Pays Off pt. 2 – Tale of two 0days on PRTG Network Monitor
Intro Last year I wrote how to weaponize CVE-2018-19204. This blog post will continue and elaborate on the finding and analysis of two additional vulnerabilities that were discovered during the process; one leading to an arbitrary write as system where the contents can’t be fully controlled and the other leading to Remote Code Execution as SYSTEM. Both vulnerabilities require you to have the administrator password for PRTG Network Monitor. Often you just get lucky, as the software defaults to prtgadmin:prtgadmin for the username and password respectively.
Making the Perfect Red Team Dropbox (Part 1)
As part of our preparations for our upcoming RingZer0 “Q Division” Training, I have been working on making a software image for the FriendlyArm NanoPi R1S Single Board Computer (SBC) that we’ll be using to demonstrate some close quarters techniques. I will detail the process of configuring an R1S by installing the Armbian distribution as well as P4wnP1 ALOA. We will also take a quick look at getting USBProxy configured to act as a keylogger.
Hack-From-Home Challenge Walk Through
On the 27th of April 2020 SensePost created a CTF challenge (https://challenge.sensepost.com) for the public. The names of those who managed to capture flags would be placed in a draw for a seat on one of SensePost’s upcoming training courses. The challenge was to grab as many of the four flags as you could. Each flag was harder to get than the previous. Engage the brain. The challenge started with a simple engage the brain ctf, where we needed to try guess the next page value by looking at the clues on the current page.
Masquerading Windows processes like a DoubleAgent.
I’ve been spending some time building new content for our Introduction to Red Teaming course, which has been great for diving into AV/EDR bypass techniques again. In this blog post, I will demonstrate how to re-weaponise the old “DoubleAgent” technique, making endpoint security products do the hacking work for us.
One known vector to shimmy past AV solutions is to use process injections. At BlackHat 2019, a number of process injection techniques were presented by Itzik Kotler. A typical code injection implementation using known WINAPI functions, such as the combination of VirtualAlloc, WriteProcessMemory and CreateRemoteThread are well known by endpoint security solutions and will often raise alerts. Whether static or dynamic analysis kicks in, the chances of remaining undetected when using these functions are close to NULL. Alas, the cat and mouse game keeps going endlessly.
Attacking smart cards in active directory
Introduction Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they used to login into their computers, emails, internal applications and more. None of the employees at the company had a password at all – this sounded really cool.
In this post I will detail a technique used to impersonate other users by modifying a User Principal Name (UPN) on an Active Directory domain that only uses smart cards.