Blog
RAT-a-tat-tat
Hey all,
So following on from my talk (slides, video) I am releasing the NMAP service probes and the Poison Ivy NSE script as well as the DarkComet config extractor.
Rat a-tat-tat from SensePost nmap-service-probes.pi poison-ivy.nse extract-DCconfig-from-binary.py An example of finding and extracting Camellia key from live Poison Ivy C2’s:
nmap -sV -Pn --versiondb=nmap-service-probes.pi --script=poison-ivy.nse <ip_address/range)
Finding Poison Ivy, DarkComet and/or Xtreme RAT C2’s:
nmap -sV -Pn --versiondb=nmap-service-probes.pi <ip_range>
Never mind the spies: the security gaps inside your phone
For the last year, Glenn and I have been obsessed with our phones; especially with regard to the data being leaked by a device that is always with you, powered on and often provided with a fast Internet connection. From this obsession, the Snoopy framework was born and released.
After 44con this year, Channel 4 contacted us to be part of a new experimental show named ‘Data Baby‘, whose main goal is to grab ideas from the security community, and transform them into an easy-to-understand concept screened to the public during the 7 o’clock news.
A new owner for a new chapter
We’re pleased to announce our acquisition today by SecureData Europe.
SecureData (www.secdata.com) is a complete independent security services provider based in the UK and was also previously part of the SecureData Holdings group before being acquired by management in November 2012. The strategic acquisition complements SecureData’s vision for enabling an end-to-end, proactive approach to security for global customers by assessing risk, detecting threats in real-time, protecting valuable assets and responding to security issues when they occur.
Offence oriented defence
We recently gave a talk at the ITWeb Security Summit entitled “Offense Oriented Defence”. The talk was targeted at defenders and auditors, rather then hackers (the con is oriented that way), although it’s odd that I feel the need to apologise for that ;)
The talks primary point, was that by understanding how attackers attack, more innovative defences can be imagined. The corollary was that common defences, in the form of “best practise” introduce commonality that is more easily exploited, or at least degrade over time as attackers adapt. Finally, many of these “security basics” are honestly hard, and we can’t place the reliance on them we’d hoped. But our approach doesn’t seem to want to acknowledge the problem, and much like an AA meeting, it’s time we recognise the problem.
44CON 2013
In one week, it’s 44CON time again! One of our favourite UK hacker cons. In keeping with our desire to make more hackers, we’re giving several sets of training courses as well as a talk this year.
Training: Hacking by Numbers – Mobile Edition
If you’re in a rush, you can book here.
We launched it at Blackhat USA, and nobody threw anything rotting, in-fact some said it went pretty well; our latest addition to the Hacking by Numbers training.
BlackHat Conference: Z-Wave Security
We are publishing the research paper and tool for our BlackHat 2013 USA talk on the Z-Wave proprietary wireless protocol security. The paper introduces our Z-Wave packet interception and injection toolkit (Z-Force) that was used to analyze the security layer of Z-Wave protocol stack and discover the implementation details of the frame encryption, data origin authentication and key establishment process. We developed the Z-Force module to perform security tests against the implementation of the Z-Wave security layer in encrypted home automation devices such as a door locks. The paper describes the details of a critical vulnerability discovered in a Z-Wave door lock that could enable an attacker to remotely take full control of the target device without knowledge of the network encryption key. The Z-Force download archive contains the GUI program and two radio firmware files for the receiver and transmitter TI CC1110 boards.
This research will also be presented at 44Con 2013 in London next month, followed by the release of Z-Force source code and US frequency support (908.4 MHz) in the firmware.
Hacking by Numbers – The mobile edition
West Coast in the house, well actually more like an African visiting Seattle for Blackhat’s West Coast Trainings.
We’ve had a great year delivering the latest course in our amazing Hacking by Numbers training series: Mobile. What’s cool about this course, is like the others, we teach a hacking methodology rather than punting a tool or a magic, do it all solutions.
Mobile was created to match the continuous growth in mobile phone usage, with a specific focus on showing you how you would go about testing the mobile platforms and installed applications, to ensure they have been developed in a secure manner. HBN Mobile provides a complete and practical window into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms. This course is structured to cater to penetration testers who are new to the mobile area and who need to understand how to analyze and audit applications on various mobile platforms using a variety of tools.
Rogue Access Points, a how-to
In preparation for our wireless training course at BlackHat Vegas in a few weeks, I spent some time updating the content on rogue/spoofed access points. What we mean by this are access points under your control, that you attempt to trick a user into connecting to, rather than the “unauthorised access points” Bob in Marketing bought and plugged into your internal network for his team to use.
I’ll discuss how to quickly get a rogue AP up on Kali that will allow you to start gathering some creds, specifically mail creds. Once you have that basic pattern down, setting up more complex attacks is fairly easy.
Technical Project Manager Role
As SensePost grows, so does our desire to ensure a healthy balance between technical savvy and organisational skills. As a result, we are on the lookout for a Technical Project Manager based in our Pretoria office in South Africa.
Job Title: Technical Project Manager
Salary Range: Industry standard, commensurate with experience
Location: Pretoria, South Africa
About the role
Define and implement Project workflows for various service lines. Architect , source and implement a project management system that includes real-time, accessible scheduling system. Technical project scoping. (can grow into this responsibility over time) Lead the planning and implementation of project Facilitate the definition of project scope, goals and deliverables Define project tasks and resource requirements Develop fullscale project plans Assemble and coordinate project staff Manage project budget Manage project resource allocation Plan and schedule project timelines Track project deliverables using appropriate tools Provide direction and support to project team Drive quality assurance process Constantly monitor and report on progress of the project to all stakeholders Present reports defining project progress, problems and solutions Implement and manage project changes and interventions to achieve project outputs Project evaluations and assessment of results Education and Experience
A software level analysis of TrustZone OS and Trustlets in Samsung Galaxy Phone
Introduction:
New types of mobile applications based on Trusted Execution Environments (TEE) and most notably ARM TrustZone micro-kernels are emerging which require new types of security assessment tools and techniques. In this blog post we review an example TrustZone application on a Galaxy S3 phone and demonstrate how to capture communication between the Android application and TrustZone OS using an instrumented version of the Mobicore Android library. We also present a security issue in the Mobicore kernel driver that could allow unauthorised communication between low privileged Android processes and Mobicore enabled kernel drivers such as an IPSEC driver.