Articles

Factoring RSA Export Keys (FREAK)

Factoring RSA Export Keys (FREAK) is an attack against “export cipher suites”, which are cipher suites that have intentionally limited security due to prior regulation within the United States. This regulation placed restrictions on the strength of encryption algorithms used in software intended for export. This attack was demonstrated in 2015 ...

Your Vulnerability Management Sucks

On March 16th I had the pleasure of speaking at the Yorkshire Cyber Security Cluster about Vulnerability Management. I’ve included my slides from the presentation and some speaker notes on the content covered here: In this presentation, I attempt a tool-agnostic look into how organisations should approach vulnerability management. Whilst I definitely ...

HTTP Security Headers: X-Frame-Options

The X-Frame-Options header can be used to specify whether a web browser should be allowed to render the target page in a frame (such as a frame, iframe, embed, or object tag). This can be used to prevent attacks such as ClickJacking. Although this header is effectively made obsolete by the Content-Security-Policy (CSP) directive frame-ancestors, it can ...

HTTP Security Headers: Cache-Control

The Cache-Control HTTP server response header specifies whether the server response can be cached by the web browser and any interim devices such as web proxies. Generally, if the content of the page includes confidential information, then it should not be cached, since if confidential information is cached on a user’s device, and ...

[Webinar] Your System Hardening Sucks

Akimbo hosted a Webinar to cover hints and tips about how to implement effective system hardening. We’re sharing the recording for those that couldn’t make it on the day! If you’d like more information about any of the content covered, or if you’d like to discuss a training requirement then ...

The OWASP Top 10 2021

OWASP, or the Open Web Application Security Project, is a non-profit organisation that produces a range of articles, tools, and other resources on security topics, including web application, API, and mobile application security issues. It also produces the “OWASP Top 10”, an awareness document that is ...

ScotSoft: Building and Breaking Web Applications

On October 7th I had the pleasure of speaking at ScotSoft 2021 about Penetration Testing and breaking Web Applications. I’ve included my slides from the presentation and some speaker notes on the content covered below: For this presentation, I opened with my working definition of what Penetration Testing is, to ...

What is Penetration Testing?

Penetration Testing, often abbreviated to PenTesting, is a method of testing the security of a system through attempting to discover and actively exploit vulnerabilities within the system. It is amongst the most effective methods of determining the actual risk posed by a system. This is due to the fact that ...

An Introduction to Logic Analyzers

Logic Analyzers are inexpensive devices that allow you to just take a look at what a small number of pins on a chip are up to. They can be hooked into software like PulseView to read pin output and decode it into something more useful. Many decoders are available, but ...

Introduction to Radio Hacking

In my introduction to hardware hacking, I mention that radio systems may be part of the attack surface for a hardware device penetration test. So I thought I’d give a gentle introduction to hacking with an SDR here! Firstly, what’s an SDR? It stands for software-defined radio, and refers to ...

Calculating Subnets and CIDR Quickly

A friend of mine mentioned recently that he has to work out subnet masks in his head for an exam and commented in reality he’d just use a subnet calculator. Whilst this is probably true, there’s a quick trick that might help if you’re calculating subnets under duress. This isn’t ...

Finding Serial Interfaces (UART)

UART stands for Universal Asynchronous Receiver/Transmitter; however, in the context of Hardware Hacking we’re generally looking for a serial interface which will give us text output from the system and possibly allow for command input. The general intention from the manufacturer’s point of view is to allow easy debugging, ...

A Quick Malware Teardown

A follower sent me a suspicious looking file recently to get my opinion on its behavior and to see if I could pull out a little detail on how it’s working. “Suspicious looking” because at the time, it was getting a zero score on VirusTotal but it appeared to be ...

Linux PrivEsc: Abusing SUID

Recently during a CTF I found a few users were unfamiliar with abusing setuid on executables on Linux systems for the purposes of privilege escalation. If an executable file on Linux has the “suid” bit set, then when a user executes the file it will execute with the owner’s permission level ...

Extracting Flash Memory using JTAG

I previously mentioned dumping memory contents using SPI, with a BusPirate. Sometimes that’s not feasible – such as if the flash memory module is a little inaccessible and you’re not feeling like deconstructing the board just yet. An alternative is to pull memory over JTAG. I talked about accessing JTAG ...

HTTP Header Injection

HTTP Header Injection vulnerabilities occur when user input is insecurely included within server response headers. Specifically, they are based around the idea that a threat actor can cause the server to generate a response which includes carriage-return and line-feed characters (%0D and %0A respectively in their URI-encoded forms) within the ...

An Introduction to Hardware Hacking

I’m currently writing up a series on hardware hacking fundamentals, and before I get into the specifics – I thought it sensible to add a piece on why hardware security is important and to lay out the major themes of what I’ll be discussing. Firstly, with physical devices, threat actors have more options when ...

British Airways Breach (2018)

I wanted to talk a little bit about the British Airways breach; I won’t be focusing on the intention to fine from the ICO. I’ll just be talking a little about vulnerabilities, how they can be addressed, and the issues mitigations may bring. I’ll also be talking about a security ...

Equifax Breach (2017)

In 2017 Equifax were breached; the breach was discovered on July 29[5] and an announcement was published on Sept 7.[5] It wasn’t the largest breach of all time, and not even of 2017, but it was big and the data was sensitive. Over the two weeks following the announcement, Equifax stock fell ...

An Introduction to Penetration Testing AWS

When penetration testing Amazon Web Services (AWS) environments there are different perspectives the assessment could consider, some are very similar to external infrastructure/web application assessments and some are different. I’ll separate the things that are the same from the things that are different to traditional penetration testing by considering the ...

Windows Desktop Breakout

Many organisations “lock-down” their desktop environments to reduce the impact that malicious staff members and compromised accounts can have on the overall domain security. Many desktop restrictions can slow down a threat actor but it’s often possible to “break-out” of the restricted environment. Both assessing and securing these desktop environments can be ...

PrivEsc: DLL Hijacking

I posted earlier about Privilege Escalation through Unquoted Service Paths and how it’s now rare to be able to exploit this in the real world due to the protected nature of the C:\Program Files and C:\Windows directories. It’s still possible to exploit this vulnerability, but only when the service executable is installed outside of these protect ...

Calculating the Details of Awkward Subnets

I posted recently about calculating subnets and CIDR notation quickly, but I didn’t mention in that post how to quickly get the Network ID, first host, and Broadcast address for a subnet given an awkward address. This is another easy trick that covers that! If it’s a simple, classful address then ...

PrivEsc: Unquoted Service Path

One method for escalating permission from Local/Domain User to Local Administrator, is “Unquoted Service paths”. In my experience finding unquoted service paths is a common occurrence, however actually being able to exploit them is not. In this article we’ll explore how to find these issues and how to quickly determine ...

Custom Rules for John the Ripper

Whilst Hashcat is often provably faster than John the Ripper, John is still my favourite. I find it simple to use and fast, and the jumbo community patch (which I highly recommend) comes packed with hash types, making it a versatile tool. One of the features of these tools, which is often unknown or at ...
