Tag Archives: Tech

SSLv3 and POODLE


October 15, 2014

By Norman Yue

For those of you paying attention to mailing lists early last night, you may have noticed a curious email come through, regarding a “Truly scary” SSL3.0 vulnerability about to drop – and drop it did today.

The vulnerability, known as POODLE, allows attackers to partially decipher bits of plaintext, such as session cookies, in conjunction with a man-in-the-middle attack where an attacker can modify traffic. The really scary part (imo) is on Page 3 of the whitepaper:

The expected overall effort is 256 SSL 3.0 requests per byte.

This is amazingly low, meaning that depending on the circumstances of exploitation, your typical web app session cookie can be broken in minutes.

Building an iClass Cloner


May 21, 2014

By Jay Davis, @jaymaster2000

We have been investigating RFID access control security and the models typically implemented by businesses in Australia. The iClass line of devices developed by HID are an interesting subject as they are commonly used throughout Australia (and globally) and have been proven to have security flaws. We conducted some research to see if we could create a covert cloning device for use in our engagements. Read on for more details of our successes!

How I got root with Sudo


March 17, 2014

By Sebastien Macke, @lanjelot

Introduction

During security engagements, we regularly come across servers configured with the privilege management software Sudo. As with any software, the principle of least privilege must be closely followed: users must be granted the minimum possible privileges to perform necessary tasks or operations. Therefore, to securely configure Sudo, user accounts must be restricted to a limited set of commands that they can legitimately execute with elevated privileges (usually those of the root account).

Out in the real world, we don’t often see Sudo configured according to the principle of least privilege. But when we do, we always uncover a mistake or two that allows us to escalate our privileges to root, at which point it’s game over. We win.

The purpose of this post is to present a series of examples of common mistakes and insecure configurations that we have seen and leveraged in production environments during security assessments, and how you can make our team’s life that little bit harder.

Cracking .NET Membership Password Hashes


February 25, 2014

By Sebastien Macke, @lanjelot

During a recent penetration test against an ASP.NET web application, we gained a significant level of control over the server and leveraged our access to get a copy of the application’s database, where the user password hashes were stored.

This post provides details of how we recovered passwords from the hashes. Read on if you want to play along at home and crack them as we did!

Dumping Windows Credentials


December 20, 2013

By Sebastien Macke, @lanjelot

Introduction

During penetration testing engagements, we often find ourselves on Windows systems, looking for account credentials. The purpose of this post is to walk through some techniques to gather credentials from Windows systems while being as non-intrusive as possible.

The core principles behind the techniques described in this post are:

  • Safety – Avoid causing any downtime, by using tools and techniques which are known to be safe, and will not render a system unstable.
  • Stealthiness – Avoid detection: do not use tools and techniques that will trigger alerts. Refrain from uploading binaries, turning off the anti-virus, generating suspicious event logs, etc.
  • Efficiency – While Bernardo’s blog attempts to cover many of the tools and techniques available for dumping credentials from a Windows host, this post focuses on the most practical way to get the job done.

Open Source and Software Trust


November 20, 2013

By Norman Yue – Chief Technology Officer

Recently, I stumbled across an interesting blog post about trusting security software on Reddit (http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html). This got me thinking, and kicked off a few conversations – to be honest, pretty much any open source software can be backdoored, and a good number of open source software packages have been/still are. It doesn’t need to be an obvious backdoor – simply omitting a security control, or rendering it weaker than it could be, could be just as effective (and much, much more difficult to detect during a source code audit).

For an attacker, the payoff is potentially huge, depending on the particular software being backdoored (just imagine if a tool such as nmap, or some FIM software, was to be backdoored). The cost can range from the attacker putting his hand up to “maintain” an open source WordPress plugin, to going after something unrelated and ending up with access to the source code repository of a popular security tool in his/her lap.

The Information Security Vacuum


August 15, 2013

By Michael Gianarakis, Senior Security Consultant
Originally published: http://eightbit.io/post/56489111073/the-information-security-vacuum

Many penetration testers and information security consultants complain when a client just accepts the risk of an issue or doesn’t provide adequate support to the security team. I often hear “the business doesn’t get security” and that “security risk is a business risk, they should pay more attention”.

Unfortunately, what I don’t see is penetration testers and security consultants actively trying to understand business in order to truly understand, and more importantly, articulate the security risk. I’m not talking about “the business” of a client but rather business in general. In fact I often encounter disdain for the very notion of devoting any time or thought to understanding business and risk concepts.