506 matches found
How to use Keepalived for high availability and load balancing
In a nutshell Keepalived implements VRRP Virtual Router Redundancy Protocol on a Linux system as well as managing Linux Virtual Server configuration. Keepalived can implement High Availability active/passive and load balancing active/active setups that can be made responsive to several customisab...
Ewon Flexy IoT Router. A Deep dive
First off I would like to thank the techs at PTP for their insights and help during this process. I know what I know, and I don't know what I don’t know, so I asked for help sometimes. I've learned a lot from this project e.g. how XOR works, and how to use IDA to analyse ARM binaries better, so I...
Commands and Tools for Embedded Reverse Engineering
We’ve been training a lot of people to look at embedded systems. The training is intensive, and it can be hard to remember all the commands and tools used. This is just a quick rundown of those tools with enough information to jog your memory! Basic Commands If we want to see the content of a fil...
Securing your red team kit with Uncomplicated Firewall
After reading Identifying Cobalt Strike team servers in the wild I started thinking, why are people not firewalling off their kit? If you read the above post and I suggest you do, you will see under section “Scanning and Results” that the research concluded that 7718 unique Cobalt Strike CS team...
Getting your head under the hood and out of the sand: Automotive security testing
We’ve been doing automotive pen testing for several years now. Along the way we’ve had some fascinating experiences, working with some insightful and forward-thinking OEMs. But we’ve also worked with some OEMs and suppliers that consider pen testing to be a box checking exercise and frankly, buri...
RCE vulnerability in OpenSSH – RegreSSHion (CVE-2024-6387)
TL;DR The Qualys Threat Research Unit has found a high-severity vulnerability, filed under CVE-2024-6387, affects OpenSSH Open Secure Shell, a networking utility often used for remote server management and secure communication over insecure networks. CVE-2024-6387 affects the OpenSSH server on...
Schneider T200 RTU vulnerabilities
A few CVEs published in a Schneider T300 RTU recently jogged my memory. I went back 8 years to 2012 to dig out a disclosure we made to Schneider via an operator. And there it was, similar probably identical vulnerabilities in its predecessor, the Easergy T200. As we were working via the operator,...
Reverse Engineering Keys from Firmware. A how-to
TL;DR It is possible to reverse engineer keys from firmware with some tips: 1. Always looks for strings/constants. 2. Make guesses about the original source. 3. Find a function you can recognise and work backwards to identify other functions. 4. It helps if they use open-source code so you can cr...
A Logical Volume Manager / LVM primer for Linux
About LVM LVM is an abstraction layer that provides block devices same kind of disk partitions. This is done by using 3 layers: physical volumes PV - disk partitions; volume groups VG - aggregates of physical volumes, could be across multiple disks or multiple partitions, whatever; logical volume...
Jeopardising aircraft through TCAS spoofing
The Traffic Alert & Collision Avoidance System or TCAS was first developed in the early 1980s using transponders on aircraft to interrogate other aircraft within a set range about their distance, altitude, and heading. If a collision course is detected and the aircraft is suitably equipped, a TCA...
Raining SYSTEM Shells with Citrix Workspace app
TL;DR Citrix Workspace is vulnerable to a remote command execution attack running under the context of the SYSTEM account. By sending a crafted message over a named pipe and spoofing the client process ID, the Citrix Workspace Updater Service can be tricked into executing an arbitrary process und...
Breaking (Bad) Cross-Site Request Forgery Protection – The Netgear Nighthawk M1
What is CSRF? Cross-site Request Forgery CSRF is a descriptive term, but pretty oblique if you don’t know exactly what it means. Broken down, it’s pretty simple: A malicious web page running in your browser can send requests to other sites. When it sends those requests, it’ll use the current...
Hackers in Hot Water. Pwning smart hot tubs, yes really
TL;DR? Video first… We were given a tip by the awesome Ceri Coburn that something was amiss with the Balboa Water App, a mobile app used for controlling 30,000 hot tubs. You can remotely control your tub, so you can heat it up for when you’re ready, saving power when you don’t use it. Nice idea!...
F5 Networks Endpoint Inspector – Browser-to-RCE?
If a bug falls in the forest, and the vendor denies that it’s a bug, is it still a bug? TL;DR? The F5 Endpoint Inspector is an application which can be called from a web browser to scan a client for compliance. We found it can be abused to run arbitrary code, triggered by visiting a malicious...
Pwning a Siemens Scalance ICS switch through ARM reversing
We’ve been working in industrial control systems security for a long time. Several of the team here used to work in OT control rooms or support SCADA environments. Whilst pen testing a ship control system, we noticed a heavy reliance on Siemens Scalance industrial ethernet switches, so bought a...
Slok API
You may have read my previous post where I had a look at the SLOK padlock and found it had an interesting BLE interface which I couldn’t find a vulnerability for and a physical design that took seconds to work around. Anyway, I alluded to some weirdness from the API and an actual vulnerability in...
Sharing the Secrets: Pwning an industrial IoT router
I get involved in a lot of IoT and ICS pen tests and found an interesting device on one of them. I didn’t have enough time on the job to go as deep as I wanted, so got PTP to buy a couple to play with. eBay FTW! It’s an Ewon Flexy IoT Router. It’s important to note that local access / public IP...
DLL Hijacking in NVIDIA SMI
What is NVIDIA SMI? The NVIDIA System Management Interface nvidia-smi is a command line utility, based on top of the NVIDIA Management Library NVML, intended to aid in the management and monitoring of NVIDIA GPU devices. This utility allows administrators to query GPU device state and with the...
Mapping the Attack Surface of an Airport
Aviation security is a complex environment. What first sparked my interest in avionics security was a comment from an airport customer of ours. They had seen the media coverage of the DHS work against a Boeing 757 a few years ago and were concerned that an ‘infected’ airplane might create a fresh...
Pwning the Nokelock API
Nokelock Vulnerabilities I’ve been talking at some Infosec meet ups about a certain padlock, called the Nokelock. I need to differentiate this right now as there is a product called nokē, this is not about that. This is about a set of Chinese made padlocks called Nokelock from a company called...
Echelon PII Leak and Disclosure Fail
Echelon Echelon Fitness is a competitor to companies such as Peloton. You buy the hardware, quickly assemble it, buy a subscription, use a built-in or external smart device and you do your exercise thing! However, their API had significantly worse security flaws than those we found in Peloton...
Three Word Passwords
Introduction The National Cyber Security Centre NCSC have advocated the use of three random words for several years to create strong passwords, and that advice has been repeated recently by the National Crime Agency, and multiple police forces in the UK…. but just how strong are these passwords?...
OSINT for Avionics
One of the biggest challenges with avionics research is simply getting hold of equipment to work on. Current equipment is frighteningly expensive – think $100,000 and up for some components, reflecting the relatively short production run, high reliability requirement and significant certification...
IoT: OFF by default
It’s increasingly difficult to buy home appliances and other tech that DOESN’T have connectivity. Despite reservations about the security of smart tech, if we want to buy mid to high end devices, we often have no choice but to buy appliances with connectivity. To quote @Mikko Hypponen: If it is...
Tic Toc Pwned
We were recently tipped off that the Australian Tic Toc Track watch was almost undoubtedly just a version of the Gator kids GPS tracking watch. That’s the tracker watch which leaked real time kids position data to anyone, it also allowed anyone to silently listen to children through the watch...
Introduction to Bluetooth Low Energy
Bluetooth Low Energy BLE is used by almost everyone in our everyday lives, from wireless headphones, to car stereos, computer keyboards and mice, and other everyday items. Even though this standard is popular there seems a general lack of understanding of how it works and what certain terms mean...
EFB Tampering 3. Take-off pt1
Take-off Performance Part 1: Introduction, Thrust & Speeds TL;DR Take-off performance applications perform calculations to provide critical take-off performance data to pilots e.g. thrust/trim/flap setting for take-off Modifying any one of these could have severe consequences. For example, an...
Admin password re-use. Don’t do it
As a pentester, one of the most disappointing sights is see on a test is extensive local admin password reuse. I know others get excited as it means easy pwnage of the network, but for me, it makes my job too straightforward. I want more of a challenge, particularly as resolving the local admin...
Operational Technology Networks or OT
Operational Technology Networks or OT Notes: It’s mixing up OT with maritime, so probably isn’t suitable as is. The first section is really good, very relevant. We can use all of that. Once we get in to NMEA data, then it goes off topic. I suggest: Network equipment such as the Scalance Then a...
Gone in six seconds? Exploiting car alarms
Key relay attacks against keyless entry vehicles are well known. Many 3rd party car alarm vendors market themselves as solutions to this. We have shown that fitting these alarms can make your vehicle EVEN LESS SECURE! These alarms can expose you to hijack, may allow your engine to be stopped whil...
Walkthrough. Investigating an SSD
I had an interesting job come in. A client wants the data off a dead SSD, and it’s a model that regular data recovery companies won’t deal with, an SK Hynix drive. It’s used extensively on many Dell laptops. The drive is NVMe which means it uses several PCIe lanes for communication. First things...
Sinking a ship and hiding the evidence
Our earlier work on Voyage Data Recorder manipulation got us thinking about how a malicious individual or organisation might bring about the demise of a ship and hide the evidence. There are plenty of ways to get malware on to a ship. Whether it’s via satcoms, phishing, USB, crew Wi-Fi, dodgy DVD...
Bluetooth vuln CVE-2018-5383 explained
Yesterday a vulnerability, CVE-2018-5383 was released in the security specification for Bluetooth, with the title "Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange". It was given an adjusted CVSSv2 score of 5.7 - so roughly a...
A Pen Tester’s First Solo: Aviation Security 101
My colleague Ken and I are both private pilots with a keen interest in avionics and security. We were fortunate to have access to some end of life, functioning airframes so had the opportunity to start investigating the security of airplane and avionics. Here’s a primer for anyone interested in...
Group sex app leaks locations, pics and personal details. Identifies users in White House and Supreme Court
We’ve seen some pretty poor security in dating apps over recent years; breaches of personal data, leaking users locations and more. But this one really takes the biscuit: probably the worst security for any dating app we’ve ever seen And it’s used for arranging threesomes. It’s 3fun. It exposes t...
Google for OpSec data discovery
Following last months post about what OpSec is and how it can benefit your company I wanted go a step further, and look at some of the ways you can super charge your searches to find interesting data about your company. Basic search parameters As I mentioned last month, one of the most useful too...
Pwning WordPress GraphQL
Third-party plugins are often the security Achilles heel of Content Management Systems CMS. It seems like not a month goes by without one security researcher or another uncovers a vulnerability in a plugin, undermining the security of the whole platform. Plugins are used to add functionality that...
No need for lock picking tools
This is something I knocked up to show how terrible some locks are. I found this one in my garage. It was from when my wife and I went to a Download festival a couple of years back and is a lock from one of those paid-for secure storage places where you can leave your car keys, phone etc. Let's...
Updating Airplanes
If you think updating Windows etc is painful, spare a thought for avionics maintenance engineers. Flight Management System FMS and related navigation databases navaids, airspace etc have to be updated monthly, locally. On older planes, it’s sometimes still done on 3.5” floppy. It’s more common to...
Using Velociraptor for large-scale endpoint visibility and rapid threat hunting
TL;DR Network-wide collection, acquisition and monitoring tool for use in DFIR engagements Designed for enterprise networks 150k+ Deployments aren’t unheard of Boasts many features that your commercial EDR has, and a few more Flexible querying language that can adapt to new threats and encourages...
SweetPotato – Service to SYSTEM
I've had a keen interest in the original RottenPotato and JuicyPotato exploits that utilize DCOM and NTLM reflection to perform privilege escalation to SYSTEM from service accounts. The applications behave by leveraging the SeImpersontePrivilege and MITM to perform privilege escalation when a hig...
Decapping with Dave (chip decapping)
Thought I'd share my first attempt at chip decapping using the @LargeCardinal technique. I found using a gas soldering iron more flexible than a blowtorch. This is attempt number two, this time with an Atmel 328 MCU; this is almost a work of art. Blowtorch decapping try number 3. Firstly an STC M...
Why we shouldn’t use sequential booking references
I travel a lot with work. In the last 6 months there have only be 2 weeks where I haven’t been to Heathrow airport. Heathrow isn’t the easiest journey by public transport for me as the PTP HQ is in a field in north Bucks. Hence, I usually end driving to the airport. I’ve been to Heathrow twice th...
Turning an OBD-II reader into a USB / NFC attack tool
One of my favourite sorts of hardware hacking is making a device do something it was never intended for. It's creative, disruptive, and fun. Everyone has their own way of going about things. Different methodologies, habits, and skill sets mean that approaches will be diverse. This is how I work...
Hacking AIS
Maritime AIS, or ‘Automatic Identification System’ is used for broadcast and reception of vessel position and information alerts. It has proved invaluable since its introduction in the 1990s and has undoubtedly helped prevent many marine accidents, collisions and related incidents. Previous...
Hacking an assault tank… A Nerf one
TL;DR A complex, challenging reverse and hijack of a toy tank Nerf gun camera, but the result was we got to shoot the 44Con conference organiser with it! Why A remote-controlled Nerf gun with video feed and aiming crosshairs. Who wouldn’t want to reverse the RF and firmware, with a view to...
Ships engines, a guide for pen testers
I spent several years as a ships engineer before straying in to pen testing. Ships used to be fairly secure; they were physically isolated at sea. Satcoms were scarily expensive, usually available only to the captain for business-critical communication. Even satphone use was heavily rationed. All...
The 5 breach readiness mistakes
The most common mistakes we see in engagements Responding to cyber incidents and data breaches is rarely straightforward. You are generally faced with making on-the-spot critical decisions with little or no real information. This often leads to mistakes. Let’s review some of the common mistakes w...
Embedded device research. The tools you’ll need
Over the last couple of years, we’ve run many courses on embedded device security. The focus is often defensive, but all the courses have an aspect of offensive: hacking demonstration and real devices so that you can understand the mindset of an attacker. To hack devices, you need tools. And the...
The Disgruntled Employee?
When we talk about cyber threat actors one of the terms we use is “Disgruntled Employee”. Everyone knows what that means; someone who is fed up at work, has an axe to grind, feels aggrieved etc. There are sometimes other factors though, ones that aren’t as obvious… The symptoms and effects I was...