Lucene search
K
PentestpartnersMost viewed

506 matches found

Pen Test Partners Blog
Pen Test Partners Blog
added 2020/12/22 7:20 a.m.171 views

How to use Keepalived for high availability and load balancing

In a nutshell Keepalived implements VRRP Virtual Router Redundancy Protocol on a Linux system as well as managing Linux Virtual Server configuration. Keepalived can implement High Availability active/passive and load balancing active/active setups that can be made responsive to several customisab...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/06/18 7:2 a.m.171 views

Ewon Flexy IoT Router. A Deep dive

First off I would like to thank the techs at PTP for their insights and help during this process. I know what I know, and I don't know what I don’t know, so I asked for help sometimes. I've learned a lot from this project e.g. how XOR works, and how to use IDA to analyse ARM binaries better, so I...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/12/03 1:20 p.m.166 views

Commands and Tools for Embedded Reverse Engineering

We’ve been training a lot of people to look at embedded systems. The training is intensive, and it can be hard to remember all the commands and tools used. This is just a quick rundown of those tools with enough information to jog your memory! Basic Commands If we want to see the content of a fil...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/05/29 8:18 a.m.166 views

Securing your red team kit with Uncomplicated Firewall

After reading Identifying Cobalt Strike team servers in the wild I started thinking, why are people not firewalling off their kit? If you read the above post and I suggest you do, you will see under section “Scanning and Results” that the research concluded that 7718 unique Cobalt Strike CS team...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/07/05 8:0 a.m.163 views

Getting your head under the hood and out of the sand: Automotive security testing

We’ve been doing automotive pen testing for several years now. Along the way we’ve had some fascinating experiences, working with some insightful and forward-thinking OEMs. But we’ve also worked with some OEMs and suppliers that consider pen testing to be a box checking exercise and frankly, buri...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2024/07/02 5:31 a.m.162 views

RCE vulnerability in OpenSSH – RegreSSHion (CVE-2024-6387)

TL;DR The Qualys Threat Research Unit has found a high-severity vulnerability, filed under CVE-2024-6387, affects OpenSSH Open Secure Shell, a networking utility often used for remote server management and secure communication over insecure networks. CVE-2024-6387 affects the OpenSSH server on...

8.1CVSS9.1AI score0.99506EPSS
Exploits68
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/01/07 6:10 a.m.157 views

Schneider T200 RTU vulnerabilities

A few CVEs published in a Schneider T300 RTU recently jogged my memory. I went back 8 years to 2012 to dig out a disclosure we made to Schneider via an operator. And there it was, similar probably identical vulnerabilities in its predecessor, the Easergy T200. As we were working via the operator,...

6.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/02/08 7:33 a.m.156 views

Reverse Engineering Keys from Firmware. A how-to

TL;DR It is possible to reverse engineer keys from firmware with some tips: 1. Always looks for strings/constants. 2. Make guesses about the original source. 3. Find a function you can recognise and work backwards to identify other functions. 4. It helps if they use open-source code so you can cr...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/12/21 7:35 a.m.155 views

A Logical Volume Manager / LVM primer for Linux

About LVM LVM is an abstraction layer that provides block devices same kind of disk partitions. This is done by using 3 layers: physical volumes PV - disk partitions; volume groups VG - aggregates of physical volumes, could be across multiple disks or multiple partitions, whatever; logical volume...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/05/01 6:20 a.m.154 views

Jeopardising aircraft through TCAS spoofing

The Traffic Alert & Collision Avoidance System or TCAS was first developed in the early 1980s using transponders on aircraft to interrogate other aircraft within a set range about their distance, altitude, and heading. If a collision course is detected and the aircraft is suitably equipped, a TCA...

7.2AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/07/21 3:27 p.m.150 views

Raining SYSTEM Shells with Citrix Workspace app

TL;DR Citrix Workspace is vulnerable to a remote command execution attack running under the context of the SYSTEM account. By sending a crafted message over a named pipe and spoofing the client process ID, the Citrix Workspace Updater Service can be tricked into executing an arbitrary process und...

7.2CVSS8.1AI score0.02062EPSS
Exploits2
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/08/10 7:59 a.m.148 views

Breaking (Bad) Cross-Site Request Forgery Protection – The Netgear Nighthawk M1

What is CSRF? Cross-site Request Forgery CSRF is a descriptive term, but pretty oblique if you don’t know exactly what it means. Broken down, it’s pretty simple: A malicious web page running in your browser can send requests to other sites. When it sends those requests, it’ll use the current...

10CVSS9.3AI score0.02727EPSS
Exploits2
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/12/22 7:36 a.m.145 views

Hackers in Hot Water. Pwning smart hot tubs, yes really

TL;DR? Video first… We were given a tip by the awesome Ceri Coburn that something was amiss with the Balboa Water App, a mobile app used for controlling 30,000 hot tubs. You can remotely control your tub, so you can heat it up for when you’re ready, saving power when you don’t use it. Nice idea!...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/06/26 8:10 a.m.143 views

F5 Networks Endpoint Inspector – Browser-to-RCE?

If a bug falls in the forest, and the vendor denies that it’s a bug, is it still a bug? TL;DR? The F5 Endpoint Inspector is an application which can be called from a web browser to scan a client for compliance. We found it can be abused to run arbitrary code, triggered by visiting a malicious...

7.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/09/03 6:55 a.m.142 views

Pwning a Siemens Scalance ICS switch through ARM reversing

We’ve been working in industrial control systems security for a long time. Several of the team here used to work in OT control rooms or support SCADA environments. Whilst pen testing a ship control system, we noticed a heavy reliance on Siemens Scalance industrial ethernet switches, so bought a...

2.1CVSS6.2AI score0.00301EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/07/03 8:0 a.m.141 views

Slok API

You may have read my previous post where I had a look at the SLOK padlock and found it had an interesting BLE interface which I couldn’t find a vulnerability for and a physical design that took seconds to work around. Anyway, I alluded to some weirdness from the API and an actual vulnerability in...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/06/18 7:2 a.m.139 views

Sharing the Secrets: Pwning an industrial IoT router

I get involved in a lot of IoT and ICS pen tests and found an interesting device on one of them. I didn’t have enough time on the job to go as deep as I wanted, so got PTP to buy a couple to play with. eBay FTW! It’s an Ewon Flexy IoT Router. It’s important to note that local access / public IP...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/10/01 5:39 a.m.136 views

DLL Hijacking in NVIDIA SMI

What is NVIDIA SMI? The NVIDIA System Management Interface nvidia-smi is a command line utility, based on top of the NVIDIA Management Library NVML, intended to aid in the management and monitoring of NVIDIA GPU devices. This utility allows administrators to query GPU device state and with the...

4.6CVSS2.9AI score0.00376EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/10/11 5:45 a.m.136 views

Mapping the Attack Surface of an Airport

Aviation security is a complex environment. What first sparked my interest in avionics security was a comment from an airport customer of ours. They had seen the media coverage of the DHS work against a Boeing 757 a few years ago and were concerned that an ‘infected’ airplane might create a fresh...

7.5AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/05/24 11:58 a.m.136 views

Pwning the Nokelock API

Nokelock Vulnerabilities I’ve been talking at some Infosec meet ups about a certain padlock, called the Nokelock. I need to differentiate this right now as there is a product called nokē, this is not about that. This is about a set of Chinese made padlocks called Nokelock from a company called...

4.3CVSS5.7AI score0.01588EPSS
Exploits2
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/05/14 5:11 a.m.133 views

Echelon PII Leak and Disclosure Fail

Echelon Echelon Fitness is a competitor to companies such as Peloton. You buy the hardware, quickly assemble it, buy a subscription, use a built-in or external smart device and you do your exercise thing! However, their API had significantly worse security flaws than those we found in Peloton...

6.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/01/19 6:0 a.m.131 views

Three Word Passwords

Introduction The National Cyber Security Centre NCSC have advocated the use of three random words for several years to create strong passwords, and that advice has been repeated recently by the National Crime Agency, and multiple police forces in the UK…. but just how strong are these passwords?...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/10/04 9:44 a.m.131 views

OSINT for Avionics

One of the biggest challenges with avionics research is simply getting hold of equipment to work on. Current equipment is frighteningly expensive – think $100,000 and up for some components, reflecting the relatively short production run, high reliability requirement and significant certification...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/01/11 2:42 p.m.129 views

IoT: OFF by default

It’s increasingly difficult to buy home appliances and other tech that DOESN’T have connectivity. Despite reservations about the security of smart tech, if we want to buy mid to high end devices, we often have no choice but to buy appliances with connectivity. To quote @Mikko Hypponen: If it is...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/04/15 7:21 a.m.124 views

Tic Toc Pwned

We were recently tipped off that the Australian Tic Toc Track watch was almost undoubtedly just a version of the Gator kids GPS tracking watch. That’s the tracker watch which leaked real time kids position data to anyone, it also allowed anyone to silently listen to children through the watch...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/03/12 6:38 a.m.123 views

Introduction to Bluetooth Low Energy

Bluetooth Low Energy BLE is used by almost everyone in our everyday lives, from wireless headphones, to car stereos, computer keyboards and mice, and other everyday items. Even though this standard is popular there seems a general lack of understanding of how it works and what certain terms mean...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/05/17 10:32 a.m.120 views

EFB Tampering 3. Take-off pt1

Take-off Performance Part 1: Introduction, Thrust & Speeds TL;DR Take-off performance applications perform calculations to provide critical take-off performance data to pilots e.g. thrust/trim/flap setting for take-off Modifying any one of these could have severe consequences. For example, an...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/08/26 9:16 a.m.119 views

Admin password re-use. Don’t do it

As a pentester, one of the most disappointing sights is see on a test is extensive local admin password reuse. I know others get excited as it means easy pwnage of the network, but for me, it makes my job too straightforward. I want more of a challenge, particularly as resolving the local admin...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/10/10 2:30 p.m.117 views

Operational Technology Networks or OT

Operational Technology Networks or OT Notes: It’s mixing up OT with maritime, so probably isn’t suitable as is. The first section is really good, very relevant. We can use all of that. Once we get in to NMEA data, then it goes off topic. I suggest: Network equipment such as the Scalance Then a...

7.5CVSS0.4AI score0.19856EPSS
Exploits4
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/03/08 6:0 a.m.113 views

Gone in six seconds? Exploiting car alarms

Key relay attacks against keyless entry vehicles are well known. Many 3rd party car alarm vendors market themselves as solutions to this. We have shown that fitting these alarms can make your vehicle EVEN LESS SECURE! These alarms can expose you to hijack, may allow your engine to be stopped whil...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/03/15 12:38 p.m.112 views

Walkthrough. Investigating an SSD

I had an interesting job come in. A client wants the data off a dead SSD, and it’s a model that regular data recovery companies won’t deal with, an SK Hynix drive. It’s used extensively on many Dell laptops. The drive is NVMe which means it uses several PCIe lanes for communication. First things...

7.2AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/02/18 10:21 a.m.111 views

Sinking a ship and hiding the evidence

Our earlier work on Voyage Data Recorder manipulation got us thinking about how a malicious individual or organisation might bring about the demise of a ship and hide the evidence. There are plenty of ways to get malware on to a ship. Whether it’s via satcoms, phishing, USB, crew Wi-Fi, dodgy DVD...

10CVSS9.4AI score0.0719EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/07/24 2:46 p.m.111 views

Bluetooth vuln CVE-2018-5383 explained

Yesterday a vulnerability, CVE-2018-5383 was released in the security specification for Bluetooth, with the title "Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange". It was given an adjusted CVSSv2 score of 5.7 - so roughly a...

0.3AI score0.00802EPSS
Exploits1
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/09/20 7:27 a.m.108 views

A Pen Tester’s First Solo: Aviation Security 101

My colleague Ken and I are both private pilots with a keen interest in avionics and security. We were fortunate to have access to some end of life, functioning airframes so had the opportunity to start investigating the security of airplane and avionics. Here’s a primer for anyone interested in...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/08/08 3:5 p.m.108 views

Group sex app leaks locations, pics and personal details. Identifies users in White House and Supreme Court

We’ve seen some pretty poor security in dating apps over recent years; breaches of personal data, leaking users locations and more. But this one really takes the biscuit: probably the worst security for any dating app we’ve ever seen And it’s used for arranging threesomes. It’s 3fun. It exposes t...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/06/29 5:23 a.m.107 views

Google for OpSec data discovery

Following last months post about what OpSec is and how it can benefit your company I wanted go a step further, and look at some of the ways you can super charge your searches to find interesting data about your company. Basic search parameters As I mentioned last month, one of the most useful too...

6.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/05/08 6:12 a.m.105 views

Pwning WordPress GraphQL

Third-party plugins are often the security Achilles heel of Content Management Systems CMS. It seems like not a month goes by without one security researcher or another uncovers a vulnerability in a plugin, undermining the security of the whole platform. Plugins are used to add functionality that...

7.4AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/11/02 2:29 p.m.104 views

No need for lock picking tools

This is something I knocked up to show how terrible some locks are. I found this one in my garage. It was from when my wife and I went to a Download festival a couple of years back and is a lock from one of those paid-for secure storage places where you can leave your car keys, phone etc. Let's...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/11/11 7:14 a.m.102 views

Updating Airplanes

If you think updating Windows etc is painful, spare a thought for avionics maintenance engineers. Flight Management System FMS and related navigation databases navaids, airspace etc have to be updated monthly, locally. On older planes, it’s sometimes still done on 3.5” floppy. It’s more common to...

6.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/10/12 5:8 a.m.100 views

Using Velociraptor for large-scale endpoint visibility and rapid threat hunting

TL;DR Network-wide collection, acquisition and monitoring tool for use in DFIR engagements Designed for enterprise networks 150k+ Deployments aren’t unheard of Boasts many features that your commercial EDR has, and a few more Flexible querying language that can adapt to new threats and encourages...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/04/14 8:30 a.m.99 views

SweetPotato – Service to SYSTEM

I've had a keen interest in the original RottenPotato and JuicyPotato exploits that utilize DCOM and NTLM reflection to perform privilege escalation to SYSTEM from service accounts. The applications behave by leveraging the SeImpersontePrivilege and MITM to perform privilege escalation when a hig...

7.2AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/11/08 3:14 p.m.99 views

Decapping with Dave (chip decapping)

Thought I'd share my first attempt at chip decapping using the @LargeCardinal technique. I found using a gas soldering iron more flexible than a blowtorch. This is attempt number two, this time with an Atmel 328 MCU; this is almost a work of art. Blowtorch decapping try number 3. Firstly an STC M...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/06/19 7:28 a.m.98 views

Why we shouldn’t use sequential booking references

I travel a lot with work. In the last 6 months there have only be 2 weeks where I haven’t been to Heathrow airport. Heathrow isn’t the easiest journey by public transport for me as the PTP HQ is in a field in north Bucks. Hence, I usually end driving to the airport. I’ve been to Heathrow twice th...

6.4AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/03/25 7:23 a.m.96 views

Turning an OBD-II reader into a USB / NFC attack tool

One of my favourite sorts of hardware hacking is making a device do something it was never intended for. It's creative, disruptive, and fun. Everyone has their own way of going about things. Different methodologies, habits, and skill sets mean that approaches will be diverse. This is how I work...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/09/18 6:28 a.m.96 views

Hacking AIS

Maritime AIS, or ‘Automatic Identification System’ is used for broadcast and reception of vessel position and information alerts. It has proved invaluable since its introduction in the 1990s and has undoubtedly helped prevent many marine accidents, collisions and related incidents. Previous...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/09/13 5:30 p.m.96 views

Hacking an assault tank… A Nerf one

TL;DR A complex, challenging reverse and hijack of a toy tank Nerf gun camera, but the result was we got to shoot the 44Con conference organiser with it! Why A remote-controlled Nerf gun with video feed and aiming crosshairs. Who wouldn’t want to reverse the RF and firmware, with a view to...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/11/29 9:41 a.m.94 views

Ships engines, a guide for pen testers

I spent several years as a ships engineer before straying in to pen testing. Ships used to be fairly secure; they were physically isolated at sea. Satcoms were scarily expensive, usually available only to the captain for business-critical communication. Even satphone use was heavily rationed. All...

6.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/09/30 7:10 a.m.94 views

The 5 breach readiness mistakes

The most common mistakes we see in engagements Responding to cyber incidents and data breaches is rarely straightforward. You are generally faced with making on-the-spot critical decisions with little or no real information. This often leads to mistakes. Let’s review some of the common mistakes w...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/11/29 1:26 p.m.89 views

Embedded device research. The tools you’ll need

Over the last couple of years, we’ve run many courses on embedded device security. The focus is often defensive, but all the courses have an aspect of offensive: hacking demonstration and real devices so that you can understand the mindset of an attacker. To hack devices, you need tools. And the...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/11/15 3:40 p.m.89 views

The Disgruntled Employee?

When we talk about cyber threat actors one of the terms we use is “Disgruntled Employee”. Everyone knows what that means; someone who is fed up at work, has an axe to grind, feels aggrieved etc. There are sometimes other factors though, ones that aren’t as obvious… The symptoms and effects I was...

7.1AI score
Exploits0
Total number of security vulnerabilities506