Lucene search
K
PentestpartnersMost viewed

506 matches found

Pen Test Partners Blog
Pen Test Partners Blog
added 2022/10/13 5:48 a.m.88 views

MS Enterprise app management service RCE. CVE-2022-35841

TL;DR A remote command execution and local privilege escalation vulnerability has been fixed by Microsoft as part of September’s patch Tuesday. The vulnerability, filed under CVE-2022-35841, affects the Enterprise App Management Service which handles the installation of enterprise applications...

0.1AI score0.02599EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/02/23 6:32 a.m.88 views

Feature and Permission Policies. Security issues

Introduction In order to help enhance the user experience of their site, companies may ask to use features of your browser, such as geolocation or notifications to produce a more tailored experience. Web site developers may configure the site or allow third-party content, loaded in frames, to use...

6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/09/18 10:43 a.m.87 views

How to: Kerberoast like a boss

Kerberoasting: by default, all standard domain users can request a copy of all service accounts along with their correlating password hashes. Crack these and you could have administrative privileges. But that’s so 2014. Why write a blog post about this in 2019 then? It still works well, yet there...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/07/02 5:38 a.m.87 views

The null choice. A social engineering example in the wild

With social engineering there are lots of ways to get what you want, depending on the circumstance of course. The null choice is one that works really well when your desired outcome isn't obvious to the people you're trying to dupe. There are ways and means of overcoming a null choice scenario...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/12/21 7:18 a.m.86 views

Mimosa Cloud. Invite friends, not hackers

TL;DR Global wireless network provider had an IDOR in their cloud management platform Anyone can create an account, anyone can upgrade that account to take control of anyone else’s devices Excellent VDP, responded to promptly Fixed in ONE WORKING DAY! Other vendors can learn from Mimosa Who? Mimo...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/02/14 2:41 p.m.86 views

Vulnerability disclosure buzzword bingo!

Play Buzzword Bingo With Us! In the last 5 or so years of research we’ve found a substantial number of products with vulnerabilities in their supporting apps and infrastructure, as well as in the devices themselves. Some were low-impact, some were just curiosities, but many critical flaws exposin...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/07/07 9:43 a.m.85 views

Patchless AMSI bypass using SharpBlock

Introduction For those that followed my personal blog posts on Creating an EDR and Bypassing It, I developed a new tool called SharpBlock. The tool implements a Windows debugger to prevent EDR’s or any other DLL from loading into a process that SharpBlock launches. One feature that was missing fr...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/03/20 4:16 p.m.85 views

Connected camera cock up

I haven’t touched adult toy security for over a year now, mostly because we kept finding the same stuff over and over again. Besides, @internetofdongs has been doing some great work in this space, so it seemed pointless to duplicate his efforts. However, this morning, @dcuthbert tweeted us this: ...

7.2AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/09/27 7:25 a.m.84 views

A security researcher has made contact. What do I do?

Businesses say that they take security of customer data seriously but, when presented with a vulnerability, are often more concerned about their own reputation than the security of their customers. Handle disclosure correctly and you can do both: protect your customers and protect your reputation...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/09/21 7:53 a.m.83 views

The Return of Raining SYSTEM Shells with Citrix Workspace app

TL;DR Back in July I documented a new Citrix Workspace vulnerability that allowed attackers to remotely execute arbitrary commands under the SYSTEM account. Well after some further investigation on the initial fix I discovered a new vector that quite frankly should not exist at all since the...

6CVSS9.4AI score0.02062EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/02/07 9:38 a.m.83 views

Burp HMAC header extensions, a how-to

I was recently on a test where the client’s API used a custom authentication scheme to add a SHA256 HMAC dynamically on each request, based on the URL, time, and message body. My normal go-to for API testing is Postman especially when your client is lovely enough to give you definitions you can...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/11/10 6:55 a.m.81 views

Pun-free Cylance vulnerability, fixed

TL;DR Blackberry Cylance for Windows is affected by three vulnerabilities. CVE-2021-32021 - Denial of service in message broker. CVE-2021-32022 - Low privileged delete using CEF RPC server. CVE-2021-32023 - Elevation of privilege in message broker. A heap overflow resulting in a denial of service...

7.2CVSS7.7AI score0.00935EPSS
Exploits2
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/11/28 7:14 a.m.81 views

Christmas socialising. Goodwill to all, and keep your devices safe

It’s that time of year again. Christmas parties, socialising, travelling, and time spent away from home. Seasonal socialising generally involves eating, drinking, and making merry, and there’s nothing wrong with that. The downside is that a “goodwill to all” attitude and an excess of alcohol caus...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/08/11 5:21 a.m.79 views

Dating apps that track users from home to work and everywhere in-between

TL;DR We were able to precisely locate and track the users of four major dating apps, potentially putting at risk 10 million users This risk level is elevated for the LGBT+ community who may use these apps in countries with poor human rights where they may be subject to arrest and persecution. Ap...

6.5AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/12/10 5:53 a.m.77 views

Serious Vulnerabilities in Dualog Connection Suite

TL;DR The flaws found in this maritime comms and connection suite were many, and not insignificant: Directory traversal 2FA challenge/response is performed in a client-side application Default install password SQL injection User data leakage Easily brute forcible password hashes Introduction Duri...

7.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/08/25 5:35 a.m.76 views

A broken marriage. Abusing mixed vendor Kerberos stacks

My first DEF CON talk was nerve-racking but something I would definitely put myself through again. In hindsight I should have submitted a 45-minute talk as there were some elements missing from what I presented, based on additional research since submitting the CFP. With that in mind, and for tho...

6.5CVSS6.9AI score0.74265EPSS
Exploits10
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/01/31 7:55 a.m.74 views

HTTP Request Smuggling. A how-to

TL;DR HTTP Request Smuggling is not a new issue, a 2005 white paper from Watchfire discusses it in detail and there are other resources too. What I found missing was practical, actionable, how-to references. This post covers my findings and, hopefully, sheds some light on the intricacies of HTTP...

6.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/03/23 8:23 a.m.72 views

Spying on old folks

We’ve tested plenty of kids GPS tracker watches over the years. Nearly all we looked at had critical security issues. For a BBC show a while back we were asked to investigate the security of similar trackers for the elderly. They’re a nice idea; allowing people to live independently for longer an...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/02/12 7:41 a.m.72 views

Reverse Engineering the Tesla Firmware Update Process

TL;DR How does the Tesla update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14 layer PCB...

7.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/03/04 7:23 a.m.71 views

Grid. Locked.

In the UK we are used to having a reliable and stable electricity grid. So stable that you can keep time with it. Before quartz clocks became common, mains powered clocks used the electricity grid frequency of 50Hz as their time reference, you can still find the odd central heating timer or old...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/01/10 9:38 a.m.71 views

IR & Forensics in the Cloud

More and more organisations are moving their business to the cloud. This makes securing data and being able to respond effectively to incidents in cloud environments an important topic. Having the skills on hand to properly collect digital forensics data in response to a legal dispute or during a...

6.4AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/05/16 2:31 p.m.71 views

Tesla Killer: The Fuzzed and the Furious

The Tesla doesn’t have a conventional OBDII port onboard diagnostics as such. There’s a connector, but it’s just provided with +12V/ground in order to power things like insurance telematics dongles. Instead, there’s the Tesla diagnostics connector X427 which is where things get a bit weird. That...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/08/31 8:1 a.m.70 views

Smart Locks: Dumb Security

Dave Lodge and I presented at the BSides Manchester pre-party, aka ‘beersides’ on the subject of not very smart locks. Doubtless you’ve already seen our work on the Tapplock over BLE and the API, our hardware work on the Fipilock, and maybe even our smart lock security interview with hardware.io...

6.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/11/18 5:7 a.m.68 views

OBDeleven vulnerability

OBDelevens OBD-II dongle is an onboard diagnostics port module that connects to a mobile app over Bluetooth. It takes advantage of weaknesses in UDS secure access to unlock the vehicle ECU and enable enhanced diagnostics and some additional functionality. Some of these functions are only availabl...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/07/23 10:6 a.m.68 views

Social engineering. When you’re the mark…

Who am I? I am Scott, and you may have met me, if you did your recollection of me will be unique most likely. I am a social chameleon. I can be your best mate, the lost friend you never knew you lost and even an expert in things you are interested in. I live off your stories and I weave my way in...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/02/18 11:46 a.m.68 views

Different ‘smart’ lock, similar security issues

I was looking through Amazon and found this padlock at the cheaper end of the scale. For twenty of my well-earnt English pounds I could become the owner of a new and shiny SLOK lock. Image credit: Amazon It can be unlocked by BLE and can be shared to others, what could I do but buy one and revers...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/03/27 1:28 p.m.67 views

Quick wins with Adobe Experience Manager

Introduction Adobe Experience Manager AEM, is a comprehensive content management solution for building websites, mobile apps and forms. And it makes it easy to manage your marketing content and assets. If you've ever looked into AEM you may have heard of Mikhail Egorov @0ang3el. He has done some...

7.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/02/04 7:36 a.m.67 views

Pen Testing Ships. A year in review

Partially driven by the upcoming inclusion of Cyber Security by the IMO International Maritime Organisation, 2019 was a really busy year for maritime security testing at PTP. What can we all learn from a year of evaluating the security of ships? We’ve been involved in all sorts of ship testing,...

2.1CVSS6.8AI score0.00301EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/12/06 8:9 a.m.66 views

Hacking Hardware Password Managers: Royal Vault Password Keeper

TL;DR: Taking three hardware password managers I used them to: Learn the basics of hardware hacking Practice disassembling Perform chipset research Understand pinouts and protocols Read data off each device The royal password vault boards looked to be reused from a previous hardware device with...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/11/07 11:44 a.m.66 views

Schiphol hijack false alarm. An insiders view of what happened

I had the misfortune of being at Schiphol last night as this unfolded: All ended well, delayed by about an hour. Had the incident been real, it could have been much worse. Here’s what the pilot had to say about it thanks to @asantosb: Our flight was at D16, the incident flight was directly the...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/05/28 6:32 a.m.65 views

Do you know your OpSec?

Open Source Intelligence OSINT is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team engagement, as threat actor scenarios are created using publicly available information. Bearing that in mind it makes sense to review...

6.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/12/06 8:52 a.m.65 views

Hacking Hardware Password Managers: passwordsFAST

TL:DR Taking three hardware password managers I used them to: Learn the basics of hardware hacking Practice disassembling Perform chipset research Understand pinouts and protocols Read data off each device The passwordFast device uses different ways to store the data on a flash chip with a...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/06/21 6:31 a.m.65 views

Windows Server settings. Administrative Templates – Network Items. A security how-to

This is the first part of a multi part series looking at the settings within Windows Server that are looked at as part of a standard build review. Sometimes a red team exercise, where the consultant turns up with ninja gear, lock picks and grappling hooks isn’t what you need in a security...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/04/19 5:40 a.m.64 views

EFB Tampering 2. Device Integrity

TL;DR Electronic Flight Bag EFB integrity varies between different airlines and devices Aviation cyber security is becoming increasingly prominent with regulators EFBs often connect to unsecure networks including public Wi-Fi Security measures are not always effective and can be inconsistent Devi...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/05/27 8:0 a.m.64 views

In Flight Entertainment System Security

Contrary to alarmist stories in the press, it really isn’t practically possible to hack an airplane from the in-flight entertainment system IFE/IFEC. The ‘C’ adds Connectivity, so internet access Whilst earlier moving map systems did take a feed from the flight management system, particularly so...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/09/23 5:45 a.m.64 views

Drilling open a smart door lock in 4 seconds

The BBC asked us to have a look at some smart locks for a TV show recently. We didn’t have much prep time, but were genuinely shocked by just how easy this one was to compromise. Usually, we spend time looking at Bluetooth/RF, the mobile app, the API and then move on to hardware. This time we...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/07/01 7:1 a.m.64 views

Ninja Turtles in your network: LAN Turtle 3G. A how-to for red teaming

Introduction This post will detail how to configure and utilise a LAN turtle 3G from Hak 5 to gain a persistent, remotely accessible presence within a network. With ethernet ports becoming less common on new hardware, many people have been forced into deploying an array of various dongles and...

7.4AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/01/29 9:0 a.m.64 views

GPS watch issues… AGAIN

Over the last year of looking at kids GPS tracking watches we have found some staggering issues. With these devices it almost seems that having multiple security issues is the new normal. While parents and guardians may get a feeling of security from using these devices, our testing and research...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/10/31 7:12 a.m.63 views

FujiFilm printer credentials encryption issue fixed

TL;DR Many multi-function printers made by FujiFilm Business Innovation Corporation Fujifilm which includes Apeos, ApeosPro, PrimeLink and RevoriaPress brands as well as Xerox Corporation Xerox which includes VersaLink, PrimeLink, and WorkCentre brands, allow administrators to store credentials o...

2.6CVSS7.2AI score0.0035EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/09/01 5:10 a.m.63 views

Why the Raspberry Pi isn’t suitable for IoT

Let’s start by praising the Raspberry Pi: it has brought cheap computing to many, has inspired and enabled education and undoubtedly been a huge benefit. I use my own Pi daily, and we have often used its flexibility to perform hardware testing, from accessing UART to reading flash memory. So why ...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/02/17 6:12 a.m.63 views

Out Of Band, Out Of Sight, Out Of Mind

Satellite receivers aboard maritime vessels can be tricky things to manage, yet are crucial to efficient operations of modern drilling rigs and ships. Particularly on rigs, it’s not that unusual for a receiver dish to be knocked out of alignment during drilling operations. Lose satcoms and you’re...

10CVSS9.6AI score0.03356EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2024/05/03 5:12 a.m.62 views

Vulnerabilities that (mostly) aren’t: LUCKY13

TL;DR LUCKY13 is more an attack than a vulnerability LUCKY13 was patched over a decade ago … so it’s really unlikely that your server is vulnerable now Its an implementation issue Disabling CBC ciphers is still a good idea … but not because of susceptibility to LUCKY13 There is no material risk i...

2.6CVSS7.4AI score0.35584EPSS
Exploits1
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/07/08 5:47 a.m.62 views

Top 10 Cloud security tips

About half of the pen tests we’re asked to do involved cloud services at some point. We’ve even tested a cloud platform on an aeroplane – the irony was not lost on us! There is a multitude of ways to improve the security of your cloud platforms and often those ways are ever-changing or obscured...

7.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/08/10 6:0 a.m.62 views

DEF CON 28: Introduction to ACARS

This post is a companion to the DEF CON 28 video available here What is ACARS? ACARS Aircraft Communications Addressing and Reporting System, pronounced ‘ay-cars’ which is an avionics system used to for sending text messages between ground and airborne stations. This is a light touch on the topic...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/02/25 8:45 a.m.62 views

Hardcoding Keys. Is that Wyse?

A couple of years ago, we were testing a large system of around 3000 Wyse terminals, all operating unattended. To configure themselves, they download a configuration file called wlx.ini from a webserver. This file contained a few fields that seemed interesting - ChangeRootPassword and...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/11/06 8:45 a.m.62 views

Pwning a Smart Car Charger, Building a Botnet

…or Why We Don’t Build Commercial IoT on a Raspberry Pi. A positive story of disclosure and remediation. We’re quite into our electric vehicles at PTP, so we started hunting for a smart car charger. There are plenty of industrial chargers out there and some research has been done in the past. We...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/04/23 11:16 a.m.61 views

We’re Hiring!

Were growing and we need to fill these 5 UK based roles: PHP Full-Stack Developer Pen Testing Consultant Red Team Support Digital Forensic Analyst IT Support Technician You can find all the details here. We think were a good bunch and there are some really good perks. If you have the skills and...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/02/11 1:9 p.m.61 views

BBC Inside Out. Consumer advice for the ‘smart’ homeowner

We were recently asked to demonstrate security flaws in a smart home for the BBC Inside Out TV show. We’ve done this before, so what was different? This home was by far the most connected we had looked at. Typically, homes have a few smart devices; a smart thermostat, CCTV, maybe a doorbell and...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/04/13 1:1 p.m.61 views

Soldering for Reverse Engineering. Swapping out eSIMs with “normal” SIMs

Sometimes, the mobile devices we work on only have cellular data connections. In those instances, we’re usually pretty interested in trying things like this to get credentials for the APN so we can start snooping around on that. We’re also really interested in monitoring what kind of traffic is...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/05/21 6:33 a.m.60 views

Getting a persistent shell on a 747 IFE

TL:DR The Coronavirus pandemic has hit the airline industry hard. One sad consequence was early retirement of most of the 747 passenger fleet. This does however create opportunities for aviation security research, as airframes are parked up before parting out in breakers yards. This 747 was flyin...

8.2AI score
Exploits0
Total number of security vulnerabilities506