Lucene search
K
PentestpartnersMost viewed

506 matches found

Pen Test Partners Blog
Pen Test Partners Blog
added 2022/03/03 6:28 a.m.28 views

Red Team lab automation

It’s not uncommon for red teamers to regularly tear down and rebuild their test labs, I know I do on a sometimes daily basis. It keeps things fresh and manageable, and now, using Infrastructure as Code IaC, we can create a consistent environment to test tools and techniques in. If we break...

0.4AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/01/17 6:38 a.m.28 views

Domestic CCTV and audio recording

Last week, we had BBC Morning Live in to film a piece on the legalities and challenges of domestic CCTV systems. You can watch it on iPlayer here, starting at 10:30. It was sparked by a conversation we had with Radio 4 before Xmas, where a journalist had taken an interest in CCTV systems exposed ...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/10/08 10:34 a.m.28 views

Free BrewDog beer with a side order of shareholder PII?

TL;DR BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers Every mobile app user was given the same hard coded API Bearer Token, rendering request authorisation useless It was therefore trivial for any user to access any other...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/08/27 9:10 a.m.28 views

Protected: TBD

This content is password protected. To view it please enter your password below: Password:...

7.2AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/06/12 5:48 a.m.28 views

Revisiting old tools

Many, many years ago I was onsite and noticed that a company's internal website had checked out their website using the subversion code versioning system. This subversion archive contained the site's web.config which has a set of credentials for SQL server, which through many steps led to domain...

7.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/08/02 2:11 p.m.28 views

Hacking the Bitfi. Part 2: John McAfee’s video

The unhackable Bitfi story isn't going away any time soon. Following John McAfee's tweet yesterday that he would put out a "definitive video countering all of the nonsense claims instigated and co-coordinated by BirFi's sic established, monolithic competitors in the hardware wallet space" here's ...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/09/07 5:32 a.m.27 views

Information disclosure through insecure design

Introduction Insecure design can lead to many issues. The Software Development Life Cycle SDLC should contain steps to evaluate and consider security throughout the process. Several recent web application and API tests have revealed a common issue of responses containing too much data, and leakin...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/08/03 5:41 a.m.27 views

PTP at DEF CON 31 2023

Come and see us at the Aerospace Village, at Caesars Forum. Aerospace Village Fri 11th to Sun 13th Activity Take off in an A320 with hacked engine performance calculator. Then try to land it again. Fri 11th August 5:00 PM Pen Test Partners Power Hour We’ll be talking about: Hacking Electronic...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/11/03 6:53 a.m.27 views

DCOM abuse and lateral movement with Cobalt Strike

Introduction When researching lateral movement techniques I came across a post from Raphael Mudge of Cobalt Strike fame. He details scripting an Aggressor Script for Matt Nelson’s MMC20.Application Lateral Movement technique. Reading that post spurred me to make my own DCOM based lateral movement...

7.5AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/08/12 3:2 p.m.27 views

The value of regulator-driven red teaming: CBEST

How do we in the UK avoid something like the Colonial Oil Pipeline ransomware attack happening? How would you feel if your mobile phone suddenly stopped working altogether? What if ambulances couldn’t respond to 999 emergency calls? What if the mechanism of government suddenly ground to a halt? T...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/09/17 8:25 a.m.27 views

Speed 2 – The Poseidon Adventure – Part Two

This post is a companion to the DEF CON 28 video available here Part One is available here Issue 3: Time and Tide Wait for No VLAN As mentioned the cabin switch appeared to be the key to all our access requirements. From that we could get to the trunk network, and all those TV, VOIP, and Wi-Fi...

7.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/08/12 8:0 a.m.27 views

DEF CON 28: 747 Walkthrough from a Hacker’s Perspective

This post is a companion to the DEF CON 28 video available here Airframe tour Alex: Welcome to this virtual 747-400 walkthrough. One of the advantages of DEF CON Safe Mode this year is that we’re able to bring you things like this. Nothing beats being able to climb onboard and poke around a real...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/07/17 5:58 a.m.27 views

Threat modelling and IoT hubs

IoT hubs are increasingly being used to provide a single point of access to the myriad of smart devices in the home. One ring to rule them all, if rather than multiple apps for different devices. When reviewing devices we often start with the single biggest security threat: unauthorised access to...

7.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/05/23 6:38 a.m.27 views

Z-Shave. Exploiting Z-Wave downgrade attacks

TL;DR: Stronger S2 Z-Wave pairing security process can be downgraded to weak S0, exposing smart devices to compromise. Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices ‘nodes’ when the devices are paired. The keys are used to...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/09/20 5:53 a.m.26 views

3yrs of CAA ASSURE assessments. What we’ve learned

Introduction Were now in our third year of CREST CAA ASSURE auditing and weve learned a lot. The Cyber Assessment Framework CAF is big, theres no denying that. It’s not something that you can complete overnight, it’s not something that requires minimal effort and can just be thrown at an auditor ...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/05/19 5:10 a.m.26 views

All your building are belong to us

TL;DR Building Management Systems BMS bring new risks to businesses that havent had previous experience of securing Operational Technology OT While there might not be direct financial gain from hacking BMS, these systems can be a soft target for attackers to pivot into your business operations. I...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/02/07 6:37 a.m.26 views

Causing incidents with in-flight entertainment systems

Some odd things have happened on airplanes recently. The voice on the PA system on an American Airlines flight was one of these. Before the airline put out a response, we were asked to speculate about how it might have happened. American then discovered that there was an issue with one of the PA...

0.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/01/09 1:30 p.m.26 views

UK gov website being used to redirect to porn sites

TL;DR UK Government Environment Agency web site had an open redirect that was actively being used to redirect to various porn sites, including OnlyFans clone sites. Disclosure should have been easy but wasn’t, as the agency haven’t followed wider UK government policy on vulnerability disclosure...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/02/01 6:4 a.m.26 views

Who has access to your leased Tesla?

One of the cool features of a Tesla is controlling it through the mobile application. This gives a whole host of options such as controlling the air conditioning, opening the “frunk”, and setting charge limits. The most useful feature however is using you mobile as a car key. Walk up to the car a...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/11/10 7:30 a.m.26 views

Snakes and Ladder Logic

A click to a reverse shell in OpenPLC and ladder logic OR Why you shouldn’t run everything as root in PLC and RTUs. TL;DR Most of the RTU’s and PLC’s that run a Unix based OS that we test and, and some devices on Windows that we’ve tested on maritime engagements, run as root and/or admin. They al...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/09/29 5:20 a.m.26 views

Cloud-y, with a chance of hacking all the wireless things

Grandstream are a provider of IP video and voice services, as well as Wi-Fi and other related services and equipment. Their products are sold in over 150 countries and they have offices around the globe. We were having a look at their GWN.Cloud management platform, used for remote device and...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/04/17 11:8 a.m.26 views

Are you cyber seaworthy?

The decision to set sail in a commercial vessel rests with the captain. A captain with years of experience and training, who is skilled at sailing and navigating in all conditions. Increasingly, the state of a vessel’s cyber security will affect its seaworthiness. Yet in future we may expect a...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/10/09 1:43 p.m.26 views

‘Secure by Design’ & SB-327. Standards for a secure IoT?

The ‘Secure by Design’ guidance for consumer IoT security from the UK's Department for Digital, Culture, Media and Sport DCMS is coming shortly. In the meantime we’ve seen SB-327 from California legislators, mandating some basic security standards for consumer smart tech. Both are big steps...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/10/08 11:0 a.m.26 views

Which? Magazine recommends vulnerable smart home camera

You’ll already know that we have a keen interest in smart home camera security. Our recent work on Swann and FLIR cameras showed how it could be trivially easy to spy on people through their security cameras. Which? Magazine has a well-earned reputation for providing product reviews for consumers...

7.4AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/08/15 11:10 a.m.26 views

PTP, IoT & the Norwegian Government

We were privileged to be invited to speak an event in Arendal, Norway yesterday to make the case for IoT regulation. 'Arendalsuka' is the largest political gathering in Norway, an open forum event where the public can interact directly with political leaders, business leaders, entrepreneurs,...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2025/05/20 5:37 a.m.25 views

Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more…

TL;DR Restricted View allows users to read files, but not copy, download or print them Attackers will look for ways to circumvent these controls Traditional workarounds include manual transcription, screenshots, and photos OCR tools can extract text from screenshots Microsoft Copilot can read fil...

6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2024/01/10 11:24 a.m.25 views

Cockpit door lock auto-unlock is no surprise

TL;DR Through reverse engineering a cockpit door lock controller several years ago, we’ve known about the auto-unlatch issue We couldn’t publish owing to the risk to flight safety, even though some airplane type manuals already described the behaviour in a depressurisation event Now that the Alas...

7.5AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/05/23 5:39 a.m.25 views

We need to talk about sex toys and cyber security

Introduction We’ve written about the appalling security of smart sex toys over the years. Finally, an invite came to give a talk on the subject to a TEDx audience. I debated whether to give the talk with colleagues, as we’ve never wanted to be pigeon-holed in this space! But we felt that public...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/12/17 9:25 a.m.25 views

Kids Tracker Watches: CloudPets, exploiting athletes and hijacking reality TV

Kids smart tracker watch security: everyone has missed the point. It’s not a few thousand here and there. It’s at least 47 million, probably around 150 million exposed tracking devices. It all points back to two or three lazy device manufacturers, much like Mirai v1 did There have been lots of...

7.5AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/08/14 10:14 a.m.25 views

Lojack’d: Pwning Smart vehicle trackers

This research is by @evstykas with help from @Yekki1 and @TheKenMunroShow. Many car insurers insist that smart trackers are fitted to high end vehicles. In the event of theft, the car can be tracked and recovered. Probably the most well-known is LoJack, also known as Tracker in Europe. We also...

7.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2025/05/08 5:36 a.m.24 views

RCEs and more in the KUNBUS GmbH Revolution Pi PLC

TL;DR Four new vulnerabilities in the Revolution Pi industrial PLCs Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations Documentation and firmware is public, meaning greater oversight and better security in the long run KUNBUS’ PSIRT and CISA were great at...

9.3CVSS8.5AI score0.22202EPSS
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/09/08 5:4 a.m.24 views

DEF CON 30. Hacking EFBs. Engine Performance

At DEF CON 30 this year we demonstrated some vulnerabilities in electronic flight bags and the potential impact on flight safety. There’s plenty more detail of EFB security issues here. As part of the Aerospace Village at DEF CON 30, we invited people to fly our flight sim under instruction from...

0.5AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/07/04 5:42 a.m.24 views

Cloud OSINT. Finding Interesting Resources

Locating sensitive information, personally identifiable information PII and questionable assets in the cloud. TL; DR I had a curiosity driven excursion into the public clouds of AWS and Azure to find what is publicly hosted and who by. As anticipated, the results were extremely broad and...

7.2AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/02/21 6:44 a.m.24 views

OAuth consent phishing, in the wild

TL;DR An interesting incident response investigation showed exploitation of a recent OAuth related consent-phishing issue. We had been asked to investigate as the organisation had noticed some odd behaviours in the mailbox of one of the exec team. The mailbox was being queried using GraphAPI and...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/09/14 5:47 a.m.24 views

EFB Tampering. Approach and Landing Performance Part 2

Approach and Landing Performance Part 2: Approach Speeds, Cold Weather Corrections, Sources of Data Click here for part 1 Target: Approach speed calculation The speed at which aircraft fly on approach depends on a variety of factors including: Aircraft weight Flap setting Wind direction/speed Fin...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/09/02 5:55 a.m.24 views

OpSec. Expanding your search: Hunting domains

In the last few blogs I have introduced OSINT and OpSec, talked about leaky images and using Google Dorks and how to use those techniques specifically to examine your own corporate OpSec. One of the most important aspects is to understand how wide your target expands. Many companies own multiple...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2020/12/04 10:44 a.m.24 views

Locking down your cyber life in lockdown

Today the NCSC refreshed their advice for online shoppers, so I thought it’d be handy to review and advise on other aspects of consumer security hygiene. More than ever, we’re reliant on technology, so now that we’re in various stages of lockdown it’s a great time to have a look at your home and...

7.2AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/06/01 8:17 a.m.24 views

So, you just caused a data breach, by CCing the wrong person in an email…

I had two encounters today both of which I thought I’d share. The first thing that happened A received a call from a friend who had made a mistake at work, due to the area I work within they decided I could save them Yes, it happened THEY COPIED THE WRONG PERSON IN AN EMAIL. Happily working away...

6.5AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2024/01/02 6:49 a.m.23 views

Mobile malware analysis for the BBC

This is a version of our report referenced in the Helping a mobile malware fraud victim blog post, with all sensitive information removed. Summary One malicious application was identified on the device, and evidence identified during the examination strong suggests though this cannot be confirmed...

7.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/12/05 6:27 a.m.23 views

OSINT. What can you find from a domain or company name

We carry out lots of attack surface assessments, parts of which involve investigating information that has been unintentionally disclosed. To help OPSEC people I thought it might be useful to go over some of the key things that can be found using domain and company names. Domain name So let’s div...

6.9AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/10/21 5:30 a.m.23 views

Effecting positive change in the Internet of Things

Way back when… We started our journey back in the day when the IoT was in its infancy. Our first published research was in June 2015 with a post about extracting the Wi-Fi PSK from Fitbit’s Aria weighing scales. This led to a challenging disclosure process with Fitbit, though it ended positively...

7.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/03/31 5:30 a.m.24 views

The reality of OT segregation

One of the areas I find most fascinating about industrial control systems and related operational technology is the perception that OT networks are segregated and isolated from the wider IT network. We’re often told that “IT and OT are totally separated” as there’s a genuine belief that OT is...

0.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2021/12/22 5:55 p.m.23 views

Audio bugging with the Fisher Price Chatter Bluetooth Telephone

The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute! Unfortunately, little to no consideration has been given to privacy and securit...

6.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2018/11/21 9:23 a.m.23 views

Advice on buying ‘smart’ gadgets for Christmas

Christmas isn’t far off, and many of you will be in full present buying mode. In the world of smart-this and connected-that there is more at stake than ever before, and we’re not talking about whether batteries are included or not. As we’ve been testing the security of smart products for over 5...

6.8AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2024/11/08 6:17 a.m.22 views

BEC-ware the Phish (part 2): Respond and Remediate Incidents in M365

TL;DR Ensure you can reliably take initial containment actions such as disabling accounts, resetting passwords, and revoking tokens. Token binding ensures that a token only works on the specific device the token was issued and is currently the best protection against token theft. As a minimum...

7.3AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2024/04/12 5:34 a.m.22 views

Can ships be hacked?

Photo: David Adams, MV Dali and the Francis Scott Key Bridge collapse - 240326-A-SE916-6662, A layer has been added showing a character and a speech bubble, CC0 1.0 TL;DR Ships can be hacked Was the MV Dali hacked? Practically impossible Polarised views from uninformed commentators do not help...

7.5AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2024/02/13 6:33 a.m.22 views

Android Content Providers 101

Introduction Android has a number of different types of components that a program or app can instantiate to interact with the user or other programs. Recently Ive been looking at exported as an interesting way to manipulate information that other apps have stored. A content provider is what it...

7.7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/08/09 5:41 a.m.22 views

Vulnerability disclosure in aviation

We joined Boeing and United Airlines on a panel recently at the RSA Conference to talk about vulnerability disclosure in the aviation world. The engagement we are now seeing between researchers and industry is a powerful force for positive change. Hopefully this will start to reduce the number of...

7AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2023/04/11 5:28 a.m.22 views

London Councils & pirate books. Google dorking for subdomain takeovers

TL;DR Google dorks found me an exploited DigitalOcean subdomain takeover on London Councils’ .gov.uk domain It used a meta refresh to redirect to a site hosting unprovenanced PDFs London Councils had a security.txt file which made disclosure a doddle Their security team were awesome and fixed it...

6.1AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2022/10/20 5:3 a.m.22 views

Social Engineering dos and don’ts

Another day, another success at sneaking into a building and pretending to be staff. I do so love drinking other peoples expensive office coffee. No fruit bowls though. Close, but no banana. It got me thinking, again, about what makes for good social engineering SE, and what advice would I give m...

6.8AI score
Exploits0
Total number of security vulnerabilities506