DCOM abuse and lateral movement with Cobalt Strike
Introduction When researching lateral movement techniques I came across a post from Raphael Mudge of Cobalt Strike fame. He details scripting an Aggressor Script for Matt Nelson’s MMC20.Application Lateral Movement technique. Reading that post spurred me to make my own DCOM based lateral movement...
Germ-term, but all year. How criminals are hacking schools
In some schools, the autumn term is often called “germ-term” due to the number of bugs the children bring back after the summer holidays. It usually calms down after a few weeks, however, with hacking there is no slow down. It's all year, it's relentless. In the last 10 months of this year schools...
Free BrewDog beer with a side order of shareholder PII?
TL;DR BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers Every mobile app user was given the same hard coded API Bearer Token, rendering request authorisation useless It was therefore trivial for any user to access any other...
How to build a password cracking rig during a worldwide chip shortage
… and keep a domain password auditing service online. Making money on GPUs, the hard way… At PTP we had a fairly decent GPU password cracking box called Titan. It used 4×1080 GPUs and had an NTLM hash rate of around 180GH/s. Several years ago I realised that the box was sitting idle much of the...
When the IoT vendor goes bust
Over recent years, legislation has started to emerge to protect consumers from unethical behaviour from IoT vendors. Far too many smart devices didn’t charge for a subscription to the online platform that made the device ‘smart’. As a result, manufacturers had a perverse incentive to end-of-life...
Securing mobile devices. A timely reminder
While home working might now be the norm for some, more and more people are going back to their place of work on a more regular basis. If you’re commuting again or if you’re responsible for securing your people’s devices it’s a good idea to revisit and review your security admin for mobile device...
Commercial Air Transport EFB Regulation
Introduction The Electronic Flight Bag EFB is a device pilots use to gather information. This includes viewing airport charts ground and in-flight, calculating take-off and landing performance, as well as multiple other uses as detailed in our other EFB blog posts. EFB regulation is, in a word,...
EFB Tampering. Approach and Landing Performance Part 2
Approach and Landing Performance Part 2: Approach Speeds, Cold Weather Corrections, Sources of Data Click here for part 1 Target: Approach speed calculation The speed at which aircraft fly on approach depends on a variety of factors including: Aircraft weight Flap setting Wind direction/speed Fin...
EFB Tampering. Approach and Landing Performance Part 1
Approach and Landing Performance Part 1: Introduction and Landing Distance Calculations Click here for part 2 TL;DR Approach and landing performance applications perform calculations to provide critical performance data to pilots e.g. speed / flap settings on approach Modifying any one of these...
EFB Tampering. The Human Factor
Like most people, pilots want to expedite things and generally make their work easier. A common conception about aviation is that it's a leading industry with technology at its forefront. While this is generally true, some of the systems in use today are rather dated, to put it mildly. A great examp...
ASSURE Case Study: Two
The engagement The purpose of this exercise was to validate the client's baseline security assessment against NIS and the CAF and prepare them for the CAA Assure audit against NIS and CAF. There were 24 systems for the client and 9 third party systems. The client had carried out some initial...
ASSURE Case Study: One
The engagement The client needed to meet the requirements of the Network Information Systems NIS CAF. There was a target profile for the NIS CAF that the CAA had set out for the client’s systems. However, we discovered early on that this had the potential to be a transformational piece of work fo...
From open Guest Wi-Fi to pwning a lift
…or why validating network segregation is critical TL;DR A recent engagement took quite an unexpected turn and led to me having remote control of a bunch of building services including a lift from the street outside, unauthenticated. A single firewall rule bypassed some well configured VLANs and...
OpSec. Expanding your search: Hunting domains
In the last few blogs I have introduced OSINT and OpSec, talked about leaky images and using Google Dorks and how to use those techniques specifically to examine your own corporate OpSec. One of the most important aspects is to understand how wide your target expands. Many companies own multiple...
Why the Raspberry Pi isn’t suitable for IoT
Let’s start by praising the Raspberry Pi: it has brought cheap computing to many, has inspired and enabled education and undoubtedly been a huge benefit. I use my own Pi daily, and we have often used its flexibility to perform hardware testing, from accessing UART to reading flash memory. So why ...
Admin password re-use. Don’t do it
As a pentester, one of the most disappointing sights to see on a test is extensive local admin password reuse. I know others get excited as it means easy pwnage of the network, but for me, it makes my job too straightforward. I want more of a challenge, particularly as resolving the local admin...
How to install Frida into an Android application
On a recent job I was testing a rather interesting piece of technology that had several server side checks but they wanted to add some additional security on the client side. Great!! One of these additional checks was to see if Frida was running on the device, this was proving a difficult nut to...
Breaking the NFC chips in tens of millions of smart phones, and a few PoS systems
This second post is a companion to the DEF CON 29 video. Starts at 25:43 here. About a year ago I did some research into adding new capabilities to Samsung’s NFC chips in their smartphones, by bypassing their signature protection and applying code patches. This allowed me to add custom NFC tag...
The value of regulator-driven red teaming: CBEST
How do we in the UK avoid something like the Colonial Oil Pipeline ransomware attack happening? How would you feel if your mobile phone suddenly stopped working altogether? What if ambulances couldn’t respond to 999 emergency calls? What if the mechanism of government suddenly ground to a halt? T...
Breaking the Android Bootloader on the Qualcomm Snapdragon 660
This post is a companion to the DEF CON 29 video available here. A few months ago I purchased an Android phone to do some research around a specific series of NFC chips, which required me to gain root access to the device in order to fully access its hardware capabilities. Gaining root access on...
OpSec Leaky Images
Hackers love your marketing department. Fact! Your marketing department love telling the world what happens in your company, then they attach images to the posts, often of staff at work. They ensure the subject is central and the image tells a story. The problem is often they tell hackers a...
Smart car chargers. Plug-n-play for hackers?
Over the last 18 months, we’ve been investigating the security of smart electric vehicle chargers. These allow the owner to remotely monitor and manage the charge state, speed and timing of their car charger, among many functions. We bought 6 different brands of chargers and also reviewed securit...
Are you sharing your address on social media?
Do you share your full address on social media? No, of course not, or at least I hope you are not. But are you sharing enough information for someone to work out your address? Maybe! Over time we share seemingly small amounts of information that put together could allow attackers to find your...
The Cloud in the clouds
Heading back to the airport to sit in another 747 pilot seat chair is always exciting. After our first research session on a grounded airplane this time we spent more time looking at the IFE In-Flight Entertainment system. We found very different results from the first plane. Rather than an old...
Top 10 Cloud security tips
About half of the pen tests we’re asked to do involved cloud services at some point. We’ve even tested a cloud platform on an aeroplane – the irony was not lost on us! There is a multitude of ways to improve the security of your cloud platforms and often those ways are ever-changing or obscured...
SNMP – Simply Not My Problem. Or is it?
TL;DR: Use SNMPv3; long gone are default community strings, hello complex passwords! Remove it from the internet; if remote access is required, implement a VPN solution to restrict access to only authorised parties. SNMP is a protocol used for the remote management of devices on a network. By remote, we mean access...
Ransomware. In the air?
Introduction As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply weren't significantly exposed, but ground systems affected by ransomware may make flight ops either impossible or significantly...
Google for OpSec data discovery
Following last month's post about what OpSec is and how it can benefit your company, I wanted to go a step further and look at some of the ways you can supercharge your searches to find interesting data about your company. Basic search parameters As I mentioned last month, one of the most useful too...
Red Teaming. Practice what you preach
We carry out plenty of Red Teaming for customers. As a CBEST, STAR-FS and GBEST accredited supplier, our Red Team work with many large regulated organisations every day of the week. We frequently remind our clients how a simulated attack can be one of the best ways to assess prevention, detection...
Tracking Amazon delivery staff
TL;DR The Amazon delivery tracking API allows ultra-precise tracking of drivers. Amazon claim that customers can only track the driver for the 10 stops prior to theirs. This isn’t the case – one can track the driver on the entire route and all drops, including their speed on the road. This preci...
Why hackers don’t fly coach
Physical security is relied on too heavily for cabin-based systems on the Airline Information Services Domain AISD. Whilst the Aircraft Control Domain ACD is separated, there is still plenty of interesting information, data and systems that are accessible from the cabin, for those who are prepar...
Deploying EFBs securely
It may come as a surprise to some to discover that electronic flight bag security at airlines is often quite variable. Whilst some use an MDM, a lot don’t. Of those who do, PINs are often weak. Some airlines actively encourage pilots to use their devices for personal use. We’ve heard stories of a...
Do you know your OpSec?
Open Source Intelligence OSINT is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team engagement, as threat actor scenarios are created using publicly available information. Bearing that in mind it makes sense to review...
Smart lighting security
Smart lighting systems create great opportunity for improved efficiency, cost savings and easy management. The long lifespan and low power requirement of LED luminaires and lamps means that it’s worth investing in replacing older fluorescent and incandescent lighting. RJ45 connections delivering...
Getting a persistent shell on a 747 IFE
TL;DR The Coronavirus pandemic has hit the airline industry hard. One sad consequence was early retirement of most of the 747 passenger fleet. This does however create opportunities for aviation security research, as airframes are parked up before parting out in breakers yards. This 747 was flyin...
EFB Tampering 3. Take-off pt1
Take-off Performance Part 1: Introduction, Thrust & Speeds TL;DR Take-off performance applications perform calculations to provide critical take-off performance data to pilots e.g. thrust/trim/flap setting for take-off Modifying any one of these could have severe consequences. For example, an...
EFB Tampering 3. Take-off pt2
Take-off Performance Part 2: Flap, Trim, Database and Sources of Data Target: FLAP SETTING There are various forms of flaps and slats. The difference between the two and the technicalities of how they work is outside the scope of this blog. As a general rule flaps extend from the rear/trailing ed...
Echelon PII Leak and Disclosure Fail
Echelon Echelon Fitness is a competitor to companies such as Peloton. You buy the hardware, quickly assemble it, buy a subscription, use a built-in or external smart device and you do your exercise thing! However, their API had significantly worse security flaws than those we found in Peloton...
EFB Safety Advice for Pilots
As a pilot you will be all too aware of how important an electronic flight bag EFB is to you and your role. It’s probably critical to your takeoff performance calculations, your roster, pax lists and plenty more. It’s one thing if it's not working, but have you ever stopped to consider what could...
Tour de Peloton: Exposed user data
An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and its attendees, despite having a private mode. TL;DR Information disclosed included: - User IDs - Instructor IDs - Group Membership - Location - Workout stats - Gender and age - If they a...
2021. The age of the super vulnerability?
I don’t know about you, but to me it seems that every week we are seeing another vulnerability that not only grants significant access to the vulnerable system but also more widely internally. This last week we have seen the latest round of Microsoft Exchange vulnerabilities. The April 2021 updat...
We’re Hiring!
We're growing and we need to fill these 5 UK based roles: PHP Full-Stack Developer Pen Testing Consultant Red Team Support Digital Forensic Analyst IT Support Technician You can find all the details here. We think we're a good bunch and there are some really good perks. If you have the skills and...
Training apps. Have their privacy settings improved in 5 years?
TL;DR Run and bike tracking apps still have a pretty poor approach to password security & default privacy settings From being one of the more secure apps 5 years ago, Strava has now been pushed to the back of this pack as others improved Amazingly, none of these apps support multi factor...
Homeworking vs Homeschooling. The cyber challenge
March 2020 was a significant challenge. We were propelled into lockdown. From happily working in an office I had to switch to working from home. Previously I had always looked at my home as exactly that, a home. A place to relax and spend time as a family. Never did I expect to be spending every...
EFB Tampering 2. Device Integrity
TL;DR Electronic Flight Bag EFB integrity varies between different airlines and devices Aviation cyber security is becoming increasingly prominent with regulators EFBs often connect to insecure networks including public Wi-Fi Security measures are not always effective and can be inconsistent Devi...
Security vs User Journey
Something I often think about is how my recommendations for clients to fix small security issues can spoil / complicate their users' journey. UX matters I understand that UX is hugely important; even subtle changes can influence whether a journey is completed or abandoned. The difference between...
Dumping LSASS in memory undetected using MirrorDump
Introduction As I am sure some of you are aware from the occasional ramblings and screenshots on twitter, I am a big fan of .NET based offensive tooling. Not because it’s trendy or cool, but because of the development speed and ease of testing and debugging in comparison to C/C++. A month or so a...
Multi-factor Authentication. Reset MFA you say?
MFA is a no brainer. It helps mitigate the risk of password re-use, overly simple passwords and more. Just don’t confuse it with 2 step verification… Anyway, when we’re red teaming, MFA can make things more complicated. So why not social engineer your way around it? Having worked on a helpdesk...
Out of cyber class. Maritime compliance.
Ship classification societies have a key role to play in the International Maritime Organisation's cyber security requirements. Based on our experience to date, there are some significant issues coming that maritime insurers need to be aware of before writing cover for any vessel that includes...