Windows includes OpenSSH by default - ssh.exe. This means all those wonderful tricks we used as washed-up *nix sysadmins, we can now revisit as Offensive Security Consultants! This article shows how Windows’ OpenSSH can be used as a network proxy implant, deployed as a “remote-access trojan” for lower privileged users, and as a data exfiltration tool.
WiFi network client isolation is a security feature that prevents devices connected to the same network communicating directly with each other. This article shows how to bypass client isolation by manually crafting packets and injecting them into the air with a monitor mode wireless adapter, even with WPA2-PSK enabled. This allows an attacker to target other connected devices through bypassing the access point entirely, along with the client isolation security it enforces.
This article takes a close look at what stands in the way of filtering outbound HTTP to the wider web in a restricted server environment, shows how to evade typical filtering configuration using a relative of domain fronting, and presents some ideas for ways to plug this gap.
TLS is good, arguably necessary, but managing PKI makes me feel bad. Is there no other way? This article will show how you can reap the benefits of mutual TLS quickly and easily without the mire of PKI.
This article discusses Airtable Formula injection, a vulnerability that occurs when untrusted input is included in an Airtable formula. We’ll cover the vulnerability fundamentals, detection, exploitation and some thoughts on remediation.
2024 was a year. What better way to close it off than by releasing some silly, but ultimately useful, tools. This article discusses and releases 4 USB HID fuzzing tools that get far, far, too much use. Meet the four horsemen of the HID apocalypse. Plug them in and watch the chaos.
A goblin emoji and an empty string are the same thing, according to Microsoft SQL Server. The issue here is that almost every application language tends to disagree. This can lead to one of my favourite kinds of security issue ever – a whacky processing logic inconsistency between two systems leading to a vulnerability. The bickering-couple of AppSec. This is an article about one such condition, which causes a potential issue for any application using MSSQL as a back-end database. Let’s dive in!
Noot: a pair of PowerShell scripts for transferring files using ICMP (ping). Complete with encryption, partial transfer resume, and big (1GB+) file support.
This article is going to look at patching Golang code at the assembly level to modify some behaviour in the net/http standard library. The Golang maintainers aren’t super interested in changing this bit of behavior, so lets fix it ourselves!
Since Pulse Security kicked off, we’ve been contributing code to open source projects to fix bugs, implement new functionality and try to do our part in pushing the state of open source security tooling forward. This post digs into some of these contributions, and how we’re trying to empower our clients to start addressing some of the security basics themselves using this FOSS tooling.
CI/CD systems are often used for continuous deployment so that when the right things happen in the source repo, the code magically ends up built and deployed where it needs to be. Underneath all of this is usually a “runner”, which is responsible for doing the work. An attacker who can get their malicious pipeline executing on this runner can steal information for other work executing on the same runner, and subsequently gain access to production systems. This article is going to discuss practically carrying this attack out against a GitLab CI/CD environment.
Lack of HTTP request rate limiting has been a staple low severity finding in penetration test reports for as long as I can remember. OWASP called it API4:2019 Lack of Resources & Rate Limiting in the 2019 API Top 10 and refined it to API4:2023 Unrestricted Resource Consumption in 2023. Is this still a good idea, or are we more likely to shoot ourselves in the foot with it?
Dynamic analysis is the process of using tools such as a debugger and instrumentation (or, lets be honest with each other here, mad printf statements), to understand a piece of software that we’re researching. This article will look at getting line-level debugging set up with a remote target, all without source code.
This article is a follow up to Part I - Practical CANBUS Reversing – Understanding the Ducati Monster. We’ll look at implementing the protocols from Part I using an aftermarket ECU, pulling some starting fuel and ignition map data out of the factory ECU through the chip debugging interface and we’ll talk about a few of the things I learned along the way.
We were recently asked to review a Tailscale deployment for one of our clients. Naturally we had to take a look under the hood at how Tailscale implement things - to satisfy our own curiosity as well as to make sure our assumptions about the details were correct. This article explains a couple of the interesting things we found during this process and presents a couple of tricks that might be useful when you next encounter a Tailscale network during a security review, or which might give you some food for thought regarding how you securely deploy Tailscale in your environment.
I’ve spent a while dwelling on how dotnet’s default Aes.Create() behavior is to use CBC mode with PKCS7 padding. This means that, by default, dotnet’s System.Security.Cryptography.AES is vulnerable to padding oracle attacks. These attacks are certainly nothing new, so let’s look at a practical example of an attack that simulates a recent real-life bug that came up during testing. We’ll explore some specifics of exploiting padding-oracle attacks against targets with hard-coded unknown IV values.
Default SameSite settings are not the same as SameSite: Lax set explicitly. TLDR? A two-minute window from when a cookie is issued is open to exploit CSRF. Let’s take a closer look at how to do that…
The pandemic maxed out our work-from-home stats, we forgot to cancel our coffee subscription and ended up hoarding Havana beans by accident, we hacked many boxes and investigated an incident or two. This article is a brief, informal overview of some things that happened at Pulse in 2021, and a chance to talk about some of that Stuff ™ that happened.
This article takes a look at reversing the CANBUS on a Ducati Monster 696. The goal is to figure out the protocols in use and allow an aftermarket ECU to play nice with the OEM systems.
In this post I’ll show you a neat party trick that can let you easily bypass Time-Based One Time Password (TOTP) multi-factor authentication, and often within just a few hours. If your TOTP implementation doesn’t include brute-force protection, you might be in trouble. Sample code to exploit this can be found here.
This article is a look at an example SQL injection in a codebase using QueryDSL (which, inturn, uses Hibernate ORM). ORMs are good for a lot of things, but preventing SQL injection isn’t as automatic as you might think.
Network pivoting is a fancy name we use to describe sending network traffic via one or more hosts that we’ve compromised. It lets us get behind firewalls, access more stuff and is an essential component of serious malware. This is the story of a highly portable network pivot I created. It’s based on (more or less) stealing code from some malware I reverse engineered as part of an incident response engagement.
Penetration testing and vulnerability research are not the same thing. At Pulse Security, we’ve taken a different approach to certain penetration and security testing engagements. We’ve begun using a vulnerability-research based approach where we collaborate directly with client staff to understand and assess complex or heavily integrated systems. We’re calling it our “hybrid security assessment” service which can include aspects of threat modelling, attacker analysis, network testing, architecture review, application testing, reverse engineering, source code review, and more, as needed to fully understand and assess the security of large and complicated systems.
Authentication design for websites is tricky business, and we’re finding more and more websites are falling behind the times. Let’s talk user login design and how to get decent security without stamping all over your user experience. It’ll be fun, I promise!
An SQL injection bug in an ORDER BY clause came up in a recent engagement, which lead to an interesting rabbit hole regarding exploiting SQLi against a PostgreSQL database. This post details some of that adventure. We’ll look at some useful Postgres functions to make exploiting SQLi easier, some interesting file read/write primitives and a path to command execution as the DB user. I’ve included some sample vulnerable code for those of you that want to try this stuff out first hand.
This article explains a technique we discovered for bypassing a web application firewall or blacklist to trigger an expression language injection and get remote code execution, without being able to pass certain strings.
2019 was a big year for us at Pulse. We found a lot of bugs, compromised a lot of boxes and wrote a lot of reports. This post will provide an overview of three generic things that made our lives as attackers difficult last year. We’ll cover strong password policies, multi-factor authentication and a surprisingly effective phishing control. This post explains how these security controls made a few of our engagements harder for us.
In this article I’m going to take a look at Microsoft SQL Servers RAND() implementation. We’ll reverse the relevant parts of SQL Server using windbg and Ghidra, replicate the random number generator in C and then look at some attacks and brute forcing methods. This project stemmed from a job I worked on recently where a stored procedure which called RAND() was used to generate session tokens within an API[1].
I recently had the chance to set up a few security automation bits and pieces, and figured I’d go ahead and detail some of my thoughts on a few quick wins. We’ll look at assigning code owners for security sensitive source code, extending linters to keep bugs from re-appearing in the future and automating alerting on third party library vulnerabilities. These techniques give a low-false-positive rate, and provide a simpler way to get started with security automation rather than attempting to cobble together full-fat static and dynamic security analysis right off the bat.
Containers aren’t really a thing. They’re a mishmash of Linux kernel-isms like namespaces and cgroups. I wanted to write a rootkit that would make exploiting privileged docker containers easier, and learn about how these kernel-isms are implemented along the way. This post is going to take a look at three kernel-module specific techniques to escape a privileged container, ranging from easy-peasy-lemon-squeezy to difficult-difficult-lemon-difficult.
TLDR: You can sniff BitLocker keys in the default config, from either a TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code, or with a sufficiently fancy logic analyzer. After sniffing, you can decrypt the drive. Don’t want to be vulnerable to this? Enable additional pre-boot authentication.
We’re coming across more and more instances of Office 365 accounts with suspicious activity. Unfortunately the logging defaults in Office 365 are unsatisfactory and a little additional configuration is required to improve the effectiveness of the logging, especially in regards to user activity.
In this article I’ll be taking a look at the CAN bus network in a 2009 Ducati 848. How to find the bus, confirm the high and low lines with a scope and analyse messages with a Linux box and socket-CAN. The aim of the game is to identify a way to get onto the bus, and then analyse the messages going across the bus. We’ll end up figuring out how to log the throttle position and RPM data, how the immobilizer is implemented and how to bypass it.
Sourcemaps are intended to make debugging minified JavaScript less of a pain. This article will take a closer look at Sourcemaps and discuss retrieving the original source code tree from a downloaded Sourcemap file.
Can you tell me how to get, how to get shells on OpenCPU…
When it comes to offensive security, engagements can be broadly broken up into two categories: Penetration testing and red teaming. Understanding the differences between the two is essential when attempting to verify the security of an application, network or organisation.