My first Defcon experience

Defcon 23Defcon is a meta-conference which anyone passionate by IT security should attend. It is more than a conference, it is the heaven of hackers and security professionals, a place where definitely you will find something both cool and useful, even if you are interested in web security, reverse engineering, social engineering, hardware, lock-picking, Internet of Things or car-hacking topics.

Las Vegas

If Defcon reputation is not enough to get you at the conference, Las Vegas might be another reason to come here. If you don’t like to sleep, have some free time and some money, you’ll surely enjoy Vegas. Casinos and night-clubs are everywhere.

If you didn’t visit Paris or New York, no problem, here you can find the Tour Eiffel and the Statue of the Liberty. You can also visit a lot things: High Roller Wheel, Bellagio Fountain show and Luxor pyramid hotel are just a few examples.

Continue reading

Pivoting to internal network via non-interactive shell

ninja1During a recent penetration test we have experienced the situation where we’ve gained remote code execution with limited privileges to a web server and had to pivot to other hosts from the internal network.

For this, we had to find a reliable method to forward our traffic from our local machine to the internal host via the compromised server. This blog post describes how we solved this situation – for future reference.

Problem details

Our scenario is best described in the diagram below:

port forwarding via php shell

Achieving our goal was not that straight forward since the compromised server was behind a firewall and only ports 80 and 443 were permitted inbound. Furthermore, we were executing commands as www-data user and our non-interactive shell (PHP passthru) was pretty limited.

shell1

 

Continue reading

NetRipper – Smart traffic sniffing for penetration testers

Ionut

Ionut Popescu, Senior Security Consultant @ KPMG Romania has been accepted as speaker at the prestigious DEFCON conference. He will present one of his projects: NetRipper tool, developed especially to be used in penetration testing projects.

The conference will be held in Las Vegas, Nevada, between 6-9 August 2015.

NetRipper – Short description

The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is the tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

https://www.defcon.org/html/defcon-23/dc-23-speakers.html#Popescu

And we will be waiting to share  his experience at the conference in the next article.

Mobile penetration testing on Android using Drozer

Android red logoMobile phones have become an indispensable part of our daily life. We use mobile phones to communicate with our loved ones, for quick access to information through the Internet, to make transactions through mobile banking apps or to relax reading a good book.

In a way, a big part of our private life has moved into the digital environment. Mobile phones seem to be a pocket-sized treasure of secrets and information, hiding our most valuable photos, mails, contacts and even banking information. There’s no wonder why we need mobile phones to have bullet-proof security.

Android is the most common operating system for mobile devices and is particularly interesting from the security point of view.  It is very permissive, allowing its users to customize about anything, administrative privileges (a.k.a. rooting) can be unlocked on most phones, it has a very fuzzy system for the permissions required by applications and it features different ways for one application to interact with other applications.

In this blog post, we are going to focus on how Android apps can interact with each other and how the security of those interactions can be tested.

Continue reading

Hacknet 2015

Map-God1KPMG Europe’s internal information security conference – Hacknet, was held in Berlin and lasted two days, the 29th and the 30th of April.

This year, it was Ionut, Daniel and me who had the privilege of representing KPMG Romania.

Our team arrived in Berlin on the 28th. After taking our luggage to the hotel, we went for dinner, followed by a short walk in the city.

First Day

The conference kicked off early on the 29th and the program for the day consisted of three presentations and the CTF competition.

First presentation was on Relaying Contactless EMV, by a colleague from KPMG NL. After an introduction to smart-cards and EMV, the speaker described the concept of Relay Attacks on Contactless Transactions. Afterwords, he showed a video illustrating his Android implementation of the attack, the novelty of his approach being the small time overhead incurred by the relay. Measurements showed that the duration of a relayed transaction was very close to the duration of a native transaction (sometimes, due to optimizations, even faster). Continue reading