Building a Cellular Man-in-the-Middle Setup for 4G

With the ongoing rise of the Internet of Things (IoT) and current 4G/5G technologies, testing connected devices and mobile communcation in terms of security is more important than ever before. Approriate testing enviromnents are required in order to examine devices that transmit data over cellular networks.

With this 4G test setup, it is possible to redirect the internet traffic, normally sent over the mobile network, through a dedicated test network. This enables testers to intercept, redirect and modify the traffic with tools like mitmproxy or mitm_relay.

Continue reading “Building a Cellular Man-in-the-Middle Setup for 4G”

Creating evil WiFi hotspots, network bridges and complex hybrids

Intercepting traffic between devices and the internet is part of the day to day work of an IoT pentester. More often than not, those devices only support one type of connectivity, and it’s usually the one you don’t have at hand, at that moment (well, at least sort of 😉 ). So, this guide will show code snippets for creating (evil) access points and network bridges (under Linux) for:

Continue reading “Creating evil WiFi hotspots, network bridges and complex hybrids”

PrintNightmare/CVE-2021-34527 Search the Domain with PowerShell

In my latest blog post “Vulnerability advisory: PrintNightmare/CVE-2021-34527 Zero-day Exploit Code Available – What to do now?” I’ve recommended enabling monitoring with Windows EventLogs or Sysmon logging. Since many small to medium business leak the possibility to aggregate, search and alert on Windows EventLogs, I want to propose a simple yet effective manual way for these businesses until a patch is available.

Continue reading “PrintNightmare/CVE-2021-34527 Search the Domain with PowerShell”

Vulnerability advisory: PrintNightmare/CVE-2021-34527 Zero-day Exploit Code Available – What to do now?

What has happened?

With the June 2021 security update Microsoft fixed a vulnerability (CVE-2021-1675) in the Windows Print Spooler Service that allowed for Privilege Escalation (LPE) and Remote Code Execution (RCE).

On June 29th exploit code for this vulnerability was published by a security researcher as PoC but then quickly removed as it was clear that the PoC did not address the vulnerability that Microsoft has fixed. Unfortunately the PoC code was already being actively shared at this moment. So for now, we have a 0-day RCE in the Windows Print Spooler Service for which exploit code is available.

Continue reading “Vulnerability advisory: PrintNightmare/CVE-2021-34527 Zero-day Exploit Code Available – What to do now?”

Bypass PassKey-Entry Authentication in BT-LE

As part of my bachelor’s thesis published in 2020 in information technology, I investigated a largely unknown weakness in a Bluetooth Low Energy (BT-LE) pairing process and developed a concept to prove it in practice.

The basis for this is a document[1] by Mr. Tomáš Rosa, who claims that a mathematical function for calculating confirmation parameters can be bypassed. According to some research, this issue in particular has not been addressed by anyone since the publication of Rosa’s document in 2013.

In the blog post, I present the results of my thesis in short form. In the end, the vulnerability was practically exploited and all tested devices of all BT-LE versions (v4.0-v5.1) are affected.

Continue reading “Bypass PassKey-Entry Authentication in BT-LE”

Write-up: Hack The Box – Rope Two

The machine Rope2 by r4j is probably (one of) the hardest boxes on with only 104 system owns after 202 days. The theme of the box is more or less “research”, since it requires (gaining) knowledge in many different fields: Browser Exploitation, esoteric Heap Feng-Shui, and finally Linux Kernel Exploitation. For me, all 3 fields were pretty new and thus I had a lot to learn (over the course of almost exactly 3 months).

Continue reading “Write-up: Hack The Box – Rope Two”

Customizing Desinfec’t (and other Linux Live disks)

Desinfec’t, formerly known as Knoppicillin, is a Ubuntu-based Linux distribution that was created by the c’t Magazine for Computer Technology. It contains several anti-virus engines (currently ESET, F-Secure, Kaspersky and Sophos), as well as several tools for recovering systems from malware incidents.

Continue reading “Customizing Desinfec’t (and other Linux Live disks)”

Investigating: CVE-2019-19781 on Citrix NetScaler appliances

We got quite a few cases related to CVE-2019-19781 during the past few weeks.

However, most of the NetScaler VM images we got were acquired after the appliances were shut down, so we had no RAM image data. Unfortunately, this also implicates the loss of the root file system /, as it turned out that the root partition was mounted as a RAM disk.

Continue reading “Investigating: CVE-2019-19781 on Citrix NetScaler appliances”

Write-up: Hackvent 2019

Like the past few years, the HackingLab Team provided the white-hat hacking competition Hackvent in the form of a advent calendar. From December 1st to 24th , each day, a new challenge was released that has to be solved in-time for scoring full points. Like the past years, challenges were provided from various community members.

Continue reading “Write-up: Hackvent 2019”

Write-up: Flare-On 6

From August 16 to September 27, FireEye’s FLARE team ran the Flare-On challenge for the 6th straight year (see announcement, here). This CTF-style challenge is comprised of 12 reverse-engineering tasks for different architectures. Like the past years, it was a great event with so much new things learned.
TL;DR: I started a tad bit late, but managed to solve 11 out of those 12 challenges (after solving “vv_max”, I had 4 hours left to break the last challenge – a malicious Windows driver – which was way too little time 😉

Continue reading “Write-up: Flare-On 6”