Saturday, May 5, 2018

Files for part 2 of 3 from Fully Functional & Programmed in Multiple Techniques

This time we covered content provider abuse in Android applications.

Here is the Android Studio project

Slides from the demo

I hope everyone enjoyed this presentation.

Thank you.

Monday, April 16, 2018

Files for part 1 of 3 from Fully Functional & Programmed in Multiple Techniques

More info on series here - https://www.meetup.com/St-Louis-2600/events/skcdpnyxgbjb/


Source for the app HERE

Apps to inspect other apps' AndroidManifest.xml files and manipulate activities:
Apk Analyzer by Martin Styk
Apk Analyzer by Dinostudio8891
Same name and some duplication, but one gives you a better view of the AndroidManifest.xml file (Martin), and the other gives you more control over the exposed elements (Dino). You can find them in the Play Store.

Sorry it took me so long to get this up...

Saturday, March 31, 2018

Three-part series on Android app pen-testing at stl2600/dc314 by me!

Come join me while I do a three-part series on Android app pen-testing at the next three stl2600/DC314 meetings!

First session is setup and intent spoofing. (5/6/18)

Second is exploiting exported content providers and insecure file storage. (6/4/18)

Third is exploiting exported broadcast receivers. (7/1/18)

In each case we examine the source code of an app with the vuln and how to exploit it. Then we discuss the hallmarks for finding them in other apps ("grep dorks").

People can/should bring their own systems to play along! I hope to see you there!

More info HERE
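The manifest-inspection apps listed in the April post and the "grep dorks" mentioned above both come down to one question: which components does an app expose to other apps? Here is an added Python example (not part of the original posts or the workshop app) that answers it from an AndroidManifest.xml by applying the platform's default-export rules; the manifest it parses is a constructed sample, and the package, component and authority names are made up for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for this example (not the workshop app's manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="27"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SecretActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".CmdReceiver">
      <intent-filter><action android:name="com.example.demo.CMD"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"/>
  </application>
</manifest>"""

def is_exported(elem, min_sdk, target_sdk):
    """Apply the platform defaults when android:exported is not set explicitly."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        # Providers default to exported=true while minSdk or targetSdk is 16 or lower.
        return min(min_sdk, target_sdk) <= 16
    # Activities, services and receivers become exported once they declare an intent-filter.
    return elem.find("intent-filter") is not None

def find_exported_components(manifest_xml):
    """Return (tag, name, permission) for every component other apps can reach; permission None means unguarded."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(A + "minSdkVersion", "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(A + "targetSdkVersion", str(min_sdk))) if sdk is not None else min_sdk
    found = []
    for tag in COMPONENT_TAGS:
        for elem in root.iter(tag):
            if is_exported(elem, min_sdk, target_sdk):
                found.append((tag, elem.get(A + "name"), elem.get(A + "permission")))
    return found

if __name__ == "__main__":
    for tag, name, perm in find_exported_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:18} permission={perm or 'NONE'}")
```

Run it against a manifest pulled from an APK (or one of the workshop apps) to get the list of entry points worth reviewing; bumping minSdkVersion to 17 in the sample drops the provider off the list, which is exactly the change that fixes an unintentionally exported provider.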


Saturday, February 10, 2018

Advanced HaX11 Social Engineering Functionality

One of the features of HaX11 is the ability to open a full-screen browser on the target machine to any URL you like. It is intended to be used in a social engineering attack on the target to attempt to get passwords or other sensitive information, but you can use it for whatever you can imagine. It's easy to use, but does require you to have a web server running somewhere the target machine can access.

This attack also has a higher success rate, as far as executing relative to the app's other functions on the target machine, because rather than depending on the configuration of the target to share windows/desktops, you share a window to it!

Another thought I was playing around with was a type of ransomware attack where you just keep popping the window until they give you bitcoins. The idea is the victim will have no idea what's really going on and might assume they really are infected with some of the ransomware they see on TV. The scareware approach might work as well. Anyway, those are just a few ideas, but how you use it is really up to you. Enjoy.

Friday, December 8, 2017

Happy New Year & Big SharePointSpy update!

Happy New Year!! I hope everyone's is better than the last! To bring in the new year there is a big update to SharePointSpy, already available on GitHub! It features a new, more user-friendly UI and an anonymous or specific-user scan! Please check it out and let me know what you think. Thank you and good luck in the new year!

Sunday, December 3, 2017

DNS cache snooping via blind XXE-based SSRF?

Is this a thing? You tell me.

Say you have an XXE vuln on a pentest that lets you make HTTP calls only (SSRF). You know it's working only because you see packets over port 80 to a server you control coming from the target system; no data exfil or other fun stuff, so no output of any kind other than server response times. Not much you can do, right? Well, while playing around I noticed the response time was long when I looked up domains that don't exist. So I switched to subdomains of good root domains and saw the same delay... That is DNS cache snooping, yeah? If so, it's a newish, kinda worthless attack vector, I think. At least I have not seen any papers on it, so it might be new. What do you think?

Tuesday, October 3, 2017

I be Jahamming - Jamming stuff with a Ham radio

So I have been looking at playing around with the HackRF One for a while, and seeing Caleb's talk at DEFCON really got me itching to play, but I was not quite sure where to start. After googling RF/HackRF/GNURadio 101 for a bit, I figured since I already have a Ham radio sitting around I would start with the frequencies available on my Ham and the stuff in my house. This gave me something familiar to start with, since everything was so new with the HackRF, the software I needed to operate it (GNURadio), RF itself, etc. Here are just a few notes on my experiences so far...

First, a few things to note about the HackRF: it leaks RF all over the spectrum. When I would do a sweep on the frequencies my Ham could Rx/Tx on and then listen in on my Ham on the IDed frequencies, it was nothing of importance. So I started a few very professional trial-and-error methods ("moving around and tapping on the HackRF") and noticed a change in the white noise; then, when I unplugged it, the Tx stopped. Also, when you Tx on a frequency that the HackRF isn't already leaking on, then stop the program (GNURadio), the HackRF will continue to transmit on that frequency.

On to jamming. The first thing I wanted to mess with was my car. I don't know much about it, but I am guessing it uses a rolling code, so replay was out, but jamming would be ok :) After a quick check of its FCC ID I found the frequency. To my surprise it was in the range of my Ham! The first thing I did was listen to it on my Ham; when I hit the lock button on my fob I could hear little beeps, my car locked, and boy was I excited! So then I keyed up my radio and hit the lock button on my fob again, and this time nothing!! I stopped Tx on my radio and I could once again lock my car. My Ham's Tx was more powerful than the fob's Tx, so it was jammed!

Next up was a motorized bed we got a few years back. It has a remote to control the head, foot, and vibrate functions. It does not have an IR LED, so I figured it must be RF. I opened it and there was an FCC ID. Again it was in the range of my radio! After listening to the beeps on my radio and getting a good message, I keyed up my radio and the remote stopped working, lol.

That's all I have for now, but there is more to come on this topic! One thing is for sure: there are way more commercial products using Ham frequencies than I first thought; it should be fun breaking them. I have had a blast so far and look forward to playing with the HackRF and my Ham more! Might make my own bed remote with a doggy style position/mode or something, lol! Happy Hacking.