
Overview Visual Studio is a complex and powerful IDE developed by Microsoft and comes with a lot of features that can be interesting from a red team perspective. During this…

  • ActiveBreach

    Nighthawk 0.2.6 – Three Wise Monkeys

    Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and…
  • ActiveBreach

    The Not So Pleasant Password Manager

    Overview During a recent adversary simulation, the MDSec ActiveBreach red team were asked to investigate the organisation’s Password Manager solution, with the key objective of compromising stored credentials, ideally from…
  • ActiveBreach

    Leveraging VSCode Extensions for Initial Access

    Introduction On a recent red team engagement, MDSec were tasked with crafting a phishing campaign for initial access. The catch was that the in-scope phishing targets were developers with technical…
  • ActiveBreach

    CVE-2023-26258 – Remote Code Execution in ArcServe UDP Backup

    Overview During a recent adversary simulation, the MDSec ActiveBreach red team were performing a ransomware scenario, with a key objective set on compromising the organisation’s backup infrastructure. As part of…
  • ActiveBreach

    Nighthawk 0.2.4 – Taking Out The Trash

    May 2nd 2023 Congratulations to our new king and in honour of the coronation, we proudly present Nighthawk 0.2.4. Our last Nighthawk public post was for our 0.2.1 release in…
  • ActiveBreach

    Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

    Date: 14th March 2023 Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows: Microsoft Office Outlook contains a privilege escalation vulnerability that allows…
  • ActiveBreach

    Nighthawk: With Great Power Comes Great Responsibility

    Recently, Proofpoint released a blog post entitled “Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice”. In this post, Proofpoint outlined a campaign used by a legitimate red…
  • ActiveBreach

    Nighthawk 0.2.1 – Haunting Blue

    November 1st 2022 This Halloween week brings our third and final Nighthawk release for the year and it's packed with exciting new features, backed by MDSec’s world class research and…
  • ActiveBreach

    Autodial(DLL)ing Your Way

    The use of the AutodialDLL registry subkey (located in HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters) as a persistence method has been previously documented by @Hexacorn in his series Beyond good ol’ Run key, (Part 24)….
  • ActiveBreach

    Microsoft Office Online Server Remote Code Execution

    Microsoft’s Office Online Server is the next generation of Office Web Apps Server; it provides a browser based viewer/editor for Word, PowerPoint, Excel and OneNote documents. The product can be…
  • ActiveBreach

    Analysing LastPass, Part 1

    Having been in IT longer than I care to remember, one issue keeps coming up. It doesn’t matter how well you have implemented; what really matters is…
  • ActiveBreach

    PART 3: How I Met Your Beacon – Brute Ratel

    Introduction In part one, we introduced generic approaches to performing threat hunting of C2 frameworks and then followed it up with practical examples against Cobalt Strike in part two. In…
  • ActiveBreach

    Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service (LSASS)

    Introduction Process enumeration is necessary prior to injecting shellcode or dumping memory. Threat actors tend to favour using CreateToolhelp32Snapshot with Process32First and Process32Next to gather a list of running processes….
  • ActiveBreach

    PART 2: How I Met Your Beacon – Cobalt Strike

    Cobalt Strike is one of the most popular command-and-control frameworks, favoured by red teams and threat actors alike. In this blog post we will discuss strategies that can be used…
  • ActiveBreach

    PART 1: How I Met Your Beacon – Overview

    Introduction It's no secret that MDSec provides a commercial command-and-control framework with a focus on evasion for covert operations. With this in mind, we are continuously performing on-going R&D in…
  • ActiveBreach

    Altiris Methods for Lateral Movement

    Introduction During a recent engagement the team came up against an unfamiliar product, Altiris. Very little public research was available about Altiris, with a considerable lack of information regarding abusing…
  • ActiveBreach

    Nighthawk 0.2 – Catch Us If you Can

    Introduction It’s been some months since our 0.1 release in December ‘21 and the development team have been working hard on new features, research and development, alongside bug fixes and…
  • ActiveBreach

    Resolving System Service Numbers using the Exception Directory

    Introduction While developing new features for Nighthawk C2, we observed that NTDLL contains up to three internal tables with the Relative Virtual Address (RVA) of all system calls. Two of these…
  • ActiveBreach

    Process Injection via Component Object Model (COM) IRundown::DoCallback()

    Introduction The MDSec red team are continually performing research in to new and innovative techniques for code injection enabling us to integrate them in to tools used for our red…
  • ActiveBreach

    ABC-Code Execution for Veeam

    This blog post details several recently patched vulnerabilities in the Veeam Backup & Replication and Veeam Agent for Microsoft Windows. We’ll detail MDSec’s process for identifying these 1Day vulnerabilities, writing…
  • ActiveBreach

    EDR Parallel-asis through Analysis

    Introduction Post-exploitation tooling designed to operate within mature environments is frequently required to slip past endpoint detection and response (EDR) software running on the target. EDRs frequently operate by hooking…
  • ActiveBreach

    Nighthawk 0.1 – New Beginnings

    Introduction MDSec’s ActiveBreach red team operate in some of the highest maturity environments, where a significant degree of in-memory and post-exploitation operational security is often required to counteract defensive…
  • ActiveBreach

    NSA Meeting Proposal for ProxyShell

    As part of Microsoft Exchange April and May 2021 patch, several important vulnerabilities were fixed which could lead to code execution or e-mail hijacking. Any outdated and exposed Exchange server…
  • Response

    Investigating a Suspicious Service

    The Incident Response team at MDSec regularly gets queries from our customers, as well as our consultants about odd things that they’ve found, either during engagements, or on an ad-hoc…
  • ActiveBreach

    Bypassing Image Load Kernel Callbacks

    As security teams continue to advance, it has become essential for attackers to have complete control over every part of their operation, from the infrastructure down to individual actions that…
  • ActiveBreach

    Phishing Users to Take a Test

    Introduction When looking for new interesting attack surfaces in Windows, I’ve often looked to default file handlers and LOLBins. Another interesting place to look is the default protocol handlers and…
  • ActiveBreach

    Farming for Red Teams: Harvesting NetNTLM

    Overview In the ActiveBreach red team, we’re always looking for innovative approaches for lateral movement and privilege escalation. For many of the environments we operate in, focusing on the classic…
  • ActiveBreach

    macOS Post-Exploitation Shenanigans with VSCode Extensions

    Overview It’s no secret that macOS post-exploitation is often centric around targeting the installed apps for privilege escalation, persistence and more. Indeed, we’ve previously posted about approaches for code injection…
  • ActiveBreach

    Breaking The Browser – A tale of IPC, credentials and backdoors

    Web browsers are inherently trusted by users. They are trained to trust websites which “have a padlock in the address bar” and that “have the correct name”. This trust leads…
  • ActiveBreach

    Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams

    Introduction The motivation to bypass user-mode hooks initially began with improving the success rate of process injection. There can be legitimate reasons to perform injection. UI Automation and Active Accessibility will use it…
  • ActiveBreach

    A Fresh Outlook on Mail Based Persistence

    Introduction Low privileged, user land persistence techniques are worth their weight in gold, as there are far fewer opportunities from this perspective than when you’re elevated. As such, we are…
  • ActiveBreach

    Segmentation Vault: Cloning Thick Client Access

    Overview I started out this research having taken some inspiration from @buffaloverflow‘s Chlonium tool for easily exfiltrating and using a victim’s Chromium based web browser cookies. I was working on…
  • ActiveBreach

    Covert Web Shells in .NET with Read-Only Web Paths

    In a recent red team engagement, we discovered a SharePoint instance that was vulnerable to CVE-2020-1147. I was asked to build a web shell without running any commands to avoid…
  • ActiveBreach

    I Like to Move It: Windows Lateral Movement Part 3: DLL Hijacking

    Overview In the past two posts of this series, we’ve covered lateral movement through WMI event subscriptions and DCOM, detailing approaches to improve the OpSec of our tradecraft. In the…
  • ActiveBreach

    I Like to Move It: Windows Lateral Movement Part 2 – DCOM

    Overview In part 1 of this series, we discussed lateral movement using WMI event subscriptions. During this post we will discuss another of my “go to” techniques for lateral movement,…
  • ActiveBreach

    I Like to Move It: Windows Lateral Movement Part 1 – WMI Event Subscription

    Overview Performing lateral movement in an OpSec safe manner in mature Windows environments can often be a challenge as defenders hone their detections around the indicators generated by many of…
  • ActiveBreach

    Massaging your CLR: Preventing Environment.Exit in In-Process .NET Assemblies

    At MDSec it is not uncommon to need to develop custom post-exploitation tooling to meet the requirements of an engagement; this is especially true for the red team where the techniques employed for tasks such as information gathering and lateral movement often need to be adapted to the target environment.
  • ActiveBreach

    FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking

    Introduction During red team engagements, it is not uncommon to encounter Endpoint Defence & Response (EDR) / Prevention (EDP) products that implement user-land hooks to gain insight in to a…
  • ActiveBreach

    Detecting and Advancing In-Memory .NET Tradecraft

    Introduction In-memory tradecraft is becoming more and more important for remaining undetected during a red team operation, with it becoming common practice for blue teams to peek in to running…
  • All

    Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET

    Introduction Microsoft patched a number of deserialisation issues using the XPS files. Although the patch for CVE-2020-0605 was released in January 2020, it was incomplete and an additional update was released in…
  • All

    Mattermost Enterprise Denial of Service

    Introduction LaTeX is a document typesetting system that takes a plaintext file, stylised using mark-up tags similar to HTML or CSS, and converts this into a high-quality document for displaying…
  • ActiveBreach

    T1111: Two Factor Interception, RSA SecurID Software Tokens

    Introduction During Red Team Operations, it is not uncommon to find systems or applications related to the engagement objectives being protected by Two Factor Authentication. One of the solutions that…
  • Exploitation

    Introducing YSoSerial.Net April 2020 Improvements

    The YSoSerial.Net project has become the most popular tool when researching or exploiting deserialisation issues in .NET. We have recently invested some research time to improve this tool to help ourselves and…
  • ActiveBreach

    Abusing Firefox in Enterprise Environments

    Introduction In this blogpost, we will describe a technique that abuses legacy Firefox functionality to achieve command execution in enterprise environments. These capabilities can be used for lateral movement, persistence…
  • ActiveBreach

    Designing The Adversary Simulation Lab

    As some of you will know, we have recently entered into the Red Team training space. Before deciding to create our course now known as “Adversary Simulation and Red Team…
  • ActiveBreach

    Hiding Your .NET – ETW

    After the introduction of PowerShell detection capabilities, attackers did what you expect and migrated over to less scrutinised technologies, such as .NET. Fast-forward a few years and many of us…
  • ActiveBreach

    Offensive Development with GitHub Actions

    Introduction Actions is a CI/CD pipeline, built into GitHub, which was made generally available back in November 2019. Actions allows us to build, test and deploy our code based on triggers…
  • All

    A Security Review of SharePoint Site Pages

    Introduction If you have worked with SharePoint, you have seen two types of ASPX pages: Application pages Site pages Application pages are not customisable. They are stored on the file…
  • ActiveBreach

    Getting What You’re Entitled To: A Journey Into MacOS Stored Credentials

    Introduction Credential recovery is a common tactic for red team operators and of particular interest are persistently stored, remote access credentials as these may provide an opportunity to move laterally…
  • All

    IIS Raid – Backdooring IIS Using Native Modules

    Introduction Back in 2018, PaloAlto Unit42 publicly documented RGDoor, an IIS backdoor used by the APT34. The article highlighted some details which sparked my interest and inspired me to write…
  • ActiveBreach

    Testing your RedTeam Infrastructure

    As RedTeaming has grown with the industry, so has our need to build dependable environments. In keeping with the cat-and-mouse game we find ourselves in, it’s essential to possess the…
  • All

    CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)

    SQL Server Reporting Services (SSRS) provides a set of on-premises tools and services that create, deploy, and manage mobile and paginated reports. Functionality within the SSRS web application allowed low privileged…
  • Penetration testing

    Code injection in Workflows leading to SharePoint RCE (CVE-2020-0646)

    Description A remote code execution issue in SharePoint Online via Workflows code injection was reported to Microsoft in November 2019 which was addressed immediately on the online platform. However, the…
  • ActiveBreach

    Deep Dive in to Citrix ADC Remote Code Execution, CVE-2019-19781

    Last month, a critical vulnerability in Citrix ADC and Citrix Gateway was published under CVE-2019-19781. The vulnerability caught our attention as it suggested that an unauthenticated adversary could leverage it to…
  • ActiveBreach

    MacOS Filename Homoglyphs Revisited

    Last year I posted a few tricks to help when targeting MacOS users, and included a technique useful for spoofing file extensions with the aim of taking advantage of Finder’s…
  • ActiveBreach

    RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients

    Introduction Remote Desktop is one of the most widely used tools for managing Windows Servers. Admins love using RDP and so do attackers. Often the credentials that are used to…
  • ActiveBreach

    Introducing the Office 365 Attack Toolkit

    During our red team operations, we frequently come in contact with organisations using Office 365. The present tooling targeted at this environment is somewhat limited meaning that development is often…
  • ActiveBreach

    Persistence: “the continued or prolonged existence of something”: Part 3 – WMI Event Subscription

    In my previous two posts I covered persistence using both Microsoft Office and COM hijacking, in this post I’ll discuss my third favourite technique for persistence; WMI event subscription. Unlike…
  • ActiveBreach

    Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking

    In the first post I talked about my favourite persistence technique using Microsoft Office add-ins and templates. My second favourite technique for persistence is using COM hijacking which will be…
  • ActiveBreach

    Persistence: “the continued or prolonged existence of something”: Part 1 – Microsoft Office

    During a red team engagement, one of the first things you may want to do after obtaining initial access is establish reliable persistence on the endpoint. Being able to streamline…
  • ActiveBreach

    Silencing Cylance: A Case Study in Modern EDRs

    As red teamers regularly operating against mature organisations, we frequently come in to contact with a variety of Endpoint Detection & Response solutions. To better our chances of success in…
  • ActiveBreach

    External C2, IE COM Objects and how to use them for Command and Control

    Background Cobalt Strike 3.6 introduced a powerful new feature called External C2, providing an interface for custom Command and Control channels. Being a fan of custom C2 channels I started…
  • ActiveBreach

    Macros and More with SharpShooter v2.0

    In March 2018 we released SharpShooter, a framework for red team payload generation. We followed up with further updates and new techniques in June. Like many offensive tools, the framework…
  • ActiveBreach

    Abusing Office Web Add-ins (for fun and limited profit)

    Background The Office add-ins platform allows developers to extend Office applications and interact with document content. Add-ins are built using HTML, CSS and JavaScript, with JavaScript being used to interact…
  • ActiveBreach

    ActiveBreach, powered by Ethereum Blockchain

    No matter where you turn, it’s hard to miss just how much of an effect the Blockchain has had on our daily lives. Being the backbone of the digital currency…
  • News

    SharpPack: The Insider Threat Toolkit

    Introduction We recently performed an Insider Threat red team engagement, posing as employees within the company. We were provided with all the benefits of a regular employee (except salary :))…
  • ActiveBreach

    Cisco AMP – Bypassing Self-Protection

    Sometimes when you are in the middle of an engagement, you will come across a hurdle which requires a quick bit of research, coding, and a little bit of luck….
  • ActiveBreach

    AppLocker CLM Bypass via COM

    Constrained Language Mode is a method of restricting PowerShell’s access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the PowerShell runtime…
  • ActiveBreach

    Serverless Red Team Infrastructure: Part 1, Web Bugs

    During a red team engagement, it is often beneficial to have the ability to quickly and programmatically deploy infrastructure. To date, most existing literature has focussed on deploying the server…
  • Exploitation

    Advisory: CVE-2018-7572 – Pulse Secure Client Authentication Bypass

    Overview Title: Pulse Secure Client Authentication Bypass Version: Pulse Desktop Client 9.0R1 and 5.3RX before 5.3R5. Researcher(s): Nassar Amin, Ricardo Ramos, Russel Crozier and Dominic Chell Disclosure Date: 01-03-2018 Public Disclosure…
  • News

    Advisory: CVE-2018-8007 – Apache CouchDB Remote Code Execution

    Overview Title: CouchDB Arbitrary Write Local.ini Configuration Authenticated Remote Code Execution Version: <=2.1.1 Researcher: Francesco Oddo at MDSec Labs (https://www.mdsec.co.uk) Disclosure Date: 5/01/2018 Public Disclosure Date: 30/04/2018 Severity: High Description…
  • ActiveBreach

    Disabling MacOS SIP via a VirtualBox kext Vulnerability

    System Integrity Protection (sometimes called “rootless”) is a security feature introduced in OS X El Capitan as a way to protect critical system components from all accounts, including the root…
  • ActiveBreach

    Endpoint Security Self-Protection on MacOS

    Recently we’ve been looking at MacOS in the context of redteaming, looking at endpoint security products and how they can be evaded on a Mac. I have previously explored Windows…
  • ActiveBreach

    Escaping the Sandbox – Microsoft Office on MacOS

    You’ve completed your recon, and found that your target is using MacOS… what next? With the increased popularity of MacOS in the enterprise, we are often finding that having phishing…
  • ActiveBreach

    FreeStyling with SharpShooter v1.0

    In April, we released our in-house payload generation tool SharpShooter to demonstrate the automation of some of the nuances in payload creation and evasion of defensive controls. This was generally…
  • ActiveBreach

    Exploring PowerShell AMSI and Logging Evasion

    By now, many of us know that during an engagement, AMSI (Antimalware Scan Interface) can be used to trip up PowerShell scripts in an operator's arsenal. Attempt to IEX Invoke-Mimikatz…
  • ActiveBreach

    Payload Generation using SharpShooter

    Getting a foothold is often one of the most complex and time-consuming aspects of an adversary simulation. We typically find much of our effort is spent creating and testing payloads…
  • ActiveBreach

    Adobe Flash Exploitation, Then and Now: From CVE-2015-5119 to CVE-2018-4878

    Last week, it was reported that an exploit was being used to spread the ROKRAT malware. What made this so interesting is that Flash was being used by an APT…
  • Penetration testing

    Penetration Testing Apache Thrift Applications

    During a recent mobile application assessment, MDSec’s mobile team encountered a binary protocol over HTTP used for server communication. Analysis of this protocol revealed it to be Apache Thrift, which…
  • Hardware

    Extracting Firmware from the Virgin Super Hub 2ac

    The MDSec hardware security team were recently researching the Virgin Super Hub 2ac; the latest of Virgin’s Super Hub models which supports the 5GHz band of wireless. This blog post…
  • Exploitation

    Advisory: CVE-2017-10927 – Sophos Web Appliance PPD Injection

    Overview Sophos Web Appliance is a “next generation” anti-malware and content filtering proxy appliance created by Sophos. Description During a review of Sophos Web Appliance, MDSec discovered a remote code…
  • ActiveBreach

    Exploiting CVE-2017-8759: SOAP WSDL Parser Code Injection

    Introduction CVE-2017-8759, the vulnerability recently discovered by FireEye as being exploited in the wild is a code injection vulnerability that occurs in the .NET framework when parsing a WSDL using…
  • ActiveBreach

    Introducing ANGRYPUPPY

    What is ANGRYPUPPY ANGRYPUPPY is a tool for the Cobalt Strike framework, designed to automatically parse and execute BloodHound attack paths. ANGRYPUPPY was partly inspired by the GoFetch and DeathStar projects, which…
  • ActiveBreach

    PowerShell DNS Delivery with PowerDNS

    Delivery of staged and stageless payloads is often achieved using the PowerShell web delivery technique. While this is a highly effective strategy for staging, in some cases it can be…
  • ActiveBreach

    Reconnaissance using LinkedInt

    A key step in an adversary simulation is the reconnaissance phase which almost always requires obtaining e-mail addresses for employees within the organisation. LinkedIn is probably one of the most…
  • News

    Categorisation is not a Security Boundary

    Prior to commencing any red team engagement, it is important to carefully consider how your infrastructure will be designed. As part of this process, one pivotal consideration is the host/domains…
  • ActiveBreach

    Payload Generation with CACTUSTORCH

    CACTUSTORCH is a framework for payload generation that can be used in adversary simulation engagements based on James Forshaw’s DotNetToJScript tool. This tool allows C# binaries to be bootstrapped inside a…
  • ActiveBreach

    RDPInception

    Remote Desktop is often used by Systems Administrators to remotely manage machines. In a lot of organisations this could mean that a machine is placed in a DMZ or segregated…
  • Hardware

    Hacking Hardware with an Arduino

    Sometimes on embedded systems (such as routers or webcams), the manufacturer has left debugging ports on the board. These ports are obviously not meant for the public as they are…
  • ActiveBreach

    Exploiting CVE-2017-0199: HTA Handler Vulnerability

    FireEye recently documented attacks of a 0-day vulnerability in the Windows HTA handler being exploited in the wild using Office RTF documents. The vulnerability later became referenced as CVE-2017-0199 and addressed…
  • ActiveBreach

    Penetration Testing Skype for Business: Exploiting the Missing Lync

    Around a year ago, Black Hills documented multiple ways to obtain domain credentials from the outside using password spraying against Outlook Web Access. They then went on to release MailSniper,…
  • Exploitation

    Containerised Browsing with Docker

    This year’s Pwn2Own contest saw the majority of the main stream browsers being compromised once again, highlighting that we still have some way to go for a secure browsing experience….
  • ActiveBreach

    TOR Fronting – Utilising Hidden Services for Privacy

    Tor, also known as The Onion Router and as the Dark Web, is a network that aims to conceal its users’ identity and their online activity from surveillance…
  • ActiveBreach

    Domain Fronting Via Cloudfront Alternate Domains

    These are not the domains you are looking for… A technique known as Domain Fronting was recently documented for circumventing censorship restrictions by Open Whisper Systems. The benefits of this…
  • ActiveBreach

    Eventvwr File-less UAC Bypass CNA

    Matt Nelson recently released a very useful, file-less UAC bypass using Event Viewer which was quickly implemented in to a Metasploit module by @TheColonial. Following this, we decided to release our own implementation…
  • Exploitation

    Building an IoT Botnet: BSides Manchester 2016

    In August, @MDSecLabs delivered a talk at the Manchester BSides titled “Breaking and Entering, Hacking Consumer Security Systems”. The talk outlined research that we had performed in to the security (or…
  • ActiveBreach

    Tool Release: CredHunter

    Sometimes when conducting internal assessments or even simulated attacks, you may want the ability to quickly identify weak credentials in your environment. We often faced this problem which led to…
  • ActiveBreach

    Protected Mode: A Case of When No Means Yes

    Browser exploitation is continually getting more challenging as defenders constantly introduce new protections, moving the goal posts further and further away. Memory corruption on the latest Internet Explorer is now not…
  • Mobile

    SQL Injection in Samsung Voice Framework Application

    Vulnerability Description The Samsung Voice application provides a means to control your smartphone through voice commands, such as initiating calls to the device’s contacts. It is installed by default on…
  • Exploitation

    Multiple Vulnerabilities in SED Systems’ Decimator D3

    During a recent penetration test, MDSec found several vulnerabilities in a RF spectrum analyzer that was exposed to the Internet. The SED Systems Decimator D3 is the third generation of SED’s popular…
  • Hardware

    An Introduction to Hardware Hacking: the RIPE Atlas probe

    RIPE NCC is building the largest Internet measurement network ever made. RIPE Atlas employs a global network of probes that measure Internet connectivity and reachability, providing an unprecedented understanding of…
  • Exploitation

    My Lulzy Pwniez – Abusing the ELF loader in PonyOS

    PonyOS is a hobby Unix-like operating system that uses its own kernel, built from scratch. This makes it a great research target for exploring software exploitation concepts. The OS is…
  • Mobile

    Instrumenting Android Applications with Frida

    As you may have heard, our latest publication the Mobile Application Hacker’s Handbook is out. When you’re writing a book you have to agree a number of things with the…
  • News

    Upcoming Training Events 2015

    If you’re interested in web and/or mobile security and want to learn some cutting-edge techniques, then we have just the thing! This April and June we’re running two training courses…
  • Mobile

    Apple iOS Hardware Assisted Screenlock Bruteforce

    We recently became aware of a device known as an IP Box that was being used in the phone repair markets to bruteforce the iOS screenlock. This obviously has huge…
  • Mobile

    The Mobile Application Hacker’s Handbook

    Following on from our previous publications in the Hacker’s Handbook series, MDSec’s director Dominic Chell has co-authored a new book on how to secure mobile applications. The Mobile Application Hacker’s…
  • Mobile

    44Con 2014: GreedyBTS – Hacking Adventures in GSM

    At 44CON in September 2014, MDSec presented “GreedyBTS: Hacking Adventures in GSM” where we discussed our research of 2.5G network attacks against mobile devices. We outlined many existing known weaknesses…
  • News

    Heartbleed Teardown

    Yesterday we presented some of our exploitation notes on the Heartbleed vulnerability at 44Cafe and shared some of the lessons learned, the slides are available for review here: The accompanying…
  • News

    OpenSSL ‘heartbleed’ CVE-2014-0160 Analysis

    This week, the OpenSSL security team announced a high-risk vulnerability within a TLS extension of the popular open-source cryptography toolkit. The original advisory can be found here. The advisory indicates that a missing…
  • Mobile

    Hooking SQLCipher Crypto Keys with CydiaSubstrate

    Security conscious developers often turn to SQLCipher [1] to encrypt content stored on a device’s file system. SQLCipher is a slightly extended version of SQLite, which allows 256-bit AES encryption…
  • News

    VoIP Attacks: Skype Proof of Concept Released

    In October 2013, Dominic Chell and I (Shaun Colley) presented our research and proof-of-concept tool for traffic analysis of encrypted VoIP streams. We focused on Skype as a case study….
  • Exploitation

    Practical Attacks Against Encrypted VoIP Communications

    At HackInTheBox KUL 2013, we demonstrated two possible techniques that could be used to perform side channel attacks on packet captures of encrypted VoIP communications. The two techniques, Dynamic Time…
  • News

    Introducing Mobile AppArmour

    Overview Threats to mobile apps are well documented, as are the risks posed from jailbreaking, rooting and malware. As we place an increasing level of trust in mobile apps, we…
  • News

    No source? No problem…

    When performing any kind of product assessment, it is always preferable to have the source code. However, in the real world we all know that this isn’t always possible and…
  • News

    BlackHat USA 2012 – MDSec’s WAHH Live Training

    MDSec will be delivering the WAHH live training course at BlackHat USA again this year. The course syllabus follows the chapters of the Second Edition of The Web Application Hacker’s…
  • Mobile

    Introduction to iOS Platform Security

    This is the first in a series of blog posts about iOS and iOS platform security, encompassing and expanding on the MDSec iOS Application (In)Security whitepaper. In this post, MDSec…
  • Mobile

    iOS Application (In)Security Whitepaper

    Today MDSec released a whitepaper detailing some of the vulnerabilities we’ve observed over the past year while performing regular security assessments of iPhone and iPad applications. This whitepaper details some…
  • News

    Beyond the OWASP Top 10

    We recently had the pleasure of presenting at OWASP Ireland. The following talk discusses some of the issues we’ve identified during pentests that don’t easily slot in to the categories…
  • News

    iOS Application (in)Security

    We recently had the pleasure of talking about iOS application security at OWASP Ireland, the slides for our presentation are below: iOS application (in)security
  • News

    MDSec @ Countermeasure 2012

    MDSec are proud to announce the Web Application Hacker’s Handbook training course will be running at Countermeasure 2012! The course syllabus follows the chapters of the Second Edition of The…
  • News

    Evaluating iOS Applications

    We recently presented at the Manchester OWASP chapter on Evaluating iOS Applications. Thanks to everyone involved, it was a great evening. Our slides can be found below: Evaluating iOS Applications
  • Penetration testing

    Automating Oracle Penetration Tests

    Some time in 2008, we developed a framework for automating Oracle penetration tests. The framework was called OAP, which stood for Oracle Attack and Penetration. However, due to the lack…
  • News

    New Blog Launched

    Along with our new website, MDSec are proud to announce the launch of our new blog where MDSec consultants will be speaking their mind on both technical and non-technical information…