SerializingMe

AnyConnect Inter-Process Communication

Fri, 27 Jan 2023 19:00:00 +0000

In my first deep dive into Cisco AnyConnect (CAC) Secure Mobility Client (see AnyConnect Elevation of Privileges Part 1 and Part 2), I reversed engineered how CAC made use of a TCP based Inter-Process Communication (IPC) protocol. Based on that research, I found a Local Privilege Escalation (LPE) vulnerability (see CVE-2016-9192 and the proof-of-concept code). Yorick Koster and Antoine Goichot followed suit, and using that research also found other vulnerabilities (see CVE-2020-3153, CVE-2020-3433, CVE-2020-3434, and CVE-2020-3435). This post presents the results of my second deep dive, correcting a wrong conclusion about the protocol, further reverse engineering the various IPC messages, and providing some tools that can potentially aid further research.

CAC IPC

Fri, 27 Jan 2023 00:19:00 +0000

Cisco AnyConnect (CAC) makes use of Inter-Process Communication (IPC) protocol. This project provides a Wireshark dissector and a tool to generate syntactically valid packets.

Freedom and Solitude

Wed, 16 Nov 2022 19:06:00 +0000

The freedom of not having to account for someone else's needs, wants and feelings, has the cost of solitude. Silva, Duarte. 2022 Image via Pexels @ Pixabay

Raspberry Pi Custom Fedora Kernel

Sun, 06 Nov 2022 07:35:00 +0000

Over the years I have gotten very used to Red Hat Enterprise Linux (RHEL) type distributions, and have for a long time now selected Fedora as my default goto Linux distribution. However, I needed a specific driver that comes out of the box with Raspbian (Raspberry Pi’s Debian based distribution), but does not come with Fedora. This post elaborates how to go about compiling a custom kernel on a Pi running Fedora.

e-GPU Plus Bracket

Sun, 14 Mar 2021 19:10:00 +0000

Razer Core X Chroma is an excellent device, but its functionalities didn’t fully cover my use case. As such, I decided to add a bracket and a PCI-e extender to the mix.

Bypass All The GPOs

Sun, 29 Mar 2020 14:50:00 +0000

During a red team engagement, one has landed on a machine with the need to make an application “ignore” Group Policies enforced configurations. This application runs on the context of the user but the settings are only changeable with administrative privileges and without access to a highly privileged account how can one make the application ignore these settings?

GPO Bypass

Sun, 29 Mar 2020 14:50:00 +0000

This utility allows you to bypass Group Policy enforced controls on Firefox (as an example), especifically, it allows you to still install add-ons even if disabled through GPOs. This tool only supports 64 bit versions of Firefox.

Simulating APTs For Fun

Mon, 29 Apr 2019 20:30:00 +0000

In the post I will explain how one could simulate an Advanced Persistent Threat (APT) using Praetorian’s Purple Team Attack Automation and MITRE’s ATT&CK framework.

Malware Classification

Fri, 01 Mar 2019 15:00:00 +0000

Malware Classification is a workflow that makes use of Machine Learning to classify unknown Windows Portable Executable files.

It's Me, FireEye!

Wed, 27 Feb 2019 12:00:00 +0000

A little over three years ago, while researching malware execution sandboxes, I found a stealth way to detect FireEye’s Malware Analysis System (MAS). In this blog post I will release the details.

Three Honeypots and a Month After

Sun, 27 Jan 2019 11:30:00 +0000

I deployed three web honeypots, one in Singapore, another in Australia and another one in France. I then leveraged IVRE and Suricata to investigate the visitors, and respective traffic they generated.

Frontdoor to the Technicolor 7210

Tue, 23 Oct 2018 00:40:00 +0000

In a previous article, I explained how to get root on the embedded Linux part of the Technicolor 7210 router by leveraging a remote code execution (RCE). This article on the other hand, will explain how one can leverage a “frontdoor” to gain the same level of access.

Reversing the TC7210 Embedded Linux Firmware

Sun, 30 Sep 2018 15:00:00 +0000

In this article I will explain how to reverse the firmware of the embedded Linux part of the Technicolor (TC) 7210 router by leveraging the usual tools of the trade.

Facts and Alternative Realities

Sat, 21 Jul 2018 08:40:00 +0000

(...) simply insisted we prove that the Queen didn’t do it — that is, demanding a refutation of wild speculation to prove fact, rather than seeking out the evidence first. This proof-by-negation is akin to fastidiously believing in the tooth fairy simply because no one has seen proof that the tooth fairy doesn’t exist. That is noxious thinking — and, (...), it’s exactly the kind of aggressive, close-minded speculation that fuels fake news, Trumpian rhetoric, and political divisions.

Rooting the Technicolor 7210

Sun, 03 Jun 2018 11:20:00 +0000

The Technicolor 7210 home router is a powerful little device. It provides 1Gbps Ethernet, dual-band wireless for speeds ranging from 300Mbps to 1300Mbps, and Network Attached Storage (NAS) for file sharing and media streaming.

PowaScripts Update: Kerberos Pre-authentication

Sun, 22 Jan 2017 09:55:00 +0000

After reading harmj0y blog post about “Roasting AS-REPs”, I have decided to update the Dump-User.ps1 script in order for it to report on users that don’t have Kerberos pre-authentication enabled. Running the updated version against a “in the wild” target yielded interesting results to say the least.

AnyConnect Elevation of Privileges, Part 2

Tue, 20 Dec 2016 18:28:00 +0000

In the previous part of this multi-part article, I explained how I reversed engineered one of the binaries of the Cisco AnyConnect (CAC) Secure Mobility Client. This allowed me to understand the header format of the network packets used in the Inter-Process Communication (IPC) mechanism. In this part, I will focus on doing a more dynamic analysis in order to understand what goes in the packet body.

AnyConnect Elevation of Privileges, Part 1

Wed, 14 Dec 2016 18:56:17 +0000

The Cisco AnyConnect (CAC) Secure Mobility Client doesn’t have the brightest security track record. CVE-2015-4211 and CVE-2015-6305 are only two out of the fourteen CVEs that have been assigned to it just in 2015. This spiked my curiosity and prompted me to confirm if Cisco had properly fixed the underlying issue of these vulnerabilities.

HPQPswd Encrypted Passwords Decryption

Sat, 15 Oct 2016 19:00:00 +0000

Ever wondered how to decrypt HPQPswd encrypted passwords? So did I when, for the first time, I came across a strange file called password.bin with a magic value of _HPPW12_.

HPQPswdD

Sat, 15 Oct 2016 19:00:00 +0000

Small utility that can be used to decrypt HPQPswd encrypted passwords.

Active Directory Dump

Fri, 07 Oct 2016 18:05:00 +0000

During many penetration tests (or red versus blue team exercises), I have found myself with the need to investigate users, groups, computers and policies of a Windows domain. To do that, I have developed a series of PowerShell scripts that dump all that information from Active Directory into XML files.

Updated AppLocker Dump Script

Fri, 23 Sep 2016 20:33:00 +0000

I have created a new version of this script so that it is better aligned with the conventions I use for other PowerShell scripts.

PowaScripts

Fri, 23 Sep 2016 20:16:00 +0000

Collection of PowerShell scripts used for incident response, reconnaissance, etc.

Migrated From WordPress to Hugo

Wed, 14 Sep 2016 19:14:28 +0200

I have been using WordPress since I started blogging, but since then, the blogging landscape changed a lot. Welcome to the age of static site generators.

Security

Thu, 08 Sep 2016 19:54:00 +0000

I appreciate the efforts of fellow security researchers and provide secure means for disclosing security vulnerabilities responsibly. As a reward, I will feature in the hall of fame the name, handle (e.g. Twitter) and/or website of the reporter of any valid vulnerability. Additional rewards are at my discretion. Rules and Scope A positive outcome of the validation of a submitted vulnerability can only be achieved if the following rules and scope are respected by the researcher.

Privacy Policy

Thu, 01 Sep 2016 23:05:00 +0000

This Privacy Policy governs the privacy of this website, located at https://www.serializing.me. The policy sets out the different areas where user privacy is concerned and outlines the obligations and requirements of the users, the website and website owners. Furthermore the way this website processes, stores and protects user data and information will also be detailed within this policy. Definitions Cookies are small files saved to the user’s computers hard drive that track, save and store information about the user’s interactions and usage of the website.

Feeds

Mon, 15 Aug 2016 16:11:16 +0000

List of RSS feeds of this site that can be subscribed. Posts Subscribe to receive the latest created posts. Projects Subscribe to receive the latest created projects. Pages Pages only feed. Will contain any newly created page. Combined An aggregated feed of all the content which includes, pages, posts and projects.

Portugueses e Senhas de Acesso, Um Caso de Estudo

Thu, 17 Mar 2016 22:14:13 +0000

Nos últimos anos tenho tido a oportunidade de coleccionar várias listas de senhas de acesso. O que se segue é um caso de estudo focado em três dessas listas. Sendo que estas, são de sítios portugueses.

TQ-Invincible

Sun, 24 Jan 2016 00:43:08 +0000

Library that makes the player character invulnerable to attack in THQ 2006 role playing game, Titan Quest.

Titan Quest Invincibility Cheat

Sat, 23 Jan 2016 22:19:09 +0000

In the last level of Titan Quest, every player will have to face the titan Typhon, Bane of the Gods. A task that is very far from easy…

Bug Bounty, Serious Rewards

Thu, 12 Nov 2015 17:47:33 +0000

My first Bugcrowd private bug bounty program that involves some serious rewards. One thing is for sure, they got my attention :D

Inspecting AppLocker Policy

Sun, 01 Nov 2015 15:16:50 +0000

While doing incident response, if AppLocker is being used but the computer still got infected by a malicious executable, it is useful to know exactly what AppLocker policy is currently applied.

Reversing Aruba Instant Firmware

Wed, 21 Oct 2015 19:54:28 +0000

Aruba produces two different software loads for their Access Point hardware. The first is called ArubaOS and the second is called Aruba Instant. With ArubaOS, the AP requires a Mobility Controller (hardware) to be installed in the network. With the Aruba Instant it is possible to run AP’s independently (standalone mode) or in a cluster, with no Mobility Controller in the network.

What follows is the full process to extract all the files recreating the Aruba Instant firmware file system.

SSH Brute Force and Suricata

Wed, 12 Aug 2015 18:24:28 +0000

Since SSH is one of the most pervasive ways to manage servers remotely, it is also one of the most plagued by brute force attacks. What follows is a simple set of Suricata rules to stop the majority of SSH brute force attacks. It will drop connections based on the reported SSH client version.

WordPress and Suricata, The Test

Tue, 07 Jul 2015 19:00:51 +0000

Adding a full featured IDPS solution like Suricata is a good step in protecting any Web based application like WordPress, but how well will it fare when under attack?

Emotional Fishes are Emotional

Fri, 26 Jun 2015 10:44:13 +0000

Following my research with Pafish and subsequent development of Cufish, I decided to create the Emofishes (Emotional Fishes) project.

Emofishes

Fri, 26 Jun 2015 09:48:54 +0000

Collection of proof of concepts that help improve, bypass or detect virtualized malware execution environments.

Curious Fish is Curious

Fri, 12 Jun 2015 11:02:16 +0000

Testing virtualized malware sandboxes with Paranoid Fish wasn’t enough, there might be other things that could be improved to avoid malware detection. Enter Curious Fish, a tool to help fingerprinting sandboxes.

Portuguese Banking Apps, Yay or Nay?

Wed, 03 Jun 2015 20:46:43 +0000

I have been using my bank mobile application for a while, but never had a look at its security. This is an account of my findings, not only on that specific application, but on eight of the offerings available in the Portuguese market.

Reversing ArubaOS Firmware

Tue, 02 Jun 2015 20:09:29 +0000

Some time ago, I had the chance to get my hands on a ArubaOS firmware, what follows is the full process to extract all the files recreating the appliance running file system. This had the objective of fuzzing the extracted binaries in QEMU (ArubaOS management console is CGI based).

A Paranoid Fish and Silver Bullets

Thu, 28 May 2015 22:24:56 +0000

I have been doing some research (and development) around virtualized malware sandboxes, being the question, “how easy is for malware to detect such an environment” the most important one, I turned to a tool called Pafish (Paranoid Fish).

Protecting WordPress with Suricata

Tue, 12 May 2015 20:59:57 +0000

There aren’t any silver bullets that will protect a WordPress installation against every single attack, but adding a full featured IDPS solution like Suricata, is a good step in protecting not only that “all too many times vulnerable” WordPress installation but also other services like SSH.

"Check my CV", Generating YARA Rules

Sun, 03 May 2015 12:19:48 +0000

Recently, one e-Mail that was sent to one of my colleagues caught my attention. The message was quite believable but there were some little subtleties that gave it away. First step was to get the attachment out of the message and do an initial analysis.

Contacts

Sun, 03 May 2015 11:24:58 +0000

One can follow me on Mastodon (or Twitter) and subscribe to my YouTube and Twitch channel, or check my profile at GitHub and Bugcrowd. You can also drop me a line at my E-mail. If you want to keep any communications content private, feel free to use GPG/PGP to do so. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQINBFf1LooBEADP1fkhn83zAZQg+jj6OP8zBR+cWKYcHiUBJDa7PP+yHz+3dG01 3fKJCCmFT2OeXf44Lo+B5ne1UgoAL4h9YazgMLuMLi5R6sOqRG2t9bM/E1euhGDa KCtCYjcPFhf0OW0hV0KrJCM+7HW8D9ns6Q2jELOZtbN9Hy4lnJ1gaoBuujsKdvlp cjy2pj+fGOOF2nnGk/NCzPqhR5aoh1/ubNODVw1KiSVN5jS8DcmNEkcidqZgJJpL 9cyhKhR1IpmVuTjPDW480M3/wX1fldHvmYy6yZC5nEizNGqwH4BE1MD/chsMgxT1 0fTI65q/Q/e8F+DgV5WAvd7oFfLOk94rBEB6Fjzt/OEaUQvPCJGPS14lA9mGkHom IYdEmnvr9GlaEwDa5bPOkR/5gjFLMty0BYvcGwx37kMPVfTVqYrpVgC7TU+Ibb0f Eh5fwh9rISvtkXyVNJMlv5V8qaekOpSjyRYv15DozQcOCjZzAR9XG6Zyl6uFFLzx aSlKjGKm63RYZAOvCVTo8Zx4DPEheLvHWfFo+2TYQSdESadDfsOcWsfP27ESgcfX gDCpHQqPcfZ+45LyxPXfBsMdGUO06Kg/qTXczGE3kUMWRFNwIp7bUJo/Tqf9zcCW 6tIcTbAW7bO4cuij+SZOcfAt27Voz9Elp3T8o0fUg8CLLVSAP0qYyVs3KQARAQAB tCpEdWFydGUgU2lsdmEgPGR1YXJ0ZS5zaWx2YUBzZXJpYWxpemluZy5tZT6JAjkE EwEIACMFAlf1LooCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDlijOZ skoukNcREACoEw0ehz9Bzcd3DR91SLZ3JdcO/wWcIC/uGKIulnDbc8RqkG7SuFLG t9pba2i8l5q78zSPShcApVc4LC31Jht6nwcLQg63LAHtez92TvoxikHdnl0rrtsn gRNSSA+ul2TNyqHOjtXnmbaH5DsdsWgkGpgBB+3+OOOy1RGD46ofbi36JEaTLSev HqEt4d9pwaYV6SFStjFwJIDtntzGIWjde8ZFDdTMyTthQh9SkTdrm04IDrylJVag Zobv8/CxoaNbmKZDRpPRqMw+uVmP1xEPvyUpcwCg2BTtMDyJrHPceAQL5gLeH6lX IyuqiD/h76NKsoDBhbHh0rky5HquHmc8qeeKdKvlvX0NhpfclXG0Q2sYbgl6kSJM GqQGc8vPB4QMxrydHK7EwSAs3nsscvpc8BliG0kT0Z1SpvwvvBLh/DShx0axb9Hb f1NnBOR90nsOjhbaCJrZ0Mlr6PhkRM6B+6EVudr9xiNFN+6KMh6DBGeZYiorHF1u 5BAHRhf2hz9C/WlijUbVGnYsn67jaGXjaEi2HCF9s2/JGME3IyNds4sa3cmgvucv bcX0nokagfuvaj4aVHa/IWVFEoAcsShu68JEW4VE0tKLDjWBzbnRUJ6PT5oj2Dgs 5dHWl7l+7AalIzhXXR1er7ZtT39IoiACRHArG4JNHwszQlYeaMspa7kCDQRX9S6K ARAA3/cPHeAIoGT2BEax1/E/HdqYE4Hs/enJvBPNzib54kRGBLJ9yjPtdRl7xfIo 5rKy276RYONLdX3HiZcrY1IVHxs172rccU2WIg8koiosmkNE/ubh7WPp/2JcwJP+ BZMc1I1kPOV4qfiE2W3aGN5GuwguDhA/zOxzrSAoHq21suFKCCazc3XuTj+EZ/A4 0b8dVNvoWWd8GFcg9ETbUh4Z7ZIpU1K/vOs50ji6cucbzvImWekwIhIq5nwGcNju 7dpZlITWYkkpqgRCAlC1EJERUOZLBqw2t2nnYZZWn5EX/tUdiytP51jrA/jhDTLb elOZeGltTCCpCVooL7IO6KGSqGCugGz7c9BiZiy+JBG5X/hgJ4QbfgoDk2/iMw7O DkGXNKbeRVlq1hUba6x1ikv0fG7B8B/TcFmDzGiMGY08p369JANgOSkng6tPWO8H HANwqeZCy2TSUq6E/UJxA/Mm5SI0jPUqfI1ezwFQcWXBr41lnBu3RZLuAwezHdb2 8Po0YiusYJDFjucswn/gh5lxkLwc76iENzj4MMfVhx4MEfeimvNc7OIKP+w9EJjd BTsBg7NjNRbv2HAeRmL0ps/Gf20Ufl4N19fhIEZgbwJxDC3DPAHYrg+pI+5MBwgH 94b42hlKAuUrKp9UniyPgU8Fr0SwZwAl8lfxu68I8/pZmPMAEQEAAYkCHwQYAQgA CQUCV/UuigIbDAAKCRDlijOZskoukPc8D/9wAn8idLjHT0E6ZcTKE18yDj0oHcWd ul7lMX5T2n1Aefmg/nAF6Gti/2BpzSOOUzhtbO/znIlxP9QitdWCkUeImYlcwo8Z 9jamOMzvVMsavNoDojC7fKEMz6j0RSByFqtqINVh2skC/8InU7ogSzYNYI5vnkPG jZVkoMj+r7Cc8pxbLEcsC0CRAFjvgwKRdd3ZnK2zrDUnJ9rATmdykZKzqbnORqAU Q3wvK669ZkA+/a73seqAQ536jLoh1SkqopItACSNI7G1vpeM3oFxwBymhTNJsfxG oKQ0Izo3xCyrY+9Ug2z6pMtfnBRux7l52l35xKo+Nb97qV6QnTDep4JgQmUyYOwN MgjcZg+lXYd4hZSDPT78dqgFXfHjNYnOMzlEqY09owUmJix85ENuYNg3IiNvL87a tKPMykaDnd1w3mdKmJZwbWNn2BQNryYKgcgZY7jpiZel/YAFkhgZh43aJurl+ssy 7rf6xPgyDwXZ0EHxtCyqAB619r1DgWot6vG3mMfh7ZvBenxBOKSvIleRpUGj/310 KcfTR7xlBGMw4fsv1vBMfjCdcksJUfC9nYAFThnJbO8v/VHjsX7ZOROsJjFV6+1z +0nH8N+4DNxRuB4eDpCHksdfSv06wC3wfJnlIiAWcGdW5tkrSuqqVtd+iitmhAd5 YWzoR4W+lcMEjw== =jV7M -----END PGP PUBLIC KEY BLOCK-----

RX/TX Buffers, Flow Hash and Others on Boot

Sat, 25 Apr 2015 16:00:30 +0000

After installing Suricata, some fine tuning of the network interface(s) used in the traffic capture is required to ensure every ounce of performance is extracted from the new IDPS installation. Those configurations need to be persisted when the system is power cycled. To do that on a Enterprise Linux based OS (e.g. RedHat, CentOS, Fedora, etc.) one can leverage the /sbin/ifup-local script.

Hello World!

Sat, 25 Apr 2015 11:14:03 +0000

The man of modern industrial society thinks, repeatedly, that he can replace the loss of intimacy through external mechanisms. This belief is reinforced by a series of activities that promise you hope and happiness, but that really only leaves you the insipid taste of an even greater disappointment. Bender, Erich. Helga. Wiesbaden (Germany): Falken-Verlang, 1968 In a world where many strive to find instant happiness and gratification in one nighters, through Facebook likes, Twitter retweets and the ramp for limelight that YouTube views are known for, this quote from Erich F.

Contributions

Mon, 20 Apr 2015 16:18:20 +0000

Over time, I have contributed to some Open Source Software projects. What follows a list of such contributions. The list of contributions is grouped by project and sorted in chronological order. Metasploit Fixed AnyConnect IPC message format (#17564). IVRE Minor fixes to IVRE’s web interface (#601). NSE script sslv2-drown causes import error (#631). Added the display:vulnerability search filter directive (#634). Fixed an issue with the calculation of the top CPEs (#635).

Licensing

Mon, 20 Apr 2015 16:16:28 +0000

Content (e.g. research, documentation, images, etc.) on this website that is of my authorship (see the about page) is by default (i.e. when not otherwise stated) published under the terms of the Creative Commons Attribution-NonCommercial 4.0 International License. There are some notable exceptions to this rule: Any content related with the SerializingMe branding; Source code which is published under GNU General Public License 3, and Videos which are published under Creative Commons Attribution 3.

About

Thu, 16 Apr 2015 14:45:52 +0000

Yet another blog about personal projects and research, thoughts and ideas. Just about anything that I’m tinkering at the moment but focusing on one of my passions, Communications and Information Systems (CIS) security. Author I was always fond of understanding how things worked, breaking them down and getting them back together. In high school I started moving away from hardware to software. I decided to follow an CIS specific course for the three years that preceded college.