Posts on SerializingMe

AnyConnect Inter-Process Communication

Fri, 27 Jan 2023 19:00:00 +0000

In my first deep dive into Cisco AnyConnect (CAC) Secure Mobility Client (see AnyConnect Elevation of Privileges Part 1 and Part 2), I reversed engineered how CAC made use of a TCP based Inter-Process Communication (IPC) protocol. Based on that research, I found a Local Privilege Escalation (LPE) vulnerability (see CVE-2016-9192 and the proof-of-concept code). Yorick Koster and Antoine Goichot followed suit, and using that research also found other vulnerabilities (see CVE-2020-3153, CVE-2020-3433, CVE-2020-3434, and CVE-2020-3435). This post presents the results of my second deep dive, correcting a wrong conclusion about the protocol, further reverse engineering the various IPC messages, and providing some tools that can potentially aid further research.

Freedom and Solitude

Wed, 16 Nov 2022 19:06:00 +0000

The freedom of not having to account for someone else's needs, wants and feelings, has the cost of solitude. Silva, Duarte. 2022 Image via Pexels @ Pixabay

Raspberry Pi Custom Fedora Kernel

Sun, 06 Nov 2022 07:35:00 +0000

Over the years I have gotten very used to Red Hat Enterprise Linux (RHEL) type distributions, and have for a long time now selected Fedora as my default goto Linux distribution. However, I needed a specific driver that comes out of the box with Raspbian (Raspberry Pi’s Debian based distribution), but does not come with Fedora. This post elaborates how to go about compiling a custom kernel on a Pi running Fedora.

e-GPU Plus Bracket

Sun, 14 Mar 2021 19:10:00 +0000

Razer Core X Chroma is an excellent device, but its functionalities didn’t fully cover my use case. As such, I decided to add a bracket and a PCI-e extender to the mix.

Bypass All The GPOs

Sun, 29 Mar 2020 14:50:00 +0000

During a red team engagement, one has landed on a machine with the need to make an application “ignore” Group Policies enforced configurations. This application runs on the context of the user but the settings are only changeable with administrative privileges and without access to a highly privileged account how can one make the application ignore these settings?

Simulating APTs For Fun

Mon, 29 Apr 2019 20:30:00 +0000

In the post I will explain how one could simulate an Advanced Persistent Threat (APT) using Praetorian’s Purple Team Attack Automation and MITRE’s ATT&CK framework.

It's Me, FireEye!

Wed, 27 Feb 2019 12:00:00 +0000

A little over three years ago, while researching malware execution sandboxes, I found a stealth way to detect FireEye’s Malware Analysis System (MAS). In this blog post I will release the details.

Three Honeypots and a Month After

Sun, 27 Jan 2019 11:30:00 +0000

I deployed three web honeypots, one in Singapore, another in Australia and another one in France. I then leveraged IVRE and Suricata to investigate the visitors, and respective traffic they generated.

Frontdoor to the Technicolor 7210

Tue, 23 Oct 2018 00:40:00 +0000

In a previous article, I explained how to get root on the embedded Linux part of the Technicolor 7210 router by leveraging a remote code execution (RCE). This article on the other hand, will explain how one can leverage a “frontdoor” to gain the same level of access.

Reversing the TC7210 Embedded Linux Firmware

Sun, 30 Sep 2018 15:00:00 +0000

In this article I will explain how to reverse the firmware of the embedded Linux part of the Technicolor (TC) 7210 router by leveraging the usual tools of the trade.

Facts and Alternative Realities

Sat, 21 Jul 2018 08:40:00 +0000

(...) simply insisted we prove that the Queen didn’t do it — that is, demanding a refutation of wild speculation to prove fact, rather than seeking out the evidence first. This proof-by-negation is akin to fastidiously believing in the tooth fairy simply because no one has seen proof that the tooth fairy doesn’t exist. That is noxious thinking — and, (...), it’s exactly the kind of aggressive, close-minded speculation that fuels fake news, Trumpian rhetoric, and political divisions.

Rooting the Technicolor 7210

Sun, 03 Jun 2018 11:20:00 +0000

The Technicolor 7210 home router is a powerful little device. It provides 1Gbps Ethernet, dual-band wireless for speeds ranging from 300Mbps to 1300Mbps, and Network Attached Storage (NAS) for file sharing and media streaming.

PowaScripts Update: Kerberos Pre-authentication

Sun, 22 Jan 2017 09:55:00 +0000

After reading harmj0y blog post about “Roasting AS-REPs”, I have decided to update the Dump-User.ps1 script in order for it to report on users that don’t have Kerberos pre-authentication enabled. Running the updated version against a “in the wild” target yielded interesting results to say the least.

AnyConnect Elevation of Privileges, Part 2

Tue, 20 Dec 2016 18:28:00 +0000

In the previous part of this multi-part article, I explained how I reversed engineered one of the binaries of the Cisco AnyConnect (CAC) Secure Mobility Client. This allowed me to understand the header format of the network packets used in the Inter-Process Communication (IPC) mechanism. In this part, I will focus on doing a more dynamic analysis in order to understand what goes in the packet body.

AnyConnect Elevation of Privileges, Part 1

Wed, 14 Dec 2016 18:56:17 +0000

The Cisco AnyConnect (CAC) Secure Mobility Client doesn’t have the brightest security track record. CVE-2015-4211 and CVE-2015-6305 are only two out of the fourteen CVEs that have been assigned to it just in 2015. This spiked my curiosity and prompted me to confirm if Cisco had properly fixed the underlying issue of these vulnerabilities.

HPQPswd Encrypted Passwords Decryption

Sat, 15 Oct 2016 19:00:00 +0000

Ever wondered how to decrypt HPQPswd encrypted passwords? So did I when, for the first time, I came across a strange file called password.bin with a magic value of _HPPW12_.

Active Directory Dump

Fri, 07 Oct 2016 18:05:00 +0000

During many penetration tests (or red versus blue team exercises), I have found myself with the need to investigate users, groups, computers and policies of a Windows domain. To do that, I have developed a series of PowerShell scripts that dump all that information from Active Directory into XML files.

Updated AppLocker Dump Script

Fri, 23 Sep 2016 20:33:00 +0000

I have created a new version of this script so that it is better aligned with the conventions I use for other PowerShell scripts.

Migrated From WordPress to Hugo

Wed, 14 Sep 2016 19:14:28 +0200

I have been using WordPress since I started blogging, but since then, the blogging landscape changed a lot. Welcome to the age of static site generators.

Portugueses e Senhas de Acesso, Um Caso de Estudo

Thu, 17 Mar 2016 22:14:13 +0000

Nos últimos anos tenho tido a oportunidade de coleccionar várias listas de senhas de acesso. O que se segue é um caso de estudo focado em três dessas listas. Sendo que estas, são de sítios portugueses.

Titan Quest Invincibility Cheat

Sat, 23 Jan 2016 22:19:09 +0000

In the last level of Titan Quest, every player will have to face the titan Typhon, Bane of the Gods. A task that is very far from easy…

Bug Bounty, Serious Rewards

Thu, 12 Nov 2015 17:47:33 +0000

My first Bugcrowd private bug bounty program that involves some serious rewards. One thing is for sure, they got my attention :D

Inspecting AppLocker Policy

Sun, 01 Nov 2015 15:16:50 +0000

While doing incident response, if AppLocker is being used but the computer still got infected by a malicious executable, it is useful to know exactly what AppLocker policy is currently applied.

Reversing Aruba Instant Firmware

Wed, 21 Oct 2015 19:54:28 +0000

Aruba produces two different software loads for their Access Point hardware. The first is called ArubaOS and the second is called Aruba Instant. With ArubaOS, the AP requires a Mobility Controller (hardware) to be installed in the network. With the Aruba Instant it is possible to run AP’s independently (standalone mode) or in a cluster, with no Mobility Controller in the network.

What follows is the full process to extract all the files recreating the Aruba Instant firmware file system.

SSH Brute Force and Suricata

Wed, 12 Aug 2015 18:24:28 +0000

Since SSH is one of the most pervasive ways to manage servers remotely, it is also one of the most plagued by brute force attacks. What follows is a simple set of Suricata rules to stop the majority of SSH brute force attacks. It will drop connections based on the reported SSH client version.

WordPress and Suricata, The Test

Tue, 07 Jul 2015 19:00:51 +0000

Adding a full featured IDPS solution like Suricata is a good step in protecting any Web based application like WordPress, but how well will it fare when under attack?

Emotional Fishes are Emotional

Fri, 26 Jun 2015 10:44:13 +0000

Following my research with Pafish and subsequent development of Cufish, I decided to create the Emofishes (Emotional Fishes) project.

Curious Fish is Curious

Fri, 12 Jun 2015 11:02:16 +0000

Testing virtualized malware sandboxes with Paranoid Fish wasn’t enough, there might be other things that could be improved to avoid malware detection. Enter Curious Fish, a tool to help fingerprinting sandboxes.

Portuguese Banking Apps, Yay or Nay?

Wed, 03 Jun 2015 20:46:43 +0000

I have been using my bank mobile application for a while, but never had a look at its security. This is an account of my findings, not only on that specific application, but on eight of the offerings available in the Portuguese market.

Reversing ArubaOS Firmware

Tue, 02 Jun 2015 20:09:29 +0000

Some time ago, I had the chance to get my hands on a ArubaOS firmware, what follows is the full process to extract all the files recreating the appliance running file system. This had the objective of fuzzing the extracted binaries in QEMU (ArubaOS management console is CGI based).

A Paranoid Fish and Silver Bullets

Thu, 28 May 2015 22:24:56 +0000

I have been doing some research (and development) around virtualized malware sandboxes, being the question, “how easy is for malware to detect such an environment” the most important one, I turned to a tool called Pafish (Paranoid Fish).

Protecting WordPress with Suricata

Tue, 12 May 2015 20:59:57 +0000

There aren’t any silver bullets that will protect a WordPress installation against every single attack, but adding a full featured IDPS solution like Suricata, is a good step in protecting not only that “all too many times vulnerable” WordPress installation but also other services like SSH.

"Check my CV", Generating YARA Rules

Sun, 03 May 2015 12:19:48 +0000

Recently, one e-Mail that was sent to one of my colleagues caught my attention. The message was quite believable but there were some little subtleties that gave it away. First step was to get the attachment out of the message and do an initial analysis.

RX/TX Buffers, Flow Hash and Others on Boot

Sat, 25 Apr 2015 16:00:30 +0000

After installing Suricata, some fine tuning of the network interface(s) used in the traffic capture is required to ensure every ounce of performance is extracted from the new IDPS installation. Those configurations need to be persisted when the system is power cycled. To do that on a Enterprise Linux based OS (e.g. RedHat, CentOS, Fedora, etc.) one can leverage the /sbin/ifup-local script.

Hello World!

Sat, 25 Apr 2015 11:14:03 +0000

The man of modern industrial society thinks, repeatedly, that he can replace the loss of intimacy through external mechanisms. This belief is reinforced by a series of activities that promise you hope and happiness, but that really only leaves you the insipid taste of an even greater disappointment. Bender, Erich. Helga. Wiesbaden (Germany): Falken-Verlang, 1968 In a world where many strive to find instant happiness and gratification in one nighters, through Facebook likes, Twitter retweets and the ramp for limelight that YouTube views are known for, this quote from Erich F.