Blog


05/07/2019

Token Stealing with Windows Update KB4054518


by Siddhant Badhe

Tokens, Accounts, Processes: On a Windows system there are various user accounts; some are default to Windows and some are created explicitly. Some of the default user accounts are Local Service, Network Service and so on. Apart from user accounts there are also groups like Users, Everyone, etc. Using AccessChk [2] privileges

13/03/2019

Introduction of Tcache bins in Heap management


by Gaurav Nayak

Understanding glibc malloc
Painless intro to the Linux userland heap
Understanding the glibc heap implementation
Heap Exploitation

22/02/2019

6 Must have tools for your iOS pentesting toolkit


by Akansha Kesharwani

When performing a pentest, whether it is web, network, mobile or IoT, the essential thing a pentester should have is their tools. So in this blog, I am going to share the tools which I use to perform pentesting of iOS applications. 1. Cydia Impactor: Cydia Impactor is a GUI tool which is used to install an iOS application onto the iPhone when we have its IPA file. So if you have a jailbreak IPA, then this tool is a must, as it will let you install that jailbreak exploit IPA onto your device. You can download Cydia from here.

14/12/2018

Raspberrypi as poor man’s hardware hacking tool


by Arun Magesh

I have been wanting to write this blog for quite some time, but either I was busy or lazy. I have been asked by so many people for a list of hardware to buy to get started with hardware hacking. To be honest, there are a lot of products available, but not many target beginners. In this blog I will cover using SPI, I2C, JTAG/SWD and JTAGenum with a Raspberry Pi. I will be using a Raspberry Pi Zero W, as it is dead cheap and small.

Setting up your Raspberry Pi

Before you go into each section, I would suggest you boot into your Raspberry Pi and enable SPI, I2C and GPIO from the interfacing options in the raspi-config menu. You can follow this link for setting up your Pi. In all the connection pinouts, it is the hardware pin location and not the GPIO number.

30/11/2018

“MyMiko” – Responsible Vulnerability Disclosure


by Arun Magesh

This is another of my cases of a vulnerable IoT device. In my previous blogs, we talked about vulnerabilities that were found in a smart lock and beacons. This one is a fun device, which is made for kids to learn to code and play with. I don’t have access to the device, so I just checked the mobile app and found a series of vulnerabilities. These are my findings on a connected smart toy, MyMiko by Emotix, from their Android app.

Finding 1: Hard-coded information in the Android app

On extracting the Android app, it was identified that several pieces of hard-coded information are present. This hard-coded information includes API calls, web endpoints and other information which could pose a threat. Steps:

27/11/2018

“Find – Bluetooth Tracker” Responsible Vulnerability Disclosure – Blog


by Arun Magesh

With the advent of IoT, everything is getting connected to the internet. Bluetooth is one such protocol which is used to connect devices to the internet, as most mobile devices have Bluetooth capability; you can check this blog on how to reverse a Bluetooth communication. There are devices called Bluetooth beacons which are used to track devices which are in close proximity; companies have started connecting these beacons to the internet with geolocation, and this is one such example. This is a case of my findings on a Smart Bluetooth Beacon from Sensegiz. The testing was done on their Android mobile application. For users' privacy, the IP/endpoint is not disclosed; it will be replaced by xxx.

Finding 1: Directory indexing

22/10/2018

Another case of a Vulnerable Smart Lock


by Arun Magesh

Disclaimer: The smart lock which I got is pretty common and it is even available on Amazon. Several thousand devices are already in the market; I have changed the name of the brand to something imaginary – “*unhackable*” Smart Lock.

Smart Lock: The lock which I got is from a company called *unhackable*, which is a Chinese company. You can also get the same lock locally from Amazon, so people do use these devices. The specifications are good too.

22/10/2018

IoT Security – Part 4 (Bluetooth Low Energy – 101)


by Arun Magesh

If you haven’t read through Part 1 to Part 3 of our IoT Security blog series, I would urge you to go through them first unless you are already familiar with the basics of IoT. Link to the previous blog – IoT security – Part 3.

Bluetooth has been a buzzword as people wanted all their devices to be smart, which basically implies that you get to control things across devices without needing to carry wires around. Bluetooth has been in the market for more than a decade. If you’re a millennial, you would have used those classic fancy Nokia phones which had Bluetooth in them. Bluetooth was invented by Ericsson, and other vendors then started using it. Soon after that, all the major vendors created a consortium called the Bluetooth Special Interest Group (SIG), which governs what the standard should be and the interoperability between different versions. We are not going to talk about Bluetooth in general: Bluetooth by itself is a massive stack and its specification is around 2000+ pages. In this blog, I will be covering only Bluetooth Low Energy, more famously known as BLE.

With the advent of connecting all the things to the internet, there comes the problem of power and resources. As I mentioned earlier, Bluetooth is a huge stack. Implementing it in an end device like a fitness band would take more power and resources. So in the Bluetooth 4.0 standard, they introduced something called Low Energy, which is specially targeted at IoT and smart devices which run on memory- and power-constrained hardware. Bluetooth SIG started selling the standard as Bluetooth Smart, which has two components: Bluetooth Smart devices are end devices which have only the Bluetooth Low Energy component, and Bluetooth Smart Ready devices are capable of doing both Bluetooth LE and the EDR/Bluetooth Classic component, which could be your central device, i.e. a mobile phone or laptop.

29/08/2018

RedTeaming from Zero to One – Part 2


by Rashid Feroze

In this part, we will cover Payload Creation, Payload Delivery and AV/NIDS Evasion.

3. Payload Creation

Empire gives us a variety of options to generate your PowerShell agent, which include exe, dll, macro, HTA, bat, lnk, SCT, shellcode, bunny, ducky, etc. [Image: Empire Windows payload options] Some payload creation techniques:

3.1 One-liner PowerShell payload

29/08/2018

RedTeaming from Zero to One – Part 1


by Rashid Feroze

Prologue

This post is particularly aimed at beginners who want to dive deep into red teaming and move a step ahead from traditional penetration testing. It would also be helpful for Blue Teams/Breach Response Teams/SOC analysts to understand the motive/methodology and match the preparedness of a Red Team or real-life adversary. It’s a summary of my experience when I decided to move into red teaming. It’s a long post, so better grab a coffee and then continue reading.

15/05/2018

CloudFuzz


by Nikhil Joshi

My previous post discusses an attempt we made to gain higher code coverage by leveraging some machine learning methodologies. I recommend you read that post first; you can also take a look at this post to get a beginner-level idea about machine learning. In the previous experimentation we targeted JPEG and PDF parsers. The proposed system proved to work better for JPEG file generation than for PDF input generation. This is reasonable, since PDF parsers are syntactically more sensitive: a slight change in syntax will stop the parser from parsing the input. Hence the previously proposed mutation technique resulted in decreased code coverage for generated PDFs. Long story short, we needed a system that learns the grammar/syntax from a corpus of sample inputs. In this post we will discuss an approach to overcome the previously seen limitations. We will be targeting Adobe Acrobat Reader for experimentation. First we will take a look at the PDF file specification. Then the Deep Learning algorithms that can be used to infer grammar from a dataset. Finally we will inspect the quality of generated data based on the code coverage. The system described below is integrated with CloudFuzz.

Why machine learning?

Fuzzing any software that accepts a highly syntactical input requires a grammar which can generate syntactically correct inputs. But designing a grammar is a tedious and time-consuming process. Also, the created grammar is highly specific to that particular target software, or might cover a very narrow spectrum of software. So, our target is to create a very generic system using Deep Learning, which can be used to learn grammar from a set of samples and generate new inputs for fuzzing accordingly.

Anatomy of a PDF file:

12/04/2018

Expedition ML4SEC Part – 1


by Nikhil Joshi

There is no doubt that state-of-the-art systems can be built using machine learning algorithms, but at the same time these algorithms pose serious security flaws. An attacker can take advantage of these flaws by creating adversarial inputs resulting in misbehaviour of machine learning systems. In this series we will explore these flaws. But to understand the vulnerabilities we first need to understand how machine learning models work. Hence, I will dedicate this post to understanding the basics of machine learning and finish with building a basic machine learning model.

Introduction: Training a machine learning model means increasing the performance of that model in a particular task. The model “learns” from a dataset. Based on this learning process, machine learning algorithms are classified into the following major types.

Supervised learning: In supervised learning, we feed the algorithm with features and labels. Consider a problem of classifying network packets into malicious or non-malicious. Here features could be the attributes of a packet such as source IP, destination IP, port, protocol, payload length, flags, etc. And the labels could be 0 or 1 based on whether the packet is malicious or not. Examples are classification algorithms like neural nets and SVM.

Unsupervised learning: This type of learning is used when we do not have labeled samples. The algorithm learns to differentiate the samples based on the features. Suppose we have a huge set of images of 2 persons and want to classify them. Then we feed these images to an unsupervised algorithm. The algorithm will then create two or more clusters of these images (based on features), which can be labelled as person A and person B. Hence these algorithms are sometimes called “clustering” algorithms.

Semi-supervised learning: Semi-supervised learning is used when we have a mixture of labeled and unlabeled data in the dataset.

20/02/2018

A guide to Linux Privilege Escalation


by Rashid Feroze

What is privilege escalation?

Most computer systems are designed for use with multiple users. Privileges mean what a user is permitted to do. Common privileges include viewing and editing files, or modifying system files. Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

While organizations are statistically likely to have more Windows clients, Linux privilege escalation attacks are significant threats to account for when considering an organization’s information security posture. Consider that an organization’s most critical infrastructure, such as web servers, databases, firewalls, etc., is very likely running a Linux operating system. Compromises of these critical devices have the potential to severely disrupt an organization’s operations, if not destroy them entirely. Furthermore, Internet of Things (IoT) and embedded systems are becoming ubiquitous in the workplace, thereby increasing the number of potential targets for malicious hackers. Given the prevalence of Linux devices in the workplace, it is of paramount importance that organizations harden and secure these devices.

Objective

In this blog, we will talk in detail about what security issues could lead to a successful privilege escalation attack on any Linux-based system. We will also discuss how an attacker can use the possible known techniques to successfully elevate his privileges on a remote host and how we can protect our systems from any such attack. At the end, examples will demonstrate how we achieved privilege escalation on different Linux systems under different conditions.

05/02/2018

Machine learning for effective fuzzing – CloudFuzz


by Nikhil Joshi

Problem: Fuzzing software with random data may or may not discover new bugs. Also, such random attempts do not guarantee covering the complete code. Hence there should be a system which learns the type and format of input files and generates similar files to attain higher code coverage. Since there could be countless file formats, our system should be highly generic and should work for every type of file format. It should not be bounded by a certain type of input. E.g. if the system is working for .doc files, then it should also work for JPEGs or PDFs, etc.

19/01/2018

IoT Security – Part 3 (101 – IoT Top Ten Vulnerabilities)


by admin_payatu

When talking about Top Ten vulnerabilities, the first thing that comes to our mind is OWASP. Why not, after all they are the pioneers in defining top 10 vulnerabilities for web and mobile. I’m an OWASP fan, simply because of the work the OWASP community has done over the years to define application security issues and provide free tutorials and open source tools for the industry to mitigate the risks and vulnerabilities. It would be highly unlikely that you haven’t heard of OWASP or read content from their website; however, if you have not, I strongly suggest that you go through their website https://www.owasp.org. OWASP has also started the IoT security initiative, where the community has defined the IoT attack surface and the IoT Top 10 vulnerabilities in addition to web and mobile. They are heading in the right direction and soon enough it will be an excellent place for IoT security content. The content relevant to the reader for IoT security on the OWASP website is as follows:

1. OWASP Web Top 10 project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
2. OWASP Mobile Top 10 project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
3. OWASP Internet of Things project: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

15/01/2018

Understanding Stack based buffer overflow


by Siddharth Bezalwar

What is a stack? A stack is a limited-access data structure: elements can be added to and removed from the stack only at the top. It works on the LIFO (last-in-first-out) principle. A stack supports two operations, push and pop. Push: adds an item to the top of the stack. Pop: removes an item from the top of the stack. Now let's examine the memory layout of a C program, especially the stack, its contents and its workings during a function call and return.

01/12/2017

Tiredful API Solution


by Siddharth Bezalwar

The idea behind usage of the app is to consume the API endpoints using a REST client app such as Postman, curl, ARC, or the RESTClient Firefox add-on. For demonstration I am using the RESTClient Firefox add-on. Now, let's get started with the main motto of this post – solutions to the Tiredful API challenges.

Solutions

Information Disclosure: The first challenge in the list is “Information Disclosure”. From the following image you can see that the API endpoint is /api/v1/books// and use the valid ids mentioned.

30/11/2017

CSV injection


by Akansha Kesharwani

In this write-up we will be focusing on CSV injection. CSV, also known as Comma Separated Values, stores tabular data (numbers and text) in plain text. Each record consists of one or more fields, separated by commas. Nowadays, many web applications and frameworks are being developed which allow users to export the data saved in a database into a CSV file. The CSV file created might lead to CSV injection. So it becomes very important to be sure that the file exported through the web application is safe and will not leave the user's system prone to any attack.

CSV injection, aka formula injection, occurs when websites embed untrusted user input inside CSV files without validating it. When the user tries to open the CSV file using any spreadsheet program such as Microsoft Excel or LibreOffice Calc, any cells starting with ‘=’ will be interpreted by the software as a formula. Spreadsheet programs like Microsoft Excel, OpenOffice and LibreOffice Calc are not new programs. We have been using them to perform different tasks like calculation, analysis, and visualization of data and information. These programs provide many formulas and functions which we can use in our day-to-day life. For example: the image below shows Microsoft Excel adding the values of two fields and displaying the result in a third field.

22/11/2017

Getting Started with Radio Hacking – Part 2 – Listening to FM using RTL-SDR and GQRX


by Nitesh Malviya

Welcome to the 2nd post in the Radio Hacking series. I hope you have gone through the 1st part; if not, please check Part 1. Also, I hope you have installed GQRX on your PC/laptop. Let’s start.

What we will learn – In this post, we will learn how to use GQRX along with RTL-SDR. We will be using RTL-SDR to receive an FM signal to listen to a song.

Tools – We will use RTL-SDR and GQRX. Please install GQRX on your PC/laptop.

What is RTL-SDR – RTL-SDR is a cheap USB dongle which can be used for “RECEIVING” radio signals. In our case, it will capture the FM signal. Its price is around $20. RTL-SDR is also referred to as RTL2832U, DVB-T SDR, RTL dongle or the “$20 Software Defined Radio”. There are many other software defined radios better than the RTL-SDR, but they all come at a higher price. RTL-SDR looks like this –

22/11/2017

6 tools you need to be aware of if you are into device pentesting


by Arun Magesh

IoT and smart devices are dominating the market at a tremendous rate. But with growing competition in the market, these devices often forgo proper standards and security procedures, leading to attacks including the Mirai botnet, the Reaper attack, and others that are yet to be discovered. The good news is these incidents have cautioned companies to take security testing more seriously. This has resulted in a host of security testers, developers and software security professionals getting into IoT penetration testing.

21/11/2017

CSAW CTF Finals 2017 WriteUps


by Sudhakar Verma

Rabbithole (Reversing)

rabbithole: How far down the rabbit hole can you go?

21/11/2017

How I Reverse Engineered and Exploited a Smart Massager


by Arun Magesh

I have been working with Bluetooth for quite some time. I chose to reverse engineer a smart device to prove how crazy the security standard being implemented in these smart devices is. In this post, I will be showing you how I reverse engineered a Bluetooth-based (smart) massager and how I could exploit it to make it lethal. Now how is a massager lethal? A massager works on a principle called TENS — transcutaneous electrical nerve stimulation. Our entire nervous system works based on neural impulses, which are electric signals. Everything from the sense of a pinch to the sense of orgasm is an electrical impulse which causes different hormones to be secreted in your brain, and you feel pain or pleasure.

09/10/2017

Authentication schemes in REST API


by Siddharth Bezalwar

In simple terms, authentication means the process of verifying the identity of a user. The process consists of simple steps:

1) The user tries to connect to the web service.
2) The web service asks the user for credentials (identity information).
3) The user provides credentials.
4) The web service verifies the identity of the user by verifying the provided credentials and responds accordingly.

08/09/2017

IoT Security – Part 2 (101 – IoT Attack surface)


by admin_payatu

Welcome! I hope you have gone through the previous blog post “IoT Security – Part 1”. If not, I would urge you to go through it to understand the meaning of IoT and IoT architecture. Now we will start getting into security and try to define a way to understand and create a structured process to perform security research or penetration testing of IoT. If we look at the architecture defined in the previous post, it now becomes clear and easy for us to segregate the components of IoT, define the attack surface for each one of them individually, and then combine them to create a holistic overview of the IoT ecosystem attack surface. I call it an IoT ecosystem instead of an IoT product because it indeed is an ecosystem of different components talking to each other and solving a particular real-world problem. Let’s go ahead and define the attack surface of the IoT ecosystem and discuss each component’s attack surface in detail. The attack surface by components can be divided into three or four (if we include communication as an attack surface) major areas as follows:

Mobile
Cloud
Communication

06/09/2017

Automating IVR pentesting


by Rashid Feroze

The call might get disconnected if you put in some invalid DTMF value, and you would have to make a call again and enter all those DTMF values manually to reach the stage where you can enter a different payload. So, I thought of automating it because I couldn’t find any tool on the internet which can do this.

Objective

To develop a generic tool which can automate the IVR call flow and also automate the process of sending attack vectors through an interactive program, so that it can save a pentester’s time.

What is IVR?

Interactive voice response (IVR) is a technology that allows a computer to interact with humans through the use of voice and DTMF tones input via keypad. In telecommunications, IVR allows customers to interact with a company’s host system via a telephone keypad or by speech recognition, after which services can be inquired about through the IVR dialogue. IVR systems can respond with prerecorded or dynamically generated audio to further direct users on how to proceed.

Where is it used?

04/09/2017

Vulnhub SickOs 1.2 – Walkthrough


by Harish Tiwari

The objective was to break into the machine and read the flag kept under /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt. The attacker’s IP is 192.168.56.101. So let's start!

1. Started with netdiscover to locate the victim IP address. The victim was at 192.168.56.102.
2. Scanned for open ports using nmap and found ports 22 and 80 open. A lighttpd web server is running on port 80.

03/09/2017

Vulnhub Stapler – Walkthrough


by Harish Tiwari

on here.

1. First I tried checking the IP address using netdiscover. The victim appears to be sitting at 10.0.2.9. The attacker machine is at 10.0.2.11.
2. Next, nmap helped us in checking the open ports and the respective services running.

01/09/2017

Kioptrix Level -1 Walkthrough


by Harish Tiwari

Unlike other walk-throughs, this will be a crisp manual. Without wasting much time I’ll be showing the final steps and not going into the details of reconnaissance and failed steps. The VMs were hosted/set up back in 2010 and, while solving challenge 1, I ran into a couple of issues which I was able to eventually resolve. I downloaded the VM from here and am using VirtualBox 4.3.36 on an Ubuntu host. Both the victim machine (Kioptrix 1 VM) and the attacker machine (Kali 2.0) are kept on the “Host Only” network configuration. Attacker’s IP: 192.168.56.101. In order to find the victim within the local network, we’ll be using the netdiscover utility. The victim appears to be sitting at 192.168.56.102.

31/08/2017

Dissecting GSM encryption and Location update process


by Rashid Feroze

Have you ever wondered what happens when you turn on your mobile phone? How does it communicate with the network in a secure manner? Almost all of us would have read about TCP/IP and many of us would be experts in it, but when it comes to telecom, very few know how it actually works from the inside. What’s the message structure in GSM? What kind of encryption does it use? So, today we will be talking in detail about the encryption standards of GSM and how the mobile phone updates its location to the mobile network.

What happens when you turn on your cell phone?

When you turn on your cell phone, it first initiates its radio resource and mobility management process. The phone receives a list of frequencies supported on the neighbouring cells either from the SIM or from the network. It camps on a cell depending upon the power level and the mobile provider. After that, it performs a location update process to the network, where the authentication happens. After a successful location update, the mobile phone gets its TMSI and it is ready to do other operations. Now, let’s verify the above statements by having a look at the mobile application debug logs. The screenshots below are from the osmocom mobile application, which simulates a mobile phone working on a PC.

29/08/2017

Active analysis of a GSM call through osmocom-bb


by Rashid Feroze

In the last blog, we learnt how to do passive sniffing of GSM data using an RTL-SDR. I don’t wanna get much into what can be further done with passive analysis of GSM as it didn’t interest me much. Almost all of the operators have now upgraded their encryption standards, so sniffing GSM data using a USRP and cracking it using Kraken is difficult now. There are other cost-effective approaches that researchers have used to crack and find the key (Kc) from the sniffed GSM data, like running osmocom-bb on multiple phones and hopping channels to capture data, or just by using an RTL-SDR. But today, we will focus on active analysis of GSM as that is more interesting and useful for research purposes. If you still want to know what can be done with just passive analysis of GSM data, you can read the tutorials released by SRLabs on how to decrypt GSM data. They have done an awesome job on this.

Objective

We will intercept a GSM call in Wireshark using Osmocom-BB and a Motorola C118 phone, and then we will analyze the GSM packets and learn what we can make out of them.

What is Osmocom-BB?

18/08/2017

Automating Stuff with Python


by Akansha Kesharwani

What is automation? The use of any machine or computer to perform your task efficiently and in much less time can be termed automation.

Why do we need automated scripts? Humans can do great stuff, but sometimes we are too lazy to perform some tasks. For example, if I ask you to multiply 345*246, most of you will open the calculator on your device to calculate the result, rather than using pen and paper to solve it. So using automated scripts makes our task easy and is less time-consuming. Ever wondered why we need automated scripts in security testing? If so, then the answer to your question is here. While performing security testing you can come across a task that needs to be done multiple times, like placing 1 lakh orders to check that the application can be flooded with multiple requests. Now, sitting and creating each and every request manually will be a very tough job. So, here we can use automated scripts to perform our job.

10/08/2017

IoT Security – Part 1 (101 – IoT Introduction and Architecture)


by admin_payatu

The problem with every new and complex technology for security researchers is not knowing where to start and how/where to attack. This is a common problem and has a common solution, i.e. breaking the technology into small components and starting to learn each component individually. This process makes you master each component and guides you to focus on the components most interesting to the researcher. If you have read till here, I’m assuming you are going to stick around and read through. So, without any delay, let’s start :)

Note:
1. The information in this blog series is generic and can be applied to the security research of IoT products in any domain irrespective of their usage, including home automation, Industrial Control Systems, healthcare, transportation, etc.
2. I will use the words device, hardware and sensor interchangeably to mean the same thing unless specifically mentioned with explanation.
3. I say IoT ecosystem to mean an IoT product or a solution, due to the nature of the IoT technology, which comprises different technologies.

IoT != Hardware

05/08/2017

OAuth Security Overview


by Chirag Solanki

In OAuth, “Auth” stands for Authorization as well as Authentication. Before OAuth, there were other authentication methods used to protect the user’s ID and password from other applications. When a user accesses a secured web application, it first verifies their identity by logging them in, and then it ensures that users have access only to the data or functionality in the application which they are authorized for. So the basic requirements are identity and permission, for authentication and authorization. OAuth allowed an application to gain access to a user's data within another application without knowing the user's login ID and password for the second application. When authentication by OAuth is performed, the service provider asks whether a user wants to authorize the request of the third-party application, or it has its own authentication.

OAuth History

24/07/2017

Getting started with Radio Hacking – Part 1 – Radio Frequency basics and theory


by Nitesh Malviya

In this blog series, we will be learning about Radio Frequency (henceforth RF) theory, various modulation techniques and how to analyze them. Since the topic is huge, we will cover RF basics and theory in this part. Also, instead of using technical terms and definitions, I will be using simple words to make you understand any topic/concept easily.

Why should we study RF? – Internet of Things – IoT, we all have heard this term, right? The popularity of IoT and all the devices getting connected wirelessly is imminent in today’s life. The majority of these devices will communicate with each other wirelessly using radio protocols (frequency range ~3 kHz to 300 GHz). IoT devices use different radio protocols such as ZigBee, RFID, Bluetooth, etc. for communication. If we go back in time, many vulnerabilities have been found and exploited in IoT devices using some sort of radio communication. So, for pentesting IoT devices we need to have a strong foundation in the various radio protocols, how they communicate and the different modulation schemes they use for communication. Thus, analyzing radio communication is of utmost importance from a security point of view and cannot be taken for granted. So let’s start.

14/07/2017

Writeup for inst_prof(pwn) from Google CTF 2017


by Sudhakar Verma

“Please help test our new compiler micro-service. Challenge running at inst-prof.ctfcompetition.com:1337”

I don’t know what inst_prof means; it might be instruction profiler? idk. It was a pwn challenge. The challenge was tricky yet simple. Let's start.

$ file inst_prof

07/07/2017

Beginner’s Guide to RESTful API VAPT – Part 2


by Siddharth Bezalwar

You have got the basic concepts of REST APIs and how they are implemented. Now let’s get started with the main motto of this post, i.e. how to perform VAPT of a REST API web service and what different issues we should be looking for. Finally, the Guide! REST API VAPT is somewhat similar to web application VAPT, since we need to look for the same standard vulnerabilities that we look for in a web application, such as SQL Injection, Access Control, XSS, CSRF, etc. Apart from these standard vulnerabilities, we also need to look for API-specific vulnerabilities. Enumeration: Before attacking any web service it is necessary to know where you can start attacking from. This can be tricky; finding the attack surface for a web application is easy, as we get a GUI to examine different form fields, URLs, etc., but for an API we only get API endpoints. In this stage we need to gather as much information as we can about the API’s endpoints, messages, parameters, behavior and the technologies implemented. Following are some helpful points for gathering information about the API endpoints. a) If the client provides API programming documentation or configuration files, analyse them thoroughly: check how the user authentication process is implemented, check the URL style used, check which standard and non-standard HTTP headers are required to interact with the API service, and analyse the error codes and descriptions to get a clear idea of the valid range of values an API endpoint accepts and how user authentication and authorisation are handled by the web service.

07/07/2017

Beginner’s Guide to RESTful API VAPT – Part 1


by Siddharth Bezalwar

With more and more web applications being developed on top of web services (RESTful APIs), many web application penetration testers are wondering exactly how to test these web services and what to actually look for. To help explain how to perform VAPT of a REST API, let’s take a quick look at the basics of RESTful APIs. What is a RESTful API? Before understanding RESTful APIs, let’s take a look at what the term REST actually means. REST stands for REpresentational State Transfer, which is a style of web architecture that describes six constraints. Uniform Interface

03/07/2017

Reversing and Exploiting BLE 4.0 communication


by Arun Mane

Before we start, we first need to understand Bluetooth communication. There are 2 types of Bluetooth communication: Classic Bluetooth, i.e. Bluetooth 2.0, and Bluetooth Low Energy, i.e. BLE 4.0. Actually, the Classic Bluetooth specification started from Bluetooth 1.0 and 1.0B; these specifications are handled by the SIG (Bluetooth Special Interest Group), and all Bluetooth manufacturers and service companies are members of the SIG.

26/06/2017

Firmware Visual Analysis Part-1


by Abhijith Soman

Firmware analysis gives a better understanding of the embedded device and what it contains. It helps to: identify vulnerabilities in the embedded device firmware; improve product stability and resistance to attacks; do security auditing.

16/06/2017

iOS app Runtime analysis using GDB


by Sneha Rajguru

We have crafted a vulnerable iOS application for understanding and learning how to use GDB to perform runtime analysis; our crafted vulnerable app is known as ‘swizzle-me’. Introduction to the app: the app ‘swizzle-me’ is a simple authentication app, wherein the user is required to enter his/her valid credentials to get access to the application. App’s challenge: your task is to bypass the login mechanism of the application and access the authenticated page!

09/06/2017

Attacking interactive applications with python’s pexpect


by Harish Tiwari

While off-the-shelf penetration testing programs/tools are used widely, there can be situations when certain tools fail. Security professionals love to automate pentesting tasks and write their own set of tools while testing. For example, one can write his/her own port scanner program when nmap fails. Here a custom script would send packets to the static host and give out the result, but what about the case when we are trying to attack an interactive service such as SSH, FTP, TELNET, etc.? Let’s say we wish to brute-force the SSH service on the remote machine, and there is a series of prompts that are expected depending upon the interaction between the client and the SSH server. Let’s check out some of the prompts the SSH service sends to a connecting client: 1. When connecting to an SSH server for the first time, a yes/no prompt is presented. 2. While trying a password.

02/06/2017

Passive GSM sniffing with Software defined radio


by Rashid Feroze

I have been working on telecom security and software-defined radio for a few months, and I noticed that there are very limited resources on the internet for beginners who want to get into telecom security. Not many people from the security industry are into this, and very little information has been shared online. I will be sharing here whatever I have gained in the past few months in a series of blog posts. Now, before getting into active security analysis of GSM networks, let’s first see what we can do by just passively sniffing the airwaves around us. To sniff the RF waves around us, the best way is to get your hands on an SDR. What is an SDR? According to Wikipedia, software-defined radio (SDR) is a radio communication system where components that have typically been implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. In simple terms, it refers to a technique in which all the processing is done in software. The processing mentioned includes mixing, filtering, demodulation, etc. We can use an SDR to capture airwaves when tuned to a particular frequency. The frequency range it can capture and the bandwidth differ between SDR devices. Here, we will be using RTL-SDR, the cheapest one available, to sniff GSM.

27/05/2017

Is your Captcha really secure?


by Akansha Kesharwani

Captcha is a challenge-solving test used in computing to distinguish between a human and a machine. It is implemented as a security feature to stop the automation of a process. But what if a small piece of code is able to solve that challenge and succeeds in convincing the application that the form was submitted by a human? While performing web application security assessments for different web applications, we came across many wrong implementations of Captcha by developers. So here are some of the common mistakes developers make while implementing Captcha in an application: Using only numbers with a small string length. The permutations and combinations required to brute-force the captcha will be few. Here the length of the string is 4. To brute-force the above string, the total number of tries will be 10*10*10*10=10000, which is very small.
