RedTeaming from Zero to One – Part 2
In this part, we will cover Payload Creation, Payload delivery and AV/NIDS Evasion. 3. Payload Creation Empire gives us a variety of options to generate your Powershell agent which includes – exe, dll, Macro, HTA, bat, lnk, SCT, shellcode, bunny, ducky, etc Empire windows payload options Some payload creation Techniques: 3.1 One liner Powershell payload
RedTeaming from Zero to One – Part 1
Prologue This post is particularly aimed at beginners who want to dive deep into red teaming and move a step ahead from traditional penetration testing. It would also be helpful for Blue Teams/Breach Response Team/SOC analysts to understand the motive/methodology and match the preparedness of a Redteam or real-life adversary. It’s a summary of my experience when I decided to move into Redteaming. It’s a long post, so better grab a coffee and then continue reading this.
A guide to Linux Privilege Escalation
What is Privilege escalation? Most computer systems are designed for use with multiple users. Privileges mean what a user is permitted to do. Common privileges include viewing and editing files, or modifying system files. Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. While organizations are statistically likely to have more Windows clients, Linux privilege escalation attacks are significant threats to account for when considering an organization’s information security posture. Consider that an organization’s most critical infrastructure, such as web servers, databases, firewalls, etc. are very likely running a Linux operating system. Compromises to these critical devices have the potential to severely disrupt an organization’s operations, if not destroy them entirely. Furthermore, Internet of Things (IoT) and embedded systems are becoming ubiquitous in the workplace, thereby increasing the number of potential targets for malicious hackers. Given the prevalence of Linux devices in the workplace, it is of paramount importance that organizations harden and secure these devices. Objective In this blog, we will talk in detail as what security issues could lead to a successful privilege escalation attack on any Linux based systems. We would also discuss as how an attacker can use the possible known techniques to successfully elevate his privileges on a remote host and how we can protect our systems from any such attack. At the end, examples would be demonstrated as how we achieved privilege escalation on different Linux systems under different conditions.
Automating IVR pentesting
The call might get disconnected if you put some invalid DTMF value and you would have to make a call again and enter all those DTMF values manually to reach to that stage where you can enter a different payload. So, I thought of automating it because I couldn’t find any tool on the internet which can do this. Objective To develop a generic tool which can automate the IVR call flow and also automate the process of sending attack vectors through a interactive program so that it can save a pentester’s time. What is IVR? Interactive voice response (IVR) is a technology that allows a computer to interact with humans through the use of voice and DTMF tones input via keypad. In telecommunications, IVR allows customers to interact with a company’s host system via a telephone keypad or by speech recognition, after which services can be inquired about through the IVR dialogue. IVR systems can respond with prerecorded or dynamically generated audio to further direct users on how to proceed. Where it is used?
Dissecting GSM encryption and Location update process
Have you ever wondered as what happens when you turn on your mobile phone? How does it communicate to the network in a secure manner? Almost all of us would have read about TCP/IP and many of us would be experts in it but when it comes to telecom, very few know about how it actually works from inside. What’s the message structure in gsm? What kind of encryption it uses? So, today we will talking in detail about the encryption standards of gsm and how the mobile phone update it’s location to the mobile network. What happens when you turn on your cell phone? When you turn on your cell phone, It first initiates it’s radio resource and mobility management process. The phone receives a list of frequencies supported on the neighbouring cells either by the SIM or from the network. It camps on a cell depending upon the power level and the mobile provider. After that, It performs a location update process to the network where the authentication happens. After a successful location update, the mobile phone gets it’s TMSI and it is ready to do other operations now. Now, let’s verify the above statements by having a look at the mobile application debug logs. The below screenshots are from the osmocom mobile application which simulates a mobile phone working on a PC.
Active analysis of a GSM call through osmocom-bb
In the last blog, we learnt how to do passive sniffing of gsm data using a RTL-SDR. I don’t wanna get much into what can be further done with passive analysis of GSM as it didn’t interest me much. Almost all of the operators now have upgraded their encryption standards, so sniffing GSM data using a USRP and cracking them using kraken is difficult now. There are other cost effective approaches that researches have used to crack and find the key(Kc) from the sniffed GSM data like running osmocom-bb on multiple phones and hopping channels to capture data or just by using a RTL-SDR. But today, we will focus on active analysis of GSM as that is more interesting and useful for research purpose. If you still want to know what can be done with just passive analysis of gsm data, you can read the tutorials released by srlabs on how to decrypt gsm data. They have done an awesome job on this. Objective We will intercept a gsm call in wireshark using Osmocom-BB and a motorola C118 phone and then we will analyze the GSM packets and learn what we can make out of it. What is Osmocom-BB?
Passive GSM sniffing with Software defined radio
I have been working on Telecom Security and Software defined radio since a few months and I noticed that there are very limited resources on the internet for beginners who want to get into telecom security. Not many people from security industry are into this and very less information has been shared online. I would be sharing here whatever I have gained in past few months in a series of blog posts. Now, before getting into active security analysis of GSM networks, let’s first see what we can do by just passively sniffing the airwaves around us. To sniff RF waves around us, the best way is get your hands on a SDR. What is a SDR? According to Wikipedia, Software-defined radio (SDR) is a radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. In simple terms, It refers to a technique in which all the processing is done in software. The processing mentioned include mixing, filtering, demodulation etc. We can use a SDR to capture airwaves when tuned to a particular frequency. The range of frequency it can capture and the bandwidth differs with different SDR devices. Here, we would be using RTL-SDR, the cheapest one available, to sniff over GSM.