I have had several occasions when I’ve been performing a pentest against an Android or iOS application, attempting to monitor the traffic with Burp Suite, only to realize that the application is not respecting my proxy settings. Now, if you have a rooted or jailbroken device, there are some ways you can force the application…
Read
Background OAuth is an open authorization standard that facilitates unrelated servers and services working together, allowing access to their assets without sharing the initial, related, single logon credential. I have been thinking of it as a kind of Kerberos for external services, without a shared domain or forest. A familiar instance would be authentication to…
Read
In this post, I will go over some hardening configurations that are typically set in Group Policy settings and ways to bypass them. It is important to remember that hardening configurations can be a whole series of different settings. For this post, I am showing only a few specific settings, meaning that if these were…
Read
BurpSuite is a remarkably extensible platform. While I have written a number of extensions for testing specific applications, as well as more general extensions, one type of extension I had never attempted before was creating my own BurpSuite Scanner plugin. Because modern applications are increasingly difficult to exhaustively test for certain types of issues, I…
Read
If you like to stand up infrastructure in the cloud using Ansible (like we do), one of the pain points can be getting the new instance IP addresses configured in an SSH config file for easy connecting. This used to be a manual process, but generating these files as part of your playbook is straightforward…
Read
As a Red teamer, the key to not getting detected is to blend in. That means that if I need to spawn a new process on a host, it is important that it looks legitimate with command line parameters that look correct. Many system binaries have a set of parameters when they are executed. This…
Read
In this blog post, we will look at some simple JavaScript tricks for creating weaponized cross-site scripting (XSS) payloads. If less reading more videoing is your thing, watch this topic in webinar form here: https://www.trustedsec.com/events/webinar-popping-shells-instead-of-alert-boxes-weaponizing-xss-for-fun-and-profit/ Often, penetration testers use a simple alert(1) payload to demonstrate successful JavaScript execution when we identify an XSS vulnerability. While…
Read
Continuing on the idea of creating checklists, (see previous blog about OSINT checklists), I wanted to share my personal phishing checklist. This list is what I use to make sure I have covered all my bases before firing the email. Some of these items may or may not be used, depending on your pretext. TLDR:…
Read
With so many new cool techniques and tools being released every day, I’ve caught myself going down rabbit holes or chasing false leads during engagements. Sometimes I’ll get so bogged down with tunnel-vision that I make OpSec mistakes or delay an entire testing objective. At best, this could result in my attacks being discovered, resulting…
Read
Often, a malicious author wants to be able to load non-disk backed code into memory. This could include code that was decrypted and unpacked (a second stage providing more functionality) or plugins to existing running code. After this non-disk backed code is loaded via some mechanism, it can be called normally, or a thread can…
Read