Microsoft JScript and VBScript are two languages that can be used for initial code execution on a new target. This may be done through the use of a phishing payload that leverages .hta files or through the use of trusted binaries to execute a payload on a new target. The use of .hta files specifically…
Read
In this blog post, I will cover the current state of my research investigating the possibility of using neural networks to hide shellcode. But before we dig in, I will provide a little background information. For those unfamiliar with neural networks, they are a type of computer system design that is inspired by how human…
Read
A few months ago, I came across a piece of Java malware. This was a nice change of pace for me, since most of what I see is written in C/C++. The malware was heavily obfuscated using a common tool, Allatori v5.3. After working my way manually through decoding, I came to a point where…
Read
For those tempted to delay migration away from Secure Sockets Layer (SSL)/early Transport Layer Security (TLS)—don’t wait! This includes all versions of SSL and version 1.0 of TLS (TLS v1.1 and newer are fine). For Payment Card Industry Data Security Standard (PCI-DSS) compliance, you can’t simply migrate sometime before your next PCI audit. Rather, you…
Read
As a penetration tester, I often need to stand up small environments (and sometimes not so small) for a few different reasons—to try things out before making a mess of a client’s production system, to avoid being detected, or to use it simply for our own practice. A lot of us at TrustedSec are remote,…
Read
Fighting/writing malware is very much a cat and mouse game. One of several techniques used by Anti-Virus/EDR solutions is to detonate payloads in a sandbox and watch what happens. To combat this, malware writers (and pentesters) have been including checks in their payloads to identify when running in a sandbox to evade detection. However, these…
Read
Dropping payloads to disk is often risky, not only from an Operations Security (OPSEC) standpoint, but it’s also more likely to trigger AV. To avoid exposing ourselves to these risks, it’s often more desirable to reference a file from a remote location. One method of doing this is to make use of WebDAV, a service…
ReadAs news of a new breach appears almost daily anymore, one has to wonder if their organization may be next. Having the opportunity to help organizations of all sizes and lines of business, there are many different struggles that each may face. Some of the organizations are new to a security program, know they need…
ReadFollowing are a few (and brief) guidelines to make a webapp pentester’s life measurably harder. Server-side Input Validation– Input validation that is enforced on the server side runs its own validation checks against the user input to determine whether or not it is “safe”, and contains disallowed characters. This type of validation is nearly impossible…
ReadOracle’s most recent update to Java 7 addresses 42 security flaws has 19 which are considered “critical” and a 10 ranking. In addition to the security fixes, Oracle has been attempting to fix the self signed framework for applets to make them appear less trusted. If you are familiar with the Social-Engineer Toolkit – the…
Read