Posts

Showing posts from 2017

WPA2 KRACK unleashed

WPA2 KRACK in a nutshell. While it's raging all over, let's see what the finding is all about. KRACK (Key Reinstallation Attack) is a replay attack discovered in 2016 by Belgian researchers Mathy Vanhoef and Frank Piessens. The details were published in October 2017.
1. Where exactly is KRACK exploiting wireless networks? The WPA2 protocol offers a "four-way handshake." In simple words, the 4-way handshake determines whether a user attempting to join a network and the access point offering the network have matching credentials. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic.
2. How does it become vulnerable? The four-way handshake generates a new encryption key (the third communication in the four-way handshake).
3. Enter the "Key Reinstallation Attack". At this juncture, a hacker can tamper/

Thick Client Penetration Testing Tutorials - Part 4 ( Memory Forensics/ Reversing)

Static Analysis/ Reverse Engineering for Thick Clients Penetration Testing 4. Hi Readers, let's take a look into static analysis. The advantage thick clients offer over web applications is the ability to inspect the code and perform code-level fuzzing, which is more interesting for me! How to inspect code at a static level? There are many test cases which aid us in performing static analysis. Some of these include:
1) Memory level protection checks (DEP / ASLR)
2) String-based analysis to find information
3) Configuration file checks
4) Memory inspection to find hardcoded passwords
5) Reverse code-level logic to bypass checks/ licences
1. To check memory level protections, we can use the free Sysinternals suite by Microsoft (https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite). Once you download the above suite, there are multiple tools available to play with. Let's launch a sample applic

Thick Client Penetration Testing Tutorials - Part 3 ( Java Deserialization Exploit to RCE)

Thick Client Penetration Testing – 3 (Java Deserialization Exploit: Remote Code Execution). Welcome Readers, in the previous two blogs we learnt about the various test cases as well as setting up traffic interception for thick clients using an interception proxy. Among the plethora of test cases out here, one particularly interesting one is "Remote Code Execution on thick clients". For this particular RCE, one of the thick clients I was testing was based on a Java application. While researching possible exploits, I noticed that there are custom deserialization methods in Apache commons-collections which have a particular "reflection logic". This can be exploited, leading to remote command injection as well as lethal arbitrary code execution. All Java-based applications that deserialize untrusted data and have "commons-collections" on their classpath can be exploited to run arbitrary code! For starters, let's cover

Thick Client Penetration Testing Tutorials - Part 2 ( Traffic Interception)

After getting the basics of thick client pentest, let's delve into the very first steps you can take to commence a thick client pentest: interception and setting up a proxy for the application. Thick clients can be broken down into two types based on proxy settings:
1) Proxy aware
2) Proxy unaware
Proxy aware applications are those that have settings in the application itself to route through an IP address and port, both for logging in to the application and for transmitting and receiving data. Whenever you log into the application, you will be given a prompt showing username/ password along with destination IP and port. In cases where the application does not have such settings and only accepts a username and password for authentication, you have to redirect the traffic from the application through your system to the actual server. This is the case of proxy unaware thick clients. Let's see how: The very first step involves getting the hostname of the thick client applic

Thick Client Penetration Testing Tutorials - Part 1

Hi Readers, today we will read about performing penetration testing on thick clients. Why thick client penetration testing? Thick client applications are not new, having been in existence for a long time; however, if asked to perform a pentest on thick clients, it is not as simple as a web application pentest. Thick clients are widely used across organizations for their internal operations. In this series of articles, we will learn the various tools and techniques used to perform thick client application penetration testing. Using a step-by-step breakdown, we will start with the very basics and progress to the advanced test cases. Introduction: Referenced under multiple names, such as fat client/heavy client/rich client/thick client, such applications follow a client-server architecture. For an easy-to-understand approach, thick clients are applications which are deployed locally on our systems, such as Skype/ Outlook. Thick clients can be developed using multiple languages