I posted back in February about a new Android bug in the Bluetooth stack (CVE-2020-0022). This is a nasty bug that affects Android 8-10 devices and requires no user interaction: the attacker just needs to be in proximity to any Android device that has Bluetooth enabled. On Android 8 and 9 it gains remote code execution, and on Android 10 it only crashes the Bluetooth stack. BlueFrag is the name of the exploit that takes advantage of this vulnerability.
ProxyJump makes SSH’ing from a bastion to hosts behind it very convenient, and it has been built into SSH since v7.3. Under the hood it makes use of ProxyCommand, which dispatches the connection through another SSH session and relays the traffic, and which has been in SSH for a “long time” according to the article.
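To make the ProxyJump/ProxyCommand relationship concrete, here is an added `~/.ssh/config` fragment (not from the article; the host names, user names and key path are placeholders) that reaches internal hosts through a bastion, with the equivalent pre-7.3 ProxyCommand spelling shown alongside it:

```ssh_config
# Added example, not from the article. Host names, users and the key path
# are placeholders; adjust them for your own environment.

# The bastion is the only host reachable from outside.
Host bastion
    HostName bastion.example.com
    User jumpuser
    IdentityFile ~/.ssh/id_ed25519

# Every host on the internal network is reached through the bastion.
# ProxyJump (OpenSSH 7.3+) does all the work; "ssh web1.internal.example.com"
# is enough from the client.
Host *.internal.example.com
    User opsuser
    ProxyJump bastion

# The same thing spelled out the old way: ProxyCommand starts a second ssh
# to the bastion and "-W %h:%p" forwards that session's stdin/stdout to the
# target host and port. The outer ssh still authenticates end-to-end with
# the internal host.
# Host legacy.internal.example.com
#     User opsuser
#     ProxyCommand ssh -W %h:%p bastion
```

Because the inner session is tunnelled end-to-end, neither form needs agent forwarding, so the client's private key and agent socket never exist on the bastion; the bastion only sees the encrypted bytes passing through it.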
I found this really awesome guide on Twitter this morning which walks you through what NTLM relay attacks are and then teaches you how to carry out this style of attack against Windows and Samba.
Direct Kernel Object Manipulation (DKOM) is a technique that allows software to “hook” into the Windows operating system at the kernel level. This video is from the INFILTRATE 2019 conference and is titled “DKOM 3.0: Hiding and Hooking with Windows Extension Hosts.” In it, the speakers take advantage of a Windows subsystem introduced in Windows 7 to hook the kernel.
I was reading an article published by SANS, which led me down a rabbit hole of modifying firmware to carry a persistent implant and all the research that has been done on the topic. Firmware runs on the majority of devices in a modern-day computer system, ranging from a laptop to a cell phone. This includes components such as the track pad, HDD/SSD, network card, USB hubs, GPUs, etc. Doing this research I stumbled on the fact that PCI devices can talk directly to one another with NO OS supervision. So things like antivirus programs or even host-based firewalls won’t be able to observe what is going on. This is because the devices communicate directly across the PCI/PCIe bus, and by modifying the firmware you can achieve persistence that could potentially be platform agnostic.
Black Hills Information Security (BHIS) recently wrote a blog post on how to debug embedded firmware via a JTAG port. The author, Raymond Felch, used a JTAGulator and a multimeter to find the JTAG ports left on a Linksys router that he got at a yard sale.
Paul Clark, who literally wrote the book on using software defined radios, gave a presentation for Black Hills Information Security (BHIS) on how he built a custom data exfiltration box using software defined radios (SDRs). By all accounts this capability could be very challenging to spot, especially because listening on a single MHz of the RF spectrum generates 8MB of data per second, and frequency hopping significantly increases the complexity. He also goes through how GNU Radio Companion (GRC) actually generates Python code from the flow graphs that you build in the user interface. At the tail end of the presentation Paul discusses the work of Josh Conway, who built a device he calls the SigInt Tablet for about $150 that allows sampling of the RF spectrum, and who also found he could transmit simply by applying voltage to a GPIO pin, which could potentially be used to interfere with or even jam an RF transmission.
I found an article posted to Twitter describing a new technique for injecting Meterpreter directly into memory in a way that bypasses Windows Defender. Windows Defender has been steadily upping its game over the past year, and previous techniques that used to work no longer do.
Link to the article: http://bit.ly/38wuAtq
Update 20191226: In the latest updates for Windows 10 and Windows Server 2019 these steps are slightly different. You need to disable two local Group Policy settings. The first is labeled “Turn off smart multi-homed name resolution” and the second is “Turn off multicast name resolution”.
Many of you are probably already familiar with what Responder does. It takes advantage of protocols such as LLMNR to spoof responses to Windows auto proxy discovery. Black Hills Information Security has just published a blog post on how to disable LLMNR. This protocol has no security, is a broadcast layer 2 protocol and was designed to be used for DNS resolution when there is no DNS server in the network. Nice right? It is also how Windows has performed its proxy discovery since Windows Vista, and it can be spoofed from any node on the broadcast domain. This has been used by hackers to send the user to a proxy server they control in order to steal user credentials for websites such as online banking and also to exploit the browser itself.
BHIS Blog Post: http://bit.ly/2RHtBAZ
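As an added example (not from the BHIS post), the PowerShell below writes the same two policy registry values that the “Turn off multicast name resolution” and “Turn off smart multi-homed name resolution” settings set, then reads them back so you can confirm the hardening actually landed. It assumes an elevated PowerShell session on Windows 10 / Server 2019 and that the value names match the DNS Client policy template.

```powershell
# Added example, not from the BHIS post. Run elevated.
# Assumption: these are the registry values the two Local Group Policy
# settings named above write (DNS Client policy template).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# "Turn off multicast name resolution"         -> EnableMulticast = 0
# "Turn off smart multi-homed name resolution" -> DisableSmartNameResolution = 1
$Desired = @{
    EnableMulticast            = 0
    DisableSmartNameResolution = 1
}

function Set-NameResolutionHardening {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
    }
}

function Test-NameResolutionHardening {
    # $true only when both values exist and match. A missing value means
    # the default (LLMNR enabled) is still in effect, so treat it as a fail.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $current = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $Desired.Keys) {
        $prop = $current.PSObject.Properties[$name]
        if ($null -eq $prop -or $prop.Value -ne $Desired[$name]) { return $false }
    }
    return $true
}

Set-NameResolutionHardening
if (Test-NameResolutionHardening) {
    "LLMNR and smart multi-homed name resolution are disabled by policy."
} else {
    "Policy values missing or wrong under $PolicyKey; check permissions."
}
```

This covers the local machine only; pushing the same two settings through a domain GPO is how you apply them across the estate, and the Test- function is still useful there as a spot check on individual hosts.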
Black Hills Information Security just published an article with a lot of living-off-the-land techniques for pentesting and red teaming. Turns out there is a lot you can do on modern-day Windows systems, such as decoding Base64 data using “certutil.exe” and writing data to the clipboard using “clip.exe”.
Full BHIS article: http://bit.ly/32Y54JD