The Evil Twin Attack has been around for some time. In the past, when we've run across WPA/2 Enterprise Wireless networks while on assessments, we'd break out a separate router and sit in a parking lot or lunch room waiting for victims to pass. The attack was simple, but the setup was overly complicated and left us tied to a power outlet. Fortunately, all that is in the past. A ... READ MORE
Analyzing Safe Exception Handlers
SafeSEH (Safe Structured Exception Handlers) is a Windows binary protection mechanism for 32-bit executables that has been around for a while now. When the option is enabled, the linker creates a list of valid exception handler addresses in the SEHandlerTable when the binary is being built. This protection prevents the execution of corrupted exception handlers which is a common ... READ MORE
Chromoting For Access
Chromoting Background Google Chrome offers a service dubbed "Chromoting" which allows users to opt into allowing remote access to their systems for either personal reasons or technical support. To use this service a user must download Chrome, be logged into their Google account, and enable Chromoting via the Chrome Remote Desktop application. The remote desktop application, ... READ MORE
Understanding Radio Frequency Theory
I did a short series on attacking Wi-Fi for my personal blog last year, but I did not cover Enterprise Wireless. A few interesting tools have been released in the time that has passed, so I'm going to steal some of my own words as a short lead into a new post on conducting attacks against WPA/2-Enterprise wireless networks. The Spectrum Electromagnetic energy is the basis on ... READ MORE
Request to Exit Sensor Bypass
(Originally published by @coldfusion39) When performing Physical Attack and Penetration Tests, we occasionally find ourselves on the wrong side of a locked door. The exterior or public side, of these doors is often controlled by an Access Control System utilizing either a Prox or iClass card reader. Due to various fire codes and regulations, the secured side of these doors ... READ MORE
King Phisher 0.1.6 Released
The latest version of RSM's phishing tool King Phisher has been released with numerous improvements. King Phisher is RSM's Phishing Campaign toolkit of choice, developed internally to meet the demands of the engagements that the team encounters. Some of the new features in this release include: Support for email messages with inline images that do not need to be ... READ MORE
Sophos UTM Home Edition – 2 – The Installation
UPDATE: Part 3 - The Setup, Part 4 - Definitions and Rules, and Part 5 - SSL VPN are now available. Now that we've discussed acquiring a Sophos UTM license and downloading the ISO, it's time for the install. This process is extremely straightforward assuming the hardware of choice is compatible. Should any questions arise, concerned users should reference the Hardware ... READ MORE
Enumerating User IDs On Smart Meters
The latest module for the Termineter Framework supports enumerating valid user IDs on smart meters as part of the C12.18 login process. This is particularly useful for certain smart meter vendors that allow the C12.19 general information tables #0 and #1 to be read with a valid user ID and but no password. Enumerating user IDs on smart meters can also identify accounts that can ... READ MORE
Sophos UTM Home Edition – 1 – Getting Started
UPDATE: Part 2 - The Installation, Part 3 - The Setup, Part 4 - Definitions and Rules, and Part 5 - SSL VPN are now available. I recently built a house and was fortunate enough to be able to fill the walls with Cat6. This has allowed me to build out a significant home network which includes multiple wireless access points, a mixed Windows/Linux environment, and various other ... READ MORE
MS14-040 AFD.sys Dangling Pointer Further Analysis
In July of this year (2014), an excellent write up was released by Sebastian Apelt of Siberas on the vulnerability described in the MS14-040 advisory. This vulnerability is a dangling pointer in the AFD.sys driver that when successfully exploited can allow a program to execute code in the context of NT_AUTHORITY\SYSTEM. This is a significant vulnerability as there are currently ... READ MORE