Today RSM is releasing the first of two unpatched vulnerabilities identified within drivers used in the gaming peripheral company Razer's Synapse application. The driver in question is rzpnk.sys (md5: B4598C05D5440250633E25933FFF42B0) which exposes some functionality via an IOCTL interface. Today's vulnerability is an out of bounds read condition that can be exploited by ... READ MORE
Offense
All In One OSINT
If we've said it once, we've said it a thousand times: OSINT is an attacker's best friend. There are a plethora of tools out there that we use everyday as pentesters to accomplish our tasks. For those of you starting out in the field, or are hobbyists, you probably have virtual machine with Kali Linux installed. Kali is a great pentesting tool, the best part about it is it ... READ MORE
Weaponizing hostapd-wpe
TL;DR: Installing hostapd-wpe on a wireless router powered by an external power bank provides a standalone wireless attack platform with good transmit power, concealability, and mobility. Despite being almost 5 years old (but recently updated to support hostapd 2.6), hostapd-wpe is still a go-to tool for assessing the security of wireless clients attached to WPA2 Enterprise ... READ MORE
Footprinting the Target with Recon-ng
Thank you for dropping in for part 2 of our tutorial series on LaNMaSteR53's Recon-ng information gathering framework. Last time, we focused on the fundamentals of navigation within the tool, selecting, configuring and executing modules, and understanding the output. If you came across this page first, please drop back to Part 1 of the series to get a solid background on the ... READ MORE
Obfuscating Launchers to Limit Detection
Last time, I provided a method for encrypting macro payloads (https://warroom.rsmus.com/encrypt-macros-bypass-sandboxes/) to prevent them from executing correctly in the event they were analyzed in a sandbox. On a somewhat-related note, in this post, I will discuss another method which can help ensure your payload makes it successfully to your target: obfuscation. First, ... READ MORE
Segmenting, Subnetting and You
I completed a week of Cisco Certified Network Associate (CCNA) training and passed the exam. I learned an interesting bit about how to quickly subnet. I would like to focus on how to subnet quickly without a calculator. For blue teamers, this skill is useful for implementing and evaluating segmentation. For red teamers, it can be useful for determining the number of potential ... READ MORE
Reconnaissance with Recon-ng
Intro to Recon-ng Reconnaissance is the first and arguably the most critical phase of any penetration test. It is the first step of the Attacker’s Methodology, and depending on how it is done will define how the test proceeds. This information gathering phase can be done countless different ways, but if it is not done correctly, you end up with very limited information and ... READ MORE
Fuzzing with Boofuzz – Primer
Introduction On one of our recent engagements we were tasked with testing a network protocol for DoS conditions. Naturally this engagement led us to explore the various fuzzers that are currently available. After going through a few options, I came across a python fuzzing framework on Github called Sulley. The framework looked to be unmaintained, which led to the discovery of ... READ MORE
Flash….Thunder!
So another year has passed and what an active year it was, chocked full of security events, breaches, and account dumps! Accounts that have been breached continue to pop up on multiple sale sites and we continue to see a trend that has plagued the industry for years and years... password reuse. I know what you're thinking, oh boy another blog about password reuse and why ... READ MORE
Evil AP Attacks with Spoofed Certificates
We've written in the past about the "Evil twin" or "Evil AP" attack using hostapd-wpe ("wireless pwnage edition"). This remains a viable attack in environments using enterprise authentication, and the patched hostapd obviates the need for a wireless access point, making the attack easy and portable. However, like most attacks there are still opportunities for tweaking and ... READ MORE