Category: security
-
CertGraph: visualizing the distribution of trusted CA’s
Much of the Internet’s security posture relies on the correct implementation of certificates or certs. We’ve all been taught to look for the “green lock” on websites, and things such as mixed mode and HSTS are a good push for that. Certs 101: Websites, say michaelhendrickx.com, have a leaf certificate. This certificate holds some metadata,…
-
Cross domain cookie contamination
TLDR: XSS attacks can be used to set cookies for sub domains that share the same top level domain. This increases the scope of XSS attacks. In a cloud world; several applications are hosted under the same top level domain. An organization can have hostnames such as: company.com: corporate landing page mail.company.com: webmail intranet.company.com: internal…
-
CSS keyloggers, hype and/or impact
A few days ago, I stumbled across one of the videos of LiveOverflow, where he discusses a so called “CSS keylogger” (github), its impact and novelty. While there’s nothing new about the attack (it was reported several years ago, yet it popped up again on YCombinator’s HackerNews), I guess it trigger LiveOverflow to make the…
-
Nullcon 2017
A few months ago, I was asked to speak at Nullcon 2017, which concluded a few weeks ago. It was very well setup conference, and it attracts a lot of the security community in the Indian subcontinent. A pleasure to speak at, and I’d be happy to do it again in Goa 2018. I presented…
-
The lost art of penetration testing
Just a little rant. Often, if a security consultant is asked to perform asked to perform a VA/PT (the difference is a whole topic for another day) for a customer in a number of man-days. Obviously, as with most service based deliverables, one quantifies work in the time spent on it. Hours, or -more often-…
-
Post exploitation tools: Lazagne
Often, after a compromise of a machine, red teams / adversaries search for certificates or credentials to hop to other machines, often referred to as “lateral movement”. When doing so, many use Mimikatz, a tool that extracts credentials, PIN codes and kerberos tickets from memory. There are countless blog articles about how to detect it,…
-
Quick SSH security tips
Just a quick post about a page I stumbled across, and I merely want to keep it in bookmarks. I was talking to some people to secure public facing SSH servers; and while we have the obvious: Only allows SSH2 Disable root logins Use keypairs instead of passwords Implement fail2ban When researching to make internet…
-
Testing phishing scenario’s
When I joined my company, I was asked to perform a few social engineering assessments for private and government customers alike. Previously, the assessment being done were more testing the amount of people that would click a link in a spoofed e-mail, regardless of the damage. But I wanted to step things up a bit,…
-
Cross Window Redirect slides
Khaled and I just gave a talk in Owasp Qatar about tricks you can do with the Cross Window Redirect, and how it can help you in phishing attacks. I few people asked for the slides, so I though I’ll link to them here. The Cross Window redirect from Michael Hendrickx The PoC links are:…
-
The fake CC conversation
During social engineering exercises, one of the difficulties we face is to get a person to click a link or open an attachment. For the past few decades, we haven’t seen much changes in it. A rather, *sad* part even, a few days ago; Cisco researchers wrote about a quite aggressive malware; Rombertik. While being…