Some people say that eavesdropping is bad. But for many security specialists, traffic sniffing is a profession, not a hobby. For some reason, it’s believed that this process requires special expensive equipment, but today, I will show how network traffic can be intercepted using regular crocodile clips.
Read full article →Cold boot attack. Dumping RAM with a USB flash drive
Even if you take efforts to protect the safety of your data, don’t attach sheets with passwords to the monitor, encrypt your hard drive, and always lock your computer before leaving it unattended, this doesn’t guarantee that your information is safe. Your RAM can be easily dumped using a simple memory stick, and today I will explain in detail how to do this.
Read full article →Sad Guard. Identifying and exploiting vulnerability in AdGuard driver for Windows
Last year, I discovered a binary bug in the AdGuard driver. Its ID in the National Vulnerability Database is CVE-2022-45770. I was disassembling the ad blocker and found a way to use the identified vulnerability for local privilege escalation. As a bonus, this article gives insight into the low-level Windows structure.
Read full article →Kung fu enumeration. Data collection in attacked systems
In penetration testing, there’s a world of difference between reconnaissance (recon) and data collection (enum). Recon involves passive actions; while enum, active ones. During recon, you use only open sources (OSINT), and the target system is not affected in any way (i.e. all actions are performed anonymously). By contrast, at the enumeration (data collection) stage, you interact with the target. This article discusses the data collection stage as an integral component of any pentesting study.
Read full article →Serpent pyramid. Run malware from the EDR blind spots!
In this article, I’ll show how to modify a standalone Python interpreter so that you can load malicious dependencies directly into memory using the Pyramid tool (not to be confused with the web framework of the same name). Potentially, this enables you to evade antivirus protection in pentesting studies and conceal a suspicious telemetry source from EDR in the course of Red Team operations.
Read full article →Attacks on the DHCP protocol: DHCP starvation, DHCP spoofing, and protection against these techniques
Chances are high that you had dealt with DHCP when configuring a router. But are you aware of risks arising if this protocol is misconfigured on a company’s server? Using its misconfigurations, not only can a hacker disable the DHCP server, but also deliver an MITM attack and intercept critical data. This article discusses two attack vectors targeting DHCP and provides important security recommendations.
Read full article →Poisonous spuds. Privilege escalation in AD with RemotePotato0
This article discusses different variations of the NTLM Relay cross-protocol attack delivered using the RemotePotato0 exploit. In addition, you will learn how to hide the signature of an executable file from static analysis.
Read full article →