
Posts

Weak credentials encryption at rest with DPAPI: NordVPN case study

TL;DR The Windows client of NordVPN leverages DPAPI (Data Protection API) to effortlessly save the login credentials of its customers. This is a suitable way for developers to avoid common pitfalls regarding cryptographic implementation and key management. However, this simplistic solution entails trivial plain-text password recovery. The goal of this article is to provide a walk-through on how easy it is to dump (offline) the VPN credentials in a post-exploitation scenario with the help of the mighty Mimikatz.

Analyzing the encryption and decryption routines of NordVPN

A few days ago I was playing with what I already consider to be the best .NET debugger, dnSpy, and the first application I happened to open was NordVPN client v6.23.11.0. After a quick code review I decided to focus on the login routine that auto-connects the VPN at startup. This routine is delegated to the third-party DLL 'Liberation.OS', which in turn is also developed in .NET. Have a look for the documentation avail…
Recent posts

How To Harden Your Docker Containers

Properly securing your Docker containers can be a cumbersome and time-consuming task. The goal of this technical walkthrough is to comfortably guide you through the steps involved in hardening your Docker containers and securing your containerized infrastructure. Let's start with the basics, a checklist and common-sense best practices; we can then move on to the key point of sandboxing a container: dropping capabilities and creating ad hoc security profiles. A good example of this is my own project, which I have made available in my GitHub repository; check it out for a much deeper technical insight.

Preliminary steps

1) Update Docker: Clearly this is the first thing to do, even more so when a clever container escape has been recently disclosed (CVE-2019-5736).

2) Deploy Only Trusted Docker Images: enable the Content Trust feature to guarantee the authenticity and integrity of the images pulled from Docker Hub. You can also arrange an offline registry available in your environment by s…

Mobile Infosec Challenge Walkthrough

This article aims to briefly document some techniques and tools involved in the vulnerability assessment process of Android applications. For this purpose, we will solve the 2nd CTF challenge of the Infosec Institute (please get the apk from here).
"The goal of this challenge is to extract encrypted data plus its secret from a database embedded inside the application. Successfully decrypting the data reveals the flag."

First of all, we simply launch the app in the Android emulator.

Here are the standard steps we will perform to understand the inner working of the application:

1. Decompiling the apk
2. Retrieving the source code
3. Crafting the solution with a PoC
1) Decompiling the apk

We use apktool to decompile the resources and the bytecode.

We have a look at the Android manifest to get an overview of the components exported by the application.
Nothing interesting for now, only one activity is exported in this app. Obviously, this activity is the main activi…