Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence

Novel Accessibility Feature Abuse technique
While investigating Ease of Access options in Windows 10 for new persistence techniques, I have actually found an undocumented one via 'Provide Narrator feedback' functionality.
Behind the scenes the Narrator feedback consists in launching the custom handler via URI scheme ‘feedback-hub’. However, in a post exploitation scenario is possible to trivially backdoor this component with fileless payloads hosted in the registry. Even if there is no security boundary between windows logon screen and the default user desktop (indeed both part of the same window station WinSta0) the possibility of the interaction between the Narrator instance running in the environment of the locked out users and the Windows logon screen opens the chance to trigger the malicious command defined in the registry as soon as the 'Provide Narrator feedback' combination keys are pressed in the latter context. The novel technique presented in this article ha…

Weak credentials encryption at rest with DPAPI: NordVPN case study

TL;DR The Windows client of NordVPN leverages DPAPI (Data Protection API) to effortlessly save the login credentials of the customers. This is a suitable way for developers to avoid common pitfalls regarding cryptographic implementation and key management. However, this simplistic solution entails trivial plain-text password recovery. The goal of this article is to provide a walk-through on how easy is to dump the VPN credentials in a post exploitation scenario with the help of the mighty Mimikatz.

Analyzing the encryption and decryption routines of NordVPN Few days ago I was playing with what I already consider to be the best .NET debugger, dnSpy, and the first application I happened to open was NordVPN client v6.23.11.0. After a quick code review I decided to focus on the login routine that auto-connects the VPN at startup. This routine is demanded to the third-party DLL 'Liberation.OS', that in turn, is also developed in .NET. Have a look for the documentation available of DP…

How To Harden Your Docker Containers

Properly securing your Docker containers can be a cumbersome and time consuming task. The goal of this technical walkthrough is to comfortably guide you through the steps involved in hardening your docker containers and securing your containerized infrastructure. Let's start with the basics, a checklist and common sense best practices, we can then move on to the key point of sandboxing a container: drop capabilities and create ad hoc security profiles. A good example of this is my own project which I have made available in my Github repository, check it out for a much deeper technical insight. Preliminary steps 1) Update Docker: Clearly this is the first thing to do, even more so when a clever container escape has been recently disclosed (CVE-2019-5736).   2) Deploy Only Trusted Docker Images: enable the Content Trust feature for guarantee the authencity and integrity of the pulled images from Docker Hub. You can also arrange an offline registry available in your environment by s…