Posts

Showing posts from 2018

Mobile Infosec Challenge Walkthrough

Image
This article aims to briefly document some techniques and tools involved in the vulnerability assessment process of android applications. For such purpose, we will solve the 2nd CTF challenge of Infosec institute (please, get the apk from  here ). " The goal of this challenge is to extract encrypted data plus its secret from a database embedded inside the application. Successfully decrypting the data reveals the flag." First of all, we simply launch the app in the android emulator. Here are the standard steps we will perform to understand the inner working of the application: 1.         Decompiling the apk 2.         Retrieving the source code 3.         Crafting the solution with a PoC 1) Decompiling the apk We use  apktool  to decompile the resources and the bytecode. Apktool output Decompiled folders and files We have a look at the android manifest, to have an overview of the components exported by the application.

Port Knocking, a charming security through obscurity protection

This post is a short analysis of the idea behind port knocking, the reasons why it provides a layer of security to systems and its limits when it comes to usability. Introduction A subset of network services is meant to be accessible only by few authorized users (mainly system administrators). Services like SSH, web administrative panels, (S)FTP are often the most targeted because, if exploited, may allow an attacker to gain a foothold in the system. Even information disclosure of running processes, username enumerations and similar actions can allow an attacker to collect enough information to plan more targeted and harmful attacks. At this point port knocking comes in as a niche solution to conceal this type of network services from massive Internet scanner (e.g. Shodan). It also comes handy for protecting critical network services in the scenario that another host of the intranet have already been compromised and leveraged as pivots. Port knocking as a positive securi

WPA2-PSK vs WPA2-Enterprise: hacking and hardening

Image
This post has the aim to summarise the security aspects of WPA2, with a focus on WPA2-Enterprise hacking. At the end, EAP-TLS is presented as a pretty secure implementation. WPA2 in brief The Wi-Fi Protected Access is a wireless technology designed to secure the communiciations between stations and the Access Point from eavesdropping and tampering attacks. It is defined in 802.11i standard and has been adopted in home, small business (WPA2-Personal) and enterprises (WPA2-Enterprise) since 2004.  The WPA2 implementation is based on the 4-way handshake. The PMK (pairwise master key) is the value that both station and AP know and from which the PTK (pairwise transient key) is calculated and valid for the session. The station MAC, the AP MAC and two nonces (A-Nonce, S-Nonce) that are exchanged during the 4-way handshake are also part of the PTK generation process. From an offensive point of view, capturing the messages of the 4-way handshake that are transm

Management Frame Protection and its limitations

Image
In this article we talk about management frames, their exposure to Denial of Service (DoS) via de-authentication attack, how Management Frames Protection can prevent this and its limitations against other DoS attacks discovered during the years by security researchers. A brief overview of Management Frames Management frames are at the centre of the WLAN operability and also have an important role in the negotiation activity between an access point and its stations. Code Field (Wireshark filter) Subtype 0x00 Association Request 0x01 Association Response 0x02 Re-Association Request 0x03 Re-Association Response 0x04 Probe Request 0x05 Probe Response 0x06 Reserved 0x07 Reserved 0x08 Beacon 0x09 ATIM 0x0a Disassociation 0x0b Authentication 0x0c Deauthentication 0x0d Actio