Latest articles

  1. How to install GNS3 and VMware Player on Linux (Debian)

    Published: Sat 12 August 2017 in Cookbook.
    Updated: Sat 19 August 2017
    Step-by-step guides to install GNS3 and/or VMware player on Linux.

    While installing GNS3 and VMware should be easy, it is in fact very easy to lose a lot of time on silly issues.

    • If you are interested only in installing VMware Player, feel free to go directly to the corresponding part.

    • If you are interested in installing GNS3, I also recommend installing VMware Player as some appliances may require it.

    RouterGods also shared a few tips on how to set up a more comfortable GNS3 lab. Take a few minutes to check it once you’ve finished the installation!

    Installing GNS3

    GNS3 relies on Linux kernel features. If you are not a Linux user, the recommended way to use GNS3 is to use the GNS3 official virtual machine. This virtual machine may also be a good solution if you are a Linux user but you just want to quickly test GNS3 or do not want to modify your host environment.

    For a regular …

  2. How to build a virtual pentest lab

    Published: Fri 11 August 2017 in Cookbook.
    Updated: Sat 19 August 2017
    A guide to choose the best hardware and software to match your needs at the lowest cost and efforts.

    Standalone virtual machines are both a cheaper and more practical solution to test systems, as they don’t need dedicated hardware and are easier to handle than physical installations (actions such as cloning, taking a snapshot or rolling back become trivial).

    Network virtualization goes a step further and applies the same principle to a whole network, including workstations, servers, and all networking devices such as switches, routers and firewalls. A virtual network can be of any size and topology, and can mimic any real-life situation such as Active Directory domains or remote-access or site-to-site VPNs, or be used to test protocols of every network plane.

    Such a virtual network can be either fully isolated or have one or several links to physical devices and networks; it’s all up to you to decide.



    The goal of a virtual lab is to be able to quickly set up the environment which will allow you to …

  3. Isolate your services using jails and containers

    Published: Thu 10 August 2017 in Cookbook.
    Use FreeBSD jails and Linux LXC efficiently to make your server both more secure and easier to manage.

    Containers and jails allow you to make your system more secure, more reliable, more flexible and, at the end of the day, easier to manage. Once you get used to them, it becomes difficult to imagine setting up a server without such features.

    But what are they exactly?

    Containers and jails

    Containers and jails designate different implementations of operating-system-level virtualization. Like a lot of low-level security features we encounter in today’s world, this functionality can be traced back to the old mainframes, where reliability and parallelism are at the core of the system, and which allow a host system to be partitioned into smaller isolated systems.

    This feature then went through commercial Unixes to finally reach open-source operating systems. The first open-source OS to really implement this feature was FreeBSD, which has offered its jail functionality since 2000 (FreeBSD 4.0). In the meantime there were several more-or-less successful attempts …

  4. FreeBSD jail SHM hole (CVE-2017-1087)

    Published: Wed 02 August 2017 in Cookbook.
    Updated: Thu 16 November 2017 (CVE assigned to this issue (finally, thanks Remko!))
    FreeBSD <=10.3 jails are not air-tight: vulnerability explanation and PoC.

    In FreeBSD’s early days, shared memory (SHM) objects were associated with an actual file system object. Since each jail has its own filesystem root, SHM objects were therefore not reachable from other jails.

    FreeBSD 7.0 switched to a purely abstract representation of SHM objects. They are now just names, with no relation to the underlying filesystem.

    Due to this, any jail gained read-write access to any SHM object system-wide, with no available workaround to prevent or limit this (not to be confused with IPCs, which can be disabled on a per-jail basis; here there is strictly no way to prevent the issue).

    This issue has been published in the FreeBSD Security Advisory FreeBSD-SA-17:09 and CVE-2017-1087.


    fbsd-shm-hole.c is a small PoC that allows quickly testing and demonstrating the issue.


    1. Compile and copy this tool in two different jails …

  5. Carbanak APT, the great bank robbery

    Published: Mon 31 July 2017 in Library.
    The 3rd millennium version of the postal train robbery, readable as a good detective novel.

    In 2015, several surveillance cameras filmed people standing in front of an ATM, and while no interaction occurred between them and the machine, the ATM suddenly started to dispense cash.

    Strangely enough, this was actually only the tip of the iceberg, as the investigation unveiled an operation that had been ongoing for around two years, infecting and stealthily altering bank operations from the inside, to achieve what may be one of the biggest bank robberies ever, estimated at up to one billion dollars.

    Kaspersky’s report tells the story of this investigation. While this document provides technical details for interested people, they are not necessary to understand it and can easily be skipped. In fact, this report is quite well written: it can be read as a good detective novel and provides a good description of what a high-end attack may look like nowadays.

    Actually, this report looks so much like a detective novel that Wikipedia notices there was some …

  6. 23, Karl Koch and Cliff Stoll

    Published: Sun 23 July 2017 in Library.
    The best depiction of the hacking world in the early days of the Chaos Computer Club.

    23 - Nichts ist so wie es scheint (1998)

    The best depiction I’ve seen so far of the state of the hackers’ world in western Germany in the 80’s. You name it: this is the place and time which gave birth to the Chaos Computer Club.

    This film is an independent production (by Hans-Christian Schmid) and, due to this, is not very widely known, which I think is a real shame. It follows Karl Koch, a German hacker stealing information from US military systems to sell it to the KGB. But, IMHO, this is merely an excuse to give us an overview of the hackers’ world of that time, at both the cultural and technical level, where idealism faces conspiracy theories, the desire to free access to information meets individual and national craving for power, and Usenet groups were creating new kinds of links between people.

    Screenshot of "23 - Nichts ist so wie es scheint"

    Some people …

  7. NSA and Microsoft, toward a tighter “collaborative teamwork”?

    Published: Tue 16 May 2017 in Opinions.
    A history of forced love and denial between the National "Security" Agency and large corporations.

    This article is somewhat of a sequel to my thoughts about the Wannacry case.

    The NSA relies on a large database of undisclosed and unfixed software vulnerabilities to hack its way into any system deemed either hostile or useful for its intelligence gathering. As explained by former NSA director Michael Hayden:

    If the agency thinks that no one else will be able to exploit a vulnerability, it leaves the problem unfixed to aid in its own spying efforts.

    It is only if the NSA estimates that the exploit may be known to someone else, and therefore represents a potential risk to US safety, that it will inform the vendor so the vulnerability can get fixed.

    It may happen that sometimes this process gets a hiccup, with a vendor interfering with NSA activity, as most probably happened to Microsoft with the MS08-067 …

  8. Wannacry: a full scale war game?

    Published: Tue 16 May 2017 in Opinions.
    With the Shadow Brokers announcing WWIII, the ransomware may actually convey a different message than the advertised one.

    An unidentified group, the Shadow Brokers, stole NSA’s secret cyber-weapons and decided to publish (some of) them. A mafia group took this opportunity to develop ransomware which would make the headlines as “WannaCry” or “Wcry”.

    Fortunately, the damages were far from what they could have been:

    • Microsoft published a fix for the exact issue exploited by the ransomware just a month before these tools became public.
    • The malware embedded a trivial kill switch allowing anyone in the world to easily stop the propagation: it worked so well that it was accidentally triggered, stopping malware propagation just a few hours after its release.

    Without this “luck” the attack could have been damaging in a way out of proportion with what we actually encountered. The current estimate of 230,000 infected computers may seem a high and impressive number, but this is nothing like what one could expect from such a piece …

  9. wwwolf’s PHP webshell is now available

    Published: Sat 21 January 2017 in Projects.
    Updated: Sat 02 December 2017 (Added the password feature + link to project page.)
    Discover wwwolf's PHP webshell, a lightweight off-road PHP web shell!

    I frequently encountered issues when using other web shells:

    • They use new PHP syntax features not compatible with the old PHP version running on some targets.
    • They make wrong assumptions about the remote URL, breaking PHP code injection or GET parameters (un)expected by the server.
    • They often only display standard output content, throwing away stderr.
    • They poorly handle special characters in output display (such as <).
    • They do not allow file upload, or offer a method unsupported/blocked by the target’s settings.
    • They require manual modification depending on whether the target is running a UNIX-like or a Windows system.

    Here is my attempt to solve these issues. As opposed to some other solutions, this one does not aim in the slightest to become a “full-featured post-exploitation framework”. Its only goal is to provide a stable and reliable way to get a foot in the door on the target by …

  10. How to examine Android SELinux policy

    Published: Mon 15 August 2016 in Cookbook.
    A step-by-step guide from building your environment to a concrete example showing the tools in action.

    Examining SELinux policy should be a trivial thing, but Android turns this into some kind of nightmare. In fact, Google has designed Android mainly from a consumer perspective, and not for power users. The result is that, as soon as you want to do something outside of using the latest Facebook app or playing Candy Crush, you very quickly find yourself back in the realm of early-2000s Linux, when developer-like knowledge was required to change what should be simple settings. I believe that the situation will quickly evolve as the Android system gets more mature, but for now we have to make do with what we have got…

    There are two reasons why it is necessary to compile your own SELinux toolset:

    • The system provided toolset is usually a version behind. While Android’s SELinux relies on policy DB version 30, current Linux boxes usually handle only version up …
