Latest articles in ‘Offsec’

  1. How are attacks and APTs attributed

    Published: Sun 01 October 2017 in Opinions.
    How to put the name of a country or an individual behind a security event.

    Computer-based attack attribution works like the attribution of any other illegal activity: it requires a significant amount of investigation, gathering clues, corroborating information, attempting to eliminate false leads and recognize the right ones, etc.

    On the attackers’ side

    The attacker may cover his tracks using two main techniques: plausible deniability and false flag.

    Plausible deniability

    Plausible deniability aims at non-attribution by making the attacker’s identity unclear. It relies notably on using off-the-shelf, widely available tools and techniques, and on carefully removing all metadata and potential clues.

    CIA’s Development Tradecraft DOs and DON’Ts from the “Vault 7” leak is a perfect example of how to implement plausible deniability in malicious software.

    False flag

    False flag (in the case of a government entity we can also talk of black ops) aims at misattribution by voluntarily and actively forging clues designed to deceive investigators (or simply the targets) into attributing the attack …

  2. Introduction to z/OS and IBM mainframes world and security

    Published: Sun 01 October 2017 in Library.
    They run our economy and critical infrastructures all over the world, yet remain mostly unknown.

    Mainframes are often designated as “legacy platforms”. This triggers the mental image of those old 80’s era enormous bulky computers which can be found in any good computer museum and vintage videos, and leaves a mixed feeling about the place of such machines in today’s computing world.

    However, nothing could be more wrong:

    1. A lot of the technologies which made today’s computing what it is are actually owed to the mainframe world.

      Things like non-executable memory, process isolation, virtualization and symmetric multiprocessing, to name just a few, are all technologies that were first developed for mainframe environments, and only then ported onto other architectures.

    2. Today’s mainframe hardware has nothing in common with antique computers; it evolved as the rest of the computer world did.

      They are bulky, but not as much as one may imagine: the size of a large fridge, to give a rough idea. They remain …

  3. Professional Penetration Testing (Thomas Wilhelm)

    Published: Sat 19 August 2017 in Library.
    Penetration testing not seen as a technical operation but as a business activity: what changes when a hobby becomes a real job?

    This book does not teach you penetration testing technically; it teaches you penetration testing professionally. Here, the pentest is not a technical exercise anymore: it becomes a paid service delivered to a customer to satisfy a business need. This requires more than throwing a bunch of tools and lines of code toward a target. This requires things like planning, methodology, quality and risk management, and communication. This is what this book is about.

    This book mainly targets three kinds of audiences:

    • People who are already familiar with the technical side of pentesting and are wondering if making it a career would be interesting for them (doing something as a hobby and as a job is not the same) and, if so, how to proceed and what to expect.

    • Pentesters already in the field who would like to have a broader view of their current job.

    • Project managers who are already …

  4. Why I teach people how to hack (Ýmir Vigfússon)

    Published: Thu 17 August 2017 in Library.
    Why learning to hack is a good thing, explained to the grown-up, serious people :).

    In this short TEDx talk, Ýmir Vigfússon tells us what it means to be a hacker, from the curious teenager who does not really have a “moral compass” (yet!) to the senior professional sharing his knowledge.

    He tells us what leads people in this direction but, above all, he tells us how all these people, from the teenager to the professional, benefit society as a whole.

    For those who may not know the text, this video strongly echoes the Hacker’s Manifesto, but now explained by a well-respected professional and assistant professor instead of an 11-year-old teenager.

    Watch on YouTube

  5. Hacker’s Manifesto (The Mentor)

    Published: Sat 12 August 2017 in Library.
    A heart-moving foundational document of the hacker culture, written in 1986 but still current.

    Teenagers interested in computer hacking in the broad sense of the term, where hacking focuses on the technical aspects of computer science and security is just a part of it, often face the same roadblock.

    As this practice is generally not understood and is the subject of a lot of fantasies and misconceptions, they often face the same criticisms: they spend all their time playing on their computer, are anti-social, do not respect authority. In a few words, they are ruining their life.

    However, the most difficult part of such situations is not the criticism itself, it is the sense of isolation it produces. Forty years ago, one such teenager rose up against this feeling and wrote, under the pen name The Mentor, what now counts as one of the most heart-moving and inspirational texts about the hacking culture: the Hacker’s Manifesto, also known as The Conscience of …

  6. How to build a virtual pentest lab

    Published: Fri 11 August 2017 in Cookbook.
    Updated: Sat 19 August 2017
    A guide to choose the best hardware and software to match your needs at the lowest cost and efforts.

    Standalone virtual machines are both a cheaper and a more practical solution to test systems, as they don’t need dedicated hardware and are easier to handle than physical installations (actions such as cloning, taking a snapshot or rolling back become trivial).

    Network virtualization goes a step further and applies the same approach to a whole network, including workstations, servers, and all networking devices such as switches, routers and firewalls. A virtual network can be of any size and topology, and can mimic any real-life situation such as Active Directory domains, remote-access or site-to-site VPNs, or testing protocols of every network plane.

    Such a virtual network can be either fully isolated or have one or several links to physical devices and networks; it is all up to you to decide.

    The goal of a virtual lab is to be able to quickly setup the environment which will allow you to …

  7. FreeBSD jail SHM hole (CVE-2017-1087)

    Published: Wed 02 August 2017 in Cookbook.
    Updated: Thu 16 November 2017 (CVE assigned to this issue (finally, thanks Remko!))
    FreeBSD <=10.3 jails are not air-tight: vulnerability explanation and PoC.

    In FreeBSD’s early days, shared memory (SHM) objects were associated with an actual file system object. Since each jail has its own filesystem root, SHM objects were therefore not reachable from other jails.

    FreeBSD 7.0 switched to a purely abstract representation of SHM objects. They are now just names, with no relation to the underlying filesystem.

    Due to this, any jail gained read-write access to any SHM object system-wide, with no available workaround to prevent or limit this (this is not to be confused with IPCs, which can be disabled on a per-jail basis; here there is strictly no way to prevent the issue).

    This issue has been published in the FreeBSD Security Advisory FreeBSD-SA-17:09 and CVE-2017-1087.


    fbsd-shm-hole.c is a small PoC that allows quickly testing and demonstrating the issue.

    1. Compile and copy this tool in two different jails …

  8. Carbanak APT, the great bank robbery

    Published: Mon 31 July 2017 in Library.
    The 3rd millennium version of the postal train robbery, readable as a good detective novel.

    In 2015, several surveillance cameras filmed people presenting themselves in front of an ATM and, while no interaction occurred between them and the machine, the ATM suddenly started to dispense cash.

    Strangely enough, this was actually only the tip of the iceberg, as the investigation unveiled an operation that had been ongoing for around two years, infecting and stealthily altering bank operations from the inside, to achieve what may be one of the biggest bank robberies ever, estimated at up to one billion dollars.

    Kaspersky’s report tells the story of this investigation. While this document provides technical details for interested readers, they are not necessary to understand it and can easily be skipped. In fact, this report is quite well written, can be read as a good detective novel, and provides a good description of how a high-end attack may look nowadays.

    Actually, this report looks so much like a detective novel that Wikipedia notes there was some …

  9. 23, Karl Koch and Cliff Stoll

    Published: Sun 23 July 2017 in Library.
    The best depiction of the hacking world in the early days of the Chaos Computer Club.

    23 - Nichts ist so wie es scheint (1998)

    The best depiction I’ve seen so far of the state of the hackers’ world in western Germany in the 80’s. You name it: this is the place and time which gave birth to the Chaos Computer Club.

    This film is an independent production (by Hans-Christian Schmid) and, because of this, is not very widely known, which I think is a real shame. It follows Karl Koch, a German hacker stealing information from US military systems to sell it to the KGB. But, IMHO, this is merely an excuse to provide us with an overview of the hackers’ world of that time, both at the cultural and the technical level, where idealism faces conspiracy theories, the desire to free access to information meets individual and national cravings for power, and Usenet groups create new kinds of links between people.

    Screenshot of "23 - Nichts ist so wie es scheint"

    Some people …

  10. Wannacry: a full scale war game?

    Published: Tue 16 May 2017 in Opinions.
    With the Shadow Brokers announcing WWIII, the ransomware may actually convey a different message than the advertised one.

    An unidentified group, the Shadow Brokers, stole NSA’s secret cyber-weapons and decided to publish (some of) them. A mafia group took this opportunity to develop a ransomware that would make the headlines as “WannaCry” or “Wcry”.

    Fortunately, the damages were far from what they could have been:

    • Microsoft published a fix for the exact issue exploited by the ransomware just a month before these tools became public.
    • The malware embedded a trivial kill switch allowing anyone in the world to easily stop the propagation: it worked so well that it was accidentally triggered, stopping the malware’s propagation just a few hours after its release.

    Without this “luck” the attack could have been damaging out of all proportion to what we actually encountered. The current estimate of 230,000 infected computers may seem a high and impressive number, but this is nothing compared to what one could expect from such a piece …

  11. wwwolf’s PHP webshell is now available

    Published: Sat 21 January 2017 in Projects.
    Updated: Sat 02 December 2017 (Added the password feature + link to project page.)
    Discover wwwolf's PHP webshell, a lightweight off-road PHP web shell!

    I frequently encountered issues when using other web shells:

    • They use new PHP syntax features not compatible with the old PHP version running on some targets.
    • They make wrong assumptions on the remote URL, breaking PHP code injection or GET parameters (un)expected by the server.
    • They often only display standard output content, throwing away stderr.
    • They poorly handle special characters in output display (such as <).
    • They do not allow file upload, or offer a method unsupported/blocked by the target’s settings.
    • They require manual modification depending on whether the target is running a UNIX-like or a Windows system.

    Here is my attempt to solve these issues. As opposed to some other solutions, this one does not even remotely aim to become a “full-featured post-exploitation framework”. Its only goal is to provide a stable and reliable way to get a foot in the door on the target by …

  12. Are EMV credit cards clonable? How?

    Published: Tue 15 September 2015 in Opinions.
    Why a system regularly presented as unbreakable actually isn't.

    From a theoretical perspective, a smart card can be compared to a networked computer: its content cannot be accessed directly like a disk or a USB stick; you must send requests to the chip (either to access some data or to execute some operation) and the chip answers following a given protocol (authentication may be needed for some requests, etc.).

    Therefore, still from a theoretical perspective, while a smart card itself can be considered secure, this led to a wrong marketing discourse claiming that systems based on it were “unbreakable” or that such cards were “unclonable”. However, a complex system like a complete payment system cannot be reduced to the sole EMV card security. The payment card is only the tip of the iceberg: every element composing this system and their mutual interactions must be taken into account, from the various involved devices to the protocols and the …
