Mallard: A DIY Arduino Rubber Ducky
Ionize Blog
by support21469
6M ago
by Nicholas Bousamra
What is an Arduino Rubber Ducky? An Arduino Rubber Ducky refers to a device that emulates a USB keyboard and can be used for various tasks, including automating keyboard inputs and executing specific commands on a computer. The name "Rubber Ducky" is a nod to the original USB Rubber Ducky, a popular tool developed by Hak5 for penetration testing and security research. The Digispark ATtiny85 is a microcontroller board based on the ATtiny85 chip. It's known for its compact size and affordability. Some enthusiasts and security researchers have used the Digispark ATtiny85 as a ..read more
Why Universities Need to Prioritize Cyber Security: A Look at DISP
Ionize Blog
by heatherbaynham7
1y ago
Paul A. Watters, Strategic Cyber Consultant, Ionize
In Australia, the Defence Industry Security Program (DISP) is an initiative administered by the Department of Defence that is responsible for protecting classified information and technology in the possession of Defence contractors and other private sector organisations that have been granted access to such information and technology (https://www.defence.gov.au/security/industry). The DISP serves to protect classified information and technology from unauthorised disclosure and to ensure that contractors and other private sector organisations ..read more
Windows Credential Management, Logon Sessions and the Double Hop Problem
Ionize Blog
by Ionize
1y ago
I wanted to provide a quick overview on Windows credential management in relation to penetration testing, why passwords are not always stored in memory and the Double Hop problem. Windows creates a logon session upon a successful authentication. Each logon session will be backed by several authentication packages. These authentication packages store the credential material. The logon type and protocol will determine what credential material gets stored. All processes and threads have an access token that is tied to a logon session. If a process or thread wants to execute in a differe ..read more
Multiple Transports in a Meterpreter Payload
Ionize Blog
by Ionize
1y ago
It’s no secret that we’re big fans of the Metasploit Framework for red-team operations. Every now and again, we come across a unique problem and think “Wouldn’t it be great if Metasploit could do X?” Often, after some investigation, it turns out that it is actually possible! But unfortunately, some of these great features haven’t had the attention they deserve. We hope this post will correct that for one feature that made our life much easier on a recent engagement. Once Meterpreter shellcode has been run; whether from a phish, or some other means, it will reach out to the attacker’s Command a ..read more
Searching Network Shares for Domain Admin
Ionize Blog
by Ionize
1y ago
Currently one of the most effective methods of domain privilege escalation is finding open shares with sensitive information: server backups, database passwords, user passwords, or modifiable executables or scripts. This method often gets us Domain Admin privileges and has been successful on several recent client engagements. Some of the real world examples include finding Domain Controller backups (with the ability to extract KRBTGT), plaintext domain admin credentials, database passwords (which allowed us to create a Drupal admin and shell the server), writable web roots and even the abilit ..read more
Configuring Metasploit and Empire to Catch Shells behind an Nginx Reverse Proxy
Ionize Blog
by Ionize
1y ago
During red team engagements, we’ve found ourselves in the situation of wanting to use multiple remote access tools (Metasploit, Empire, Cobalt Strike, etc), all over port 443 for HTTPS communications. This is common when the only egress method from a network is HTTPS. This could be achieved with multiple hosts, each receiving a different type of shell; but what if you want or need to do this through a single domain or single host? This can be solved by using a reverse proxy to terminate the SSL connections and then proxy requests to each of the required tools based on a URI path. We’ve us ..read more
Lateral Movement in an Environment with Attack Surface Reduction
Ionize Blog
by Ionize
1y ago
This blog post will discuss techniques to bypass the Attack Surface Reduction (ASR) rule “Block process creations originating from PSExec and WMI commands” which I came up against during a recent engagement. The simplest solution to bypassing these restrictions could be to use a different lateral movement method such as Windows Remote Management (WinRM), Remote Desktop Protocol (RDP) or Distributed Component Object Model (DCOM) applications. Let’s assume these are all out of the question for the sake of the blog post. The PSExec lateral movement method (also referred to by the name SMBExec) us ..read more
Stealing Amazon EC2 Keys via an XSS Vulnerability
Ionize Blog
by Ionize
1y ago
On a recent engagement, our testers were faced with a single page web application which was used to generate PDF documents. This web application contained a multi-step form that ultimately let the user download a PDF document containing the details they had entered. As a user progressed through the form, the data entered would occasionally be redisplayed in future questions. We tried to find an XSS vulnerability in this workflow; and although the application itself correctly escaped user input, an interesting discovery was made when downloading the PDF file: it appeared that the PDF docu ..read more
Deserialisation Vulnerabilities
Ionize Blog
by Ionize
1y ago
Seemingly one of the most overlooked security vulnerabilities in the web applications that we test is the deserialization of untrusted data. I say overlooked because awareness of this issue seems to be comparatively low among web developers. Contrast that with the severity of this class of vulnerability (an attacker running arbitrary code on your web server), and the fact that it is present in the more common modern web application frameworks (.NET and Java), and you have a dangerous situation. OWASP recently recognised this, moving it into their Top 10 Most Critical Web Application Security R ..read more
How much should you spend on Cybersecurity?
Ionize Blog
by heatherbaynham7
1y ago
Paul A. Watters (Ionize) and Simon Brown
It's a question that is asked time and time again, and it may well be the most important commercial question in relation to cybersecurity investment: how much should I be spending on cybersecurity? As with the answer to most questions, this needs to be broken down into a number of sub-questions, some of which are easier to answer than others. Rather than offering a simple answer to a complex problem, we analyse the question as follows: Should you follow a fixed percentage guideline of revenue? Or profit? It depends on whether you are trying to protect ..read more