Sunday, May 6, 2018

Stealing NTLM hash with BadPDF - A Technique to bypass AV and Endpoint protections

On April 26, 2018, the Check Point research team discovered a malicious exploit that can be embedded in PDF files and sent on to victims. After the victim opens the malicious PDF file, the victim's machine leaks the NTLM hash over the SMB protocol.

I created the malicious PDF and tested it on my personal machine, which was fully equipped with cutting-edge endpoint protection technology. It leaked the NTLM hash to the attacker. If the SMB protocol is open on the victim's machine, it will leak the hash through it.

I thought disabling the SMB protocol would patch this issue. So I turned off the SMB protocol on the machine, downloaded the PDF via the web browser and opened it in the Chrome browser only. In that case, the browser made an HTTP request to the attacker's machine to leak the NTLM hash value.

Saturday, April 21, 2018

Android OS/Phone Security Hardening Guide

In this article, I am going to list all the security features that can be hardened on any Android phone operating system in order to improve the security of the user's phone. I believe there are plenty of articles available online on the same topic; however, each of them is missing one thing or another. Hence, my attempt here is to list every possible feature that we can use to improve Android phone security.

Friday, February 16, 2018

Datasploit usage using docker container - OSINT

Datasploit performs automated OSINT on a domain, email, username or IP address and finds relevant information from different sources. It is an easy-to-contribute OSINT framework: you write the banner, main and output functions, and Datasploit automatically does the rest for you. It is useful for pen-testers, bug bounty hunters, cyber investigators, product companies, security engineers, etc. It collates the results and shows them in a consolidated manner. It tries to find credentials, API keys, tokens, sub-domains, domain history, legacy portals, usernames, dumped accounts, etc. related to the target. It can be used as a library, in automated scripts or as standalone scripts. It can generate lists that can be fed to active scan tools, and it generates HTML output along with text files.

Thursday, January 11, 2018

Less perks and more pitfalls of cryptocurrency

I was always wondering whether or not to invest in cryptocurrency. I started looking at all the articles that exist on the internet. The majority of articles reflected the same advantages and disadvantages. However, after reviewing almost 50 different articles, what I have analyzed is that there are more pitfalls with fewer perks.

So I gathered all the pitfalls of bitcoin to cover them in a single article. They are as follows. Thanks to the industry contributors.

Saturday, September 16, 2017

Android Kiosk Browser Lock down Security Testing Checklist

What is Kiosk Browser Lockdown?
In simple words, if you want to restrict the usability of a device that you are putting into your employee's or customer's hands, you can use a kiosk browser lockdown facility to make that device single-purpose.

Generally, finance companies use this at their branches: when a customer comes to the branch for any kind of help, a representative approaches them with a tablet that has the bank's or company's application running on it. That device may land in many hands, such as all of the company's employees and sometimes clients too. So, to restrict all of the device's other functionality, such as settings, other apps on the home screen, etc., a company uses a kiosk lockdown, which can be paid or free software.

Monday, May 1, 2017

Working with BurpSuite MobileAssistant Tool

Recently, on Friday, April 28, 2017, Burp Suite released its new tool, dubbed Mobile Assistant. It is released mainly for two purposes: it is designed to change the system-wide proxy setting and to bypass SSL certificate pinning. Currently it is available for iOS 8 and later only. You can find more details on the official blog referenced below. Here I am going for an in-depth tutorial, starting from setting up the Mobile Assistant to using it.

Friday, April 7, 2017

CVE-2016-7786 - Sophos Cyberoam UTM - Privilege Escalation

In this small article I am going to share one of my zero-days, which I found a while back in a Sophos Cyberoam UTM device. A vulnerability, which was classified as critical, has been found in Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5. This issue affects an unknown function of the file Licenseinformation.jsp of the component Access Restriction. Manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted are confidentiality, integrity, and availability.

Thursday, March 30, 2017

Network Security VAPT Checklist

Hi guys, there are very few technical network security assessment checklists, so I thought I would share my own. Have a look and enjoy. Let's talk about the scope first. If you are given 1000 machines on which to perform VAPT, then here is your scope: a single machine can have 65535 ports open. Any single port can run any service software in the world; for example, FTP can be run on SmartFTP, Pure-FTPd, etc. Any single FTP software version (for example Pure-FTPd 1.0.22) can have a number of vulnerabilities. So if you multiply all of these, it is impossible for any auditor to probe all the ports and find all the services manually. Even if he/she is able to do that, it is impossible to check all the vulnerabilities pertaining to a single port of a single machine. Hence we have to rely on scanners such as Nexpose, Nessus, OpenVAS, Core Impact, etc. Here are some quick tools and test cases that one can perform on commonly found ports in a network pentest.