Latest Articles
Research and Development
Hello w0rld. In this post we would like to let you know our areas of research and the research projects that we are currently working on. For 2016 we are planning to develop tools that will be used in our tests. Our areas of interest can be highlighted as: antivirus detection and evasion techniques (sandbox detection, etc.); packers, anti-debugging, anti-disassembly and binary obfuscation; network packet capture analysis scripts looking for IoCs.
January 28, 2016
Covert channels - (Mis)Using ICMP protocol for file transfers with scapy
Hello w0rld. In this post I will show how it is possible to (mis)use the ICMP protocol for file transfers with scapy. “In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.” Source: Wikipedia. I have to give credit to GhostInTheShellcode 2015 for “borrowing” the idea from the forensics challenge (see my previous post!). It is quite tricky to achieve, but the effort is worth it for the result. Network filtering restricts the traversal of specific packets or of all traffic of a kind. A firewall (pseudo)entry might look like “allow src dst http” or “allow src dst icmp”, and the (usually invisible) implicit deny restricts all other traffic. In cases like this there are two solutions: either use an existing “allow” rule for transferring data, or switch to a different protocol which is allowed. ICMP is usually allowed because it was created mainly for network troubleshooting. Moreover, messages like ICMP timestamps are often blocked, but echo requests/responses are not. A network admin who denies ICMP traffic will have troubleshooting difficulties when problems arise. The idea is not new, and according to the Metasploit wish list we should expect to see ICMP/UDP file transfer add-ons/functionalities introduced soon.
April 24, 2015
Microsoft OneNote Image Caching Bug (Confidential Information Leakage)
Bug Summary: A security bug in Microsoft OneNote allows images placed in user-created, password-protected sections to be cached persistently in the user profile temporary directory: C:\Users\%username%\AppData\Local\Temp. Analysing the content of the temporary folder will reveal images that should be securely protected by OneNote. Bug Scope: This has only been tested with Microsoft OneNote 2013 with all known updates installed. Last tested on 01/03/2015.
March 1, 2015