About Juan Manuel Fernandez

So far Juan Manuel Fernandez has created 32 blog entries.

Analyzing an RFID scanner: bad habits never die

By |12 Jun. 2020|

More than a year ago, BlackArrow's Red Team conducted a security analysis of an RFID scanner used by one of its customers. These kinds of devices entail serious risks when integrated into the company's network. Their security is usually not a priority during their development and, as a result, easy-to-exploit critical vulnerabilities are often found in them. This article aims to share, in a short and simple way, some of the vulnerabilities found, as well as to discuss their viability as a starting point in a Red Team exercise.

RFID scanner

Reconnaissance

Externally, the device has a small screen and four buttons (Cancel / OK, and Up / Down) through which it can be physically interacted with. In ...


Backdoors in XAMP stack (part III): Apache Modules

By |22 May. 2019|

This third instalment of the series about backdoors for web servers based on the XAMP stack (Apache2, MySQL, PHP) focuses on the development of modules for Apache2 in the context of a Red Team operation. The use of modules and plugins for web servers as a method of persistence is an old and well-known tactic (example: Linux/Cdorked.A, 2013) that is still being used today. The OilRig group recently used a malicious IIS module as a backdoor in several web servers in the Middle East (RGDoor). That is why, depending on the maturity level of the client, it is a persistence method worth considering among the TTPs used during a Red Team operation. In this ...


Security in Sciter-based applications

By |4 Apr. 2019|

Sciter is an embeddable engine for user interfaces in multi-platform applications. With the Sciter engine, user interfaces are created using HTML, CSS and TIScript, the latter being a language similar to JavaScript and capable of handling files, connections, executing commands, etc. via some exposed APIs. This engine is used by projects such as anti-malware solutions (Symantec, ESET, Avast...) or video games (War Thunder). This article aims to analyze the attack surface of Sciter-based applications. The weaknesses or vulnerabilities shown in this post relate to insecure practices adopted in the development of a project; they do not mean that Sciter itself is vulnerable (just as PHP is not vulnerable for having a language construct like eval(): issues ...

Arecibo: an OOB exfiltration tool (DNS & HTTP)

By |9 Nov. 2018|

In the process of identifying and exploiting vulnerabilities, it is sometimes necessary to resort to Out of Band (OOB) techniques in order to exfiltrate information through DNS resolutions or HTTP requests. To address this kind of situation, the fastest and simplest solution can be the use of a Burp Collaborator instance or an online service like requestbin.net, but this has a big disadvantage: both are services hosted by a third party. Local instances of Burp Collaborator or requestbin can be deployed, but they are heavy and poorly customizable or adaptable. To meet this need during a Red Team operation, a tool (Arecibo) with a simple API was developed.

0x01 – Introduction

Arecibo is a small tool written in Python with ...


Vulnerabilities in OCS Inventory 2.4.1

By |10 Sep. 2018|

During a Red Team operation, multiple vulnerabilities were discovered in OCS Inventory (version 2.4.1). The following CVEs have been assigned to the vulnerabilities:

CVE-2018-12482 (Multiple SQL Injections in the search engine)
CVE-2018-12483 (Remote Command Execution)
CVE-2018-14473 (XXE)

Introduction

OCS Inventory is an inventory software widely used in corporations to monitor their computers via agents (for Linux and Windows) that are deployed on the machines. The agents collect information from the computers and send it to an HTTP endpoint located on a master server. In addition to monitoring, OCS Inventory allows the installation of software and the execution of OS commands from the master server on the computers where an agent is installed. Due to these capabilities, this product ...


Interactive Shell via Bluetooth

By |1 Jun. 2018|

Occasionally, Red Team exercises include one or several phases that require physical access to a machine. This requires rethinking how to approach these particular scenarios. This post explains the physical intrusion process followed on a Linux laptop without an Internet connection, although Wi-Fi and Bluetooth are available. The main aim of this post, which is addressed to a junior audience, is to document and explain the following points:

How to exchange information via RFCOMM between two devices with Bluetooth
How to obtain an interactive shell in order to run commands
How to abuse the sudo cache in order to raise privileges
How to run binaries in memory in order to reduce our trace

Let's analyze every ...


CVE-2017-11318: RCE in Cobian Backup 11

By |9 Aug. 2017|

During a Tarlogic Red Team operation, a serious vulnerability was discovered in the Cobian Backup software (CVE-2017-11318) whose exploitation enabled taking control over several machines in a corporate network.

Introduction to the Cobian vulnerability CVE-2017-11318

Cobian Backup is software for creating backups, with a great variety of options and utilities. In corporate networks it is deployed in a client architecture, with clients receiving backup tasks from a master server. A password must be set in order to connect a client to the server.

Client connected to master server

A brief analysis of the protocol and of the program logic revealed several deficiencies that can be abused by an attacker.

Client connection to the server

First of ...


Backdoors in XAMPP stack (part I): PHP extensions

By |20 Jun. 2017|

Web servers exposed to the Internet are a traditional entry point during penetration tests and Red Team exercises. Ensuring persistence on these perimeter assets is crucial for keeping a pivot from which to penetrate target networks. There are plenty of techniques aimed at achieving persistence; in fact, it is very common to combine them. On this occasion we start a series of posts explaining how to create backdoors (PHP extensions) in the XAMP stack (OS / Apache / MySQL / PHP) and how to use them in your own penetration tests. Let's start with backdoors in the form of PHP extensions.

Introduction to PHP extensions

PHP extensions are libraries (.so in the case of Linux and .dll in ...


How to make a keylogger in PowerShell?

By |16 May. 2017|

During a Tarlogic Red Team exercise it became necessary to create a keylogger in PowerShell. Given the specific conditions of the scenario, the best option turned out to be a small PowerShell script that saves keystrokes to a file and exfiltrates the data over the C2 channel. This post gives a detailed explanation of all the procedures explored while developing the keystroke-interception function of the keylogger, along with the advantages and disadvantages of each of them.

Introduction to keyloggers in PowerShell

The use of PowerShell scripts for pentesting tasks in Windows environments has spread in recent years. Frameworks such as Empire or Nishang provide the pentester ...


How to bypass disable_functions and open_basedir

By |15 May. 2017|

In the last edition of HackRon, in our talk "The Red Team always wins", we covered some techniques used during penetration tests, including how to bypass disable_functions and open_basedir, among others. A common situation during penetration tests is to find that certain hardening measures have been applied to web servers. This complicates privilege escalation, or even using the server to pivot towards other points of the corporate network.

Introduction

Among the traditional measures applied, the first to highlight is disabling the dangerous functions used to run operating system commands or start processes. Functions such as system() or shell_exec() are usually found disabled through the PHP directives defined in the configuration file php.ini. ...
