Grey bar Blue bar
Share this:

Mon, 7 Apr 2014

SenseCon 2014

L1000617
What originally started as one of those "hey, wouldn't this be cool?" ideas, has blossomed into a yearly event for us at SensePost. SenseCon is a time for all of us to descend on South Africa and spend a week, learning/hacking/tinkering/breaking/building, together and in person.


A few years ago we made the difficult, and sometimes painful, shift to enable remote working in preparation for the opening of our UK and Cape Town offices. Some of you probably think this is a no-brainer, but the benefit of being in the same room as your fellow hackers can't be overlooked. Being able to call everyone over to view an epic hack, or to ask for a hand when stuck is something tools like Skype fail to provide. We've put a lot of time into getting the tech and processes in place to give us the "hackers in the same room" feel, but this needs to be backed with some IRL interaction too.


People outside of our industry seem to think of "technical" people as the opposite of "creative" people. However, anyone who's slung even a small amount of code, or even dabbled in hacking will know this isn't true. We give our analysts "20% time" each month to give that creativity an outlet (or to let on-project creativity get developed further). This is part of the intention of SenseCon: a week of space and time for intense learning, building, and just plain tinkering without the stresses of report deadlines or anything else.


But, ideas need input, so we try to organise someone to teach us new tricks. This year that was done by Schalk from House 4 Hack (these guys rocks) who gave us some electronic and Arduino skills and some other internal trainings. Also, there's something about an all-nighter that drives creativity, so much so that some Plakkers used to make sure they did one at least once a month. We use our hackathon for that.


Our hackathon's setup is similar to others - you get to pitch an idea, see if you can get two other team mates on board, and have 24 hours to complete it. We had some coolness come out of this last year and I was looking forward to seeing what everyone would come up with this time round.


L1000662


Copious amounts of energy drinks, snacks, biltong and chocolates were on supply and it started after dinner together. The agreed projects were are listed below, with some vagueness, since this was internal after all :)


  • pORTAL anonymous comms device - Sam & Dr Frans


Getting a modified version of Grug's pORTAL device working on a Beagle Bone and Rasperry Pi for us to use while traveling.

  • Video Conferencing - Craig and Marc


For video conferencing we normally use a combination of Skype, Go-To-Meeting, Google hangouts, or a page long gstreamer command piped over a netcat tunnel (I'm not kidding). Craig and Marc built an internal video conferencing solution with some other internal comms tools on the side.

  • SensePost Radar - Keiran and Dane


SensePost Radar
SensePost Radar


Keiran and Dane put our office discone antenna to good use and implemented some SDR-fu to pick up aeroplane transponder signals and decode them. They didn't find MH370, but we now have a cool plane tracker for SP.


  • WiFi Death Flag - Charl


Charl, so incredibly happy!!
Charl, so incredibly happy!!


Using wifi-deauth packets can be useful if you want to knock a station (or several) off a wifi network. Say you wanted to prevent some cheap wifi cams from picking you up ... Doing this right can get complicated when you're sitting a few km's away with a yagi and some binoculars. Charl got an arduino to raise a flag when it was successfully deauthed, and lower it when connectivity is restored for use in a wifi-shootout game.


  • Burp Collaboration tool - Jurgens, Johan & Willem


Inspired by Maltego Teeth, Jurgens set about building a way to have multiple analysts collaborate on one Burp session using a secure Jabber transport. He and Johan got this working well, and we will be releasing it and several other Burp apps during the ITWeb Security Summit in Johannesburg in May.

  • How to Pwn a Country - Panda and Sara


YMCA pwnage
YMCA pwnage


Panda (Jeremy) and Sara ended up building local Maltego transforms that would allow mass/rapid scanning of large netblocks so you can quickly zoom in on the most vulnerable boxes. No countries were harmed in the making of this.


  • Bender - Vladislav


While doing client-side engagements, we realised we needed our own payload to help us to better move from spear-phish to persistent internal network access. Earlier in the year, Vlad put our hacks into a professional SensePost beaconing payload he called Bender. During the hackathon he extended its capability in some key areas.

  • Oh-day stuffs - Georg and Etienne


He likes his ice-cream
He likes his ice-cream


gcp and et decided on some good ol'fashioned fuzz-n-find bug hunting on a commercial mail platform, and websense. Along the way they learned some interesting lessons in how not to fuzz, but in the end found some coolness.


  • 3d Printer - Rogan


Rogan finally got around to putting his 3D printer together! He hasn't printed an SP logo yet, but we're assuming this is the most logical first print.

  • Rogue AP - Dominic & Ian


In preparation for our BlackHat submission, singe and ian spent some time researching our new wifi attacks. This resulted in a key new finding and implementation of their new KARMA rogue-ap attack.

  • The challenge - Daniel


I too had to show that I still had tech skills (not all spreadsheeting you know) and created a challenge to send our peeps down the rabbit hole while pushing their skills but also awaken some old school hacking approaches.


L1000686


The hackathon went gangbusters; most of the team went through the night and into the morning (I didn't, getting old and crashed at 2am). Returning that morning to see everyone still hacking away on their projects (and a few hacking away on their snoring) was amazing.


Once the 24-hours was up, many left the office to grab a shower and refresh before having to present to the entire company later on that afternoon.


Overall this years SenseCon was a great success. Some cool projects/ideas were born, a good time was had AND we even made Charl feel young again. As the kids would say, #winning


 


 


 


 

Wed, 2 Apr 2014

Combat Reloaded

The British Special Air Service (SAS) have a motto that's rather fitting for their line of work - Who Dares Wins


To a degree, the same could be said for our newly updated Hacking by Numbers course, Combat. Penetration testing is sometimes more than following a checklist or going for the easy kill. A good penetration tester knows how to handle all thrown at them, be it a Joomla implementation, or *shudder* an OpenBSD box.



What does prevail in these situations is very much a 'Who Dares Wins' attitude. Sure, you could just give up, report that the box is vulnerable to predictable TCP sequence numbers, issue the PDF and move on, right?


Thought not.


If you are like us, the above situation would drive you potty and you'd end up looking for other ways to obtain maximum pwnage. Thankfully help is at hand. Our newly updated Combat course aims to help you, the penetration tester, learn how to tackle these obstacles.


Using an approach similar to capturing the flag, we take you through a whole host of obstacles that you might find during a career in pwnage. This isn't a simple SQLi in a login form, or a basic file upload vuln exploitation class, but one that gets the creative juices flowing. From chaining low/medium vulnerabilities, to exploiting logic flaws, over the two days, you will be pushed on all seven layers.


The solutions lie much more in technique and an out-of-box thought process than in the use of scripts or tools. Each exercise is designed to teach a specific lesson and is discussed in detail upon completion with the group.


If you are looking at polishing up your pwnage skills, learning how to tackle CTF competitions like the infamous Defcon one, then this is for you.


We don't offer this course frequently, but this year we will be offering it at the amazing Hack In The Box in Amsterdam on the 27th May AND at Blackhat USA's new home at Mandalay Bay in Las Vegas on the 4th August

Mon, 20 Jan 2014

January Get Fit Reversing Challenge

Aah, January, a month where resolutions usually flare out spectacularly before we get back to the couch in February. We'd like to help you along your way with a reverse engineering challenge put together by Siavosh as an introduction to reversing, and a bit of fun.

The Setup


This simple reversing challenge should take 4-10+ hours to complete, depending on your previous experience. The goal was to create an interactive challenge that takes you through different areas of the reverse engineering process, such as file format reverse engineering, behavioural and disassembly analysis.


Once you reached the final levels, you might need to spend some time understanding x86 assembly or spend some time refreshing it depending on your level. To help out, Siavosh created a crash course tutorial in x86 assembly for our malware workshop at 44con last year, and you can download that over here.


The zip file containing the reversing challenge and additional bytecode binaries could be found here.


Send your solution(s) to challenge at sensepost.com

The Scenario


You've been called into ACME Banks global headquarters to investigate a breach. It appears Evilgroup has managed to breach a server and deploy their own executable on it (EvilGroupVM.exe). The executable is software that accepts bytecode files and executes them, similar to how the Java Virtual Machine functions. Using this technique, Evilgroup hopes they can evade detection by antivirus software. Their OPSEC failure meant that both the virtual machine executable and several bytecode files were left behind after the cleanup script ran and it's your job to work out the instruction set of EvilGroupVM.exe.


Disclaimer: When using the term "virtual machine" we mean something like the Java Virtual Machine. A software based architecture that you can write programs for. This particular architecture, EvilGroupVM.exe, has nine instructions whose operation code (opcode) you need to find through binary reverse engineering.


The tools you will require are:


  • A hex editor (any will do)

  • A disassembler like IDA (the free version for Windows will work if you don't have a registered copy)

  • A debugger, Olly or WinDBG on Windows, Gnu GDB or EDB on Linux https://www.gnu.org/software/gdb/


Basic Usage: Unzip the reverseme folder, open a command line and cd to it. Depending on operating system, type
Windows: EvilGroupVM.exe <BytecodeFile>
Ubuntu Linux: ./EvilGroupVM <BytecodeFile>

For example, to run the helloworld bytecode file on Windows, you would type:
EvilGroupVM.exe helloworld

IMPORTANT: Note that the EvilGroupVM.exe architecture has debugging capabilities enabled. This means, it has one instruction that shows you the thread context of a binary when it is hit. Once you start developing your own bytecode binaries, it is possible to debug them (but you need to find the debug instruction/opcode first).


The outcome of this exercise should include the following key structures in your report:


  1. A description of the binary file format. For example:

    • What does the bytecode file header look like?

    • What determines where execution will start once the bytecode is loaded in the VM?

    • Does the architecture contain other parts of memory (like a stack) where it can store data and operate on them?


  2. The instruction set including their impact on the runtime memory. You should:


    • Find all instructions that the EvilGroupVM.exe accepts

    • Analyse each of them and understand how they make changes to the runtime memory of the bytecodes thread


  3. Write a proof of concept self modifying bytecode file that prints your name to the screen. The binary must be self modifying, that is, you may not use the "print_char" instruction directly, rather, the binary must modify itself if it wants to make use of "print_char".

  4. For the advanced challenge, if you have the ability and time, send us back a C file that, when compiled, will give an almost exact match compared to EvilGroupVM (Ubuntu Linux) or EvilGroupVM.exe (Windows). Focus on getting pointer arithmetic and data structures correct.


In case you missed it earlier, the zip file containing the reversing challenge and additional bytecode binaries could be found here.


Send your solution(s) to challenge at sensepost.com


Good luck!

Fri, 22 Nov 2013

Hacking by Numbers - The mobile edition

West Coast in the house, well actually more like an African visiting Seattle for Blackhat's West Coast Trainings.


We've had a great year delivering the latest course in our amazing Hacking by Numbers training series: Mobile. What's cool about this course, is like the others, we teach a hacking methodology rather than punting a tool or a magic, do it all solutions.


Mobile was created to match the continuous growth in mobile phone usage, with a specific focus on showing you how you would go about testing the mobile platforms and installed applications, to ensure they have been developed in a secure manner. HBN Mobile provides a complete and practical window into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms. This course is structured to cater to penetration testers who are new to the mobile area and who need to understand how to analyze and audit applications on various mobile platforms using a variety of tools.


Some of the material covered in the course includes:


  • Android, iOS, RIM and Windows 8 Platform security

  • Communication protocols

  • Programming languages for mobile development

  • Building your own mobile penetration testing lab

  • Mobile application analysis

  • Static Analysis

  • Authentication and authorization

  • Data validation

  • Session management

  • Transport layer security and information disclosure


The methodology presented is structured to allow testing to be performed on different mobile platforms and is demonstrated using both the Android and iOS platforms. Like all the HBN courses, the mobile edition focuses heavily on demonstration and hands-on practicals.



Blackhat Las Vegas 2013 saw the introduction HBN Mobile with two training sessions being presented. The course was well attended and consisted of students with varying degrees of mobile experience, however, the vast majority were new to Mobile application security and HBN Mobile provided the ideal launch pad for them. The great thing about the HBN series is that it accommodates people from all technical and security backgrounds. This held true with the Mobile edition, where we had reverse engineers, penetration testers, development managers, aerospace engineers and developers just to name a few. The feedback from the course was extremely positive and has been fed back into the course and used to improve it even further. Then we had the chance to give it to students over at 44Con in London and this again gave us a chance to take your feedback and make the course even better.


What's slightly different about this course is that you get to find flaws in common mobile applications available both in the Google Play and Apple App store. In addition, we have devices for you to use, so not everything is done in an emulator. As a result, students on the last course found common security vulnerabilities in numerous well known and popular applications.


On the 11th December in Seattle, I'll be delivering Hacking by Numbers: Mobile edition at Blackhat and I cannot wait to get on that plane. If you want to learn more about how to tear apart mobile apps, this is definitely for you. The regular price goes up on the 5th of December, so take advantage of this now and book your place.



Look forward to seeing you there.

Fri, 7 Jun 2013

Technical Project Manager Role

As SensePost grows, so does our desire to ensure a healthy balance between technical savvy and organisational skills. As a result, we are on the lookout for a Technical Project Manager based in our Pretoria office in South Africa.


Job Title: Technical Project Manager
Salary Range: Industry standard, commensurate with experience
Location: Pretoria, South Africa


About the role


  • Define and implement Project workflows for various service lines.

  • Architect , source and implement a project management system that includes real-time, accessible scheduling system.

  • Technical project scoping. (can grow into this responsibility over time)

  • Lead the planning and implementation of project

  • Facilitate the definition of project scope, goals and deliverables

  • Define project tasks and resource requirements

  • Develop fullscale project plans

  • Assemble and coordinate project staff

  • Manage project budget

  • Manage project resource allocation

  • Plan and schedule project timelines

  • Track project deliverables using appropriate tools

  • Provide direction and support to project team

  • Drive quality assurance process

  • Constantly monitor and report on progress of the project to all stakeholders

  • Present reports defining project progress, problems and solutions

  • Implement and manage project changes and interventions to achieve project outputs

  • Project evaluations and assessment of results


Education and Experience

  • Qualification in project management or equivalent

  • Knowledge of both theoretical and practical aspects of project management

  • Knowledge of project management techniques and tools

  • Direct work experience in project management capacity

  • Proven experience in people management

  • Proven experience in strategic planning

  • Proven experience in IT, with security being an advantage

  • Proven experience in change management

  • Proficient in project management software


Key competencies

  • Critical thinking and problem solving skills

  • Planning and organizing

  • Decision-making

  • Communication skills

  • Influencing and leading

  • Delegation

  • Team work

  • Negotiation

  • Conflict management

  • Adaptability

  • Stress tolerance


This role is open to South African citizens only, or those in possession of a valid South African work visa only. Please send your CV to jobs@sensepost.com