Posts

Showing posts from 2019

Process Injection - Part V

Image
Hello All, Wondering where is the part IV of the process injection blog post series ? The part IV of this series was written by Renos  on  Parent PID Spoofing  technique. Parent PID Spoofing technique is useful for evading detection. In this post I will cover about Asynchronous Procedure Calls (APC) Queue Process Injection technique. Parent PID Spoofing can also be used with APC Queue Process Injection. The tool can be found on my github repo . What is Asynchronous Procedure Calls (APC) ? This is best described by Microsoft in their documentation . Below is the short brief about APC from the Microsoft Docs. An asynchronous procedure call (APC) is a function that executes asynchronously in the context of a particular thread. When an APC is queued to a thread, the system issues a software interrupt. The next time the thread is scheduled, it will run the APC function. An APC generated by the system is called a kernel-mode APC. An APC generated by an application i...

Shell is just a beginning

Image
Hi Guys, It been long time since my last post. Recently I came across and amazing blog  post which made me forced to replicate the scenario in my lab. But I made additional changes in the lab where we can learn few more cool things. So let create a fictional story which will make us feel more excited. So lets assume we have got an assignment where we are suppose to perform an external Red Team assessment and our goal is to gain access on the domain controller. As this is a lab environment for demonstration, let's consider this 10.0.2.6 IP as an external IP system/address Step 1: Let scan the IP address on port 8080 for Apache tomcat Step 2: As we see we need an login credentials to access the tomcat manager. So lets try to brute force using Metasploit auxiliary module. Hurrah we got the credential for the tomcat manager tomcat:tomcat Step 3: Lets create a normal webshell and generate the war file for uploading it on tomcat. You can read this...

Managed DLL Exports and run via rundll32

Hello All, Security landscape is changing very quickly wherein security researchers have to be more dynamic and innovative to improve the security posture of the organizations. In this post I will cover the concept on how we can develop a DLL with exported function in C#. Note:- I am not the first person to develop this tool or technique. Thanks to Nikhil Mittal for giving me the idea and encouraging me to develop and play with Exported DLL functions in C#. Also thanks to Adam Chester for writing an amazing blog post on this technique. What is DLL ? Dynamic Link Library (DLL) is a file which contains the code and is been loaded by the program to perform one or more actions during run time. Introduction DLL files are very commonly used during red teaming exercise or while simulating attacks / threat actors. There are multiple ways by which we can execute the arbitrary DLL's. LOLBAS project has documented most of those techniques which can also be used for bypassin...

Process Injection - Part III

Image
Hello All, Finally I have got one contributor ( Renos ) who has added process hollowing technique to the Process Injection tool which I wrote for learning about various Process Injection techniques and to enhance my knowledge about C# and Windows API. In this post I will cover about the Process Hollowing technique. The tool can be found on my github repo . What is Process Hollowing ? Process hollowing occurs when a process is created in a suspended state and the executable section of the legitimate process in the memory is unmapped and replaced with malicious executable (Shellcode in our case). This technique allows an attacker to disguise his malware as a legitimate process and execute malicious code. As a result, attacker may evade defenses and endpoint detection. In this Process Hollowing technique 10 Windows API are used. ZwCreateSection - The ZwCreateSection function creates a section object that represents a section of memory that can be shared. A process c...

Security Testing for Android Cross Platform Application ( Xamarin & Cordova ) - Part 2

Image
Hello All, This is the continuation of my previous post where we tried to bypass SSL Pinning by modifying the  JS File in Cordova framework . Now in this post we will focused on Xamarin based application and how to get C# code which is used for building of Android App using  Xamarin framework. What is Xamarin? According to Microsoft Docs Xamarin allows you write code in C#, with a class library and runtime that works across all many platforms, including iOS, Android, and Windows, while still compiling native (non-interpreted) applications. Let's Begin: How to Identify Xamarin Based application? The way I used to identify was by converting the apk file to jar using  dex2jar  to get source code for the application and jd-gui  for viewing the source code. Command:- d2j-dex2jar.bat yourapp.apk Now open the .jar file with jd-gui and you can notice keyword "xamarin" in below screen. So while going through the source code of application i...

Security Testing for Android Cross Platform Application ( Xamarin & Cordova) - Part 1

Image
Hello All, Hope you all are doing great. So this would be an interesting topic which need more research from the community. I have not explore much but let me share what I have found. If I have missed  few aspect or made any mistake kindly comments below and I will update the post. Let's begin: Bypassing SSL Pinning or Connection not secure Error of Cordova based Application  What is Cordova? Apache Cordova enables software programmers to build applications for mobile devices using CSS3, HTML5, and JavaScript instead of relying on platform-specific APIs like those in Android, iOS, or Windows Phone. It enables wrapping up of CSS, HTML, and JavaScript code depending upon the platform of the device. It extends the features of HTML and JavaScript to work with the device. The resulting applications are hybrid, meaning that they are neither truly native mobile application So Recently I was given an android application to assess which was build using Cordova framework. ...