Part 2: Using security risks from the Modern Open Web Application Security Project to help hack hardware

This blog serves as a guide to help demystify some of the bugs and issues discovered during hardware assessments. I’ve shared some of the lessons learned from years of applying logic and reason to find problems that do not exist. This blog loosely maps some OWASP web application risks to hardware vulnerabilities, from a red team perspective.

Some may find the guide below more useful for IoT-based controls than for generalized hardware assessments.

I cover some other general ways to assess IoT devices in my previous article:


A list for all things wireless that you may find useful while assessing a real-world Wi-Fi Enterprise network. How-to: Evil Twin, KARMA, MANA, EAP-GTC downgrade, passively perform wireless recon, capture WPA2 handshakes (WPA2 full, half, PMKID), and test guest networks for known misconfigurations.

Overview

I’ve tried to consolidate information from a variety of sources to assist penetration testing during a wireless assessment. This list includes plausible tactics, techniques, and procedures (TTPs). I’ve decided to publish these in an easy-to-read and hopefully digestible blog format. Some of the items below will be updated occasionally with new attack vectors.

  1. Find…


This blog is to help consolidate the existing information about which USB devices are compatible with the latest Kali Linux release. This is not meant to be an exhaustive post, but to provide well-tested and easily obtainable hardware to perform a wireless penetration assessment.

Devices have been tested on both bare-metal and virtual machine configurations. Some results may/will need updating, and the current list can be found at the gist address below.

For 5 GHz-specific cards you can reference my blog post below:

Cheat Sheet

Troubleshooting Monitor Mode

# rfkill unblock all
# airmon-ng check kill

Injection…


In this new wireless attack, I’ll walk you through the process of creating a Hot Spot 2.0 Evil Twin. This is potentially another attack vector, usable with or without social engineering, that a penetration tester or nefarious actor can use when performing a wireless pen test or trying to social engineer a user.

Abusing Hot Spot 2.0 can help get a user to trust a certificate. Hot Spot 2.0 misuse can fool a user into thinking a network is more secure when it is in fact a rogue access point. …


When looking at different routing and networking technology, it’s easy to be overwhelmed by how to assess an embedded device. I, like many other penetration testers and red teamers, did not feel I was capable of finding any 0-days or bugs in such fortified devices. Well, just because a device is made by a cyber security company doesn’t by any means guarantee it’s secure.

OSINT: read about the device. Find the https://fccid.io information and try to understand the device’s basic makeup. Look at the device’s model and its software. Study the latest publicly disclosed vulnerabilities from that vendor…


Be very careful when playing with any cellular bands. Denial of service attacks can have devastating and sometimes jail worthy consequences. All testing was done within a Faraday Cage.

The cellular world is cryptic and confusing. Although we’re constantly engrossed in our phones, or tied to some device talking to some “eNodeB” — the back-end cellular infrastructure is different, a relic of the telecom industry’s golden age. When I tried to research LTE, I would often fall into a Google search abyss loop, only to realize that this information needed to be curated. …


In this article we’ll discuss how to get clear-text credentials from Outlook 2016 using Responder on Mac OS High Sierra. From password spraying SSO endpoints to abusing Azure programs and Office applications — Office 365 and Microsoft communication products are often the target of credential theft.

As shown below by @_dirk-jan, there are new attack vectors that can leverage both old and new insecurities within the Microsoft, Azure and Office 365 environments and products.

As Mac OS, iOS and Microsoft platforms collide in the cloud space, I think we’ll see more cross-platform abuse and sophisticated exploits that…


When password spraying attacks are executed, coordinated and scoped properly during an authorized engagement, they can identify and illustrate the dangers of weak passwords and how dangerous even one legacy Internet-facing endpoint can be.

Password spraying can lead to domain administrator before lunch. Remember, you can password spray Windows hosts and domain controllers internally too!

The SprayingToolkit is extremely powerful when targeting Microsoft services.


We tailgate, skim and clone. We social engineer and deceive employee and CISO alike to get onsite and hit our “Breach”, Physical, or “Red Team” goal. In my years performing physical security assessments, these are some of the techniques my peers and I found successful.

Some say that as the perimeter and external environments are becoming harder to breach and penetrate, and as Windows domains and personal computers become less common and networks change, computing, like everything else, evolves.

One must ask the question: is it only a matter of time before adversaries go the physical route? The benefits of a…


New attack on WPA/WPA2 using PMKID

In this short blog, I will walk you through the process of obtaining a valid PMKID packet and converting those frames of data to hashcat format for cracking. This is a new way to recover WPA2-PSK passphrases from vulnerable devices that doesn’t require station <-> client interaction or a 4-way handshake.

Linux — Debian

# uname -ar
Linux ubuntu 4.13.0-46-generic #51-Ubuntu SMP Tue Jun 12 12:36:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
USB…

Adam Toscher

Adam is an offensive security engineer and red team operator with over 20 years of experience in IT.
