qsslcaudit release v0.4.0

Our tool for assessing the security of TLS clients (certificate validation, protocol and cipher support) has received several updates and reached version v0.4.0.

TLS clients are now analyzed more precisely, the summary table is now colored, and a few bugs were fixed.

Give it a try. Github's issue tracker is at your service.

qsslcaudit repository

Man-in-the-Conference-Room - Part II (Hardware Hacking)

In this post I'll describe how I used hardware hacking techniques to get more information about the device and dump its internal storage. If you missed the introductory post, you can find it here: Man-in-the-conference room - Part I (Introduction). Let's start right away!

If we remove the two enclosure screws and open it up, we immediately identify two pinout slots:


Back in 2017 a small device appeared on my desk. A wireless presentation device that one of our customers wanted to deploy on its premises, but not before we had audited it first.

The idea behind these devices is pretty simple: instead of running from meeting to meeting with HDMI and VGA cables in your pockets, just leave a device connected to a presentation screen at all times and let presenters connect to it using a client application on their laptop or smartphone. These presentation devices are usually deployed in large companies or universities and cost between $800 and around $1800 depending on their features.

The device in question was an Airmedia AM-101, and in this blog series I'll describe my complete process for testing it. Hopefully this can serve as some kind of cheat sheet for folks starting in the field.

JTAG Enumeration Tool

JTAG enumeration rig
Pavel has released go-jtagenum. This project is a port of JTAGenum and JTAGulator to Go. It is meant to be used under Linux (or any OS that Go supports) on a device with GPIO lines exported to userspace; the Raspberry Pi 1, 2 and 3 are the most well-known examples.

TCP to WebSockets proxy in python

There seem to be a few proxies that can convert a WebSockets connection to TCP; however, I couldn't find anything that goes the other way around. Having the task of sending crafted messages to a WebSockets connection made me write one. Having a TCP to WebSockets proxy allows me to use netcat as a WebSockets client.

I have used the code developed by our Quentin and added features such as proper command-line options, upstream proxy support (to tunnel it through Burp), and multithreading.

The tool is written in Python and uses the websocket library.

Secure file upload in PHP web applications

This is an old paper I wrote about vulnerabilities in file upload implementations in PHP web applications. The web site it used to live on no longer exists, so I thought I'd repost it here to have it close at hand. It is relevant to other web application technologies (Java, .NET, etc.), but all the examples are for PHP.


Burp is Going to Support PKCS#11

Great news - PortSwigger is working on PKCS#11 support (SSL client certificates stored on hardware tokens, such as smart cards) for Burp. I got to try the test build - it works perfectly with Belgian eID on Linux.

I am really happy about it - no more awkward chaining of proxies and SSL tunnels to get the job done.


MagicTree 1.3 - important bug fixes and support for IBM Rational AppScan

We have released MagicTree 1.3. It fixes several nasty bugs that may lead to data corruption. We recommend that everybody who uses MagicTree upgrade. New features include support for AppScan XML and better handling of Imperva Scuba XML.

Here is the full change log:

We are hiring again!

Once again, we are looking for a penetration tester. See this post for a description of the skills we are interested in. Prior penetration testing experience is a plus, but not a must, provided that you have the necessary knowledge, both practical and theoretical. The job is in Brussels, Belgium. Working remotely may be possible for some projects, but most of the time you'll have to be on site.

Contact us at if you are interested.
