Showing posts with label Penetration Testing. Show all posts
Showing posts with label Penetration Testing. Show all posts

Friday, 1 May 2020

Re-encode screen recordings to work in iMovie

There was a case where I did some screen recordings but iMovie refused to see the video files .mp4 format. Video captures can be very useful as proof-of-concept and/or evidence of actions performed, for example during a security assessment, such as penetration testing sessions. 

In my case, it was showing only a "green screen" instead of what it was actually captured during the screen recording. Bear in mind that VLC could play the video file without any issues, but when loaded in iMovie, the same video file was failing to show properly.

If you have ffmpeg installed on your MacOS, you can very easily fix this problem, by re-encoding e.g. from an .mp4 file to a .mov file. 

Keep in mind, simply changing the "container" from an .mp4 video to .avi/.mov in most cases won't fix your problem. Hence, doing something like the following, as many others advice online, it will simply not work for you:
- ffmpeg -i Video.mp4 -c copy Video.mp4
- ffmpeg -i Video.mp4 -acodec copy -vcodec copy -f mov Video.mov


Re-encoding however, will fix your problem and ensure that iMovie can see the video as they were captured:

ffmpeg -i ScreenRec.mp4 -c:v libx264 -preset fast -profile:v baseline outRec.mov 

Of course, if you want to keep the same format, you can do:

ffmpeg -i ScreenRec.mp4 -c:v libx264 -preset fast -profile:v baseline outRec.mp4


Sunday, 5 April 2020

Ping an IP range from the command line interface (CLI)

If you ever wanted to do host discovery while no specific network scanning tools were available (e.g. nmap), or you wanted to avoid creating a script file (e.g. due to having no write permissions)? Here are a couple of useful commands depending on the OS of your choice:

Windows OS:
for /L %i IN (1,1,254) DO ping -n 1 -w 1 192.168.1.%i| FIND /i "Reply" >> IPs.txt

Note: command prompt has a limitation when asked to return the exact string using regex and returns the whole line. Here is an example of replacing find with findstr in order to use a regular expression (regex). 
findstr /r "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*"

The regular expression can still be useful in cases such as:
ipconfig | findstr /r "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*"


Linux OS:
for i in {1..254}; do (ping -c 1 -i 1 192.168.1.$i >/dev/null && echo "192.168.1.$i" &); done

Note: The above command will only list the discovered IP address, without any additional text.

Tip/Trick: Did you know you can use apr to achieve the same results but much faster. This seems to be reliable under Linux. The following command will list the discovered host on your network, including any additional information per IP (including the IPv6 address).
for ip in $(seq 1 254); do arp -n 192.168.1.$ip | grep on; done

The following command however, will list only the IP addresses without any additional text (also avoiding to specify the IP range twice)
for ip in $(seq 1 254); do arp -n 192.168.1.$ip | grep on | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ; done

Saturday, 22 June 2019

Security BSides Athens 2019

Security BSides Athens 2019 was the 4th Ethical Hacking / Information Security / Cybersecurity conference that took place in Athens, Greece. Once again we created a conference for the information security community, by the information security community, with a special thanks to all our volunteers. 

Due to the feedback we received we kept the same location again this year allowing more people to explore Athens Impact Hub. We try our best to make the event a unique experience each year and a day to look forward to. We have dedicated ourselves in having more quality in the event, rather that focus on quantity. 


Security BSides Athens 2019 (www.bsidesath.gr) took place at Impact Hub Athens (link). (All the information for our previous events is archived and can be found here: https://www.bsidesath.gr/index.php#Pevents)
This year we managed to reach 230 attendees throughout the day exceeding our expectation. 

We are the conference that introduced the "gamification" of the CTF, and we are very proud that we did that again this year! We tried to have a realistic CTF scenario with the help of our CTF partner Hack The Box, while demonstrating the ethical side of hacking. 

We look forward to seeing you at
Security BSides Athens 2020! 

Wednesday, 19 April 2017

OWASP Top 10 (2017 Release Candidate) - Thoughts


I understand the importance of highlighting the Underprotected APIs (A10), and I do agree with the importance of it. However, to my eyes this is another stage during a security assessment, while the penetration tester is engaging into testing for different types of Injections (A1)
I believe Injections (A1) should include the Underprotected APIs.
(especially based on the example attack scenarios given in the PDF page 17 for the Top 10 RC)


From what I have seen on several real-world projects, Unvalidated Redirects and Forwards, is a very common security issue (when you manage to identify where it is hiding) but it is not highlighted in security reports (and penetration testing reports) that often. Thus, it seems and fills like, it is not that popular as a finding. 

One of the main reasons this particular security issue is not mentioned that often, is because businesses (the business perspective) see this highlighted risk as a "two-step attack", so, instead of addressing it, they simply "accept the risk".

From what I have seen in different real-life projects, dropping "A10 – Unvalidated Redirects and Forwards" will be mistakenly perceived (misunderstood) as an "insignificant" security issue, while, it can be used to spawn a number of attacks. 

If an attacker manages to redirect/forward a user to a fraudulent website (that looks exactly like the legitimate one), then it is game-over for that user. How many of you remember the issues with the Unicode URLs back in the day? In one case, two companies lost a significant amount of money because of a fraudster, due to this "insignificant" issue.

Just to mention a couple very recent examples: 
punicode https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
or the unvalidated redirect on linkedin, which allowed to download malware from linkedin redirects (even though they were hashing the urls).
https://gfragkos.blogspot.co.uk/2015/06/linkedin-security-issue-unvalidated.html


So, in my humble opinion, A1 should be Injections that include calls to Underprotected APIs: 
A1 - Injections, including Underprotected APIs

and keep:
A10 - Unvalidated Redirects and Forwards. 

This blog post is intended to be perceived as food-for-thought.

Monday, 6 February 2017

Guest Speaker for University of South Wales (Information Security Research Group) - InfoSec Community; Stepping into the security industry

I had the pleasure to be invited as a guest speaker to the University of South Wales by the Information Security Research Group (ISRG). The talk was about the Information Security community and more specifically how young professionals can step into the security industry.
During this talk, the students (graduates & postgraduates) had the opportunity to understand and discuss what they can do today in order to ensure they are well prepared when it comes to stepping into the security industry.

The talk included an introduction to what is considered to be a security oriented mindset, provided a number of quick tips, mentioned several online resources, and last but not least how to prepare for an interview. The students among a number of subjects that were raised during the talk, were also introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and a brief comparison between Vulnerability Assessments and Penetration Testing was given.


Friday, 23 December 2016

in-flight entertainment vs avionics

For those of you who have had the opportunity to see one of my presentations "Can you really hack an airplane: Myths & Truths", you are already familiar with what is really happening and the confusion between in-flight entertainment systems and avionics (https://en.wikipedia.org/wiki/Avionics). I was asked to put this article up by a number of friends in the security industry to highlight a few very important points. The purpose of this article is to provide food for thought. Especially, when you hear someone saying that "hacked" an airplane, or made it fly "sideways" by tampering with its systems through the in-flight entertainment system. Consider the following points and come to your own conclusions. 

Anyone who is trying to "generalise" and claim that during an actual flight, for example through the in-flight entertainment system, managed to take control of the plane and/or that it is possible to actually fly an aircraft like this, should first read what the law has to say about this. (Tokyo Convention 1963). 
Do you really want someone with the excuse of being a "security researcher" tampering with the airplane's systems while you are on an actual flight, because he/she decided that has nothing better to do? I am sorry, but from where I stand, we (security researchers) respect the law, and make sure we have permission to conduct any security assessments & penetration testing, in a safe and approved environment. 

Wednesday, 29 June 2016

SnoopCon 2016

I had the honour to be invited again this year by the Cyber Security Testing and Validation Team at British Telecoms (BT) in order to attend their annual internal conference, as a guest speaker. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days.

The event is held behind closed doors, however it is customary that on the third day they invite people from the industry, recognising that their work would be an invaluable input if presented at their internal conference.

It was a great opportunity for me to catch-up with so many friends at SnoopCon. I also find out that Anoop Sethi has decided to retire after approximately 12302 days uptime (33 years) for BT. 

It is a great honour to have known Anoop, the man who fundamentally changed the way Security and Penetration Testing is viewed in BT. Given the opportunity, I would like to personally wish Anoop all the best with anything he decides to do and I would like to thank him for being such an amazing individual.

I had a fantastic day at BT and the quality of the guest talks was over the roof. I am going to outline here briefly the content of the talks in the order they were presented. 



Tuesday, 28 June 2016

Security BSides Athens 2016



It has been a while since my last blog-post and the main reason for that, was the numerous things I had to keep track for organising:

Security BSides Athens 2016 (www.bsidesath.gr) 


It has been a very busy year trying to organise this Security BSides event for the first time in Athens, Greece, with plenty of “hiccups” to overcome in the meantime. 


Once we had a team of people who were equally excited and passionate about this, we started working towards the event details.  


Given the opportunity, I would like to personally thank the team once again, all the volunteers who helped out on the day, the review committee who provided constructive feedback to all submissions, the speakers who travelled from all over the world to be there and present, and last but not least, all of YOU who attended the event. 

Special thanks goes to our sponsors, who trusted us on our promise to deliver this information security community based conference. We couldn't be able to bring this event to Athens, especially for the first time if it wasn’t for them, and for that we really appreciate their contribution and support.

Of course, such an event would not be able to exist without the community support we had from fellow conferences all over Europe, the Universities that promoted the conference, the Hellenic Army General Staff, and all the people how were involved and made this event a success story. 

We had some great feedback already and we are committed to tweak things according to the recommendations and suggestions we received in order to make the event next year even better. There is always room for improvement and for more people to get involved. 

Tuesday, 12 January 2016

SSH vulnerability in Fortinet Fortigate products

It was stated that an SSH "backdoor" was identified in Fortinet Fortigate products and the proof-of-concept source code was posted on the Full Disclosure mailing list. 



Fortinet released a brief statement regarding the issues found with FortiOS on January 12, 2016. The brief statement says that the issue that was recently disclosed publicly was resolved and a patch was made available in July 2014. 

Fortinet stated that: "This was not a “backdoor” vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external."

Wednesday, 6 January 2016

Quickly detect CMS & other technologies being used on a website

Ever wanted to uncover quickly the Content Management System (CMS) being used on a particular website? Well, if you are a developer or responsible for assessing the security of Web Applications, this might be a good tip on how to do this quickly and effectively. 

First of all, let me point out that there are several websites online that offer to analyse a given URL and then return results not only about the particular CMS being used, but on other technologies utilised in each case as well. These technologies may be the use of Apache, the presence of Google Analytics, other technologies such as jQuery, reCaptcha, etc. 

The problem with all these online services however is privacy. When checking a particular website, especially if you have been contracted to assess the security of the web application in place, you do not want this information to be shared with a third party or to be included in a publicly available "recently checked" list. 

I actually spent some time trying to locate a button or a check box on these website that would allow me to opt-out from allowing them to cache or display the information, but I couldn't. Thus, I had to find a different way that would respect my privacy and I think that I did. 

Wednesday, 11 November 2015

Guest Speaker for Cardiff University - CyberSecurity and the Payment Card Industry

I had the pleasure to be invited as a guest speaker to Cardiff University in order to give a talk about: "CyberSecurity and the Payment Card Industry". 


The talk starts with an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participants are given the opportunity to understand what is an Approved Scanning Vendor (ASV), the responsibilities of a Qualified Security Assessor (QSA) and last but not least the job of a PCI Forensics Investigator (PFI).

Thursday, 23 July 2015

Burp Suite - Error handshake alert: unrecognized_name

This is the first time I had to deal with this error in Burp and I was trying to figure out what was the problem. It seems there is a problem with Java which causes Burp to fail when accessing some specific websites. This is the screen you get when this particular error occurs. 
Figure 1 - Burp Error handshake alert: unrecognized_name

If you ever stumble upon this problem the solution is easy once you know what to do. As a start, make sure you have the latest version of Java installed. 

Saturday, 4 July 2015

SteelCon 2015 - Can you really hack an airplane? (myths & truths)

I was very excited to hear my talk that was sent to SteelCon 2015 (http://www.steelcon.info) was accepted. This time I am talking about something different than usual, which has to do about hacking airplanes.
A lot of noise, many discussions and many articles have been written lately due to the recent so claimed airplane hack. It is indeed very difficult, up to impossible, to find information about the security of an airplane's systems if you are not actually the person responsible for designing and building such systems. Of course, it is understandable that these details regarding these systems will never become available to the general public for security reasons.

Friday, 5 June 2015

Understanding the significance of Operations Security (OPSEC) in a fast evolving threat landscape

It is not the first time a military term is being used by the Information Security community in order to describe an Information Assurance process. Operations Security (OPSEC) is a military term referring to the protection of different types of unclassified information which could end up exposing the security of an entity if put together and combined. In other words, in information security OPSEC describes the process by which publicly available information (unclassified) can be used against us if taken advantage by cyber criminals and/or adversaries with malicious intent.

Thursday, 30 April 2015

Guest Speaker for University of South Wales (Information Security Research Group) - CyberSecurity and the Payment Card Industry

I had the pleasure to be invited as a guest speaker to the University of South Wales in order to give a talk about CyberSecurity and the Payment Card Industry more specifically for the Information Security Research Group (ISRG).
The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

Monday, 20 April 2015

BSides London 2015 - CFP

I hope you all look forward to BSides London 2015, https://www.securitybsides.org.uk. In case you want to tweet about it, this year we are using the #BSidesLDN2015 hash tag. The event will take place on Wednesday 3/Jun/2015 at the ILEC Conference Centre, 47 Lillie Road, SW6 1UD, London (see the MAP). 

As a side note, this year InfoSecurity Europe in London will take place between the dates 2nd and 4th/June/2015. Usually, Security BSides London is in line with InfoSec and the event takes place on the first day of InfoSec. However, this year, make sure you note down that the event will take place on the second day of InfoSec (see InfoSec). 

I am happy to see that my talk for this year is number 2 on the list of submissions (CFP Submissions). Voting for the talks opened today 20/Apr/2015 and it will be running until 1/May/2015. Please find some more information about my talk in the section below (click Read More). You can find/follow me at twitter @drgfragkos and I really hope you spread the word regarding this talk to your friends and followers. 

Sunday, 15 March 2015

Raspberry Pi 2 Model B and Kali Linux - quick setup

The new Raspberry Pi 2 Model B is approximately 6 times faster that its predecessor. It comes with:
  • QUAD Core Broadcom BCM2836 CPU
  • 1 GB RAM
  •  40 pin extended GPIO
  • Micro SD slot
  • 4x USB ports
  • HDMI
  • 4 pole Stereo output and Composite video port
  • CSI camera port & DSI display port
  • Micro USB power source
In order to install Kali Linux on the new Raspberry Pi you will need to download the new image for Raspberry Pi 2 (0.48G) version 1.1.0  from https://www.offensive-security.com/kali-linux-vmware-arm-image-download/ (filename: kali-1.1.0-rpi2.img.xz). 

Friday, 27 February 2015

How to prevent a business from being the next exploited target

Over the past few years, Cybersecurity has become a high priority task on the agenda of every organisation that wants to: prevent unpleasant security incidents, avoid being breached by sophisticated attacks and Advance Persistent Threats, detect malicious activity which is specifically designed to evade detection and last but not least respond proactively to the emerging cyber threat landscape. During 2014 in particular, cyberattacks became the norm making headlines on a regular basis with a number of high profile breaches being in the spotlight which as a result affected the number of online transactions. More specifically, it was reported that the levels of fraud increased in 2013-2014 by 12% which accounts for 37% of the total £603m cost of retail crime as reported by the BRC Retail Crime Survey


Thursday, 12 February 2015

PCI SSC bulletin on impending revisions to PCI DSS, PA-DSS (updating to version 3.1)

The Payment Card Industry Security Standards Council (PCI SSC) in order to address few minor updates and clarifications and one impacting change, will publish a revision to the PCI DSS and PA-DSS v3.0 in the following weeks. The following bulletin will be issued on the PCI SSC website on 13 February in regards to this impending update to the standards.

Wednesday, 4 February 2015

Private IPv4 and IPv6 address spaces

In the Internet addressing architecture, a private network is a network that uses private IP address space, following the standards set by RFC 1918 for Internet Protocol Version 4 (IPv4), and RFC 4193 for Internet Protocol Version 6 (IPv6). These addresses are commonly used for home, office, and enterprise local area networks (LANs), when globally routable addresses are not mandatory, or are not available for the intended network applications. Under IPv4, the private IP address spaces were originally defined in an effort to delay IPv4 address exhaustion, but they are also a feature of IPv6, the next generation Internet Protocol.

These addresses are characterized as private because they are not globally delegated, meaning that they are not allocated to any specific organization, and IP packets addressed with them cannot be transmitted through the public Internet.