Babadook: Connection-less Powershell Persistent and Resilient “Backdoor”

At my previous company I used to prank the colleagues who left their stations unlocked. I call this my “internal awareness program”. It was all fun and games at the beginning. I would leave post-its on their monitors with a friendly message “You could’ve been hacked” but it wasn’t giving the expected results. Some colleagues found it funny and started “collecting” my post-its. There was a guy in particular with 5 of them.


Introducing VirtuaPlant 0.1

Today I’m releasing a project I’ve been working on for the past week which I called VirtuaPlant (yeah, I know, I suck at giving names). From the project page: VirtuaPlant is an Industrial Control Systems simulator which adds “similar to real-world control logic” to the basic “read/write tags” feature of most PLC simulators. Paired with a game library and a 2D physics engine, VirtuaPlant is able to present a GUI simulating the “world view” behind the control system, allowing the user to have a vision of the would-be actions behind the control systems.


Calling functions without their names in PHP

Strings. Ah, juicy and precious strings! It is common for malware scanners and IDPS to look for suspicious strings in network traffic and files… but what if there are no strings to look for? (whaaa?) Today I was wondering about a feature found in many interpreted languages: listing their internal functions in some sort of list/array. This way we can enumerate the [index] => function_name relationship, replace all function_names in the code with their index and voilà!


GoldenEye 2.1 released with even more randomness

Recently I’ve discovered that GoldenEye got its first signature from a big vendor. That’s funny, since the main GoldenEye objective is to be signature-proof due to its randomness. I’ve done a quick search on the internet and found the signature update link for their products, downloaded it, and located the one mentioned above. It was a very crude signature, as expected: <Pattern>\[Keep-Alive: 1(1\d|20)\]</Pattern> <Pattern>\[Cache-Control: (must-revalidate, )?no-cache\].*</Pattern> <Pattern>\[http://(www\.(google|usatoday)|engadget\.search\.aol)\.com/(search)?(/results)?\?q\].*</Pattern> <Pattern>.*\[(Mozilla/\d\.\d|Opera 9.80) \((Windows|X11|compatible); U?; (Linux|Windows NT \d\.


Whitespace Esolang Covert Channel / Steganography

I’ve always been a fan of esoteric programming languages (esolangs). These programming languages are generally made just for fun, mostly in universities or for challenges. Wikipedia describes them as follows: An esoteric programming language (esolang, in short) is a programming language designed to test the boundaries of computer programming language design, as a proof of concept, or as a joke. The use of esoteric distinguishes these languages from programming languages that working developers use to write software.


Enumerating Android installed applications without special permissions

Sometimes I take some random Android app I’ve recently installed on my phone and start performing some tests on it. It’s not uncommon to see unauthenticated API requests, plaintext HTTP communication and some obfuscation logic or hardcoded credentials rammed down into client code. As I usually say in my SCADA talks, “everything that is ‘new’ is prone to ‘newbie’ mistakes.” This is no different for mobile development.


New version of GoldenEye WebServer DoS tool released

After the Hackers 2 Hackers conference talk last year, some people contacted me about known Python performance issues regarding the use of threads related to the GIL. Indeed, the threading wasn’t performing well due to the nature of the GIL, so I’ve rewritten the code to support Python’s multiprocessing module. It’s a tad faster, but I haven’t tested it exhaustively, so if you feel the inner beta-tester in you, let me know! The download is available as always at the GitHub project page at https://github.
