Escape from the restricted shell of a router

Introduction Various devices, both sold to consumers and rented to the clients of Internet service providers, allow their administration through a web portal. This portal may be limited in features, and if more advanced configuration is needed, such as configuring the firewall with the iptables tool, console access is necessary. The operating system of routers is usually GNU/Linux. Console access is usually blocked to prevent problems caused by incorrect configurations made by inexperienced users, which makes it necessary, for example, to access the serial port by removing the device casing. In other cases, console access is allowed through the SSH (Secure Shell) protocol, but it is limited to a restricted console with commands pre-defined by the manufacturer. These devices usually have a backdoor that allows spawning an sh or bash command shell by entering specific commands. ...

October 1, 2024 · 6 min

Dynamic Analysis in Android - IV - Analysis of symmetrically encrypted traffic

Introduction There are additional protections related to the requirement for a specific TLS certificate (pinning). There is also the possibility of encrypting network communications carried over the HTTP protocol. In the case of symmetric encryption, the application will obtain the key from the server or from the application's own source code, either statically (stored in a variable) or dynamically, where several obfuscated methods are executed to derive the key to use. ...

September 1, 2024 · 4 min

Dynamic Analysis in Android - III - Removal of application restrictions

Introduction Various applications related to banking environments or public administrations contain restrictions that prevent their execution on Android mobile devices that have been altered, for example, after installing Magisk and obtaining superuser permissions, after unlocking the boot loader, or when they are running in emulators rather than on real devices, all of this to hinder analysis. In an example application, we will have to remove those restrictions from the source code of the application. One option is to unpack the application and modify the .smali code, which is a readable, low-level textual form of the bytecode. For this, we will first extract the corresponding APK file of the application and decompile its source code using the JADX tool. ...

August 1, 2024 · 6 min

Acquisition of a WPA handshake with a cloned access point

Introduction A WPA (Wi-Fi Protected Access) handshake is a process in which a client device authenticates with an access point that uses the WPA security protocol. During this process, the client device and the access point exchange information to establish a secure connection. This information includes cryptographic data used to encrypt communication between the client device and the access point, thus ensuring the privacy and security of the Wi-Fi connection. In computer security environments, capturing a WPA handshake makes it possible to perform brute-force attacks to recover the Wi-Fi network password. ...

May 1, 2024 · 5 min

Creating a personalized Kali Linux image

Introduction Kali Linux is a security auditing Linux distribution based on Debian GNU/Linux. Kali is aimed at security professionals and IT administrators, allowing them to perform advanced penetration testing, forensic analysis, and security audits. Debian GNU/Linux is one of the main general-purpose Linux distributions, known for its quality and stability. Kali Linux builds on the work of the Debian project and adds over 400 special-purpose packages of its own, all related to information security, particularly in the field of penetration testing. The default ISO images can be downloaded from the Kali website. ...

April 1, 2024 · 6 min

Implementation of the Scramble encryption from the NXDN radio trunking protocol

Introduction NXDN (Next Generation Digital Narrowband) is a digital radio standard developed jointly by Icom and Kenwood in Japan. It was designed for voice and data communications in two-way radio environments, such as the mobile and portable radio communication systems used by organizations like emergency services, companies, and government agencies. These communications may be sent without encryption or using DES or AES encryption, as specified in the NXDN TS 1-D Version 1.3 specification. In this case we will focus on Scramble encryption, which is defined as follows. ...

March 1, 2024 · 3 min

Nordic nRF51 SoC firmware copy

Introduction Nordic nRF51 is a series of system-on-a-chip (SoC) devices developed by Nordic Semiconductor. These chips are designed specifically for low-power applications in the field of wireless connectivity. The nRF51 series includes several models, such as the nRF51822 and the nRF51802, among others. These chips are widely used in low-power devices such as wearables, IoT (Internet of Things) sensors, health devices, and other devices that require efficient connectivity and minimal energy consumption. If we need to perform a reverse engineering analysis of one of these devices, it will be necessary to obtain a copy of the firmware from the chip itself. ...

February 1, 2024 · 7 min

Cloning an infrared remote control

Introduction Infrared (IR) remote controls are electronic devices that use infrared signals to communicate with other electronic devices, such as televisions or air conditioners. The basic operation of an IR remote control is based on the emission of infrared signals from the remote towards an infrared receiver in the device being controlled. These signals contain specific codes that are interpreted by the receiving device, causing the corresponding action to be executed, such as turning the device on and off, changing channels, or adjusting the volume. The infrared signals generated by the IR LED are modulated, meaning the light intensity is periodically modified according to a specific pattern. This modulation pattern is unique for each button or function on the remote control. ...

January 1, 2024 · 6 min

Dynamic Analysis in Android - II - Interception of HTTPS communications and SSL Pinning

Introduction One of the phases of dynamic analysis of Android applications is the interception of the connections the application makes to remote servers. If they use the HTTP protocol, they can be easily intercepted and manipulated with a proxy server, since the protocol does not use encryption. But if the application uses the HTTPS protocol, we will need to install an SSL certificate from a Certification Authority on our device, since the connection will be encrypted with it. Additionally, some applications use the SSL Pinning technique, which consists of trusting only certain certificates embedded in the application. ...

December 1, 2023 · 5 min

Dynamic Analysis in Android - I - Environment installation

Introduction To perform a security audit of an Android application, it is necessary to create a customized environment, which can be based on a physical device or an emulator. For most cases, an emulator will suffice. In this article we will create a virtual machine for Android on the x86_64 architecture, modify it by installing Magisk to obtain superuser permissions and install modules, and install some applications. Installing the Android Emulator: For the Android emulator, we have chosen the official Android IDE, Android Studio, which includes support for Android Virtual Devices (AVD). To install the IDE, simply go to its official website and download the installer, accepting the license terms. During the installation process, when selecting the components to install, we will deselect the Android Virtual Device option, as we will configure it later. In this case, we will install the IDE in our Documents directory. ...

November 1, 2023 · 6 min