MacOS Two-machine Kernel Debugging

If you are a macOS security researcher, chances are that at some point you’ll have to perform kernel-level code debugging. While there are many great and helpful blog posts on topic of macOS kernel debugging, the fact is that at this point they are slightly outdated and mostly focused on using virtual machines.

March 06, 2022 | Read More

Purple Fox - a comparison of old and new techniques in the Exploitation phase

Purple Fox is a malware categorized as a Trojan/Rootkit that has already been described in 2019 by Trend Micro and in 2020 by Proofpoint. Both articles bring interesting insights about attacker's techniques. This article describes techniques used by attackers in May 2020 and July 2020 with significant changes in the Exploitation phase of the Kill Chain (KC), this time using steganographic techniques on PNG files. The focus of this article is in the Exploitation phase. Other KC phases will not be described in detail, but they will be touched briefly. At the end of the article there are tips on hunting techniques and IOC’s specific to Purple Fox, which will hopefully be useful.

September 22, 2020 | Read More

Bypassing browser limits in WebAssembly debugging

Current state of WebAssembly debugging and tracing sets limits in browser on number of lines disassembled during debugging in development tools on both Firefox and Google Chrome based browsers. In case there is larger project than the limit imposed, browser only display disassembly up to the hardcoded limit. If you hit the problem you will identify it by having ;; .... text is truncated due to the size message on the end of the disassembly or just hit the limit without any message. What is the cause and is there any way to bypass it?

August 15, 2020 | Read More

Extracting credentials from IoT devices via UART

Buying IoT devices which communicates wirelessly means it have to store credentials to network it is connecting to. It could be Zigbee network key, wireless WPA key or any other wireless protocol .As an example, we have extracted wireless credentials stored in Broadlink RM Mini which can be easily bought from many gadget web shops on the Internet. Such credentials were extracted simply via standard and simple UART access to the device.

June 30, 2020 | Read More

Cracking LUKS/dm-crypt passphrases

Linux uses dm-crypt in order to provide transparent disk or partition encryption. What are the options in case you need to recover passphrase from such encryption? There are already ready-made tools, but we have also produced and published our own in order to support newer LUKS format/ciphers/hashing.

November 18, 2019 | Read More

Extracting passwords from hiberfil.sys and memory dumps

When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. While this can usually be the way to go, it can pose a huge challenge, as the result can depend on the strength of the storage format of the password and the strength of the password itself. Something often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text. When you have those, there’s no need for cracking at all and it doesn’t depend on password strength/size.

November 05, 2019 | Read More