s0lst1c3 Posts

WHITEPAPER – BYPASSING PORT-SECURITY IN 2018: DEFEATING MACSEC AND 802.1X-2010

At DEF CON 26 I introduced an attack that can be used to bypass 802.1x-2010 and MACsec when weak EAP methods are used. The attack, known as a Rogue Gateway, forces the supplicant to authenticate with a rogue RADIUS server by mechanically diverting Ethernet traffic to the attacker’s rogue device. The attack can be performed remotely with the assistance of a side-channel interface, and can also be implemented completely in software to attack 802.1x-2004. I also introduced several improvements to the classical bridge-based 802.1x bypass, along with an EAP-MD5 Forced Reauthentication attack.

5GHZ ELECTRONIC WARFARE PART 1: ATTACKING 802.11N NETWORKS

This is the first of a two-part series about our attempts to make rogue AP attacks against 802.11n and 802.11ac networks a bit easier. Up until this point, we haven’t really seen any serious attempts to provide out-of-the-box support for rogue AP attacks against 802.11ac and 802.11n. Considering that most modern wireless networks use these versions of the 802.11 standard, we decided to find out why and attempt to do something about the problem ourselves.

POWERSHELL EMPIRE – EVADING NESSUS PLUGIN 99592

Back in November 2017, Tenable Network Security released a Nessus plugin that was capable of identifying the HTTP Listeners used by the Empire post-exploitation framework [1]. Since Empire is a tool that I often use during pentests and red team engagements, I felt inspired to develop a patch for Empire’s HTTP Listeners (both HTTP and HTTP_Com) that renders this plugin ineffective.

DEF CON 25: The Black Art Of Wireless Post-Exploitation – Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

At DEF CON 25 and Hackfest 0x9 I introduced a novel attack that can be used to bypass port-based access controls in WPA2-EAP networks.

DEF CON 24 (Wireless Village): Slaying Rogue Access Points With Python And Cheap Hardware

This blog post will cover the development of sentrygun, from the algorithms used to detect rogue APs to the design patterns used to leverage those algorithms by network administrators.

XSS Session Hijacking Part II

In Part I of this series, we learned how to create two modern cookie stealers for stealthily carrying out session hijacking attacks. Although highly effective in many cases, both cookie stealers were useless against websites that employ HttpOnly session cookies. In this tutorial, we’re not going to be focusing on stealing sessions. Instead, we’re going to learn how to log keystrokes in real time using WebSockets, as well as map keystrokes to specific DOM elements.

Reflected XSS Through iFrame

Imagine we are targeting an instance of Damn Vulnerable Web App on an enterprise network. In this totally realistic scenario, there is also an instance of Web Cal running on the same network. The Web Cal instance is vulnerable to clickjacking. To gain access to DVWA, we can create a malicious web page that masquerades as the Web Cal instance using an iframe. We then could place a second iframe into the page that executes a reflected XSS attack against the target DVWA instance on page load. We could then use social engineering to trick a user into navigating to our fake Web Cal page, and by doing so steal the user’s DVWA session.

Hacking Blindfolded – Exploiting SQL injections with no error output

In many cases, developers faced with patching a SQL injection will attempt to be clever by turning off error output instead of trying to fix their broken code. This results in a situation in which the target web page is vulnerable to SQLi, but no messages from the database are shown except for the intended output onto the page. This forces us to get creative when attempting to extract information from the target database.
