Do you know that feeling, when you think you did a great job, and suddenly you look at it with a new perspective and only then you realize in terror that it was not at all as good as you thought? I do. One of the things our Cyberculture team does is War Games. Crisis [...]
Introducing IOXY: an open-source MQTT intercepting proxy
TL;DR: IOXY is an open source MQTT intercepting proxy, developed by NVISO for our IoT pentest needs, and now available on GitHub. Features include a GUI, live packet interception and modification and MQTTS support. The need for IOXY In the web and mobile application worlds, intercepting proxies like Burp and OWASP ZAP occupy a central [...]
Unmanaged file searching with Filesearcher.exe
During our red team engagements, we are often reliant on a command and control infrastructure. Typically these infrastructures are capable of loading .NET assemblies in memory, which gave me the idea of coding a filesearcher assembly. This was partially invented because of a CTF event I was participating in which had me hunting several file [...]
IoT hacking field notes #2: Using bind mounts to temporarily modify read-only files
TL;DR: The second of our short, IoT-related posts shares a simple trick we use in IoT pentests to temporarily change the contents of read-only files in Linux-based devices. Very useful when trying to proxy network traffic or temporary change the behavior of a device! IoT field notes is a series of short stories about interesting [...]
Burp, OAuth2.0 and tons of coding: a testimony of my internship in the penetration testing team at NVISO!
Hi my name is Turpal and I did my internship at NVISO starting on the 24th of February until the 29th of May 2020. In this blog post, I want to provide a bit more details about what exactly I did during this time, and what my experience felt like! The internship was part of [...]
Intercepting Flutter traffic on iOS
My previous blogposts explained how to intercept Flutter traffic on Android ARMv8, with a detailed follow along guide for ARMv7. This blogpost does the same for iOS. Testing apps The beauty of a cross-platform application is of course that I can use my previous Android test app for iOS so it has the same functionality. [...]
Reviewing an ISO 27001 certificate: a checklist
The ISO 27001 Certification silver bullet An ISO 27001 certification is often used by a supplier to assure its customers they take information security seriously. This doesn’t mean that they will not suffer any security breaches but maintaining a well-designed ISMS will decrease the likelihood from happening. And that’s why many organizations rely on an [...]
Tampering with Digitally Signed VBA Projects
TL;DR Macro code in Office documents can be digitally signed, and Office can be configured to restrict macro execution to digitally signed documents. We found a method to alter digitally signed VBA projects to execute our own, arbitrary code under the right conditions, without invalidating the digital signature. When we recommend clients to harden their [...]
A checklist to populate your Acceptable Use Policy
In our previous blogpost, we discussed how to take some of the dust off your Acceptable Use Policy (AUP) or IT security code of conduct, making it a bit more user friendly and educational. Now, we're giving you a sort of checklist of the topics to discuss in a typical AUP, based on the table [...]
Intercepting Flutter traffic on Android x64
In a previous blogpost, I explained my steps for reversing the flutter.so binary to identify the correct offset/pattern to bypass certificate validation. As a very quick summary: Flutter doesn't use the system's proxy settings, and it doesn't use the system's certificate store, so normal approaches don't work. My previous guide only explained how to intercept [...]