[ Upcoming Event] Mobile Security Summit 2016 – South Africa

• April 1, 2016

Rhys Mossom will be providing an in-depth, out-of-the-box look at what mobile security means and the importance of well-organized collaboration.

The two day event will take place at Indaba Hotel in Johannesburg on 11 &
12 May 2016.

The programme can be downloaded from:

Mobile Security Summit 2016 Brochure Download

The programme will cover a range of current topics which are pertinent to
mobile security. The content includes subject matter on the rise of mobile
malware, creating secure mobile usage policies, ensuring safe mobile
payments, biometric integration, data analytics and the impact mobile has
upon organisations.
Modern organisations need to be up to date and creative in their security
approach due to the broad nature of evolving threats in the mobile realm.
The expert speaker panel will share their wealth of experience in mobile
security by discussing the latest innovations in keeping the mobile channel
secure.
The event will bring professionals from across the mobile sphere together.
The content from the programme topics is beneficial to banks, IT firms,
security solutions, telecommunication companies, service providers and
software developers.
For more information contact the Project Manager, Jesse de Bruyn:
jesse@tci-sa.co.za

Topics to be addressed
• Securing end-to-end experiences in a mobile-first, cloud-first world
• Mobile security threats
• Establishing solutions to counteract evolving mobile threats
• Understanding risk and threats as they apply to mobile application security
• From where to where?
• Radio frequency signals: sniffing, jamming and exploitation
• Closing the mobile security gap
• Growing mobile security within the organisation
• The dark web and cyber-crime mechanics
• Mobile malware terror
• Integration of data and biometrics to keep the mobile channel secure


SNMP: Part 1 SNMP Client in C and Introduction

• March 6, 2015

(Image: the SNMP client written in C, started up and ready to fire)

This first of a two-post article will cover:
- Basics of SNMP.
- Writing an SNMP client in C.
- The usefulness it can have in penetration testing and hacking.
In Part 2 I will cover:
- Possible malicious uses of SNMP that an attacker could perform, and how these could be mitigated.

As a note, all of this is performed on a Windows 7 system with Visual Studio 2013 as my IDE.

The SNMP protocol is used for communicating with network devices.

Typical queries in SNMP are things such as bytes in/out on an interface, errors, CPU load, uptime and temperature.
SNMP requests are expressed through a numbering scheme where each period (.) represents a leg of the MIB tree pictured below. Each number identifies the member of that leg of the tree:

(Image: the MIB tree)

As pictured above, it is easy to see that an SNMP GET or SET request carrying the OID 1.3.6.1.2.1.1.1 refers to the SysDescr member.
Expanded, it represents: iso->org->dod->Internet->directory->mib-2->SysDescr.

SNMP is defined in the following RFCs, and is carried over UDP on ports 161 and 162.

Version 1 was originally written in 1988.
Version 1: RFC1155, RFC1156, RFC1157
Version 2: RFC1901, RFC1908, RFC2578
These extended version 1, added new data types, and added better retrieval methods such as GETBULK.
Version 3: RFC3411, RFC3418 (with security)

Typically SNMPv2 (v2c) is used.

Basic commands in SNMP are:
GET (client -> server): query for a value.
GET-NEXT (client -> server): get the next value (used to list the values of a table).
GET-RESPONSE (server -> client): response to a GET/SET, or an error.
SET (client -> server): set a value, or perform an action.
TRAP (server -> client): spontaneous notification from equipment (line down, temperature above threshold, etc.).

Community strings serve to allow only “authorized” requests.
The common (and unfortunate) practice of leaving things at their defaults leads to the widespread use of the two default community names, although others exist, and these can be used to find some really interesting equipment.
The two default community strings (each in three capitalisation variants) are “public”, “Public”, “PUBLIC” and “private”, “Private”, “PRIVATE”.
Public is for read-only access to the device.
Private is used for write access to the device.

Below is a GET request in Wireshark and the subsequent server response:

(Image: Wireshark capture of the GET request)

(Image: Wireshark capture of the response to the GET request)

Version 1: originally conceived in the 80s; community strings are sent in plain text.
Version 2c: SNMP v2c was developed to fix some of the problems in v1; community strings are still sent in plain text.
Version 3: the newest version of SNMP; v3 supports full security and authentication.

Refer to the RFCs quoted above for more information.


Below is some source code that performs a query with a GET-NEXT request and then walks the table by successively requesting the OID returned by each previous request, starting with “1.3”.
The compiled executable and the accompanying project file are also downloadable.

[ ZIP ] VS2013 Project
[ ZIP ] Executable
[ C   ] C Code for SNMP Client.
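As an added example (not the client from this post), here is how the GET-NEXT request that the walk above repeats is built on the wire: the dotted OID from the MIB tree is turned into BER subidentifiers and wrapped in the SNMPv2c message structure. The function names are my own; the request-id is assumed to stay below 128 so that its INTEGER encoding is a single byte.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Prefix buf[start..end) with tag + short-form length by shifting the content
   right two bytes; assumes end - start < 128, which holds for these PDUs. */
static size_t ber_wrap(uint8_t *buf, size_t start, size_t end, uint8_t tag) {
    size_t len = end - start;
    memmove(buf + start + 2, buf + start, len);
    buf[start] = tag;
    buf[start + 1] = (uint8_t)len;
    return end + 2;
}

/* BER subidentifier bytes for a dotted OID: the first two arcs merge as
   40*X+Y, arcs >= 128 use base-128 groups with a continuation bit. */
size_t oid_encode(const char *dotted, uint8_t *out) {
    unsigned arcs[32]; int n = 0; size_t len = 0; const char *p = dotted;
    while (*p && n < 32) {
        arcs[n++] = (unsigned)strtoul(p, (char **)&p, 10);
        if (*p == '.') p++;
    }
    if (n < 2) return 0;                    /* "1" alone is not a valid OID */
    for (int i = 1; i < n; i++) {
        unsigned v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        uint8_t tmp[5]; int k = 0;
        do { tmp[k++] = v & 0x7F; v >>= 7; } while (v);
        while (k--) out[len++] = tmp[k] | (k ? 0x80 : 0);
    }
    return len;
}

/* SNMPv2c GetNextRequest for one OID (the message the walk repeats with each
   returned OID). Writes the packet to pkt and returns its length. */
size_t snmp_getnext(const char *community, const char *oid, uint8_t request_id, uint8_t *pkt) {
    size_t clen = strlen(community), p = 0, pdu, vb, n;
    pkt[p++] = 0x02; pkt[p++] = 0x01; pkt[p++] = 0x01;       /* INTEGER version: 1 == v2c */
    pkt[p++] = 0x04; pkt[p++] = (uint8_t)clen;               /* OCTET STRING community */
    memcpy(pkt + p, community, clen); p += clen; pdu = p;
    pkt[p++] = 0x02; pkt[p++] = 0x01; pkt[p++] = request_id; /* request-id, kept < 128 */
    pkt[p++] = 0x02; pkt[p++] = 0x01; pkt[p++] = 0x00;       /* error-status 0 */
    pkt[p++] = 0x02; pkt[p++] = 0x01; pkt[p++] = 0x00;       /* error-index 0 */
    vb = p; n = oid_encode(oid, pkt + p + 2);                /* OBJECT IDENTIFIER */
    pkt[p] = 0x06; pkt[p + 1] = (uint8_t)n; p += 2 + n;
    pkt[p++] = 0x05; pkt[p++] = 0x00;                        /* NULL: no value in a request */
    p = ber_wrap(pkt, vb, p, 0x30);                          /* VarBind */
    p = ber_wrap(pkt, vb, p, 0x30);                          /* VarBindList */
    p = ber_wrap(pkt, pdu, p, 0xA1);                         /* [1] GetNextRequest-PDU */
    return ber_wrap(pkt, 0, p, 0x30);                        /* Message SEQUENCE */
}
```

The 33-byte packet for community "public" and OID "1.3" is what the first step of the walk sends to UDP port 161; feeding the OID from each GET-RESPONSE back into snmp_getnext gives the next step.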

Happy 2015

• January 4, 2015


My mom's art work!

• December 9, 2014

(Image: painting by Nicola Holgate)

My mother's art work. She works with a variety of artistic mediums.

For more, have a look at Nicola Holgate's webpage:

Homepage: http://www.nicolaholgate.com

She is available for contact at:

http://www.nicolaholgate.com/contact.html

or

Telephone number: +267 393 0645
Mobile number: +267 726 36 016

Market Research Survey

• December 5, 2014

Market Research Survey for Rhys A. Mossom Network Security Services

Hi guys, please take a moment to complete this survey of ours. Every result is appreciated. We are using it as part of our market research.

Kind Regards,
Rhys A. Mossom

Survey:
http://networksecurityservices.net/survey/index.php/895741/lang-en

home page:
http://networksecurityservices.net

MS-DOS – Trip Down Memory Lane…

• November 2, 2014

Version 2.1 and Version 5.0:


and, for interest's sake, platters out of some old hard drives (the vernier caliper is showing 3.5 inches):


Rhys A. Mossom Network Security Services

• October 25, 2014


[ Company Website ] R.A.M. Network Security Services Website

[ Company Twitter ] R.A.M. Network Security Services Twitter

[ Company LinkedIn ] R.A.M. Network Security Services LinkedIn

[ Company Facebook ] R.A.M. Network Security Services Facebook

Rhys A. Mossom Network Security Services has been formed to offer cyber-security services to South Africa, Southern Africa and, on a wider scale, internationally.

Rhys A. Mossom Network Security Services is based in Johannesburg, South Africa delivering international services, specializing in ethical hacking, penetration testing, web-application testing, vulnerability assessments, and information-security compliance assessments.

R.A.M. Network Security Services encompasses a broad range of security-testing methods known as ethical hacking: the practice of assessing the security posture of a given system using the same tools and techniques employed by black-hat hackers on a daily basis. These techniques can be applied to operating systems, services, software and web applications. There are a number of ways to achieve various results, according to your business needs.

The benefits of a comprehensive analysis range from reducing the likelihood of downtime to limiting financial and other business impact and damage to electronic assets.

According to the statistics available at the time of writing, the document “Net Losses: Estimating the Global Cost of Cybercrime, Economic Impact of Cybercrime II, Center for Strategic and International Studies, June 2014”, published by the renowned global security company McAfee, estimates that 0.14% of South Africa’s GDP is lost to cyber-crime. This equates to just under five billion Rand (R4.91 billion) stolen. Additionally, South Africa is ranked number six among the most targeted countries for cyber-crime globally by the U.S. Federal Bureau of Investigation (FBI), whilst another renowned security company, Symantec, listed South Africa as the third worst-hit country globally by cyber-crime.

[ Game Trainer ] Assassins Creed 4 – Black Flag Stealth/Invisibility hack

• September 29, 2014


Here is a basic trainer for Assassins Creed 4 – Black Flag.
The game, although fun, is full of annoying sneaking missions, and this trainer can help there.
By searching for a specific array of bytes that represents a compare and a jump, and replacing them with no-operation instructions, a sort of invisibility hack is created. Because the trainer searches for an array of bytes rather than relying on fixed addresses, it can work on multiple versions, if not all versions.

The array of bytes to search for is: 0x80, 0x7d, 0xff, 0x00, 0x74, 0x0a, 0x5e

This should be replaced with six NOPs.
The address in my version of the game is 0x018a239b.

(Image: memory before patching)

(Image: memory after patching)

I have attached source code that patches it automatically.

The trainer is designed as a launcher, so it must be placed in the game's root directory and then executed. It launches Assassins Creed whilst searching for the relevant array of bytes to patch. The hack is complete once a call to WriteProcessMemory writes six NOPs to the address found by pattern searching.
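As an added example (not the post's Trainer.c), this is the search-and-patch step on its own, run over a constructed byte buffer rather than a live process. The instruction decoding in the comment is my reading of the seven bytes; note that only six of them are overwritten, so the pop that follows the jump stays intact.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The 7-byte signature from the post, decoded as 32-bit x86:
   80 7d ff 00  cmp byte ptr [ebp-1], 0
   74 0a        je  +0x0a
   5e           pop esi
   Only the cmp and je (six bytes) are replaced; the pop esi must survive so
   the function still cleans up its stack. */
static const uint8_t PATTERN[] = { 0x80, 0x7d, 0xff, 0x00, 0x74, 0x0a, 0x5e };
#define PATCH_LEN 6

/* Offset of the first occurrence of pat[0..plen) in buf[0..len), or -1. */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen) {
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Overwrite the compare-and-jump with NOPs (0x90) in a local copy of the
   code. Returns the patch offset, or -1 if the signature is not present
   (already patched, or a build with different code). */
long patch_nop(uint8_t *buf, size_t len) {
    long off = find_pattern(buf, len, PATTERN, sizeof PATTERN);
    if (off < 0) return -1;
    memset(buf + off, 0x90, PATCH_LEN);
    return off;
}
```

Searching for the signature rather than a fixed offset is what makes the patch survive between game builds, and the -1 result is the check that stops the launcher writing into the wrong place when the signature is absent.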

(Image: the trainer/launcher)

[ CODE ] Trainer.c

Representing Telspace Systems at ITWeb Security Summit

• May 28, 2014

(Image: the Telspace Systems stand)

Over the past two days (the 27th and 28th of May 2014) Telspace Systems has sponsored the ITWeb Security Summit in Sandton, South Africa.

Telspace was represented through the above stand and a slew of hard-working staff.


[ Security Tool ] Orafuzz Version 2 – HTTP Fuzzing Tool

• April 29, 2014

(Image: OraFuzz version 2)

This application is a rewrite of my original fuzzer. Several features have been added, as well as a full, user-friendly GUI.

The major change in this version is the ability to modify and add attack strings through the provided sample list, which adds to the overall flexibility of the application.

Additionally, the application now supports both POST and GET requests.
The provided text file “attackstrings.txt” contains the list of attack request strings; this file must reside in the application's root directory.

This can also be used to determine whether the vulnerability “CVE-2007-1036 JBoss JMX-Console Access Vulnerability” exists on a particular server.

You can find a target yourself with Google, using the Google dork: inurl: /reports/rwservlet/help?

As mentioned, the contents can be modified to suit the attacker's needs.
The sample contents of the “attackstrings.txt” file are as below:

/reports/rwservlet
/reports/rwservlet/showenv?
/reports/rwservlet/showjobs?
/reports/rwservlet/help?
/reports/rwservlet/showmap?
/reports/rwservlet/showmyjobs?
/reports/rwservlet/showjobid?
/reports/rwservlet/killjobid?
/reports/rwservlet/parsequery?
/reports/rwservlet/showauth?
/reports/rwservlet/delauth?
/reports/rwservlet/getjobid?
/reports/rwservlet/getserverinfo?
/reports/rwservlet/killengine?
/discoverer/app
/web-console
/jmx-console

The application and code can be downloaded and viewed below:

[ .TXT C-Code ] OraFuzz_V2_GUI.c
[ .TXT C-Code ] fuzzer.c
[ .TXT C-Code ] OraFuzz_V2_GUI.h
[ .ZIP ] VS Project Files
[ .ZIP/.EXE ] Executable File
[ .TXT ] Attackstrings.txt

[XSS] Brief Security Review – Smartermail 12.0 and 5.5 Enterprise

• April 28, 2014

SMARTERMAIL 12.0.x FREE EDITION:

Vulnerability 1:
Contact Book XSS:

It is possible to send someone a crafted .vcf contact file which, if they access it through Smartermail, executes its code when the contact book is viewed.
The following .vcf file parameters were used, with the JavaScript attack command alert(1):

(Image: the .vcf file used against version 12.0)
The result of the above XSS attack:
(Image: result of the attack in version 12.0)

Version 5.5 Enterprise:
The fields used can be seen below:

BEGIN:VCARD
ADR;HOME=TRUE:;;foo11;foo12;foo13;foo14;foo15
ADR;WORK=TRUE:;foo25;foo18;foo19;foo20;foo21;foo22
EMAIL;INTERNET=TRUE:alert(2)
FN:foo1 foo2 foo3 foo4
N:foo3;foo1;foo2;;foo4
NOTE:foo24
ORG:alert(6);foo17
PRODID:-//SmarterTools//SmarterMail//EN
REV:20140119T173038Z
SORT-STRING:alert(1)
TEL;ISDN=TRUE:foo10
TEL;PAGER=TRUE:foo8
TEL;CELL=TRUE;VOICE=TRUE:alert(4)
TEL;HOME=TRUE;VOICE=TRUE:foo7
TEL;WORK=TRUE;VOICE=TRUE:alert(3)
TEL;HOME=TRUE;FAX=TRUE:foo9
TEL;WORK=TRUE;FAX=TRUE:alert(5)
TITLE:foo16
URL:foo6
END:VCARD

(Image: the contact entry in version 5.5 Enterprise)

On visiting the contacts page the code is executed, as seen below:

(Image: result of the attack in version 5.5 Enterprise)

The VCARDS used in these attacks can be viewed here:
[ .TXT ] VCard Version 12.0
[ .TXT ] VCard Version 5.5 Enterprise

This issue was reported to Smartertools and I am happy to report that the issues were resolved speedily in a new build, with version numbers after and including 12.0.5197.19984.
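The fix for this class of bug is on the rendering side: every vCard field value must be HTML-encoded before it is written into the contacts page, so a value like alert(1) wrapped in a script tag is displayed as text rather than run. The following is an added example, not SmarterTools' code: a minimal escaper and a renderer for one vCard content line of the “NAME;PARAM=VALUE:VALUE” form used above. The function names, the table-row markup and the allowlist for property names are my own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy `in` to `out` (capacity `cap`, NUL-terminated) replacing the five
   HTML-significant characters with entity references, so a contact field
   cannot open or close a tag or attribute. Returns the output length, or -1
   if `out` is too small. */
int html_escape(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n + 1 > cap) return -1;           /* leave room for the NUL */
        if (rep) memcpy(out + o, rep, n); else out[o] = *in;
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Render one vCard content line ("NAME;PARAM=VALUE:VALUE") as a table row.
   The property name may only contain letters, digits and '-', and the value
   is escaped, so neither part can carry markup into the contacts page.
   Returns 0, or -1 if the line has no ':' or the buffer is too small.
   Line folding and the parameters between ';' and ':' are ignored here. */
int vcard_row_html(const char *line, char *out, size_t cap) {
    const char *colon = strchr(line, ':');
    size_t nlen = strcspn(line, ";:");
    char val[512];
    if (!colon || nlen == 0) return -1;
    for (size_t i = 0; i < nlen; i++)
        if (!isalnum((unsigned char)line[i]) && line[i] != '-') return -1;
    if (html_escape(colon + 1, val, sizeof val) < 0) return -1;
    int n = snprintf(out, cap, "<tr><td>%.*s</td><td>%s</td></tr>",
                     (int)nlen, line, val);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}
```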

[ Code ] Enumerating Wifi access-points programmatically.

• April 8, 2014

Here's some brief code that lets you enumerate and scan for wireless APs in your vicinity.
The data is both printed on screen and stored in a log file for easy viewing.


[ .TXT ] C- Code

[ .ZIP ] Project Files

[ .ZIP ] Executable File