
Blog

News and updates from OffSec

BackTrack Reborn – Kali Linux

Jan 22, 2013

It’s been 7 years since we released our first version of BackTrack Linux, and the ride so far has been exhilarating. When the dev team started talking about BackTrack 6 (almost a year ago), each of us put on paper a few “wish list goals” we wanted implemented in our “next version”. It

Yahoo DOM XSS 0day – Not fixed yet!

Research & Tutorials

After discussing the recent Yahoo DOM XSS 0day with Shahin from Abysssec.com, it was discovered that Yahoo’s fix, put in place at 6:20 PM EST on Jan 7th, 2013, is not as effective as one would hope.

Jan 8, 2013

2 min read

Fun with AIX Shellcode and Metasploit

Exploit Development

In one of our recent pentests, we discovered an 0day for a custom C application server running on the AIX Operating System. After debugging the crash, we discovered that the bug could lead to remote code execution and since we don’t deal very often with AIX exploitation, we decided to write an exploit for it. The first steps were accomplished pretty quickly and we successfully diverted the execution flow by jumping to a controlled buffer. At this point, we thought we could easily generate some shellcode from MSF and enjoy our remote shell.

Nov 20, 2012

6 min read

CA ARCserve – CVE-2012-2971

Exploit Development

On a recent penetration test, we encountered an installation of CA ARCserve Backup on one of the target systems that piqued our interest. Like most “good” enterprise applications, ARCserve has processes that run as SYSTEM, so naturally we went straight to work looking for vulnerabilities.

Oct 30, 2012

11 min read

Onity Door Unlocker, Round Two.

Research & Tutorials

On one of our engagements, we figured an Onity hotel door unlocker would be useful to us. Inspired by the “James Bond” type setup we saw on the Spiderlabs blog post, we thought we’d try to build a small, simple and “TSA friendly” version of the Onity key unlocker.

Oct 23, 2012

2 min read

Stand-Alone EM4x RFID Harvester

Research & Tutorials

Continuing on from our last RFID Cloning with Proxmark3 post, we wanted to build a small, portable, stand-alone EM4x RFID tag stealer. We needed an easy way of storing multiple tag IDs whilst “rubbing elbows” with company personnel. The Proxmark3 seemed like overkill and not particularly fast at reading EM4x tags, so we figured we’d try hooking up our RoboticsConnection RFID reader to a Teensy and see if we could make them play nicely together.

Sep 27, 2012

2 min read

RFID Cloning with Proxmark 3

Research & Tutorials

Our Proxmark 3 (and antennae) finally arrived, and we thought we’d take it for a spin. It’s a great little device for physical pentests, allowing us to capture, replay and clone certain RFID tags.

Sep 24, 2012

5 min read

Offsec BlackHat / Defcon Scavenger Hunt

Enterprise Security

Are you in Vegas for BlackHat and Defcon? Are you desperately looking for Offensive Security schwag? We are giving out Metasploit books, BackTrack challenge coins and large-sized BackTrack decals at this year’s BlackHat and Defcon conferences. So, what exactly does one need to do to get these wonderful, sought-after gifts? It’s easy:

Jul 24, 2012

2 min read

FreePBX Exploit Phone Home

Research & Tutorials

During a routine scan of new vulnerability reports for the Exploit Database, we came across a single post on Full Disclosure by Martin Tschirsich about a Remote Code Execution vulnerability in FreePBX. This vulnerability sounded intriguing and, as usual, required verification in the EDB. At first glance, the vulnerability didn’t jump out at us, especially as we are not familiar with the inner workings of Asterisk. After a couple of emails back and forth with Martin, the path to code execution became clearer:

Mar 23, 2012

3 min read

Announcing the OSEE Certification

OffSec News

Since the inception of our Advanced Windows Exploitation (AWE) course, our students (who are always searching for more pain) have been asking for an accompanying certification exam. We are very pleased to announce the launch of the Offensive Security Exploit Expert (OSEE) certification.

Jan 16, 2012

2 min read

PWB in the Caribbean, Part 3

Enterprise Security

In Part 2 of our series of posts on the recent PWB in the Caribbean course, Johnny was desperately seeking an exit from the upcoming pain that is exploit development. However, he didn’t come up with an escape plan quickly enough and his tale continues in this latest diary entry.

Dec 28, 2011

5 min read

PWB in the Caribbean, Part 2

Enterprise Security

In our ongoing series covering our most recent live PWB in the Caribbean course, Johnny picks up from Part 1 and provides an inside and personal look at the course as it picks up speed and increases in difficulty.

Dec 21, 2011

4 min read

Offensive Security Wireless Attacks Updated

Penetration Testing

At long last, our highly rated Wireless Attacks course (Wi-Fu) has been updated to version 3! This is a major revision of the course, with a complete restructure and redesign of the content and a far broader range of attack techniques.

Dec 7, 2011

2 min read
