RedTeam Pentesting

5 June 2023

Storing Passwords - A Journey of Common Pitfalls

As pentesters, we regularly see creative ways of handling authentication and almost as often we see the pitfalls that come along with these unconventional ways. For instance, we recently discovered a vulnerability in the web interface of STARFACE PBX allowing login using the password hash rather than the cleartext password (see advisory). We want to use this as an opportunity to discuss how we analyse such login mechanisms and talk about the misconceptions in security concepts that result in such pitfalls along the way.

9 May 2023

Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting

Compromising a host in a company’s perimeter often creates the opportunity to pivot into an internal network. From there on, each additional compromised system may grant us access into further subnets. Pivoting like this is second nature to pentesters, but let’s step back and look at this scenario in detail in order to understand why we created our newest open-source tool resocks - a secure reverse SOCKS5 proxy (reverse as in reverse shell, not as in reverse proxy).

12 April 2023

Rooting a Common-Criteria Certified Printer to Improve OPSEC

Besides conducting penetration tests, we also attend to maintenance tasks of our internal infrastructure in order to have all systems being involved in our everyday work meet our specified requirements. One of these systems is the printer that we use to print our penetration test reports. When our service provider announced that they will not be able to provide maintenance services for our printer anymore, we started looking for a new one. This blog post deals with the analysis process of our new Canon imageRUNNER ADVANCE DX C5850i printer with the aim to meet our specified security requirements according to our threat model.

13 July 2022

Introducing Pretender - Your New Sidekick for Relaying Attacks

We’ve just released another open-source tool: pretender, a cross-platform tool to obtain a machine-in-the-middle position inside Windows networks in the spirit of Responder and mitm6. It implements local name resolution spoofing using the mDNS, LLMNR, and NetBIOS-NS protocols as well as a DHCPv6 DNS takeover attack. Since last year pretender has become a frequently used tool in our network penetration tests and we are proud to share our work with the community.

20 December 2021

Inside a PBX - Discovering a Firmware Backdoor

This blog post illustrates how RedTeam Pentesting discovered a real-world backdoor in a widely used Auerswald phone system (see also the advisory and CVE-2021-40859). We will describe the methodology used to find the backdoor by examining the firmware, highlight the practical implications of the vulnerability and outline our communications with Auerswald.