RedTeam Pentesting GmbH - become one of us

13 July 2022

Introducing Pretender - Your New Sidekick for Relaying Attacks

We’ve just released another open-source tool: pretender, a cross-platform tool to obtain a machine-in-the-middle position inside Windows networks in the spirit of Responder and mitm6. It implements local name resolution spoofing using the mDNS, LLMNR, and NetBIOS-NS protocols as well as a DHCPv6 DNS takeover attack. Since last year, pretender has become a frequently used tool in our network penetration tests, and we are proud to share our work with the community.

20 December 2021

Inside a PBX - Discovering a Firmware Backdoor

This blog post illustrates how RedTeam Pentesting discovered a real-world backdoor in a widely used Auerswald phone system (see also the advisory and CVE-2021-40859). We will describe the methodology used to find the backdoor by examining the firmware, highlight the practical implications of the vulnerability and outline our communications with Auerswald.

21 May 2021

Remarkable Encryption - From Threat Model to Final Implementation

In the process of going paperless, we recently acquired multiple reMarkable 2 epaper tablets. Among other things, the tablets will be used for taking notes about engagements. These data are highly sensitive and must be well protected. Unfortunately, by default the reMarkable offers little protection against attackers with physical access. We therefore opted to add a layer of encryption to our tablets. In this blog post we outline our journey from threat modeling to a secure, reliable and user-friendly implementation using gocryptfs, C++, Qt and systemd. The final result has been released on GitHub.

4 March 2021

Wholesome curl Calls for Your Blog Posts

An important part of each penetration test is the documentation of all discovered vulnerabilities. The documentation often includes program calls to further demonstrate how a vulnerability was found, tested or exploited. To better visualise these steps in the context of web applications, we often include invocations of the command-line HTTP client curl. In the following, we discuss how program calls can be styled for documentation to appeal to all audiences.

4 January 2021

Insecure Deserialization - How to Trace Down a Gadget Chain

Insecure deserialization vulnerabilities potentially result in the ability to remotely execute code on the affected system. Once such a vulnerability is identified, it is still necessary to compose a gadget chain that provides this ability. This post deals with the complex but also fascinating process of finding a gadget chain in the Yii PHP framework. Finally, the discovered gadget chain is demonstrated by means of an example application.
