This is a copy of the original article for archival purposes: https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-profit/
A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers. The customer had pcaps and a hypervisor snapshot of the system on the moment it was compromised. We started wondering if it was possible to decrypt the SSH session and gain knowledge of it by recovering key material from the memory snapshot. In this blogpost I will cover the research I have done into OpenSSH and release some tools to dump OpenSSH session keys from memory and decrypt and parse sessions in combinarion with pcaps. I have also submitted my research to the 2020 Volatility framework plugin contest.
This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password. I also provide a python implementation to decrypt the contents of the files.
The first part of this blog will be the story of how this tool found it’s way into existence, the problems we faced and the thought process followed. The second part will be a more technical deep dive into the tool itself, how to use it, and how it works.
About 1½ half years ago I did an awesome Red Team like project. The project boils down to the following: Continue reading
Taskbaricon mouseover highlight
First things first: Happy new year! I am sure 2016 will be a great year! Next up: DominantColor. It’s a project for calculating the dominant (hue) color in an image.This is something that took some research as I was building JeS Multi-Monitor Suite. The taskbar in Windows 7, 8 and 8.1 implemented a similar feature showing the dominant color as a highlight when you mouseover the taskbar icon. Continue reading
DevOps! A must for modern software development, right?! You would expect most companies are already moving towards this new way of working. Why? Because software development needs to be more agile. Say you have a new customer, he wants a demo of your application but he also wants to see that one new feature. The software release that contains that feature is scheduled to be released in 2 months. Though, that specific feature is already “done and ready”. You ask the developers/administrators if they can put together a demo of that feature.. At that moment the devs and administrators are getting nervous. Everyone checks in their code to one single code branch so how are they going to demo that specific feature? Maybe on a laptop of a dev that still has a stable (*kuch* compiling) revision? This is where we have to change the way we develop software.
During the development of a Windows 10 Universal Windows App today I ran into a weird issue with Entity Framework 7, beta 6. I was using a Sqlite database for local storage within the app and everything seemed to work fine until I hit against a bug in the EF (Entity Framework). Continue reading
Today I publish Yara.NET – A C++/CLI .NET wrapper around the Yara 3.4.0 library. It enables you to use all the Yara functionality that the native C lib exposes in .NET! Yara.NET API was inspired by the Python API and has thus a somewhat similar API. Why is it built in C++/CLI and not C#? Because building a wrapper library in C# around a native library is a pain compared to using C++/CLI. Using C++/CLI you can link directly against the native lib and use all of the existing header files without the need to redefine every function using PInvoke..
Figure 1, .NET Pinvoke memory corruption
Today I ran into some old screenshots of a problem I was having in 2013. Interesting problem! I was trying retrieve a piece of data that was located in another process memory space using the ReadProcessMemory API. I defined the API using PInvoke(Platform Invoke), a technique used to call native functions from .NET. The issue I was having was that only under Windows 8 I was getting a NullReferenceException and initially I had no clue why. Continue reading
I decided to dust off some old projects! I decided to post the source for the multi tab command line utility I wrote some time ago. Note that I don’t intend to support or further develop it. Just want to share 😉
Finally, the last level! Level 5 is a “simple number manager”. It is similar to the note manager as it allows to store up to 10 numbers. That’s… really useful.. 😛
Level 5, simple number manager