Dear PenTest Readers,
In the current edition of PenTest Magazine our contributors present you with mixed offensive security content. However, we’d like to highlight two major topics: post-exploitation and SATCOM security. Inside, you’ll read interesting tutorials on some methods used in the post-exploitation phase, like DLL Proxying, or exfiltration methods. You’ll also read a great write-up on bypassing encryption in Android apps with Frida - it’s definitely a must-read for every mobile pentester.
If you’re into less popular pentesting fields, don’t miss the two articles that open our issue: The OPS-SAT Space Red Team and SATCOM Security: Past, Present and Future. The first one presents two scenarios: on the ground, through the platform, and in Space, through the network; the second is a thorough overview of SATCOM security challenges.
If you’re interested in a wider range of cybersecurity topics, you’ll also read about OT in the Cloud, or Splunk.
As you can see, the spectrum of the topics covered in this edition is quite impressive. Thus, without further ado, let’s dive into the reading process.
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
The OPS-SAT Space Red Team
by Jamel Metmati
The article presents the OPS-SAT SPACE RED TEAM organization and two scenarios: on the ground, through a platform, and in Space, through the networks.
SATCOM Security - Past, Present, Future
by Tatyana Stojnic
With the cost of launching satellites becoming cheaper and satellites themselves becoming smaller, there are more and more companies in the field offering these services, from big players such as Elon Musk’s SpaceX project Starlink to a growing number of small space industry start-ups worldwide. Additionally, the rising use of IoT devices relying on wireless communications and geolocation services and the increased availability of commercial Cubesats and nanosatellites is a response to a greater demand for the services provided by SATCOM technology. However, as the use cases and number of commercial players in the satellite communication industry increase alongside IoT and 5G capabilities, so does the opportunity for cyber attacks. Since most satellite networks were not initially built with security in mind, this presents a large number of security gaps.
How to Bypass Encryption Mechanism in Android Apps with Frida
by Selvie Feta (Cobalt.io)
The Rijndael block cipher was developed in 2000 by two Belgian cryptographers. This encryption technique, which is more reliable than DES, has key lengths of 128, 192, and 256 bits. The data is divided into 4x4 matrices called states, which the algorithm operates on. AES uses a different number of encryption rounds for the 128-bit, 192-bit, and 256-bit key lengths. Compared to the DES algorithm, it is easy to implement and requires less memory, which is one of its strong features. AES and RSA are two of the most extensively used encryption methods today. Both are highly effective and secure, but they're employed in different ways.
by Theotime Chapier-Maldague
In a post-exploitation context, attackers are generally confronted with the question of persistence. Nowadays, a wide set of techniques allows them to achieve persistence on most systems. One of these techniques, called DLL Proxying (a form of DLL Hijacking), can be used against Windows systems in a very discreet manner. In this article, I will share with you how to proceed with DLL Proxying, and what limits this technique has.
In most cases, internal networks do not in any way restrict the resolution of DNS names for arbitrary zones. And since DNS is distributed by nature, our DNS request can arrive exactly at the attacker-controlled server. As a result, we have a full-fledged data transmission channel. There are great solutions these days for opening entire VPN tunnels, like iodine. However, even if you are not root on the victim, you can always use dnscat or dns2tcp, which can forward an arbitrary connection to a proxy. In either case, you can overcome the limitations of the firewalls and launch an attack on the internal network.
Types of AWS S3 Bucket Exploitation
by Vijay Bhardwaj
Many automation tools are available to find S3 buckets, and they use a brute-force approach to predict bucket names. One of the most common tools that provides bucket names is “AWS Extender”, which is used in conjunction with “Burp Suite”.
4 Top Ways to Escalate Privileges on *nix Systems
by Alcyon Junior (A.K.A. AlcyJones)
We will discuss in detail the security issues that can lead to a successful escalation-of-privilege attack on any Linux-based system. We will also discuss how attackers can successfully elevate their privileges on remote hosts using known techniques, and how we can protect our systems from such attacks. Finally, an example of how we can achieve privilege escalation on different Linux systems under different conditions will be shown. This article specifically aims to help beginners understand the basics of privilege escalation on *nix systems with examples.
Operational Technology in the Cloud: Control System Data and Operations in a Cloud Environment
by Marlene Ladendorff, PhD
Currently, experts in the field of OT cybersecurity usually cringe when approached by management or executives interested in moving OT capabilities into connected environments like the cloud, and understandably so. From a cloud computing cybersecurity perspective, industrial control system information and IT data face the same types of compromises. IT data can include personally identifiable information (PII) like names, social security numbers, and addresses, while OT information may be data from a historian in the operational environment or something more interesting (to a hacker) like command and control opportunities. Other nefarious activity that could take place in the cloud may include a breach of an IT environment followed by the hacker moving laterally in the cloud and finding OT locations to attempt a compromise.
SaaS Security Checklist: Best Practices to Protect SaaS Application [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Mehul Rajput
When companies move their data and apps to the cloud, they gain productivity enhancements and cost reductions, but take on some security issues in exchange. The mandatory work-from-home caused by the COVID-19 pandemic increased the demand for SaaS apps. While SaaS is a fantastic software distribution model, easy to use, install, and configure in the cloud, companies face several issues. What are those issues? Cyber concerns like data breaches, malicious attacks, unauthorized access, etc., are the most common.
Splunk Security Overview
by Deepan Naveen
How do our users ‘use’ Splunk? It typically starts with searching to troubleshoot issues or investigate incidents. Users then ‘add knowledge’, or meaning, to their data, making it more useful. Then they start seeing the power of Splunk and automate monitoring for specific conditions, threats, etc. Finally, they start using the powerful reporting and charting tools to analyze their data for all manner of things.