As the year comes to another end, this is a gentle reminder that we moved our blog to our main website:

If you want to keep up to date with our monthly updates, it is best to head over there.

With ransomware and wiperware being the criminals' choice for earning a quick buck, having a secure backup is more important than ever. But what happens when resilience fails and you risk losing your backups? This post discusses the attempted recovery of OSX's Time Machine after it has become faulty.

This post describes the steps our team took to recover a client's corrupted Time Machine backup.

You may see the following message as a warning that something has gone wrong with Time Machine:

One of the most popular WSGI utility libraries for Python is Werkzeug. It simplifies the handling of HTTP connections within your Python application, but it also provides a powerful debugger that permits code execution from within the browser.

While the linked documentation warns against enabling the debugger on anything in production, the warning is often ignored or forgotten and the debugger ends up enabled anyway. It is possible to search for systems on the Internet that have the debugger enabled and execute Python code remotely.

It should be noted that this affects both the Flask and…

What is Railgun?

Railgun is a very powerful post-exploitation feature exclusive to Windows Meterpreter. It gives you complete control of your target machine's Windows API, or you can load whatever DLL you find and do even more creative things with it.

It can even be used to bypass anti-virus by calling functions directly from DLLs.

How to use Railgun for Windows post-exploitation

For the purpose of this post, we will assume you have successfully launched a Meterpreter trojan on a test VM, or exploited a vulnerable VM, and have a Meterpreter session on a Windows (XP/7/10 <1703) target.

Note: We state Windows 10 before version 1703, as 1703 introduced…

Another day, another breach. But this time it was an unsecured MongoDB instance in the cloud.

What is MongoDB?

MongoDB stores data in flexible, JSON-like documents, meaning fields can vary from document to document and the data structure can change over time. This enables users to perform ad-hoc queries, indexing and data aggregation in real time.

Finding Mongo

By default MongoDB listens on TCP/27017, but depending on configuration it can also be found on 27018–27019.

In the aforementioned breach, Shodan was used to discover the vulnerable instance, and from our screenshot today there are approximately 59,503 accessible instances:

The Centre of Information Security (CIS) benchmark for Amazon Web Services has a networking section with two points related to the security management of AWS firewalls, or security groups. More specifically, section 4 (Networking) has two checks for unrestricted ingress on TCP ports 22 (SSH) and 3389 (RDP). At Netscylla we decided to create two scripts that would highlight security groups, and their associated instances, that expose services to the internet.

Trusted Advisor

For those with minimal accounts, or even support contracts, 'Trusted Advisor' is an excellent source of potential weaknesses. But what if we wanted a more generic audit, to flag any instances…

Below we walk through a very simple example of writing your own serverless code (Lambda functions) from a Linux workstation.

Lambda Languages

AWS Lambda currently supports the following languages:

  • C# versions 1, 2 & 2.1
  • Go version 1
  • Java version 8
  • Node versions 4, 6 & 8
  • Python versions 2 & 3

It is advisable that you know at least one of these programming languages before you begin writing any Lambda code.

For demonstration purposes we will continue with Python 3.

Lambda Creation

Step 1 — Create a workspace

mkdir my_lambda_module

Step 2 — Create

Assuming we are creating a Python-based Lambda function:

touch my_lambda_module/

Step 3 — Install any missing/prerequisite modules:

pip3 install <module> -t ./my_lambda_module

Step 4 — Code

Code away using your…

Modern-day cyber-criminals and legitimate red teams are increasingly using cyber-squatted domains (including bitsquatting and homoglyphs), registering a domain that is very similar to the victim's or target's corporate domain:

may become any number of:

These (or similar) domains are often intentionally chosen to avoid suspicion and human analysis, and it can be difficult for the blue team to determine whether they are new domains registered by legitimate developers for new products and/or services, or whether they are part of a sophisticated attack platform ready to exfiltrate corporate secrets.

As modern C2 implants…

A new technique to crack WPA PSK (Pre-Shared Key) passwords.

In order to make use of this new attack you need the following tools:

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. However, WPA3 is not vulnerable to this specific attack. WPA3 will be much harder to attack because of its modern key-establishment protocol, "Simultaneous Authentication of Equals" (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way or…

Netscylla Cyber Security

Interesting thoughts and opinions from the field of cyber security in general, focusing mainly on penetration testing and red-teaming.
