Primary Content: Home

JTAGulating JTAG!

Discovering JTAG ports with the JTAGulator, and connecting to them with UM232H!

What is JTAG?

JTAG is short for Joint Test Action Group and generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset.

It can be useful to hardware hackers in various ways, such as extracting device IDs, extracting firmware, overwriting memory.

Continue reading: JTAGulating JTAG!

Kerberos PreAuthentication and Party Tricks

Back in 2016, Geoffrey Janjua of Exumbra Operations Group, presented at LayerOne about “Kerberos Party Tricks” and abusing user accounts which have Kerberos Pre-authentication disabled.

The python script he released at the time was a great proof-of-concept, but there are alternative tools available now for detecting, and exploiting, this issue.

Continue reading: Kerberos PreAuthentication and Party Tricks

ClickJacking and JavaScript KeyLogging in Iframes

This week I was asked some specific questions about the security of iframes. The questions came about from a PCI standpoint, for stores that use fully outsourced iframes for taking payment.

The question was effectively, if an attacker can inject JavaScript into the framing (store) page, what effect can they have on the security of the site and the payment page.

Short answer: The attacks are very limited.

Long answer:

Continue reading: ClickJacking and JavaScript KeyLogging in Iframes

Spoofing Packets and DNS Exfiltration

Following a successful penetration test, you may have large amounts of data to exfiltrate from an environment specifically hardened to make it difficult to exfiltrate data. For example, the network might have a firewall that explicitly blocks common exfiltration methods – such as SSH, HTTPS, HTTP.

It is common that you can still exfiltrate data from these networks by using DNS. For example you could make a request to a domain name that you control where the subdomain contains some information to be exfiltrated. Such as sensitive-data-here.attacker.example.com. DNS is a recursive system, such that if you send this request to a local DNS server, it will forward it on and on until it reaches the authoritative server. If you control the authoritative server, you can simply read the sensitive data from the DNS logs.

Continue reading: Spoofing Packets and DNS Exfiltration