Hide in Plain Sight: Protocol Multiplexers

Almost every Internet-connected device on the planet comes with a nice web interface to interact with. And some of them like routers and APs come with their own little firewall to prevent backdoors and whatnot. So what if one of these devices or even servers gets compromised? Where do you look at to find IoC (indication of compromise) in them? I don't think I need to explain why IoT is a huge security challenge for every organization since everyone at least has a “smart” printer lying around somewhere.

Dissection of Winbox critical vulnerability

On April 23rd 2018, Mikrotik fixed a vulnerability “that allowed gaining access to an unsecured router”. myself and @yalpanian of @BASUCERT (part of IR CERT) reverse engineering lab tried to figure out what exactly got fixed, what was the problem in the first place and how severe was the impact of it. UPDATE: full PoC is now available on Github. UPDATE: CVE-2018-14847 has been assigned to this vulnerability and there should be a MetaSploit module related to this bug soon.

Getting started with Dynamic Binary Analysis

What, Why, and Where? What is it exactly? Dynamic Binary Analysis (DBA) is a technique to analyze the behavior of a binary by somehow running it and watch its behavior. Obviously it's the opposite of Static Binary Analysis in which you disassemble a piece of code and draw the graph of the entire program to see what it does. Why not Static? well, it's actually better if you have a small binary or a binary written in a friendly programming language.

What is port sharding in Linux and why should I care

It's actually called SO_REUSEPORT Kernel 3.9 introduced a new cool feature in SOCKET interface called SO_REUSEPORT. So what is it? As the official documentation says, it allows multiple AF_INET or AF_INET6 sockets to be bound to an identical socket address. before binding a socket to an interface, each one should have this option enabled. This way, mutiple processes can listen on the same port at the same time! How Can This Possibly Be Secure?