Industry News

This article describes how to capture and decrypt TLS traffic (the encryption protocol that secures web communication) on Windows using built-in tools like netsh and Wireshark. The technique works by setting an environment variable to log TLS session keys, capturing network traffic without installing extra software, and then using Wireshark to decrypt the captured data.

The EU AI Act requires technical standards to be written by European standardization organizations (CEN and CENELEC) that explain how companies can safely build high-risk AI systems. These standards follow a six-step approval process and, once published and approved by the European Commission, become 'harmonized and cited standards' that legally presume compliance with safety regulations if companies follow them. The drafting process is currently ongoing but behind schedule, with different standards at different completion stages.

Attackers are using a new phishing technique that exploits OAuth2 Device Authorization Grant (a protocol that lets devices log in by directing users to a website to authorize access) to trick users into granting them access to data, especially as organizations adopt passwordless authentication methods like hardware tokens. The attack begins when an attacker initiates a device code flow by sending a request to a service provider's device code endpoint, such as Microsoft's Azure AD (active directory, a system that manages user identities and permissions).

The article discusses security risks with Azure's AAD (Azure Active Directory, Microsoft's cloud identity service) when MFA (multi-factor authentication, an extra security check beyond passwords) is misconfigured. A common mistake is enforcing MFA only at the federated identity provider (an external service that handles logins) while leaving ROPC (Resource Owner Password Credentials, a method where users send passwords directly to get access tokens) enabled in AAD itself, which allows attackers to bypass MFA protections after gaining initial access.

PenTest Magazine's latest free issue features an article about ropci, a tool used in penetration testing (simulated security attacks to find vulnerabilities). The article provides more detailed information than the tool's blog post or GitHub repository, and the magazine also includes coverage of Nuclei, another popular security testing tool.

ROPC (Resource Owner Password Credentials, an OAuth2 method that sends usernames and passwords directly to get access tokens) can bypass multi-factor authentication (MFA, a security check requiring multiple forms of verification) in Microsoft Azure Active Directory if not properly configured, because over 50 default apps in every tenant support ROPC and may not enforce MFA. The post warns that ROPC should not be used and recommends testing your Azure setup for this vulnerability using the ropci tool.

SSH Agent Hijacking is an attack where an adversary with root permissions can steal SSH private keys (encryption keys used for secure shell access) from a forwarded SSH Agent, a service that stores authentication credentials. On shared systems like jumpboxes (intermediate servers used to access other machines), an attacker can find another user's SSH_AUTH_SOCK (an environment variable pointing to the SSH Agent's communication socket) and use it to impersonate that user and access machines they have permission to reach.

Gospray is a tool designed to test credentials by attempting to log into domain controllers (the central servers that manage network access) using LDAP bind (a method for authenticating directly against these servers). Unlike some other credential-testing approaches, it communicates quietly and directly with the domain controller without needing other servers as intermediaries, and it allows configurable levels of parallel attempts.

This post demonstrates how attackers can use eBPF (extended Berkeley Packet Filter, a technology that lets programs run safely inside the Linux kernel) and bpftrace (a tool for tracing system events) to intercept and steal PAM (Pluggable Authentication Modules, the system that handles login authentication) passwords when users log in. The technique works similarly to a backdoor PAM module but uses eBPF instead, highlighting emerging security risks from new kernel-level attack tools.

This post describes a post-exploitation attack where an attacker modifies PAM (Pluggable Authentication Modules, a Unix system for controlling login behavior) to secretly capture user passwords by inserting a malicious script into the authentication pipeline. The attacker creates a bash script that logs usernames, passwords, and IP addresses whenever someone logs in, making it difficult to detect because it operates within legitimate system authentication mechanisms.

This article explains how to customize shell prompts (the command-line interface where users type commands) to automatically display date and time information, which helps security professionals document their activities during red team exercises (simulated attacks to test security). The article provides examples for three common shells: Bash, zsh on macOS, and PowerShell.

On macOS, attackers can extract password hashes from the local directory service (the system that stores account information) using the dscl command tool, even when System Integrity Protection is enabled, then convert these hashes to a format that hashcat (a password-cracking tool) can process to crack the passwords. This technique is particularly dangerous when organizations reuse the same admin password across multiple Mac computers, making lateral movement (spreading access across a network) easier for attackers.

The Flipper Zero is a handheld device that can read and emulate NFC (near-field communication, the wireless tech in credit cards and phones), RFID (radio-frequency identification used in key fobs), infrared signals, and radio frequencies, along with a Bad-USB feature that lets it act as a keyboard to send preprogrammed commands. The author demonstrates that it can easily read credit card numbers from physical cards and Apple Watches, though they note the device is educational and users should understand the risks and legal implications of its capabilities.

This article describes a bash script tool that runs AWS commands across multiple AWS profiles (sets of credentials configured locally) to help security researchers test discovered AWS access keys during penetration testing or bug bounties. The script checks whether each key is valid, identifies what resources it can access, and logs metadata like timestamps and the source IP address for reporting purposes.

This post documents reconnaissance techniques for GitLab (a code hosting platform similar to GitHub) after obtaining a GitLab Token (a credential that grants API access). An attacker with a valid token can enumerate projects, clone source code repositories to search for secrets, extract CI/CD variables (configuration values that often contain passwords or access keys), and discover runner tokens (registration credentials for build automation systems).

Log4Shell is a critical vulnerability in Apache's log4j library (a widely-used Java logging tool) that allows remote code execution (running commands on a system from afar) through its Java Naming and Directory Interface support. The vulnerability is particularly dangerous because log4j is used in many Java applications and is easy to exploit. The source mentions that patches were released to fix the issue, though it also notes that bypasses to those patches were discovered, leading to additional patches.