In the book we looked at specific examples of vulnerabilities. My goal was to cover as many classes of issues as possible, though of course I could not cover every possible issue you might encounter on your pentests. As you continue your penetration testing career, you will need to take what you have learned and…
In my book chapters about exploit development, I note that finding bad characters is outside of the scope of the chapters and just give the readers the bad characters list. With only four exploit development chapters in the book, there is just so much I can cover. My editors asked me to provide a resource…
This capture the flag game and accompanying class is designed with security beginners and those who are new to CTFs in mind. The vulnerabilities will range from blank passwords to custom buffer overflow vulnerabilities. Choose the instructor of your choice and work with the rest of the students to defend servers built by the other…
One of the features of SPF is being able to take a compiled Android APK and refactor it to include the SPF Agent. Details of how to do this in SPF are in the SPF User manualBackdooring APKs section. The resulting app looks and feels like the original app, but with some extra functionality. In…
I’ve been messing with SMS for hidden out of bounds communication since 2011. My earlier work involved a backdoored device driver: Demo Video: Background SMS Demo Whitepaper: Transparent Botnet Command and Control for Smartphones over SMS PoC Code: botPoCrelease-android.c Slides: Shmoocon 2011 Slides Working at the application layer in Android is for one easier and…
This post assumes basic knowledge of using the Smartphone Pentest Framework (SPF). Specific required knowledge is referenced in the User Manual as it is referenced. SPF can be downloaded here: Github The SPF User Guide is here: User Guide Videos about SPF are here: SPF Videos In 2013 I started taking a look at the…