Presented by Tim
Introduction
This is a follow-up article to Paul W’s write-up about m1con’s mobile CTF. In the article, Paul mentioned CyberChef, and it was a quick way of solving the challenge.
Since CyberChef wasn’t covered, and may provide a quicker solution for future CTF challenges, I decided to describe it here.
What is CyberChef?
CyberChef was developed by GCHQ to quickly perform certain operations on inputs.
Presented by Paul W
Introduction
Last night I went to the meetup group “M1 Con” hosted by Digital Interruption and Outsource UK Ltd.
Jay Harris gave a talk about mobile security - it wasn’t super technical, but it highlighted the fact that clearly security is still a bit of an afterthought, especially when it comes to mobile development - he cited examples of issues that crop up in mobile devices that were fixed in web apps (XSS vulnerabilities for example) long ago.
Written by Rob
Whilst analysing a number of free communication-based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite (the free version of WiFi Baby Monitor). Although the premium version offered users the ability to specify a password to be used in the pairing process, the free version offered no such function.
Monitoring the traffic using Wireshark during the pairing process revealed:
Written by Jay
During most mobile application or IoT pen tests, it’s often a requirement to perform a man-in-the-middle attack to view network traffic. Below are some approaches which work when it’s not possible to set a system proxy (or when a mobile application does not honour it).
ARP Poisoning
Pros/Cons

| Pros | Cons |
|------|------|
| Easy | Active attack; can be detected |
| Redirects all traffic | Can be risky |
| | Device and laptop need to be on the same network. |