Representing data on a computer involves mapping an arrangement of binary bits (10110) to a defined character set (A-z, 0-9). This is encoding, and it comes in many varieties.
If the received encoding differs from the expected encoding there will be errors and things will generally not work.
* Encoding representations - Hex (0x41), Code Point (U+0041), Binary (01000001), ASCII (A)
* The encoding length for UTF-8 & UTF-16 is variable (UTF-8: 1 byte min, 4 bytes max; UTF-16: 2 bytes min, 4 bytes max).
* The line termination signal varies between Linux (LF) & Windows (CRLF).
Payloads on Windows will not trigger unless the correct encoding and line termination signal are received.
This can be frustrating, ask me how I know.
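As an added example (not code from the original page), the points above in Python: a helper that shows one character in each of the listed representations together with its UTF-8 and UTF-16 byte lengths, a sniffer that reads the byte-order mark and dominant line terminator of a received byte stream, and an encoder that prepares a script for powershell.exe -EncodedCommand, which expects UTF-16LE text encoded as base64. The function names and the sample inputs are my own.

```python
import base64

# Byte-order marks that identify the common text encodings on the wire.
BOMS = {
    b"\xef\xbb\xbf": "utf-8-sig",
    b"\xff\xfe": "utf-16-le",
    b"\xfe\xff": "utf-16-be",
}


def describe_char(ch: str) -> dict:
    """One character in the representations listed in the notes, plus how
    many bytes it occupies in the two variable-length Unicode encodings."""
    cp = ord(ch)
    return {
        "char": ch,
        "hex": f"0x{cp:02X}",
        "code_point": f"U+{cp:04X}",
        "binary": f"{cp:08b}",
        "utf8_len": len(ch.encode("utf-8")),
        "utf16_len": len(ch.encode("utf-16-le")),
    }


def detect_text_format(data: bytes) -> dict:
    """Guess the encoding from a BOM (falling back to UTF-8) and report the
    dominant line terminator of a received byte stream."""
    encoding = "utf-8"
    for bom, name in BOMS.items():
        if data.startswith(bom):
            encoding = name
            break
    text = data.decode(encoding, errors="replace")
    crlf = text.count("\r\n")
    lf = text.count("\n") - crlf          # bare LFs only
    eol = "CRLF" if crlf > lf else "LF" if lf else "none"
    return {"encoding": encoding, "eol": eol, "crlf": crlf, "lf": lf}


def to_crlf(text: str) -> str:
    """Normalise any mix of LF / CRLF to Windows CRLF without doubling CRs."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n")


def to_encoded_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it:
    line endings normalised to CRLF, then UTF-16LE, then base64."""
    return base64.b64encode(to_crlf(script).encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    print(describe_char("A"))
    print(detect_text_format(b"\xff\xfe" + "a\r\nb\r\n".encode("utf-16-le")))
    print(to_encoded_command("Write-Host hi"))
```

The same script encoded as UTF-8 with LF endings will not be accepted by -EncodedCommand, which is the practical form of the mismatch described above.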
Making custom payloads and offensive tools for Initial Access, Reconnaissance, Authentication Bypass and Target Enumeration. Generally written in Python and Lua (NSE).
* Multi-threading for network & web requests.
* Implemented a logging pipeline for clear visibility and team dashboards.
* Remote notification messages for key events.
* * *
#_ windows amsi internals
What is AMSI
-------------------
The Windows Anti-Malware Scan Interface1 is a security feature that scans and evaluates text input to common Windows script interfaces like PowerShell and JScript before it runs.
The input text is placed in a memory buffer and checked for techniques & tactics used by malware and threat actors.
* Input is checked for malicious behaviour or Indicators of Compromise (IOC).
* Bypass 1: The AMSI context structure in memory can be patched so the scan call fails, producing a [Fail-Open] condition that bypasses anti-malware scanning.
* Bypass 2: The scripting host's internal AMSI status attribute can be changed so it skips anti-malware scanning.
What Data Structure?
-----------------------------
Microsoft provides the AMSI interface to any software that wants to register and submit user input for evaluation against known malware TTPs2.
The AMSI interface provides a memory input buffer through which input data is submitted for evaluation before it executes, so violations are caught early.
Communication between the programs is done through registered COM interfaces that are exposed to each registered piece of software.
By attaching a debugger we can observe the AMSI data structure, including the memory storage buffer and the metadata associated with the process.
We see key structured information in memory. The initialisation header [ISMA] is the first 4 bytes of the structure: the DWORD signature 0x49534D41 sits in memory as the bytes 41 4D 53 49 ('AMSI'), and a debugger printing the little-endian DWORD shows the same characters reversed as 'ISMA'. It is a critical integrity check on AMSI operation. Patching these bytes in memory makes the integrity check fail, which causes the AMSI instance to [Fail-Open]:
the scanning host does not interrupt the user experience when malicious intent cannot be determined, so a failed scan is treated as clean.
Inspecting the scripting host, there is a second attribute that gates the AMSI instance - PowerShell's 'amsiInitFailed' field. This attribute is a boolean set False when initialisation completed without issue.
As a protective practice, when an issue occurs during initialisation 'amsiInitFailed' is set True and the AMSI instance stays inactive rather than operate in a corrupted state.
However, this value can be manually set in memory, so the host skips scanning and AMSI is ineffective for all future buffer input in that process.
AMSI is a great mitigation that moves Windows security in the right direction, but it should be seen as playing a part in a larger layered security system.
- Calculating the parity bit for integrity (shown in table).
A classic introductory programming problem is swapping the positions of two integers within an array without a temp variable, which would increase the space requirement.
Logical bitwise operations can be really helpful for performing some tasks efficiently. For example, logical AND (&) for data validation, and logical OR (|) for flag attribute and permission management.
LRC XOR - A longitudinal redundancy check (LRC), or horizontal redundancy check, is a form of redundancy check that is applied independently to each of a parallel group of bit streams; computed with XOR, the check byte is the XOR of every data byte.
Longitudinal Redundancy Check (LRC)/2-D Parity Check Link
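The parity, LRC and bitwise-flag ideas from the notes above, as an added Python example (not from the page): an even/odd parity bit, the XOR LRC with its self-checking property, a 2-D parity check that can locate a single flipped bit, the in-place XOR swap, and AND / OR / AND-NOT for permission masks. Function names and sample bytes are my own.

```python
def parity_bit(byte: int, even: bool = True) -> int:
    """Parity bit for one byte. Even parity makes the total count of 1s even;
    odd parity makes it odd."""
    ones = bin(byte & 0xFF).count("1")
    bit = ones & 1                  # 1 when the data already has an odd count
    return bit if even else bit ^ 1


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of every byte. XOR is its own
    inverse, so XOR-ing the data together with its LRC byte yields 0."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def lrc_valid(frame: bytes) -> bool:
    """frame = data || lrc(data); valid when the running XOR comes out to 0."""
    return lrc(frame) == 0


def two_d_parity(rows: list) -> tuple:
    """2-D parity: one even-parity bit per row plus a column-parity byte.
    The column parity is exactly the LRC of the rows."""
    return [parity_bit(r) for r in rows], lrc(bytes(rows))


def locate_single_bit_error(rows: list, row_bits: list, column_byte: int):
    """None if both checks pass, (row, bit) for a single flipped bit, or the
    string 'uncorrectable' when more than one bit changed."""
    bad_rows = [i for i, r in enumerate(rows) if parity_bit(r) != row_bits[i]]
    bad_cols = lrc(bytes(rows)) ^ column_byte
    if not bad_rows and bad_cols == 0:
        return None
    if len(bad_rows) == 1 and bin(bad_cols).count("1") == 1:
        return bad_rows[0], bad_cols.bit_length() - 1
    return "uncorrectable"


def xor_swap(arr: list, i: int, j: int) -> list:
    """Swap arr[i] and arr[j] in place with no temporary. The i == j guard
    matters: XOR-ing a slot with itself zeroes it."""
    if i != j:
        arr[i] ^= arr[j]
        arr[j] ^= arr[i]
        arr[i] ^= arr[j]
    return arr


# Bitwise AND for validation, OR for granting flags, AND-NOT for revoking them.
PERM_READ, PERM_WRITE, PERM_EXEC = 0b001, 0b010, 0b100


def grant(mask: int, perm: int) -> int:
    return mask | perm


def has(mask: int, perm: int) -> bool:
    return (mask & perm) == perm


def revoke(mask: int, perm: int) -> int:
    return mask & ~perm


if __name__ == "__main__":
    data = b"ABC"
    print("LRC of ABC:", hex(lrc(data)), "valid:", lrc_valid(data + bytes([lrc(data)])))
    bits, col = two_d_parity(list(data))
    print("single-bit error at:", locate_single_bit_error([0x41, 0x40, 0x43], bits, col))
```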
* * *
#_ virus ant farm display
Network - https://xkcd.com/350
|--- _RPC Header Information_ ---|
// header info stuff
|--- ____Bind or Request_____ ---|
// type of request
|--- ___Shell Code Payload___ ---|
// hex encoded payload
Virus monitoring dashboard
System notification of the beginning phase of infection is done by directly patching (hooking) the Windows mem_Copy function call.
The ASD (Australian Signals Directorate) released a challenge coin to celebrate its 75th anniversary.
Markings on the coin can be decoded using substitutions and ciphers.
I built an animated cipher solver for each of the challenges in C#.
* Writing characters to the indexed screen buffer
* Changing cursor position with timed delays
* Creating string literal ASCII art
Cipher Solver
75th Anniversary Commemorative Coin Challenge Link
* * *
#_ making a tv station
...What are you doing?
...I'm taking over a TV network.
Introduction
-------------------
Traditionally broadcast television modulates electromagnetic energy at radio frequencies. This signal is analogue and continuous, unlike a digital interface (eg: HDMI),
which is sampled and discrete. The signal carried by the coaxial cable (PAL) is analogue.
Bandwidth (in Hz)
Amplitude, frequency, and phase
Signal-to-noise ratio (SNR)
Wave separation
|---- Raspberry Pi ---|---Station Software---|------>-----|---RF Modulation Unit---|---->----|---TV ANT---|
- RF energy
- signal parabola focal point
- resonance / very powerful - see bridge.
|\ /|
| \ / |
---------
History has been pretty clear: never roll your own crypto. Secure cryptographic protocols are best as open standards and will need to. 48-bit keyspace (k), as with the MIFARE Classic cards discussed under wireless proximity cards.
* * *
#_ wireless proximity cards
Introduction
-------------------
Wireless proximity cards are available in many different types and use cases. The different types generally fall into 3 categories.
1. Access Control.
2. Signal Control.
3. Identification.
Magnetic Stripe
Multiple tracks store data - vulnerable to cloning and skimming attacks. No authentication.
Prox Cards
Cards are either passively or actively powered. Sub-class of RFID (125 kHz). The card simply SENDS its identifier code.
RFID
High frequency (13.56 MHz) - read / write operations with an IC on the card.
NFC
Sub-class of RFID (13.56 MHz) - adds authentication and additional security.
MIFARE Classic is old and vulnerable; it uses a proprietary encryption protocol (Crypto-1) with a 48-bit key.
* * *
#_ facebook root certificates
Introduction
-------------------
Consistent security controls and high reliability are common expectations for any systems administrator. How do you deliver both on a network with thousands of servers supporting thousands of engineers? Most off-the-shelf solutions require a compromise in at least one of these areas, and we refused to accept this.
- PKI
- transitive trust
- symmetric \ asymmetric encryption
- encryption attributes \ properties
The SIP and RTP protocols are common in enterprise environments and often carry sensitive information. If security controls are not implemented correctly, SIP endpoints become a target for threat actors.
* VoIP SIP structure and call handling procedures.
* Handling authentication and joining a call.
* RTP media carriage.
Links
---------
* * *
#_ my vim config
...Linux is awesome and so are you!
Introduction
-------------------
A light vim config that has been configured towards reading code and config files. I have a preference for managing a single window in vim with splits and using tmux for multi-window work.
* Light-touch vim config. Ready to add a file explorer, fuzzy finder and LSP as needed with the plugin manager of choice.
* Relative line numbers for easy navigation. Underline and highlight of the current line for clarity. File status bar. Line length indicator at 100 characters.
* You can find a copy of the .vimrc configuration file here
Two common techniques for external domain enumeration are often mentioned but rarely explained in depth:
(1) LDAP anonymous binds (2) SMB/RPC1 null sessions.
Although both allow enumeration, they operate over different protocols and expose different classes of information, yet are often discussed interchangeably.
* Attack opportunities open up when account information can be enumerated.
* A common attack from outside the domain perimeter is connecting to hidden services through null authentication.
* These two attack methods are commonly conflated but use two different communication protocols.
This is a well-worn attack path and is commonly seen in CTFs and introductory offensive security courses.
ldap connection
SMB not only provides file shares but is the transport for multiple backend services. You can get a shell, change the properties of services and enumerate/process security policy, all through SMB.
The Inter-Process Communication share \\IPC$ is the gateway to special operations using named pipes. In this case authentication happens through SMB, either with credentials or anonymously
through a null session. Null sessions typically remain available because a domain has been upgraded from an old operating system version and the security policy has not been updated by the system administrator.
Operations through SAMR2 are based on objects, and access is handled through object handles that are provided to the client as an access token.
Once authenticated:
- a Connect Handle is provisioned and provided to the client.
SMB/MSRPC connection
1. Server Message Block/Remote Procedure Call
2. Security Account Manager Remote Protocol
SMB and Null Sessions: Why Your Pen Test is Probably Wrong Link
When comparison operations are executed at the binary/byte/hex level they are strict, and only one path leads to a pass. This can be very restrictive and does not work for all situations of user input from general purpose computing that you might want accommodated.
Loose comparisons can assist in this situation: they allow multiple paths to a pass for a single input (type coercion / casting).
* Data types are critical in computer operations, everything from pointer arithmetic, to CPU instruction selection for int (ALU) or float (FPU) operations, to the evaluation of high-level language abstractions.
* With PHP loose comparison multiple paths exist to the accept path. 'secret' === 'secret' (is equal). 'secret' == true (is equal).
* This behaviour can be helpful but really dangerous in particular situations, like authentication.
The common approach for authentication is:
+--- take user password as text to server. ---+ +--- transform password with known algorithm + salt. ---+ +--- retrieve password representation from database. ---+ +--- comparison ---+
- We have some comparisons going on. Looks strict and safe, moving right along >>
- We have some branching logic through a SWITCH statement. Although the PHP (equals) == and === are not present, an evaluation/comparison and branch are happening! PHP's switch matches its cases with loose == semantics.
- Coding my own lab in PHP - we can see the strict comparison case is applied to the string literal "secrets" with access denied. Access granted with Boolean true of type Boolean (true == 'secrets').
Solutions:
- Comparisons for authentication material (usernames, passwords, hashes) should ALWAYS be binary-safe.
- Ensure value comparisons run in constant time (hmac.compare_digest [Python], hash_equals [PHP], crypto.timingSafeEqual [Node], and the verify functions of bcrypt / argon2).
TL;DR
In PHP using == can cause strings that look like numbers to be coerced into numeric form.
This allows authentication bypasses if stored hashes can be shaped into "0e..." patterns that evaluate to 0.
var_dump("0e12345" == "0"); // true
var_dump("0e98765" == "0e12345"); // true
PHP Type Juggling - Why === is Important - Bug Bounty Tips Link
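An added Python model (not code from the page) of the PHP 8 loose comparison rules that matter in authentication code, placed next to a binary-safe, constant-time comparison. It reproduces the "0e..." numeric-string case and the string-vs-true case from the text. The regex approximates PHP's numeric-string grammar, the model covers only str/int/float/bool, and the hash values in the test are constructed.

```python
import hmac
import re

# PHP numeric-string grammar (approximation): optional whitespace, sign,
# digits with optional decimal part or a leading '.', optional exponent.
# "0e12345" matches and denotes the float 0.0.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_numeric(s: str):
    """The number a PHP numeric string denotes, or None if it is not numeric."""
    if not _NUMERIC.match(s):
        return None
    s = s.strip()
    return float(s) if any(c in s for c in ".eE") else int(s)


def php_to_bool(v) -> bool:
    """PHP truthiness: "" and "0" are false; every other string is true."""
    if isinstance(v, str):
        return v not in ("", "0")
    return bool(v)


def php_loose_eq(a, b) -> bool:
    """Model of PHP 8 `==` for str / int / float / bool operands."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_to_bool(a) == php_to_bool(b)       # other side cast to bool
    if isinstance(a, str) and isinstance(b, str):
        na, nb = php_numeric(a), php_numeric(b)
        if na is not None and nb is not None:
            return na == nb                            # both numeric: compare as numbers
        return a == b                                  # otherwise byte-wise
    if isinstance(a, str) or isinstance(b, str):
        s, n = (a, b) if isinstance(a, str) else (b, a)
        ns = php_numeric(s)
        if ns is not None:
            return ns == n                             # numeric string vs number
        return s == str(n)                             # PHP 8: number cast to string
    return a == b


def php_strict_eq(a, b) -> bool:
    """`===`: same type and same value."""
    return type(a) is type(b) and a == b


def vulnerable_check(stored_hash: str, candidate_hash: str) -> bool:
    """The pattern the text warns about: two hex digests that both happen to
    look like '0e<digits>' compare equal as numbers."""
    return php_loose_eq(stored_hash, candidate_hash)


def safe_check(stored_hash: str, candidate_hash: str) -> bool:
    """Binary-safe and constant-time: the two properties the Solutions list asks for."""
    return hmac.compare_digest(stored_hash.encode(), candidate_hash.encode())


if __name__ == "__main__":
    print('"0e12345" == "0"      ->', php_loose_eq("0e12345", "0"))
    print('"secret" == true      ->', php_loose_eq("secret", True))
    print('"0e12345" === "0"     ->', php_strict_eq("0e12345", "0"))
```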
* * *
#_ linux screensaver
Introduction
-------------------
C OpenGL
Coming Soon. Air Defence
* * *
#_ industry control system
Introduction ICS
-------------------------
Industrial Control Systems (ICS) security is a speciality area that involves components that are sensitive to latency and data integrity. These systems and their security hardening require knowledge of network systems,
operating systems, application coding and encryption protocols. Typically these networks are segmented from the main corporate network and the internet; the robustness of this segmentation will vary depending on the implementation and the business's appetite for risk.
These systems can include time dependent operations, for example encoding a value or voltage in a message that is expected within the scan rate for optimal operation. TLS can introduce timing variance that will negatively affect operations.
* Often the strongest defensive control against ICS attacks is network isolation (air-gapped network, network segmentation, IP blocks).
* ICS networks contain multiple internal segments that need to be assessed individually. These can include {HMI, Remote Access, Protocol / RTU / communication band transition layer, Deployment / Configuration layer}.
* Internal services and software need to be considered carefully. 1) Device software. For example the default Siemens web server that runs as part of the control plane is rarely updated, and generally outlasts the supported update lifecycle.
2) The ICS devices and management / monitoring devices have dependent services, for example {DHCP, File Storage, IAM, Active Directory}. Typically these services are implemented centrally and access into the ICS is done through a dual-homed setup.
When I was assessing ICS networks I would be provided a plug-in appliance that required a bunch of configuration and licensing and generally wasn't optimal for the information we were looking for during the limited site time we had.
I created a drop-in replacement / secondary software that would quickly provide points of interest and guide the direction of the security assessment, which is great for time-boxed engagements.
Kernel flag optimisation: CPU affinity, interrupts, execution task prioritisation, large buffers.
Fast, limited Linux kernel
Raw socket data
Filtering capability - socket data
Station node connection graph
Statistics output
ICS audit application: packet capture on a SPAN port.
- Here is my application being used at the beginning of an ICS security assessment.
- The application is written in C++ and provides the pentester key insights into the network layout, network egress and insecure network protocols.
- Optimised for high packet throughput and operation.
- Can run directly in RAM or be installed to disk.
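An added Python sketch (not the author's C++ tool) of the analysis stage described above: given flow records (source, destination, destination port, transport, bytes), build the station node connection graph, total bytes per protocol, flag flows that leave the ICS zone, and flag cleartext ICS and IT protocols by port. The port table, the CIDR used for the ICS zone and the sample flows are constructed for the demo.

```python
import ipaddress
from collections import Counter, defaultdict

# Classic ICS/OT protocols carry no authentication or encryption, so their
# presence on the wire is itself a finding worth listing.
CLEARTEXT_ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    2404: "IEC 60870-5-104",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}
# Plaintext management protocols often left enabled on HMI / engineering hosts.
CLEARTEXT_IT_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 80: "HTTP", 161: "SNMP"}


def summarise_flows(flows, ics_networks) -> dict:
    """flows: iterable of (src_ip, dst_ip, dst_port, transport, byte_count).
    ics_networks: CIDR strings that define the segmented ICS zone.
    Returns the node connection graph, bytes per protocol, flows that leave
    the zone (egress) and flows that use cleartext protocols."""
    zone = [ipaddress.ip_network(n) for n in ics_networks]

    def in_zone(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in zone)

    graph = defaultdict(set)
    protocol_bytes = Counter()
    egress, insecure = [], []
    for src, dst, port, transport, nbytes in flows:
        graph[src].add(dst)
        name = CLEARTEXT_ICS_PORTS.get(port) or CLEARTEXT_IT_PORTS.get(port)
        label = name or f"{transport}/{port}"
        protocol_bytes[label] += nbytes
        if name:
            insecure.append((src, dst, name))
        if in_zone(src) and not in_zone(dst):
            egress.append((src, dst, label))
    return {
        "graph": {node: sorted(peers) for node, peers in graph.items()},
        "protocol_bytes": dict(protocol_bytes),
        "egress": egress,
        "insecure": insecure,
    }


# Constructed flow records standing in for a SPAN-port capture; not real traffic.
SAMPLE_FLOWS = [
    ("10.10.1.10", "10.10.1.20", 502, "tcp", 1200),   # HMI -> PLC, Modbus
    ("10.10.1.10", "10.10.1.21", 102, "tcp", 800),    # HMI -> PLC, S7comm
    ("10.10.1.30", "10.10.1.20", 23, "tcp", 300),     # engineering WS -> PLC, Telnet
    ("10.10.1.30", "8.8.8.8", 53, "udp", 90),         # DNS leaving the ICS zone
    ("10.10.1.10", "10.10.1.20", 443, "tcp", 5000),   # TLS, not flagged
]
ICS_ZONE = ["10.10.1.0/24"]

if __name__ == "__main__":
    result = summarise_flows(SAMPLE_FLOWS, ICS_ZONE)
    for src, peers in result["graph"].items():
        print(f"{src} -> {', '.join(peers)}")
    print("egress  :", result["egress"])
    print("insecure:", result["insecure"])
    print("bytes   :", result["protocol_bytes"])
```

Port-based classification is a first pass only; the C++ tool described above works on raw socket data, where a protocol parser (Modbus function codes, S7 PDU types) gives far higher confidence than a port number.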
* * *
#_ wireless signals analysis
Introduction signal analysis
------------------------------------
POCSAG
433 MHz
Satellite Commuinications
* * *
#_ mobile pentesting
Introduction
-------------------
* * *
#_ distributed cracking station
Introduction
-------------------
Our Red Team had a cracking machine, however it was also our test machine and the 'I need this' machine.
I wanted to develop something that solved two problems.
1. A running process that was fault tolerant of interruptions.
2. A running process that dynamically scaled as more computing resources became available.
* Supports known hash types & custom ones, salts and rainbow tables.
* PCs can be added or removed during runtime.
* Each PC's resources are evaluated and work is distributed on capability. A redistribution can occur on node enter, node exit and early completion.
Overview Diagram
C++ Backend Application
Python Frontend Application
The Setup
--------------
4 PCs with an estimated IPOS of (). Each PC is performance weighted and work is divided and distributed accordingly.
The Configuration
--------------------------
The main node will be responsible for the division, tracking and assembling of all work. Each node is given a socket to stream data. The worker nodes will
run an application, accept work, and stream results back in batches.
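An added Python model (not the author's C++/Python implementation) of the coordinator behaviour described in this section: the keyspace is split across nodes in proportion to their benchmarked rate, nodes can join or leave at runtime, a node checkpoints its progress so a crash only loses un-checkpointed work, and an early finish triggers a rebalance of everything still outstanding. Node names, rates and the keyspace size are made up; the real system streams work over sockets, which this model leaves out.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    rate: float                                   # benchmarked candidates/s at join
    assigned: list = field(default_factory=list)  # [start, end) ranges still to do


def merge_ranges(ranges):
    """Sort and merge adjacent or overlapping [start, end) ranges."""
    out = []
    for s, e in sorted(ranges):
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out


class Coordinator:
    """Main node: owns the keyspace [0, total), hands out ranges weighted by
    node rate, and re-splits whatever is unfinished on join, leave or early finish."""

    def __init__(self, total: int):
        self.total = total
        self.nodes = {}
        self.pending = [(0, total)]   # unassigned work
        self.done = []                # checkpointed work

    def _reclaim(self):
        """Pull every unfinished range back from the nodes into pending."""
        for n in self.nodes.values():
            self.pending.extend(n.assigned)
            n.assigned = []
        self.pending = merge_ranges(self.pending)

    def _distribute(self):
        """Hand out all pending work as contiguous pieces sized by rate share."""
        if not self.nodes or not self.pending:
            return
        work = sum(e - s for s, e in self.pending)
        nodes = list(self.nodes.values())
        total_rate = sum(n.rate for n in nodes)
        quotas = [int(work * n.rate / total_rate) for n in nodes]
        quotas[-1] += work - sum(quotas)          # rounding remainder to last node
        ranges, self.pending, idx = list(self.pending), [], 0
        for node, quota in zip(nodes, quotas):
            while quota > 0:
                s, e = ranges[idx]
                take = min(quota, e - s)
                node.assigned.append((s, s + take))
                quota -= take
                if s + take == e:
                    idx += 1
                else:
                    ranges[idx] = (s + take, e)

    def join(self, name: str, rate: float):
        self._reclaim()
        self.nodes[name] = Node(name, rate)
        self._distribute()

    def leave(self, name: str):
        """Node crashed or was pulled: only its un-checkpointed work is redone."""
        self._reclaim()
        del self.nodes[name]
        self._distribute()

    def checkpoint(self, name: str, position: int):
        """Node reports its current range is exhausted up to `position`."""
        node = self.nodes[name]
        s, e = node.assigned[0]
        if not s <= position <= e:
            raise ValueError("checkpoint outside the assigned range")
        self.done.append((s, position))
        if position == e:
            node.assigned.pop(0)
        else:
            node.assigned[0] = (position, e)
        if not node.assigned:                     # early finish: rebalance the rest
            self._reclaim()
            self._distribute()

    def remaining(self, name: str) -> int:
        return sum(e - s for s, e in self.nodes[name].assigned)

    def accounted(self) -> bool:
        """Invariant: done + pending + assigned must tile the whole keyspace exactly."""
        parts = list(self.done) + list(self.pending)
        for n in self.nodes.values():
            parts.extend(n.assigned)
        return merge_ranges(parts) == [(0, self.total)]


def demo() -> dict:
    """Join, checkpoint, leave and early-finish on a 1000-candidate keyspace."""
    out, c = {}, Coordinator(1000)
    c.join("a", rate=1.0)
    c.join("b", rate=3.0)                     # b is 3x faster: 250 / 750 split
    out["after_join_b"] = (c.remaining("a"), c.remaining("b"))
    c.checkpoint("b", 500)                    # b has covered 250..500
    c.leave("a")                              # a dies; its 0..250 goes to b
    out["after_leave_a"] = c.remaining("b")
    c.checkpoint("b", 250)                    # b finishes 0..250, keeps 500..1000
    c.join("c", rate=1.0)                     # remaining 500 split 375 / 125
    c.checkpoint("c", 1000)                   # c finishes early: b's leftover rebalanced
    out["final"] = (c.remaining("b"), c.remaining("c"))
    out["accounted"] = c.accounted()
    return out


if __name__ == "__main__":
    print(demo())
```

The checkpoint granularity is the fault-tolerance knob: a node that dies loses at most the work since its last checkpoint, and the coordinator never has to trust the worker's claim of completion beyond the position it reported.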