
Hide in Plain Sight: Protocol Multiplexers

Almost every Internet-connected device on the planet ships with a nice web interface to interact with, and some of them, like routers and APs, come with their own little firewall to keep backdoors and the like out. So what if one of these devices, or even a server, gets compromised? Where do you look for an IoC (indicator of compromise) on it?

I don’t think I need to explain why IoT is a huge security challenge for every organization: everyone has at least a “smart” printer lying around somewhere. Lately I was looking at ways to hide traffic inside another traffic type, or on a regular, already-open TCP port, and I stumbled upon two great ways to make it happen.
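As an added illustration of what a protocol multiplexer does (this is example code, not from the original post or from any particular tool): one listener peeks at the first bytes a client sends and dispatches each connection on them, so several services can hide behind one port. The fingerprints are documented protocol facts (an SSH client opens with "SSH-", a TLS ClientHello is a handshake record starting 0x16 0x03, an HTTP/1.x request starts with a method token and a space); the sample payloads are constructed, and the MSG_PEEK read leaves the bytes in the socket buffer so a real backend would still see the whole stream. A protocol where the server speaks first (SMTP, for example) cannot be demultiplexed this way, because the client sends nothing until it has seen the banner.

```python
import socket

# Constructed sample first-bytes for each protocol (not captured traffic).
SAMPLES = {
    b"SSH-2.0-OpenSSH_9.6\r\n": "ssh",
    bytes.fromhex("160301") + b"\x00\xc8\x01\x00": "tls",   # TLS handshake record
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n": "http",
    b"\x00\x00\x00\x05": "unknown",
}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE"}


def classify_initial_bytes(data: bytes) -> str:
    """Guess the protocol from the first bytes a client sent.

    - SSH clients send an identification string "SSH-2.0-..." first.
    - A TLS ClientHello is a record with content type 0x16 (handshake) and
      record-layer version 0x03 0x00..0x04 (TLS 1.3 still uses 0x0301/0x0303).
    - HTTP/1.x requests start with a method token followed by a space.
    Anything else is reported as "unknown" so the caller can drop or default it.
    """
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if b" " in data and data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def classify_samples() -> dict:
    """Classify every constructed sample; returns {payload: protocol}."""
    return {payload: classify_initial_bytes(payload) for payload in SAMPLES}


def demux_over_loopback(payload: bytes, peek_len: int = 8) -> tuple:
    """Run one connection through a loopback listener and classify it with
    MSG_PEEK. Returns (protocol, stream_intact) where stream_intact is True
    when the full payload is still readable after the peek, i.e. the
    multiplexer consumed nothing the real backend would need."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))      # ephemeral port, offline
        listener.listen(1)
        port = listener.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port)) as client:
            client.sendall(payload)
            conn, _ = listener.accept()
            with conn:
                conn.settimeout(2.0)
                # Peek: the bytes stay queued in the kernel for the backend.
                head = conn.recv(peek_len, socket.MSG_PEEK)
                proto = classify_initial_bytes(head)
                buf = b""
                while len(buf) < len(payload):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
    return proto, buf == payload


if __name__ == "__main__":
    for payload, proto in classify_samples().items():
        print(proto, payload[:16])
    print(demux_over_loopback(b"SSH-2.0-OpenSSH_9.6\r\n"))
```

In a real multiplexer the dispatch step hands the accepted socket (or a freshly opened upstream connection plus the peeked bytes) to the backend for that protocol; the peek length only needs to cover the longest fingerprint you check.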

Dissection of Winbox critical vulnerability

On April 23rd, 2018, MikroTik fixed a vulnerability “that allowed gaining access to an unsecured router”. @yalpanian and I, from the @BASUCERT (part of IR CERT) reverse engineering lab, tried to figure out what exactly got fixed, what the problem was in the first place, and how severe its impact was.

UPDATE: a full PoC is now available on GitHub.

UPDATE: CVE-2018-14847 has been assigned to this vulnerability, and a Metasploit module for this bug should follow soon.

What is port sharding in Linux and why should I care

If you’re a sysadmin or a backend engineer, you have probably heard the term “port sharding” or “socket sharding” before. It is a technique that lets multiple sockets, typically owned by multiple processes, listen on the same TCP or UDP port at the same time, with the kernel distributing incoming connections or datagrams among them. It works by enabling the SO_REUSEPORT socket option on every one of those sockets before binding it to the address and port.
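The following is an added example (not code from the original post) that shows the behaviour described above on Linux: without SO_REUSEPORT the second bind() to an already-bound port fails with EADDRINUSE; with the option set on both sockets before bind(), both listen on the same port and the kernel spreads incoming connections across them. One caveat a practitioner should know: Linux only lets a second socket join a SO_REUSEPORT group if it runs under the same effective UID as the socket that created the group, precisely to stop an unrelated process from quietly claiming a share of someone else’s port. The client connections are constructed on loopback.

```python
import errno
import select
import socket


def bind_same_port(use_reuseport: bool) -> str:
    """Bind two independent TCP sockets to one 127.0.0.1 port.

    Returns "shared" when both binds succeed, otherwise the errno name raised
    by the second bind (EADDRINUSE on Linux when the option is not set).
    """
    s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if use_reuseport:
            # The option must be set on every socket before bind(),
            # not only on the first one.
            s1.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
            s2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        s1.bind(("127.0.0.1", 0))            # ephemeral port
        port = s1.getsockname()[1]
        s1.listen(8)
        try:
            s2.bind(("127.0.0.1", port))     # same address and port
            s2.listen(8)
            return "shared"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s1.close()
        s2.close()


def distribute_connections(n_clients: int = 20) -> dict:
    """Open two SO_REUSEPORT listeners on one port, connect n_clients times
    and count how many connections each listener accepted.

    Returns {0: count, 1: count}; the kernel picks the listener per
    connection from a hash of the 4-tuple, so the split is roughly even.
    """
    listeners = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        listeners.append(s)
    listeners[0].bind(("127.0.0.1", 0))
    port = listeners[0].getsockname()[1]
    listeners[1].bind(("127.0.0.1", port))
    for s in listeners:
        s.listen(64)

    clients = [socket.create_connection(("127.0.0.1", port))
               for _ in range(n_clients)]
    counts = {0: 0, 1: 0}
    accepted = []
    while sum(counts.values()) < n_clients:
        ready, _, _ = select.select(listeners, [], [], 2.0)
        if not ready:
            break                            # nothing pending: give up
        for s in ready:
            conn, _ = s.accept()
            accepted.append(conn)
            counts[listeners.index(s)] += 1
    for sock in clients + accepted + listeners:
        sock.close()
    return counts


if __name__ == "__main__":
    print("without SO_REUSEPORT:", bind_same_port(False))
    print("with SO_REUSEPORT:   ", bind_same_port(True))
    print("connections per listener:", distribute_connections())
```

The same pattern is what a sneaky process can use: if it runs as the same user as a service that already listens with SO_REUSEPORT, it can bind the same port and receive a share of that service’s connections without the original process noticing, which is why the option is worth auditing on any box you are investigating.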