SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
HOME SECFORCE - penetration testing COMPANY SECFORCE - penetration testing SERVICES SECFORCE - penetration testing RESEARCH SECFORCE - penetration testing BLOG SECFORCE - penetration testing INITIATIVES SECFORCE - penetration testing CONTACT
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    SECFORCE - penetration testing

Blog ■

SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    Home : Blog  
SECFORCE - penetration testing SECFORCE - penetration testing
Archive for the ‘SECFORCE’ Category

Tunna v1.1a SOCKS!

Monday, November 24th, 2014

Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP.

Due to popular demand, in this new version, Tunna (v1.1a) can be set up to be a local SOCKS proxy, that will accept any TCP traffic and send over to the webserver using HTTP requests. The traffic will be unwrapped at the server and forwarded to the specified address/port. Tunna effectively pivots connections through a webserver; thus bypassing firewall restrictions.


Secondary functionality added in the new version:

  • Tunna is now able to connect to the local proxy (if exists) and through the internal proxy, then tunnel the connection to the webserver.
  • A standalone Tunna webserver has been added for situations were a webserver is not available.
  • Windows compiled binaries for both “Tunna Client” and “Tunna webserver” have been added.
  • Ping delay increases (up to 60 sec) whenever data is not received. This minimises network traffic to the webserver with a small hit on waiting time that should be unnoticeable.

Tunna v1.1a Changelog:

  • Added SOCKS4a support
  • Tunna webserver
  • Windows binaries
  • Support for UpStream Proxy
  • Removed Ruby version of Client


  • python -u <remoteurl> -l 8000

This will set up Tunna and start a SOCKS4a proxy server on port 8000


SOCKS Operation Details:



Local ports are “mapped” to remote ports. For this, a header is added in every HTTP packet sent to/from the webserver that shows the originating/remote port. Once the packet is received, the header port is read and the rest of the data gets redirected to the correct port on the local side.


The SOCKS server is a simple implementation based on SOCKS protocol version 4 RFC. Currently “SOCKS BIND” method is not supported and protocols such as FTP cannot be used.


Bypassing Firewall restrictions:

Tunna SSH


Inbound restrictions:

As in the previous version if inbound HTTP traffic is allowed a webshell or Tunna webserver can be used to pivot connections.

For example, an external user can upload a Tunna webshell (or use Tunna webserver) on a remote webserver and request a service on the local host or any other host that will normally be blocked by the firewall. The request will be forwarded to the webserver in the form of an HTTP request (must be allowed by the firewall). The webserver is going to establish the connection for the user and redirect all traffic to that service. Response data will be transferred back to Tunna’s client in the form of HTTP responses.

Outbound restrictions:

Tunna can be used in situations where the firewall restricts access to certain hosts or services.

A user controlled Tunna webserver is needed as well as HTTP access to the remote webserver.

For example, an internal user can set Tunna (client) as his system’s proxy and request any website/service that is blocked. The request will be forwarded to the webserver in the form of an HTTP request. The webserver will establish the connection to the requested service and redirect all traffic to that service. Response data will be transferred back to Tunna’s Client in the form of HTTP responses.


Up-stream proxy:

In many companies, internal connections to the internet go via an internal proxy that restricts access to certain services or websites. Tunna can be configured to use that proxy for requests to Tunna’s webserver.
Tunna will get the proxy settings from the system (internet) options and use them for all requests. If this is not possible, then the proxy parameters can be set up as an argument (currently DIGEST and BASIC authentications are supported)


Tunna webserver:

This is a python standalone webserver for Tunna. The functionality is the same as a webserver that has a Tunna webshell.


  • python -r

Will start a Tunna webserver listening on port 8000

Append –ssl to add SSL support (https)*

* In Windows (webserver.exe) the certificate file (certificate.pem) needs to be present in the same folder as the executable


Tunna SOCKS webshells:

For Tunna to be used as a SOCKS server when webshells are used, an executable that will handle the SOCKS traffic will be uploaded to the remote webserver and executed.



As well as Tunna generating a massive overhead for every TCP packet, theconnections are tunnelled through a single channel using HTTP requests. Consequently, large amounts of traffic translate to large amounts of HTTP requests. When a Tunna webshell is used, then this can lead to a Denial of Service condition where the webserver will not be able to cope with all the requests.The standalone Tunna webserver is significantly less prone to DOS.

Some functionality is still experimental; therefore it is recommended that Tunna webshells are not to be used as a permanent solution.

Although the mechanisms for clean-up and graceful shutdown are in place, in certain situations,when a Tunna webshell is used andthe “SOCKS Server” executable is not properly stopped and/or removed from the disk; then it will require a manual clean-up.


Presentation: Tunna Presentation.pdf

Download: SECFORCE::Tunna


Meet us in Brussels!

Wednesday, April 16th, 2014

We are liaising with UK Trade & Investment and the British Embassy in Brussels to deliver a seminar about “How Exposed are we to the Cyber Threat?” on Thursday 24 April

We will be talking about penetration testing and delivering a demo about the Heartbleed vulnerability. The purpose of the seminar is to inform Professional Service Providers about the potential threats of cyber attacks, providing clear information about the key strategies to minimize the risk of an unauthorised compromise.

To register, visit the following link:

Sparta – a Network Infrastructure Penetration Testing Tool

Tuesday, March 25th, 2014

What is it?

It is a known fact that all hackers like terminals but most (good) hackers also like efficiency and automating repetitive tasks. This is where SPARTA comes in.

SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results.

Have a look:

What are the goals?

– One of the most important goals of the project is the ability to fully customise what tools/commands you run from SPARTA. Every penetration tester has his/her own methods and toolkit and we do not want to change that. SPARTA tries to simplify the way you run tools and centralises their outputs, displaying them in a meaningful way.
– Automation of repetitive tasks is a must. You will always need to check for default credentials. You will always need to enumerate users. You always run certain tools when you find certain services. You can now perform these actions (on several hosts) in one click.

Any cool features?

– Nmap XML output importer
– Any tool that can be run from a terminal, can be run from SPARTA
– Default credentials check for most common services
– If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: people reuse passwords)
– Ability to mark hosts that you have already worked on so that you don’t waste time looking at them again
– Screenshot taker so that you don’t waste time on less interesting web servers

What are the requirements?

– A Linux OS preferably Kali Linux as all the tools are already there
– A few extra python libraries

This project is very much a work in progress but hopefully the first release will be out in a few months. So stay tuned! :)

SECFORCE will be presenting at OWASP

Monday, March 17th, 2014

SECFORCE will present Tunna framework and a number of techniques penetration testers can benefit from to bypass network firewalls.

The presentation will include common scenarios in which HTTP tunnels can be use to bridge the gap between web application testing and infrastructure testing.

Please find information about the conference here.

Making Tunna (… or bypassing firewall restrictions with HTTP tunneling)

Friday, August 9th, 2013

A couple of months ago SECFORCE was set to create the ultimate webshell. The idea behind it was to include all the tools a pentester needs in one webshell and make our lifes easier by for example dropping a meterpreter shell on the remote webserver with as less user interaction as possible.

Soon it was apparent that it would be much “cooler” for the webshell to communicate with a meterpreter shell without the need for meterpreter to expose or bind an external port. The benefits of it are obvious – this would effectively bypass any firewall rules in place.

It was realised that this could be a nice tool on its own so the project was forked and development started. Some time later a set of webshells and the client proxies were created. The task was not as easy as it seems, mostly because it is hard to keep it simple and at the same time make the same code work across different languages. Still there are some “programming language” quirks that could not be bypassed or made transparent to the end user. Given the different technologies in play (web servers / web languages / client languages) and all the possible combinations it would be very hard to tackle some of the issues and make it seamless to the end user without loosing some of the tools flexibility. Having said that, Java proved to be the most problematic language of the whole bunch – this needs to be said. Java was eating bytes in large packets – reasons for this are still not obvious – making both debugging and optimisation a pain. Apart from that, the PHP webshell also works in a somehow different way where it stalls a thread on the remote server to keep the connection alive. However, the latter is seamless to the user.

Tunna Framework - Penetration Testing

Tunna Framework - Penetration Testing

What Tunna does is to open a TCP connection (socket) between the webserver (webshell) and a socket on the local machine (webserver). It is also possible to open a connection to any other machine but lets keep this example simple. The client also opens a local socket and starts listening for connections. When a connection is established on the local client any communication would be sent over to the webshell in an HTTP request. The webshell will extract the data and put write them its local socket (remote socket for the client). Now the problem with HTTP is that you cannot really have asynchronous responses. The easiest way to tackle this issue was to keep querying the webshell for data. This creates a lag but it is nothing a pentester cannot live with – at this point it must be noted once more that this is a tool “to get a remote meterpreter shell if the firewall is blocking external connections” and not for critical/real-time applications.

After that, we went back to the original idea and created the metasploit module. It is still under development and should be used with extreme caution. It is still recommended to upload a meterpreter shell and use Tunna main module to connect to it. The metasploit module can be summarised as a “half rewrite of the existing code to work with or around metasploit API” (mostly around). This means that “code hacks” were created as needed to make it work. To be architecturally correct with metasploit, the original idea was to create a new metasploit “handler” … however, this proved to be harder than expected and what you get is a bastardisation of handler-exploit … but it works.

Lastly, any comments, bugs or improvement ideas are welcome.

For more information, visit our Tunna Framework page.

Download: Tunna v0.1

Is traditional penetration testing effective at identifying risk?

Friday, December 14th, 2012

This September the Director General of GCHQ wrote to many business leaders providing them with a top ten list of priorities for achieving and maintaining a strong resilience to cyber attack.

The challenge for many board members is how to ascertain the validity of what they are being told in relation to the health of their defences. What unknown risks are being carried? There is a high risk of false assurance from internal departments reporting up the chain.

What is the state is your business in when it comes to cyber security?

Ask yourself the following questions;

· How effective are my perimeter defences?

· How much business impact can an anonymous attacker cause on my network?

· What is state of health of my internal systems and networks?

· What level of security awareness is held my staff?

· How effective are my IT and security team are at identifying and mitigating an attack?

If you are sure you know the answer and you are happy with it then you are doing well.

Many of the security assessments we are asked to undertake, although providing value, miss the point when it comes to identifying key risks. The reason is that an advanced and sophisticated attacker would not play by the rules set out in a typical test engagement. If I wanted to attack your organisation, I would carefully target your people, compromise their browsers, infiltrate their laptops or workstations, and from there begin to slowly gain a foothold and control of your network. In my 10 years working at the cutting edge of penetration testing, we have performed this testing but a handful of times; however the majority of successful extrusion attacks would use this method.

There is a miss-match therefore – the skills exist to measure organisations resilience to this form of attack method, the majority of successful breaches would use this technique, but penetration tests typically do not cater for this form of scenario.

A realistic attack would take the form of a discrete engagement to identify and quantify key areas of critical risk – We like to call it offensive security; the best form of defence is to know what the enemy are capable of. If you want to know the truth then you need to test combining the following elements;

· Physical – how easy would it be for an individual to gain access one of your premises/gain access to the network/steal a laptop, PDA device or similar (and attempt to extract the data) Can a remote access device be planted and will this go unnoticed?

· Technical– can your systems be penetrated? How effective are your perimeter and internal controls?

· Social – can your people be easily compromised, what level of control over your systems, data and networks can be achieved?

So to ask the question again – how well equipped are you for fending off an advanced and persistent cyber attack?

SECFORCE presented at the IGEM conference

Wednesday, November 14th, 2012

The gas and energy sectors face significant challenges in regard to IT security. An evolving industry where reliance on IT systems has become key, being a potential target of terrorism attacks and where high availability and business continuity is a must, IT security shouldn’t be overlooked.

SECFORCE presented the challenges faced by Gas and Energy corporations in the IGEM annual conference:

The talk provided an overview of the threats of the companies in the energy sector, the current threats affecting SCADA systems, attackers’ motivations and a roadmap towards an increase on security.

Should you protect your identify from cybercriminals and would be penetration testers?

Monday, October 29th, 2012

Andy Smith, an internet security chief at the Cabinet Office, has said people should only give accurate details to trusted sites such as government ones. (

Giving fake details to social networking sites is “a very sensible thing to do”

Andy Smith

The reason for this is the high volume of websites that ask for highly privileged information such as date birth on their users where this information is not strictly necessary. Because of the vast number of websites involved, the overall challenge of keeping an individual’s information confidential is becoming virtually impossible.

As an individual working for a well respected penetration testing company I see the effects of this on a daily basis when SECFORCE are asked to perform social engineering attacks and client side browser exploitation against unsuspecting company employees. For us, without the rich source of information leakage on organisation’s employees in social media and other websites, our job of either tricking the user, or using their identity to trick others would be much harder.

The trick with a client side attack is to encourage an individual to perform an action of some kind, the chances of this being successful are increased a thousand fold if you use specific information pertaining to that user that puts them at ease, and elevates their misplaced trust in you –  ‘the attacker’. This is why social media is so powerful – a message from a friend on Facebook, an email from a colleague on LinkedIn, each containing a specific piece of information (for example a happy birthday message on your birthday), and prompting an action to click or download such as – here is a picture of your daughter from the party last weekend, or good luck with the presentation today.

Messages that are backed by some truth and privileged information are likely to result in the desired result (compromise of the user).

Cyber criminals have exactly the same access to this information as legitimate penetration testers and they are putting it to good use. Client side browser attacks are exponentially increasing. The attacker’s goal is often being to form a bridgehead into an organisation for further significant impact. This form of attack can be sustained against an organisation and its employees for a period of months, so the odds of success are on the side of the attacker, and the only real countermeasures are the awareness and vigilance of your employees.

So, is Andy Smith from the Cabinet Office correct to give this advice? It is clear that there are a number of challenges to protect an individual’s identity online, however at the same time, websites such as Facebook, Twitter and LinkedIn as well as the hundreds of others that store information on you are here to stay. We are at a point of transition, not fully equipped or aware of the risks our online behaviour expose us to, but at the same time reliant on the benefits this new technology brings to our lives.

SECFORCE achieves ISO27001:2005

Thursday, October 11th, 2012

SECFORCE has been accredited to ISO27001:2005 by the British Assessment Bureau.

SECFORCE’s Operations and Commercial Director Sam Temple said:

“This marks an important milestone for us in security management. It is one thing to strive to operate in a secure manner, but fantastic to have it confirmed by a respected external auditing body. Having achieved ISO27001 will not mean that we can relax about our security though, although we can be confident that the systems and procedures put in place are effective now, we will continue to invest effort in to this area to ensure that they remain so. ”

SECFORCE iso27001

SECFORCE handles confidential information in a daily basis. This achievement contributes to ensure that our client’s information is kept secure.

SECFORCE Presents to European Banking Industry in Riederau

Wednesday, October 3rd, 2012

SECFORCE Technical Director, Rodrigo Marcos, impressed bankers at an IT Cyber-Security workshop in Germany on Tuesday treating them to a live hacking demonstration. The presentation comes as financial institutions focus more and more on how to foil the dangerous and cutting-edge cyber criminals hiding behind their computer screens around the globe.
During the two day conference Marcos demonstrated how an unsuspecting online banking customer could be targeted and their life-savings stolen without them even noticing that their browser had been compromised.

“It is not common to see competitors in the same industry sharing information security knowledge and organising events like this one. To my mind, it clearly shows the increasing security awareness in the market today.” said Rodrigo Marcos.

The experienced ethical hacker also advised the banks to provide more security tips to their customers such as opening a new browser session when conducting online banking.



November 2014
July 2014
April 2014
March 2014
February 2014
August 2013
June 2013
February 2013
January 2013
December 2012
November 2012
October 2012
January 2012
October 2011
September 2011
July 2011
June 2011
April 2011
February 2011
January 2011
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008


Aircraft security (1)
Business Continuity (2)
cyber security (2)
Embedded devices security (2)
exploit (9)
Fuzzing (1)
Penetration Testing (42)
Phishing (3)
Risk Management (5)
Security architecture (2)
Security Books (1)
Security Compliance (1)
Security research (10)
social engineering (1)
social media (1)
sql injection (3)
SQL Server (3)
Tools (14)
Uncategorized (3)
Vulnerabilities (10)
SECFORCE - penetration testing
  SECFORCE - penetration testing Aegon House, 13 Lanark Square
Canary Wharf - E14 9QD, London
SECFORCE - penetration testing Direct Line +44 (0) 845 056 8694
E-mail SECFORCE - penetration testing
  Follow us in Twitter Check us out in LinkedIn SECFORCE is CREST certified. Click on the logo for more information ISO9001 ISO27001
SECFORCE - penetration testing
    Copyright (c) 2014 SECFORCE Ltd · All Rights Reserved