Penetrating Networks

Navid Fazle Rabbi
Sr. Security Researcher
Offensive Security Research
bKash Ltd.
Research Interest

My exploration within the realm of cybersecurity is driven by an unquenchable curiosity, and my passions encompass a diverse range:

  • Web & Mobile AppSec
  • Side-Channel Analysis
  • AI Attacks & AI Security
  • Blockchain & Web3 Security
  • Browser Security
  • Source Code Analysis
  • Real-world Cryptography
  • Exploit Development
  • Reverse Engineering
  • IoT Security

Security Research & Developments

AT A GLANCE

  • CrossDomain XML Exploit – Showcases how misconfigured crossdomain.xml files can be exploited to compromise sensitive data in Flash-like browsers. (Exploit)
  • Mobile Application Code Tampering – The MFS Mobile App faced susceptibility to reverse engineering, allowing for the modification of specific lines of code. Consequently, these altered codes could be signed and installed on a mobile device, leading to visible changes within the application. (Project)
  • dl_bfb (Authentication Bruteforce) – The dl_bfb tool is a powerful authentication brute-force attacker designed to perform brute-force attacks on servers with username and password-based authentication. (Tool)
  • Knock! Knock! (Subdomain & Directory Enumerator) – A powerful enumeration tool specifically designed to fuzz and identify probable directories or subdomains on a target website. (Tool)
  • Cookie Monster (Automated Cookie/Session Modifier) – A powerful automated tool designed to test various cookie manipulation-based security flaws. (Tool)
  • NTLM_Spray (Password Sprayer) – A specialized password-spraying tool designed for enumerating usernames on Microsoft’s Windows New Technology LAN Manager (NTLM) authentication system. (Tool)
  • Base64 Brute-Force – Designed to perform efficient brute-forcing on services that utilize Base64 encoding for username and password authentication. (Tool)
  • IceWatch (WebRTC Connection Checker) – Leveraging JavaScript and the RTCPeerConnection API, the tool examines WebRTC connection setups using provided credentials and logs the status of each connection. (Tool)
  • JWT Hawk (JSON Web Token Decoder) – Assists in decoding JWT tokens by attempting multiple secrets from a provided list. (Tool)
  • DevSecOps (CI/CD+Burp+Snyk) – Automating vulnerability assessments throughout the Development Lifecycle by integrating Burp Suite Enterprise with Snyk. (Project)

ONGOING

  • Fraud Replication, Analysis & Threat Modeling – Leveraging historical cases, the project aims to streamline the automation of simulating Fraud Cases. Additionally, the initiative will encompass thorough fraud analysis and threat modeling to enhance the overall effectiveness of the system.
  • Advanced Malware Analysis & Antivirus – The ongoing research and project aim to develop an advanced Malware Analysis and Antivirus Tool using Python.
  • Web Application Firewall Identification from Server Response using Python – The project centers around developing a Python-based solution to identify Web Application Firewalls (WAFs) from server responses.
  • Web Application Vulnerability Scanner – The project aims to identify potential vulnerabilities and security weaknesses in web applications.
  • Advanced Analysis of Codes, Attribution Analysis and Malicious Intent Identification – The project focuses on advancing the analysis of codes to identify malicious intent in software components. It involves attribution analysis and code analysis techniques to deduce the intent behind certain codes and determine their authorship. Planning to use NLP models, Behavioral and Anomaly detection algorithms, and Graph algorithms for analysis of functions.
  • Service Worker Based Kerberos Token Generation – Using Service Worker to generate Web Tokens to grant access to the website. It will employ a similar architecture to the Kerberos authentication.
  • PWA WAFirewall – Implementing service workers to build a web application firewall and monitor requests and responses.

Enterprise Tools Utilized

Burp Suite Professional (Pentesting), Postman (API Testing), Genymotion (Emulator), Netsparker (Web Application Vulnerability Scanner), Tenable.io (Cloud Vulnerability Management), Tenable.sc (Vulnerability Management), SysDig (Cloud Security Posture Management), Mandiant Advanced (Attack Surface Management, Cyber Threat Intelligence), Randori (Attack Surface Management), MobSF (Application Vulnerability Management), Wireshark (Packet Analyzer), Core Impact (Exploitation Framework), Metasploit Pro (Exploitation Framework), etc.

Security Frameworks

OWASP Web Application Testing Guide, OWASP Mobile Application Testing Guide, NIST Cybersecurity Framework, ISO27001:2013, ISO27001:2022, COBIT2019

Languages

Python, C, JavaScript, Bash, Assembly, HTML, SQL, etc.

Undergraduate Thesis

Design and Implementation of Server Based Position and Angle Measurement and Control of DC Motor

The undergraduate thesis project focuses on developing a server-based system to accurately measure and control the position and angle of a DC motor. The research involves hardware schematic design, user interface development, JSON data parsing for calculations, and real-time communication between the server and the machine.

Created a Python (Flask) based receiving and processing server to handle data from the motor controller. The server effectively processed incoming data, providing accurate position and angle measurements. Notably, the system allowed dynamic adjustments to be made to these values, enabling real-time control and interaction with the motor controller.

Supervisor: Prof. Dr. Golam Sarowar

Preprint

Design, Implementation, Comparison, and Performance analysis between Analog Butterworth and Chebyshev-I Low Pass Filter Using Approximation, Python and Proteus

The research focuses on the design, implementation, comparison, and performance analysis of Analog Butterworth and Chebyshev-I Low Pass Filters. These filters play a crucial role in signal processing and communication systems. The study involves manual calculations using approximations, verification with Python programming language, simulation in Proteus 8 Professional, and practical implementation in the Hardware Lab using necessary components.