Portcullis Labs is managed by the Portcullis Security Technical Team to provide easy access to our public tools and papers.
We built this website to share some of our knowledge. You’ll find several tools, papers and presentations mostly by security geeks, but all for security geeks.
- Windows Named Pipes: There and back again (11/20/2015) - Inter Process Communication (IPC) is an ubiquitous part of modern computing. Processes often talk to each other and many software packages contain multiple components which need to exchange data to run properly. Named pipes are one of the many forms of IPC in use today and are extensively used on the Windows platform as a […]
- NOPC version 0.4.7 released (10/28/2015) - NOPC, the Nessus-based offline patch checker for Linux distributions and UNIX-based systems has had some changes made and been made available in our tools section. This article discusses the new features in detail and provides some working examples. Updated features and bug fixes Improvements to the interactive mode (e.g. asking for what format for results […]
- Locating SAT based C&Cs (10/28/2015) - Recently, Kaspersky published a research about how a russian APT group use hijacked satellite links to anonymise their malware command-and-control (C&C) servers (Satellite Turla: APT Command and Control in the Sky). As they say in their blog post, I researched and published how to abuse satellite DVB-S/2 internet communications, the technique used during the Epic […]
- padmin to root: Roles on AIX (10/2/2015) - Following a recent post from a consultant at IBM discussing how how privileged access should be performed on VIOS, I figured it was time to share some of our research in this arena. Those of you that are regular readers will know that I love root. For those of you that are new, welcome aboard. […]
- CVE-2015-5119 Flash ByteArray UaF: A beginner’s walkthrough (9/24/2015) - This document is a written form of a workshop and presentation I gave at Portcullis Labs in late July 2015. It is a beginner’s walkthrough to understand the recent Flash bug that was discovered in Hacking Team’s pocket and given the sweet name of CVE-2015-5119. It was found and exploited by Vitaliy Toropov. Disclaimer: If […]
- GET IN THE RING0 (9/24/2015) - Presentation on how Windows kernel drivers work and where to look for vulnerabilities (as given at 44CON 2015).
- Blood in the water: Phishing with BeEF (9/18/2015) - Those of you that have been following the UK infosec market recently will have noticed an upturn in talk relating to “Red Team” style engagements. Unlike a traditional penetration test, the object of such an exercise is not to locate vulnerabilities (though of course that helps) but rather to exercise the “Blue Team” i.e. the […]
- Graham “@gsuberland” Sutherland’s 44CON presentation (9/11/2015) - Graham recently gave a presentation at 44CON’s community night entitled “GET IN THE RING0″ on the subject of Windows kernel drivers. His talk covered: Same basic concepts as writing usermode apps Some additional bits Talking between usermode / kernelmode Major functions, IRPs, IOCTLs Special concepts like IRQLs (mostly) officially documented on MSDN! (most of) the […]
- Burp Extension (8/26/2015) - At Portcullis, one of the more frequent assessments we perform are web application assessments. One of the main challenges we face during these assessments is to look for information that can either help escalate our privileges or allow us to gain access to different functionalities of the web application. Unauthorised access to functionality can often […]
- NOPC version 0.4.5 released (6/12/2015) - NOPC, the Nessus-based offline UNIX patch checker has had some changes made and been made available in our tools section. This article discusses the new features in detail and provides some working examples. Introduction There have been some updates to the NOPC tool. The latest version is now 0.4.5. Updated features and bug fixes Added Output […]
- SSL and Export Ciphers: Logjam and FREAK (5/28/2015) - Recent attacks have shown the risks of leaving legacy TLS encryption modes enabled. In this blog post, the risks of having export-grade cryptography enabled will be addressed. During the 90s very strict export regulations regarding cryptography were present in the United States of America. Due to this issue, some SSL implementations have deliberately weakened ciphers […]
- VENOM vulnerability (5/14/2015) - VENOM (Virtualised Environment Neglected Operations Manipulation) is a vulnerability that could allow an attacker to escape a guest virtual machine and access the host system, along with other virtual machines running on this system, and access their data. This could potentially allow an attacker to steal sensitive data on any of these virtual machines and […]
- uid=0 is deprecated: A trick unix-privesc-check doesn’t yet know (5/5/2015) - Just like Linux, the modern Solaris install doesn’t simply rely on UID/GID to determine privilege. Instead there are roles and profiles to contend with. The following is a loose explanation of how they work: User = user + group + user_attr + /etc/security/auth_attr + /etc/security/auth_attr.d/* user = Raw privileges (PRIV_DEFAULT + !PRIV_LIMIT) user_attr = List […]
- This way to 10.10.10.1: Playing with labelled switching (4/17/2015) - As a pentester, there are days when you’ll get asked to look at the ordinary, and there are days that you’ll be asked to look at something more challenging. This week was full of days that met the latter criteria and not the former. Whilst I can’t share the scope, Portcullis was asked to examine […]
- Testing against the kill chain on non-”red team” assessments (4/7/2015) - The following is a braindump of an idea I had as a result of the work I have been doing on Portcullis’ STAR offering. The question I set myself was, what testing could we perform, under our normal terms of engagement which would contribute to the “blue team” i.e. the system administrators and developers better […]