Portcullis Labs is managed by the Portcullis Security Technical Team to provide easy access to our public tools and papers.
We built this website to share some of our knowledge. You’ll find several tools, papers and presentations mostly by security geeks, but all for security geeks.
- Burp Extension (8/26/2015) - At Portcullis, one of the more frequent assessments we perform are web application assessments. One of the main challenges we face during these assessments is to look for information that can either help escalate our privileges or allow us to gain access to different functionalities of the web application. Unauthorised access to functionality can often […]
- NOPC version 0.4.5 released (6/12/2015) - NOPC, the Nessus-based offline Unix patch checker has had some changes made and been made available in our tools section. This article discusses the new features in detail and provides some working examples. Introduction There have been some updates to the NOPC tool. The latest version is now 0.4.5. Updated features and bug fixes Added Output […]
- SSL and Export Ciphers: Logjam and FREAK (5/28/2015) - Recent attacks have shown the risks of leaving legacy TLS encryption modes enabled. In this blog post, the risks of having export-grade cryptography enabled will be addressed. During the 90s very strict export regulations regarding cryptography were present in the United States of America. Due to this issue, some SSL implementations have deliberately weakened ciphers […]
- VENOM vulnerability (5/14/2015) - VENOM (Virtualised Environment Neglected Operations Manipulation) is a vulnerability that could allow an attacker to escape a guest virtual machine and access the host system, along with other virtual machines running on this system, and access their data. This could potentially allow an attacker to steal sensitive data on any of these virtual machines and […]
- uid=0 is deprecated: A trick unix-privesc-check doesn’t yet know (5/5/2015) - Just like Linux, the modern Solaris install doesn’t simply rely on UID/GID to determine privilege. Instead there are roles and profiles to contend with. The following is a loose explanation of how they work: User = user + group + user_attr + /etc/security/auth_attr + /etc/security/auth_attr.d/* user = Raw privileges (PRIV_DEFAULT + !PRIV_LIMIT) user_attr = List […]
- This way to 10.10.10.1: Playing with labelled switching (4/17/2015) - As a pentester, there are days when you’ll get asked to look at the ordinary, and there are days that you’ll be asked to look at something more challenging. This week was full of days that met the latter criteria and not the former. Whilst I can’t share the scope, Portcullis was asked to examine […]
- Testing against the kill chain on non-”red team” assessments (4/7/2015) - The following is a braindump of an idea I had as a result of the work I have been doing on Portcullis’ STAR offering. The question I set myself was, what testing could we perform, under our normal terms of engagement which would contribute to the “blue team” i.e. the system administrators and developers better […]
- Beware of empty paths (3/26/2015) - Consider the case of a setUID binary that runs as root and allows the caller to execute certain other scripts and binaries from a given restricted directory. The Portcullis Labs team recently spotted such a case and I was asked to take a look to determine exploitablity. What follows is a short analysis of what […]
- Fixing the links: Hardening the linker (2/20/2015) - As many of our regular readers will know, the Portcullis Labs team have a good deal of experience with reviewing the security of POSIX alike OS, and as a result, we’ve made some interesting discoveries in terms of how easy it can be to escalate ones privileges. As I discussed some time ago at CRESTCon, […]
- Detecting windows horizontal password guessing attacks in near real-time (2/16/2015) - When attempting to gain a foothold into a Windows Domain, an attacker will often attempt one or two likely passwords against every user in the Active Directory, a so-called horizontal password guessing attack. A small number of failed logons per user will usually not trigger a user account lockout policy and can be very effective. […]
- MS SQL Server Audit: Extended Stored Procedures / Table Privileges (1/23/2015) - (If you excuse the pun), everyone has a different view on Extended Stored Procedures: Some might say they are stored procedures with extra functionality Some might say they can cause problems to a database if misused Some simply say they are stored procedures with a prefix of xp_ This post will hopefully give a better […]
- A year in the world of security advisories (12/18/2014) - Security researchers find vulnerabilities in products; it’s an important and almost inevitable part of the job. One of the side effects of these discoveries is that often new, unfixed zero day vulnerabilities are identified which the affected vendor may not be aware of. This can present a somewhat difficult situation: What should be done with […]
- Building a sandpit (11/18/2014) - Today I was looking at how plugins could safely be incorporated into a J2EE application server. The plugins in this instance are executed server side, rather than on the client and are, in the main, provided by 3rd parties (digital advertising agencies etc). The aim was to limit the scope in which they operate. The […]
- How Many Bugs Can a Time Server Have? (11/7/2014) - Presentation on vulnerabilities in the Symmetricom (Micro Semi) S350i time server (as given at EMF Camp 2014). YouTube has a recording of the presentation as given by Tim and Mike.
- RPDscan (11/6/2014) - RPDscan (Remmina Password Decrypt Scanner) is a tool to find and decrypt saved passwords in Remmina RDP configurations. Key features Finds every Remmina configuration file and preferences Decrypts every saved password for every user it finds Python based for easy access and speed Overview Remmina is a well used Linux based RDP connection software, as many people […]