Portcullis Labs is managed by the Portcullis Security Technical Team to provide easy access to our public tools and papers.
We built this website to share some of our knowledge. You’ll find several tools, papers and presentations mostly by security geeks, but all for security geeks.
- PowerOPS: PowerShell for Offensive Operations (6/3/2016) - At Portcullis, one of the most frequent assessments we perform are breakouts. One of the main challenges we face during these assessments is to get command execution that can either help escalate our privileges or allow us to gain access to different systems on the network. Sometimes we find harsh group policy restrictions in place […]
- Downgrading RDP connections and how to avoid it (4/22/2016) - This post describes how Remote Desktop Protocol (RDP) connections can be vulnerable to a downgrade attack if Terminal Servers are configured insecurely. We’re not aware of this issue being discussed before – googling only found pages about installing an earlier version of the RDP client, not about downgrading the protocol in the way described here. […]
- Keep your cookies safe (part 1) (4/22/2016) - What are cookies and why are they important? A cookie is a small piece of data sent from a website and stored in a user’s web browser and is subsequently included with all authenticated requests that belong to that session. Some cookies contain the user session data in a website, which is vital. Other cookies […]
- Sandbox detection: Pafish overview (3/14/2016) - Here at Portcullis, we are frequently involved in “red team” exercises, which means we subject an organisation’s information security systems to rigorous testing and analysis. The opposite of a red team is a “blue team”. A blue team attempts to identify and stop the red team from compromising systems. One of the techniques used when […]
- Windows Named Pipes: There and back again (11/20/2015) - Inter Process Communication (IPC) is a ubiquitous part of modern computing. Processes often talk to each other and many software packages contain multiple components which need to exchange data to run properly. Named pipes are one of the many forms of IPC in use today and are extensively used on the Windows platform as a […]
- NOPC version 0.4.7 released (10/28/2015) - NOPC, the Nessus-based offline patch checker for Linux distributions and UNIX-based systems has had some changes made and been made available in our tools section. This article discusses the new features in detail and provides some working examples. Updated features and bug fixes Improvements to the interactive mode (e.g. asking for what format for results […]
- Locating SAT based C&Cs (10/28/2015) - Recently, Kaspersky published research about how a Russian APT group uses hijacked satellite links to anonymise their malware command-and-control (C&C) servers (Satellite Turla: APT Command and Control in the Sky). As they say in their blog post, I researched and published how to abuse satellite DVB-S/2 internet communications, the technique used during the Epic […]
- padmin to root: Roles on AIX (10/2/2015) - Following a recent post from a consultant at IBM discussing how privileged access should be performed on VIOS, I figured it was time to share some of our research in this arena. Those of you that are regular readers will know that I love root. For those of you that are new, welcome aboard. […]
- CVE-2015-5119 Flash ByteArray UaF: A beginner’s walkthrough (9/24/2015) - This document is a written form of a workshop and presentation I gave at Portcullis Labs in late July 2015. It is a beginner’s walkthrough to understand the recent Flash bug that was discovered in Hacking Team’s pocket and given the sweet name of CVE-2015-5119. It was found and exploited by Vitaliy Toropov. Disclaimer: If […]
- GET IN THE RING0 (9/24/2015) - Presentation on how Windows kernel drivers work and where to look for vulnerabilities (as given at 44CON 2015).
- Blood in the water: Phishing with BeEF (9/18/2015) - Those of you that have been following the UK infosec market recently will have noticed an upturn in talk relating to “Red Team” style engagements. Unlike a traditional penetration test, the object of such an exercise is not to locate vulnerabilities (though of course that helps) but rather to exercise the “Blue Team” i.e. the […]
- Graham “@gsuberland” Sutherland’s 44CON presentation (9/11/2015) - Graham recently gave a presentation at 44CON’s community night entitled “GET IN THE RING0” on the subject of Windows kernel drivers. His talk covered: Same basic concepts as writing usermode apps Some additional bits Talking between usermode / kernelmode Major functions, IRPs, IOCTLs Special concepts like IRQLs (mostly) officially documented on MSDN! (most of) the […]
- Burp Extension (8/26/2015) - At Portcullis, one of the more frequent assessments we perform are web application assessments. One of the main challenges we face during these assessments is to look for information that can either help escalate our privileges or allow us to gain access to different functionalities of the web application. Unauthorised access to functionality can often […]
- NOPC version 0.4.5 released (6/12/2015) - NOPC, the Nessus-based offline UNIX patch checker has had some changes made and been made available in our tools section. This article discusses the new features in detail and provides some working examples. Introduction There have been some updates to the NOPC tool. The latest version is now 0.4.5. Updated features and bug fixes Added Output […]
- SSL and Export Ciphers: Logjam and FREAK (5/28/2015) - Recent attacks have shown the risks of leaving legacy TLS encryption modes enabled. In this blog post, the risks of having export-grade cryptography enabled will be addressed. During the 90s very strict export regulations regarding cryptography were present in the United States of America. Due to this issue, some SSL implementations have deliberately weakened ciphers […]