Portcullis Labs » RID: Research and Development, https://labs.portcullis.co.uk

Is that really you? The importance of identity in breach response and recovery
https://labs.portcullis.co.uk/presentations/is-that-really-you-the-importance-of-identity-in-breach-response-and-recovery/
Tue, 18 Jun 2019 08:56:23 +0000

The post Is that really you? The importance of identity in breach response and recovery appeared first on Portcullis Labs.

Presentation on Zero Trust and the importance of identity in breach response and recovery (as given at InfoSec Europe 2019 on the tech talk track).

Richard Dean, Cisco’s EMEAR Head Of Security Advisory Services looks at Cisco’s approach to zero trust.

This talk discusses the need to monitor your users' access and privileges, and how securing them as they interact with the Internet is core to a Zero Trust approach to cybersecurity. Richard doesn't stop there, but moves on to look at what happens if you are facing a deliberate attempt to steal your users' identities in order to take advantage of those privileges. In this talk you'll learn how to manage identity effectively, as well as the importance of software defined networks in the drive to Zero Trust and rapid threat containment.

Learning outcomes:

  1. Learn how to manage identity and access management effectively
  2. The importance of software defined networks in enabling rapid threat containment
  3. The first steps an organisation should take to start on the Zero Trust journey
  4. Aligning corporate and personal security practices to get better adoption from staff of identity and password management
  5. The importance of software defined networks in the drive to Zero Trust
Download: I2019ITRYTIOIIBRR.pdf (June 18, 2019, 1.6 MiB, MD5 14981f12020f7774971ef61b8229188a)


NOPC
https://labs.portcullis.co.uk/tools/nopc/
Tue, 03 Jul 2012 12:53:26 +0000

The post NOPC appeared first on Portcullis Labs.

NOPC (Nessus-based Offline Patch Checker) is a patch checker primarily for Linux distributions and UNIX-based systems. It is a shell script that uses Nessus' NASL plugins and tells you what data needs to be collected from the system in order to derive a list of missing security patches. It was developed for situations where network connectivity to the systems under review is not possible.

Key features

  • The ability to perform analysis on the following Linux/Unix based distributions:
    • AIX
    • HP-UX
    • MacOS X
    • Solaris (Not 11)
    • Debian
    • FreeBSD
    • Gentoo
    • Mandrake
    • Redhat
    • Redhat Centos
    • Redhat Fedora
    • Slackware
    • SuSE
    • Ubuntu
  • The ability to perform analysis on Cisco IOS/ASA devices
  • Output in CSV format with CVSS scores

Overview

Ever tried to perform a patch analysis of a UNIX-based machine without network access to it? Making reasonable sense of a raw package listing, such as the output of the following, can feel like a wrestling match:

$ /bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' > patchlist.txt

Out of this evolved NOPC, which utilises Nessus’ ability to perform an accurate patch analysis with the information extracted from the system. NOPC instructs you on how to manually recover this same information.

Installation

As NOPC is a shell script, it can be run from anywhere. Extract the downloaded tarball into a directory. There are 2 files:

  • nopc.sh
  • README.txt

The only prerequisite is that the system on which the shell script runs has Nessus installed with up-to-date plugins. The script assumes the default locations for the nasl command line tool (/opt/nessus/bin/nasl) and the Nessus plugins directory (/opt/nessus/lib/plugins).

These locations can be defined with the ‘d’ option for the directory where NOPC will look for nessus plugins and the ‘n’ option for the location of the nasl command line.

$ ./nopc.sh -d '/Library/Nessus/run/lib/nessus/plugins/'
$ ./nopc.sh -n '/local/bin/nasl'

Usage

Interactive Mode

Running through the interactive mode should be straightforward. NOPC asks for the following:

  • Output type (e.g. list of missing patches, CSV of missing patches)
  • Distribution that the missing patches are to be checked against
  • Specific system information required to perform the checking (e.g. patch list, release, OS level, hardware)

$ nopc.sh
Version: nopc.sh  0.4.7d
[+] Which output format would you like to use?
 0 - Displays Outdated Packages only
 1 - Displays NASL name and Outdated Packages
 2 - CSV output of CVE, KB and description (comma)
 3 - CSV output of CVE, CVSSv2, Severity, KB, Description (comma)
 4 - CSV output of CVE, KB and description (tab)
 5 - CSV output of CVE, CVSSv2, Severity, KB, Description (tab)

Enter 1-5? 3
[+] What type of system have you got the patch output for?
 1 - AIX
 2 - HP-UX
 3 - MacOS X *
 4 - Solaris (!11) *
 5 - Debian
 6 - FreeBSD
 7 - Gentoo
 8 - Mandrake
 9 - Redhat
 10 - Redhat (Centos)
 11 - Redhat (Fedora)
 12 - Slackware
 13 - SuSE *
 14 - Ubuntu
 15 - Cisco IOS/ASA *

 * EXPERIMENTAL!!

Enter 1-15? 1
[+] AIX Selected
[+] Run 'lslpp -Lc > patchlist.txt'
[+] Enter Location of file: aix-7.1-patchlist.txt
[+] Enter the AIX Release e.g. 6.1
[+] Enter Text Requested: 7.1
[+] Enter the output of 'oslevel -s' e.g. 6100-04-04-1441
[+] Enter Text Requested: 7100-03-04-1441
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '1' 'aix-7.1-patchlist.txt' '7.1' '7100-03-04-1441'

[+] Locating Nasls
[+] Checking for 11206 Missing Patches
NOPC, AIX
Plugin ID, CVE, CVSSv2, Severity, KB, Title
81920, "CVE-2014-8769", 6.4, Medium, "IV67588", "AIX 7.1 TL 3 : tcpdump (IV67588)"
82900, , 7.5, High, "openssl_advisory13", "AIX OpenSSL Advisory : openssl_advisory13.asc"
83135, "CVE-2015-0138, CVE-2015-2808", 4.3, Medium, "java_apr2015_advisory", "AIX Java Advisory : Multiple Vulnerabilities"
...

In the above case, several missing patches were identified.

Note that the prompts for output type and distribution can be skipped by passing them on the command line (-l for the output format, -s for the system type) if these details are already known. For example, for a detailed report of missing Redhat patches in CSV format:

$ nopc.sh -l '3' -s '9'
Version: nopc.sh  0.4.7d
[+] Redhat Selected
[+] Run '/bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' > patchlist.txt'
[+] Enter Location of file: patch-redhat-1.txt
[+] Enter the contents of /etc/redhat-release
[+] Enter Text Requested: Red Hat Enterprise Linux Server release 5
[+] Enter value of 'uname -m' e.g. x86_64, i686
[+] Enter Text Requested: i686
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '9' 'patch-redhat-1.txt' 'Red Hat Enterprise Linux Server release 5' 'i686'

[+] Locating Nasls
[+] Checking for 3620 Missing Patches
NOPC, Redhat
Plugin ID, CVE, CVSSv2, Severity, KB, Title
58262, "CVE-2012-0768, CVE-2012-0769", 10, High, "redhat-RHSA-2012-0359", "RHEL 5 / 6 : flash-plugin (RHSA-2012-0359)"
55813, "CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425", 10, High, "redhat-RHSA-2011-1144", "RHEL 5 / 6 : flash-plugin (RHSA-2011-1144)"
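Output format 3 above is the one you hand on for remediation, and its CVE column is a quoted list that breaks naive comma splitting. The following Python is an added example, not part of NOPC or Nessus: it parses that format, counts findings per severity and ranks them by CVSSv2. The sample rows are the three AIX findings from the transcript above, embedded as constructed input rather than read from a real scan.

```python
import csv
import io
from collections import Counter

# Constructed input: the three AIX result rows from the transcript above, in NOPC
# output format 3 (Plugin ID, CVE, CVSSv2, Severity, KB, Title). Not real scan data.
SAMPLE_NOPC_CSV = """\
NOPC, AIX
Plugin ID, CVE, CVSSv2, Severity, KB, Title
81920, "CVE-2014-8769", 6.4, Medium, "IV67588", "AIX 7.1 TL 3 : tcpdump (IV67588)"
82900, , 7.5, High, "openssl_advisory13", "AIX OpenSSL Advisory : openssl_advisory13.asc"
83135, "CVE-2015-0138, CVE-2015-2808", 4.3, Medium, "java_apr2015_advisory", "AIX Java Advisory : Multiple Vulnerabilities"
"""


def parse_nopc_csv(text):
    """Parse NOPC format-3 output into a list of finding dicts.

    The CVE column is a quoted, comma-separated list, so splitting on ',' would
    mis-align every row with more than one CVE. csv.reader handles the quoting,
    and skipinitialspace=True copes with the space NOPC prints after each comma.
    """
    findings = []
    in_table = False
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            continue
        if not in_table:
            # Skip the "NOPC, <distro>" banner until the column header line.
            in_table = row[0].strip() == "Plugin ID"
            continue
        if len(row) != 6:
            raise ValueError("unexpected NOPC row: %r" % (row,))
        plugin_id, cve_field, cvss, severity, kb, title = (c.strip() for c in row)
        findings.append({
            "plugin_id": int(plugin_id),
            "cves": [c.strip() for c in cve_field.split(",") if c.strip()],
            "cvss": float(cvss) if cvss else None,   # some advisories carry no score
            "severity": severity,
            "kb": kb,
            "title": title,
        })
    return findings


def summarise(findings):
    """Counts per severity, the sorted set of CVEs, and findings worst-first by CVSS."""
    by_severity = Counter(f["severity"] for f in findings)
    cves = sorted({cve for f in findings for cve in f["cves"]})
    ranked = sorted(findings, key=lambda f: f["cvss"] or 0.0, reverse=True)
    return by_severity, cves, ranked


def findings_at_or_above(findings, min_cvss):
    """Apply a remediation cut-off, e.g. 7.0 for everything CVSSv2 rates High."""
    return [f for f in findings if f["cvss"] is not None and f["cvss"] >= min_cvss]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NOPC_CSV
    findings = parse_nopc_csv(text)
    by_severity, cves, ranked = summarise(findings)
    print("%d missing patches: %s" % (len(findings), dict(by_severity)))
    print("CVEs:", ", ".join(cves))
    for f in ranked:
        print("%4.1f %-6s %-6d %s" % (f["cvss"] or 0.0, f["severity"], f["plugin_id"], f["title"]))
```

Pass the CSV saved from nopc.sh as the only argument; with no argument it runs over the embedded sample. The Redhat run above emits the same column header, so the same parser serves any of the supported distributions.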
Downloads:

  • nopc-0.4.7.tar.bz2 (September 29, 2015, 12.7 KiB, MD5 052c08188e61c9080cd84a421c966e7c)
  • nopc-0.4.5.tar.bz2 (February 20, 2014, 17.7 KiB, MD5 180e64cce6a8bfee6d375bb796798c6e)
  • nopc-0.4.2.tar.bz2 (April 26, 2013, 11.7 KiB, MD5 3912a7b8a7eea99c0313378dd0843bad)
  • nopc-0.4.1.tar.bz2 (April 26, 2013, 11.6 KiB, MD5 9c82bddb9e214c5cf4fde1eccddc0096)
  • nopc-0.4.tar.bz2 (April 26, 2013, 11.7 KiB, MD5 7da2f9f63e0c2efb051e4b18a92b8d73)
  • nopc-0.3.tar.bz2 (April 26, 2013, 10.4 KiB, MD5 b69d91c8e7bc2490391891926c48c8f8)


secdump
https://labs.portcullis.co.uk/tools/secdump/
Fri, 26 Apr 2013 18:27:40 +0000

The post secdump appeared first on Portcullis Labs.

secdump is a simple meterpreter module that uploads and runs gsecdump. Nothing fancy, just a time saver.

Usage

meterpreter > run secdump
UploadExec gsecdump

OPTIONS:

    -a        Dump all creds
    -h        Help menu.
    -l        Dump LSA Secrets
    -p        Path on target to upload executable, default is %TEMP%.
    -s        Dump hashes from SAM/AD
    -u        Dump Active logon session hashes
    -w        Dump Wireless Creds {NOT IMPLEMENTED}
Download: secdump_0.1.tar.bz2 (April 26, 2013, 1.6 KiB, MD5 d8385c6d279d34949fb104dc3c6e63e0)


hoppy
https://labs.portcullis.co.uk/tools/hoppy/
Fri, 21 Jun 2013 15:32:11 +0000

The post hoppy appeared first on Portcullis Labs.

hoppy is a Python script to probe HTTP options and scan for information disclosure issues.

hoppy is an HTTP options prober written in Python. It checks which HTTP methods are available and probes them to see if they can be made to disclose system information.

Key features

  • HTTP method detection: TRACK, TRACE, PUT etc.
  • Internal IP address disclosure detection
  • Internal path disclosure detection
  • Transparent operation, so you can see exactly what it did
  • Data extraction
  • Spider to find directories for WebDAV detection
  • MS09-020 IIS authentication bypass check on all discovered directories
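Of the checks listed above, method detection and the two disclosure checks are response analysis and can be shown offline. The following Python is an added example written for this page, not hoppy's own code: it parses a raw HTTP response, lists the advertised methods and flags the risky ones, detects a reflected TRACE, and searches headers and body for RFC 1918/loopback addresses and Windows or UNIX file paths. The four responses are constructed, not captured from a real server; probe() is the only function that touches the network and is not needed for the samples.

```python
import ipaddress
import re
import socket

# Constructed responses (not captured from a real server) showing what hoppy reports.
OPTIONS_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                    b"Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT\r\n"
                    b"Public: OPTIONS, TRACE, GET, HEAD, POST, PUT\r\n"
                    b"Content-Length: 0\r\n\r\n")
TRACE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                  b"TRACE / HTTP/1.0\r\nHost: www.example.test\r\nCookie: session=abc\r\n\r\n")
# A redirect built from the server's own address: the classic internal IP leak.
REDIRECT_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                     b"Location: http://10.12.0.7/admin/\r\nContent-Length: 0\r\n\r\n")
ERROR_RESPONSE = (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                  b"<html>Could not open C:\\inetpub\\wwwroot\\include\\db.inc "
                  b"(also tried /var/www/html/include/db.inc)</html>")

DANGEROUS_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT", "PROPFIND", "MKCOL", "COPY", "MOVE"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Windows drive paths and common UNIX roots; whitespace, quotes and brackets end a path.
PATH_RE = re.compile(r"""[A-Za-z]:\\(?:[^\\\s<>"'()]+\\)*[^\\\s<>"'()]*|/(?:etc|var|home|usr|opt|srv|tmp)/[^\s<>"'()]+""")


def parse_response(raw):
    """Split a raw response into (status code, {lower-cased header: value}, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1")


def allowed_methods(headers):
    """Methods advertised in Allow (RFC 7231) and in the IIS-specific Public header."""
    methods = set()
    for name in ("allow", "public"):
        methods.update(m.strip().upper() for m in headers.get(name, "").split(",") if m.strip())
    return methods


def internal_ips(text):
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 fits the regex but is not an address
            continue
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            found.add(candidate)
    return sorted(found)


def internal_paths(text):
    return sorted(set(PATH_RE.findall(text)))


def assess(raw):
    """Everything a hoppy-style analysis wants from one response, as a dict."""
    status, headers, body = parse_response(raw)
    blob = "\n".join("%s: %s" % kv for kv in headers.items()) + "\n" + body
    methods = allowed_methods(headers)
    return {
        "status": status,
        "methods": methods,
        "dangerous": methods & DANGEROUS_METHODS,
        # A 200 whose body echoes our own request line means TRACE is live (cross-site tracing).
        "trace_reflected": status == 200 and body.upper().startswith("TRACE "),
        "internal_ips": internal_ips(blob),
        "internal_paths": internal_paths(blob),
    }


def probe(host, port=80, method="OPTIONS", path="/", send_host=True, timeout=5):
    """Send one raw request and return the response bytes. A raw socket is used so the
    Host header can be omitted, which is what provokes the redirect-based address leak."""
    request = "%s %s HTTP/1.0\r\n" % (method, path)
    if send_host:
        request += "Host: %s\r\n" % host
    request += "Connection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for name, raw in (("OPTIONS", OPTIONS_RESPONSE), ("TRACE", TRACE_RESPONSE),
                      ("no-Host redirect", REDIRECT_RESPONSE), ("error page", ERROR_RESPONSE)):
        print(name, assess(raw))
```

To use it against a live host, feed assess() the bytes from probe(host, method="OPTIONS"), probe(host, method="TRACE") and probe(host, path="/admin", send_host=False); the last is the request shape that makes a misconfigured server build a redirect from its own address.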
Downloads:

  • hoppy-1.8.1.tar.bz2 (April 26, 2013, 28.3 KiB, MD5 29c9a9f1ee5b691f86c367e6144fbca7)
  • hoppy-1.7.3.tar.bz2 (April 26, 2013, 26.9 KiB, MD5 03971e8acf01f6fe747a24844494c1fd)
  • hoppy-1.7.2.tar.bz2 (April 26, 2013, 26.4 KiB, MD5 0585a312a4f4cb7e59e1ee83a082cb7b)
  • hoppy-1.7.0.tar.bz2 (April 26, 2013, 26.0 KiB, MD5 979426b0b3601991044a90e46e07378c)
  • hoppy-1.6.4.tar.bz2 (April 26, 2013, 22.9 KiB, MD5 952aea93c90571c19792f1e0c711c9a7)
  • hoppy-1.6.3.tar.bz2 (April 26, 2013, 22.9 KiB, MD5 b54185838d18a8e5378a00ca033d1ce1)
  • hoppy-1.6.2.tar.bz2 (April 26, 2013, 22.7 KiB, MD5 3c585b1da40dfb57b52514f644c70b8e)
  • hoppy-1.6.0.tar.bz2 (April 26, 2013, 22.7 KiB, MD5 0deb4a49a55cae310110025bceea295e)
  • hoppy-1.5.12.tar.bz2 (April 26, 2013, 21.9 KiB, MD5 7e3b3e486f24c72833b2061b69058f33)
  • hoppy-1.5.11.tar.bz2 (April 26, 2013, 21.8 KiB, MD5 54cf9498ec1cd899d753f8b24a56226e)
  • hoppy-1.5.10.tar.bz2 (April 26, 2013, 21.7 KiB, MD5 f01a87ded65e61d1aa03ee835bf15ef2)
  • hoppy-1.5.9.tar.bz2 (April 26, 2013, 21.4 KiB, MD5 f222510f1a7c74b123a3f254b18a67b0)
  • hoppy-1.5.8.tar.bz2 (April 26, 2013, 20.5 KiB, MD5 cd647bcaeb7dc28454d67cea0c4e107c)
  • hoppy-1.5.7.tar.bz2 (April 26, 2013, 20.5 KiB, MD5 a7cbddcf834c2393c838124fead435a2)


polenum
https://labs.portcullis.co.uk/tools/polenum/
Fri, 26 Apr 2013 18:31:14 +0000

The post polenum appeared first on Portcullis Labs.

polenum is a python script which can be used to get the password policy from a Windows machine.

It uses the Impacket library from CORE Security Technologies to extract the password policy information from a Windows machine. This allows a non-Windows (Linux, Mac OS X, BSD etc.) user to query the password policy of a remote Windows box without needing access to a Windows machine to perform the query.

Key features

  • Can extract the password policy and associated information from a Windows machine
  • Will connect over a NULL session or an authenticated session
  • Supports encrypted/signed sessions

Limitations

  • No NTLMv2 support
  • Has a problem with domain connected workstations
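What polenum retrieves are the raw SAMR structures, in which every time limit is a negative count of 100-nanosecond intervals and the password properties are a bitmask; reading them correctly is where the value is. The following Python is an added example, not polenum's code. It assumes the integers have already been obtained (as polenum does via Impacket's SAMR calls) as the DOMAIN_PASSWORD_INFORMATION and DOMAIN_LOCKOUT_INFORMATION fields defined in MS-SAMR, decodes them into the form an administrator would recognise from Group Policy, and lists the points a tester would raise. The sample values are constructed, and the thresholds in policy_weaknesses() are common baseline values chosen for the example, not something the page states.

```python
# Flag bits of DOMAIN_PASSWORD_INFORMATION.PasswordProperties (MS-SAMR).
PASSWORD_PROPERTIES = {
    0x00000001: "DOMAIN_PASSWORD_COMPLEX",
    0x00000002: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x00000004: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x00000008: "DOMAIN_LOCKOUT_ADMINS",
    0x00000010: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x00000020: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
TICKS_PER_SECOND = 10_000_000   # delta-time fields count 100 ns intervals, negated
NO_LIMIT = -(1 << 63)           # 0x8000000000000000 means "never" / "no limit"


def delta_to_text(delta, no_limit_text):
    """Render a SAMR delta time (negative 100 ns count) as a readable duration."""
    if delta == NO_LIMIT:
        return no_limit_text
    if delta == 0:
        return "None"
    seconds = -delta // TICKS_PER_SECOND
    parts = []
    for unit, size in (("day", 86400), ("hour", 3600), ("minute", 60), ("second", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append("%d %s%s" % (count, unit, "" if count == 1 else "s"))
    return " ".join(parts) or "0 seconds"


def decode_policy(min_length, history, properties, max_age, min_age,
                  lockout_duration, lockout_window, lockout_threshold):
    """Turn the raw SAMR integers into the policy as an administrator would read it."""
    return {
        "min_password_length": min_length,
        "password_history_length": history,
        "password_properties": [name for bit, name in sorted(PASSWORD_PROPERTIES.items())
                                if properties & bit],
        "max_password_age": delta_to_text(max_age, "Never expires"),
        "min_password_age": delta_to_text(min_age, "No limit"),
        "lockout_duration": delta_to_text(lockout_duration, "Until an administrator unlocks"),
        "lockout_observation_window": delta_to_text(lockout_window, "No limit"),
        "lockout_threshold": lockout_threshold,
    }


def policy_weaknesses(policy):
    """The points a tester would raise; the thresholds are example baseline values."""
    issues = []
    if policy["min_password_length"] < 8:
        issues.append("minimum password length is %d (below 8)" % policy["min_password_length"])
    if "DOMAIN_PASSWORD_COMPLEX" not in policy["password_properties"]:
        issues.append("password complexity is not enforced")
    if policy["password_history_length"] < 5:
        issues.append("password history of %d allows quick reuse" % policy["password_history_length"])
    if policy["max_password_age"] == "Never expires":
        issues.append("passwords never expire")
    if policy["lockout_threshold"] == 0:
        issues.append("no account lockout: online password guessing is unthrottled")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in policy["password_properties"]:
        issues.append("reversible encryption (cleartext-equivalent storage) is enabled")
    return issues


# Constructed sample: 42-day maximum age, 1-day minimum age, complexity on,
# a 30-minute lockout window and duration, but a lockout threshold of 0 (lockout off).
SAMPLE_RAW = dict(
    min_length=7, history=24, properties=0x00000001,
    max_age=-42 * 86400 * TICKS_PER_SECOND, min_age=-1 * 86400 * TICKS_PER_SECOND,
    lockout_duration=-30 * 60 * TICKS_PER_SECOND, lockout_window=-30 * 60 * TICKS_PER_SECOND,
    lockout_threshold=0,
)

if __name__ == "__main__":
    policy = decode_policy(**SAMPLE_RAW)
    for key, value in policy.items():
        print("%-28s %s" % (key, value))
    for issue in policy_weaknesses(policy):
        print("[!]", issue)
```

The sentinel handling matters in practice: a MaxPasswordAge of 0x8000000000000000 is "never expires", and the same value in LockoutDuration means accounts stay locked until an administrator intervenes, so a decoder that just divides by ten million will report nonsense for exactly the settings you most want to notice.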
Download: polenum-0.2.tar.bz2 (April 26, 2013, 5.9 KiB, MD5 4101c2acfa5442bd75418afaa405624d)


vessl
https://labs.portcullis.co.uk/tools/vessl/
Fri, 26 Apr 2013 18:16:05 +0000

The post vessl appeared first on Portcullis Labs.

vessl is a bash script that can fetch and verify the SSL certificate of a remote server.

It was originally written in order to script up the ability to verify SSL certificates across a large network.

Key features

  • vessl will connect to any service that OpenSSL can
  • It will extract the certificate and verify it against a given CA PEM file
  • It will check that the certificate matches the host it is on
  • It produces a map from IP addresses to hostnames
  • Checks to see if the certificate is based on a blacklisted Debian key (the 2008 Debian OpenSSL weak keys)

Dependencies

Usage

vessl -h host [-p port] [-c certfile] [-v]

Output Files

By default the output will be 3 files:

ip:port.verify
ip:port.cert
sslmap

The first is the verification data, the second is the certificate and the third maps IP to SSL Hostname, e.g.

77.75.105.66:443, labs.portcullis.co.uk (77.75.105.66)
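The "certificate matches the host" check listed above is where home-grown verifiers most often go wrong, usually on wildcards or by trusting the subject CN when a SAN is present. The following Python is an added example, not vessl's code (vessl is a bash script around OpenSSL): it implements the RFC 6125 name-matching rules for a host against a certificate's dNSName and iPAddress SANs and CN, and formats a line in the sslmap layout shown above. Apart from labs.portcullis.co.uk and its address from the sslmap line, the names in the assertions are made up for the example.

```python
import ipaddress


def _dns_name_matches(pattern, host):
    """One certificate dNSName against one host name, per RFC 6125 section 6.4.3:
    a wildcard must be the whole left-most label and matches exactly one label,
    so *.example.com covers a.example.com but not example.com or a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False   # reject partial-label (f*o.example.com) and multiple wildcards
    if len(p_labels) < 3:
        return False   # reject *.com; a public-suffix list would also catch *.co.uk
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(host, san_dns=(), san_ip=(), cn=None):
    """True if the certificate's names cover `host`.

    For an IP-literal host only iPAddress SANs count. For a DNS host the dNSName
    SANs are authoritative, and the subject CN is consulted only when the
    certificate carries no dNSName SAN at all (RFC 6125 section 6.4.4).
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in san_ip)
    names = list(san_dns) if san_dns else ([cn] if cn else [])
    return any(_dns_name_matches(n, host) for n in names)


def sslmap_line(ip, port, hostname):
    """One line in the layout of vessl's sslmap output file."""
    return "%s:%d, %s (%s)" % (ip, port, hostname, ip)


if __name__ == "__main__":
    print(sslmap_line("77.75.105.66", 443, "labs.portcullis.co.uk"))
    print(hostname_matches("labs.portcullis.co.uk", san_dns=["*.portcullis.co.uk"]))
    print(hostname_matches("portcullis.co.uk", san_dns=["*.portcullis.co.uk"]))
```

The deliberate strictness (no partial-label wildcards, no wildcard matching across a dot, CN ignored once any dNSName SAN exists) is what you want in an audit tool: a certificate that only passes under looser rules is worth a finding, because not every client is loose in the same way.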

Generating a CA PEM file

Gentoo

emerge ca-certificates
mkdir /etc/certs
cat /usr/share/ca-certificates/mozilla/* > /etc/certs/mozilla.pem

Debian

apt-get install ca-certificates
mkdir /etc/certs
cat /usr/share/ca-certificates/mozilla/* > /etc/certs/mozilla.pem
Downloads:

  • vessl-0.3.1.tar.bz2 (April 26, 2013, 8.0 KiB, MD5 9f9b0b942ea85b2f6fd2546870624803)
  • vessl-0.2.tar.bz2 (April 26, 2013, 7.7 KiB, MD5 4b7a0bcfca6369836c79aa91b9079e2f)
  • vessl-0.1.tar.bz2 (April 26, 2013, 7.5 KiB, MD5 f267ae238c2adc58913579eee635ee0b)


Introduction To Format Strings
https://labs.portcullis.co.uk/presentations/introduction-to-format-strings/
Fri, 21 Jun 2013 15:38:55 +0000

The post Introduction To Format Strings appeared first on Portcullis Labs.

A presentation introducing format string problems

What?

This presentation tries to cover the basics of format strings exploitation. Starting with an explanation of the legitimate use of Format Strings (Yin) moving onto how programming flaws can be exploited using this technique.

Why?

I spent many months getting my head around the nuances of FS exploitation so thought I would put together a presentation on all the little things that I thought were the key points when coming across this subject for the first time. This hopefully will act as a good basis for the More Adventures In Format Strings presentation.

Download: IntroducingFormatStrings (759.5 KiB, MD5 cfa7f521e90249bcdb0ce520bdf28f5a)


More Adventures in Format Strings
https://labs.portcullis.co.uk/presentations/more-adventures-in-format-strings/
Fri, 26 Apr 2013 18:02:00 +0000

The post More Adventures in Format Strings appeared first on Portcullis Labs.

A follow up presentation to show more in-depth format string exploitation techniques.

What?

This presentation covers a method for exploiting format string vulnerabilities, which is compared to the techniques used for exploiting heap smashes. It does not cover the basics of the vulnerability because these are ten a penny.

Why?

Much has been written covering the underlying principles of format strings, but not much seemed to be written about this specific technique. Moreover, it was written to push forward a method and library that can be used to optimise format strings to fit into smaller buffer spaces.

Download: formatstringrevisited.pdf (April 26, 2013, 541.6 KiB, MD5 e3fd1fbc64fe67b056a9001987bfc5ea)

