Blog


  • PowerOPS: PowerShell for Offensive Operations (6/3/2016) - At Portcullis, one of the most frequent assessments we perform are breakouts. One of the main challenges we face during these assessments is to get command execution that can either help escalate our privileges or allow us to gain access to different systems on the network. Sometimes we find harsh group policy restrictions in place […]
  • Downgrading RDP connections and how to avoid it (4/22/2016) - This post describes how Remote Desktop Protocol (RDP) connections can be vulnerable to a downgrade attack if Terminal Servers are configured insecurely. We’re not aware of this issue being discussed before – googling only found pages about installing an earlier version of the RDP client, not about downgrading the protocol in the way described here. […]
  • Keep your cookies safe (part 1) (4/22/2016) - What are cookies and why are they important? A cookie is a small piece of data sent from a website and stored in a user’s web browser, and it is subsequently included with all authenticated requests that belong to that session. Some cookies contain the user session data in a website, which is vital. Other cookies […]
  • Sandbox detection: Pafish overview (3/14/2016) - Here at Portcullis, we are frequently involved in “red team” exercises, which means we subject an organisation’s information security systems to rigorous testing and analysis. The opposite of a red team is a “blue team”. A blue team attempts to identify and stop the red team from compromising systems. One of the techniques used when […]
  • Windows Named Pipes: There and back again (11/20/2015) - Inter Process Communication (IPC) is a ubiquitous part of modern computing. Processes often talk to each other and many software packages contain multiple components which need to exchange data to run properly. Named pipes are one of the many forms of IPC in use today and are extensively used on the Windows platform as a […]
  • NOPC version 0.4.7 released (10/28/2015) - NOPC, the Nessus-based offline patch checker for Linux distributions and UNIX-based systems has had some changes made and been made available in our tools section. This article discusses the new features in detail and provides some working examples. Updated features and bug fixes Improvements to the interactive mode (e.g. asking for what format for results […]
  • Locating SAT based C&Cs (10/28/2015) - Recently, Kaspersky published research about how a Russian APT group uses hijacked satellite links to anonymise their malware command-and-control (C&C) servers (Satellite Turla: APT Command and Control in the Sky). As they say in their blog post, I researched and published how to abuse satellite DVB-S/2 internet communications, the technique used during the Epic […]
  • padmin to root: Roles on AIX (10/2/2015) - Following a recent post from a consultant at IBM discussing how privileged access should be performed on VIOS, I figured it was time to share some of our research in this arena. Those of you that are regular readers will know that I love root. For those of you that are new, welcome aboard. […]
  • CVE-2015-5119 Flash ByteArray UaF: A beginner’s walkthrough (9/24/2015) - This document is a written form of a workshop and presentation I gave at Portcullis Labs in late July 2015. It is a beginner’s walkthrough to understand the recent Flash bug that was discovered in Hacking Team’s pocket and given the sweet name of CVE-2015-5119. It was found and exploited by Vitaliy Toropov. Disclaimer: If […]
  • Blood in the water: Phishing with BeEF (9/18/2015) - Those of you that have been following the UK infosec market recently will have noticed an upturn in talk relating to “Red Team” style engagements. Unlike a traditional penetration test, the object of such an exercise is not to locate vulnerabilities (though of course that helps) but rather to exercise the “Blue Team” i.e. the […]
  • Graham “@gsuberland” Sutherland’s 44CON presentation (9/11/2015) - Graham recently gave a presentation at 44CON’s community night entitled “GET IN THE RING0″ on the subject of Windows kernel drivers. His talk covered: Same basic concepts as writing usermode apps Some additional bits Talking between usermode / kernelmode Major functions, IRPs, IOCTLs Special concepts like IRQLs (mostly) officially documented on MSDN! (most of) the […]
  • Burp Extension (8/26/2015) - At Portcullis, one of the more frequent assessments we perform are web application assessments. One of the main challenges we face during these assessments is to look for information that can either help escalate our privileges or allow us to gain access to different functionalities of the web application. Unauthorised access to functionality can often […]
  • NOPC version 0.4.5 released (6/12/2015) - NOPC, the Nessus-based offline UNIX patch checker has had some changes made and been made available in our tools section. This article discusses the new features in detail and provides some working examples. Introduction There have been some updates to the NOPC tool. The latest version is now 0.4.5. Updated features and bug fixes Added Output […]
  • SSL and Export Ciphers: Logjam and FREAK (5/28/2015) - Recent attacks have shown the risks of leaving legacy TLS encryption modes enabled. In this blog post, the risks of having export-grade cryptography enabled will be addressed. During the 90s very strict export regulations regarding cryptography were present in the United States of America. Due to this issue, some SSL implementations have deliberately weakened ciphers […]
  • VENOM vulnerability (5/14/2015) - VENOM (Virtualised Environment Neglected Operations Manipulation) is a vulnerability that could allow an attacker to escape a guest virtual machine and access the host system, along with other virtual machines running on this system, and access their data. This could potentially allow an attacker to steal sensitive data on any of these virtual machines and […]
  • uid=0 is deprecated: A trick unix-privesc-check doesn’t yet know (5/5/2015) - Just like Linux, the modern Solaris install doesn’t simply rely on UID/GID to determine privilege. Instead there are roles and profiles to contend with. The following is a loose explanation of how they work: User = user + group + user_attr + /etc/security/auth_attr + /etc/security/auth_attr.d/* user = Raw privileges (PRIV_DEFAULT + !PRIV_LIMIT) user_attr = List […]
  • This way to 10.10.10.1: Playing with labelled switching (4/17/2015) - As a pentester, there are days when you’ll get asked to look at the ordinary, and there are days that you’ll be asked to look at something more challenging. This week was full of days that met the latter criteria and not the former. Whilst I can’t share the scope, Portcullis was asked to examine […]
  • Testing against the kill chain on non-”red team” assessments (4/7/2015) - The following is a braindump of an idea I had as a result of the work I have been doing on Portcullis’ STAR offering. The question I set myself was, what testing could we perform, under our normal terms of engagement which would contribute to the “blue team” i.e. the system administrators and developers better […]
  • Beware of empty paths (3/26/2015) - Consider the case of a setUID binary that runs as root and allows the caller to execute certain other scripts and binaries from a given restricted directory. The Portcullis Labs team recently spotted such a case and I was asked to take a look to determine exploitability. What follows is a short analysis of what […]
  • Fixing the links: Hardening the linker (2/20/2015) - As many of our regular readers will know, the Portcullis Labs team have a good deal of experience with reviewing the security of POSIX-like OS, and as a result, we’ve made some interesting discoveries in terms of how easy it can be to escalate one’s privileges. As I discussed some time ago at CRESTCon, […]
  • Detecting Windows horizontal password guessing attacks in near real-time (2/16/2015) - When attempting to gain a foothold into a Windows Domain, an attacker will often attempt one or two likely passwords against every user in the Active Directory, a so-called horizontal password guessing attack. A small number of failed logons per user will usually not trigger a user account lockout policy and can be very effective. […]
  • MS SQL Server Audit: Extended Stored Procedures / Table Privileges (1/23/2015) - (If you excuse the pun), everyone has a different view on Extended Stored Procedures: Some might say they are stored procedures with extra functionality Some might say they can cause problems to a database if misused Some simply say they are stored procedures with a prefix of xp_ This post will hopefully give a better […]
  • A year in the world of security advisories (12/18/2014) - Security researchers find vulnerabilities in products; it’s an important and almost inevitable part of the job. One of the side effects of these discoveries is that often new, unfixed zero day vulnerabilities are identified which the affected vendor may not be aware of. This can present a somewhat difficult situation: What should be done with […]
  • Building a sandpit (11/18/2014) - Today I was looking at how plugins could safely be incorporated into a J2EE application server. The plugins in this instance are executed server side, rather than on the client and are, in the main, provided by 3rd parties (digital advertising agencies etc). The aim was to limit the scope in which they operate. The […]
  • You can’t even trust your own reflection these days… (11/5/2014) - Recently, researchers at Trustwave’s SpiderLabs spoke at Black Hat Europe on the dangers of simply reflecting data back to the requesting user as part of an HTTP request/response exchange. When you think about it, this stands to reason, after all, it’s what Cross-site Scripting attacks are born from. What’s interesting is that the new research […]
  • Using Intel Pin tools for binary instrumentation (11/4/2014) - This article continues the topic of dynamic instrumentation that was presented in a previous article. Yama LSM In this post, the basics of coding Intel Pin tools will be presented, but before we discuss this, you should be aware that a Linux Security Module exists that prevents binary instrumentation by default. Yama […]
  • POODLE: Padding Oracle On Downgraded Legacy Encryption (10/15/2014) - Last night, researchers from Google released details of a new attack that they have called the Padding Oracle On Downgrade Legacy Encryption (POODLE) attack which has been assigned CVE-2014-3566. The summary is, essentially, that SSLv3 uses a MAC-then-encrypt construction, which doesn’t authenticate the padding as it is applied on the plaintext message before padding or […]
  • Vanilla good security practice vs. BadUSB (10/9/2014) - This post discusses the BadUSB research published by Karsten Nohl recently at Black Hat. You might want to check out the slides and/or video before reading on. It’s also worth noting that more recently Adam Caudill and Brandon Wilson figured out how to implement the attacks and have published proof-of-concept code which makes the challenges […]
  • CVE-2014-6271 (Shellshock): The story of a permissive parser (9/29/2014) - Some bugs are so simple and so elegant that you wonder how it is possible that no one has found them until now. Those are my favorites. They are simple, they do not involve memory corruption and most of the time they do not even need an advanced exploit code to abuse it. Stéphane Chazelas’ […]
  • EMF Camp 2014 talk (8/28/2014) - We recently announced our sponsorship of EMF Camp 2014, we’re ready to go, Portcullis flags in tow, and will be heading on over to Milton Keynes to help get EMF ready. While there we will not only be sponsoring the Lounge where people can come and enjoy a space to relax and drink beer and […]
  • EMF Camp 2014 USB scavenger hunt (8/26/2014) - This year, Portcullis are running a USB Scavenger Hunt at EMF Camp. For those of you attending, we’ve written this post to give you all the instructions and rules you need to get underway. Good luck! Instructions This is a cross between a scavenger hunt and a CTF event. Each USB key will contain a […]
  • Could Sophos Antivirus Web Protection cause a privacy concern for your organisation? (6/2/2014) - Sophos provide Antivirus solutions for a number of platforms, including Windows, Mac and various flavors of Linux and Unix. This blog post however details a potential privacy concern when the “Web Protection” component is enabled within the Sophos Endpoint Security and Control software, which features within Sophos Antivirus for Windows (version 10.3.x). This is not […]
  • University outreach (5/30/2014) - As part of Portcullis’s ongoing commitment to filling the ever expanding lack of computing skills within the workplace, we have in the last year and a half been working together with Universities from across the country to provide a bridge between younger generations who may not be aware of even the existence of Penetration Testing […]
  • Accessing Cisco kit politely (5/30/2014) - We were recently asked to assess a risk averse environment in which there was (I don’t know the collective noun) a “chunk” of Cisco kit, comprising both switches and ASA firewalls. We needed to make sure it was being accessed in a secure manner. The client had decided for this small isolated environment that implementing […]
  • An introduction to binary dynamic analysis (5/13/2014) - The term dynamic instrumentation refers to the act of monitoring the execution of a program in order to extract debug information, to measure code performance or to detect errors. Dynamic instrumentation can be used to generate measures of functions properties such as execution time, call counts, registers status or call graphs. Tools Several software solutions […]
  • Portcullis security consultants to present at BSides London (4/25/2014) - We are pleased to announce that two of our security consultants, Graham Sutherland and Tim Brown, will be presenting at the upcoming BSides London security conference on the 29th of April. BSides London is an annual community-driven security conference which, this year, will be taking place at the Kensington and Chelsea Town Hall in London. […]
  • Heartbleed (4/11/2014) - The Team has updated its SSL Good Practice Guide to incorporate the recent Heartbleed attack. In case you’ve been out of the loop, here’s a brief summary of the vulnerability: What is it? Heartbleed (AKA CVE-2014-0160) is an implementation flaw in TLS heartbeats for OpenSSL versions 1.0.1 through to 1.0.1f. It exposes an unpredictably addressed […]
  • Investigating the TimeLive application (4/4/2014) - Some time ago I was on an internal infrastructure pentest job where I found a web server that hosted the TimeLive application. I had never heard of this application, and since I was looking at a login page, I opened a browser to my favourite search engine. The following is a brief explanation of things […]
  • New SSL recommendations (4/1/2014) - As previously mentioned in SSL: Light at the end of the tunnel, today is the day that our SSL recommendations officially change. From today onwards the Team recommend only TLS versions 1.1 and 1.2. Up until now the Team have accepted the need for SSLv3 and TLSv1 for compatibility reasons, however the time has come […]
  • VMware vSphere basics – “The bits and pieces” (3/21/2014) - In this article, we will explore the various components that make up the VMware vSphere platform, and briefly touch on the most important of these from the perspective of the security professional. VMware vSphere Basics – “The bits and pieces” Everyone will have had some exposure to virtual technologies in their pentesting adventures. Due to […]
  • Retrospective decryption of SSL-encrypted RDP sessions (3/13/2014) - This post describes how network eavesdroppers might record encrypted RDP sessions and at some later time (after a server compromise) be able to decrypt them. This could expose any data sent over the RDP connection including keystrokes, usernames and passwords. Put in more technical language: This post is about Perfect Forward Secrecy, how SSL connections often lack […]
  • Raspberry ph0wn (3/11/2014) - Recently the technical team had a discussion about subversive attack vectors that could be utilised by social engineering attacks to provide a long term remote connection to a network whilst remaining undetected. After a spark of inspiration and half an evening later the following device was made as a proof of concept. We took an […]
  • SSL “Man-In-The-Middle” attacks on RDP (3/4/2014) - This post seeks to demonstrate why users learning to ignore those certificate warnings for SSL-based RDP connection could leave them open to “Man-In-The-Middle” attacks. The MiTM attack demonstrated displays keystrokes sent during an RDP session. We conclude with some advice on how to avoid being the victim of such an attack. Types of RDP connections […]
  • NTFS Alternate Data Streams for pentesters (part 1) (2/27/2014) - Alternate Data Streams (ADS) have been present in modern versions of Windows for a long time. If you are using an NTFS filesystem, you can bet that you are using them. As penetration testers, we can use that OS-specific feature to our advantage. In the following posts, the information required to understand and identify potential ADS-related issues […]
  • MS SQL Server audit: Surface area reduction (part 1) (2/26/2014) - SQL Server has a number of components that allow clients to connect and communicate with it. Microsoft introduced the term, “Surface Area Reduction” as a security measure that involves stopping or disabling unused components. Like the name suggests, it reduces the number of ways that an attacker could try to interrogate the SQL Server. This […]
  • CVE-2013-5795: Oracle Demantra database credentials leak vulnerability (2/20/2014) - The purpose of this post is to present a technical report of the CVE-2013-5795 vulnerability. This bug was found on a bug hunt weekend. Oracle Demantra is a demand management, sales & operations planning, and trade promotions management solution, which was acquired by Oracle in 2006. It was curious to note that no previous vulnerabilities had been identified, which made […]
  • CVE-2013-5880: Oracle Demantra authentication bypass vulnerability (2/19/2014) - The purpose of this post is to present a technical report of the CVE-2013-5880 vulnerability. This bug was found on a bug hunt weekend. Oracle Demantra is a demand management, sales and operations planning, and trade promotions management solution, which was acquired by Oracle in 2006. It was curious to note that no previous vulnerabilities had been identified, which made […]
  • Checking RDP support across an internal network (2/10/2014) - We’ve recently added some new features to rdp-sec-check, which is a Perl script to enumerate security settings of an RDP Service (AKA Terminal Services). The tool download is available in the rdp-sec-check page. The following new features were added to rdp-sec-check: Support for targets file Support for saving the tool output to a specified logfile […]
  • MS SQL Server Audit: Introduction (2/10/2014) - MS SQL Server is Microsoft’s relational database management system with a large number of features and services. With this coverage, there is a large surface area for attack and vulnerabilities. Fortunately, there are a number of security benchmarks and good practice documents available. This article gives an introduction to the security guidelines available and an […]
  • Audit services using Windows Programs only (2/10/2014) - There are many third-party tools in the security industry that can perform a security audit of your Windows system. Some are standalone executables, some are frameworks, some are free and some you have to shell out money for. But what if these tools are not available to you, and you are stuck with a Windows […]
  • Windows System Objects and Sophos Endpoint Security (2/3/2014) - Windows system objects are one of the interesting areas of binary application assessments that are often ignored or misunderstood. Many people don’t realise that abstract Windows application programming concepts such as mutexes, events, semaphores, shared memory sections, and jobs all come together under the purview of the Windows Object Manager. These objects, like those in […]
  • Se* and you (1/28/2014) - Inspired by GRSecurity‘s analysis of the Linux capabilities model, I thought I’d take a quick look at how Windows fares. The following is a brief analysis of the threats associated with each Se* privilege. To be clear, the context of this analysis is the case where you land in a service account that has one […]
  • Securi-Tay 3 wrap-up (1/24/2014) - Of all the conferences I’ve been to, Securi-Tay has always been a favourite. I don’t know whether it’s the mix of security professionals and students, the relaxed atmosphere, or the balance between technical and non-technical talks, but it’s always a great time. For those of you that aren’t familiar with it, Securi-Tay is a student […]
  • Improving the security in web sessions (part 2) (1/24/2014) - The previous post about session management was about how to improve the security of web sessions. An aspect which was not addressed in that post is how to identify that a session is not in active use any more but where the user has manually logged out. For example, a user who was using a […]
  • Improving the security in web sessions (part 1) (1/9/2014) - Session management is a crucial part of web applications and therefore it is also the target of numerous kinds of attacks. Critical web applications, such as banking applications, require complete control of the users’ sessions to prevent abuses or session hijacking attacks. One way to complicate these types of attack, is for the web application […]
  • URL shorteners: What link are you really clicking? (1/8/2014) - URL shorteners are a main-stay of Internet use these days, helping users to cut down unsightly long URLs to concise links that can be easily shared. Social media has helped to fuel the popularity of the various services available, but how do you know if you can trust the link you’re clicking? I’ve always been […]
  • Evaluating SteamOS’s security posture (a first look) (12/16/2013) - Security researchers love the new shiny and whilst some like playing games too, I am not one of those. That being said, I have researched UNIX like OS for a number of years and I’m constantly thrilled by the new uses people find for it. This security evaluation was performed against the beta tree of […]
  • In the lab, popping CVE-2013-2171 for FreeBSD 9.0… (12/11/2013) - As a security researcher, I’m keen to learn new exploitation techniques and the art of kernel exploitation is no exception. Whilst preparing my slides for 44CON 2013, I was looking for an easy kernel vulnerability to demonstrate. CVE-2013-2171 was a recent vulnerability that was reported in FreeBSD 9.0 which fitted the bill. As I explained […]
  • CVE-2013-5065: NDProxy array indexing error unpatched vulnerability (12/10/2013) - The purpose of this document is to present a technical report of the CVE-2013-5065 vulnerability. A few days ago, FireEye identified a 0 day kernel exploit embedded within a PDF document actively used in the wild. The vulnerability itself is present in the NDProxy kernel driver. Whilst this is present in all versions of Windows, […]
  • SSL: Light at the end of the tunnel (11/18/2013) - As it stands, SSL is in a bad way. First BEAST, then CRIME, followed by weaknesses highlighted in the RC4 cipher which was proposed as a workaround to the previous attacks have left SSL version 3 and TLS version 1 in a bind. At present, the most practical recommendation is to use RC4 as the […]
  • Are you considering using Microsoft Group Policy Preferences?… Think again! (11/6/2013) - Windows 2008 Server introduced a new feature known as Group Policy Preferences that allows administrators to deploy specific configurations that affect computers/users within a domain. This post details a serious problem associated with the use of Group Policy Preferences, specifically when a policy includes a username and encrypted password, which can result in a normal […]
  • OHM 2013: Review of “Returning signals for fun and profit” (11/5/2013) - One interesting talk I attended at OHM 2013 was titled “Returning Signals for fun and profit”. This talk was given by Erik Bosman. The talk refers to a new way of exploiting binaries using the Linux signal stack frame. This post could be summarised with the following words: Return oriented programming has been proven to be […]
  • New “Restricted Admin” feature of RDP 8.1 allows pass-the-hash (10/20/2013) - Windows 2012 R2 servers use a newer version of the Remote Desktop Protocol (RDP) that has a feature that will be of interest to both penetration testers and system administrators. This post describes the new “Restricted Admin” feature, the security benefits it brings and a potential downside of the feature: Pass-the-Hash attacks. We’ll briefly recap what […]
  • CVE-2013-0640: Adobe Reader XFA oneOfChild Un-initialized memory vulnerability (part 2) (10/15/2013) - The purpose of this document is to present the second part of a technical report of the CVE-2013-0640 vulnerability targeting Adobe Reader version 9, 10 and 11. It was first spotted in February 2013 and has been used actively in the wild. Warning: All function names in this article are purely fictional and were chosen […]
  • CVE-2013-0640: Adobe Reader XFA oneOfChild Un-initialized memory vulnerability (part 1) (9/26/2013) - This document aims to present a technical report of the CVE-2013-0640 vulnerability targeting Adobe Reader version 9, 10 and 11. It was first spotted in February 2013 and has been used actively in the wild. This is the first article of a set. It covers the full detailed analysis of the bug. Adobe Reader is […]
  • WARNING: May void warranty (9/3/2013) - Having just arrived back from a client engagement, I was in the pub with some colleagues earlier this evening, and one amongst them, a junior asked a really interesting question “How does one assess an embedded device?”. To qualify this, the subject of the project on which I had been engaged was such a device. […]
  • Mailpile: Well, they’re half right (8/27/2013) - Recently, there has been a lot of media buzz about Mailpile, a new startup which has raised over $100,000 on IndieGoGo for its eponymous locally hosted web mail project. Having been present at the talk at which this project was officially launched at OHM 2013, I was surprised to see the media’s reaction to the […]
  • OHM 2013: An overview (8/18/2013) - This summer, a few of us at Portcullis went for a trip to Holland where the OHM 2013 event took place. This is a large gathering for hackers, geeks, scientists, engineers, artists and crafters from all over the world living in small themed camping villages for 4 days. To any frequent attendee of camping festivals […]
  • Allowing low privileged users to create directories in C:\ (8/15/2013) - By default, Windows systems will allow low privileged users to create directories (but not files) in the root of the `C:’ drive. In this post we ask if that’s really a security problem and ultimately conclude that, yes sometimes it can be. Default permissions Depending on the version of Windows, various low privileged users are […]
  • We’re all going on our summer holidays… (7/26/2013) - We’re not really, but some of the Portcullis Labs Team are off to OHM 2013 in Holland. For those of you who don’t know, OHM is the latest in a long line of four yearly “hacker” conferences that take place in a field, with the participants camping out. Unlike more conventional conferences such as DEF […]
  • In the lab, popping CVE-2013-4011 for AIX 7.1… (7/20/2013) - Early this morning, whilst checking my mail, I saw an interesting advisory come out on one of the lists. The fact that it affects AIX 7.1 was particularly interesting because this is the most recent release. Unlike some of the other commercial UNIX vendors, IBM make their security patches nice and accessible, so I decided […]