Presentation on how Windows kernel drivers work and where to look for vulnerabilities (as given at 44CON 2015).
Graham recently gave a presentation at 44CON’s community night entitled “GET IN THE RING0” on the subject of Windows kernel drivers.
When attempting to gain a foothold in a Windows Domain, an attacker will often attempt one or two likely passwords against every user in the Active Directory, a so-called horizontal password guessing attack. A small number of failed logons per user will usually not trigger a user account lockout policy, so the attack can be very effective. This post will provide an example solution for detecting such attacks in near real time, using only native Windows tools.
Sophos provide Anti-Virus solutions for a number of platforms, including Windows, Mac and various flavors of Linux and Unix. This blog post, however, details a potential privacy concern when the “Web Protection” component is enabled within the Sophos Endpoint Security and Control software, which features within Sophos Anti-Virus for Windows (version 10.3.x).
Alternate Data Streams (ADS) have been present in modern versions of Windows for a long time. If you are using an NTFS filesystem, you can bet that you are using them. As penetration testers, we can use that OS-specific feature to our advantage. In the following posts, the information required to understand and identify potential ADS-related issues will be provided. This post will provide the required background to understand some common scenarios that could be useful during penetration testing engagements.
We’ve recently added some new features to rdp-sec-check, which is a Perl script to enumerate security settings of an RDP Service (AKA Terminal Services). The tool download is available on the rdp-sec-check page.
There are many third-party tools in the security industry that can perform a security audit of your Windows system. Some are standalone executables, some are frameworks, some are free and some you have to shell out money for. But what if these tools are not available to you, and you are stuck with a Windows server and essentially what Windows has given you? This article will look at executable programs under Windows that can be used to audit services.
Windows system objects are one of the interesting areas of binary application assessments that are often ignored or misunderstood. Many people don’t realise that abstract Windows application programming concepts such as mutexes, events, semaphores, shared memory sections, and jobs all come together under the purview of the Windows Object Manager. These objects, like those in the filesystem and registry namespaces, have all sorts of interesting security impacts when not properly managed.
Inspired by GRSecurity’s analysis of the Linux capabilities model, I thought I’d take a quick look at how Windows fares. The following is a brief analysis of the threats associated with each Se* privilege.
The purpose of this document is to present a technical report of the CVE-2013-5065 vulnerability. A few days ago, FireEye identified a 0-day kernel exploit embedded within a PDF document and actively used in the wild. The vulnerability itself is in the NDProxy kernel driver. Whilst the driver is present in all versions of Windows, the vulnerability itself is only present in Windows 2003 and XP. The NDProxy driver is responsible for interfacing NDISWAN and CoNDIS WAN drivers to the TAPI services.