CORELAN.BE
EXPLOIT WRITING TUTORIAL PART 11 : HEAP SPRAYING
A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions. Although there are a number of public exploits available that target IE8, the exact technique to do so has not really been documented in detail. Of course, you can probably derive how it works by looking at those public exploits. With this tutorial

FORUM | CORELAN CYBERSECURITY RESEARCH
If you would like to participate in an online community, ask questions and/or answer questions, please feel free to join our Slack workspace instead. Please send me a message on Twitter (@corelanconsult) or Facebook (Corelan Consulting) to get a Slack invite.

FREE TOOL : FIND OUT WHERE YOUR AD USERS ARE LOGGED ON
Hi, I decided to release another free utility I wrote a while ago. This small command-line utility can be used to find out where Active Directory users are logged on, and/or to find out who is logged on on specific machines. This should include local users, users that are logged in via RDP, user

WINDOWS 10 X86/WOW64 USERLAND HEAP
Introduction. Hi all, over the course of the past few weeks, I received a number of "emergency" calls from some relatives, asking me to look at their computer because "things were broken", "things looked different" and "I think my computer got hacked". I quickly realized that their computers got upgraded to Windows 10. We

EXPLOIT WRITING TUTORIAL PART 6 : BYPASSING STACK COOKIES
Introduction. In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) is based on the fact that a reliable return

WINDOWS 2008 PKI / CERTIFICATE AUTHORITY (AD CS) BASICS
Keywords : Windows 2008 PKI Certificate Authority certutil certreq template root CA Enterprise CA convert pfx to pem generate custom certificate request subject alternate name san attribute. Today’s blog post targets the deployment of a Windows 2008 server based Certificate Authority (AD CS) and will discuss some common scenarios where certificates are used / required.

EXPLOIT WRITING TUTORIAL PART 2 : STACK BASED OVERFLOWS
eax=00000001 ebx=00104a58 ecx=7c91005d edx=00000040 esi=77c5fce0 edi=000067fa eip=42424242 esp=000ff730 ebp=00344200 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 Missing image name, possible paged-out or corrupt data. Missing image name, possible paged-out or corrupt data. Missing image name, possible paged

DEPS – PRECISE HEAP SPRAY ON FIREFOX AND IE10
Introduction. Last week, while doing my bi-weekly courseware review and update, I discovered that my heap spray script for Firefox 9 no longer works on recent versions. Looking back at the type of tricks I had to use to make a precise spray work under Firefox 9 and IE 9, and realizing that these changes don’t seem to have any useful effect on Firefox or IE 10, I think it’s fair to state

DYNAMIC DISTRIBUTION LISTS NOT WORKING AS EXPECTED (0
Today, I encountered an interesting problem which appeared to be strange behaviour in Exchange 2007 at first, but finally ended up being a small configuration mistake. It just was not that easy to troubleshoot (but in the end, it all makes sense). This is what happened : I created a dynamic distribution list, based on company

EXCHANGE 2007/2010 : RENAMING ATTACHMENTS ‘ON THE FLY
It may sound a bit extraordinary, but I needed to have the ability to change attachment filenames while they were being processed by the transport service on Exchange. I can’t really tell you why I needed this functionality, but I guess there could be

iOS BROWSERS & UIWEBVIEW
iOS is very popular (according to StatCounter, it’s the 3rd most popular platform used). Mobile browsers take about 20% to 25% of the market share. iOS offers integration with desktop browsers and cloud (so the same data is available to an attacker).

JUNIPER SCREENOS : REDUNDANT MULTI-EXITPOINT ISP ROUTING
Introduction. As you most likely already know, Juniper ScreenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP). These protocols can be used to build very powerful and redundant networks; however, there are some ScreenOS specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and

STARTING TO WRITE IMMUNITY DEBUGGER PYCOMMANDS : MY
When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While WinDbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in WinDbg

BACKUP & RESTORE WINDOWS SERVER BASED PRINT SERVERS
After having to recover a broken Windows Server based print server yesterday, I decided to write this small article on how to set up print server backups, and describe the simple process of recovering the print server after a crash (or even roll back printer drivers in case a newly installed driver messes up your

CHEATSHEET : CRACKING WPA2 PSK WITH BACKTRACK 4, AIRCRACK
Basic steps : Put interface in monitor mode. Find wireless network (protected with WPA2 and a Pre Shared Key). Capture all packets. Wait until you see a client and deauthenticate the client, so the handshake can be captured. Crack the key using a dictionary file (or via John The Ripper). I’ll use a Dlink

EXPLOIT WRITING TUTORIAL PART 5 : HOW DEBUGGER MODULES
In the first parts of this exploit writing tutorial, I have mainly used WinDbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at

FREE TOOL – EXTRACTING EMAIL ADDRESSES FROM OUTLOOK MAIL
I recently received the request to extract all email addresses from an Outlook pst file, not from the contacts, but from all emails within the Outlook folder structure. I opened the Outlook file (3,5Gb) and found a huge folder structure containing thousands of emails. Furthermore, I needed to get all unique email addresses from the

SCRIPT TO BACKUP CISCO SWITCHES VIA TELNET / TFTP
A couple of days ago, I released a small perl script to back up Cisco IOS based switches via telnet. I know there are a couple of similar scripts available on the internet, but most of them either use the “expect” functionality (which does not work all the time), or use SendKeys (which only works when the application has the ‘focus’, and thus cannot be safely scripted), or are
This should include local users, users that are logged in via RDP, user WINDOWS 2008 PKI / CERTIFICATE AUTHORITY (AD CS) BASICS Keywords : Windows 2008 PKI Certificate Authority certutil certreq template root CA Enterprise CA convert pfx to pem generate custom certificate request subject alternate name san attribute Today’s blog post targets the deployment of a Windows 2008 server based Certificate Authority (AD CS) and will discuss some common scenario’s where certificates are used / required. FREE TOOL – EXTRACTING EMAIL ADDRESSES FROM OUTLOOK MAIL I recently received the request to extract all email addresses from an Outlook pst file, not from the contacts, but from all emails within the Outlook folder structure. I opened the Outlook file (3,5Gb) and found a huge folder structure containing thousands of emails. Furthermore, I needed to get all unique email addresses from the SCRIPT TO BACKUP CISCO SWITCHES VIA TELNET / TFTP A couple of days ago, I have released a small perl script to back up Cisco IOS based switches via telnet. I know there are a couple of similar scripts available on the internet, but most of them either use the “expect” functionality (which does not work all the time), or use SendKeys (which only works when the application has the ‘focus’, and thus cannot be safely scripted.), or are FREE TOOL : FIND OUT WHERE YOUR AD USERS ARE LOGGED ON Hi, I decided to release another free utility I wrote a while ago. This small command-line utility can be used to find out where Active Directory users are logged on into, and/or to find out who is logged on on specific machines. This should include local users, users that are logged in via RDP, user FORUM | CORELAN CYBERSECURITY RESEARCHCORELAN If you would like to participate in an online community, ask questions and/or answer questions, please feel free to join our Slack workspace instead. Please send me a message on Twitter (@corelanconsult) or Facebook (Corelan Consulting) to get a Slack invite. 
WINDOWS 10 X86/WOW64 USERLAND HEAP
Introduction. Hi all, over the course of the past few weeks, I received a number of "emergency" calls from some relatives, asking me to look at their computer because "things were broken", "things looked different" and "I think my computer got hacked". I quickly realized that their computers got upgraded to Windows 10. We

STARTING TO WRITE IMMUNITY DEBUGGER PYCOMMANDS : MY
When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While WinDbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in WinDbg

USING OSPF ON JUNIPER NETSCREEN FIREWALLS
Introduction to OSPF. OSPF is a link-state (dynamic) routing protocol that operates within an autonomous system. OSPF falls within the group of Interior Gateway Protocols. Devices that use OSPF will advertise link state information. The devices generate Link State Advertisements (LSAs) for directly connected links, and will forward LSAs received from other devices to ensure

PERFORMING AD SCHEMA UPDATES IN A SAFE WAY
Updating from 2003 to 2003 R2 and implementing Exchange are 2 common administrative tasks which both require a schema update. Since I've mentioned "updating from 2003 to 2003 R2", I'll take the opportunity to add some "notes from the field" to this blog post, which will increase the success rate of the update and limit the risk of the schema update itself.
ARTICLES | CORELAN CYBERSECURITY RESEARCH
HITB2012AMS Day 1 – Intro and Keynote. Hack In The Box Amsterdam 2012 – Preview. BlackHat EU 2012 – Day 3. BlackHat EU 2012 – Day 2. Corelan T-Shirt Contest – Derbycon 2011. ROP your way into B-Sides Las Vegas 2011. Honeynet Workshop 2011. BlackHat Europe 2011 / Day 02. BlackHat Europe 2011 /

EXPLOIT WRITING TUTORIAL PART 3 : SEH BASED EXPLOITS
A quick look on the stack at how the try & catch blocks are related to each other and placed on the stack: (Note: "Address of exception handler" is just one part of a SEH record – the image above is an abstract representation, merely showing the various components)

EXPLOIT WRITING TUTORIAL PART 1 : STACK BASED OVERFLOWS
Run the perl script to create the m3u file. The file will be filled with 10000 A's (\x41 is the hexadecimal representation of A); open this m3u file with Easy RM to MP3.

EXCHANGE 2007 : INDEXING AND SEARCHING MAILBOXES
The Exchange 2007 search engine has much improved over the index/search engines that were available in Exchange 2000/2003. The new search is less resource-hungry, fast, searches inside attachments, and is enabled out of the box. Enable/Disable search: to enable or disable Exchange search, open the Exchange Management Shell. Run the following command to see if

FIXING EXCHANGE 2007 OFFLINE ADDRESS BOOK GENERATION
Today, I'm going to share some 'notes from the field' about fixing OAB issues in Exchange 2007. In order to fully understand the OAB generation and distribution process, I will assume that you are running the Mailbox server role and HUB/CAS server roles on different servers. Of course, this is not a requirement to run
JUNIPER FIREWALL SCREENOS BASICS (CJFV)
ScreenOS Concepts & Terminology. The following document is based on ScreenOS v5.4.0r7.0. – Interface = connection to a specific subnet. An interface is assigned an IP address only if the firewall is operating in L3 mode. Default interface names can vary on different Netscreen devices. – Zone: logical grouping of subnets and interfaces. All devices

FREE TOOL – FREE POP3 COLLECTOR
Keywords: Free generic POP3 collector for Microsoft Exchange 2000 Exchange 2003 Exchange 2007 Lotus Domino Server download email from POP3 and forward to SMTP server. Over the last 12 years, I have created multiple email addresses hosted with various Internet Providers, or other companies. I'm still using some of those addresses, and my wife

CHEATSHEET : CRACKING WEP WITH BACKTRACK 4 AND AIRCRACK-NG
I know, there are probably already a zillion websites that show how to crack WEP. So I guess this will be website zillion+1, learning how to audit your own WEP security. To be honest, the main reason I'm putting this info on this blog is because I just wanted it as a quick reference-
We EXPLOIT WRITING TUTORIAL PART 6 : BYPASSING STACK COOKIES Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return JUNIPER SCREENOS : REDUNDANT MULTI-EXITPOINT ISP ROUTING Introduction As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP). These protocols can be used to build very powerful and redundant networks, however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and DYNAMIC DISTRIBUTION LISTS NOT WORKING AS EXPECTED (0 Today, I encountered an interesting problem which appeared to be strange behaviour in Exchange 2007 at first, but fianlly ended up being a small configuration mistake. It just was not that easy to troubleshoot(but in the end, it all makes sense) This is what happened : I created a dynamic distribution list, based on company PERFORMING AD SCHEMA UPDATES IN A SAFE WAY Updating from 2003 to 2003 R2 & implementing Exchange are 2 common administrative tasks which both require a schema update. Since I’ve mentioned "updating from 2003 to 2003 R2", I’ll take the opportunity to add some "notes from the field" to this blog post, which will increase success rate of the update and limit the risk of the schemaupdate itself.
FIXING EXCHANGE 2007 OFFLINE ADDRESS BOOK GENERATIONSEE MORE ONCORELAN.BE
FORUM | CORELAN CYBERSECURITY RESEARCHCORELAN If you would like to participate in an online community, ask questions and/or answer questions, please feel free to join our Slack workspace instead. Please send me a message on Twitter (@corelanconsult) or Facebook (Corelan Consulting) to get a Slack invite. EXPLOIT WRITING TUTORIAL PART 6 : BYPASSING STACK COOKIES Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return WINDOWS 10 X86/WOW64 USERLAND HEAP Introduction Hi all, Over the course of the past few weeks ago, I received a number of "emergency" calls from some relatives, asking me to look at their computer because "things were broken", "things looked different" and "I think my computer got hacked". I quickly realized that their computers got upgraded to Windows 10. We EXPLOIT WRITING TUTORIAL PART 3 : SEH BASED EXPLOITS A quick look on the stack on how the try & catch blocks are related to each other and placed on the stack : (Note : "Address of exception handler" is just one part of a SEH record – the image above is an abstract representation, merely showing the various components) JUNIPER SCREENOS : REDUNDANT MULTI-EXITPOINT ISP ROUTING Introduction As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP). 
These protocols can be used to build very powerful and redundant networks, however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and CHEATSHEET : CRACKING WPA2 PSK WITH BACKTRACK 4, AIRCRACK Basic steps : Put interface in monitor mode Find wireless network (protected with WPA2 and a Pre Shared Key) Capture all packets Wait until you see a client and deauthenticate the client, so the handshake can be captured Crack the key using a dictionary file (or via John The Ripper) I’ll use a Dlink STARTING TO WRITE IMMUNITY DEBUGGER PYCOMMANDS : MY When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg WINDOWS 2008 PKI / CERTIFICATE AUTHORITY (AD CS) BASICS Keywords : Windows 2008 PKI Certificate Authority certutil certreq template root CA Enterprise CA convert pfx to pem generate custom certificate request subject alternate name san attribute Today’s blog post targets the deployment of a Windows 2008 server based Certificate Authority (AD CS) and will discuss some common scenario’s where certificates are used / required. 
BACKUP & RESTORE WINDOWS SERVER BASED PRINT SERVERS After having to recover a broken Windows Server based print server yesterday, I decided to write this small article on how to set up print server backups, and describe the simple process of recovering the print server after a crash (or even roll back printer drivers in case a newly installed driver messes up your EXPLOIT WRITING TUTORIAL PART 2 : STACK BASED OVERFLOWS eax=00000001 ebx=00104a58 ecx=7c91005d edx=00000040 esi=77c5fce0 edi=000067fa eip=42424242 esp=000ff730 ebp=00344200 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 Missing image name, possible paged-out or corrupt data.Missing image name, possible paged-out or corrupt data.. Missing image name, possible paged ARTICLES | CORELAN CYBERSECURITY RESEARCHCORELAN HITB2012AMS Day 1 – Intro and Keynote. Hack In The Box Amsterdam 2012 – Preview. BlackHat EU 2012 – Day 3. BlackHat EU 2012 – Day 2. Corelan T-Shirt Contest – Derbycon 2011. ROP your way into B-Sides Las Vegas 2011. Honeynet Workshop 2011. BlackHat Europe 2011 / Day 02. BlackHat Europe 2011 / EXPLOIT WRITING TUTORIAL PART 11 : HEAP SPRAYING A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions. Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail. Of course, you can probably derive how it works by looking at those public exploits. With this tutorial FREE TOOL : FIND OUT WHERE YOUR AD USERS ARE LOGGED ON Hi, I decided to release another free utility I wrote a while ago. This small command-line utility can be used to find out where Active Directory users are logged on into, and/or to find out who is logged on on specific machines. 
This should include local users, users that are logged in via RDP, user USING OSPF ON JUNIPER NETSCREEN FIREWALLS Introduction to OSPF OSPF is a link-state (dynamic) routing protocol that operates within an autonomous system. OSPF falls within the group of Interior Gateway Protocols. Devices that use OSPF will advertise link state information. The devices generate Link State Advertisements (LSA’s) for directly connected links, and will forward LSAs received from other devices to ensure WINDOWS 10 X86/WOW64 USERLAND HEAP Introduction Hi all, Over the course of the past few weeks ago, I received a number of "emergency" calls from some relatives, asking me to look at their computer because "things were broken", "things looked different" and "I think my computer got hacked". I quickly realized that their computers got upgraded to Windows 10. We EXPLOIT WRITING TUTORIAL PART 6 : BYPASSING STACK COOKIES Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return JUNIPER SCREENOS : REDUNDANT MULTI-EXITPOINT ISP ROUTING Introduction As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP). These protocols can be used to build very powerful and redundant networks, however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and DYNAMIC DISTRIBUTION LISTS NOT WORKING AS EXPECTED (0 Today, I encountered an interesting problem which appeared to be strange behaviour in Exchange 2007 at first, but fianlly ended up being a small configuration mistake. 
It just was not that easy to troubleshoot(but in the end, it all makes sense) This is what happened : I created a dynamic distribution list, based on company PERFORMING AD SCHEMA UPDATES IN A SAFE WAY Updating from 2003 to 2003 R2 & implementing Exchange are 2 common administrative tasks which both require a schema update. Since I’ve mentioned "updating from 2003 to 2003 R2", I’ll take the opportunity to add some "notes from the field" to this blog post, which will increase success rate of the update and limit the risk of the schemaupdate itself.
FIXING EXCHANGE 2007 OFFLINE ADDRESS BOOK GENERATIONSEE MORE ONCORELAN.BE
ARTICLES | CORELAN CYBERSECURITY RESEARCHCORELAN HITB2012AMS Day 1 – Intro and Keynote. Hack In The Box Amsterdam 2012 – Preview. BlackHat EU 2012 – Day 3. BlackHat EU 2012 – Day 2. Corelan T-Shirt Contest – Derbycon 2011. ROP your way into B-Sides Las Vegas 2011. Honeynet Workshop 2011. BlackHat Europe 2011 / Day 02. BlackHat Europe 2011 / EXPLOIT WRITING TUTORIAL PART 11 : HEAP SPRAYING A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions. Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail. Of course, you can probably derive how it works by looking at those public exploits. With this tutorial FREE TOOL : FIND OUT WHERE YOUR AD USERS ARE LOGGED ON Hi, I decided to release another free utility I wrote a while ago. This small command-line utility can be used to find out where Active Directory users are logged on into, and/or to find out who is logged on on specific machines. This should include local users, users that are logged in via RDP, user USING OSPF ON JUNIPER NETSCREEN FIREWALLS Introduction to OSPF OSPF is a link-state (dynamic) routing protocol that operates within an autonomous system. OSPF falls within the group of Interior Gateway Protocols. Devices that use OSPF will advertise link state information. The devices generate Link State Advertisements (LSA’s) for directly connected links, and will forward LSAs received from other devices to ensure WINDOWS 10 X86/WOW64 USERLAND HEAP Introduction Hi all, Over the course of the past few weeks ago, I received a number of "emergency" calls from some relatives, asking me to look at their computer because "things were broken", "things looked different" and "I think my computer got hacked". I quickly realized that their computers got upgraded to Windows 10. 
We EXPLOIT WRITING TUTORIAL PART 6 : BYPASSING STACK COOKIES Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return JUNIPER SCREENOS : REDUNDANT MULTI-EXITPOINT ISP ROUTING Introduction As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP). These protocols can be used to build very powerful and redundant networks, however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and DYNAMIC DISTRIBUTION LISTS NOT WORKING AS EXPECTED (0 Today, I encountered an interesting problem which appeared to be strange behaviour in Exchange 2007 at first, but fianlly ended up being a small configuration mistake. It just was not that easy to troubleshoot(but in the end, it all makes sense) This is what happened : I created a dynamic distribution list, based on company PERFORMING AD SCHEMA UPDATES IN A SAFE WAY Updating from 2003 to 2003 R2 & implementing Exchange are 2 common administrative tasks which both require a schema update. Since I’ve mentioned "updating from 2003 to 2003 R2", I’ll take the opportunity to add some "notes from the field" to this blog post, which will increase success rate of the update and limit the risk of the schemaupdate itself.
FIXING EXCHANGE 2007 OFFLINE ADDRESS BOOK GENERATIONSEE MORE ONCORELAN.BE
FORUM | CORELAN CYBERSECURITY RESEARCHCORELAN If you would like to participate in an online community, ask questions and/or answer questions, please feel free to join our Slack workspace instead. Please send me a message on Twitter (@corelanconsult) or Facebook (Corelan Consulting) to get a Slack invite. EXPLOIT WRITING TUTORIAL PART 6 : BYPASSING STACK COOKIES Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return WINDOWS 10 X86/WOW64 USERLAND HEAP Introduction Hi all, Over the course of the past few weeks ago, I received a number of "emergency" calls from some relatives, asking me to look at their computer because "things were broken", "things looked different" and "I think my computer got hacked". I quickly realized that their computers got upgraded to Windows 10. We EXPLOIT WRITING TUTORIAL PART 3 : SEH BASED EXPLOITS A quick look on the stack on how the try & catch blocks are related to each other and placed on the stack : (Note : "Address of exception handler" is just one part of a SEH record – the image above is an abstract representation, merely showing the various components) JUNIPER SCREENOS : REDUNDANT MULTI-EXITPOINT ISP ROUTING Introduction As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP). 
These protocols can be used to build very powerful and redundant networks, however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and CHEATSHEET : CRACKING WPA2 PSK WITH BACKTRACK 4, AIRCRACK Basic steps : Put interface in monitor mode Find wireless network (protected with WPA2 and a Pre Shared Key) Capture all packets Wait until you see a client and deauthenticate the client, so the handshake can be captured Crack the key using a dictionary file (or via John The Ripper) I’ll use a Dlink STARTING TO WRITE IMMUNITY DEBUGGER PYCOMMANDS : MY When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg WINDOWS 2008 PKI / CERTIFICATE AUTHORITY (AD CS) BASICS Keywords : Windows 2008 PKI Certificate Authority certutil certreq template root CA Enterprise CA convert pfx to pem generate custom certificate request subject alternate name san attribute Today’s blog post targets the deployment of a Windows 2008 server based Certificate Authority (AD CS) and will discuss some common scenario’s where certificates are used / required. 
BACKUP & RESTORE WINDOWS SERVER BASED PRINT SERVERS After having to recover a broken Windows Server based print server yesterday, I decided to write this small article on how to set up print server backups, and describe the simple process of recovering the print server after a crash (or even roll back printer drivers in case a newly installed driver messes up your EXPLOIT WRITING TUTORIAL PART 2 : STACK BASED OVERFLOWS eax=00000001 ebx=00104a58 ecx=7c91005d edx=00000040 esi=77c5fce0 edi=000067fa eip=42424242 esp=000ff730 ebp=00344200 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 Missing image name, possible paged-out or corrupt data.Missing image name, possible paged-out or corrupt data.. Missing image name, possible paged CORELAN CYBERSECURITY RESEARCH :: KNOWLEDGE IS NOT AN OBJECT, IT'S A FLOW ::* Home
WINDOWS 10 EGGHUNTER (WOW64) AND MORE
Published April 23, 2019 | By Peter Van Eeckhoutte (corelanc0d3r)
Introduction: Ok, I have a confession to make: I have always been somewhat intrigued by egghunters. That doesn’t mean that I like to use (or abuse) an egghunter just because I fancy what it does. In fact, I believe it’s good practice to try to avoid egghunters if you can, as they tend to
Posted in Exploit Writing Tutorials, Exploits | Tagged asm, assembly, corelan-tutorial, egg, egghunter, exception handling, getpc, httpslnkd-indhauzer, nasm, ntaccesscheckandauditalarm, pentester, seh, shellcode, structured exception handler, syscall, tools-mail, w00t, w00tw00t, windows 10, wow64
WINDOWS 10 X86/WOW64 USERLAND HEAP
Published July 5, 2016 | By Peter Van Eeckhoutte (corelanc0d3r)
Introduction: Hi all, over the course of the past few weeks, I received a number of “emergency” calls from some relatives, asking me to look at their computer because “things were broken”, “things looked different” and “I think my computer got hacked”. I quickly realized that their computers got upgraded to Windows 10. We
Posted in Exploit Writing Tutorials, Windows Internals | Tagged back-end allocator, bea, block, breakpoint, C#, chunk, fea, front-end allocator, heap, heap management, heap spray, lfh, low fragmentation heap, rtlallocateheap, rtlfreeheap, spray, userland, visual studio, windbg, windows 10, wow64, x86
ENCFSGUI – GUI WRAPPER AROUND ENCFS FOR OSX
Published January 31, 2016 | By Peter Van Eeckhoutte (corelanc0d3r)
Introduction: 3 weeks ago, I posted a rant about my frustration/concern related to crypto tools, more specifically the lack of tools to implement crypto-based protection for files on OSX in a point-&-click, user-friendly way. I listed my personal functional and technical criteria for such tools and came to the conclusion that the industry seems to
Posted in 001_Security, Crypto, My Free Tools, Scripts | Tagged boxcryptor classic, C#, corelan, cplusplus, crypto, el capitan, encfs, encfs6.xml, encfsctl, encfsgui, encryption, file encryption, folder encryption, github, gui, keychain, mount, osx, osxfuse, umount, volume, wrapper, wxWidgets, yosemite
CRYPTO IN THE BOX, STONE AGE EDITION
Published January 6, 2016 | By Peter Van Eeckhoutte (corelanc0d3r)
Introduction: First of all, Happy New Year to everyone! I hope 2016 will be a fantastic and healthy year, filled with fun, joy, energy, and lots of pleasant surprises. I remember when all of my data would fit on a single floppy disk. 10 times. The first laptops looked like (and felt like) mainframes on
Posted in 001_Security, Crypto | Tagged boxcryptor, container, cryptio-in-box-com, crypto, crypto-in-box-com, cusersadministratordesktopoutlook-test-txt, difference-between-open-whisper-signal-and-encfs, encryption, forum, innovation, pastebin-email-list, signal, stone-age-cipher, truecrypt, UI, url-addressmailbox, usability, veracrypt, whisper systems
HOW TO BECOME A PENTESTER
Published October 13, 2015 | By Peter Van Eeckhoutte (corelanc0d3r)
Intro: I receive a lot of emails. (Please don’t make it worse, thanks!) Unfortunately I don’t have as much spare time as I used to, or would like to, so I often have no other choice than to redirect questions to our forums or our IRC channel (#corelan on freenode), hoping that other members
Posted in 001_Security, Penetration testing, Web Application Security | Tagged asking questions, carreer, efforts, ethical hacker, free-list-of-email-addresses, goal, how to become, how-do-i-become-a-pentester, httpswww-corelan-beindex-php20151013how-to-become-a-pentester, httpswww-corelan-beindex-php20151013how-to-become-a-pentesterutm_contentbufferc2731, industry, infosec, internship, junior, penetration tester, pentester, security assessment, security audit, vulnerability assessment, where to start
ANALYZING HEAP OBJECTS WITH MONA.PY
Published August 16, 2014 | By Peter Van Eeckhoutte (corelanc0d3r)
Introduction: Hi all, while preparing for my Advanced exploit dev course at Derbycon, I’ve been playing with heap allocation primitives in IE. One of the things that causes some frustration (or, at least, tends to slow me down during the research) is the ability to quickly identify objects that may be useful. After all, I’m
Posted in Exploit Writing Tutorials, Exploits, mona | Tagged 15-20211, 178-79-152-9, anything, bit-ly, breakpoint, dumplog, dumpobj, facebook-extract-email-addresses-software, gem-install-linkedin-scraper, log, mona-py-exploit-2014, mona-py-only-win32, mona.py, pykd-find-pointers, rtlallocateheap, rtlfreeheap, suricara-git-ids-ips, ttpwww-wintrusts-com, windbg, windbg-dump-heap-objects
CSO : COMMON SENSE OPERATOR/OPERATIONS
Published June 3, 2014 | By Peter Van Eeckhoutte (corelanc0d3r)
As the CSO/CISO/person responsible for Information Security, your job is to… well … do you even know? Does upper management know? “Our crappy CSO …” and “Our stupid CSO …” are statements commonly used by various (techie) people, throwing their hands up in despair, attempting to prove that their CSO doesn’t understand technology and has
Posted in CSO | Tagged 178-79-152-9, attitude, bcp, business continiuty, ciso, coleran-team, common sense, corelan, cso, defense, disaster recovery, drp, emet, experience, mona-download, positive, priorities, protection, sla, user awareness
HITB2014AMS – DAY 2 – ON HER MAJESTY’S SECRET SERVICE: GRX & A SPY AGENCY
Published May 30, 2014 | By Peter Van Eeckhoutte (corelanc0d3r)
Last year, Belgacom got hacked by an intelligence service (GCHQ?), Rob says. “What is so interesting about this hack, why did they hack into Belgacom, what would or could be the purpose of a similar hack?” Before answering those questions, we need to take a quick look at how mobile networks work and how mobile
Posted in Cons and Seminars | Tagged amazon, Belgacom, BICS, corelan-be-grx, GCHQ, gprs, GPRS roaming exchange, grx-and-spy-agency, GTP, hitb2014ams, httpswww-corelan-beindex-php20140530hitb2014ams-day-2-on-her-majestys-secret-service-grx-a-spy-agency, KPN, mobile-grx-network-hack, openggsn-hack, rob kuiters, SCTP, stephen kho, szpy-kpnm
HITB2014AMS – DAY 2 – EXPLORING AND EXPLOITING IOS WEB BROWSERS
Published May 30, 2014 | By Peter Van Eeckhoutte (corelanc0d3r)
iOS Browsers & UIWebView: iOS is very popular (according to StatCounter, it’s the 3rd most popular platform used). Mobile browsers take about 20% to 25% of the market share. iOS offers integration with desktop browsers and cloud (so the same data is available to an attacker). Many 3rd party iOS browsers have similar weaknesses which
Posted in Cons and Seminars | Tagged ABS, Address Bar Spoofing, apple, chrome, exploit, f-secure-browser-ios, hitb2014ams, ios, iosweb, javascript, Mercury, mobile safari, post-a-commentiphone-app-allow-html-tag, same-origin policy, sop, UXSS, web browser, webkit, Yandex
HITB2014AMS – DAY 2 – KEYNOTE 4: HACK IT FORWARD
Published May 30, 2014 | By Peter Van Eeckhoutte (corelanc0d3r)
Good morning Amsterdam, good morning readers, welcome to the second day of the Hack In The Box conference. The speaker for the first keynote didn’t show up, so we’ll jump right into the next keynote. Jennifer starts her keynote by explaining that she’s fortunate to be able to travel to a lot of conferences and
Posted in Cons and Seminars | Tagged amazon, corelan, corelan team, corelan-be, corelean, corelean-team, depalsr, download-mona, easy-rm-exploit-tutorial, exploit-writing-in-c, hitb2014ams, httpswww-corelan-be, IOActive, Jennifer Steffens, jennifer-steffens-ioactive, keynote, mona-download, motivation, nlp-secrets-index-ofebooks, win10-ldrpchecknxcompatibility
Page 1 of 24
Copyright Peter Van Eeckhoutte © 2007 - 2021 | All Rights Reserved | Terms of use
7ads6x98y
HI THERE!
Do you like our free content? Enjoying the materials we put together? Are you interested in learning how to write exploits for Windows, but perhaps looking for updated materials? Are you struggling to fully grasp the concepts based on what you find online? Would you perhaps prefer to learn in a classroom settinginstead?
_WE HAVE GOOD NEWS FOR YOU!_ Did you know that we travel to strategic places around the world, to teach our world-renowned exploit development classes. In order to preserve and ensure a top-quality learning experience, all of our classes are delivered in-person. (Corona-proof, of course!) We currently offer 2 classes:Our “__Bootcamp
”
classes covers the basics of exploit development for Windows 10.The “__Advanced
”
class covers heap exploitation for Windows 7 & Windows 10. Both classes contain a short introduction on x64 exploitation! You can find our schedules here: __https://www.corelan-training.com/index.php/training-schedules.
> _>>> OUR CLASSES TEND TO SELL OUT FAST, SO SIGN UP TODAY AND SECURE > YOUR SEAT IN ONE OF OUR CLASSES !! <<<_ And if you’re not sure – __feel free to check what our students have to say about our classes.
Enjoy!
X
We are using cookies to give you the best experience on our website. You can find out more about which cookies we are using or switch themoff in settings.
Accept Change cookie settings Close GDPR Cookie Settings* Privacy Overview
* Strictly Necessary Cookies* Cookie Policy
Privacy Overview

a. Corelan respects your privacy. Most information accessible on or via the Corelan Website is available without the need to provide personal information. In certain cases you may however be requested to submit personal information. In such case your personal information shall be treated in accordance with the General Data Protection Regulation and any amendments hereof.

b. All personal information made available by you will be treated solely for the purpose of making available to you the requested information or services. Your personal information will not be shared with third parties, but it may be used for authentication, support & marketing purposes in relation with services provided by Corelan.

c. We will only keep your personal information for as long as is required to provide you with the requested information or services, or for any longer period as may legally be required.

d. It is our goal to reasonably protect the personal information made available by you from third parties.

e. You have the right to consult, correct, adjust or have removed your personal details by written request to Corelan. If you decide to get your information removed, you understand and accept that you will lose all access to any resources that require the use of these personal details, such as parts of the website that require authentication.

f. When using the Corelan Website, cookies may possibly be used. You do not have to accept cookies to be able to use the publicly accessible parts of Corelan Websites. If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. When you log in, we will also set up several cookies to save your login information and your screen display choices. Cookies may be used to display advertisements or to collect statistics about the use of the Corelan website.

g. This privacy policy may be amended by Corelan at any time.

Strictly Necessary Cookies

Strictly necessary cookies should be enabled at all times so that we can save your preferences for cookie settings. If you disable this cookie, we will not be able to save your preferences, and you will need to enable or disable cookies again on every visit to this website.

Cookie Policy

We may use third party cookies to show ads and to collect anonymous information such as the number of visitors to the site, and the most popular pages. The ability to show ads is an important source of income to cover the hosting fees to keep this website alive. If you prevent ads from being displayed, this website will eventually disappear.