CISCO AND THE MAINTENANCE OPERATION PROTOCOL (MOP)
Howdy, this is a short write-up about the Maintenance Operation Protocol (MOP), an ancient remote management protocol from the DECnet protocol suite. It's old, rarely used and in most cases not needed at all. But as we stumbled across this protocol in some network assessments, it seems like a lot of network admins and other users don't know about it. Even various hardening guides we've seen

HOW TO TEST KERBEROS AUTHENTICATED WEB
First of all: This is not an in-depth Kerberos how-to, nor is this tutorial about the different aspects of web application testing. This tutorial is just to give support in testing Kerberos authenticated web applications. The goal is to hand over the right tools and steps to be able to perform the configuration and be able to test the application. When to use it? When there is a 401 se

ONE STEP CLOSER
Good Afternoon, It is a pleasant surprise for many (us included) that Microsoft implemented support for the RDNSS (RFC 8106) option in Router Advertisements beginning with the Windows 10 Creators Update. Interestingly, I wasn't able to find any official documents from Microsoft stating this. As we are involved in a lot of IPv6 related projects for our customers, the lack of RDNSS support fo

JENKINS REMOTING RCE II
Jenkins Remoting RCE II – The return of the ysoserial. Jenkins is a continuous integration server, widely used in Java environments for building automation and deployment. The project recently disclosed an unauthenticated remote code execution vulnerability discovered by Moritz Bechler. Depending on the development environment, a Jenkins

NEW RELEASE OF GLIBC HEAP ANALYSIS PLUGINS
After quite some time and work, I'm happy to announce the new release of the Linux Heap Analysis Plugins, which are now part of the Rekall project, but not yet part of an official Rekall release, so you have to grab them manually. Support for Glibc version 2.26 (tcache chunks) and 2.27.

DOING IT SERVER-SIDE WITH CYPHERDOG 4.0
Indeed, when Bloodhound 3 came out, I quickly updated CypherDog 2 to CypherDog 3 to be compatible with it. But Bloodhound 3 is compatible with neo4j 3 and 4; however, the neo4j REST API has been deprecated in neo4j 4 and CypherDog 3 relied on it. Long story short, CypherDog 4.0 is a full rewrite compatible with the new neo4j 4 HTTP API, and

DOGWHISPERER'S SHARPHOUND CHEAT SHEET
BloodHound data collection, aka Sharphound, is quite a complex beast. When giving BloodHound workshops, the part where I get the most questions is always data collection. How is the BloodHound data collected? What methods do what? Who am I talking to? How do I fly under the radar? These are all very relevant questions when you think about it. After all, the rest is just a gorgeous UI sit

HOW CAN DATA FROM FITNESS TRACKERS BE OBTAINED AND
The use of Internet of Things devices is continuously increasing: People buy devices, such as smart assistants, to make their lives more comfortable or fitness trackers to assess sports activities. According to the Pew Research Center, every fifth American wears a device to track their fitness. In Germany, the number increases likewise. The increasing number of fitness trackers in use can

WINDOWS INSIGHT: THE WINDOWS TELEMETRY ETW MONITOR
The TIV framework is a set of Python scripts that visualize information and statistics based on the data produced by the Windbg Framework. The output of the TIV framework is a report in the form of a web page. The Windows Telemetry ETW Monitor has been tested on Windows 10, version 1909.

IPV6 PROPERTIES OF WINDOWS SERVER 2019 / WINDOWS 10 (1809)
In this post I'll cover some properties of the Windows Server 2019 IPv6 stack. It is an update of a similar post I wrote on the IPv6 properties of Server 2016 a while ago. For this reason I will mostly look at the same properties I did at the time (read: at times without providing too

HOW FUZZERS DECIDE IF A CRASH IS UNIQUE
This blogpost sheds some light on how fuzzers handle crash deduplication and what a unique crash is for a fuzzer. For this, we take a look at two contrived examples and compare the unique crashes identified by AFL++ and honggfuzz. Both examples are similar. They read from STDIN, check if the first character of the read data is a digit, then call a vulnerable function. The main differenc

A BRIEF HISTORY OF THE IPV4 ADDRESS SPACE
This is meant to be the first part of a 3-part series discussing the space & types of IP addresses, with a particular focus on what has changed between IPv4 and IPv6. In this first post I'll take the audience through a historical tour of some developments within the IPv4 address space.

JAN RUGE – INSINUATOR.NET
The initial flaw used for this exploit is still present in Android 10, but we utilize an additional bug in Bionic (Android's libc implementation), which makes exploitation way easier. The bug was finally fixed in the security patch from 1.2.2020 in A-143894715. Here is a demo of the full proof of concept:

SECURITY ASSESSMENT OF MICROSOFT DIRECTACCESS
A talk about DirectAccess (an IPv6-only VPN solution) was given by our colleague Ali Hardudi during the IPv6 summit. Ali has recently finished his master thesis on this topic. The DirectAccess VPN technology was introduced by Microsoft starting from Windows Server 2008. It allows users to remotely, seamlessly and securely connect to their internal network resources without a need to

IPV6 PROPERTIES OF WINDOWS SERVER 2016 / WINDOWS 10
In this post we'll take a detailed look at the properties of the Windows Server 2016 IPv6 stack. Server 2016 is the latest OS released by Microsoft, so this might give an indication as to their plans & strategy when it comes to supporting certain specifications.

BLUEFRAG – INSINUATOR.NET
Nowadays, Bluetooth is an integral part of mobile devices. Smartphones interconnect with smartwatches and wireless headphones. By default, most devices are configured to accept Bluetooth connections from any

POSH_ATTCK – ATT&CK KNOWLEDGE AT YOUR POWERSHELL
When I recently joined the Windows Security team at ERNW, Enno asked me if I wanted to write a 'welcome' blogpost on a topic of my choosing. Up for the challenge, and since I had been playing with BloodHound & Cypher for the last couple of months, I first thought I would do something on that topic. However, after gathering my thoughts and some Cypher I had collected here and there, I

INSINUATOR.NET
This is a pretty rare edge case as llvmpipe has no widespread use. An estimate by Google is that approx. 0.06% of the Chromium users are affected by this. However, as this is a simple but valid Chromium bug, we want to give you a quick walkthrough. The issue is tracked as CVE-2021-21153 and was fixed in February 2020.

SS7MAPER – A SS7 PEN TESTING TOOLKIT – INSINUATOR.NET
While running some SS7 pentests last year, I developed a small tool automating some of the well-known SS7 attack cases. Today I'm releasing the first version of ss7MAPer, an SS7 MAP (pen-)testing toolkit. The toolkit is built upon the Osmocom SS7 stack and implements some basic MAP messages. At its current state tests against the HLR are ready for use; in future versions tests against VLR,

EXTRACT NON-EXPORTABLE CERTIFICATES AND EVADE ANTI-VIRUS
Some time ago, one of our customers contacted us with a special request. For some legitimate reason, they needed to centrally collect certain certificates including their private keys which were distributed across many client systems running Windows and stored in the corresponding user stores. Unfortunately (only in this case, but actually good from a security perspective), the particular

VMWARE NSX-T MITM VULNERABILITY (CVE-2020-3993)
NSX-T is a Software-Defined Networking (SDN) solution of VMware which, as its basic functionality, supports spanning logical networks across VMs on distributed ESXi and KVM hypervisors. The central controller of the SDN is the NSX-T Manager Cluster which is responsible for deploying the network

GTP – INSINUATOR.NET
GTP_SCAN released. gtp_scan is a small Python script that scans for GTP (GPRS tunneling protocol) speaking hosts. To discover those hosts it uses the GTP built-in PING mechanism: it sends a GTP packet of the type ECHO_REQUEST and listens for an incoming GTP ECHO_REPLY. It's capable of generating ECHO_REQUESTs for GTP version 1 and GTP version 2.

ANALYSIS OF HYPERVISOR BREAKOUTS
In the course of a current virtualization research project, I was reviewing a lot of documentation on hypervisor security. While "hypervisor security" is a very wide field, hypervisor breakouts are usually one of the most (intensely) discussed topics. I don't want to go down the road of rating the risk of

REVERSE ENGINEERING WITH RADARE2
Welcome back to the radare2 reversing tutorials. If you've missed the previous parts, you can find them here and here. Last time we've used the rabin2 application to view the strings found inside the challenge01 binary to find password candidates. Based on the results we looked into the assembly to find the correct password. In this post, we'll go through the next challenge and try out som
INSINUATOR.NET
This is a pretty rare edge case as llvmpipe has no widespread use. An estimate by Google is that approx 0.06% of the Chromium users are affected by this. However, as this is a simple but valid Chromium bug, we want to give you a quick walkthrough. The issue is tracked as CVE-2021-21153 and was fixed in February 2020. DOGWHISPERER’S SHARPHOUND CHEAT SHEET BloodHound data collection, aka Sharphound, is quite a complex beast. When giving BloodHound workshops, the part where I get the most questions is always data collection. How is the BloodHound data collected? What methods do what? Who am I talking to? How do I fly under the radar? These are all very relevant questions when you think about it. After all, the rest is just a gorgeous UI sit HOW CAN DATA FROM FITNESS TRACKERS BE OBTAINED AND The use of Internet of Things devices is continuously increasing: People buy devices, such as smart assistants, to make their lives more comfortable or fitness trackers to assess sports activities. According to the Pew Research Center , every fifth American wears a device to track their fitness. In Germany, the number increases likewise. The increasing number of fitness trackers in use can HOW FUZZERS DECIDE IF A CRASH IS UNIQUE This blogpost sheds some light on how fuzzers handle crash deduplication and what a unique crash is for a fuzzer. For this, we take a look at two contrived examples and compare the unique crashes identified by AFL++ and honggfuzz. Both examples are similar. They read from STDIN, check if the first character of the read data is a digit, then call a vulnerable function. The main differenc VMWARE NSX-T MITM VULNERABILITY (CVE-2020-3993SEE MORE ONINSINUATOR.NET
DOING IT SERVER-SIDE WITH CYPHERDOG 4.0
Indeed, when BloodHound 3 came out, I quickly updated CypherDog 2 to CypherDog 3 to be compatible with it. But BloodHound 3 is compatible with neo4j 3 and 4; however, the neo4j REST API has been deprecated in neo4j 4 and CypherDog 3 relied on it. Long story short, CypherDog 4.0 is a full rewrite compatible with the new neo4j 4 HTTP API, and …

ONE STEP CLOSER
Good afternoon, it is a pleasant surprise for many (us included) that Microsoft implemented support for the RDNSS (RFC 8106) option in Router Advertisements beginning with the Windows 10 Creators Update. Interestingly, I wasn't able to find any official documents from Microsoft stating this. As we are involved in a lot of IPv6 related projects for our customers, the lack of RDNSS support fo…

NEW RELEASE OF GLIBC HEAP ANALYSIS PLUGINS
New Release of Glibc Heap Analysis Plugins. After quite some time and work, I'm happy to announce the new release of the Linux Heap Analysis Plugins, which are now part of the Rekall project, but not yet part of an official Rekall release, so you have to grab them manually. Support for Glibc version 2.26 (tcache chunks) and 2.27.

CISCO: MAGIC WEBEX URL ALLOWS ARBITRARY REMOTE COMMAND EXECUTION
Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution – Project Zero. Tavis did it again. As stated in the title, it is possible to remotely execute commands via the Chrome extension for the popular meeting software Cisco WebEx. This post summarizes the most relevant information for you. A test page with working demo code is …

VMWARE NSX-T MITM VULNERABILITY (CVE-2020-3993)
VMware NSX-T MITM Vulnerability (CVE-2020-3993). NSX-T is a Software-Defined Networking (SDN) solution of VMware which, as its basic functionality, supports spanning logical networks across VMs on distributed ESXi and KVM hypervisors. The central controller of the SDN is the NSX-T Manager Cluster, which is responsible for deploying the network …
Good Afternoon, It is a pleasant surprise for many (us included) that Microsoft implemented support for the RDNSS (RFC 8106) option in Router Advertisements beginning with the Windows 10 Creators Update. Interestingly, I wasn't able to find any official documents from Microsoft stating this. As we are involved in a lot of IPv6 related projects for our customers, the lack of RDNSS support fo SECURITY ASSESSMENT OF MICROSOFT DIRECTACCESS A talk about DirectAccess (an IPv6-only VPN solution) was given by our colleague Ali Hardudi during IPv6 summit. Ali has recently finished his master thesis on this topic. The DirectAccess VPN technology was introduced by Microsoft starting from Windows server 2008. It allows users remotely, seamlessly and securely connect to their internal network resources without a need to LOKI FOR WINDOWS RELEASED Today is a great day, its the day, Loki finally runs on all big operating systems. Im proud to announce the first Loki release for Windows! There are a few things not working (yet / at all) under Windows. Those are: The WLCCP Module - ive not yet managed to build and link against asleap on windows TCP-MD5 Auth for BGP - This will never work, as Windows has no POSH_ATTCK – ATT&CK KNOWLEDGE AT YOUR POWERSHELL When I recently joined the Windows Security team at ERNW, Enno asked me if I wanted to write a 'welcome' blogpost on a topic of my choosing Up for the challenge, and since I had been playing with BloodHound & Cypher for the last couple of months, I first thought I would do something on that topic. However, after gathering my thoughts and some Cypher I had collected here and there, I DOING IT SERVER-SIDE WITH CYPHERDOG 4.0 Indeed, when Bloodhound 3 came out, I quickly updated CypherDog 2 to CypherDog 3 to be compatible with it. But Bloodhound 3 is compatible with neo4j 3 and 4, however the neo4j REST API has been deprecated in neo4j 4 and CypherDog 3 relied on it. 
Introduction. In this post, I will introduce fpicker. Fpicker is a Frida-based coverage-guided, mostly in-process, blackbox fuzzing suite. Its most significant feature is the AFL++ proxy mode which enables blackbox in-process fuzzing with AFL++ on platforms supported by Frida.
BLUEFRAG Nowadays, Bluetooth is an integral part of mobile devices. Smartphones interconnect with smartwatches and wireless headphones. By default, most devices are configured to accept Bluetooth connections from any
IPV6 PROPERTIES OF WINDOWS SERVER 2016 In this post we'll take a detailed look at the properties of the Windows Server 2016 IPv6 stack. I perform(ed) this exercise for several reasons: Server 2016 is the latest OS released by Microsoft so this might give an indication as for their plans & strategy when it comes to supporting certain specifications. (here you may keep in mind that the ~50 IETF meetings having passed s
NEW RELEASE OF GLIBC HEAP ANALYSIS PLUGINS After quite some time and work, I'm happy to announce the new release of the Linux Heap Analysis Plugins, which are now part of the Rekall project, but not yet part of an official Rekall release, so you have to grab them manually. This release fixes several bugs and adds the following features: Support for Glibc version 2.26 (tcache chunks) and 2.27 Heapsearch now includes Rekall's
EVASION OF CISCO ACLS BY (AB)USING IPV6 When we wrote our initial blogpost regarding the evasion of Cisco ACLs by (Ab)Using IPv6, where we described (known to Cisco) cases of Access Control Lists (ACL) circumvention, we also suggested some mitigation techniques including the blocking of some (if not all) IPv6 Extension Headers. Almost a month later, we got a comment from Matej Gregr that, even if the ACLs of certain Cisco
WINDOWS INSIGHT: THE WINDOWS TELEMETRY ETW MONITOR The Windows Insight repository now hosts the Windows Telemetry ETW Monitor framework. The framework monitors and reports on Windows Telemetry ETW (Event Tracing for Windows) activities - ETW activities for providing data to Windows Telemetry. It consists of two components: the Windbg Framework: a set of scripts for monitoring Windows Telemetry ETW
IPV6 PROPERTIES OF WINDOWS SERVER 2019 / WINDOWS 10 (1809) In this post I’ll cover some properties of the Windows Server 2019 IPv6 stack. It is an update of a similar post I wrote on the IPv6 properties of Server 2016 a while ago. For this reason I will mostly look at the same properties I did at the time (read: at times without providing too much technical background information; that can be found in the other post) and I’ve hence performed the
GTP gtp_scan is a small python script that scans for GTP (GPRS tunneling protocol) speaking hosts. To discover those hosts it uses the GTP built-in PING mechanism, it sends a GTP packet of the type ECHO_REQUEST and listens for an incoming GTP ECHO_REPLY.
DIZZY VERSION 2.0 RELEASED A new major version of our fuzzing framework dizzy has been released. This blog post will cover the biggest changes and new features, as well as give you a
REVERSE ENGINEERING WITH RADARE2 As some of you may know, there is a "new" reverse engineering toolkit out there which tries to compete with IDA Pro in terms of reverse engineering. I'm talking about radare2, a framework for reversing, patching, debugging and exploiting. It has large scripting capabilities, runs on all major platforms (Android, GNU/Linux, BSD, iOS, OSX, QNX, w32, w64, Solaris, Haiku, Firefo
ERLANG DISTRIBUTION RCE AND A COOKIE BRUTEFORCER In one of the last pentests we've found an epmd (Erlang port mapper daemon) listening on a target system (tcp/4369). It is used to coordinate distributed erlang instances, but also can lead to a RCE, given one knows the so called "authentication cookie". Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start. If not modified or set manually it is a ra
Events
August 13, 2019
by Enno Rey
BLACK HAT US 2019 / SOME TALKS I’ve been at Black Hat Vegas last week and in the following I’ll shortly discuss some talks I’ve attended and which I found interesting.
Black Hat Conferences
Misc
August 9, 2019
by Friedwart Kuhn
A FOLLOW-UP ON THE HEISEC WEBINAR ON EMOTET & SOME ACTIVE DIRECTORY SECURITY SOURCES
Some weeks ago, Heinrich and I had the pleasure to participate in the heisec-Webinar “Emotet bei Heise – Lernen aus unseren Fehlern”.
We really enjoyed the webinar and the (alas, due to the format: too short) discussions and we hope we could contribute to understand how to make Active Directory implementations out there a bit safer in the future.
Breaking
July 29, 2019
by Oliver Matula
HOW TO BREAK OUT OF RESTRICTED SHELLS WITH TCPDUMP During security assessments we sometimes obtain access to a restricted shell on a target system. To advance further and gain complete control of the system, the next step is usually to break out of this shell. If the restricted shell provides access to certain system binaries, these binaries can often be exploited to perform such a break out. Here we would like to show an interesting example of such a break out by using the tcpdump binary.
Break Out Restricted Shell
Misc
July 26, 2019
by Nils Emmerich
LIBREOFFICE – A PYTHON INTERPRETER (CODE EXECUTION VULNERABILITY CVE-2019-9848)
While waiting for a download to complete, I stumbled across an interesting blogpost.
The author describes a flaw in LibreOffice that allowed an attacker to execute code. Since this was quite recent, I was interested whether my version is vulnerable to this attack and how they fixed it. Thus, I looked at the sources and luckily it was fixed. What I didn’t know before, however, was that macros shipped with LibreOffice are executed without prompting the user, even on the highest macro security setting. So, if there were a system macro from LibreOffice with a bug that allows code execution, the user would not even get a prompt and the code would be executed right away. Therefore, I started to have a closer look at the source code and found out that exactly this is the case!
Continue reading “LibreOffice – A Python Interpreter (code execution vulnerability CVE-2019-9848)”Continue reading
Misc
July 18, 2019
by Malte Heinzelmann
TROOPERS 19 – BADGE HARDWARE
This post by Jeff (@jeffmakes) was delayed due to interference from other projects; nevertheless, enjoy! This year, it was my great honour to design the hardware for the Troopers19 badge.
We wanted to make a wifi-connected, MicroPython-powered badge; something that would be fun to take home and hack on. It was a nice opportunity to use a microcontroller platform that I hadn’t tried before. I also used the project as a chance to finally migrate my PCB workflow from Eagle to KiCad. Inevitably it was a painful transition, which resulted in quite some delay to the project as I floundered around in the new tool, but it does mean the design files are in an open format, which I hope will benefit the community of Troopers attendees and future badge designers! Continue reading “Troopers 19 – Badge Hardware”
Incident Response, Misc
July 18, 2019
by Dr. Andreas Dewald
EMOTET AT HEISE, EMOTET THERE, EMOTET EVERYWHERE – DISSECTION OF AN INCIDENT
After the Emotet incident at Heise, where ERNW was consulted for incident response, we decided to start a blog post series in which we want to regularly report on current attacks that we observe. In particular, we want to provide details about the pieces of malware used, the different stages, and the techniques used for the initial infection and lateral movement. We hope that this information helps you to detect ongoing incidents, apply countermeasures, and, in the best case, figure out proactive countermeasures and security controls beforehand. Continue reading “Emotet at Heise, Emotet there, Emotet everywhere – Dissection of an Incident”
Tags: emotet, heise, incident, incident analysis, incident response, malware, malware analysis
Breaking
July 8, 2019
by Niklaus Schiess
MULTIPLE VULNERABILITIES IN INNOVAPHONE VOIP PRODUCTS FIXED
Dear all,
innovaphone fixed several vulnerabilities in two VoIP products that we disclosed a while ago. The affected products are the Linux Application Platform and the IPVA.
Unfortunately, the release notes are not public (yet?) and the vendor does not include information about the vulnerabilities for the Linux Application Platform. Therefore, we decided to publish some more technical details for the issues. Continue reading “Multiple Vulnerabilities in innovaphone VoIP Products Fixed”
Tags: VoIP
Misc
July 4, 2019
by Oliver Matula
SECURITY ADVISORIES FOR CISCO ACI
Again, Cisco released security advisories for their software-defined networking (SDN) solution called Application Centric Infrastructure (ACI). As before (see the earlier blog post), the published advisories originated from research performed in our ACI lab. Continue reading “Security Advisories for Cisco ACI”
Misc
June 30, 2019
by Enno Rey
IPV6 SURVEYS / APPLICATION SPACE
In some organizations we work with, a certain state of IPv6 deployment has been reached in the interim which includes, among others, the following aspects:
* the network infrastructure is IPv6-enabled (incl. interface addressing, routing and the like).
* parts of the supporting services (security functions, monitoring, system management) include IPv6 in a proper way.
* 3rd-party providers have been contractually obliged to deliver their services in an “IPv6-enabled” mode (as opposed to only being “IPv6-capable”, which was the standard requirement in many RFIs during earlier years).
It might then happen that networking people (who are often the initial motivators for deploying IPv6) in such organizations state, when asked about IPv6: “it’s done”. The point is that, alas, this does not necessarily mean that a single service or application is *actually using* IPv6, so while the above certainly constitutes an achievement, it might not even be halfway through.
Continue reading “IPv6 Surveys / Application Space”
Tags: IPv6
Building
June 13, 2019
by Michael Thumann
DIRECTORYRANGER 1.5.0 IS AVAILABLE
The next major release of DirectoryRanger is now available for customers, and for everyone who would like to try it ;-). Current attacks show that quite often the topic of Active Directory security is not on the security agenda, but it should be, and this was the reason for us to build the tool and, of course, to maintain and improve it. So what are the major new features released with DirectoryRanger 1.5.0? Here we go: Continue reading “DirectoryRanger 1.5.0 Is Available”
Tags: Active Directory, DirectoryRanger, SecTools
©2019 ERNW GmbH