The Research Blog

  • 5 Apr 2016

Windows Kernel Exploitation 101: Exploiting CVE-2014-4113

This article provides a detailed walkthrough of exploiting CVE-2014-4113, a Windows kernel vulnerability. The guide demonstrates the process of creating an exploit for Windows 7 SP1 32-bit by analyzing an original Anti-Virus vendor report. The goal is to make kernel exploitation more accessible to cybersecurity researchers.

Egress Checking

The EgressCheck Framework is a tool designed to help penetration testers and system administrators identify network egress opportunities. It generates traffic across multiple ports and protocols, capturing connection attempts using tcpdump. The framework supports both TCP and UDP scanning, and can generate one-liner scripts for Python and PowerShell.

Persistence Architecture Matters

This article explores the Windows-on-Windows (WOW) redirection layer in 64-bit Windows systems. It explains how filesystem and registry paths are dynamically remapped depending on the process architecture. The technical explanation reveals how 32-bit and 64-bit processes interact with system directories and registry keys differently.

  • 23 Mar 2016

LoRa Security: Building a secure LoRa solution

A whitepaper by Rob Miller explores the security aspects of LoRaWAN technology. The document provides insights into securing LoRa systems and understanding potential attack methodologies. It aims to help developers comprehend their security responsibilities when building LoRa solutions.

Abusing PuTTY & Pageant through native functionality

A technique for remotely interacting with SSH keys stored in PuTTY's Pageant SSH agent on Windows is explored. The method leverages native functionality to proxy SSH authentication requests through a compromised workstation without traditional exploitation. An attack tool called PageantJacker enables forwarding authentication requests to a remote Pageant instance, allowing an attacker to use a target's SSH keys from their own machine.

QNX: 99 Problems but a Microkernel ain't one!

This presentation explores security research on the QNX microkernel operating system used in critical systems like automotive and consumer devices. The talk examined QNX's security architecture through reverse engineering and fuzzing techniques. The goal was to provide insights into QNX subsystems and potential attack surfaces for privilege escalation.

QNX: Security Architecture Whitepaper

A whitepaper by Alex Plaskett and Georgi Geshev examines the security architecture of QNX, a microkernel operating system. The document explores key operating system features and potential attack vectors against QNX-based platforms. The research identifies security weaknesses and suggests opportunities for further investigation into the QNX platform's security.

When LanMan history reveals the present and future, but might just be lying to you

Windows password history hashes may contain seemingly random data even when LanMan hash storage is disabled. Analysis of these historical hashes can reveal password patterns and potentially help guess current user credentials during security assessments. Password history examination demonstrates how users often create predictable password sequences despite technical controls.

The Pageantry of Lateral Movement

A presentation on lateral movement techniques in network penetration testing explores abusing Pageant (PuTTY's SSH agent) on Windows hosts. The talk demonstrates a nearly undetectable method of tunneling SSH agent traffic using a meterpreter extension. Improvements were made to an existing reconnaissance tool to enhance its utility during simulated attacks.

Warranty Void If Label Removed: Attacking MPLS Networks

A presentation on MPLS network vulnerabilities revealed critical security weaknesses in service provider network infrastructures. Network reconnaissance techniques were demonstrated that could expose internal Label Switching Router interconnections. The research highlighted potential VRF hopping attacks that could allow unauthorized traffic injection between different customer networks in shared MPLS environments.

EMV Protocol Fuzzer

An EMV protocol fuzzer was developed to evaluate the security of point-of-sale devices and smartcard systems. The fuzzer enables real-time monitoring and modification of EMV communication streams to identify potential vulnerabilities. The tool includes Python interfaces and robotic automation to facilitate comprehensive security testing of financial transaction technologies.

  • 16 Oct 2015

Journey Into Hunting The Attackers

A presentation at BSides Manchester 2015 explored stealthy credential retrieval techniques used by attackers targeting Windows systems. The talk focused on methods for extracting credentials that can bypass Anti-Virus detection. Techniques discussed included using built-in Windows commands and attacker tools designed to remain undetected during system intrusions.