The Research Blog

Active Directory: Users in Nested Groups Reconnaissance

The article discusses a technique for efficiently discovering users in nested Active Directory groups using the LDAP_MATCHING_RULE_IN_CHAIN OID. New Metasploit commands were introduced to perform comprehensive Active Directory user and group reconnaissance, allowing identification of users in complex nested group structures. The method enables penetration testers to quickly identify users with administrative privileges across nested group hierarchies.

Mass HTTP Enumeration with Metasploit

A Metasploit module enables mass HTTP enumeration of web servers during penetration testing. The module efficiently extracts server headers, HTTP status codes, and page titles across large networks. It allows quick identification of interesting or anomalous hosts using Metasploit's database and multithreading capabilities.

Memory Allocation: How injecting into your own tools might help you compromise a Windows domain

ADEGrab is a memory injection tool designed to extract search results from Sysinternals' AD Explorer by directly accessing the application's memory. The tool allows penetration testers to copy search results from Active Directory exploration tools that do not natively support result export. It uses Windows API calls to read and manipulate memory within the AD Explorer process, enabling users to capture and save search results.

  • 25 Sep 2015

A Practical Guide to Cracking Password Hashes

This article provides a comprehensive guide to password hash cracking techniques using Hashcat. It demonstrates how rule-based attacks can efficiently generate password variations from wordlists, significantly improving password guessing success rates. By empirically testing and developing targeted rulesets, password crackers can dramatically increase the number of cracked hashes.

Mission mPOSsible

A security presentation examined the vulnerabilities of mobile Point-of-Sale (mPOS) devices used with mobile platforms. The study investigated potential risks to sensitive customer payment data in emerging payment technologies. Findings were presented at Syscan 2014 and Blackhat USA 2014 by Nils and Jon.

  • 28 Aug 2015

44Con 2015 Challenge

A cryptic cybersecurity challenge from 44Con 2015 presents a mysterious scenario involving a ransacked room and a complex puzzle. The challenge includes a circuit diagram and a long binary string, suggesting a decoding challenge that requires careful investigation to uncover hidden information.

Understanding the Protected-View Sandbox

The whitepaper analyzes the Microsoft Office 2013 Protected-View sandbox architecture. It explores the sandbox's initialization, system resource restrictions, and Inter-Process Communication (IPC) mechanism. The technical analysis was originally presented at the REcon 2015 Security Conference.

  • 25 Jun 2015

Set Fire to the Phone

Two security researchers from MWRLabs discovered multiple vulnerabilities in the Amazon Fire Phone's AppStore ecosystem. By chaining three distinct vulnerabilities, they achieved remote code execution without using native or memory-based attacks. The exploit allowed installation of malware, extraction of device data, and demonstrated significant application security risks in the Fire Phone's software.

Why Bother Assessing Popular Software?

A presentation at BSides London 2015 examined software security vulnerabilities through a case study of Adobe Reader. The analysis focused on investigating the attack surface of the software by examining its JavaScript API, PDF Rendering Engine, and Sandbox. High-risk security vulnerabilities were identified during the detailed technical assessment.

Android Wear Security Analysis

A security analysis of Android Wear reveals robust security controls in WearableListenerService and WearableService. The research examined how Android Wear applications communicate and found strict checks preventing unauthorized message delivery between applications. Security mechanisms effectively block low-privileged malware from interfering with inter-application communication on wearable devices.

How to own any Windows network with group policy hijacking attacks

Group policy hijacking attacks can compromise Windows networks by intercepting and manipulating group policy traffic. The attacks exploit vulnerabilities in SMB signing and Kerberos authentication to gain SYSTEM-level access on domain-joined systems. Multiple attack vectors allow attackers to modify group policy settings and execute arbitrary code on target networks.

  • 27 Mar 2015

Disgusting Code: GeoIP lookups in Excel

A blog post describes an unconventional method for performing GeoIP lookups in Excel using native formulas and Maxmind's GeoIP database. The technique involves complex nested Excel formulas to convert IP addresses to decimal and perform lookups without external dependencies or macros. The approach is designed for use on locked-down corporate machines with limited computational resources.