The Research Blog

  • 23 Mar 2016

LoRa Security: Building a secure LoRa solution

A whitepaper by Rob Miller explores the security aspects of LoRaWAN technology. The document provides insights into securing LoRa systems and understanding potential attack methodologies. It aims to help developers comprehend their security responsibilities when building LoRa solutions.

Abusing PuTTY & Pageant through native functionality

A technique for remotely interacting with SSH keys stored in PuTTY's Pageant SSH agent on Windows is explored. The method leverages native functionality to proxy SSH authentication requests through a compromised workstation without traditional exploitation. An attack tool called PageantJacker enables forwarding authentication requests to a remote Pageant instance, allowing an attacker to use a target's SSH keys from their own machine.

QNX: 99 Problems but a Microkernel ain't one!

This presentation explores security research on the QNX microkernel operating system used in critical systems like automotive and consumer devices. The talk examined QNX's security architecture through reverse engineering and fuzzing techniques. The goal was to provide insights into QNX subsystems and potential attack surfaces for privilege escalation.

QNX: Security Architecture Whitepaper

A whitepaper by Alex Plaskett and Georgi Geshev examines the security architecture of QNX, a microkernel operating system. The document explores key operating system features and potential attack vectors against QNX-based platforms. The research identifies security weaknesses and suggests opportunities for further investigation into the QNX platform's security.

When LanMan history reveals the present and future, but might just be lying to you

Windows password history hashes may contain seemingly random data even when LanMan hash storage is disabled. Analysis of these historical hashes can reveal password patterns and potentially help guess current user credentials during security assessments. Password history examination demonstrates how users often create predictable password sequences despite technical controls.

The Pageantry of Lateral Movement

A presentation on lateral movement techniques in network penetration testing explores abusing Pageant (PuTTY's SSH agent) on Windows hosts. The talk demonstrates a nearly undetectable method of tunneling SSH agent traffic using a meterpreter extension. Improvements were made to an existing reconnaissance tool to enhance its utility during simulated attacks.

Warranty Void If Label Removed: Attacking MPLS Networks

A presentation on MPLS network vulnerabilities revealed critical security weaknesses in service provider network infrastructures. Network reconnaissance techniques were demonstrated that could expose internal Label Switching Router interconnections. The research highlighted potential VRF hopping attacks that could allow unauthorized traffic injection between different customer networks in shared MPLS environments.

EMV Protocol Fuzzer

An EMV protocol fuzzer was developed to evaluate the security of point-of-sale devices and smartcard systems. The fuzzer enables real-time monitoring and modification of EMV communication streams to identify potential vulnerabilities. The tool includes Python interfaces and robotic automation to facilitate comprehensive security testing of financial transaction technologies.

  • 16 Oct 2015

Journey Into Hunting The Attackers

A presentation at BSides Manchester 2015 explored stealthy credential retrieval techniques used by attackers targeting Windows systems. The talk focused on methods for extracting credentials that can bypass Anti-Virus detection. Techniques discussed included using built-in Windows commands and attacker tools designed to remain undetected during system intrusions.

Active Directory: Users in Nested Groups Reconnaissance

The article discusses a technique for efficiently discovering users in nested Active Directory groups using the LDAP_MATCHING_RULE_IN_CHAIN OID. New Metasploit commands were introduced to perform comprehensive Active Directory user and group reconnaissance, allowing identification of users in complex nested group structures. The method enables penetration testers to quickly identify users with administrative privileges across nested group hierarchies.

Mass HTTP Enumeration with Metasploit

A Metasploit module enables mass HTTP enumeration of web servers during penetration testing. The module efficiently extracts server headers, HTTP status codes, and page titles across large networks. It allows quick identification of interesting or anomalous hosts using Metasploit's database and multithreading capabilities.

Memory Allocation: How injecting into your own tools might help you compromise a Windows domain

ADEGrab is a memory injection tool designed to extract search results from Sysinternals' AD Explorer by directly accessing the application's memory. The tool allows penetration testers to copy search results from Active Directory exploration tools that do not natively support result export. It uses Windows API calls to read and manipulate memory within the AD Explorer process, enabling users to capture and save search results.