Bold Statements
the last post was about a fuse filesystem which provides a read-only access to the proprietary bluecoat filesystem. After some further investigations based on the possibilities this offered us, I started to implement a tool which allows to modify parts of the filesystem.
Continue reading “Interacting with the BlueCoat Filesystem”
Continue readingSome time ago, one of our customers contacted us with a special request. For some legitimate reason, they needed to centrally collect certain certificates including their private keys which were distributed across many client systems running Windows and stored in the corresponding user stores. Unfortunately (only in this case, but actually good from a security perspective), the particular private keys were marked non-exportable making a native export in the context of the user impossible. As if this wasn’t enough, the extraction was supposed to be executed in the context of the current user (i.e. without administrative privileges) while not triggering the existing Anti Virus solution at all. Also, the certificates needed to be transferred to some trusted system where they could not be accessed in an unauthorized way. So let’s have a look how we tackled these problems:
Continue readingWe are super excited for TROOPERS18 (March 12-16th, 2018) as are many of you! We even have this great saying that “after TROOPERS is before TROOPERS”, which means we spend a lot of time looking through feedback from attendees, speakers/trainers, and our own Crew for ways to not only top what we’ve done in the years before, but also how to simply make it better for everyone involved. Looking around at our Crew we realized how many have either attended TROOPERS or other conferences as students. We heard from them, as well as other students, how life changing it was to be able, as a student, to attend an IT-Security conference. How they got to meet a speaker whose work they’d read about in class. How people felt even more a part of the community they were studying hard to belong to. Continue reading “TROOPERS for Students!”
Continue readingA while ago I wrote a short paper laying out options for an enterprise organization to get global IPv6 address space from the RIPE NCC, discussing the advantages and disadvantages of different approaches. As I think the topic may be of interest for others, too, I’ve distilled an anonymized version. It can be found here. I hope some of you find it useful.
Cheers, Enno
Continue readingIn one of the last pentests we’ve found an epmd (Erlang port mapper daemon) listening on a target system (tcp/4369). It is used to coordinate distributed erlang instances, but also can lead to a RCE, given one knows the so called “authentication cookie”. Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start. If not modified or set manually it is a random string [A:Z] with a length of 20 characters. If an attacker gains this cookie, a RCE is quite easy – as I like to describe below.
Continue reading “Erlang distribution RCE and a cookie bruteforcer”
Continue readingYou may remember our last post regarding the SGOS system and the proprietary file system. Since then, we got access to a newer version of the system (6.6.4.2). Still not the most current one (which seems to be 6.7.1.1) nor of the 6.6.x branch (which seems to be 6.6.5.1) though. As this system version also used the same proprietary filesystem (although it initially booted from a FAT32 partition), I decided to take a deeper look into this.
Continue reading “Reading the BlueCoat FileSystem”
Continue readingThis is my short write up on Daycon X1, 2017. The summit was held at Dayton, the land where Wright brothers were born. Apart from being my first US trip, I also gave my first training on Hacking 101 also called the Bootcamp.
Continue readingLast week I had the pleasure to participate at the first RIPE IoT Roundtable Meeting in Leeds (thanks! to Marco Hogewoning for organising it). It was a day with many fruitful discussions. I particularly enjoyed Robert Kisteleki‘s talk on RIPE NCC’s own design & (security) process considerations in the context of RIPE Atlas (at TR17 NGI there was an intro to Atlas, too).
In this post I’d like to quickly lay out the main points of my own contribution on “Balanced Security for IPv6 CPE Revisited” (the slides can be found here).
Continue reading “RIPE IoT Roundtable Meeting / Balanced Security for IPv6 CPE Revisited”
Continue readingSome of our Troopers had the chance to visit HITCON conference in Taiwan this year. There are two main events: HITCON Pacific, which is aimed more at corporate attendees and HITCON CMT, the community edition, which aims at students and the general Infosec community. HITCON is the biggest security conference in Taiwan.
Continue reading “HITCON CMT 2017”
Continue readingAs you may remember, back in 2014 we published a whitepaper (compiled by Antonis Atlasis) on the support of IPv6 in different pentesting tools. This is almost three years ago and we thought it is time for an update. In short not much has changed. Most of the tools which didn’t support IPv6 are still not supporting it or haven’t got any update since then.
This post will cover the tools where we could identify some progress on supporting IPv6.
Continue reading “An Update of PenTesting Tools that (do not) Support IPv6”
Continue reading