Building – Page 2 – Insinuator.net

July 26, 2020 by Dennis Heinze

ACM WiSec 2020

Last week I attended ACM WiSec. Of course, only virtually. The first virtual conference I attended. Coincidentally, it was also the first conference I presented at. While the experience was quite different from a “real” conference, the organizers did a great job to make the experience as good as possible with, for example, a mattermost instance to interact with other conference participants.

In the following, I will list a few talks and papers that I either found very interesting or that generally stood out to me:

Continue reading “ACM WiSec 2020”

Building

May 6, 2020 by SadProcessor

Back from the ATT&CK jungle…

So there was a pandemic, the whole world was under lockdown, and I got a bit depressed.
I needed something new in my life, so I decided to take my favorite dog out for a walk in the ATT&CK jungle to check out the newly added sub-techniques…

Continue reading “Back from the ATT&CK jungle…”

Breaking, Building

March 4, 2020 by Malte Heinzelmann

DNS exfiltration case study

Lately, we came across a remote code execution in a Tomcat web service by utilizing Expression Language. The vulnerable POST body field expected a number. When sending ${1+2} instead, the web site included a Java error message about a failed conversion to java.lang.Long from java.lang.String with value "3".

From that error message we learned a couple of things:

The application uses Java
We are able to execute EL expressions
Output from the EL engine is always returned as String

Whenever you are able to execute code within a Java Context, the most interesting part is to check whether we can get a Runtime object and execute arbitrary OS commands.

Sending ${Runtime.getRuntime()} resolves to java.lang.Runtime@de30bb. Great, so we can use Runtime.exec(String cmd) to execute arbitrary code? Continue reading “DNS exfiltration case study”

Building, Events

November 28, 2019 by Jan Harrie

BASTA! Autumn 2019 – Security in DevOps

Some time ago I had the pleasure to speak at the BASTA! Autumn 2019 conference. There, I promised to publish my slides such that they can be used as a reference for developers and security guys like me. And with this blog post I would like to hold up to my promise.

Continue reading “BASTA! Autumn 2019 – Security in DevOps”

Building

October 18, 2019 by SadProcessor

Blue Hands On Bloodhound

Hi there,

SadProcessor here, happy to be back on the Insinuator to share with you some of my latest BloodHound adventures and experiments…

TL;DR Well too bad for you… Continue reading “Blue Hands On Bloodhound”

Building

August 26, 2019 by Enno Rey

A Brief History of the IPv4 Address Space

This is meant to be the first part of a 3-part series discussing the space & types of IP addresses, with a particular focus on what has changed between IPv4 and IPv6. In this first post I’ll take the audience through a historical tour of some developments within the IPv4 address space.

Continue reading “A Brief History of the IPv4 Address Space”

Building

July 18, 2019 by Malte Heinzelmann

Troopers 19 – Badge Hardware

This post by Jeff (@jeffmakes) was delayed due to interferences with other projects but nevertheless, enjoy!

This year, it was my great honour to design the hardware for the Troopers19 badge.

We wanted to make a wifi-connected MicroPython-powered badge; something that would be fun to take home and hack on. It was a nice opportunity to use a microcontroller platform that I hadn’t tried before. I also used the project as a chance to finally migrate my PCB workflow from Eagle to Kicad. Inevitably it was a painful transition, which resulted in quite some delay to the project as I floundered around in the new tool, but it does mean the design files are in an open format which I hope will benefit the community of Troopers attendees and future badge designers!

Continue reading “Troopers 19 – Badge Hardware”

Building

June 13, 2019 by Michael Thumann

DirectoryRanger 1.5.0 Is Available

The next major release of DirectoryRanger is now available for customers, and for everyone who would like to try it ;-). Current attacks show that quite often the topic of Active Directory Security is not on the security agenda, but it should be, and this was the reason for us to build the tool and, of course, to maintain and improve it. So what are the major new features released with DirectoryRanger 1.5.0? Here we go:

Continue reading “DirectoryRanger 1.5.0 Is Available”

Building

April 15, 2019 by Malte Heinzelmann

Troopers 19 – Hack your badge

Sadly, TROOPERS 19 is already over. I had great fun meeting all of you, helping you with your badge problems and seeing others hacking on their badges for example to get custom images on there.

With this year’s badge we wanted to give you something you can reuse after the conference, learn new things new build something on your own.

As promised in our talk Jeff and I would like to give you a short introduction into the badge internals. Along with this post we will release the source code for the badge firmware, the provisioning server and the schematics for the PCB.

Continue reading “Troopers 19 – Hack your badge”

Building

January 28, 2019 by SadProcessor

2019 – Year Of The Blue Dog…

Back from Holidays, you started the year well motivated to make the world a safer place.
However, sitting at your desk today you realize nothing really changed since last year, and you are surfing the web, feeling a bit blue, trying to avoid that pile of emails waiting for you and wondering how you could gain some visibility on your domain in order to better defend it.
No worries, emails can wait a bit longer. All you need is some fresh air and something cool to keep your defensive mind motivated for the year, and I might have just what you need; so put on your shoes and let me take you on a 15 minute Cypher walk with a cool blue dog…

Continue reading “2019 – Year Of The Blue Dog…”