TROOPERS for Students!

We are super excited for TROOPERS18 (March 12-16th, 2018) as are many of you! We even have this great saying that “after TROOPERS is before TROOPERS”, which means we spend a lot of time looking through feedback from attendees, speakers/trainers, and our own Crew for ways to not only top what we’ve done in the years before, but also how to simply make it better for everyone involved.  Looking around at our Crew we realized how many have either attended TROOPERS or other conferences as students. We heard from them, as well as other students, how life changing it was to be able, as a student, to attend an IT-Security conference. How they got to meet a speaker whose work they’d read about in class. How people felt even more a part of the community they were studying hard to belong to.  Continue reading “TROOPERS for Students!”

Continue reading

Erlang distribution RCE and a cookie bruteforcer

In one of the last pentests we’ve found an epmd (Erlang port mapper daemon) listening on a target system (tcp/4369). It is used to coordinate distributed erlang instances, but also can lead to a RCE, given one knows the so called “authentication cookie”. Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start. If not modified or set manually it is a random string [A:Z] with a length of 20 characters. If an attacker gains this cookie, a RCE is quite easy – as I like to describe below.

Continue reading “Erlang distribution RCE and a cookie bruteforcer”

Continue reading

Reading the BlueCoat FileSystem

You may remember our last post regarding the SGOS system and the proprietary file system. Since then, we got access to a newer version of the system ( Still not the most current one (which seems to be nor of the 6.6.x branch (which seems to be though. As this system version also used the same proprietary filesystem (although it initially booted from a FAT32 partition), I decided to take a deeper look into this.

Continue reading “Reading the BlueCoat FileSystem”

Continue reading

RIPE IoT Roundtable Meeting / Balanced Security for IPv6 CPE Revisited

Last week I had the pleasure to participate at the first RIPE IoT Roundtable Meeting in Leeds (thanks! to Marco Hogewoning for organising it). It was a day with many fruitful discussions. I particularly enjoyed Robert Kisteleki‘s talk on RIPE NCC’s own design & (security) process considerations in the context of RIPE Atlas (at TR17 NGI there was an intro to Atlas, too).
In this post I’d like to quickly lay out the main points of my own contribution on “Balanced Security for IPv6 CPE Revisited” (the slides can be found here).

Continue reading “RIPE IoT Roundtable Meeting / Balanced Security for IPv6 CPE Revisited”

Continue reading

An Update of PenTesting Tools that (do not) Support IPv6

As you may remember, back in 2014 we published a whitepaper (compiled by Antonis Atlasis) on the support of IPv6 in different pentesting tools. This is almost three years ago and we thought it is time for an update. In short not much has changed. Most of the tools which didn’t support IPv6 are still not supporting it or haven’t got any update since then.
This post will  cover the tools where we could identify some progress on supporting IPv6.

Continue reading “An Update of PenTesting Tools that (do not) Support IPv6”

Continue reading

FireEye Security Bug: Connection to physical host and adjacent network possible during analysis in Live-Mode

We recently identified a security issue in FireEye AX 5400, that also affected other products. We responsibly disclosed the bug to FireEye and a fix that addresses the issue has been released with version 7.7.7. The fix was also merged into the common core and is available as 8.0.1 for other products (i.e. FireEye EX).

The related release notes can be found here:

FireEye announced to post a 2017 Q3 notice with credit to us, too.

Continue reading “FireEye Security Bug: Connection to physical host and adjacent network possible during analysis in Live-Mode”

Continue reading


As mentioned in my last blogpost, I had the pleasure to participate in this years DFRWS USA and present our paper. The paper and presentation can be freely viewed and downloaded here or here. Note that there is also an extended version of the paper, which can be downloaded here.

The keepassx, zsh and heap analysis plugins are now also part of the Rekall release candidate 1.7.0RC1, so it’s easier to get started.

The conference had some great talks and workshops, which I’m going to briefly sum up.
Continue reading “DFRWS USA 2017”

Continue reading