PoSh_ATTCK – ATT&CK Knowledge at your PowerShell Fingertips…


When I recently joined the Windows Security team at ERNW, Enno asked me if I wanted to write a ‘welcome’ blogpost on a topic of my choosing… Up for the challenge, and since I had been playing with BloodHound & Cypher for the last couple of months, I first thought I would do something on that topic.

However, after gathering my thoughts and some Cypher I had collected here and there, I realized that the topic of Bloodhound Cypher might actually require several blog posts… And so I changed my mind. I will keep the joys of Cypher for later, and in this post, I will talk about a tiny tool I wrote to query the Mitre ATT&CK™ knowledge base from the comfort of a PowerShell prompt.

Small, Simple and hopefully useful: should be suited for this first post…
Continue reading “PoSh_ATTCK – ATT&CK Knowledge at your PowerShell Fingertips…”

Continue reading

Erlang distribution RCE and a cookie bruteforcer

In one of the last pentests we’ve found an epmd (Erlang port mapper daemon) listening on a target system (tcp/4369). It is used to coordinate distributed erlang instances, but also can lead to a RCE, given one knows the so called “authentication cookie”. Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start. If not modified or set manually it is a random string [A:Z] with a length of 20 characters. If an attacker gains this cookie, a RCE is quite easy – as I like to describe below.

Continue reading “Erlang distribution RCE and a cookie bruteforcer”

Continue reading

(Mostly) New, Interesting, and Security-focused Open Source Projects

Troopers ’17 – the 10th edition – madness is over and hopefully all of you are well rested and recovered after this special week. Of course the rest of the world did not stand still and thus Google lifted the curtains on a new public portal collecting and promoting the Open Source Software projects developed by employees of Google: There are a lot of interesting projects that might incubate new interesting developments. And even security oriented tools and projects (51 at the time of writing to be precise) are publically available Continue reading “(Mostly) New, Interesting, and Security-focused Open Source Projects”

Continue reading

KNXmap: A KNXnet/IP Scanning and Auditing Tool

Users of the KNX, a standard for home automation bus systems, may already have come across KNXnet/IP (also known as EIBnet/IP): It is an extension for KNX that defines Ethernet as a communication medium for KNX which allows communication with KNX buses over IP driven networks. Additionally, it enables one to couple multiple bus installations over IP gateways, or so called KNXnet/IP gateways.

In the course of some KNX related research we’ve had access to various KNXnet/IP gateways from different vendors, most of them coupled in a lab setup for testing purposes. The typical tools used for such tasks are ETS, the professional software developed by the creators of KNX (proprietary, test licenses available) and eibd, an open source implementation of the KNX standard developed by the TU Vienna.

Continue reading “KNXmap: A KNXnet/IP Scanning and Auditing Tool”

Continue reading

Pentesting Webservices with Net.TCP Binding

Hi all,

Most of you that are  pentesters  may have already tested plenty of webservices using SOAP (Simple Object Access Protocol) for communication. Typically, such SOAP messages are transferred over HTTP (Hypertext Transfer Protocol) and are encapsulated in XML (Extensible Markup Language). Microsoft has developed different representations of this protocols to reduce the network load. As these representations/protocols aren’t really covered by typical tools out there, this post will show you some of them, and a proxy which can be used to simplify the testing.

Continue reading “Pentesting Webservices with Net.TCP Binding”

Continue reading

SAMLReQuest Burpsuite Extention

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between a Service Provider (SP) and an  Identification Provider (IdP). SAML is used in many Single Sign-On (SSO) implementations, when a user is authenticated once by IdP to access multiple related SPs. When a user requests to access a SP, it creates a SAML Authentication Request and redirects the user to IdP to be authenticated according to this authentication request. If the user is successfully authenticated, IdP creates a SAML authentication response and sends it back to SP through the user’s browser.

Continue reading “SAMLReQuest Burpsuite Extention”

Continue reading

unrubby: reversing without reversing

The talk “unrubby: reversing without reversing” was part of the Troopers conference in Heidelberg, 16 March 2016. The talk was done by Richo Healey, who is currently working on the security engineering team at the Irish payment company Stripe. Richo Healey is an experienced conference speaker. Amongst other he has spoken at Kiwicon, DEF CON and 44con.
In his talk Richo Healey spoke about reverse engineering of Ruby software. First he talked about existing tools and techniques to regenerate source code from Ruby bytecode. Then he presented a new concept, which is implemented in his tool “unrubby”.

Continue reading “unrubby: reversing without reversing”

Continue reading

Check your SAP landscape for default Solution Manager users

This is a guest post from Joris van de Vis @jvis,  on his upcoming Troopers talk. Additional credits go to: Robin Vleeschhouwer, and Fred van de Langenberg.



As presented at Troopers this year, ERP-SEC research has uncovered a set of potential default accounts related to the use of SAP Solution Manager. These default accounts might pose a big risk to your SAP supported business as some of them have wide authorisations. It is therefore important to check if they exist in your landscape and change the default passwords.

Continue reading “Check your SAP landscape for default Solution Manager users”

Continue reading