Category: Security

Microsoft EMET 5 Configuration to Mitigate PowerPoint Zero Day

Microsoft Security Advisory 3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (Published: October 21, 2014) PowerPoint Zero Day Vulnerability Executive Summary: Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft …

Continue reading

Comparing ASLR on Windows & Linux

Two key differences regarding Linux & Windows Address Space Layout Randomization (ASLR): ASLR is not as prevalent in most Linux distributions as it is on modern Windows systems. ASLR cannot be force-enabled for applications on Linux, as EMET can do on Windows. Read the entire article at

XEN Hypervisor Vulnerabilities

And you were wondering why Amazon had rolling reboots of EC2 recently… From the Whitepaper “FROM RING 3 TO RING0: EXPLOITING THE XEN X86 INSTRUCTION EMULATOR” (bitdefender): ABSTRACT While a VMM can provide a considerable level of security by isolation, it is generally true that by increasing the code-base that runs on a given host …

Continue reading

BadUSB Overview (Presentation & Slides) & Recent Release of BadUSB Exploit Code

BadUSB – The problems with USB One of the best talks I saw at BlackHat USA 2014 was on security issues with USB that are built into the spec (i.e. can’t be changed easily). BadUSB Black Hat USA 2014 Presentation Slides BadUSB Black Hat USA 2014 Presentation Video Here are the primary reasons why USB …

Continue reading

Using PowerShell to Perform a Reverse DNS Lookup in Active Directory

Typically, one would use ping -a to get the hostname for a specific IP address which performs a DNS reverse lookup. Querying AD for a computer with an IP works great for computers joined to the Active Directory domain since most computers in AD have the IP Address configured on the computer account. When the …

Continue reading

Black Hat USA 2014 Presentation: Investigating PowerShell Attacks

Black Hat USA 2014 Presentation: Investigating PowerShell Attacks This is an excellent presentation and I highly recommend anyone who is an admin or who is responsible for AD security. Investigating PowerShell Attacks Ryan Kazanciyan Technical Director, Mandiant Matt Hastings Consultant, Mandiant Over the past two years, we’ve seen targeted attackers increasingly utilize PowerShell to conduct …

Continue reading

ShellShock/BashBug – Bash Vulnerability Affects Linux, Unix, & Mac OSX

10/01/2014 Updates: Shellshock: Vulnerable Systems you may have missed and how to move forward VMware Begins to Patch Bash Issues Across Product Line Honeypot Snares Two Bots Exploiting Bash Vulnerability Updated (9/29/2014): PowerCLI script for checking VMWare systems.for BashBug vulnerability ShellShock webscanner Dark Reading: New BashBug vulnerabilities surface Dark Reading: Making Sense of ShellShock Chaos …

Continue reading

Disarming EMET 5

EMET version 5 has been out for only a few months and Offensive Security has identified bypass methods: INTRODUCTION In our previous Disarming Emet 4.x blog post, we demonstrated how to disarm the ROP mitigations introduced in EMET 4.x by abusing a global variable in the .data section located at a static offset. A general …

Continue reading

Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names

I wrote a lengthy post on Kerberos earlier which describes the Kerberos protocol as well as how Active Directory leverages Kerberos. There are several interesting Active Directory components useful to the pentester. The one I cover here relates to how Kerberos works, specifically Service Principal Names. As I mentioned in my Kerberos post, Service Principal Names …

Continue reading

Kerberos, Active Directory’s Secret Decoder Ring

Kerberos Overview Kerberos is a protocol with roots in MIT named after the three-headed dog, Cerberus. Named because there are 3 parties: the client, the resource server, and a 3rd party (the Key Distribution Center, KDC). Kerberos can be a difficult authentication protocol to describe, so I will attempt to simplify it as best as …

Continue reading