FTimes 3.11.0 Released
Version 3.11.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release introduces file hooks...
CISO's Corner: Password Cracking Best Practices and Myths
Despite repeated breaches of password repositories, most recently the rumored cause of the Apple iCloud celebrity image theft, password-based authentication remains the norm for most users even though...
Vuln Analysis: Classic write-what-where in XP's BthPan
Recently, we came across the BthPan.sys driver while researching Microsoft's Bluetooth implementation within 32-bit Windows XP (SP3), and after conducting a number of fuzzing tests, we discovered that...
Password Security Research Featured in the Huffington Post
Check out the recent Huffington Post article The Big Password Mistake That Hackers Are Hoping You'll Make by Jeff Fox that talks about the need to "avoid a little-known mistake recently uncovered by...
im in ur scm, bein a ninja
A few months ago I posted a high-level overview of some source code repository tampering risks. The other day I presented a much deeper dive at BSides DC, with examples of multiple ways to manipulate...
VMware: "It's not a vulnerability, mmkkkayyy"
During a recent review of the VMWare Workstation application, I discovered a method that allows any member of the __vmware__ group to extract arbitrary sections of kernel memory. When you consider the...
Using Windows Resource Language Codes for Attribution
Since news of the Sony hack...
Brain Bleeding JavaScript Obfuscation
Giles 3.0.0 Released
The Giles production rule system compiler has just been released! It is available for download here. Production rule systems (or "engines" in Giles parlance) are tools that are commonly used to...
Windows 2003 Privilege Escalation via tcpip.sys
In my post for today, I will be discussing a vulnerability that I found within the TCP/IP driver as implemented by Microsoft within their Windows 2003 Operating System with Service Pack 2 installed...
SSD Storage - Ignorance of Technology is No Excuse
Digital evidence storage for legal matters is a common practice. As the use of Solid State Drives (SSD) in consumer and enterprise computers has increased, so too has the number of SSDs in storage...
MASTIFF Online Free 1.0.0 Released
KoreLogic is pleased to announce the release of MASTIFF Online, a web interface into the open source MASTIFF static analysis framework. With this free online tool, anyone can upload files to be...
What Did CCleaner Wipe?
The use of CCleaner is encountered at times during forensic investigations of computer systems. It has been labeled an "anti-forensics" tool as it has a secure deletion mode where it can overwrite...
One Month of MASTIFF Online!
It has been exactly one month since MASTIFF Online was opened, and to celebrate, we have released the next stable version of MASTIFF! Version 0.7.1 includes a large number of bug fixes, as well as some...
The WebJob Framework: An Endpoint Security Solution
The WebJob framework is a next generation endpoint security solution that, from a centralized management location, can execute virtually any program on an arbitrary number of end systems at any time....
MASTIFF Online Updated to Add pyOLEScanner
The MASTIFF Online site was updated on 2015-06-05 which included the following: Enabled pyOLEScanner version 1.2 tool as part of processing samples. pyOLEScanner is a Python-based script written by...
Giles at Black Hat and in the ISSA Journal
The Giles production rule system compiler (which we described here) has gotten some good press lately! An article describing Giles and its use has been published in the June 2015 issue of The ISSA...
Hacking Team Documents Claim BIOS-based Persistence
A search through the online mirror of the information stolen from Hacking Team shows indications that a BIOS-based infection capability was developed as part of the Remote Control System software. This...
LibPathWell 0.6.1 Released
I am thrilled to announce the first public release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement. Version 0.6.1 is...
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #1 - #4
During Black Hat, Ron Tokazowski of phishme.com put together a Yara Capture The Flag (CTF) contest for Black Hat 2015. This CTF consisted of 11 logic and Yara-based puzzles that participants had to...
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #5 - #8
Previously, I posted how I solved puzzles #1-#4 of the Yara CTF for Black Hat 2015, sponsored by phishme.com. In this post, I'll go into how I solved puzzles #5-#8. As noted before, the puzzles are...
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #9 - #11
So far I've discussed how puzzles #1-#4 and puzzles #5-#8 in the Yara CTF for Black Hat 2015 contest were solved. In this post, I'll go over the final three puzzles. As noted before, the puzzles are...
MASTIFF Output Plug-ins
MASTIFF...
LibPathWell 0.6.3 Released
I am pleased to announce that a new release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement is now available for download...
Q: Can I have your password? A: Yes you can.
Hello folks, welcome to the first of a four part blog mini-series on firmware and embedded devices. My name is Matt Bergin and I'll be guiding you through the series. We plan to release each part of...
Unplugging An IoT Device From The Cloud
Hello again and welcome back. This is part two in our four-part series on firmware and embedded devices. Today, I will be discussing home automation and the Internet of Things (IoT). More...
The importance of access to firmware files
Welcome to the third part of our series! Today I hope to spark a conversation amongst the readers about an important topic in a world filled with IoT: access to device firmware. And not just (at best)...
Hacking an Arris Cablemodem
Welcome to part four in our four part series on firmware and embedded devices. In our final part, we will discuss a remote root vulnerability in a popular cable modem. A while ago, we were shown the...
Update on Crack Me If You Can - DEFCON 2016
The @CrackMeIfYouCan team at KoreLogic has had a lot of questions about this year's DEFCON Crack Me If You Can (CMIYC) contest ... The short answer is, we are not doing a CMIYC this year at DEFCON....
LinkedIn Revisited - Full 2012 Hash Dump Analysis
As you may know, a "full" dump of email addresses and password hashes for the Linkedin.com attack that occurred in 2012 has become available. Here at KoreLogic, we got our hands on the list of emails...
Cracking Grid — Essential Attributes
Here at KoreLogic, we are constantly cracking passwords — it's just one of the things we do. While we haven't made a concerted effort to track it, I'd venture to say that cracking for us is pretty...
Nothing To See Here, Move Along
Vendors often have interesting ways to facilitate support for their appliances. Today, I'll discuss a few ways we have seen it implemented: one that is vulnerable to exploitation and others that...
Virtual Appliance Spelunking
Hello again and welcome back. Today I want to talk about a Sunday I spent reversing the Cisco Firepower Management Console virtual appliance that resulted in multiple CVEs being issued. The tricks I...
New LibPathWell Release, and an Updated Talk
A couple of weeks ago we released a PathWell update, version 0.7.0, available here. I had the pleasure of giving a talk about it at RMISC yesterday that highlighted the new features; the slides are...
FTimes 3.12.0 Released
Version 3.12.0 is a minor release of FTimes. Basically, the various changes, enhancements, additions, and bug fixes that have accumulated over the past few years reached critical mass. Some of the...
Building FTimes With Perl
This is the first in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Perl interpreter. In so doing, FTimes...
Building FTimes With Python3
This is the next part in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Python interpreter. In so doing,...
Password Audits – Focus on the Admins
Have you considered adding periodic password audits to your corporate security plan? Compared to the cost of a security breach or standard pentest, periodic password audits are relatively inexpensive...
Unpatched Fringe Infrastructure Bits
Typically during internal network penetration tests, pentesters come across many different types of devices. Much of the focus is likely on the Windows/UNIX-like systems and critical infrastructure...
FTimes 3.12.0 Released
Version 3.13.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. The most significant changes in...
Callback Functions in Malware
Recently, KoreLogic examined...
Repository Tampering: What You Don't Know Can Hurt You
Consider this security scenario: Attackers gain access to developer or sysadmin accounts. They find and target the revision control system that is used to manage system configurations, internal code,...
KLogTail 1.2.0 Released
Version 1.2.0 is a minor release of KLogTail. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed; all warning and error messages have been enhanced to facilitate...
Building FTimes With Lua
This is the next part in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Lua interpreter. In so doing,...
FTimes, KLEL, and File Hooks
This is another blog post in the FTimes series showcasing various aspects and controls that can be utilized within the FTimes framework. This blog post will focus on using file hooks, a feature that...
Cellebrite Good Times, Come On: Reverse-Engineering Phone Forensics Tools
How can vulnerabilities in technologies used by our judicial system affect the outcome of cases brought to the courts? The Universal Forensic Extraction Device (UFED) from Cellebrite is used by...
WePresent... vulnerabilities!
This blog post describes an exploit chain to go from a completely unauthenticated attacker to a root shell on a WePresent WiPG-1600. The device was running firmware version 2.5.1.8, which was the...
WMkick - MITM MS-RPC, WMI, WinRM to Capture NetNTLMv2 Hashes
WMkick is a tool we recently released to MITM and capture NetNTLMv2 hashes for some protocols not (yet?) supported by other tools like Responder, such as WMI access to MS-RPC (135/tcp) and PowerShell...
2024: What KoreLogic Has Been Up To
It's been a busy year! This year we: Hosted the 14th annual Crack Me If You Can (CMIYC) contest at DEF CON as well as sponsored and staffed the Password Village. Led the planning and delivery of...
CyberConVA 2025!
Looking for an innovative cybersecurity conference? Consider CyberConVA 2025! Reasons to attend: Build your network: In its 3rd year, CyberConVA will bring together an estimated 500+ cybersecurity...