research categories

network

packet filtering

Packet filtering is an important skill when capturing and managing large network dumps. In this article you will learn several tools and techniques that simplify searching and extracting useful data from captured traffic. Read more.

network reconnaissance

host discovery

In this article you will learn several active and stealthy techniques used to discover even highly cloaked hosts. Read more.

port scanning

Discovering open ports on a networked system is an important reconnaissance step used to enumerate potentially vulnerable services. In this article you will learn a number of techniques used to perform fast and reliable port scans while bypassing many trivial defenses. Read more.

network attacks

denial of service

A Denial of Service (DoS) attack is designed to prevent legitimate access to a target system. This article will cover techniques used to DoS a machine or service. Read more.

network tools

writing nmap nse scripts for vulnerability scanning

The article discusses the capabilities and application of the Nmap Scripting Engine for the purpose of vulnerability scanning. By adapting the code snippets covered here, you will be able to quickly develop scripts, scan for new vulnerabilities and generate reports without waiting for mainstream scanners. Read more.

scapy

Scapy is a packet forging tool using Python as its domain specific language. It was developed by Philippe Biondi in 2003. Read more.

nmap

nmap (Network Mapper) is a network port scanner with service version and operating system detection engines. The tool was originally developed by Fyodor and published in Phrack Issue 51 in 1997. The tool is command-line driven, although a number of GUIs (e.g. Zenmap) exist. nmap runs on a variety of platforms including Linux, *BSD, Windows, and others. Read more.

hping

hping is a TCP/IP packet forging tool with embedded Tcl scripting functionality. Developed by antirez in 1998, it is now in its third release (hping3). The tool runs on all major operating systems including Linux, *BSD, and Windows. Read more.

tor

tor control protocol

tor

Tor implements a highly customizable control protocol which can be used to tune almost all aspects of its operation. In this article you will learn how to fine-tune the Tor client's operation, query runtime information, and build circuits of arbitrary length. Read more.
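The three operations named above (tuning configuration with SETCONF, querying runtime information with GETINFO, and building a multi-hop circuit with EXTENDCIRCUIT) all ride on the same line-oriented reply format, so a correct reply parser is the core of any control-port client. The client below is an added example written for this index, not code from the article; it runs offline against canned replies (the version string, traffic counter, circuit id and relay fingerprints are constructed placeholders, not real values), and the same class works against a live control port via `TorControl.connect()`.

```python
"""Minimal Tor control-port client with a reply parser; runs offline against canned replies."""
import io
import socket


class TorControl:
    """Speaks the Tor control protocol over a pair of file objects (a real socket or BytesIO)."""

    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile

    @classmethod
    def connect(cls, host="127.0.0.1", port=9051):
        sock = socket.create_connection((host, port))
        return cls(sock.makefile("rb"), sock.makefile("wb"))

    def _readline(self):
        raw = self.rfile.readline()
        if not raw:
            raise ConnectionError("control port closed")
        return raw.decode("ascii", "replace").rstrip("\r\n")

    def send(self, command):
        self.wfile.write((command + "\r\n").encode("ascii"))
        self.wfile.flush()
        return self.read_reply()

    def read_reply(self):
        """Parse one reply.  Lines are 'NNN-text' (more lines follow), 'NNN+text' (a data
        block follows, terminated by a line holding a lone '.'), or 'NNN text' (final line).
        Returns (status, [texts]); a data block is appended to its introducing text."""
        lines = []
        while True:
            line = self._readline()
            if len(line) < 4 or not line[:3].isdigit() or line[3] not in "-+ ":
                raise ValueError(f"malformed reply line: {line!r}")
            status, sep, text = int(line[:3]), line[3], line[4:]
            if sep == "+":
                data = []
                while True:
                    d = self._readline()
                    if d == ".":
                        break
                    data.append(d[1:] if d.startswith("..") else d)   # undo dot-stuffing
                text += "\n".join(data)
            lines.append(text)
            if sep == " ":
                return status, lines

    def _ok(self, command):
        status, lines = self.send(command)
        if status != 250:
            raise RuntimeError(f"{command.split()[0]} failed: {status} {lines[-1]}")
        return lines

    def authenticate(self, password):
        quoted = password.replace("\\", "\\\\").replace('"', '\\"')
        self._ok(f'AUTHENTICATE "{quoted}"')

    def setconf(self, **options):            # e.g. setconf(MaxCircuitDirtiness="60")
        self._ok("SETCONF " + " ".join(f"{k}={v}" for k, v in options.items()))

    def getinfo(self, *keys):
        out = {}
        for line in self._ok("GETINFO " + " ".join(keys))[:-1]:   # final line is "OK"
            key, _, value = line.partition("=")
            out[key] = value
        return out

    def extend_circuit(self, fingerprints):
        """Build a new circuit through the listed relays (any number of hops); returns the circuit id."""
        reply = self._ok("EXTENDCIRCUIT 0 " + ",".join(fingerprints))
        return reply[0].split()[1]           # reply text is "EXTENDED <circid>"


# Constructed placeholder fingerprints and canned replies, in the order demo() sends commands.
HOPS = ["$" + c * 40 for c in "ABC"]
CANNED_REPLIES = (
    b"250 OK\r\n"                                                   # AUTHENTICATE
    b"250 OK\r\n"                                                   # SETCONF
    b"250-version=0.4.8.10\r\n250-traffic/read=1234\r\n250 OK\r\n"  # GETINFO (two keys)
    b"250 EXTENDED 7\r\n"                                           # EXTENDCIRCUIT
    b"250+circuit-status=\r\n7 BUILT " + ",".join(HOPS).encode() + b"\r\n.\r\n250 OK\r\n"
)


def demo():
    ctl = TorControl(io.BytesIO(CANNED_REPLIES), io.BytesIO())
    ctl.authenticate("hunter2")
    ctl.setconf(MaxCircuitDirtiness="60")
    info = ctl.getinfo("version", "traffic/read")
    circ = ctl.extend_circuit(HOPS)
    status = ctl.getinfo("circuit-status")
    return info, circ, status["circuit-status"]


if __name__ == "__main__":
    print(demo())
```

The parser treats a `+` data block as part of the introducing line, which is how multi-line GETINFO values such as `circuit-status` arrive; a non-250 status (for example 515 on a bad password) surfaces as an exception rather than being silently ignored.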

cryptography tls/ssl

tls and ssl cipher suites

TLS/SSL protocols support a large number of cipher suites. A cipher suite is a named combination of the key exchange, authentication, bulk encryption and message authentication algorithms two hosts use to establish a secure session. Supported cipher suites can be classified by encryption algorithm strength, key length, key exchange and authentication mechanism. Some cipher suites offer a better level of security than others (e.g. several deliberately weakened 40-bit "export" cipher suites were created to comply with 1990s US export regulations). There are more than 200 known cipher suites. Read more.
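The classification described above can be done mechanically from the IANA suite name, since it encodes key exchange, authentication, cipher, key length and MAC in a fixed order. The classifier below is an added example for this index, not code from the article: the suite names in `SAMPLE_SUITES` are real registry names, but the list, the key-size table for ciphers whose names carry no bit count (3DES is scored at its effective 112 bits), and the strong/weak/insecure thresholds are this example's own choices.

```python
"""Classify TLS cipher suites from their IANA names: key exchange, auth, cipher strength, MAC."""

# Key sizes for ciphers whose IANA name carries no explicit bit count (assumed table).
FIXED_KEY_BITS = {"NULL": 0, "DES40": 40, "DES": 56, "3DES": 112,
                  "CHACHA20": 256, "SEED": 128, "IDEA": 128}
EPHEMERAL_KX = {"DHE", "ECDHE"}
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
FATAL = {"export-grade", "no encryption", "anonymous key exchange (no server authentication)",
         "RC4", "MD5 MAC"}

# Constructed sample list (real registry names, our selection).
SAMPLE_SUITES = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_AES_256_GCM_SHA384",
]


def classify(name):
    """Split an IANA cipher suite name into its components and grade it."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher suite name: {name}")
    body = name[4:]
    if "_WITH_" in body:                  # TLS 1.0-1.2 style: KX[_AUTH][_EXPORT]_WITH_CIPHER_MAC
        kx_part, cipher_part = body.split("_WITH_", 1)
        export = "EXPORT" in kx_part
        toks = [t for t in kx_part.split("_") if not t.startswith("EXPORT")]
        kx, auth = toks[0], toks[-1]      # a lone token (RSA, PSK) serves as both
        forward_secrecy = kx in EPHEMERAL_KX
    else:                                 # TLS 1.3 style: key exchange is always ephemeral
        cipher_part = body
        kx, auth = "ECDHE/DHE (TLS 1.3)", "certificate/PSK (TLS 1.3)"
        export, forward_secrecy = False, True
    ctoks = cipher_part.split("_")
    mac, ctoks = ctoks[-1], ctoks[:-1]    # for AEAD / TLS 1.3 the last token is the PRF hash
    cipher = ctoks[0]
    digits = [int(t) for t in ctoks if t.isdigit()]
    if digits:
        key_bits = digits[0]
    elif cipher in FIXED_KEY_BITS:
        key_bits = FIXED_KEY_BITS[cipher]
    else:
        raise ValueError(f"unknown cipher {cipher} in {name}")
    if any(t in AEAD_MODES for t in ctoks):
        mode = "AEAD"
    elif "CBC" in ctoks:
        mode = "CBC"
    elif cipher == "NULL":
        mode = "none"
    else:
        mode = "stream"

    issues = []
    if export:
        issues.append("export-grade")
    if cipher == "NULL":
        issues.append("no encryption")
    if auth == "anon":
        issues.append("anonymous key exchange (no server authentication)")
    if cipher == "RC4":
        issues.append("RC4")
    if cipher != "NULL" and key_bits < 112:
        issues.append(f"{key_bits}-bit key")
    if cipher == "3DES":
        issues.append("3DES (64-bit block, Sweet32)")
    if mac == "MD5":
        issues.append("MD5 MAC")
    if mode == "CBC":
        issues.append("CBC mode (padding-oracle history)")
    if not forward_secrecy:
        issues.append("no forward secrecy")
    if any(i in FATAL or i.endswith("-bit key") for i in issues):
        grade = "insecure"
    elif issues:
        grade = "weak"
    else:
        grade = "strong"
    return {"name": name, "kx": kx, "auth": auth, "export": export, "forward_secrecy": forward_secrecy,
            "cipher": cipher, "key_bits": key_bits, "mode": mode, "mac": mac,
            "issues": issues, "grade": grade}


def triage(names):
    """Group suite names by grade, preserving input order."""
    groups = {"strong": [], "weak": [], "insecure": []}
    for n in names:
        groups[classify(n)["grade"]].append(n)
    return groups


if __name__ == "__main__":
    for grade, suites in triage(SAMPLE_SUITES).items():
        print(grade, suites)
```

The grading deliberately flags the absence of forward secrecy and CBC mode as "weak" rather than "insecure"; tighten those thresholds to match your own policy.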

stunnel

tls, ssl

Stunnel allows a user to tunnel any TCP-based application protocol through a connection secured by TLS/SSL. Read more.

openssl

OpenSSL is an open-source TLS/SSL toolkit implemented for a variety of platforms. In this article you will learn several openssl client and server commands useful when working with the TLS/SSL protocols. Read more.

decrypting tls/ssl traffic with wireshark

Wireshark is capable of decrypting TLS/SSL traffic. This article will discuss the conditions required for decryption and walk you through the exact steps. Read more.

tls/ssl protocol

ssl, tls

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are two closely related protocols designed to protect confidentiality and integrity of data in transit between two hosts. Read more.

cryptography password cracking

automatic password rule analysis and generation

The field of password cracking has evolved by leaps and bounds over the last decade with the introduction of new cracking techniques, more advanced software and significantly faster hardware. One area which I find most fascinating is rule-based cracking. An attacker can develop a set of word mangling rules (e.g. substitute all 'a's with '@'s, upper-case every third letter, etc.) in order to attack non-random passwords which use slightly modified dictionary words. The purpose of this research is to develop an automated method of analyzing a large body of leaked passwords in order to come up with a list of frequently used base words and the rules used to turn them into passwords. Read more.
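The core of the analysis described above is the reverse of rule-based cracking: given a leaked password and a candidate base word, find the mangling rule that maps one to the other, then count which words and rules recur. The script below is an added example for this index, not the research's own code: it implements a small subset of hashcat rule syntax (`l`, `u`, `c`, `r`, `$X`, `^X`, `sXY`, `:`), searches leet substitutions, a case change and short affixes, and reports rule and base-word frequencies. The leet map, search bounds and the sample leak are this example's own constructed choices.

```python
"""Infer hashcat-style mangling rules from (dictionary word, leaked password) pairs."""
from collections import Counter
from itertools import combinations

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}   # assumed substitution set

# Constructed sample "leak" and base-word list, not real data.
SAMPLE_PASSWORDS = ["P@ssw0rd1", "Password123", "password", "1password",
                    "Summer12!", "dragon", "Dr@gon!", "qwerty"]
SAMPLE_WORDS = ["password", "summer", "dragon", "love"]


def apply_rule(word, rule):
    """Apply a minimal subset of hashcat rule syntax, left to right:
    ':' no-op, 'l' lower, 'u' upper, 'c' capitalize, 'r' reverse,
    '$X' append X, '^X' prepend X, 'sXY' replace every X with Y."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            i += 1
        elif op == "l":
            out, i = out.lower(), i + 1
        elif op == "u":
            out, i = out.upper(), i + 1
        elif op == "c":
            out, i = out[:1].upper() + out[1:].lower(), i + 1
        elif op == "r":
            out, i = out[::-1], i + 1
        elif op == "$":
            out, i = out + rule[i + 1], i + 2
        elif op == "^":
            out, i = rule[i + 1] + out, i + 2
        elif op == "s":
            out, i = out.replace(rule[i + 1], rule[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported rule op {op!r} in {rule!r}")
    return out


def infer_rule(word, password, max_affix=3):
    """Return the shortest rule (in this subset) that turns word into password, or None.
    Search order: optional leet substitutions, then an optional case change, then whatever
    prefix/suffix is left over (each at most max_affix characters)."""
    best = None
    subs = list(LEET.items())
    for n in range(len(subs) + 1):
        for chosen in combinations(subs, n):
            sub_rule = "".join(f"s{a}{b}" for a, b in chosen)
            for case_rule in ("", "l", "u", "c"):
                stem = apply_rule(word, sub_rule + case_rule)
                pos = password.find(stem)
                if pos < 0:
                    continue
                prefix, suffix = password[:pos], password[pos + len(stem):]
                if len(prefix) > max_affix or len(suffix) > max_affix:
                    continue
                rule = sub_rule + case_rule
                rule += "".join(f"^{ch}" for ch in reversed(prefix))   # prepend right-to-left
                rule += "".join(f"${ch}" for ch in suffix)
                rule = rule or ":"
                if apply_rule(word, rule) != password:
                    continue
                if best is None or len(rule) < len(best):
                    best = rule
    return best


def analyze(passwords, wordlist):
    """Explain each password as (base word, rule); count base words and rules.
    Returns (word_counter, rule_counter, unexplained_passwords)."""
    words, rules, unexplained = Counter(), Counter(), []
    for pw in passwords:
        found = None
        for w in wordlist:
            r = infer_rule(w, pw)
            if r is not None and (found is None or len(r) < len(found[1])):
                found = (w, r)
        if found:
            words[found[0]] += 1
            rules[found[1]] += 1
        else:
            unexplained.append(pw)
    return words, rules, unexplained


if __name__ == "__main__":
    words, rules, left = analyze(SAMPLE_PASSWORDS, SAMPLE_WORDS)
    print("base words:", words.most_common())
    print("rules:", rules.most_common())
    print("unexplained:", left)
```

The rule strings produced (`sa@so0c$1`, `c$1$2$3`, `^1`, ...) are directly usable in a hashcat or John rules file; on a real leak you would sort the rule counter and keep the head of the distribution, which is exactly the "frequently used rules" output the research aims for.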

john the ripper

John the Ripper is a multi-platform password cracking tool. Read more.

telephony

telephony tones

This article lists known tones that occur on the telephone line. Tones include the ones generated by the phone company, consumer products (e.g. answering machines, faxes, etc.), dialup services, etc. Read more.

oracle

oracle authentication

The Oracle authentication process requires a user to supply a valid username, password, database hostname, and instance name (SID). Read more.

oracle default ports

Oracle Database is a complex system requiring a large number of services running on a single system. This article attempts to enumerate common Oracle services and associated network ports found on live systems. Read more.

oracle tns protocol

Oracle's proprietary TNS (Transparent Network Substrate) protocol is used to interact with Oracle's RDBMS. In this article you will learn about different TNS packet types and their structure. Read more.

oracle database commands

A reference list of useful Oracle SQL and PL/SQL commands. Read more.

oracle rdbms

Oracle Database is an object-relational database management system (ORDBMS), a complex system for the storage and retrieval of relational data. In this article you will learn the basic architecture of Oracle Database as well as common attacks against it. Read more.

oracle tns listener

The Oracle TNS Listener is the main network entry point to the database. It abstracts the host's transport protocols so that Oracle's higher-level session protocols can function across multiple platforms. This article covers the different commands used to interact with the TNS Listener as well as common attacks against it. Read more.

exploitation windows

corelan - integer overflows - exercise solution

A solution to the exercise in the Corelan article Root Cause Analysis - Integer Overflows on exploiting integer and heap overflows. The solution illustrates massaging the heap into a vulnerable state by corrupting the Windows front-end allocator and finally exploiting it to gain arbitrary code execution. Read more.

heap overflows for humans - 102 - exercise solution

Heap Overflows For Humans is a series of articles by Steven Seeley that explore heap exploitation on Windows. In this article I will go over the exact reasoning and exploitation steps for an exercise created by Steven in the second article of the series. Read more.

open security training - introductory x86 - buffer overflow mystery box

A walkthrough for the Mystery Box Buffer Overflow challenge in the Open Security Training - Introductory x86 class. Read more.

corelan - tutorial 10 - exercise solution

A solution to an exercise in Corelan Tutorial 10 on writing DEP and ASLR bypassing exploits. The solution illustrates grabbing a leaked kernel32 address from memory, calculating the offset to VirtualProtect() and finally setting up a ROP chain to make the memory location holding the shellcode executable. Read more.

corelan - tutorial 9 - exercise solution

A solution to a small exercise in Corelan's Tutorial 9 on writing Windows 32-bit shellcode. The solution illustrates some techniques in removing null-bytes from a sample shellcode as well as a few tricks to keep the shellcode modular and easy to modify. Read more.

corelan - tutorial 7 - exercise solution

A solution to the AIMP2 exercise at the end of the Exploit Writing Tutorial Part 7 by Corelan Team. The solution illustrates exploitation of a Unicode-aware application using Venetian shellcoding techniques. Read more.

getting from seh to nseh

A collection of techniques for Windows SEH exploitation. Specifically, the article covers methods for reliable exploit development by getting from a successfully overwritten pointer to the Exception Handler (SEH) to the pointer to the Next Exception Handler (NSEH) field of the same record. Read more.

corelan - tutorial 3b - exercise solution

A solution to the MP3 Studio exercise at the end of the Exploit Writing Tutorial Part 3b by Corelan Team. The solution illustrates a sample buffer overflow exploitation of a Windows application. Read more.

exploitation linux

exploit exercises - protostar - final levels

Exploit Exercises' Protostar wargame includes a number of carefully prepared exercises to help hone your basic exploitation skills. The final portion of the wargame combines Stack, Format String, Heap, and Network exploitation techniques into three excellent challenges to help solidify knowledge gained from previous exercises. Read more.

exploit exercises - protostar - network levels

Exploit Exercises' Protostar wargame includes a number of carefully prepared exercises to help hone your basic exploitation skills. In this walkthrough I will go over the network exploitation portion of the wargame. Read more.

exploit exercises - protostar - heap levels

Exploit Exercises' Protostar wargame includes a number of carefully prepared exercises to help hone your basic exploitation skills. In this walkthrough I will go over the heap exploitation portion of the wargame. Read more.

exploit exercises - protostar - format string levels

Exploit Exercises' Protostar wargame includes a number of carefully prepared exercises to help hone your basic exploitation skills. In this walkthrough I will go over the format string exploitation portion of the wargame. Read more.

exploit exercises - protostar - stack levels

Exploit Exercises' Protostar wargame includes a number of carefully prepared exercises to help hone your basic exploitation skills. In this walkthrough I will go over the stack exploitation portion of the wargame. Read more.

open security training - introduction to software exploits - uninitialized variable overflow

Open Security Training's Introduction to Software Exploits course has a number of vulnerability examples designed to illustrate unconventional exploitation techniques. One such example is an uninitialized variable which, under the right conditions, becomes exploitable. The following walkthrough goes into the exact exploitation steps for this class of vulnerabilities. Read more.

open security training - introduction to software exploits - off-by-one

A walkthrough for the Off-by-One exploit in the Open Security Training - Introduction to Software Exploits class. Read more.

reversing crackme

open security training - introduction to re - bomb lab secret phase

A walkthrough for the Secret Phase of the Bomb Lab covered in Open Security Training's Introduction to Reverse Engineering class. Read more.

nlxx crackme solution

Crackmes.de has a nice collection of crackmes, fun and educational challenges useful for honing your reversing skills. Looking at the latest submissions section, there was a recently published crackme by nlxx rated at difficulty 2. In this guide I will go over the static analysis based solution to this crackme and explain how to write a key generator. Read more.
