NCC Group Publication Archive

Exploiting CVE-2014-0282

This whitepaper details the vulnerability and examines some of the concepts needed for browser exploitation before describing how to construct a working exploit that exits gracefully.
Download Whitepaper: cve-2014-0282.pdf
Authored by Katy Winterborn

Technical Advisory: Command Injection

Vendor: Kinetica
Vendor URL: https://www.kinetica.com/
Versions affected: 7.0.9.2.20191118151947
Systems Affected: All
Author: Gary Swales Gary.Swales@nccgroup.com
Advisory URL / CVE Identifier: CVE-2020-8429
Risk: High (Command Injection on the underlying operating system)
Summary
The Kinetica Admin web application version 7.0.9.2.20191118151947 did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited…

Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients

Vendor: Sumpple
Vendor URL: http://www.sumpple.com
Versions affected: S610 firmware 9063.SUMPPLE.7601 - 9067.SUMPPLE.7601; Sumpple IP Cam Android V1.1.33 – V1.11; IOS 1.51.5986 (Previous versions are also likely to be affected)
Systems Affected: Sumpple S610 WiFi Wireless PTZ Outdoor Security Video Network IP Camera; Sumpple IP Cam Android and IOS mobile application.
Author: Sebastian Parker-Fitch (@scorpioitsec)
Advisory…

Security impact of IoT on the Enterprise

We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network either wired or wirelessly. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise…

An Introduction to Ultrasound Security Research

Over the past few years there has been an increase in the use of sound as a communications channel for device-to-device communications. This practice has been termed Data-Over-Sound (DOS) and has been billed as a cheap and easy to use alternative to traditional communications protocols such as Wi-Fi and Bluetooth.…

An Introduction to Quantum Computing for Security Professionals

Quantum computing is still in its infancy but is expected to cause major changes to the technology landscape in coming years. Its ability to massively reduce the time taken for processes normally requiring large amounts of processing power is already causing concerns about the future of cryptography and the resistance…

Technical Advisory: Unauthenticated SQL Injection in Lansweeper

Vendor: Lansweeper
Vendor URL: https://www.lansweeper.com/
Versions affected: prior to 7.1.117.4
Systems Affected: Lansweeper application
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://www.lansweeper.com/changelog/ - CVE-2019-13462
Risk: Critical when MSSQL database is in use (not default)
Summary
The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the…

Jenkins Plugins and Core Technical Summary Advisory

15 Security Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability
118 CVEs, 1 CVE pending, 10 issues with no CVE requested
About the Vulnerabilities
NCC Group Security Consultant Viktor Gazdag has identified 128 security vulnerabilities across Jenkins plugins and one within the Jenkins core with the following distribution: Credentials stored…

Technical Advisory: Multiple Vulnerabilities in Ricoh Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers. The following vulnerabilities were found to affect some Ricoh printers:
Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300)
Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307)
Buffer Overflow Parsing LPD Packets (CVE-2019-14308)
No…

Technical Advisory: Multiple Vulnerabilities in Brother Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers. The following vulnerabilities were found to affect several Brother printers:
Stack Buffer Overflow in Cookie Values (CVE-2019-13193)
Heap Overflow in IPP Attribute Name (CVE-2019-13192)
Information Disclosure Vulnerability (CVE-2019-13194)
Technical Advisories:
Stack Buffer Overflow…

Technical Advisory: Multiple Vulnerabilities in Xerox Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers. The following vulnerabilities were found to affect several Xerox printers:
Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171)
Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168)
Multiple Buffer Overflows in Web Server (CVE-2019-13169,…

Technical Advisory: Multiple Vulnerabilities in Kyocera Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers. The following vulnerabilities were found to affect several Kyocera printers:
Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206)
Multiple Buffer Overflows in IPP Service (CVE-2019-13204)
Buffer Overflow in LPD Service…

Technical Advisory: Multiple Vulnerabilities in HP Printers

Multiple vulnerabilities, ranging from Cross-Site Scripting to buffer overflows, were found in several HP printers:
Multiple Buffer Overflows in IPP Service (CVE-2019-6327)
Buffer Overflow in Web Server (CVE-2019-6326)
Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324)
Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)
Technical Advisories:
Multiple Buffer Overflows in IPP Service (CVE-2019-6327)
Vendor:…

Technical Advisory: Multiple Vulnerabilities in Lexmark Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers. The following vulnerabilities were found to affect several Lexmark printers:
SNMP Denial of Service Vulnerability (CVE-2019-9931)
Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)
Information Disclosure Vulnerability…

Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation

Vendor: Intel
Vendor URL: http://www.intel.com/
Versions affected: Intel Driver Support Assistance prior to version 19.4.18
Systems Affected: Microsoft Windows
Author: Richard Warren <richard.warren[at]nccgroup[dot]com>
Advisory URL / CVE Identifier: CVE-2019-11114.
Risk: Medium
Summary
This vulnerability allows a low privileged user to escalate their privileges to SYSTEM.
Location
Intel Driver Support Assistance – DSAService (DSACore.dll)
Impact
Upon successful…

Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability

Vendor: Citrix
Vendor URL: http://www.citrix.com/
Versions affected: Citrix Workspace App versions prior to 1904 and Receiver for Windows versions prior to LTSR 4.9 CU6 version 4.9.6001
Systems Affected: Microsoft Windows
Author: Ollie Whitehouse <ollie.whitehouse[at]nccgroup[dot]com>, Richard Warren <richard.warren[at]nccgroup[dot]com>, Martin Hill <martin.hill[at]nccgroup[dot]com>
Advisory URL / CVE Identifier: CVE-2019-11634.
Risk: Critical
Summary
The Citrix Workspace / Receiver client suffers…

Cyber Security in UK Agriculture

This whitepaper addresses the cyber security threat to agriculture and the wider food network. The perspective and primary focus is the United Kingdom but the majority of observations on the structure of markets, technologies and related issues are largely applicable to other countries. Furthermore, some of the recommended actions identified in…

NCC Group Connected Health Whitepaper July 2019

Connected Health is a rapidly growing area with huge innovative possibilities and potential. This is mostly due to the uptake of digital technologies in the health and medical fields that support diagnosis, treatment and management of health conditions. It is however crucially important that security of Connected Health products, systems…

Technical Advisory: Multiple Vulnerabilities in SmarterMail

Vendor: SmarterTools
Vendor URL: https://www.smartertools.com/
Versions affected: prior to Build 6985 (CVE-2019-7214), prior to Build 7040 (CVE-2019-7211, CVE-2019-7212, CVE-2019-7213)
Systems Affected: SmarterMail
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: CVE-2019-7214, CVE-2019-7213, CVE-2019-7212, CVE-2019-7211 https://www.smartertools.com/smartermail/release-notes/current
Risk: Critical and High
Summary
The SmarterMail application is a popular mail server with rich features for normal…

Technical Advisory: Multiple Vulnerabilities in MailEnable

Vendor: MailEnable
Vendor URL: https://www.mailenable.com/
Versions affected: versions before 10.24, 9.83, 8.64, 7.62, 6.90 (20th June 2019)
Systems Affected: tested on Enterprise Premium but all versions have been patched
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: CVE-2019-12923, CVE-2019-12924, CVE-2019-12925, CVE-2019-12926, CVE-2019-12927 http://www.mailenable.com/Premium-ReleaseNotes.txt http://www.mailenable.com/Premium-ReleaseNotes9.txt http://www.mailenable.com/Premium-ReleaseNotes8.txt http://www.mailenable.com/Premium-ReleaseNotes7.txt http://www.mailenable.com/Premium-ReleaseNotes6.txt
Risk: Critical, High, Medium
Summary
The MailEnable…

Assessing Unikernel Security

Abstract
Unikernels are small, specialized, single-address-space machine images constructed by treating component applications and drivers like libraries and compiling them, along with a kernel and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than…

Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability

Vendor: Avaya
Vendor URL: https://www.avaya.com/
Versions affected: 10.0 through 10.1 SP3, 11.0
Systems Affected: Avaya IP Office
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]com
Advisory URL: https://downloads.avaya.com/css/P8/documents/101054317
Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614
Risk: Medium
Summary
The One-X Web Portal was vulnerable to multiple persistent or stored cross-site scripting (XSS) vulnerabilities. This occurs when JavaScript or HTML code entered as…

Zcash Overwinter Consensus and Sapling Cryptography Review

Executive Summary
In the spring of 2018, The Zerocoin Electric Coin Company engaged NCC Group to perform a two-pronged review of recent changes to the Zcash cryptocurrency. The first prong focused on updates to the Overwinter consensus code, such as architectural changes facilitating future network upgrades, and new features, such as transaction expiry. The second prong…

Xendbg: A Full-Featured Debugger for the Xen Hypervisor

xendbg is a full-featured debugger for both HVM and PV Xen guests. It can act as a stub server for LLDB, allowing users to do their work in a familiar environment, and also provides a standalone REPL with all the standard comfort features of popular debuggers: contextual tab-completion, expressions, and variables.…

Use of Deserialisation in .NET Framework Methods and Classes

These days it is quite common to see a deserialisation flaw in a product. Although awareness around finding and exploiting this type of vulnerability is out there for security researchers, developers can still struggle with securing their code especially when they are not fully aware of dangerous methods and functionalities…

Nine years of bugs at NCC Group

As part of our vulnerability research work at NCC Group we find many vulnerabilities (bugs) in commercial products and systems and for the past nine years we have kept a detailed internal log of these bugs. In this whitepaper prepared by Matt Lewis, Research Director at NCC Group, we…

The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations

In this whitepaper*, nine different implementations of TLS were tested against cache attacks and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS. The cat remains alive, with two lives left thanks to BearSSL (developed by NCC Group’s Thomas Pornin) and Google’s BoringSSL. The issues were disclosed back in August, and the teams…

Third party assurance

Third parties can provide an invaluable resource and service for your organisation. But how far should you go when validating a third party supplier? What does the third party need to be validated against? How can you be confident that the validation process is effective? Is the validating process detrimental…

Public cloud

Whenever an outage on one of these cloud providers occurs, or a data breach of information held by them, the immediate press coverage starts asking whether they really are as secure and reliable as traditionally managed servers. This whitepaper provides an overview of public cloud services and the steps to…

Android Cloud Backup/Restore

In the summer of 2018, Google engaged NCC Group to conduct a security assessment of the Android Cloud Backup/Restore feature, which premiered in Android Pie. This engagement focused on a threat model that included attacks by rogue Google employees (or other malicious insiders) with privileges up to and including root-in-production. The Android…

Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook

Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Systems Affected: Microsoft Outlook
Author: Soroush Dalili
CVE Identifiers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8572, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11927
Risk: Medium – Possible SMB Hash Hijacking or User Tracking
Summary
Microsoft Outlook could be abused to send SMB handshakes externally after a victim opens or simply views an email. A WebDAV request was sent even when the SMB…

Technical Advisory: Authentication Bypass in libSSH

Vendor: libSSH
Vendor URL: https://www.libssh.org/
Versions affected: Versions of libSSH 0.6 and above, prior to 0.7.6 or 0.8.4.
Author: Peter Winter-Smith peter.winter-smith[at]nccgroup.com
Advisory URL / CVE Identifier: CVE-2018-10933 - https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Risk: Critical – Authentication Bypass
Summary
libSSH is a library written in C which implements the SSH protocol and can be used to implement both…

Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint

Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: .NET Framework before July 2018 patch
Systems Affected: .NET Framework Workflow library
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8284
Risk: Critical
Summary
In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…

Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw

Vendor: Mitel
Vendor URL: https://www.mitel.com
Versions affected: 5330e IP Phone
Systems Affected: Mitel MiVoice
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust
Advisory URL: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009
CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15497
Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution
Summary
The Mitel MiVoice 5330e VoIP device is affected by a memory corruption…

Singularity of Origin

Singularity of Origin is a robust and easy-to-use tool to perform DNS rebinding attacks. It consists of a DNS and a web server, a web interface to configure and launch an attack, and sample attack payloads. We plan to support this tool and continue to add features and payloads. Singularity…

Proxy Re-Encryption Protocol: IronCore Public Report

From February 26 to March 18, 2018, IronCore Labs engaged NCC Group’s Cryptographic Services Practice to perform a review of their proxy re-encryption protocol and implementation. IronCore’s Proxy re-encryption scheme allows delegation of decryption rights from one entity to another without sharing private keys. IronCore uses this to delegate access…

Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data

Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: .NET Framework before September 2018 patch
Systems Affected: .NET Framework Workflow library
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8421
Risk: Critical
Summary
In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…

Jackson Deserialization Vulnerabilities

Author: Robert C. Seacord
The Jackson JSON processor offers an alternative to Java serialization by providing data binding capabilities to serialize Java objects to JSON and deserialize JSON back to Java objects. Poorly written Java code that deserializes JSON strings from untrusted sources can be vulnerable to a range of…

The disadvantages of a blacklist-based approach to input validation

It’s not uncommon to find websites that attempt to validate user input and block code injection attacks using a blacklist of dangerous characters or keywords. Superficially, this might seem like a common-sense way to protect a website with minimum effort but it can prove to be extremely difficult to comprehensively…

Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0

Vendor: Virgin Media
Vendor URL: https://www.virginmedia.com/
Versions affected: products before Aug 2018 rollout / 9.1.116V and 9.1.885J
Systems Affected: Hub 3.0
Author: Balazs Bucsay (@xoreipeip)
Advisory URL / CVE Identifier: None
Risk: Critical
Summary
Multiple security vulnerabilities were found in the device’s firmware that could be chained and led to unauthenticated remote command execution.
Location
Multiple…

Ethics in Security Testing

This paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community. Sources of conflict and shared values of the two are discussed in order to find some reconciliation and come to an understanding of how a shared set of ethics…

Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications

It has been known for a while that deserialisation of untrusted data can often lead to serious security issues such as code execution. However, finding such issues might not be a trivial task during time-limited penetration testing. As a result, NCC Group has developed a Burp Suite extension called Freddy [1]…

Sobelow Update

Sobelow, released in 2017, is the first security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Over the last…

House

House is an open source web application that simplifies the testing process with Frida. With House, security researchers can easily generate Frida scripts to perform various tasks including enumeration, function hooking and intercepting. It also provides an easy-to-use web UI for researchers to generate, customise, and manage their Frida scripts. House…

Principal Mapper (pmapper)

How can we quickly identify which users and roles have access to a given action (and resource) in an AWS account? Erik Steringer built the Principal Mapper (pmapper) as the answer to that question. It uses the existing simulator APIs to determine which users and roles have access to each…

Return of the hidden number problem

Abstract
Side channels have long been recognised as a threat to the security of cryptographic applications. Implementations can unintentionally leak secret information through many channels, such as microarchitectural state changes in processors, changes in power consumption, or electromagnetic radiation. As a result of these threats, many implementations have been hardened to defend against these…

Technical advisory: “ROHNP”- key extraction side channel in multiple crypto libraries

Vendors affected: Multiple
Versions affected: Multiple
Author: Keegan Ryan <keegan.ryan[at]nccgroup[dot]trust> <@inf_0_>
Advisory URL / CVE Identifier: CVE-2018-0495
Risk: Medium (Key disclosure is possible, but only through certain side channels)
Summary
We have discovered an implementation flaw in multiple cryptographic libraries that allows a side-channel based attacker to recover ECDSA or…

Mallory and Me: Setting up a Mobile Mallory Gateway

Over the past few months, we have put Mallory through its paces. Scores of mobile applications have had their network streams MiTMd by Mallory. It has become one of a few important tools that we use on a daily basis. Because we use it so often, we sometimes forget that it may seem…

Mallory: Transparent TCP and UDP Proxy

Welcome to the home of Mallory! Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend. You are probably here to get Mallory up…

CyberVillainsCA

The CyberVillainsCA is a small Java library for on-the-fly generation, duplication and substitution of X.509 certificates. It is intended for use in building or extending security testing tools, for example, WebScarab (example included).
Generates a Certification Authority certificate for importation as a Trusted Root
Automatically generates standard SSL server certificates…

DECTbeacon

DECTbeacon is a war driving application for DECT that includes support for GPS tracking of DECT fixed points. DECTbeacon can augment a wireless security assessment by detecting the presence and location of DECT fixed points, which may then be analyzed further to determine points of vulnerability, including gaps in…

Fuzzbox

Fuzzbox is a multi-codec media fuzzer.
Prerequisites: Python, py-vorbis 1.4, mutagen 1.11

Gizmo

Gizmo is a graphical web proxy written in Java. It is designed to be speedy, with the user interface centered around keyboard use. It should do what you want, and then get out of your way.
Pre-Requisites: Java 1.6
Download Gizmo from Google Code.

Intent Sniffer

Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is a description of an action to be performed, such as startService to start a service. The Intent Sniffer tool monitors broadcast Intents routed at runtime.…

HTTP Profiler

HTTP Profiler is a simple program that summarizes packet traces of HTTP traffic, to highlight performance problems caused by excessive network traffic. Many web sites and applications cost more than they should, due to unoptimized network behavior. The original goal of httprof was to help people understand that, of all the…

Intent Fuzzer

Intent Fuzzer is a tool that can be used on any device using the Google Android operating system (OS). Intent Fuzzer is exactly what it seems, which is a fuzzer. It often finds bugs that cause the system to crash or performance issues on the device. The tool can either…

iSEC Partners Releases SSLyze

Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have…

Jailbreak

Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.
Prerequisites: Win32
Please…

Package Play

Package Play is a tool that can be used on any device using the Google Android operating system (OS). Package Play shows the user all installed packages on the mobile device. This helps the user in the following ways:
Easy way to start exported Activities
Shows defined and used permissions…

Manifest Explorer

Manifest Explorer is a tool that can be used on any device using the Google Android operating system (OS). On Android, every application must have an AndroidManifest.xml file in its root directory. The AndroidManifest.xml file does a few things, all of which are explained here. From a security perspective, the file is…

ProxMon

ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression…

pySimReader

This is a modified version of Todd Whiteman’s PySimReader code. This modified version allows users to write out arbitrary raw SMS PDUs to a SIM card. Additionally, debugging output has been added to allow the user to view all APDUs that are sent between the SIM card and PySimReader. Usage:#…

SAML Pummel

SAML Pummel is a BeanShell plug-in for WebScarab. It automates eight different injection attacks to assist in auditing the implementation of SAML 2.0 single sign-on systems.
C14N Entity Expansion
C14N Transforms
Remote DTD
Remote KeyInfo RetrievalMethod
Remote KeyInfo WSSE Security Token Reference
SignedInfo Remote Reference
XSLT Transform URL Retrieval (Xalan)…

SecureBigIP

SecureBigIP is a command line tool to analyze the management security aspects of a F5 Big IP Load Balancer.
Prerequisites: Win32

SecureCisco

SecureCisco is a product that analyzes several security settings of a Cisco Router. SecureCisco’s analyzer includes over 25 checks for security. Additionally, for each finding, SecureCisco will provide a detailed recommendation with the exact syntax to mitigate any insecure security setting. The product is able to evaluate both global security…

SecureCookies

SecureCookies is a tool to evaluate whether a given URL is utilizing the security options in the cookie.
Prerequisites: Win32

SecureIE.ActiveX

SecureIE.ActiveX is a tool to evaluate the ActiveX security settings on Internet Explorer.
Prerequisites: Win32

WebRATS

WebRATS is an homage to RATS, a tool to scan code and flag the use of dangerous APIs, identified hazards, and provide secure coding alternatives (RATS was originally created by Secure Software). WebRATS is intended for today’s web-enabled, distributed development methodologies. It was designed to integrate transparently into ordinary code…

AWS Inventory: A tool for mapping AWS resources

Overview
AWS Inventory is a tool that scans an AWS account looking for AWS resources. There are constantly new services being added to AWS and existing ones are being expanded upon with new features. This ecosystem allows users to piece together many different services to form a customized cloud experience.…

Extractor

Extractor is a Burp Suite tool that allows users to define one or more decode steps and automatically apply them to all requests and responses. Users can then alter the decoded payload to have it properly re-encoded and injected back into the request. (This applies to modifiable requests, such as in…

CMakerer: A small tool to aid CLion’s indexing

CMakerer is a small open source tool that was created to deal with the problem of tricky-to-load C/C++ codebases. CMakerer scans for C/C++ files and parses their #include directives to identify potential include paths. It then generates a CMakeLists.txt file for the entire codebase. While such files will not likely…

Windows IPC Fuzzing Tools

This is a collection of tools used to attack applications that use Windows Interprocess Communication mechanisms. This package includes tools to intercept and fuzz named pipes, as well as a shared memory section fuzzer.
Prerequisites: Windows, Python

WSBang

WSBang is a Python-based tool used to perform automated security testing of SOAP based web services.
Takes URL of WSDL as input
Fuzzes all methods and parameters in the service
Identifies all methods and parameters, including complex parameters
Fuzzes parameters based on type specified in WSDL
Reports SOAP responses and…

WSMap

WSMap is a Python-based tool that helps penetration testers find web service endpoints and discovery files.
Parses WebScarab logs to find testing targets
Tests URLs and implies URLs found in log
Tests for WSDL and DISCO web service discovery formats
Prerequisites: WebScarab, Python 2.4, pyCurl

Nerve

Nerve is a cross platform scriptable debugger built using our Ragweed library. Nerve consumes your breakpoint configuration files and then executes the ruby scripts you specify as debugger events occur. Nerve scripts have been used to implement hit tracers, in memory fuzzers and code coverage tools. You can find detailed documentation on…

Ragweed

Ragweed is our native code debugging library written in Ruby. It runs on Win32, OSX and Linux. That’s right, we implemented a native code debugger from the ground up using nothing but Ruby and FFI. You read that right, no 3rd party dependencies! Ragweed can be used to build powerful…

Kivlad

Kivlad is a decompiler for Android’s Dalvik binaries, with a highly customizable web-based navigation interface. Unlike existing decompilers for Dalvik, it works natively on Dalvik bytecode rather than converting back to Java bytecode; this means much higher quality results. Also unlike other tools having a static GUI, it takes in…

File Fuzzers

These tools are useful for testing any program which processes binary file inputs such as archivers and image file viewers.
FileP is a Python-based file fuzzer. It generates mutated files from a list of source files and feeds them to an external program in batches. Prerequisites: Python 2.4
FileH is a Haskell-based…

Android SSL Bypass

Android SSL Bypass is an Android debugging tool that can be used for bypassing SSL verification on network connections, even when certificate pinning is implemented – as well as other debugging tasks. It runs as an interactive console. The tool is based on a scriptable JDWP debugger using the JDI…

Hiccupy

Hiccupy is a Jython binding for the PortSwigger Burp Suite’s BurpExtender interface. It is intended to facilitate realtime traffic analysis and modification of plain text protocols using simple plugins. The tool hooks BurpExtender::processProxyMessage and executes plugin modules on both requests and responses. Plugins are written in Python and can be…

Read more

iOS SSL Killswitch

When performing a black box assessment of an iOS App, one of the main tasks of the tester is to intercept the application’s network communications using a proxy. This gives the tester the ability to see what is happening behind the scenes and how the application and the server communicate…

Read more

The SSL Conservatory

Correct implementation of SSL is crucial to secure transmission of data between clients and servers. However, this crucial task is frequently done improperly, due to complex APIs and lack of understanding of SSL fundamentals. The SSL Conservatory is intended to be a clearinghouse for well-documented and secure sample code to…

Read more

TLSPretense — SSL/TLS Client Testing Framework

TLSPretense is a framework for testing client-side SSL/TLS certificate validation. Software that uses HTTPS and TLS, such as mobile applications and web service clients, often makes mistakes configuring and implementing client-side TLS code. These mistakes are usually severe enough to allow an attacker to intercept the supposedly protected network traffic.…

Read more

tcpprox

Tcpprox is a simple command line tcp proxy written in Python. It is designed to have very minimal requirements – it runs directly from Python (tested in Python 2.7) from a single source file (unless the auto-certificate option is used). When running, the proxy accepts incoming TCP connections and copies…

Read more

YoNTMA

YoNTMA (You’ll Never Take Me Alive!) is a tool designed to enhance BitLocker’s data protection on Windows laptops. YoNTMA ensures that if your laptop is physically stolen while it is powered on, sensitive data (such as disk encryption keys) does not persist in memory for an attacker to recover via…

Read more

Tattler

Welcome to the Intrepidus Group Tattler project information page. Tattler is a Skype power tool that lets users track and monitor message modification in Skype. Tattler also provides a shell to the raw Skype API commands to allow for the manipulation and monitoring of many other Skype behaviors and activities. Features: …

Read more

PeachFarmer

PeachFarmer facilitates fuzz testing in the cloud. PeachFarmer is designed to be used in conjunction with the Peach fuzzing framework. Peach allows the user to split up a fuzzing job among many machines, but does not offer a built-in way to gather the logs and crash dumps from all these separate…

Read more

Android-KillPermAndSigChecks

This tool disables signature and permission checks for Android IPCs. This can be useful to test internal or restricted IPCs in specific cases/scenarios. The tool is available on the Github project page.

Read more

Android-OpenDebug

This extension makes all applications running on the device debuggable; once installed, any application will accept a debugger to attach to them. The tool is available on Github here.

Read more

Android-SSL-TrustKiller

This tool hooks various methods in order to disable SSL certificate pinning, by forcing the Android application to accept any SSL certificate. Once installed, it works across all applications on a device. The tool is available on Github here.

Read more

Introspy for Android

Introspy for Android is a tool designed to help penetration testers understand what an Android application does at runtime, and to greatly facilitate the process of reviewing the application’s security mechanisms. Further details can be found here

Read more

RtspFuzzer

RtspFuzzer, an open-source fuzzer for the real-time streaming protocol (RTSP) is now available on our Github page here.

Read more

SSLyze v0.8

A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. The tool is available on Github here.

Read more

NCLoader

enced by a constant “2131099692”, which cannot be dereferenced and this is where apktool is very helpful. Before we get into apktool, we will try to understand what is being passed. getAction() will get whatever was set using setAction() in the MainActivity class. putExtra() sends additional parameters in the form of a…

Read more

IG Learner Walkthrough

Tools Required: Android SDK (ADT bundle; adb will be used mostly); Dex2jar (used for unpacking the .apk file); jd-gui (Java decompiler); apktool; Mercury; Link Extractor tool like Winrar; Burp Suite free; Virtuous Ten Studio (optional but highly recommended). Preparation for taking apart the app: Get your hands on the apk…

Read more

Forensic Fuzzing Tools

This is a collection of scripts that can be used to generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files. These can be used to test the robustness of forensics tools and examination systems. Prerequisites: Linux/Python Download Tool

Read more

Security First Umbrella

Open Technology Fund (OTF) engaged iSEC Partners (iSEC) to perform a source code assisted white box security assessment of Security First’s Umbrella mobile application. One iSEC consultant performed the engagement remotely over two weeks, from June 15th, 2015 to June 26th, 2015. Security First provided iSEC access to the mobile…

Read more

Autochrome

How does it work? Autochrome is simply a script that fetches the latest version of Google’s Chromium, creates a number of test profiles, and installs it. Rather than make extensive modifications to the Chromium source, we rely on the base executable built by Google and only modify the profiles so…

Read more

WSSiP: A Websocket Manipulation Proxy

WSSiP is a tool for viewing, interacting with, and manipulating WebSocket messages between a browser and web server. WebSockets themselves are a newer option for client-side JavaScript code that lets a browser ask the web server to keep the underlying TCP connection open for bidirectional messaging. As defined…

Read more

AssetHook

Summary AssetHook is a tool that enables Android security researchers and pentesters to modify the asset portions of Android applications on the fly, without modifying the APK itself. Such modifications allow researchers to alter embedded data to better assess and test mobile applications. AssetHook is easier to use than existing methods…

Read more

Call Map: A Tool for Navigating Call Graphs in Python

Call Map is a tool for navigating call graphs in Python, with plans to support other languages. A call graph is a natural way to traverse code, where the nodes are procedures and directed edges connect procedures that call each other. Many editors and IDEs prioritize first the text, then…

Read more

Sobelow: Static analysis for the Phoenix Framework

Sobelow is the first security‐focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points‐of‐interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Currently Sobelow detects some types of…

Read more

G-Scout

G-Scout is a tool made to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data, and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results.…

Read more

Decoder Improved Burp Suite Plugin

Burp Suite’s built-in decoder component, while useful, is missing important features and cannot be extended. To remedy this, Justin Moore developed Decoder Improved, a drop-in replacement Burp Suite plugin. It includes all of decoder’s functionality while fixing bugs, adding tabs, and includes an improved hex editor. Additionally, the plugin’s functionality…

Read more

Python Class Informer: an IDAPython plugin for viewing run-time type information (RTTI)

RTTI can be an extremely helpful way to gain insight about a C++ binary during reverse engineering, and Python Class Informer’s visualization of the class hierarchies can strengthen these insights even further. We hope reverse engineers’ lives will become a little easier using the visualizations produced by this plugin. Currently,…

Read more

AutoRepeater: Automated HTTP Request Repeating With Burp Suite

Burp Suite is an intercepting HTTP proxy, and it is the de facto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a “change request and resend” loop, which can miss vulnerabilities and…

Read more

TPM Genie

TPM Genie is an Arduino-based man-in-the-middle (“interposer”) for the Trusted Platform Module I2C serial bus. This tool has been designed to aid in the security research of TPM hardware as well as the host-side drivers that communicate with them. In its simplest usage scenario, TPM Genie is capable of…

Read more

Open Banking: Security considerations & potential risks

The concept of Open Banking is an innovative one. However, as with any new development surrounding sensitive financial information, it is imperative to assess the security implications of these actions. Matthew Pettitt discusses the pros and cons of the planned implementation and potential risks of Open Banking in NCC Group’s…

Read more

scenester

Scenester is a tool to visually snapshot a website by supplying multiple user-agents. It is designed to aid in the discovery of different entry points into an application. For more information and to download the tool, visit our GitHub page here.

Read more

port-scan-automation

Automate NMAP scans and custom Nessus policies. Features include: discovers live devices; auto-launches port scans on only the discovered live devices; can run multiple instances on multiple adaptors at once; creates a client Ref directory for each scan; outputs all unique open ports in a Nessus-ready format. Much faster…

Read more

Windows DACL Enum Project

A collection of tools to enumerate and analyse Windows DACLs: Tool 1: Process Perms; Tool 2: Window Stations and Desktops; Tool 3: Services; Tool 4: File System; Tool 5: Registry. For more information and to download the tool, visit our GitHub page here.

Read more

umap

umap is a USB host security assessment tool, based on Facedancer by Travis Goodspeed. For more information and to download the tool, visit our GitHub page here.

Read more

Shocker

A tool to find and exploit servers vulnerable to Shellshock. To download the tool, please visit our Github page here.

Read more

Zulu

Zulu is an interactive GUI based fuzzer. The tool is input and output agnostic, therefore when you are happy with using the fuzzing engine that’s driven by the GUI you are only limited by the input and output modules that have been developed for it. To download the tool, please…

Read more

whitebox

This prototype was originally designed and developed during Christmas 2008 / 2009 to show how a non-signature-based AV could reliably detect malicious code. For more information and to download the tool, visit our GitHub page here.

Read more

vlan-hopping

vlan-hopping is a simple VLAN enumeration and hopping script, developed by Daniel Compton. For more information and to download the tool, visit our GitHub page here.

Read more

tybocer

Tybocer is a new view on code review. When presented with a new piece of code to review, it is useful to search through it for common terms, or to hunt down the definitions of particular functions. For more information and to download the tool, visit our GitHub page here.

Read more

xcavator

A network data locator using credentials obtained during penetration tests. Xcavator is a tool that scans a range of IP addresses for services that host files (FTP, FTPS and SMB at the moment) and for given credentials it will try to download everything it can and scan within the files…

Read more

WindowsJobLock

A Microsoft Windows process lockdown tool using Job Objects, developed by Ollie Whitehouse. To download the tool, visit our GitHub page here.

Read more

Azucar

Azucar is a multi-threaded, plugin-based tool to help assess the security of an Azure Cloud environment subscription. By leveraging the Azure API, Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. The script will not change…

Read more

Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central

Vendor: ManageEngine Vendor URL: https://www.manageengine.com/products/desktop-central/ Versions affected: 10.0.124 and 10.0.184 verified, all versions <= 10.0.184 suspected Systems Affected: All Author: Ben Lincoln <ben.lincoln[at]nccgroup[dot]trust> Advisory URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5337, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5338, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5339, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5340, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5341, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5342 Risk: Critical (unauthenticated remote code execution) Summary Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones,…

Read more

Discovering Smart Contract Vulnerabilities with GOATCasino

The rise of blockchain technology has brought about the invention of Ethereum. The Ethereum Virtual Machine (EVM) is a trustless, distributed computer that stores its state on a blockchain. Developers can define logic in the form of smart contracts, which are pieces of code that can be executed by the…

Read more

BLEBoy

BLEBoy is a great resource for learning about BLE security and provides a single BLE peripheral that can be used to experiment with each BLE pairing method. This release of BLEBoy includes a parts list, instructions for how to construct the device, source code that needs to be compiled and…

Read more

Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: products before July 2018 patch Systems Affected: Visual Studio, .NET Framework, SharePoint Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8260 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8300 Risk: Medium to High Summary A number of deserialisation issues within the resource files (.resx and .resources) were reported to Microsoft in January 2018 by…

Read more

Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector

Vendor: Redgate Vendor URL: https://www.red-gate.com/ Versions affected: prior to 10.0.7.774 (24th July, 2018) Systems Affected: .NET Reflector Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: https://documentation.red-gate.com/ref10/release-notes-and-other-versions/net-reflector-10-0-release-notes (CVE-2018-14581) Risk: Critical Summary It was possible to execute code by decompiling a compiled .Net object (such as DLL or EXE) with an embedded resource file. An attacker could…

Read more

Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin

Vendor: Jenkins Delivery Pipeline Plugin Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin Versions affected: 1.0.7 (up to and including) Systems Affected: Jenkins Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/ Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting) Summary The Delivery Pipeline Plugin is a Jenkins plugin that helps visualize the delivery/build…

Read more

The economics of defensive security

While there are many claims that cyber security is an indispensable necessary cost, there is also a body of opinion that cyber security does not always justify its costs and the financial impacts of a breach are frequently either exaggerated or unclear. As a response to these concerns, this whitepaper…

Read more

Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?

“We’re entering a new world in which data may be more important than software.” Tim O’Reilly Following from our recent CISO research council, our research team have put together this whitepaper, which explores the evolutionary steps in ransomware and malicious code and what NCC Group’s current perspective is. Ransomware as…

Read more

Mobile & web browser credential management: Security implications, attack cases & mitigations

With the exponential increase of online services over the last decade, it is no surprise that the theft of credentials from poorly-secured applications is a growing concern and data breaches are becoming more of a regular occurrence. Even if we manage to secure and lock down these applications, do we…

Read more

SOC maturity & capability

Security is a high priority for most organisations. A string of high priority breaches in big multinational companies has brought home the threat that all organisations face in the modern world. Therefore, a growing number of companies are considering how to best protect themselves and reduce the impact of a…

Read more