Tool Release

Memory Scanning for the Masses

Author: Axel Boesenach and Erik Schamper. In this blog post we will introduce a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning. We will give an overview of how this library works, share the thought process and the…


Tool Release: Magisk Module – Conscrypt Trust User Certs

Overview Android 14 introduced a new feature which allows CA certificates to be installed remotely. This change implies that instead of using the /system/etc/security/cacerts directory to check the trusted CAs, this new feature uses the com.android.conscrypt APEX module, and reads the certificates from the directory /apex/com.android.conscrypt/cacerts. Inspired by this blog post by Tim Perry,…


Tool Release: Cartographer

Cartographer is a Ghidra plugin that creates a visual "map" of code coverage data, enabling researchers to easily see what parts of a program are executed. It has a wide range of uses, such as better understanding a program, homing in on target functionality, or even discovering unused content in…


Tool Release – ScoutSuite 5.13.0

We are excited to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on GitHub)! This version includes multiple new rules and findings for Azure, which align with some of the latest CIS Benchmark checks, multiple bug fixes and feature enhancements, and minor finding template…


New Sources of Microsoft Office Metadata – Tool Release MetadataPlus

TL;DR – 31 usernames extracted vs 13 from the next leading brand! Introduction Open Source Intelligence Gathering (OSINT) can be an activity in itself and can also form a solid foundation for Full Spectrum Attack Simulations. Getting an idea of username formats as well as a number of known usernames…


Tool Release: Code Query (cq)

Code Query is a new, open source universal code security scanning tool. CQ scans code for security vulnerabilities and other items of interest to security-focussed code reviewers. It outputs text files containing references to issues found, into an output directory. These output files can then be reviewed, filtered by unix…


CowCloud

A common challenge technical teams (e.g. penetration testers) face is centralized deployment and pipelining execution of security tools. It is possible that at some point you have thought about customising several tools, buying their commercial licenses, and allowing a number of people to run the tools from AWS. The problem…


Tool Release: Code Credential Scanner (ccs)

Code Credential Scanner is a new open source tool designed to detect hardcoded credentials, or credentials present in configuration files within a repository. These represent a serious security issue, and can be extremely hard to detect and manage. The tool is intended to be used directly by dev teams in…


Machine Learning 103: Exploring LLM Code Generation

This executable blog post is the third in a series related to machine learning and explores code generation from a 16 billion parameter large language model (LLM). After a brief look under the hood at the LLM structure and parameter allocation, we generate a variety of Python functions and make…


Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads

The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements…


Machine Learning 102: Attacking Facial Authentication with Poisoned Data

This blog post is the second in a series related to machine learning, and demonstrates exactly how a data poisoning attack might work to insert a backdoor into a facial authentication system. The simplified system has similarities to that which the TSA is running a proof of concept trial at the Detroit…


Using Semgrep with Jupyter Notebook files

If you frequently deliver source code review assessments of products, including machine learning components, I’m sure you are used to reviewing Jupyter Notebook files (usually Python). Although I spend most of my time reviewing the source code manually, I also use static analysis tools such as semgrep, using both public…


Tool Release – Web3 Decoder Burp Suite Extension

Web3 Decoder is a Burp Suite Extension that allows users to decode “web3” JSON-RPC calls that interact with smart contracts on an EVM blockchain. As it is said that a picture is worth a thousand words, the following two screenshots show a raw JSON-RPC call and its decoded function call: Background…


Check out our new Microcorruption challenges!

New Microcorruption challenges created by Nick Galloway and Davee Morgan. Today we are releasing several new challenges for the embedded security CTF, Microcorruption. These challenges highlight types of vulnerabilities that NCC Group’s Hardware and Embedded Systems practice has discovered in real products. The new challenges provide a simple interface to…


Detecting Mimikatz with Busylight

In 2015 Raphael Mudge released an article [1] detailing that versions of mimikatz released after 8 October 2015 had a new module that utilised certain types of external USB devices to flash lights in different colours if mimikatz was executed. The technique presented in the article required…


Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite

tl;dr You can now have Scout Suite scan not only your cloud environments, but also your Kubernetes clusters. Just have your kubeconfig ready and run the following commands:

$ pip3 install ScoutSuite
$ scout kubernetes

Background NCC Group’s Container Orchestration Security Service (COSS) practice regularly conducts Kubernetes cluster configuration reviews spanning…


Tool Release – ScoutSuite 5.12.0

We are excited to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on GitHub)! This version includes multiple bug fixes, dependency updates and feature enhancements for AWS, Azure and GCP. It also adds and updates several rules for these three cloud providers, alongside improved…


Tool Release – Monkey365

by Juan Garrido Editor’s note: This tool was originally released at Black Hat USA 2022 (Arsenal) in August 2022, and was created by Juan Garrido (GitHub: @silverhack, Twitter: @tr1ana). Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure…


Constant-Time Data Processing At a Secret Offset, Privacy and QUIC

Introduction NCC Group’s Cryptography Services team assessed security aspects of several implementations of the QUIC protocol. During the course of their reviews, the team found a number of recurrent cryptographic side-channel findings of arguably negligible privacy risk to users, across these implementations. However, repetition in itself makes these findings…


Writing FreeBSD Kernel Modules in Rust

At present all major operating system kernels are written in C/C++, languages which provide no or minimal assistance in avoiding common security problems. Modern languages such as Rust provide better security guarantees by default and prevent many of the common classes of memory safety security bugs. In this post we…


Tool Release – JWT-Reauth

[Editor’s note: This post is a part of our blog series from our NCC Group summer interns! You can see more posts from consultants in our internship program here.] When testing APIs with short-lived authentication tokens, it can be frustrating to login every few minutes, taking up a consultant’s time…


Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath

Editor’s note: since the publication of this blog post, an expanded and more technical discussion of the implementation process has been written, and is available on eprint: https://eprint.iacr.org/2022/1283. Introduction Last weekend (July 30th) a truly incredible piece of mathematical/cryptanalysis research was put onto eprint. Wouter Castryck and Thomas Decru of KU…


Tool Release – insject: A Linux Namespace Injector

tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native…


Tool Release – Ghostrings

Introduction Ghostrings is a collection of Ghidra scripts for recovering string definitions in Go binaries with P-Code analysis. A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many…


Mining data from Cobalt Strike beacons

Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. Today, RIFT is making this extensive beacon dataset publicly available in combination with the open-source release of dissect.cobaltstrike, our Python library for…


Tool Release – ScoutSuite 5.11.0

We’re proud to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on GitHub)! The most significant improvements and features added include: Core: improved CLI options, test coverage and some dependencies. AWS: added new findings for multiple services; bug fixes; added ARNs for all resources…


Testing Infrastructure-as-Code Using Dynamic Tooling

Erik Steringer, NCC Group Overview TL;DR: Go check out https://github.com/ncc-erik-steringer/Aerides As public cloud service consumption has grown, engineering and security professionals have responded with different tools and techniques to achieve security in the cloud. As a consultancy, we at NCC Group have published multiple tools that we use to guide…


Tool Update – ruby-trace: A Low-Level Tracer for Ruby

We released ruby-trace back in August to coincide with my DEF CON 29 talk on it and parasitic tracing in general. Back then, it supported (c)Ruby 2.6 through 3.0. A few days ago, Ruby 3.1 was released. We have updated ruby-trace to add support for Ruby 3.1 and reorganized our…


Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches

Background Java Virtual Machines (JVMs) provide a number of mechanisms to inspect and modify the Java applications and the runtime they stand on. These include Java agents, JARs that are capable of modifying Java class files at runtime; and JVMTI agents, native libraries that can perform deep hooking into the…


log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

tl;dr Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability and gaining remote code execution on your systems. In this post, we first offer some…


Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly

This is the second blog post in a new code-centric series about selected optimizations found in pairing-based cryptography. Pairing operations are foundational to the BLS Signatures central to Ethereum 2.0, the zero-knowledge arguments underpinning Filecoin, and a wide variety of other emerging applications. While my prior blog series, “Pairing over…


Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0

NCC Group's Exploit Development Group documents exploiting the sudo vulnerability on VMWare vCenter Server.


Tool Release – Reliably-checked String Library Binding

by Robert C. Seacord Memory Safety Reliably-checked Strings is a library binding I created that uses static array extents to improve diagnostics that can help identify memory safety flaws. This is part of a broader initiative in the C Standards Committee to improve bounds checking for array types. See my blog…


Are you oversharing (in Salesforce)? Our new tool could sniff it out!

Unauthorised access to data is a primary concern of clients who commission a Salesforce assessment. The Salesforce documentation acknowledges that the sharing model is a “complex relationship between role hierarchies, user permissions, sharing rules, and exceptions for certain situations”[1]. It is often said that complexity and security are natural enemies.…


Exploit mitigations: keeping up with evolving and complex software/hardware

We have been filling the knowledge gap by tracking, in summary tables, all the exploit mitigations present in modern operating systems.


Tool Release – Principal Mapper v1.1.0 Update

Principal Mapper, or PMapper, is a tool and library for in-depth analysis with AWS Identity and Access Management, as well as AWS Organizations. PMapper stores data about AWS accounts and organizations, then provides options to query, visualize, and analyze that data. The library, written in Python, enables users to extend…


Tool Release – Solitude: A privacy analysis tool

Created by Dan Hastings and Emanuel Flores Solitude is an open source privacy analysis tool that enables you to conduct your own privacy investigations into where your private data goes once it leaves your web browser or mobile device. Whether a curious novice or a more advanced researcher, Solitude makes…


Lending a hand to the community – Covenant v0.7 Updates

Introduction Covenant [1] is an open source .NET command and control framework to support Red Team operations, similar in many ways to the well-known Cobalt Strike threat emulation software. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration. It has two main…


Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes

Wubes is like Qubes but for Microsoft Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. We currently support spawning a Windows Sandbox for the Firefox browser, with other applications easily added.


MSSQL Lateral Movement

Using discovered credentials to move laterally in an environment is a common goal for the NCC Group FSAS team. The ability to quickly and reliably use a newly gained set of credentials is essential during time-constrained operations. This blog post explains how to automate lateral movement via MSSQL CLR without…


Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures

In your emails, getting your hashes. Capturing NetNTLM hashes from network communications is nothing new; a quick Google for ‘Capture NTLM Hashes’ throws up blog posts discussing the various ways to force SMB communications to an attacker and the numerous existing tools to capture the authentication attempt and extract the password hash. Sniffing…


Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0

Depthcharge v0.2.0 is now available on GitHub and PyPI. This release introduces new “configuration checker” functionality and includes some major updates intended to improve usability. A tl;dr summary can be found in the CHANGELOG file. This blog post dives a bit more into the motivations for the changes, envisioned use-cases,…


Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures

HTTPSignatures is a PortSwigger Burp Suite extension that implements the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01 specification draft document. What motivated me to create this tool was the lack of an easy way to test applications and services using HTTP Signatures. This extension allows Burp Suite users to seamlessly test applications that…


Tool Release – Carnivore: Microsoft External Assessment Tool

Carnivore is a tool for assessing on-premises Microsoft servers such as ADFS, Skype, Exchange, and RDWeb. Carnivore’s functionality covers every stage an attacker would follow – from discovering relevant subdomains, to uncovering username format and username enumeration, to password spraying and additional post authentication activities for Skype such as retrieving…


Tool – Windows Executable Memory Page Delta Reporter

One true constant (until someone schools me) is that threat actors need executable memory of some kind to operate from for their endpoint implant even if fleeting. Given this we've released an open source Microsoft Windows Service that aims to facilitate detection of anomalous executable memory


Tool Release – ScoutSuite 5.10

We’re proud to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on GitHub)! Notable improvements and features include: Core: breaking change, support for Python 3.5 has been deprecated; moved unit tests from nose to pytest; improved coverage; bug fixes and improved error handling. AWS: created…


Tool Release – ICPin, an integrity-check and anti-debug detection pintool

by Nicolas Guigo ICPin is an Intel pintool leveraging the framework’s JIT mode designed to track a binary’s integrity checks. It records all reads and all writes performed by the target executable or dynamically loaded library on its text section and outputs a human readable text file describing each memory…


StreamDivert: Relaying (specific) network connections

Author: Jelle Vergeer. The first part of this blog will be the story of how this tool found its way into existence, the problems we faced and the thought process followed. The second part will be a more technical deep dive into the tool itself, how to use it, and…


Conference Talks – August 2020

This month, NCC Group researchers will be presenting their work at the following conferences: Dirk-Jan Mollema, “ROADtools and ROADrecon,” to be presented at Black Hat USA 2020 (Virtual – August 1-6 2020) Chris Nevin, “Carnivore: Microsoft External Attack Tool” to be presented at Black Hat USA 2020 (Virtual – August…


Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments

by George Osterweil Winstrument is a modular framework built on top of Frida designed to help testers reverse engineer Windows applications and assess their attack surface. Motivation Winstrument is built on top of Frida, a powerful dynamic instrumentation framework which aids reverse engineering and debugging by injecting into a process…


Tool Release: Sinking U-Boots with Depthcharge

Depthcharge is an extensible Python 3 toolkit designed to aid security researchers when analyzing a customized, product-specific build of the U-Boot bootloader. This blog post details the motivations for Depthcharge’s creation, highlights some key features, and exemplifies its use in a “tethered jailbreak” of a smart speaker that leverages secure…


Experiments in Extending Thinkst Canary – Part 1

The Thinkst Canary is best described as a digital tripwire for physical and virtual environments. It sits there waiting for a threat actor to tip you off that they are mooching around your environment. What is less appreciated, however, is that it is extensible with custom user modules. This post is the…


Tool Release – ScoutSuite 5.9.0

We’re proud to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on GitHub)! Since the release of 5.8.0 back in late March, we’ve had over 300 commits from 8 different contributors, and closed 30 PRs. Notable improvements and features include: AWS Added 4 new…


Tool: WStalker – an easy proxy to support Web API assessments

Have you ever faced a situation where you have a number of web services to test but no one is able to provide full working examples of each API call? WStalker is a work aid to help developers / functional testers record API traffic to help facilitate security assessments by…


Tool Release – Socks Over RDP Now Works With Citrix

Introduction A month ago, we released a new tool that made it possible to tunnel traffic over an existing Remote Desktop Connection without the need to alter the configuration of the environment. This tool enables penetration testers to conduct their assessments over Windows-based jump boxes. Remote Access technologies are quite…


Tool Release – Socks Over RDP

Introduction Remote Desktop Protocol (RDP) is used to create an interactive session on a remote Windows machine. This is a widely used protocol mostly used by Administrators to remotely access the resources of the operating system or network based services. As penetration testers we frequently find ourselves in a situation…


Tool Release – ScoutSuite 5.8.0

Quick note to say we’ve released ScoutSuite 5.8.0 on GitHub with the following features: Improved support for AWS: added support for KMS; added basic support for Secrets Manager; simplified evaluation of IAM policies in multiple rules. Improved support for Azure: added support for App Service Web Apps; added support for…


Tool Release – Collaborator++

When testing for out-of-band vulnerabilities, Collaborator has been an invaluable tool since its initial release in 2015. By acting as an HTTP, DNS and SMTP server, Collaborator allows researchers to identify complex out-of-band interactions between target applications and external services, aiding in the discovery of vulnerabilities such as server-side request…


Tool Release – Enumerating Docker Registries with go-pillage-registries

Containerization solutions are becoming increasingly common throughout the industry due to their vast applications in logically separating and packaging processes to run consistently across environments. Docker represents these processes as images by packaging a base filesystem and initialization instructions for the runtime environment. Developers can use common base images and…


PhanTap (Phantom Tap): Making networks spookier one packet at a time

As a security consultant at NCC Group, sometimes our clients hire us to perform red team engagements. Essentially, the goal is to sneak into one or more of their office locations however possible (think tailgating, social engineering, even delivering delicious pizzas). Once inside, we use this privileged access to conduct…


Sniffle: A Sniffer for Bluetooth 5

Sniffle is the world’s first open source sniffer for Bluetooth 5. Sniffle is also backwards compatible with Bluetooth 4.x LE. It runs on Texas Instruments CC26x2 and CC1352 microcontrollers, including the low cost CC26x2R and CC1352R Launchpad development boards. The host side software for Sniffle is written in Python, enabling…


Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation

Introduction During a recent Active Directory assessment we had access as a low-privilege user to a fully-patched and secured domain workstation. After trying a number of different approaches to elevate privileges locally, we came across the blog post “Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory” [1]…


Chafer backdoor analysis

Introduction A few weeks ago we published a config decrypter [1] for a sample that we believe is related to the Chafer group. Chafer is a well-known group which has primarily been operating in the Middle East. Their arsenal includes several custom-made tools, variants of the Remexi malware and open-source/publicly available…


RokRat Analysis

In July 2018 a security researcher named Simon Choi reported that a group, which goes by the name Group123 (also known as APT37 or Reaper), used spear-phishing emails to spread their malicious payload [1]. Shortly afterwards it was revealed that the attacker was using an exploit for a vulnerability in…


Readable Thrift

Readable Thrift makes binary Thrift protocol messages easy to work with by converting them to and from a human-friendly format. This makes the manual analysis of and tampering with binary format Thrift messages just as easy as working with plaintext protocols like HTTP.


Introducing Azucar

Conducting a thorough Azure security build review or Azure security assessment can be difficult. Clicking through the Azure Ibiza [1] portal to review the details on many of its services, including, but not limited to, Azure Active Directory (Azure AD), resource groups, virtual machines, storage accounts, databases, database servers and…


Decoding network data from a Gh0st RAT variant

During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked with a well-known group named Iron Tiger. From our research, we believe that the perpetrator hasn’t shown any advanced technical capabilities in this attack. In fact, the main goal was to…


TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus

TPM Genie is a serial bus interposer which has been designed to aid in the security research of Trusted Platform Module hardware. The tool demonstrates that a man-in-the-middle on the TPM serial bus can undermine many of the stated purposes of the TPM such as measured boot, remote attestation, sealed…


Decoder Improved Burp Suite plugin release part two

Summary In the previous blog post, we walked through the primary benefits of using Decoder Improved over the Burp Suite’s built-in decoder. This blog post will focus on adding new functionality to Decoder Improved by walking through implementing new trivial text modifiers and modes. At the end of this blog…


Decoder Improved Burp Suite plugin release part one

Burp Suite’s built-in decoder component, while useful, is missing important features and cannot be extended. To remedy this, I developed Decoder Improved, a drop-in replacement Burp Suite plugin. It includes all of decoder’s functionality while fixing bugs, adding tabs, and includes an improved hex editor. Additionally, the plugin’s functionality is…


Poison Ivy string decryption

This is a short and quick blog post to share with you, as promised, the IDAPython script used to decrypt the strings in the Poison Ivy sample discussed in our previous blog post [1]. Before we can start decrypting the strings, we first need to locate the string decoding function. Looking through Poison Ivy’s…


Analysing a recent Poison Ivy sample

In a recent blog post, Fortinet discussed a new version of Poison Ivy[1] spreading through malicious PowerPoint files. The PowerPoint file includes a .NET loader in a stream which goes on to load a variant of Poison Ivy. But there is some debate regarding whether this is a pure Poison…


Berserko: Kerberos Authentication for Burp Suite

We’ve released a new tool called Berserko, which is a Burp Suite extension to perform Kerberos authentication. We use Burp Suite for web application security assessments and it gives us excellent results. However, anyone that has experience in pen testing in enterprise environments will be able to tell you that…


iOS Instrumentation Without Jailbreak

This article describes a process of instrumenting an iOS application without a jailbroken device. Because of the absence of jailbreak in the latest versions of iOS and the requirement for testing applications on the latest versions of iOS, it is necessary to find ways of assessing iOS applications in non-jailbroken…


An adventure in PoEKmon NeutriGo land

TL;DR A full technical note explaining the analysis of a Flash file that is part of the Neutrino Exploit kit has been uploaded to our Cyber Defence GitHub repository. This document details a methodology to analyse all components of the original Flash file. It details how we manually deobfuscate most of its…


The Automotive Threat Modeling Template

Threat mitigation is an important part of the security development lifecycle (SDL) and at NCC Group we have been performing a number of threat modeling workshops focused specifically on the automotive sector. Considering the increasing research and media attention in relation to connected cars, it is fundamental to understand the threats…


Ransomware: How vulnerable is your system?

TL;DR: Ransomware has grown into a significant industry for criminal enterprises due to its relatively low sophistication, the ability for it to be performed remotely, and the fact that it is supported by the existence of cryptocurrencies which facilitate remuneration. As a result, the likelihood of the perpetrators…


Project Triforce: Run AFL on Everything!

tl;dr This is a pretty long blogpost, so for those who want to jump right to the code: TriforceAFL: A modified version of AFL that supports fuzzing using QEMU’s full system emulation. TriforceLinuxSyscallFuzzer: A Linux syscall fuzzer built on top of TriforceAFL. It has already found several bugs. We will be releasing…


From CSV to CMD to qwerty

The ongoing breach stories of targeted email campaigns harbouring malicious attachments made me think of writing up a summary of a presentation I gave at the amazing NCC Con held in Dublin in January this year. The talk was based on a pentesting war story that started off exploiting the old (but…


Introducing Chuckle and the Importance of SMB Signing

Server Message Block (SMB) is a protocol used for accessing shared resources; most corporate Windows networks use SMB to access shared folders and printers. Digital signing is a feature of SMB designed to allow a recipient to confirm the authenticity of SMB packets and to prevent tampering during transit –…


libtalloc: A GDB plugin for analysing the talloc heap

tl;dr This post is about a GDB plugin I wrote while researching Samba exploitation earlier in 2015. There is a Python script available. See the README for usage examples. Note that the plugin was thrown together while hacking on bugs. Introduction The Samba project developed a custom heap dubbed…


Tool Release: Introducing opinel: Scout2’s favorite tool

Introducing opinel: Scout2’s favorite tool 03 Aug 2015 – Loïc Simon With boto3 being stable and generally available [1], NCC took the opportunity to migrate Scout2 and AWS-recipes to boto3. As part of that migration effort, we decided to publish the formerly-known-as AWSUtils repository – used by Scout2 and AWS-recipes –…


Violating the Virtual Channel – RDP Testing

Introduction As security consultants we often come across situations where we have access to an RDP server that has been locked down fairly well by an administrator, which generally inhibits our ability to test the target. This blog looks at what a tester can do given the following scenario: Tester…


Windows Firewall Hook Enumeration

tl;dr We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how…


Tool Release: Calculating SQL Permissions

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Calculating SQL Permissions 09 Feb 2015 – Peter Oehlert iSEC Partners is happy to announce the availability of a tool to help those wishing to better secure their database applications and…


Tool Release: A Simple DLL Injection Utility

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. A Simple DLL Injection Utility 29 Oct 2014 – Nicolas Guigo NCLoader is a simple command-line DLL injection tool for Windows. It takes a PID or process name as…


Tool Release: You’ll Never (Ever) Take Me Alive!

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Tool Release: You’ll Never (Ever) Take Me Alive! 09 May 2014 – Tom Ritter A year ago, we released You’ll Never Take Me Alive — a tool that helps protect Full…


Tool Release: SSLyze v 0.9 released – Heartbleed edition

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. SSLyze v 0.9 released – Heartbleed edition 16 Apr 2014 – Alban Diquet A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL…


Tool Release: DIBF Tool Suite

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. DIBF Tool Suite 16 Apr 2014 – Nicolas Guigo Introducing iSEC Partners’ Windows driver testing suite. The source, binaries and example output are available at https://github.com/iSECPartners/DIBF under the GPLv2 license. Currently…


Tool Release: Announcing the Release of RtspFuzzer

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Announcing the Release of RtspFuzzer 07 Jan 2014 – Michael Lynch iSEC Partners is pleased to announce the release of RtspFuzzer, an open-source fuzzer for the real-time streaming protocol…


Introduction to Anti-Fuzzing: A Defence in Depth Aid

tl;dr Anti-Fuzzing is a set of concepts and techniques designed to slow down and frustrate threat actors looking to fuzz test software products, by deliberately misbehaving, misdirecting, misinforming and otherwise hindering their efforts. The goal is to drive down the return on investment seen in fuzzing today by virtue…


Tool Release: SSLyze v0.8 released

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. SSLyze v0.8 released 30 Dec 2013 – Alban Diquet A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL configuration of a server…


Tool Release: SSL pinning bypass and other Android tools

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below. SSL pinning bypass and other Android tools 13 Dec 2013 – Marc Blanchou iSEC is releasing several Cydia Substrate extensions to facilitate the black box testing…


Tool Release: Blackbox Android App Analysis with Introspy

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Blackbox Android App Analysis with Introspy 13 Dec 2013 – Marc Blanchou Alban Diquet As previously announced during our Ruxcon presentation, we’re now releasing Introspy for Android. The final version of…


Non Obvious PE Parsers – The .NET runtime – Part 1

tl;dr The Windows program loader isn’t the only PE parser in Windows. The .NET runtime has its own, used for loading modules as well. Code from earlier versions of that implementation can be found on the Internet, and it shows some interesting defensive properties. Examples include obvious defences against import, entry…


Scenester – A Small Tool for Cross-Platform Web Application

A quick post to announce that NCC Group’s new web application security assessment tool has been pushed to our GitHub repo at https://github.com/nccgroup/. So what is Scenester? It is a simple Java application to discover different web application front ends based on web browser user-agents. The goal is to ensure coverage during…


Tool Release: iOS Secure State Preservation

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. iOS Secure State Preservation 18 Sep 2013 – Tom Daniels iOS 6 introduced the concept of application state preservation. The purpose of state preservation is to hide unexpected application…


Tool Release: Redirecting traffic with dnsRedir.py

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Redirecting traffic with dnsRedir.py 05 Sep 2013 – Tim Newsham Often while performing network protocol testing, we want to be able to redirect traffic destined for a legitimate server…
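A minimal worked example of the DNS-based redirection the teaser describes, written for this page and not taken from dnsRedir.py or any iSEC/NCC code: it parses an incoming A query, and when the queried name matches a rule table (a constructed mapping, `example.com` to `10.0.0.5`), answers with the redirect address so the client connects to the tester's server instead. Unmatched or malformed queries get `None` (no reply); how dnsRedir.py itself handles queries it is not redirecting is not shown in the teaser, so that behaviour is an assumption here. Message layout follows RFC 1035 (12-byte header, question section, one A record with a compression pointer to the question name).

```python
"""Constructed DNS redirector example (not dnsRedir.py): answer A queries for
chosen names with a chosen IPv4 address, drop everything else."""
import socket
import struct

A_RECORD, CLASS_IN = 1, 1


def _read_name(data: bytes, offset: int):
    """Decode a possibly-compressed DNS name. Returns (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query; used as constructed input for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)


def parse_query(packet: bytes):
    """Return the single question of a query, or None for responses/malformed data."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
        if flags & 0x8000 or qdcount != 1:  # QR set => it's a response, not a query
            return None
        name, off = _read_name(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    except (struct.error, IndexError, UnicodeDecodeError):
        return None  # truncated or garbage packet: never crash the responder
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": packet[12:off + 4]}


def build_answer(packet: bytes, rules: dict, ttl: int = 60):
    """Spoofed response for an A/IN query whose name is in rules, else None."""
    q = parse_query(packet)
    if q is None or q["qtype"] != A_RECORD or q["qclass"] != CLASS_IN:
        return None
    target = rules.get(q["name"].lower())
    if target is None:
        return None
    # Flags 0x8180: QR=1, RD=1, RA=1, RCODE=0; one question, one answer.
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)
    # 0xC00C = pointer to the name at offset 12 (start of the question).
    rr = struct.pack("!HHHIH", 0xC00C, A_RECORD, CLASS_IN, ttl, 4) + socket.inet_aton(target)
    return header + q["question"] + rr


def parse_answer(resp: bytes):
    """Decode the first A record of a response. Returns (name, ip, ttl)."""
    _, off = _read_name(resp, 12)          # skip the question name
    off += 4                               # skip QTYPE/QCLASS
    name, off = _read_name(resp, off)      # exercises the pointer branch
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    return name, socket.inet_ntoa(rdata), ttl


if __name__ == "__main__":
    # Point only the client under test at this listener; unmatched names are
    # silently dropped, so it is not a general-purpose resolver.
    rules = {"example.com": "10.0.0.5"}  # constructed example rule
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 5353))
    while True:
        data, peer = sock.recvfrom(512)
        resp = build_answer(data, rules)
        if resp:
            sock.sendto(resp, peer)
```

The transaction ID and question section are copied verbatim from the query, which is what makes a resolver or stub accept the answer; the rule lookup is case-insensitive because DNS names are.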


Tool Release: Blackbox iOS App Analysis with Introspy

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Blackbox iOS App Analysis with Introspy 21 Aug 2013 – Tom Daniels Alban Diquet In 2013, assessing the security of iOS applications still involves a lot of manual, time-consuming…


Tool Release: iOS SSL Kill Switch v0.5 Released

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. iOS SSL Kill Switch v0.5 Released 20 Aug 2013 – Alban Diquet Version 0.5 of the iOS SSL Kill Switch is now available. iOS SSL Kill Switch is a tool to…


Tool Release: PeachFarmer

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Tool Release: PeachFarmer 14 Jun 2013 – Michael Lynch Cloud-based Fuzzing with Peach Several of the consultants here at iSEC perform fuzz testing using the Peach fuzzing framework. One of…


EasyDA – Easy Windows Domain Access Script

Anyone who regularly conducts internal penetration tests on Windows domains will see the same issues arise, such as shared passwords. If you are able to obtain a local administrator hash, in most instances you can compromise the entire domain, because that hash is typically common with other…


Pip3line – The Swiss Army Knife of Byte Manipulation

Here at NCC Group we work with raw bytes a lot! As I couldn’t find a good tool to manipulate, encode and decode them easily, I set about writing Pip3line a while back. While it has been available for a while as open source, I’ve not really discussed it outside of…


Grepify – a Small Tool for Code Reviewers

A quick post to announce that NCC Group’s first tool has been pushed to our GitHub repo at https://github.com/nccgroup/. So what is Grepify? It’s basically a regex engine with a Windows GUI, with some shortcuts and pre-defined profiles to aid in security-focused code reviews. It’s not very clever, but for…


Visualising Firewall Rulesets – Simplifying Firewall Administration and Spotting the Pivot Point

Managing firewall rulesets in any moderately-sized environment can be a complicated task. As IT infrastructures continually change, firewall rules often become more complicated, overlapping and difficult to manage. We’ve been working on a prototype of a tool which seeks to provide more assurance over firewall rulesets by providing better insight…


Tool Release: YoNTMA

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Tool Release: YoNTMA 18 Mar 2013 – Michael Lynch You’re a responsible defender of your data. You keep all of your disks encrypted. You hibernate your laptop when you’re…


Tool Release: tcpprox

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Tool Release: tcpprox 21 Feb 2013 – Tim Newsham Tcpprox is a simple command-line TCP proxy written in Python. It is designed to have very minimal requirements – it…