Labs
Take a look at our tools, presentations, and policies.
Advisories
- Edison Mail Advisory – August 2019
- Qolsys Advisory – October 2015
- Systech Advisory – April 2016
- Sierra Wireless Advisory – June 2016
- Netcomm Wireless Advisory – June 2016
Slides
- 2016 April – Computers Everywhere (IoT)
- 2016 August – pin2pwn: How to Root an Embedded Linux Box With a Sewing Needle
Tools
Disclosure Policy
Whitepapers
Credentialed Windows Remote Code Execution techniques
In this article, we’ll discuss some of the different ways we can execute arbitrary code or commands once we have already obtained Windows domain credentials, either in plaintext form (username + password) or as NTLM hashes. Even though the techniques described here are...
How we use BloodHound, and how it can help defenders: 3 ways IT analysts could use BloodHound to improve Windows domain security
BloodHound, available at bloodhound.readthedocs.io, maps Windows Active Directory permissions to a graph database that lets users trace attack paths using a GUI and a query system. To make that more concrete, BloodHound can answer questions such as: Who is allowed to...
Scanning SMB shares with SMBLS
In Carve's internal engagement service line, we simulate an attacker on a corporate network, which is usually Windows-based. We use a variety of tools to gather information, but we were frustrated by the reliability, performance and logging of the tools dealing with scanning...
The 5 Most Common GraphQL Security Vulnerabilities
Intro - GraphQL
GraphQL (GQL) is a popular data query language that makes it easier to get data from a server to a client via an API call. GQL is commonly deployed as a critical piece of the technology stack for modern web and mobile applications, and as a result,...
Rule-Based Highlighter Plugin for BurpSuite
BurpSuite is one of those must-have tools when dealing with web application or API security assessments. Usually, when proxying applications through Burp, a fair amount of noise (advertising and user-tracking third-party services, CORS preflight checks, etc.) is also...
Owning a device with a single jump
Back when I first read about this thing called “hacking” I thought I’d be spending all my days overflowing NSA buffers with plagiarized shellcode and going by some cool hacker name like “1337BadGeR”. Sadly for me, upon entering the actual world, I had to get back in...