List of All Posts

SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP

SSRF protocol smuggling involves an attacker injecting one TCP protocol into a dissimilar TCP protocol. A classic example is using gopher (i.e. the first protocol) to smuggle SMTP (i.e. the second protocol):

gopher:// ....

The keypoint above is the use of the CRLF character (i.e. %0D%0A) which breaks up the commands of the second protocol. This attack is only possible with the ability to inject CRLF characters into a protocol.

Almost all LDAP client libraries support plaintext authentication or a non-ssl simple bind. For example, the following is an LDAP authentication example using Python 2.7 and the python-ldap library:

import ldap
conn = ldap.initialize("ldap://[SERVER]:[PORT]")
conn.simple_bind_s("[USERNAME]", "[PASSWORD]")

Read on →

odle: piping security data

I recently published odle which is a Ruby gem and binary that takes XML data from various security tools and outputs their JSON equivalent. The goal is to be (1) simple, (2) fast, and (3) work on many platforms with only one dependency – nokogiri.

Below are two examples using odle to convert output from one tool (e.g. burpsuite) as input for something else (e.g. nmap scans).

Read on →

Blackhat 2015 Arsenal

Last month at Blackhat Arsenal 2015, Pete and I (@will_is) presented on Serpico. This was our second time at Arsenal. Yet again, awesome people, great venue, and overall a highlight for me of BH/DC/LV. We got some excellent feedback on the project, so thank you to anyone who stopped by

Read on →

ldapsearch notes

I seem to find open LDAP servers on the Internet more often than I should. Here are some notes on using ldapsearch

Read on →

XML Entity Cheatsheet

An XML Entity testing cheatsheet. Testing was done using an older vulnerable version of nokogiri. In IRB you can require previous versions of gems. Certain techniques (e.g. XInclude) may require additional settings in Nokogiri.

Read on →

IPv6 DNS Guessing Notes

A hostname with an IPv6 address is stored as a AAAA resource record in DNS (see AAAA record). There are many DNS hostname bruteforcing tools, personally I like Fierce. Suppose we have already run our hostname bruteforcing tool against a target domain (e.g. Below we use dig to do a AAAA record lookup for each hostname.

Read on →

Blackhat 2014 Arsenal Experience

Last week at Blackhat Arsenal 2014, Pete and I (@will_is) presented on Serpico. Arsenal was a great experience and I would highly recommend to anyone as an attendee or presenter. We got some great feedback on the project, so thank you to anyone who stopped by

Read on →