About

Bordergate is a security blog based in the United Kingdom.

This site currently has 143 articles on various security topics including; penetration testing, exploit & malware development.

Infrastructure

• VLAN Attacks
  Performing VLAN hopping attacks.
• First Hop Redundancy Protocols
  Exploiting VRRP & HSRP.
• CAM Table Overflow Attacks
  Exceeding a network switches CAM table to intercept traffic.
• WebClient Privilege Escalation
  Relaying WebClient Connections to LDAP become a local administrator.
• Microsoft Configuration Manager
  Pentesting SCCM.
• Remote Registry Service User Enumeration
  Identifying users logged into a remote host.
• Pentesting X11
  Compromising open X Window System servers.
• Obfuscating Command Line Arguments
  Encoding command line arguments to evade detection.
• Active Directory Persistence
  Maintaining access to an Active Directory environment.
• Forged Kerberos Tickets
  Generating forged Kerberos gold, silver and diamond tickets.
• Active Directory Schema Modification
  Changing default security descriptor properties to escalate from a child to parent domain.
• Attacking MSSQL
  Compromising MSSQL databases, and escalating privileges.
• Golden gMSA Attacks
  Extracting gMSA service accounts from child domains.
• SID History Abuse
  Modifying SID History values to compromise parent domains.
• Backup Operator Privilege Escalation
  Extracting domain controller credentials using the Backup Operators group.
• Active Directory Explorer
  Using Microsoft AD Explorer to collect Active Directory attack path information.
• Active Directory DACL Attacks
  Exploiting misconfigured Active Directory access control lists.
• Entra ID Connect
  Extracting credentials from Azure Entra Connect.
• Coerced Authentication
  Persuading Windows hosts to provide machine account credentials.
• IPv6 Penetration Testing
  Testing IPv6 security.
• Bypassing Multi Factor Authentication
  Intercepting multi factor authentication credentials using an Nginx reverse proxy.
• Phishing
  Sending Phishing emails to capture login credentials.
• Terraform
  Using Terraform to deploy testing infrastructure & auditing Terraform configuration files.
• 802.11 Wireless Attacks
  Ways of gaining access to WPA-PSK networks.
• Cobalt Strike
  Getting started with Cobalt Strike.
• Kerberos Delegation Attacks
  Exploiting constrained, unconstrained and resource based delegation.
• Kubernetes Penetration Testing
  Security testing for Kubernetes clusters.
• Docker Penetration Testing
  Performing security audits of Docker instances.
• Linux Privilege Escalation
  Privilege escalation techniques for Linux hosts.
• Windows Privilege Escalation
  Privilege escalation techniques for Windows hosts.
• Bypassing LSA Protections
  LSA protections and related bypass methods.
• Packet Capture with Native Tools
  Capturing network traffic with pktmon and netsh.
• Password Cracking
  Using hashcat to reveal Windows passwords.
• Certificate Based Persistence
  Using AD CS certificates to achieve persistence in an Active Directory environment.
• Extracting NTLM Hashes With User Privileges
  Extracting NTLM hashes without the need for Mimikatz.
• Offensive Security Experienced Penetration Tester (OSEP) Review
  A review of the Evasion Techniques and Breaching Defences course by Offensive Security.
• NTLM Relay Attacks
  Performing NTLM relay attacks using SMB and LDAP.
• Pentest One Liners
  A list of one line commands for Windows to download and execute payloads.
• Credential Interception Using Malicious SMB Shares
  How to intercept NTLM-SSP hashed credentials for offline cracking.
• Casino Royale CTF Walkthrough
  A walkthrough for VulnHub’s Casino Royale CTF.
• GoldenEye CTF
  A writeup of the VulnHub GoldenEye capture the flag (CTF) challenge.
• Extracting Windows Credentials Using Native Tools
  How to extract credentials from Windows systems using built in commands.
• What You Need to Know About Kerberoasting
  An overview of Kerbroasting to extract service account credentials.
• Lateral Movement With Named Pipes
  A demonstraton of named pipe communication using Meterpreter.
• Session Enumeration With NetSessionEnum API
  How to take advantage of the NetSessionEnum API to determine remotely logged in users.
• BloodHound by Example
  A demonstration of how BloodHound can be used to exploit Active Directory based networks.

Web Application

• PHP Type Confusion
  Exploiting loose comparison operations.
• PHP Deserialisation
  Triggering code execution through object deserialisation.
• Command Injection
  Exploiting command injection vulnerabilities.
• Exploiting Tomcat
  Exploiting common Tomcat vulnerabilities.
• File Upload Vulnerabilities
  Exploiting file upload vulnerabilities to execute arbitrary code.
• SQL Injection
  SQL Injection for MySQL databases.
• XML External Entity Injection (XXE)
  Exploiting XML parsers.
• Web Content Discovery
  Identifying web content to launch further attacks.
• Cross Site Scripting (XSS)
  Injecting malicious code into web applications.
• Hack The Box Certified Bug Bounty Hunter (HTB CBBH)
  A review of the CBBH course and exam.
• Local File Inclusion (LFI) Attacks
  Exploiting LFI vulnerabilities in web applications.
• Flask Session Cookies
  Decoding Flask signed session cookies.
• Server Side Template Injection (SSTI)
  SSTI attacks against Python Flask applications.

Malware Development

• DLL Proxying
  Using DLL’s as a persistence mechanism.
• LLVM Obfuscation
  Setting up Obfuscator LLVM with Visual Studio 2022.
• Encoding Shellcode as IP Addresses
  Converting shellcode to look like a series of IP addresses.
• Function Name Hashing
  Replacing existing ROR13 function hash names in shellcode to evade signature based detection.
• Module Stomping
  Executing Shellcode from the address space of known good DLL’s.
• Callback Shellcode Execution
  Executing Shellcode using function callbacks.
• Inline Function Hooking
  Creating a C++ DLL to modify a target applications behaviour.
• Disguising Client Side Payloads
  Ways of making payloads a little less suspicious.
• User Mode APC Queue Injection
  Using user-mode APC functions to execute code in remote processes.
• Sleep Masks
  Writing sleep masks in x64 assembly.
• Offensive PowerShell
  Using GetDelegateForFunctionPointer to execute Win32 API’s from memory in Powershell.
• Reflective DLL Injection
  Executing DLL’s from memory.
• DLL Injection
  Injecting DLL’s into remote processes.
• Interacting with Foreign Handlers
  Writing stagers to interact with foreign C2 frameworks.
• Persistence Mechanisms
  Maintaining access to a target system.
• Password Filters
  Using password filters to intercept logon credentials.
• Keystroke Logging
  Logging Keystrokes with SetWindowHookEx.
• Process Mitigation Policies & ACG
  Attempting to use binary signature policies and arbitrary code guard to bypass userland hooks.
• Parent Process ID Spoofing
  Supplying arbitrary PPID values to CreateProcess.
• Shellcode Obfuscation
  Encoding Shellcode for use within malware.
• Import Address Tables
  Hiding IAT entries to evade detection.
• Malicious Nim Code
  Using Nim to write some simple tools.
• System Call Execution
  Writing a process injection tool using direct system calls.
• ClickOnce Droppers
  Creating a ClickOnce installer for Phishing campaigns.
• NT API Shellcode Execution
  Process Injection using NtCreateSection and NtMapViewOfSection.
• Access Token Manipulation
  Assuming other users identities by copying access tokens.
• Shellcode Execution via Fibers
  Using fibers instead of threads to run shellcode.
• Process Argument Spoofing
  Modifying the Process Environment Block for process argument spoofing.
• Windows Defender Memory Scanning Evasion
  Evading Windows Defender memory scanning.
• Process Injection
  CreateRemoteThread Process Injection in C#
• Unhooking Event Tracing for Windows
  Bypassing ETW userland hooks.
• Assembly.Load & AMSI
  Bypassing AMSI when using Assembly.Load.
• DNS Tunneling
  Using the Domain Name System as a Command & Control mechanism.
• ICMP Tunneling
  Tunneling C2 messages in ICMP traffic.

Exploit Development

• Integer Security
  Common security issues with integer variables.
• Linux x64 Reverse Shellcode
  Reverse shells in x64 assembly.
• Position Independent Executables
  Exploiting PIE enabled executables.
• Execve Shellcode
  Executing the execve syscall on x64 Linux using Shellcode.
• ARM64 ROP Chaining
  Performing a Return-to-libc attack on ARM64 systems.
• x64 MPROTECT ROP
  Calling mprotect on x64 Linux.
• MIPS32 Buffer Overflows
  Exploiting memory corruption vulnerabilities on MIPS32 systems.
• LD_PRELOAD Exploitation
  Using LD_PRELOAD for dynamic function hooking and privilege escalation.
• Cyber Apocalypse 2023
  Cyber Apocalypse CTF 2023 challenge writeups.
• Windows x64 Reverse Shellcode
  Reverse shells in x64 assembly.
• Windows x64 Shellcode Development
  Writing Shellcode for Windows 11.
• Fuzzing Network Protocols
  Fuzzing Network Protocols with the BooFuzz Python library.
• Fuzzing with AFL++
  File format fuzzing with American Fuzzy Lop++.
• Reverse Engineering Network Protocols
  Analysing Network Protocols to identify vulnerabilities.
• Use After Free Vulnerabilities
  Exploiting use-after-free vulnerabilities.
• Heap Exploitation: The House of Force
  Tampering with the top chunk size field for an arbitrary write primitive.
• Ubuntu 20.04 Heap Exploitation
  Exploiting heap corruption on Ubuntu 20.04.
• Heap Thread Cache Exploitation
  Exploiting heap thread caching on glibc 2.26.
• Heap Fastbin Exploitation
  Double free exploitation of glibc heap fastbins.
• Dealing with Small Buffer Space
  Using relative JMP instructions to escape small buffers.
• 64-Bit Return-to-libc Attacks
  Bypassing NX on 64-bit Linux.
• Bypassing DEP & ASLR in Linux
  Bypassing DEP & ASLR using pointer leakage and return orientated programming.
• Format String Exploitation
  A quick tutorial on exploiting format string vulnerabilities to read and write memory.

Security Engineering

• x64 Call Stack Walking
  Walking an x64 call stack using UNWIND data structures.
• Headless Linux Disk Encryption
  Unlocking LUKS encrypted disks remotely.
• Blocking Outbound Docker Traffic
  Blocking outbound docker traffic using an IPTables firewall.
• PowerShell Constrained Mode
  A guide to enabling PowerShell constrained mode.
• Kali Linux – Ensuring Traffic is Only Sent via OpenVPN
  A guide on configuring Kali so all network traffic is routed over an OpenVPN connection.
• Windows 10 Software Restriction Policies
  Configuring Software Restriction Policies (SRP) in Windows 10.
• Active Directory Honey Tokens
  Configuring Active Directory honey tokens to detect account enumeration.
• Creating a WPA2 Enterprise Access Point Using Linux
  A guide to configure a Linux system as a WPA2 Enterprise wireless access point using an Alpha wireless adapter.

Hardware

• Physical Intrusion Detection
  Configuring sensors to detect physical intrusion.
• EvilCrowRF V2
  Using the EvilCrowRF to transmit Sub-Ghz signals.
• GPIO
  Interacting with GPIO’s using Python.
• Bluetooth Low Energy
  Completing BLE CTF.
• Serial Peripheral Interfaces
  Interacting with SPI to extract the contents of a ROM.
• TEMPEST SDR
  Intercepting signals from a HDMI monitor.
• UART Connections
  Interfacing with UART to gain command line access on a embedded device.
• GPS Signal Spoofing
  Falsifying Global Positioning System signals.
• Modbus Security
  Pentesting the Modbus protocol.
• Configuring an ESP32 in Ubuntu 22.04
  Getting an ESP32 to work with Ubuntu and Visual Studio Code.
• Getting Started with Bash Bunny
  Stealing credentials using Quick Creds.
• Windows Domain Authentication With YubiKey
  Configuring YubiKey two factor authenticaton for interactive login to a Windows domain.

Cheat Sheets

• GDB
  A GNU debugger command reference.
• Custom Wordlists
  Creating custom wordlists for use in password brute force attacks.
• Mimikatz
  A Mimikatz command reference.
• PowerView
  A PowerView command reference.
• WinDBG
  A list of common WinDBG commands.
• Metasploit
  A Metasploit command reference.
• Configuring Kali
  Adding additional security auditing tools to Kali.