Bordergate covers a number of security topics including; penetration testing, exploit & malware development.
There are currently 127 articles on this site. Below is the complete listing of them by category.
Infrastructure
- VLAN AttacksPerforming VLAN hopping attacks.
- First Hop Redundancy ProtocolsExploiting VRRP & HSRP.
- CAM Table Overflow AttacksExceeding a network switches CAM table to intercept traffic.
- WebClient Privilege EscalationRelaying WebClient Connections to LDAP become a local administrator.
- Microsoft Configuration ManagerPentesting SCCM.
- Remote Registry Service User EnumerationIdentifying users logged into a remote host.
- Pentesting X11Compromising open X Window System servers.
- Obfuscating Command Line ArgumentsEncoding command line arguments to evade detection.
- Active Directory PersistenceMaintaining access to an Active Directory environment.
- Forged Kerberos TicketsGenerating forged Kerberos gold, silver and diamond tickets.
- Active Directory Schema ModificationChanging default security descriptor properties to escalate from a child to parent domain.
- Exploiting TomcatExploiting common Tomcat vulnerabilities.
- Attacking MSSQLCompromising MSSQL databases, and escalating privileges.
- Golden gMSA AttacksExtracting gMSA service accounts from child domains.
- SID History AbuseModifying SID History values to compromise parent domains.
- Backup Operator Privilege EscalationExtracting domain controller credentials using the Backup Operators group.
- Active Directory ExplorerUsing Microsoft AD Explorer to collect Active Directory attack path information.
- Active Directory DACL AttacksExploiting misconfigured Active Directory access control lists.
- Entra ID ConnectExtracting credentials from Azure Entra Connect.
- Coerced AuthenticationPersuading Windows hosts to provide machine account credentials.
- IPv6 Penetration TestingTesting IPv6 security.
- Bypassing Multi Factor AuthenticationIntercepting multi factor authentication credentials using an Nginx reverse proxy.
- PhishingSending Phishing emails to capture login credentials.
- TerraformUsing Terraform to deploy testing infrastructure & auditing Terraform configuration files.
- 802.11 Wireless AttacksWays of gaining access to WPA-PSK networks.
- Cobalt StrikeGetting started with Cobalt Strike.
- Kerberos Delegation AttacksExploiting constrained, unconstrained and resource based delegation.
- Modbus SecurityPentesting the Modbus protocol.
- Kubernetes Penetration TestingSecurity testing for Kubernetes clusters.
- Docker Penetration TestingPerforming security audits of Docker instances.
- Linux Privilege EscalationPrivilege escalation techniques for Linux hosts.
- Windows Privilege EscalationPrivilege escalation techniques for Windows hosts.
- Bypassing LSA ProtectionsLSA protections and related bypass methods.
- Packet Capture with Native ToolsCapturing network traffic with pktmon and netsh.
- Password CrackingUsing hashcat to reveal Windows passwords.
- Certificate Based PersistenceUsing AD CS certificates to achieve persistence in an Active Directory environment.
- Extracting NTLM Hashes With User PrivilegesExtracting NTLM hashes without the need for Mimikatz.
- Offensive Security Experienced Penetration Tester (OSEP) ReviewA review of the Evasion Techniques and Breaching Defences course by Offensive Security.
- NTLM Relay AttacksPerforming NTLM relay attacks using SMB and LDAP.
- Pentest One LinersA list of one line commands for Windows to download and execute payloads.
- Credential Interception Using Malicious SMB SharesHow to intercept NTLM-SSP hashed credentials for offline cracking.
- Casino Royale CTF WalkthroughA walkthrough for VulnHub’s Casino Royale CTF.
- GoldenEye CTFA writeup of the VulnHub GoldenEye capture the flag (CTF) challenge.
- Extracting Windows Credentials Using Native ToolsHow to extract credentials from Windows systems using built in commands.
- What You Need to Know About KerberoastingAn overview of Kerbroasting to extract service account credentials.
- Lateral Movement With Named PipesA demonstraton of named pipe communication using Meterpreter.
- Session Enumeration With NetSessionEnum APIHow to take advantage of the NetSessionEnum API to determine remotely logged in users.
- BloodHound by ExampleA demonstration of how BloodHound can be used to exploit Active Directory based networks.
Web Application
- File Upload VulnerabilitiesExploiting file upload vulnerabilities to execute arbitrary code.
- SQL InjectionSQL Injection for MySQL databases.
- XML External Entity Injection (XXE)Exploiting XML parsers.
- Web Content DiscoveryIdentifying web content to launch further attacks.
- Cross Site Scripting (XSS)Injecting malicious code into web applications.
- Hack The Box Certified Bug Bounty Hunter (HTB CBBH)A review of the CBBH course and exam.
- Local File Inclusion (LFI) AttacksExploiting LFI vulnerabilities in web applications.
- Flask Session CookiesDecoding Flask signed session cookies.
- Server Side Template Injection (SSTI)SSTI attacks against Python Flask applications.
Malware Development
- DLL ProxyingUsing DLL’s as a persistence mechanism.
- LLVM ObfuscationSetting up Obfuscator LLVM with Visual Studio 2022.
- Encoding Shellcode as IP AddressesConverting shellcode to look like a series of IP addresses.
- Function Name HashingReplacing existing ROR13 function hash names in shellcode to evade signature based detection.
- Module StompingExecuting Shellcode from the address space of known good DLL’s.
- Callback Shellcode ExecutionExecuting Shellcode using function callbacks.
- Inline Function HookingCreating a C++ DLL to modify a target applications behaviour.
- Disguising Client Side PayloadsWays of making payloads a little less suspicious.
- User Mode APC Queue InjectionUsing user-mode APC functions to execute code in remote processes.
- Sleep MasksWriting sleep masks in x64 assembly.
- Offensive PowerShellUsing GetDelegateForFunctionPointer to execute Win32 API’s from memory in Powershell.
- Reflective DLL InjectionExecuting DLL’s from memory.
- DLL InjectionInjecting DLL’s into remote processes.
- Interacting with Foreign HandlersWriting stagers to interact with foreign C2 frameworks.
- Persistence MechanismsMaintaining access to a target system.
- Password FiltersUsing password filters to intercept logon credentials.
- Keystroke LoggingLogging Keystrokes with SetWindowHookEx.
- Process Mitigation Policies & ACGAttempting to use binary signature policies and arbitrary code guard to bypass userland hooks.
- Parent Process ID SpoofingSupplying arbitrary PPID values to CreateProcess.
- Shellcode ObfuscationEncoding Shellcode for use within malware.
- Import Address TablesHiding IAT entries to evade detection.
- Malicious Nim CodeUsing Nim to write some simple tools.
- System Call ExecutionWriting a process injection tool using direct system calls.
- ClickOnce DroppersCreating a ClickOnce installer for Phishing campaigns.
- NT API Shellcode ExecutionProcess Injection using NtCreateSection and NtMapViewOfSection.
- Access Token ManipulationAssuming other users identities by copying access tokens.
- Shellcode Execution via FibersUsing fibers instead of threads to run shellcode.
- Process Argument SpoofingModifying the Process Environment Block for process argument spoofing.
- Windows Defender Memory Scanning EvasionEvading Windows Defender memory scanning.
- Process InjectionCreateRemoteThread Process Injection in C#
- Unhooking Event Tracing for WindowsBypassing ETW userland hooks.
- Assembly.Load & AMSIBypassing AMSI when using Assembly.Load.
- DNS TunnelingUsing the Domain Name System as a Command & Control mechanism.
- ICMP TunnelingTunneling C2 messages in ICMP traffic.
Exploit Development
- LD_PRELOAD ExploitationUsing LD_PRELOAD for dynamic function hooking and privilege escalation.
- Cyber Apocalypse 2023Cyber Apocalypse CTF 2023 challenge writeups.
- Windows x64 Reverse ShellcodeReverse shells in x64 assembly.
- Windows x64 Shellcode DevelopmentWriting Shellcode for Windows 11.
- Fuzzing Network ProtocolsFuzzing Network Protocols with the BooFuzz Python library.
- Fuzzing with AFL++File format fuzzing with American Fuzzy Lop++.
- Reverse Engineering Network ProtocolsAnalysing Network Protocols to identify vulnerabilities.
- Use After Free VulnerabilitiesExploiting use-after-free vulnerabilities.
- Heap Exploitation: The House of ForceTampering with the top chunk size field for an arbitrary write primitive.
- Ubuntu 20.04 Heap ExploitationExploiting heap corruption on Ubuntu 20.04.
- Heap Thread Cache ExploitationExploiting heap thread caching on glibc 2.26.
- Heap Fastbin ExploitationDouble free exploitation of glibc heap fastbins.
- Dealing with Small Buffer SpaceUsing relative JMP instructions to escape small buffers.
- 64-Bit NX BypassBypassing NX on 64-bit Linux.
- Bypassing DEP & ASLR in LinuxBypassing DEP & ASLR using pointer leakage and return orientated programming.
- Format String ExploitationA quick tutorial on exploiting format string vulnerabilities to read and write memory.
Security Engineering
- x64 Call Stack WalkingWalking an x64 call stack using UNWIND data structures.
- Headless Linux Disk EncryptionUnlocking LUKS encrypted disks remotely.
- Blocking Outbound Docker TrafficBlocking outbound docker traffic using an IPTables firewall.
- PowerShell Constrained ModeA guide to enabling PowerShell constrained mode.
- Kali Linux – Ensuring Traffic is Only Sent via OpenVPNA guide on configuring Kali so all network traffic is routed over an OpenVPN connection.
- Windows 10 Software Restriction PoliciesConfiguring Software Restriction Policies (SRP) in Windows 10.
- Active Directory Honey TokensConfiguring Active Directory honey tokens to detect account enumeration.
- Creating a WPA2 Enterprise Access Point Using LinuxA guide to configure a Linux system as a WPA2 Enterprise wireless access point using an Alpha wireless adapter.
- Windows Domain Authentication With YubiKeyConfiguring YubiKey two factor authenticaton for interactive login to a Windows domain.
Hardware
- Serial Peripheral InterfacesInteracting with SPI to extract the contents of a ROM.
- TEMPEST SDRIntercepting signals from a HDMI monitor.
- UART ConnectionsInterfacing with UART to gain command line access on a embedded device.
- GPS Signal SpoofingFalsifying Global Positioning System signals.
- Configuring an ESP32 in Ubuntu 22.04Getting an ESP32 to work with Ubuntu and Visual Studio Code.
- Getting Started with Bash BunnyStealing credentials using Quick Creds.
Cheat Sheets
- MimikatzA Mimikatz command reference.
- PowerViewA PowerView command reference.
- WinDBGA list of common WinDBG commands.
- MetasploitA Metasploit command reference.
- Configuring KaliAdding additional security auditing tools to Kali.