
66 articles found

Password Security Jan 12, 2025

2024: What KoreLogic Has Been Up To

It's been a busy year! This year we:

#vulnerability-research #passwords #iot #web-security +1 more
Password Security Aug 21, 2021

WMkick - MITM MS-RPC, WMI, WinRM to Capture NetNTLMv2 Hashes

WMkick is a tool we recently released to MITM and capture NetNTLMv2 hashes for some protocols not (yet?) supported by other tools like Responder, such as WMI access to MS-RPC (135/tcp) and Powershell Remoting/WSMan/WinRM (5985/tcp).

#tools #passwords #web-security #networking +1 more
Vulnerability Research Jan 4, 2021

WePresent... vulnerabilities!

This blog post describes an exploit chain to go from a completely unauthenticated attacker to a root shell on a Barco WePresent WiPG-1600. The device was running firmware version 2.5.1.8, which was the latest version available at the time this research was performed. Several vulnerabilities were found, an...

#vulnerability-research #passwords #iot #web-security +1 more
Password Security Jun 28, 2020

Cellebrite Good Times, Come On: Reverse-Engineering Phone Forensics Tools

How can vulnerabilities in technologies used by our judicial system affect the outcome of cases brought to the courts?

#vulnerability-research #tools #forensics #passwords +1 more
Tools & Frameworks Nov 7, 2019

FTimes, KLEL, and File Hooks

This is another blog post in the series showcasing various aspects and controls that can be utilized within the framework. This blog post will focus on using file hooks, a feature that offers the ability to run external programs or scripts on matching files during dig, map, or mad stages.

#tools #forensics #passwords #iot +1 more
Tools & Frameworks Sep 4, 2019

Building FTimes With Lua

This is the next part in a series of blog posts focusing on the open-source tool . This blog post will demonstrate building FTimes with and an embedded Lua interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.

#tools #iot #web-security
Tools & Frameworks Sep 3, 2019

FTimes 3.13.0 Released

Version 3.13.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release includes updated support for file hooks and introduces KLEL-based include/exclude filters.

#tools #iot
Password Security Aug 18, 2019

Unpatched Fringe Infrastructure Bits

Typically during internal network penetration tests, pentesters come across many different types of devices. Much of the focus is likely on the Windows/UNIX-like systems and critical infrastructure devices (e.g., storage, DNS servers, routers, switches, etc.). There are, however, a number of other n...

#vulnerability-research #tools #passwords #iot +1 more
Password Security May 8, 2019

Password Audits - Focus on the Admins

Have you considered adding periodic password audits to your corporate security plan? Compared to the cost of a security breach or standard pentest, periodic password audits are relatively inexpensive (e.g., on the order of $7K/quarter for a single medium-sized domain), yet they shed light on an impo...

#passwords
Tools & Frameworks Apr 24, 2019

Building FTimes With Python3

This is the next part in a series of blog posts focusing on the open-source tool . This blog post will demonstrate building FTimes with XMagic and an embedded Python interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.

#tools #iot
Tools & Frameworks Apr 10, 2019

Building FTimes With Perl

This is a first in a series of blog posts focusing on the open-source tool . This blog post will demonstrate building FTimes with XMagic and an embedded Perl interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.

#tools #iot
Tools & Frameworks Mar 14, 2019

FTimes 3.12.0 Released

Version 3.12.0 is a minor release of . Basically, the various changes, enhancements, additions, and bug fixes that have accumulated over the past few years reached critical mass. Some of the noteworthy changes include: a new option for depth-limited mapping/digging, additional encoding/decoding/tran...

#tools
Tools & Frameworks May 11, 2017

New LibPathWell Release, and an Updated Talk

A couple of weeks ago we released a PathWell update, version 0.7.0, available . I had the pleasure of giving a talk about it at yesterday that highlighted the new features; the slides are . [PDF warning]

#javascript #tools #passwords #web-security
Password Security Oct 9, 2016

Virtual Appliance Spelunking

Hello again and welcome back. Today I want to talk about a Sunday I spent reversing the Cisco Firepower Management Console virtual appliance that resulted in multiple CVEs being issued. The tricks I will show have worked on four or five other virtual appliances from other vendors. Results from those...

#vulnerability-research #tools #passwords #web-security
Password Security Aug 7, 2016

Nothing To See Here, Move Along

Vendors often have interesting ways to facilitate support for their appliances. Today, I'll discuss a few ways we have seen it implemented: one that is vulnerable to exploitation and others that aren't so bad.

#vulnerability-research #passwords
Password Security May 24, 2016

Cracking Grid - Essential Attributes

Here at KoreLogic, we are constantly cracking passwords. It's just one of the things we do. While we haven't made a concerted effort to track it, I'd venture to say that cracking for us is pretty close to a 24/7/365 operation. Between paid cracking engagements and penetration tests, our resident cr...

#tools #passwords #web-security #networking
Vulnerability Research May 18, 2016

LinkedIn Revisited - Full 2012 Hash Dump Analysis

As you may know, a "full" dump of email addresses and password hashes for the Linkedin.com attack that occurred in 2012 has become available. Here at KoreLogic, we got our hands on the list of emails and the separate list of passwords (but nothing linking the two together, which we don't want or need...

#forensics #passwords
Contests & Events Mar 27, 2016

Update on Crack Me If You Can - DEFCON 2016

The team at KoreLogic has had a lot of questions about this year's DEFCON Crack Me If You Can (CMIYC) contest ...

#tools #passwords #contests
Password Security Feb 11, 2016

Hacking an Arris Cablemodem

Welcome to part four in our four-part series on firmware and embedded devices. In our final part, we will discuss a remote root vulnerability in a popular cable modem. A while ago, we were shown the administrator portal for a particular cable modem vendor. Old school, right? Still, what an interestin...

#vulnerability-research #tools #passwords #iot +1 more
Password Security Dec 17, 2015

The importance of access to firmware files

Welcome to the third part of our series! Today I hope to spark a conversation amongst the readers about an important topic in a world filled with IoT: access to device firmware. And not just (at best) encrypted opaque blobs provided for device updates, but usable images that can be deconstructed, ev...

#vulnerability-research #tools #passwords #iot +1 more
Malware Analysis Dec 10, 2015

Unplugging An IoT Device From The Cloud

Hello again and welcome back. This is part two in our four-part series on firmware and embedded devices. Today, I will be discussing home automation and the Internet of Things (IoT). More specifically, I'll be talking about Blossom. Blossom is a cloud-based smart lawn watering system that will 'auto...

#javascript #malware #forensics #passwords +1 more
Password Security Dec 3, 2015

Q: Can I have your password? A: Yes you can.

Hello folks, welcome to the first of a four-part blog mini-series on firmware and embedded devices. My name is Matt Bergin and I'll be guiding you through the series. We plan to release each part of the series on the Friday of each week in December. The release of the final part in our series is dep...

#javascript #vulnerability-research #tools #passwords +1 more
Tools & Frameworks Sep 30, 2015

LibPathWell 0.6.3 Released

I am pleased to announce that a new release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement is now available for download .

#tools #passwords #web-security
Tools & Frameworks Sep 24, 2015

MASTIFF Output Plug-ins

MASTIFF is a living project whose continuous goal is to provide an automated means for static analysis of files. To meet this end, the project has multiple short and long term goals in place. Recently we silently released an update that hit one of the major goals we have been working towards since i...

#javascript #malware #tools #forensics +1 more
Malware Analysis Aug 20, 2015

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #9 - #11

So far I've discussed how and in the contest were solved. In this post, I'll go over the final three puzzles.

#javascript #malware #vulnerability-research #tools +1 more
Malware Analysis Aug 18, 2015

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #5 - #8

, I posted how I solved puzzles #1-#4 of the , sponsored by . In this post, I'll go into how I solved puzzles #5-#8.

#malware #tools #forensics #web-security +1 more
Malware Analysis Aug 16, 2015

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #1 - #4

During Black Hat, of put together a . This CTF consisted of 11 logic and Yara-based puzzles that participants had to solve for a chance to win a DJI Quadcopter. The best part is you could participate in the CTF if you weren't at Black Hat!

#malware #tools #forensics #passwords +1 more
Tools & Frameworks Jul 30, 2015

LibPathWell 0.6.1 Released

I am thrilled to announce the first public release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement. Version 0.6.1 is available for download .

#tools #passwords #web-security #networking +1 more
Security Research Jul 8, 2015

Hacking Team Documents Claim BIOS-based Persistence

A search through the of the information stolen from Hacking Team shows indications that a BIOS-based infection capability was developed as part of the Remote Control System software. This may be the first time a commercial spyware product claims this type of capability.

#tools
Tools & Frameworks Jun 22, 2015

Giles at Black Hat and in the ISSA Journal

The Giles production rule system compiler (which we described ) has gotten some good press lately!

#tools
Tools & Frameworks Jun 18, 2015

MASTIFF Online Updated to Add pyOLEScanner

The MASTIFF Online site was updated on 2015-06-05 which included the following:

#tools #forensics
Digital Forensics Jun 9, 2015

The WebJob Framework: An Endpoint Security Solution

The WebJob framework is a next generation endpoint security solution that, from a centralized management location, can execute virtually any program on an arbitrary number of end systems at any time. This framework has been deployed in a number of production environments including the Federal govern...

#tools #forensics #web-security
Tools & Frameworks May 26, 2015

One Month of MASTIFF Online!

It has been exactly one month since MASTIFF Online was opened, and to celebrate, we have released the next stable version of MASTIFF! Version 0.7.1 includes a large number of bug fixes, as well as some new analysis plug-ins to get more information out of the files you are analyzing. The new version ...

#malware #tools #forensics
Digital Forensics May 17, 2015

What Did CCleaner Wipe?

The use of CCleaner is encountered at times during forensic investigations of computer systems. It has been labeled an "anti-forensics" tool as it has a secure deletion mode where it can overwrite data, filenames, and free space.

#tools #forensics
Tools & Frameworks Apr 26, 2015

MASTIFF Online Free 1.0.0 Released

KoreLogic is pleased to announce the release of MASTIFF Online, a web interface into the open source MASTIFF static analysis framework. With this free online tool, anyone can upload files to be examined by MASTIFF, returning the results within minutes. MASTIFF Online can be accessed at .

#malware #tools #forensics #passwords +1 more
Security Research Mar 23, 2015

SSD Storage - Ignorance of Technology is No Excuse

Digital evidence storage for legal matters is a common practice. As the use of Solid State Drives (SSD) in consumer and enterprise computers has increased, so too has the number of SSDs in storage increased. When most, if not all, of the drives in storage were mechanical, there was little chance of ...

#web-security
Security Research Jan 27, 2015

Windows 2003 Privilege Escalation via tcpip.sys

In my post for today, I will be discussing a vulnerability that I found within the TCP/IP driver as implemented by Microsoft within their Windows 2003 Operating System with Service Pack 2 installed (advisory ). If an attacker has obtained unprivileged access into the operating system, this vulnerability...

#vulnerability-research #tools
Tools & Frameworks Jan 21, 2015

Giles 3.0.0 Released

The Giles production rule system compiler has just been released! It is available for download .

#tools #forensics #iot #web-security
Malware Analysis Jan 11, 2015

Brain Bleeding JavaScript Obfuscation

JavaScript is often used to facilitate web-based attacks. To make analysis more difficult and hide from signature-based systems, attackers will often obfuscate their JavaScript. Fortunately, there are many ways to deobfuscate JavaScript, or at least determine what it is doing. Sometimes, however, yo...

#javascript #malware #tools #forensics +1 more
Malware Analysis Dec 22, 2014

Using Windows Resource Language Codes for Attribution

Since news of the Sony hack broke, a number of reports have been pointing to North Korea as the source of the compromise. Part of the reasoning that North Korea is to blame is undoubtedly because the malware recovered from the compromise, and subsequently on a number of malware analysis websites, ha...

#malware #tools #forensics #passwords +1 more
Vulnerability Research Nov 17, 2014

VMware: "It's not a vulnerability, mmkkkayyy"

During a recent review of the VMware Workstation application, I discovered a method that allows any member of the __vmware__ group to extract arbitrary sections of kernel memory. When you consider the fact that members of this group are not required to already have administrative privileges, this su...

#vulnerability-research
Security Research Nov 4, 2014

im in ur scm, bein a ninja

A few months ago I posted a of some source code repository tampering risks.

Password Security Oct 16, 2014

Password Security Research Featured in the Huffington Post

Check out the recent Huffington Post article by Jeff Fox that talks about the need to "avoid a *little-known* mistake recently uncovered by password researchers" (i.e., the overuse of common password patterns (or topologies) by users as they create their passwords). This article references some of ...

#tools #passwords
Vulnerability Research Oct 6, 2014

Vuln Analysis: Classic write-what-where in XP's BthPan

Recently, we came across the BthPan.sys driver while researching Microsoft's Bluetooth implementation within 32-bit Windows XP (SP3), and after conducting a number of fuzzing tests, we discovered that this driver has a vulnerability known as a write-what-where condition. It should be noted that the ...

#vulnerability-research #tools #forensics
Password Security Oct 1, 2014

CISO's Corner: Password Cracking Best Practices and Myths

Despite repeated breaches of password repositories, most recently the rumored cause of the Apple iCloud celebrity image theft, password-based authentication remains the norm for most users even though solutions like multi-factor authentication offer superior protection. Not only are user accounts at...

#vulnerability-research #tools #forensics #passwords +1 more
Tools & Frameworks Jul 29, 2014

FTimes 3.11.0 Released

Version 3.11.0 is a minor release of . Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release introduces file hooks support for an embedded Python interpreter. Finally, a new tool, ftimes-bimvl, has been added to the proje...

#tools #iot
Tools & Frameworks Jul 21, 2014

KLogTail 1.2.0 Released

Version 1.2.0 is a minor release of . Generally, code was cleaned up and refined as necessary. Several bugs have been fixed; all warning and error messages have been enhanced to facilitate post-processing by log analysis tools; a basic man page has been added; and the project has been completely res...

#tools #forensics
Security Research Jun 25, 2014

Repository Tampering: What You Don't Know Can Hurt You

Consider this security scenario: Attackers gain access to developer or sysadmin accounts. They find and target the revision control system that is used to manage system configurations, internal code, or even software that is shipped to customers. The attackers use the compromised accounts to modify ...

#vulnerability-research #tools
Malware Analysis May 26, 2014

Callback Functions in Malware

Recently, KoreLogic examined a number of malware downloaders that use API callback functions to redirect the flow of execution and make malware analysis more difficult. While this is not a new technique our research did not find many public resources discussing this topic. The purpose of this blog p...

#javascript #malware #forensics
Tools & Frameworks Apr 16, 2014

MASTIFF Updates and Git SSL Issue

Over the last few weeks, a number of updates have been pushed to the dev version of MASTIFF located in the . One of these updates is a major change to the analysis plug-in architecture.

#tools #forensics
Contests & Events Apr 6, 2014

Mini-Crack Me If You Can for ISSW 2014

This weekend at KoreLogic's Crack Me If You Can (CMIYC) team ran a mini-CMIYC contest for the people attending the conference. The prize was a $100 gift card.

#passwords #contests
Password Security Apr 3, 2014

PathWell Topologies

As previously discussed at multiple conferences and in this blog, KoreLogic worked on the PathWell project for the DARPA Cyber Fast Track program. PathWell identifies and blocks common passwords based upon common password topologies and learned user behavior.

#passwords #networking
Tools & Frameworks Mar 24, 2014

MASTIFF in KoreLogic Git Repository

In order to make new development versions of MASTIFF available to the masses, KoreLogic has put MASTIFF in a GitHub repo. This repository can be accessed at or the repository can be cloned with:

#tools
Password Security Jan 8, 2014

ShmooCon Epilogue Prologue: PathWell

On January 20, I will be giving a talk at on PathWell, a project we did last summer. Epilogue is a great event and is much easier to get tickets for than ShmooCon, and I highly recommend it. (And I said that before they accepted my talk ;)

#vulnerability-research #passwords
Security Research Nov 14, 2013

Converting IDA PAT to Yara Signatures

One of the issues when analyzing malicious Linux executables occurs when the executable has been statically linked and the debugging symbols stripped. Since the debugging symbols are stripped, IDA Pro is unable to identify the names of the library functions and we are left to determine the names on ...

#tools #forensics #iot
Tools & Frameworks Oct 29, 2013

MASTIFF on Mac OS X

One of the reasons MASTIFF was written in Python was to give it the flexibility to run wherever it was needed. Linux and other *nix's have been supported since the initial release, but one goal was to have MASTIFF work on Mac OS X. It was suspected that MASTIFF would run without a problem on OS X, b...

#javascript #tools
Contests & Events Sep 3, 2013

CMIYC 2013 Encrypted Challenge Files, Password Creation, and Hints

We've just published details about the Crack Me If You Can 2013 encrypted file challenges : the passphrase for each encrypted file, and the hints that are included in each one.

#tools #passwords #iot #contests
Password Security Aug 11, 2013

Mini-Password Cracking Challenge for LOLBitCoin Party

As a favor to , I supplied a mini password cracking challenge for hackers at DEFCON. It was a small list of NTLM hashes that the teams had to crack. They had no idea what the significance of them was.

#passwords
Contests & Events Aug 7, 2013

CMIYC 2013 Post-game

This is the first of several posts we'll make post-Crack Me If You Can 2013. Later we'll gather things up and add content to the .

#tools #passwords #contests
Password Security Jun 4, 2013

Submerging a GPU Cluster in Mineral Oil

You may have seen the recent article on . We (Rick Redman and Dale Corpron, KoreLogic consultants) dipped a computer in oil, and left it there, running, 24x7.

#tools #forensics #passwords #web-security +1 more
Contests & Events May 8, 2013

Crack Me If You Can 2013 Is On!

It's official, will definitely be back for DEFCON 21 in August.

#passwords #contests
Tools & Frameworks Apr 18, 2013

MASTIFF 0.6.0 Released

The latest version of MASTIFF, 0.6.0, has just been released! Run over to the and !

#tools #forensics #passwords
Tools & Frameworks Mar 31, 2013

FTimes 3.10.0 Released

Version 3.10.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release includes updated support for file hooks and introduces KLEL-based XMagic. Consequently, the minimum required version of li...

#tools
Digital Forensics Feb 14, 2013

KLEL 1.1.0 Released

The latest version of KLEL, 1.1.0, has just been released! It's available for download at its .

#tools #forensics #iot