Research Blog

Executive Summary NCC Group is pleased to open source a new tool built to help Red Teams log their activity for later correlation with the Blue Team’s own logging. What started as a simple internal web based data-collection tool has grown to integrate with Cobalt Strike and BloodHound to improve the accuracy and ease of […]

This article is an attempt at cataloging all the types of bitcoin transaction locking scripts, their prevalence and their security implications. The data presented in this article was lifted directly from the bitcoin blockchain, which required custom code to quickly iterate over the entire blockchain (over 450 GB at the time of writing). The tool […]

Different forms of DNS rebinding attacks have been described as far back as 1996 for Java Applets and 2002 for JavaScript (Quick-Swap). It has been four years since our State of DNS Rebinding presentation in 2019 at DEF CON 27 (slides), where we introduced our DNS rebinding attack framework Singularity of Origin. In 2020, we […]

Readable Thrift makes binary Thrift protocol messages easy to work with by converting them to and from a human-friendly format. This makes manual analysis of and tampering with binary format Thrift messages just as easy as working with plaintext protocols like HTTP. The library is implemented in Java, enabling integration with extensions for popular web […]

xendbg is a full-featured debugger for both HVM and PV Xen guests. It can act as a stub server for LLDB, allowing users to do their work in a familiar environment, and also provides a standalone REPL with all the standard comfort features of popular debuggers: contextual tab-completion, expressions, and variables. While there are indeed some […]

Singularity of Origin is a robust and easy-to-use tool to perform DNS rebinding attacks. It consists of a DNS and a web server, a web interface to configure and launch an attack, and sample attack payloads. We plan to support this tool and continue to add features and payloads. Singularity is open source and is […]

It has been known for a while that deserialisation of untrusted data can often lead to serious security issues such as code execution. However, finding such issues might not be a trivial task during time-limited penetration testing. As a result, NCC Group has developed a Burp Suite extension called Freddy [1] to automatically identify deserialisation issues […]

Sobelow, released in 2017, is the first security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Over the last year, Sobelow has been consistently […]

House is an open source web application that simplifies the testing process with Frida. With House, security researchers can easily generate Frida scripts to perform various tasks including enumeration, function hooking and intercepting. It also provides an easy-to-use web UI for researchers to generate, customise, and manage their Frida scripts. House is currently focused on Android […]

How can we quickly identify which users and roles have access to a given action (and resource) in an AWS account? Erik Steringer built the Principal Mapper (pmapper) as the answer to that question. It uses the existing simulator APIs to determine which users and roles have access to each other. It provides a query […]