Tuesday, September 29, 2009

Cracking the Perimeter

Mati has taken a group of difficult security subjects that have not been well published and broken them down into a well-presented format that was easy to follow. With the use of the online labs you were able to go through each step and recreate the exploit without any issue, and whenever one appeared Mati and Matteo were more than willing to help.

The registration requires the applicant to gain access to fc4.me and send the registration details over to the course team. This in itself is challenging, but it makes the applicant aware of what is expected of them before they attend the course.

The course begins with two 0day web exploits that cover XSS and PHP (directory traversal), then leads on to adding payloads to executables and bypassing antivirus scanners, followed by the more serious application 0day exploit development using Perl and Python, which includes bypassing ASLR and protected buffers. I would recommend brushing up on assembly language and learning socket programming before attending; however, everything is well explained, with the odd piece missing to get the student to think for themselves.

The exam is the most challenging I have encountered and required more pots of coffee than coffee beans can be produced for, and at the end you will be bleary-eyed for days afterwards. But instead of giving away any more, I would recommend signing up for this course.

CTP is an advanced course that will require a LOT of time, effort, sweat, tears and TRY HARDER... however, after completing the course and the exam you will feel more than confident taking on any pentest or exploit development, and you won't be left with just a bit of paper with no value.

Regards,
Chris Sweeney
www.swanatech.net
(MCSE, Linux+, MCITP (Enterprise), CCNA, CSTA, CSTP, OSCP, OSCE)

Sunday, August 30, 2009

Active Directory (SYSVOL) restore using BurFlags


I have had to use this several times to do an authoritative restore of SYSVOL in AD. BurFlags tells the File Replication Service (FRS) how to rebuild its replica set the next time it starts; it does not touch the AD database itself, and it only applies while SYSVOL is still replicated by FRS rather than DFS-R. Stop Netlogon and the File Replication Service (NtFrs) on every DC in the domain, then set the BurFlags registry value (see below) on every DC. The DC whose SYSVOL copy you trust, here the PDC emulator (it can be any DC, but there must be exactly one), gets D4, which makes its copy authoritative; every other DC gets D2, which makes it discard its own copy and pull SYSVOL from the D4 source. Only then start Netlogon and the File Replication Service again, on the D4 DC first and on the D2 DCs once the authoritative SYSVOL is shared.


Action

======
The %domainname% child domain is getting morphed folders (folders renamed to name_NTFRS_<8 hex digits>) in SYSVOL on all domain controllers.

RESULT
=======
FRS replication is failing between the domain controllers.

CAUSE
=======
-NA-

RESOLUTION
===========
1. The ISTG is enabled, yet most of the domain controllers have manually created connection objects.
2. Connected to every domain controller in %domainname% one by one, removed all the manual connection objects and ran repadmin /kcc to recreate the topology.
3. Removed the morphed _NTFRS_ folders from SYSVOL.
4. Stopped the NtFrs service on all the domain controllers.
5. Located the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
and set the REG_DWORD value BurFlags (hexadecimal) as follows:
D4 on the PDC (authoritative, exactly one DC)
D2 on all other domain controllers (non-authoritative)
then started the NtFrs service.
6. SYSVOL started replicating to all domain controllers, but on two of them it still did not.
7. Connected to those two and saw that they had no connection object at all.
8. Created a manual connection object, let replication run, waited 5 minutes, then removed the connection object and ran repadmin /kcc.
9. An automatic connection object was created.
10. Stopped the NtFrs service, set D2 again and started the service.
11. Issue resolved.
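The procedure above, scripted end to end, as an added example that is not part of the original post. It assumes an FRS-replicated SYSVOL, a Domain Admin account, the ActiveDirectory PowerShell module and WinRM (Invoke-Command) on every DC; the hostname dc01.child.example.com is a placeholder, and Wait-SysvolReady is a helper written here, not a built-in cmdlet. Two details the step list glosses over are handled explicitly: the key name contains a literal "/" (Backup/Restore), which the PowerShell registry provider would read as a path separator, so the value is written through the .NET Registry API; and the D2 DCs are only started after the D4 DC has logged FRS event 13516, which is the event that says SYSVOL has been rebuilt and shared.

```powershell
# Added example, not from the original post: BurFlags authoritative SYSVOL restore.
# Assumptions: FRS-replicated SYSVOL, Domain Admin, ActiveDirectory module, WinRM on
# every DC. The hostname below is a placeholder; pick the DC whose SYSVOL is known good.
#Requires -Modules ActiveDirectory

$Authoritative = 'dc01.child.example.com'   # assumed; this DC gets D4, all others get D2

$dcs = (Get-ADDomainController -Filter *).HostName
if ($dcs -notcontains $Authoritative) { throw "$Authoritative is not a DC in this domain" }
$others = $dcs | Where-Object { $_ -ne $Authoritative }

# The subkey is literally named "Backup/Restore". The PowerShell registry provider
# treats '/' as a path separator, so Set-ItemProperty cannot address it; use .NET instead.
$setBurFlags = {
    param([int]$Flag)
    $path = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
    if (-not $key) { throw "BurFlags key missing on $env:COMPUTERNAME" }
    $key.SetValue('BurFlags', $Flag, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    '{0}: BurFlags=0x{1:X}' -f $env:COMPUTERNAME, $Flag
}

# Helper (written for this example): FRS logs event 13516 once SYSVOL is rebuilt and shared.
function Wait-SysvolReady {
    param([string]$Computer, [datetime]$Since, [int]$TimeoutMinutes = 20)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $ev = Get-EventLog -ComputerName $Computer -LogName 'File Replication Service' `
                  -After $Since -Newest 200 -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 13516 }
        if ($ev) { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}

$started = Get-Date

# 1. Stop FRS on every DC before changing any flag, so nothing replicates a half-set state.
Invoke-Command -ComputerName $dcs -ScriptBlock { Stop-Service -Name NtFrs -Force }

# 2. Exactly one D4 (0xD4, authoritative); D2 (0xD2, non-authoritative) on all the rest.
Invoke-Command -ComputerName $Authoritative -ScriptBlock $setBurFlags -ArgumentList 0xD4
Invoke-Command -ComputerName $others        -ScriptBlock $setBurFlags -ArgumentList 0xD2

# 3. Start the authoritative DC first and wait until its SYSVOL is shared again.
Invoke-Command -ComputerName $Authoritative -ScriptBlock { Start-Service -Name NtFrs }
if (-not (Wait-SysvolReady -Computer $Authoritative -Since $started)) {
    throw "No FRS event 13516 on $Authoritative yet; do not start the D2 DCs"
}

# 4. Only now start the D2 DCs; each discards its local copy and pulls from the D4 source.
Invoke-Command -ComputerName $others -ScriptBlock { Start-Service -Name NtFrs }
foreach ($dc in $others) {
    if (Wait-SysvolReady -Computer $dc -Since $started) {
        "{0}: SYSVOL rebuilt (event 13516)" -f $dc
    } else {
        "{0}: not ready; check the FRS log and its connection objects" -f $dc
    }
}

# 5. FRS follows the AD replication topology, so a DC with no inbound connection object
#    never receives SYSVOL (steps 6-9 above). Rerun the KCC and list DCs with no partners.
foreach ($dc in $dcs) { repadmin /kcc $dc | Out-Null }
foreach ($dc in $dcs) {
    $partners = repadmin /showrepl $dc /csv | ConvertFrom-Csv
    if (-not $partners) { "{0}: no inbound replication partners" -f $dc }
}
```

Run it from a management host in the same forest; if a D2 DC never logs 13516, fix its connection object as in steps 7-10 and set D2 once more before restarting NtFrs on that DC only. Never set D4 on a second DC while the first is still authoritative, since two authoritative copies produce exactly the morphed folders this note started with.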
References
=========
FRS
------
1. Using the BurFlags registry key to reinitialize File Replication Service replica sets
2. How to force a non-authoritative restore of the data in the Sysvol folder on a domain controller in Windows 2000 Server and in Windows Server 2003
3. Troubleshooting journal_wrap errors on Sysvol and DFS replica sets