{"id":9861,"date":"2013-03-14T17:50:14","date_gmt":"2013-03-14T16:50:14","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9861"},"modified":"2013-03-14T17:50:14","modified_gmt":"2013-03-14T16:50:14","slug":"blackhateu2013-day-1-to-dock-or-not-to-dock","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/","title":{"rendered":"BlackHatEU2013 - Day 1 - To dock or not to dock"},"content":{"rendered":"<p>Time flies ! \u00a0After hanging out with @repmovsb and @botherder, it's time for the last talk of the day. \u00a0In the \"To dock or not to dock, that is the question\" talk, <a href=\"http:\/\/www.blackhat.com\/eu-13\/briefings.html#Davis\">Andy Davis<\/a>, research director at NCC Group shares his research around using laptop docking stations as hardware-based attack platforms.<\/p>\n<h3>Why docking stations as an attack platform?<\/h3>\n<p>Docking stations sit in an important position - they have access to all the ports and provision additional interfaces that may not be available on the laptop itself. They are commonly used in \"hot-deskting\" environment and thus might be used by different laptops every day. \u00a0They are permanently powered on and to the network. \u00a0IT Admins and users consider these to be \"dumb\" and trusted devices and treat them as \"passive\" and anonymous. \u00a0If a docking is broken, it can be easily replaced (with a device that has been 'prepared' by the attacker, for example).<\/p>\n<p>Encrypted data is decrypted at the laptop and is therefore accessible in the clear, including from the dock perspective. \u00a0Andy believes this is a realistic threat.<\/p>\n<h3>How do docking stations work ?<\/h3>\n<p>Andy mentions that he's using a Dell E-Port Plus (PRO2X) docking station, which is why he has performed the research on that particular device. \u00a0The EPORT extends all interfaces and provisions a number of additional devices (additional USB ports through an internal USB hub, as well as a DisplayPort). \u00a0It has a passive Ethernet switch. The laptop ethernet port gets disabled\/disconnected when docket.<\/p>\n<p>There's not a lot of public information available about the inner workings of the station, so Andy had to do research of his own to figure out how it actually works and what the functionality is of the various components placed on the device circuit board. \u00a0By default, the dock is extended, allowing you to use a large laptop battery. \u00a0This also gives room for additional \"features\".<\/p>\n<h3>What would a hardware implant do ?<\/h3>\n<p>Potential attack vectors or purposes might include:<\/p>\n<ul>\n<li>capture data from connected laptop via interfaces<\/li>\n<li>insert data, emulating devices<\/li>\n<li>exfiltrate stolen data via an out-of-band channel<\/li>\n<li>identify when different laptops are connected<\/li>\n<li>remain as stealthy as possible<\/li>\n<\/ul>\n<h4>Passive (non-powered) network tapping<\/h4>\n<p>Two interfaces may be required (one for each direction). To make this work, you'll need to think about downgrading speed on Gigabit networks to avoid that it would send\/receive data simultaneously. Passive network tapping is stealthy but not effective against encrypted protocols. \u00a0The Dell docking station allows you to connect the additional tap at the bottom of the circuit board, where the ethernet\/Usb module is placed.<\/p>\n<h4>Active network attack<\/h4>\n<p>If you're not concerned about being stealthy, because you want to launch attacks against the network, you'll need more space inside the device because you'll need to add some kind of ethernet hub inside the docking. \u00a0It requires more engineering, because it needs to be inline in between the laptop and the dock. \u00a0Of course, this won't be stealthy because as soon as you generate traffic, a new device will be detected on the network<\/p>\n<h4>Passive video monitoring<\/h4>\n<p>This might allow you to periodically grab screenshots of what is displayed on the screen. \u00a0It's very stealthy and all you need to pull it off is a VideoGhost VGA video monitor cable, which has a USB connector allowing you to connect a USB mass storage device to store the images. \u00a0Unfortunately, the via connector is part of a bigger module, which includes a parallel port. \u00a0To insert the attack, you'll have to take the module apart, which complicates matters.<\/p>\n<h4>USB \/ \u00a0PS\/2 Keyboard monitoring<\/h4>\n<p>Hardware keyloggers have been around for many years; and PS\/2 might sometimes still be useful in \"hardened\" environments. \u00a0In fact, a PS\/2 tap would actually be easier, because the pins are easily accessible on the circuit board. \u00a0 In any case, if you're able to insert something, you can also insert keystrokes (Arduino) when the laptop is unlocked. \u00a0Of course, if someone is looking at the screen, you would see (suspicious) activity.<\/p>\n<h4>Audio monitoring<\/h4>\n<p>Sensitive company presentations may be delivered via streamed media. \u00a0Increasingly more companies are using VOIP with soft phones. Even with strong network encryption, the audio socket will give you plain analog audio\u2026 \u00a0assuming that the audio mini-jack is used rather than USB. \u00a0If that is the case, tapping the audio can be done easily, the pins are very easily accessible<\/p>\n<h4>Webcam\/USB monitoring<\/h4>\n<p>Laptop webcams are usually directly connected into the internal USB bus of the laptop. \u00a0If we can tap the upstream USB bus, we can capture the traffic, which may include web\/video conferences. \u00a0Of course, data needs to be decoded. \u00a0This might be useful to check if someone is present in the office or at the device. \u00a0 Instead of tapping the USB port directly on the port, just tap into the USB controller to tap the upstream ports, which gives you access to all USB traffic on the USB bus\u2026 on any USB device. \u00a0 Pins can be accessed quite easily.<\/p>\n<h4>Proprietary Dock connector<\/h4>\n<p>The 144 pin proprietary connector attached to current versions of the connector are no longer publicly documented, but there is still information available for the older C-series. \u00a0Andy mentions that more works needs to be done in order to properly reverse engineer this connector.<\/p>\n<h3>The Control Platform<\/h3>\n<p>The attack implant needs to be small enough to fit into the dock and needs to be configurable enough. \u00a0It needs to be powerful enough (so we can decode, etc) and remotely controllable via an out-of-band communications channel. \u00a0 Andy continues to explain that his control platform, named \"SpyFi\" is based on a Raspberry Pi (model B, based on an ARM 11 processor), running Linux. \u00a0In addition to the Raspberry Pi, we need one additional USB Ethernet adapter and a USB sound card. \u00a0An Arduino might be required as well to do additional keystroke injection, if necessary. \u00a0A USB 3G modem would be perfect as an out-of-band communication mechanism to either store-and-forward data at certain points in time, or provide a realtime shell.<\/p>\n<p>Andy continues to demonstrate how he took apart the docking station to fit in the Raspberry Pi and all additional components.<\/p>\n<p>Of course, the Raspberry Pi needs to be connected to a permanent power supply. \u00a0The DC voltage provided by the power supply of the docking is +19.5V, the Rasberry Pi needs +5V. \u00a0In any case, the docking station contains sufficient space to fit in all elements.<\/p>\n<h3>Detecting Hardware Implants<\/h3>\n<ul>\n<li>Passive networking: \u00a0You might notice the speed downgrade if you're used to be connected to a Gigabit ethernet port.<\/li>\n<li>Active network attack: Shows up a new MAC address on the network.<\/li>\n<li>Keystroke insertion: easily visually spotted<\/li>\n<li>Weight: the device is slightly heavier. \u00a0 Simple technique but\u2026 labour intensive and weight could be manipulated by removing weight to offset the added weight of the additional electronics<\/li>\n<li>Heat: the infrared heat signature should highlight additional electronics inside the docking. \u00a0Simple and will clearly reveal the place that contains additional electronics. It still is labour-intensive and thermal shields could be used to further hide the implant.<\/li>\n<li>RF emanations: if you're using a 3G\/HSPA modem, you may be able to pick up signals coming from the docking station. \u00a0It does require specialist equipment and there might be other devices using the same frequency range (legitimate 3G connector in the device, phone, etc)<\/li>\n<li>Current consumed: Any additional electronics are going to increase the current consumption, but it requires very accurate measurement, which is labour-intensive. \u00a0On top of that, there may be variations in the baseline current drawn by a dock.<\/li>\n<\/ul>\n<h3>Attack Mitigation<\/h3>\n<ul>\n<li>To prevent the implants from working or being installed in the first place:<\/li>\n<li>Port level filtering on the switch will help detecting an active adapter<\/li>\n<li>Ensure confidential data is encrypted<\/li>\n<li>Physically secure all docking stations<\/li>\n<li>Use anti-tamper seals<\/li>\n<li>Use RF shielding to prevent the implant from communicating<\/li>\n<\/ul>\n<h3>Future Research<\/h3>\n<ul>\n<li>More work needs to be done to figuring out what can be achieved via the dock connector<\/li>\n<li>Look at some other docking stations to identify different capabilities<\/li>\n<li>Survey corporates to discover if they have encountered any dock \"incidents\". \u00a0A survey in the audience shows that nobody really considered this type of attack could\/might have been deployed at their company<\/li>\n<\/ul>\n<h3>Conclusions<\/h3>\n<p>Laptop docking stations are widely used and trusted. \u00a0Attackers have a history of using hardware-based attacks (key loggers), so docking stations may be next. \u00a0There are a couple of techniques available to detect hardware implants (with thermal cameras probably being the best one), but the best approach is to try to avoid that someone would be able to tamper with the docking station. (physical security, anti-tamper stickers). \u00a0Of course, using smaller-sized docking stations would also make it more complex (not impossible) to insert the implant.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Time flies ! \u00a0After hanging out with @repmovsb and @botherder, it's time for the last talk of the day. \u00a0In the \"To dock or not to dock, that is the question\" talk, Andy Davis, research director at NCC Group shares his research around using laptop docking stations as hardware-based attack platforms. Why docking stations as &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"BlackHatEU2013 - Day 1 - To dock or not to dock\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2250],"tags":[2681,262,261],"class_list":["post-9861","post","type-post","status-publish","format-standard","hentry","category-cons-seminars","tag-blackhat","tag-corelan-team","tag-corelan"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>BlackHatEU2013 - Day 1 - To dock or not to dock - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BlackHatEU2013 - Day 1 - To dock or not to dock - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Time flies ! \u00a0After hanging out with @repmovsb and @botherder, it&#039;s time for the last talk of the day. \u00a0In the &quot;To dock or not to dock, that is the question&quot; talk, Andy Davis, research director at NCC Group shares his research around using laptop docking stations as hardware-based attack platforms. Why docking stations as &hellip; Continue reading &quot;BlackHatEU2013 - Day 1 - To dock or not to dock&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2013-03-14T16:50:14+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2013\\\/03\\\/14\\\/blackhateu2013-day-1-to-dock-or-not-to-dock\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2013\\\/03\\\/14\\\/blackhateu2013-day-1-to-dock-or-not-to-dock\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"BlackHatEU2013 - Day 1 - To dock or not to dock\",\"datePublished\":\"2013-03-14T16:50:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2013\\\/03\\\/14\\\/blackhateu2013-day-1-to-dock-or-not-to-dock\\\/\"},\"wordCount\":1473,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"blackhat\",\"corelan team\",\"corelan\"],\"articleSection\":[\"Cons and Seminars\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2013\\\/03\\\/14\\\/blackhateu2013-day-1-to-dock-or-not-to-dock\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2013\\\/03\\\/14\\\/blackhateu2013-day-1-to-dock-or-not-to-dock\\\/\",\"name\":\"BlackHatEU2013 - Day 1 - To dock or not to dock - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2013-03-14T16:50:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2013\\\/03\\\/14\\\/blackhateu2013-day-1-to-dock-or-not-to-dock\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2013\\\/03\\\/14\\\/blackhateu2013-day-1-to-dock-or-not-to-dock\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2013\\\/03\\\/14\\\/blackhateu2013-day-1-to-dock-or-not-to-dock\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BlackHatEU2013 &#8211; Day 1 &#8211; To dock or not to dock\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BlackHatEU2013 - Day 1 - To dock or not to dock - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/","og_locale":"en_US","og_type":"article","og_title":"BlackHatEU2013 - Day 1 - To dock or not to dock - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"Time flies ! \u00a0After hanging out with @repmovsb and @botherder, it's time for the last talk of the day. \u00a0In the \"To dock or not to dock, that is the question\" talk, Andy Davis, research director at NCC Group shares his research around using laptop docking stations as hardware-based attack platforms. Why docking stations as &hellip; Continue reading \"BlackHatEU2013 - Day 1 - To dock or not to dock\"","og_url":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2013-03-14T16:50:14+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"BlackHatEU2013 - Day 1 - To dock or not to dock","datePublished":"2013-03-14T16:50:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/"},"wordCount":1473,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["blackhat","corelan team","corelan"],"articleSection":["Cons and Seminars"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/","url":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/","name":"BlackHatEU2013 - Day 1 - To dock or not to dock - Corelan | Exploit Development &amp; Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2013-03-14T16:50:14+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2013\/03\/14\/blackhateu2013-day-1-to-dock-or-not-to-dock\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"BlackHatEU2013 &#8211; Day 1 &#8211; To dock or not to dock"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":2542,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=9861"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9861\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=9861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=9861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=9861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}