Thoughts on Zero-Point Security's Red Team Ops course

October 24, 2022

This weekend I successfully completed the Red Team Ops exam offered by Zero-Point Security and Rasta Mouse. This is a red team training course with a focus on exploiting misconfigurations within an Active Directory environment. Completing the lessons earns you a certificate, so if that’s all you want, then you can stop there. However, if you really want to challenge what you’ve learnt, you’ll definitely want to take on the exam.

Cyber Apocalypse CTF 2021 Pwn Solutions

April 26, 2021

HackTheBox ran the Cyber Apocalypse CTF over a five day period. There were a lot of different challenges, but I joined for the sole purpose of just solving the Pwn category during my free time. Of the five challenges in the Pwn category, I solved four challenges during the CTF, and solved the last one the day after the CTF ended. I’ve listed my solution to all five challenges in this post.

The Omega2+ as a network implant

March 29, 2020

Some time ago in 2016 I backed a Kickstarter for the Omega2 board. This is a tiny Linux powered computer meant for IoT development. I had plans to make cool things with it at the time, but the reality of it was that the Omega2+ ended up in my closet to be forgotten. Fast forward to 2020, we’re in the middle of a pandemic, I’m on vacation looking for things to do, and now seemed like a good time to put the Omega2+ to use.

Raven hacking challenge

November 8, 2018

Raven is another boot2root challenge currently available for download at VulnHub. One of the cool things about Raven is it’s actually kind of realistic and a fairly easy challenge, which makes it a great boot2root for learning how to hack. I had been wanting to do a sort of tutorial for beginners for a while now, and I think Raven is a good challenge to do this writeup on. So unlike my previous writeups where I just mention the tools or techniques I use to escalate to root privileges, I’ll spend more time in this one talking about my thought processes, and my failures. Just in case anyone thinks it takes me 5 minutes to solve these challenges, it doesn’t. There’s a lot of swearing, and red herrings along the way.

Ch4inrulz hacking challenge

August 19, 2018

I had some extra free time this weekend so I picked a random boot2root from VulnHub. The lucky challenger was ch4inrulz, a boot2root made for Jordan’s Top Hacker 2018 CTF. The difficulty level is rated as intermediate. Perfect, let’s-a-go as Marios are wont to say.

Wakanda hacking challenge

August 10, 2018

It’s been a while since I’ve played with a VulnHub boot2root. Several new ones were recently pushed out, and having some free time on my hands, I decided to give Wakanda a go. This VM contains three flags and was listed as having an intermediate difficulty level. Challenge accepted!

STEM Cyber Challenge 2018: Keygenme

April 21, 2018

I got a chance to play a bit of the STEM Cyber Challenge 2018 CTF over the weekend. This one is called keygenme, a 400 point reverse engineering challenge. Like its name suggests, the binary prompts for input and runs some checks on it to determine if it’s a valid key.

DC416 Introduction to 64-bit Linux Exploit Development: vuln03 Solution

February 23, 2018

I had an awesome time presenting a workshop on an introduction to Linux binary exploitation at Defcon Toronto. As part of the workshop, I sent attendees home with a challenge binary called vuln03 to be solved at their own time using the information they learned. vuln03 came with a SUID root version called rootme that would pop a rootshell if correctly exploited. This is a writeup on how to reverse engineer this binary and figure out how to exploit it. If you’re stuck trying to solve it, or if you’ve solved it and just want to compare notes, keep reading!

Solving 67k binaries with r2pipe

March 20, 2017

This was a 400 point reverse engineering challenge from EasyCTF 2017. We’re given a zip file containing 67,139 small programs starting from 00000.exe to 10642.exe. The idea is to solve each one in order and to join their output. The end result would lead to the flag. Here’s the challenge description:

Codegate Prequalifiers 2017: Angrybird

February 11, 2017

I managed to put in a few hours playing Codegate Prequalifiers this year and scored a couple of flags. One of the challenges I solved was angrybird, which required using Angr. I had recently been reading up on Angr over the last couple of weeks so I was quite excited to try out what I had learned.

Mr. Robot hacking challenge

September 8, 2016

Time for another boot2root! I’m a fan of the Mr. Robot TV series, so I was looking forward to giving this one a go. It’s been out for a while now and can be downloaded from VulnHub. This challenge is based off the TV show and contains three flags. To ensure I was in the proper mood, I put on the Mr. Robot Soundtrack, dimmed the lights, kept my power drill beside me, and fired up the official Mr. Robot hacking OS: Kali Linux.

Tommy Boy hacking challenge

September 7, 2016

I started this right after I finished Necromancer, and it took much longer than I had expected. Lots of trolls along the way, and a bit too much brute-forcing for my liking. Good beginner level challenge, go grab it on VulnHub if you want to take it for a spin.

Necromancer hacking challenge

September 4, 2016

During the Labour Day long weekend I decided to download a handful of VulnHub boot2roots. I had heard some good things about Necromancer, so I thought I’d give it a shot! It’s marked as a beginner level, but I started to realize that it was quite different from most boot2roots I’d tackled in the past.

The Pentesters: 64-Bit AppSec Primer (Beta) hacking challenge

August 16, 2016

I was quite excited when this VM was posted on VulnHub and downloaded it right away. Exploiting and reverse engineering 64-bit binaries, and you get a chance to win a prize? Sign me up! Unfortunately I started to lose motivation when I found out that the author accidentally pushed out the beta version of the VM which includes errors such as ASLR being left on, and a challenge being unsolvable, among possible other bugs.

Milnet hacking challenge

June 2, 2016

It’s been a while since I’ve done one of these. Milnet is the latest VM uploaded to VulnHub, and is a beginner level challenge. Not having anything to do at midnight, I decided to give it a shot, if not to kill some time before crashing. You can grab Milnet here.

64-bit Linux stack smashing tutorial: Part 3

March 18, 2016

It’s been almost a year since I posted part 2, and since then, I’ve received requests to write a follow up on how to bypass ASLR. There are quite a few ways to do this, and rather than go over all of them, I’ve picked one interesting technique that I’ll describe here. It involves leaking a library function’s address from the GOT, and using it to determine the addresses of other functions in libc that we can return to.

Radare 2 in 0x1E minutes

March 8, 2016

Radare is an open source reversing framework. It comes with a ton of options, functionality, and a somewhat daunting learning curve. I primarily use it for CTF challenges, and I love that I can run it on a terminal alongside GDB without requiring a GUI. It’s a powerful tool, and so I’ve come up with this guide to give people a kick start to the path of reversing with Radare. We’ll go through a workflow to reverse engineer a simple binary with Radare to get you familiar with some of Radare’s features.

Fristileaks hacking challenge

December 15, 2015

Fristileaks is the latest addition to VulnHub’s list of ever growing boot2roots. It’s authored by Ar0xA, and the goal is to get root and read the flag. As far as difficulty, I found it to be relatively easy making it great for those who are just starting out with hacking.

Brainpan 3 solution

October 13, 2015

It’s been a little over 3 months now since Brainpan 3 was first released. I offered stickers to those who could solve the challenge and I was not disappointed with the results! Some brilliant folks out there solved it in some very interesting ways. Since I’ve already given away all the stickers, I figured I’d go ahead and share my solution for the challenges. This won’t be a step-by-step walkthrough. If you want a full walkthrough, you’ll find some great ones here.

A ROP Primer solution 64-bit style

October 9, 2015

It turns out I’ve been blogging for 6 years as of today. To celebrate, here’s a writeup on 64-bit ROP exploitation! It’s a revisit of barrebas’s awesome ROP primer, but compiled for 64-bit. This isn’t an official boot2root, just something I decided to do on my own for fun. barrebas provides the source code for each of the challenges in his ROP Primer so it’s just a matter of compiling it on a 64-bit system.

A ROP Primer solution

August 19, 2015

So a while back, barrebas from our VulnHub CTF Team decided to give us a primer on Return Oriented Programming (ROP). It was a great session and he went on to give the workshop at BSides London, which I hear was well received. Anyway, to accompany the workshop, he created a VM challenge containing three binaries that you get to practice exploiting using ROP. You can grab the VM at https://www.vulnhub.com/entry/rop-primer-02,114/. I meant to do this ages ago, but procrastination, plus CTFs, plus work kind of put it on the shelf. So finally, I got bits of free time to work on it and here’s my writeup on the challenges.

Brainpan 3 hacking challenge

July 27, 2015

Brainpan 3 is finally here! If you’ve completed the previous Brainpan releases, then you’ll know what to expect. This time round, I’ve made it a tad bit more challenging so get your caffeine shots ready!

Simplifying format string exploitation with libformatstr

July 1, 2015

libformatstr is a library created by hellman with the intention of simplifying format string exploitation. The GitHub repository can be found here. It’s been around since 2012 but I haven’t been able to find many tutorials on it. I have seen CTF writeups that use it though, so I decided to take the time to do a short writeup on it for my own reference.

64-bit Linux stack smashing tutorial: Part 2

April 21, 2015

This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64-bit binary using a classic stack overflow and learned that we can’t just blindly expect to overwrite RIP by spamming the buffer with bytes. We turned off ASLR, NX, and stack canaries in part 1 so we could focus on the exploitation rather than bypassing these security features. This time we’ll enable NX and look at how we can exploit the same binary using ret2libc.

64-bit Linux stack smashing tutorial: Part 1

April 10, 2015

This series of tutorials is aimed as a quick introduction to exploiting buffer overflows on 64-bit Linux binaries. It’s geared primarily towards folks who are already familiar with exploiting 32-bit binaries and are wanting to apply their knowledge to exploiting 64-bit binaries. This tutorial is the result of compiling scattered notes I’ve collected over time into a cohesive whole.

Sokar hacking challenge

February 8, 2015

To commemorate their second birthday, VulnHub is holding another competition with the promise of prizes for those who are chosen as winners! The challenge is Sokar, a nefarious boot2root created by rasta_mouse which features a nice balance of frustration and satisfaction. For more details about the competition, head over to VulnHub’s blog post. I spent a couple of hours each evening after work to poke away at Sokar until I finally solved it. This post contains my walkthrough.

OverTheWire: Behemoth writeup

January 21, 2015

While killing time waiting for the next CTF, a handful of us from Team VulnHub decided to have a go at OverTheWire’s Behemoth challenges. I hadn’t played Behemoth before and found it pretty fun. The game is described as:

Pegasus hacking challenge

January 4, 2015

Happy 2015! With the holidays and merry making out of the way, it was time to resume hacking boot2roots and CTFs. To start off the new year is Pegasus, by TheKnapsy. I actually started this challenge a week before Christmas, but after getting a foothold on the target, I put it on hold to prepare for the holidays and unplug for a few days. Today I finally got around to loading it up again and finishing it off. I recommend having a go at it, so grab it from VulnHub.

The Offensive Security Playground: A review

December 6, 2014

A couple of years ago I successfully completed the Offensive Security Pentesting with Backtrack (PWB) course, and a year after that, the Cracking the Perimeter (CTP) course. Having a huge lab made up of different machines in different subnets to break into is just a great challenge. When I completed the courses, I was a little saddened that I’d no longer get a chance to poke at the labs. So you can imagine my excitement when I was asked if I’d like to beta test Offensive Security’s latest offering: The Playground.

Knock-Knock hacking challenge

October 16, 2014

For the last few weeks I had immersed myself in several CTFs with team VulnHub. It was a nice change to return to boot2roots after tackling small and difficult challenges. This time round, it’s Knock-Knock by zer0w1re. Much like other boot2roots, the goal is to get root, and find the flag. As always, head over to VulnHub to download it and have a go.

OwlNest hacking challenge

September 10, 2014

It seems like more and more boot2roots are being submitted to VulnHub as of late. OwlNest by Swappage is one of the more recent ones that packs a good challenge. Grab it over at VulnHub if you’re interested in giving it a go. This was debuted at ESC 2014 CTF where no one was able to solve it. It took me several days to finish off this beast after getting stuck in a tarpit, but this was a whole lot of fun.

Flick hacking challenge

August 14, 2014

Flick by leonjza is a new boot2root available for download at VulnHub. I had quite a bit of fun with this one, and learned a couple of new things as well, like how I like to do some things the hard way. So without further ado, I’ll jump right in and describe how I completed the challenge.

Xerxes 2 Hacking Challenge

August 8, 2014

Another month, another hacking challenge! This time it’s Xerxes 2 by barrebas. This boot2root promised some challenges and it definitely delivered. Xerxes 1 was a lot of fun, and when Xerxes 2 was announced, I was looking forward to getting my hands dirty. As with other boot2roots, you can download a copy of Xerxes 2 at VulnHub.

Hell hacking challenge

July 15, 2014

One of the latest and more challenging boot2roots released on VulnHub as of late is Hell. This boot2root by Peleus has appeared to cause quite a bit of hair pulling and teeth gnashing whenever it’s mentioned on IRC. I initially started off with his beta version but had to put it away when I got too busy with work. When I was finally ready to try again, the official version had been released, so I downloaded it and started over.

Hades hacking challenge

May 16, 2014

A few weeks ago, VulnHub hosted the Hades competition, a capture the flag challenge created by Lok_Sigma. Hades is touted as a difficult boot2root, requiring some experience in exploit writing and reverse engineering. The competition ran for a good 4 weeks, and with submissions now closed, I’ve decided to go ahead and post my solution.

From fuzzing to 0-day

May 14, 2014

A couple of days ago, I found an interesting bug during a fuzzing session that led to me creating a 0-day exploit for it. I’ve been asked a few times about the methods I use to find bugs and write exploits, so I’ve decided to take this opportunity to describe one particular workflow I use. In this post, I’ll take you through finding a bug, analyzing it, and creating a functional exploit.

Multi-Factor Authentication with SSH on OS X

May 9, 2014

This is a quick guide on how to setup multi-factor authentication with SSH using Google Authenticator. The goal is to require three items from the user in order to complete the authentication: SSH authentication keys, the user’s password, and a one-time password using Google Authenticator.

Leaving Blogger and moving to GitHub Pages

April 24, 2014

My first post on Blogger was on October 9, 2009. It’s been a good run, and I’ve enjoyed using Blogger for quickly sharing things with the Internet. For various reasons, I’ve grown tired of Blogger, and I’ve decided to migrate over to GitHub Pages. Making the transfer took a bit of time and trial and error. Octopress made the migration relatively simple and so far, I’m pretty happy with the results.

De-ICE hacking challenge: Part 6

December 28, 2013

This is a walkthrough on De-ICE S1.140, available for download at VulnHub. This release was much anticipated and took a while to get released to the public. It’s a little tougher than the previous De-ICE challenges, but uses a similar formula of password cracking and guessing.

De-ICE hacking challenge: Part 4

December 13, 2013

This is a quick walkthrough on solving the De-ICE S1.120 A challenge which can be downloaded here: http://vulnhub.com/entry/de-ice_s1120-a,10/. Interestingly, I wasn’t aware that this boot2root even existed until a couple of nights ago when someone mentioned it on IRC. After doing a bit of searching, it turns out there are at least three that I haven’t had a go at popping. So with that in mind, I decided to load up S1.120 A and take the challenge.

Relativity hacking challenge

December 12, 2013

Several weeks ago, Sagi released his own challenge named Relativity to the public. It had been a while since I’d done a good boot2root, and so eager for a challenge, I grabbed it off VulnHub and loaded it into VMware.

Creating a virtual machine hacking challenge

December 10, 2013

After recently releasing the Brainpan 2 hacking challenge, a handful of people asked me for tips on how to create their own hacking challenge. These virtual machine hacking challenges, more commonly known as boot2roots, are relatively easy to make, but can be somewhat time consuming. In this post, I’d like to share some tips on how to roll out your own boot2root.

Brainpan 2 hacking challenge

November 19, 2013

When I initially created Brainpan, my intent was to give back to the community with something fun and challenging. It didn’t occur to me that others would find it so enjoyable that they would want more. I had a blast creating the first challenge, and so I thought, “What the hey, let’s create a second one!”. And so I present, Brainpan 2. Your goal is to break into the server and read the contents of /root/flag.txt.

Thoughts on Offensive Security's Cracking the Perimeter course

October 28, 2013

Several months ago I signed up for Offensive Security’s Cracking the Perimeter (CTP) course. Having successfully completed the course, I wanted to write a short review on it. CTP focuses primarily on Windows exploit development, while touching a little bit on web application hacking. As CTP is marketed as a non-beginner course, students must complete a registration challenge before they will be allowed to take the course. The challenge itself is relatively easy; if you’ve done any hacking before, or completed Penetration Testing with Backtrack (PWB), it should be pretty straightforward.

Brainpan hacking challenge

March 20, 2013

After attempting various hacking challenges, I was inspired to come up with my own. Brainpan is my attempt at a vulnerable virtual machine. Your goal is to break in and get root access.

Introduction to pivoting, Part 4: Metasploit

October 22, 2012

In this article, we’ll look at pivoting using Metasploit. If you have the option to use Metasploit, you’ll find that it makes pivoting much easier. Metasploit can be installed on Linux, Windows, and Mac OS X, which makes it a pretty versatile tool. The number of modules included in the framework grows continuously, and its low learning curve makes it popular among hackers.

Introduction to pivoting, Part 3: Ncat

October 16, 2012

In the past two articles, we pivoted our exploit to our target with the help of SSH. If SSH is not available, we can try to use client-to-client and listener-to-listener relays with netcat, as described by Ed Skoudis in Secrets of America’s Top Pen Testers. We will modify Skoudis’ technique by using ncat instead of netcat. Ncat is meant to be a replacement for netcat, and is included in the Nmap 5.x and higher package. I prefer ncat over netcat for this as it allows us to use the same syntax to set up the relays regardless of whether the pivot is running Linux, Windows, or Mac OS X.

Introduction to pivoting, Part 2: Proxychains

October 10, 2012

This is part 2 of a series of posts on pivoting techniques. In part 1, we used SSH port forwarding to pivot our exploit and obtain remote access to our Windows XP machine. In this article, we’ll be performing the same attack, but instead of using SSH local port forwarding, we’ll use Proxychains and an SSH SOCKS proxy.

Introduction to pivoting, Part 1: SSH

October 6, 2012

Pivoting is a technique that allows attackers to use a compromised system to attack other machines in the same network, or more devastatingly, machines in another network that the compromised machine has access to. There are several techniques that can be used to pivot deeper into the network, and I’ll be describing some of them in the next few articles. I’ve found that this topic can be a bit confusing to beginners, and I hope that these articles will help clear things up. In this article, we’ll look at pivoting with SSH.

Growl style for Chrome notifications

September 29, 2012

I use Chrome’s desktop notifications when using Gtalk, and Growl notifications for other applications. I wanted a Growl style that looked like Chrome’s desktop notifications, but was unable to find one after combing through Google searches. I finally said “screw it”, and decided to make my own.

Parsing Nmap's output

September 15, 2012

Nmap is a favorite tool when it comes to running port scans. The output can be a bit much however, especially when you’re dealing with many targets with many services. Nmap is capable of producing reports in text, grepable, and XML formats. When I was working on my OSCP, I wanted a lightweight tool that could quickly parse my Nmap reports and display clean results. I couldn’t find one that did what I wanted, so I hacked something together. The end result is a script called scanreport.sh.

Thoughts on Offensive Security's Penetration Testing with Backtrack course

September 5, 2012

The Offensive Security Certified Professional (OSCP) certification is awarded to students who successfully complete Offensive Security’s Pentesting with Backtrack (PWB) course. This is an intense hands-on course, where students are expected to use the knowledge and tools they’ve obtained to hack into several machines in a virtual network. There is no hand holding, no spoon feeding, and the only hint a student usually receives is “Try Harder”. At the end of the course, the student must pass an exam and submit a penetration test report in order to earn the certificate. Unlike most exams, this one is 24 hours long, and the student must hack into several machines to obtain enough points to pass the exam.

VulnImage hacking challenge

August 27, 2012

Another virtual machine hacking challenge! This one is called vulnimage and can be downloaded from http://vulnhub.com. This one is a little more advanced, requiring the attacker to craft a custom exploit to root the server. Give it a go if you’re interested in exploit development.

Kioptrix hacking challenge: Part 2

July 6, 2012

The second Kioptrix challenge isn’t quite as scan and exploit as the first, but still a relatively easy beginner challenge. The Kioptrix challenges can be downloaded from http://www.kioptrix.com/blog/?page_id=135. It’s actually labeled as Level 1.1. The author mentions that there are multiple ways to compromise the system. I’ve only explored one method, which is what I’ll be describing here.

Kioptrix hacking challenge: Part 1

July 4, 2012

Kioptrix is another set of virtual machines that are intended to be hacked into. As of this writing there are currently four Kioptrix challenges. Each one increases in difficulty and is a good start for someone new to penetration testing. Towards the end of last April, I started playing around with it and documented the steps to exploit it. Kioptrix 1 is geared towards the beginner, and is one of the easiest challenges out there.

Let's kick shell-ish, part 1: Directory traversal made easy

June 21, 2012

Web applications that are vulnerable to directory traversals offer a small window into viewing the contents of a target server. In a way, you’ve semi-penetrated the system, albeit with minimal privileges, mostly just reading files. However, that’s not necessarily a bad thing. Being able to read /etc/passwd for instance will give you an idea of what user accounts are on the system, thereby aiding in a brute force attack. If you can read the contents of C:\Windows\repair\sam and C:\Windows\repair\system, you can download those files and start cracking Windows passwords.

Port scanning one, two punch

May 31, 2012

Information gathering is an important step in a penetration test, or any hack attempt. Various attack vectors open up based on the findings in the information gathering stage. Port scanning provides a large amount of information on open services and possible exploits that target these services. The problem with port scanning is that it can take a lot of time to generate the results depending on the type of scan, the protocol that’s being scanned, the number of targets, whether or not any IDS is in the way, and a slew of other variables.

Wireshark OS X: Disappearing menu items fix

May 16, 2012

Wireshark on OS X runs on top of X11. As most people who’ve used X11 applications on OS X are aware, they look ugly, and don’t match the theme on OS X. In an effort to prettify Wireshark, the developers have included a default theme to go with it: Clearlooks-Quicksilver-OSX. At first, this looks nice, up until you actually start using any of the menu items on Wireshark. The text just disappears. White text on white background. Have a look:

Staying anonymous in a social Internet

April 11, 2012

There are legitimate reasons for wanting to stay anonymous online. You don’t have to be living in an oppressed country, or be a criminal, or an activist. Sometimes you just don’t want Facebook or Twitter to know where you’re connecting from.

Holynix hacking challenge: Part 1

April 7, 2012

I’ve been playing a few of these hacking challenges over the past few months; some are extremely easy, while others force you to think out of the box. Completing a challenge is rewarding, but the journey to completion is sometimes fraught with frustration. In this post I’m going to be describing how I completed the Holynix 1 challenge. Holynix 1 can be downloaded from http://sourceforge.net/projects/holynix/files/1.0/. As before I’ll be using Backtrack Linux to perform the attack and running Holynix on VMware. Both machines were running on the same network, so a netdiscover revealed the IP address of the target. I ran nmap against the target and pointed my browser to that IP address to see if a website was present:

De-ICE hacking challenge: Part 3

August 1, 2011

This is a walkthrough on how I completed level 2 of the De-ICE penetration testing Live CDs. I had completed level 1 a week before and talked about my experiences in a two part post (part 1 and part 2). If you’re interested in learning some hacking in a safe environment, I recommend checking out HackingDojo and downloading the De-ICE Live CDs.

De-ICE hacking challenge: Part 2

July 20, 2011

In my previous post I talked about how I completed part 1 of the De-ICE hacking challenge. If you’re not sure what De-ICE is, I recommend reading my last post and checking out HackingDojo, home of the De-ICE penetration testing Live CDs.

De-ICE hacking challenge: Part 1

July 19, 2011

Over the weekend I decided to take the De-ICE Live CD Level 1 challenge. De-ICE provides a safe environment where you can practice your penetration testing skills. If you’ve never done a penetration test before, or are looking for practice, these Live CDs are a good place to start.

Creating a user name list for brute force attacks

July 17, 2011

If you need to do a brute force attack against a particular service, you’ll need a couple of things. A good wordlist containing possible passwords, and a list of user names to try. It’s easy to get a password list on the Internet, but user lists often have to be customized for the target. You’ll need to do some research to find email addresses and employee names. Once you do have a list of names however, you’ll need to guess what the format of the login ID is for that user. John Doe could be johndoe, or john.doe, or jdoe, and so on.

Setting up a malicious wireless access point

July 15, 2011

It can be tempting to hop onto an open wireless network when you just need to check your email, or you want to send off a tweet. Stop for a moment though, because an open wireless network might not be as safe as you think. With the right tools, an attacker can turn his laptop into an open wireless access point that captures your online activity.

Sniffing website login credentials

July 13, 2011

Man-in-the-middle (MITM) attacks are an effective way to capture data flowing between a target and the router. In a nutshell, the attacker places himself between the target and the router so that all data flows through the attacker’s machine. The target thinks he’s communicating with the router, and the router thinks it’s communicating with the target, when in reality, they are communicating with the attacker and the attacker just relays the information back and forth. It’s like a malicious mailman who reads your letters before sealing them and sending them off.

Cracking MoinMoin Wiki Passwords

June 15, 2011

I wanted to audit the security of a server running the MoinMoin Wiki Engine version 1.9.2 and needed to see if I could crack the passwords on the site. Each user’s information is stored in a file located in the site’s data/user directory, for example: 1308083750.39.64129. This is a plaintext file which contains key-value pairs. There are two keys that we’re interested in: enc_password and name.

Securely delete files and folders from Finder

March 11, 2011

In the computer world, when you delete a file and empty the Trash or Recycle Bin, it’s not really gone. This can be a good thing for when you accidentally delete something critical, or your hard drive crashes and you need to hire professionals to recover these files for you. These files are still recoverable because they’re still on the disk, just that you no longer have access to them. However in some cases, you may want to delete a file permanently and ensure that it is unrecoverable.

Bypassing MAC filters on WiFi networks

December 21, 2010

Most wireless routers have a security feature called MAC filtering. Each network card on a computer comes with a unique MAC address. MAC filtering allows the user to specify which computers are allowed to use the wireless network by entering the computer’s MAC address into the whitelist. This is a security tip that I see often when reading about securing wireless networks. When used by itself, or with WEP, it can give the user a false sense of security. I’m going to show you how this security layer can be bypassed.

Read More

Capturing the WPA handshake using mass deauthentication

December 20, 2010

Capturing the 4-way handshake required to crack WPA-PSK can be a bit frustrating when you can’t get a client to deauthenticate and reauthenticate with the access point. One option is to deauthenticate all the clients by not providing the client’s MAC address when running the deauthentication attack:
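
Both of the last two posts come down to reading and writing 802.11 headers: to get past a MAC filter you first need a MAC the access point already accepts, which the data frames it exchanges with its clients give away, and the mass deauthentication is simply a deauth frame whose receiver address is the broadcast MAC instead of one client. The helpers below are an added example (not aircrack-ng's code and not the original posts'): they parse and build the 24-byte header, enumerate the clients of a BSSID from constructed frames, and build the deauth frame in both forms. Transmitting raw 802.11 needs a monitor-mode interface with injection support, which this deliberately leaves out.

```python
"""Minimal 802.11 header helpers for the two steps above.

Added example, not part of the original posts. Frames are constructed in
memory; nothing here captures or injects. Header layout (no FCS):
    frame control (2, little-endian) | duration (2) | addr1 | addr2 | addr3 | seq (2)
"""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def is_multicast(mac):
    return int(mac[:2], 16) & 1 == 1


def parse_frame(frame):
    """Decode type/subtype/ToDS/FromDS and the three addresses of a frame."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    flags = fc >> 8
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
    }


def build_deauth(bssid, client=None, reason=7, seq=0):
    """Deauthentication frame: type 0 (management), subtype 12.

    addr1 is the receiver: one client, or ff:ff:ff:ff:ff:ff to hit every
    client at once (the mass deauth, i.e. aireplay-ng -0 without -c).
    addr2 (transmitter) and addr3 (BSSID) are both the AP, which we spoof.
    Reason 7 = class 3 frame received from a non-associated station.
    """
    fc = 12 << 4                                   # version 0, type 0, subtype 12
    header = struct.pack("<HH", fc, 0)
    header += mac_bytes(client or BROADCAST) + mac_bytes(bssid) + mac_bytes(bssid)
    header += struct.pack("<H", seq << 4)          # fragment 0, sequence number
    return header + struct.pack("<H", reason)


def build_data(bssid, client, to_ds):
    """Data frame (type 2) from a client to its AP (ToDS) or back (FromDS)."""
    flags = 0x01 if to_ds else 0x02
    fc = (2 << 2) | (flags << 8)
    if to_ds:   # addr1 = BSSID, addr2 = source (client), addr3 = final destination
        addrs = mac_bytes(bssid) + mac_bytes(client) + mac_bytes(ZERO)
    else:       # addr1 = destination (client), addr2 = BSSID, addr3 = original source
        addrs = mac_bytes(client) + mac_bytes(bssid) + mac_bytes(ZERO)
    return struct.pack("<HH", fc, 0) + addrs + struct.pack("<H", 0)


def associated_clients(frames, bssid):
    """MACs exchanging data frames with `bssid`: by definition these pass its
    MAC filter, so any of them is a candidate to clone once it goes quiet."""
    clients = set()
    for frame in frames:
        p = parse_frame(frame)
        if p["type"] != 2:
            continue
        if p["to_ds"] and p["addr1"] == bssid:
            clients.add(p["addr2"])
        elif p["from_ds"] and p["addr2"] == bssid and not is_multicast(p["addr1"]):
            clients.add(p["addr1"])
    return sorted(clients)


# Constructed traffic: two clients of our AP, one client of a neighbour, one deauth.
AP = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    build_data(AP, "aa:bb:cc:dd:ee:01", to_ds=True),
    build_data(AP, "aa:bb:cc:dd:ee:02", to_ds=False),
    build_data(AP, "01:00:5e:00:00:fb", to_ds=False),      # multicast, not a client
    build_data("66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:03", to_ds=True),
    build_deauth(AP),
]

if __name__ == "__main__":
    print("clients of", AP, "->", associated_clients(SAMPLE_FRAMES, AP))
    print("mass deauth:", build_deauth(AP).hex())
    print("targeted   :", build_deauth(AP, client="aa:bb:cc:dd:ee:01").hex())
```

The broadcast deauth is noisier and every client on the network drops at once, which is exactly why it works when no single client will cooperate; it is also exactly what a wireless IDS flags first, so on an engagement prefer the targeted form once you know a client's MAC.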

Read More

EmDeeFive: A drag-n-drop MD5 app

December 6, 2010

I got frustrated with Windows not having a default program for checking the MD5 hash of a file, so I wrote my own. It’s written in Java and has been tested on Windows and OS X, although it should work on any system that has a JRE installed. To use it, just drag the file(s) whose hashes you need to check into the window and it will display the MD5 and SHA-1 hashes for you.

Read More

Remote control your computer with Dropbox

November 24, 2010

Dropbox is a service that allows you to sync files and folders on multiple computers. It does this by syncing the files and folders to the Dropbox server and then syncing them to any other device (computers or smartphones) that you may have installed Dropbox on. Its primary purpose is to ensure that any files in your Dropbox folder are immediately accessible to any other device that you have installed Dropbox on. We can take advantage of this syncing feature and use it as a means to transfer instructions from one device to another. Here’s a basic example of using a smartphone to tell a computer (the target) to print out some documents.
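
Using a synced folder as a command channel means that anyone who can write to that folder (a shared link, a stolen Dropbox session, a compromised phone) can run commands on the target. The added example below (my code, not the original post's) shows the shape that keeps this survivable: the poller only honours an explicit allowlist of actions, the argument is a file name that must resolve inside the documents folder, and nothing from the dropped file ever reaches a shell. Folder names and the allowlist are hypothetical; the inbox contents in the demo are constructed.

```python
"""Poll a synced 'inbox' folder for one-line commands and run the allowed ones.

Added example, not the original post's script. The allowlist, folder layout
and 'action:argument' format are my assumptions for illustration.
"""
import os
import subprocess

# Hypothetical allowlist: action -> argv prefix. The only argument accepted is
# a file name that must live inside the documents folder.
ALLOWED_ACTIONS = {
    "print": ["lp"],
    "open": ["open"],        # macOS; use xdg-open on Linux
}


def parse_command(text):
    """First line 'action:argument'; anything unknown or malformed -> None."""
    stripped = text.strip()
    line = stripped.splitlines()[0] if stripped else ""
    action, sep, arg = line.partition(":")
    action, arg = action.strip().lower(), arg.strip()
    if not sep or action not in ALLOWED_ACTIONS or not arg:
        return None
    return action, arg


def resolve_doc(docs_dir, name):
    """Real path of docs_dir/name, or None if it escapes docs_dir (.. or symlink)."""
    root = os.path.realpath(docs_dir)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    return target


def handle_command_file(path, docs_dir, runner=subprocess.run):
    """Returns ('ran', argv) or ('rejected', reason)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        parsed = parse_command(fh.read(4096))
    if parsed is None:
        return "rejected", "bad action or format"
    action, arg = parsed
    target = resolve_doc(docs_dir, arg)
    if target is None or not os.path.isfile(target):
        return "rejected", f"not a document: {arg}"
    argv = ALLOWED_ACTIONS[action] + [target]
    runner(argv, check=False)      # argv list, no shell, no string interpolation
    return "ran", argv


def poll_inbox(inbox, docs_dir, runner=subprocess.run):
    """Handle every *.cmd file once and rename it to .done so it isn't rerun
    after the next sync. Returns [(file, status, detail), ...]."""
    results = []
    for name in sorted(os.listdir(inbox)):
        if not name.endswith(".cmd"):
            continue
        full = os.path.join(inbox, name)
        status, detail = handle_command_file(full, docs_dir, runner)
        results.append((name, status, detail))
        os.rename(full, full[:-4] + ".done")
    return results


def demo():
    """Constructed inbox/docs folders in a temp dir with a recording fake runner."""
    import tempfile
    ran = []

    def fake_runner(argv, check=False):
        ran.append(argv)

    with tempfile.TemporaryDirectory() as tmp:
        inbox = os.path.join(tmp, "Dropbox", "inbox")
        docs = os.path.join(tmp, "Dropbox", "docs")
        os.makedirs(inbox)
        os.makedirs(docs)
        with open(os.path.join(docs, "report.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed")
        commands = {
            "1.cmd": "print:report.pdf",              # legitimate
            "2.cmd": "print:../../../etc/passwd",     # path escape
            "3.cmd": "rm:-rf /",                      # not on the allowlist
            "4.cmd": "print:report.pdf; curl evil",   # no such file, and no shell anyway
        }
        for name, text in commands.items():
            with open(os.path.join(inbox, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        results = poll_inbox(inbox, docs, runner=fake_runner)
        return [status for _name, status, _detail in results], len(ran)


if __name__ == "__main__":
    print(demo())
```

Even with these checks the channel is only as trustworthy as the Dropbox account: a loop like this should run as an unprivileged user and the allowlist should stay short.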

Read More

Deactivate screensavers simultaneously on multiple Macs

November 11, 2010

In the last post I discussed a method for activating screensavers remotely on multiple Macs. Turns out that it’s just as much of a hassle to deactivate them, particularly if the screensaver is just meant to hide the desktop and not lock it. If you need to unlock the screen then this script will do you no good.

Read More

Activate screensavers simultaneously on multiple Macs

November 10, 2010

My work setup in the lab consists of two Mac Minis, one Mac Pro, and my Macbook Pro. I do all my typing on my Macbook and use teleport to remotely control the other computers. Whenever I leave my desk, I make it a habit to lock all my computers using the screensaver. It has become a bit of a pain to do this manually, so I came up with a way to lock all my computers with a single command from my Macbook.

Read More

Functions for sending email

August 17, 2010

Email notifications are handy for when you need to be alerted to an event that happens on your machine. Sometimes I might write a shell script that looks for a specific string in a log file, and I might want it to send me an email. Now most Unix systems come with a command called mail. What frustrates me about this command is that there’s no way to tell it which mail server to use. It always assumes that the localhost is the SMTP server.
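
For a log-watching script that needs to name its own SMTP server, Python's smtplib does what mail won't. The snippet below is an added example, not the original post's shell functions; the host, port and credentials are placeholders, STARTTLS is mandatory so the password and the log excerpt don't cross the network in the clear, and the subject is flattened to one line so a log entry can't inject extra headers.

```python
"""Send a notification through an SMTP server of your choosing.

Added example, not the original post's code. Server, port and credentials
are placeholders to replace; only build_alert() runs without a network.
"""
import smtplib
import ssl
from email.message import EmailMessage


def build_alert(sender, recipient, subject, body):
    """Assemble the message. Header values are forced onto one line so text
    lifted from a log file cannot add headers of its own."""
    one_line = " ".join(subject.split())
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = one_line
    msg.set_content(body)
    return msg


def send_alert(msg, host, port=587, username=None, password=None, timeout=20):
    """Deliver `msg` via `host`, upgrading to TLS first; raises if the server
    refuses STARTTLS rather than falling back to cleartext."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        smtp.ehlo()
        if username:
            smtp.login(username, password)
        smtp.send_message(msg)


def alert_on_match(log_lines, needle, sender, recipient):
    """Return an alert message for the lines containing `needle`, or None."""
    hits = [line for line in log_lines if needle in line]
    if not hits:
        return None
    return build_alert(sender, recipient,
                       f"[{needle}] {len(hits)} matching line(s)", "\n".join(hits))


if __name__ == "__main__":
    # Constructed log excerpt; real use would read the log file instead.
    sample_log = [
        "Aug 17 10:01:02 host sshd[123]: Accepted publickey for bob",
        "Aug 17 10:02:40 host sshd[124]: Failed password for root from 203.0.113.9",
        "Aug 17 10:02:41 host sshd[124]: Failed password for root from 203.0.113.9",
    ]
    alert = alert_on_match(sample_log, "Failed password", "watch@example.com", "me@example.com")
    if alert is not None:
        print(alert)
        # send_alert(alert, "smtp.example.com", username="watch", password="...")
```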

Read More

Birthday code cake

July 26, 2010

For my friend’s birthday I decided to give him something geeky. Birthday code cake. It won’t win any obfuscated C contests, but it works and was done on short notice.

Read More

Samsung Galaxy Spica: Upgrading Android 1.5 to 2.1

June 28, 2010

About two months ago I decided I was tired of my Blackberry and wanted something a lot more fun, so I started hunting around for an Android phone. I purchased the Samsung Galaxy Spica off of eBay for about USD $300. The device came with Android 1.5 (Cupcake). It wasn’t long before I started looking for ways to upgrade it to 2.1 (Eclair).

Read More

Automating the checkmate of WiFi WEP networks

April 24, 2010

The techniques used to crack WEP vary depending on whether or not the network uses MAC filtering, whether it uses shared key or open system authentication, whether we need to perform a deauthentication, and so on. I’ve found that the majority of WEP networks I’ve audited don’t employ MAC filtering and use open system authentication. The series of steps I begin with goes like this.

Read More

One triple grande non-fat wireless hack please!

April 15, 2010

Coffee shops can make an excellent location for attacking wireless networks. If a hacker can pick up your access point’s signal, they can break into it from a coffee shop, the parking lot, or across the street. Most coffee shops such as Starbucks are popular hang outs for students with laptops, allowing the hacker to easily blend in without attracting suspicion. And of course there’s the coffee and a comfortable place to sit.

Read More

iTunes. Genres? Wikipedia!

March 10, 2010

A long time ago I altered my iTunes library to include only artist name and song title. That’s it. I removed any additional information including album name, genre, all of that.

Read More

Where are you?: Geolocating a server by its IP address

February 9, 2010

I often see IP addresses in log files on my servers and wonder where they might be coming from. Tools such as traceroute and whois are great when you need to dig further, but if you just want a quick answer to the question “where are you?”, here’s a possible solution.

Read More

Level Up!

December 14, 2009

I successfully completed the GIAC GSEC certification. Work paid for the OnDemand course and the exam. The exam is open book. I didn’t bring any of the books SANS provided, they were too many and too heavy. Instead I compiled my own set of notes which I found to be sufficient for the sample exams and the actual exam.

Read More

'Twas brillig, and the slithy toves... or... was it Brillig AND the sli...

November 8, 2009

So I managed to “forget” the passphrase to unlock my PGP private key. I kind of knew what the passphrase was, just wasn’t quite sure what it looked like. For instance, I knew it flowed as “alice smacked the jabberwock”, but I couldn’t remember if it was “Alice smacked the Jabberwock”, “alice SMACKED the jabberwock” or “Alice Smacked The Jabberwock” and so on…
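
When the words are known and only the capitalisation is fuzzy, the search space is tiny: three case forms per word, multiplied out, is 81 candidates for a four-word phrase, so there's no need for a general password cracker. The script below is an added example, not the original post's; it enumerates the variants and checks each against a verifier. The verifier here compares against a sha256 hash of a constructed "forgotten" passphrase so it runs offline; to use it for real, replace `verify_demo` with a function that tries the candidate against the key (for instance by running gpg with `--batch --passphrase-fd 0`).

```python
"""Enumerate capitalisation (and separator) variants of a half-remembered
passphrase and test each one.

Added example, not the original post's code. The target hash is constructed;
swap verify_demo() for a real check against the PGP key.
"""
import hashlib
from itertools import product


def word_variants(word):
    """lower, Capitalised, UPPER, without duplicates, in that order."""
    seen, out = set(), []
    for variant in (word.lower(), word.capitalize(), word.upper()):
        if variant not in seen:
            seen.add(variant)
            out.append(variant)
    return out


def case_variants(phrase, separators=(" ",)):
    """Yield every combination of per-word case forms joined by each separator."""
    words = phrase.split()
    for combo in product(*(word_variants(w) for w in words)):
        for sep in separators:
            yield sep.join(combo)


def count_variants(phrase, separators=(" ",)):
    return sum(1 for _ in case_variants(phrase, separators))


def recover(phrase, verify, separators=(" ",)):
    """Return the first candidate `verify` accepts, or None."""
    for candidate in case_variants(phrase, separators):
        if verify(candidate):
            return candidate
    return None


# Constructed target: hash of the passphrase we pretend to have forgotten.
_TARGET = hashlib.sha256(b"Alice smacked the Jabberwock").hexdigest()


def verify_demo(candidate):
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest() == _TARGET


if __name__ == "__main__":
    phrase = "alice smacked the jabberwock"
    print(count_variants(phrase), "candidates")
    print("recovered:", recover(phrase, verify_demo))
```

Adding separators (space, nothing, hyphen) only multiplies the count by three, which is still trivial; what makes this cheap is that the word order is known, so it is worth writing your own enumerator whenever you remember the phrase's structure.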

Read More

Two-factor authentication for the rest of us

October 15, 2009

Encryption is a great way to protect your data. Generally you select some awesome algorithm, pick a passphrase and encrypt your data. When you want to access your data, you decrypt it using the passphrase.

Read More

Open, Simsim!

October 13, 2009

There’ve been a few times where I’ve found myself in need of a default username/password for a wireless router that has been factory reset, or was just improperly configured. Going through manufacturer websites searching for the manuals and the information can be a pain.

Read More

Weaponizing the Blackberry

October 9, 2009

I recently purchased a Blackberry on eBay. I needed a new phone and I thought a smartphone might be nice to play with. The Blackberry Pearl 8120 has built in wifi capabilities which means you can bum off a wireless network at Starbucks without paying for a data plan. This also means that if we join the wireless network, we can “see” what other computers have joined in as well and even probe them for interesting information.

Read More

Hello... blog?

October 9, 2009

Another blog to clutter the already garbage infested Internet? Yes. But why?

Read More