Sony were hacked, it was bad. That's all.

KreiosC2 can now channel data over TinyURL and JPEG as well as the original Twitter.

Pipal of a database dump from comicbookdb.

This months BruCON 5x5 project came from an idea sent to me by a friend after I released . Passpat takes passwords and tries to find keyboard patters in them, Pat to Pass is almost the opposite, it takes observed key presses and tries to convert them to potential passwords. The project in its current state is more a proof of concept and sample code which hopefully can be taken forward to be turned into something practical by someone who has better skills at handling very large lists of data.

A patch for Metasploit to have it play a wav file telling you a new session has been created. Similar to the Core 'Agent Deployed'.

While working on a new project I needed a way to create files containing binary data which I could control, for example all bytes from 0 to 255 in order or just a block of 10 0x03's, so I wrote bin_gen. There are loads of other ways to do this, especially in Linux, but for me this is quick and easy and I don't have to think to use it.

Going to WAR on Tomcat with Laundanum - A short how to on using Laundanum to attack Tomcat servers and how to setup a lab to try it at home.

Viewing Pages documents in Linux - A short shell script to display a document created in Pages in Linux

Converts Nessus v2 reports to various CSV files to help with reporting and continued scanning.

This post, along with part two coming soon, is an accompaniment to my BSides slides and the raw data which I published the other day. Here I try to summarise the results and add my commentry to them.

During BruCON 2012 the organisers announced a very generous competition, they had collected 25,000euro and were going to offer it in 5k euro chunks to five lucky hackers. The condition was you had to submit a proposal saying why you needed the cash. You can read more about it on the BruCON Blog. I've very please to say that I was one of the chosen hackers so want to document what I'm going to do with my share of the cash.

A quick write up on how to exploit Shellshock on telnet via the USER variable.

My DHCP and DNS Metasploit attack modules, now fixed up to work with Ruby 1.9.x

The second part of my write up of the conclusions I've taken from my Breaking In data. This part looks at the qualitative answers given which give some meaning behind some of the stats.

I really want to know what is behind this door.

Pipal now has a modular structure allowing you to write your own Checkers and Splitters, this is a brief introduction to how they both work.

Turning comments from a negative troll into a positive, a reminder of how great our community is.

In part one of this series, Exploiting RIP, we set up a GNS3 lab with RIPv1 and managed to exploit it by injecting a fake route into the network. As a way to protect against this, RIPv2 can use authentication to try to stop unauthorised routes being added to the system. From what I've read, authentication was not added to RIPv2 as a security mechanism but as a way to prevent routes from accidentally being added when incorrectly configured routers are added to the network. In this post I'll work through changing the lab from version 1 to version 2 and then enabling the different levels of authentication. At each stage I will show weaknesses in the system and ways to abuse them.

Save the effort of having to keep an XML file up-to-date and create your rules in a spreadsheet then convert to XML with my app.

I've finally got round to styling the new site

For quite a while now I've been planning to import all my Dradis issues into MediaWiki to make reusing issues easier. Till now, each time I wanted to reuse an issue I've had to open a new browser and go back to find the old project where the issue was used then copy and paste it into the new project, that is a real pain to do. So I finally bit the bullet and created a MediaWiki VM. Rather than mess around with manually copying all my issues across I developed this little script to automate it.

SocketToMe is little application I wrote to go along with my blog post on testing WebSockets. It combines chat, a simple number guessing game and a few other hidden features. The app is in two parts, the WebSocket app and a web page to access it. The whole lot is written PHP and is the first WebSocket work I've done so don't look on it as an example of how to do things.

In the first two parts of this dig into layer 2 I covered how to set up a lab using GNS3 and VirtualBox and then adding and interacting with VLANs. In this part I want to look at using Cisco's Dynamic Trunking Protocol - DTP - to change the state of a port from access mode to trunk mode to allow us to gain access all the VLANs on the network. The previous link gives a more thorough overview of DTP but in summary, it is a protocol developed by Cisco to allow devices connected to a switch negotiate whether they need their port to be in trunk or access mode. It is enabled by default on all ports so has to be deliberately disabled by an admin to turn it off. Ports default to access mode leaving devices such as switches, which need a trunk port, to request it. A port can be changed from one state to the other through a single DTP packet and there is no authentication, this makes it great as an attacker as you can easily switch your port to trunk mode on any switch which has DTP enabled.

A tool to follow HTTP redirects showing the full details at each request, collecting and replaying cookies on the way.

My story relating being a newcomer to a triathlon forum, asking for advice, and the initial elitist responses I got, and what I've heard some newcomers to the hacker community saying about our community. The TLDR; is that there are macho jerks everywhere, but if you persevere, the majority of people are nice and are willing to help.

Did you know Linux groups can have passwords? I didn't but I do now, this is how you set them up.

A short script to do frequency analysis on lines in a file, specifically designed for password reuse analysis.

Split KreiosC2 commands over multiple tweets, a very simple example language

When doing a web app test you usually end up spidering the site you are testing but what if the site could tell you most of that all about theirhout you going hunting for it. Bring on sitemap.xml, a file used by a lot of sites to tell spiders, like Google, all about their content. This script takes that file and parses it to extract all the URLs then requests each one through your proxy of choice (Burp, ZAP, etc). Now this won't find anything that isn't mentioned in the file and it won't do any brute forcing but it is a nice way to identify all the pages on the site that the admins want you to know about.