Two new beta Metasploit modules, one for DNS MiTM and one for DHCP Exhaustion attacks

Adding VLANs to the GNS3/VirtualBox Lab - In this post I show how to add VLANs to the lab and how to move between them on the switch. I then show what can happen if you get on to a trunk port and get to control your own VLAN tagging.

A modular brute force tool currently supporting HTTP(S), MySQL and SSH. Written in Ruby and designed to be easily extendable by using off the shelf protocol libraries.

If anyone was watching my Twitter feed over the last few days you'll have seen me complaining about my Gmail account being down. It wasn't down completely, I could still access the web interface and read all old mails but hadn't had any new emails in since 4AM on Thursday. I have various other mail accounts, some Gmail, some not, so I tried sending myself mails from those account to see if things were broken or whether I had just become very unpopular. None of the mails got through. I also tested sending emails out and none of those worked either so there was definitely a problem. By Friday lunchtime I'd had a couple of mails but nothing much so I figured I'd better do some digging and get it fixed.

With the slow uptake of HTML5, WebSockets are going to start being seen in more and more applications so I figured I'd better learn how to test them before being put in front of them on a client test and having to learn as I went along. I figured the best way to do this was to build a very simple application then throw in a proxy and see what happened. Unfortunately my proxy of choice, Burp Suite, currently doesn't handle WebSockets so I had to look for one that did. The only one, and this is their claim, that does in the OWASP Zed Attack Proxy, or ZAP for short. I'd been meaning to learn how to use it for a while so this seemed like the perfect opportunity. If anything in here is wrong, please get in touch and I'll fix it, I'm learning as I go along so may well be doing the odd thing wrong however it does all seem to work. I started by writing a small WebSocket based app which I called SocketToMe which has a few basic services, chat, a number guess game and a couple of other features. I figured I'd start with interception then have a look at fuzzing.

Integrating GNS3 and VirtualBox - Having come from a development background rather than a sys-admin one, my knowledge of layer 2 is not as good as I'd like it to be so I've decided to do something about it. I've always been interested in VLANs and the idea of bypassing them so thought that would be a good place to start. This is the first part of a series building a lab to test out different layer 2 attacks.

With the rise in popularity of NoSQL I figured it was time to build a lab so I could have a play with the different techniques used to attack them. This was the result...

Are secure web frameworks reducing long term security? Why I think developers should always think about security, even when someone else is taking care of it for them.

Automating looking through MSSQL databases to find interesting sounding column names. Once found automating pulling back some sample data to give a feel as to whether it is worth investigating.

What is #secvidofday and why am I doing it?

A short howto on getting the Windows RDP client to show the server login page rather than ask for credentials itself

I was wondering why dragon and monkey come up so often in Pipal analysis of password lists and it got me wondering if it was to do with Chinese signs of the zodiac so just as an experiment I've just added checking for both Western and Chinese zodiac signs to Pipal. I ran it against the 1 million eHarmony passwords I've got and it looks like they do play a small part in some people passwords.

A new Pipal checker to look at the relationship between email addresses and passwords.

Now with JS redirect checking and a bug fix for an issue I found in the ruby spider gem

A patch to GISKismet so it will import Kismet data which doesn't include GPS positions.

A write up of an experiment where I asked a class to give me their passwords.

When doing a web app test you usually end up spidering the site you are testing but what if the site could tell you most of that all about theirhout you going hunting for it. Bring on sitemap.xml, a file used by a lot of sites to tell spiders, like Google, all about their content. This script takes that file and parses it to extract all the URLs then requests each one through your proxy of choice (Burp, ZAP, etc). Now this won't find anything that isn't mentioned in the file and it won't do any brute forcing but it is a nice way to identify all the pages on the site that the admins want you to know about.

Split KreiosC2 commands over multiple tweets, a very simple example language

A short script to do frequency analysis on lines in a file, specifically designed for password reuse analysis.

Did you know Linux groups can have passwords? I didn't but I do now, this is how you set them up.

My story relating being a newcomer to a triathlon forum, asking for advice, and the initial elitist responses I got, and what I've heard some newcomers to the hacker community saying about our community. The TLDR; is that there are macho jerks everywhere, but if you persevere, the majority of people are nice and are willing to help.

A tool to follow HTTP redirects showing the full details at each request, collecting and replaying cookies on the way.

In the first two parts of this dig into layer 2 I covered how to set up a lab using GNS3 and VirtualBox and then adding and interacting with VLANs. In this part I want to look at using Cisco's Dynamic Trunking Protocol - DTP - to change the state of a port from access mode to trunk mode to allow us to gain access all the VLANs on the network. The previous link gives a more thorough overview of DTP but in summary, it is a protocol developed by Cisco to allow devices connected to a switch negotiate whether they need their port to be in trunk or access mode. It is enabled by default on all ports so has to be deliberately disabled by an admin to turn it off. Ports default to access mode leaving devices such as switches, which need a trunk port, to request it. A port can be changed from one state to the other through a single DTP packet and there is no authentication, this makes it great as an attacker as you can easily switch your port to trunk mode on any switch which has DTP enabled.

SocketToMe is little application I wrote to go along with my blog post on testing WebSockets. It combines chat, a simple number guessing game and a few other hidden features. The app is in two parts, the WebSocket app and a web page to access it. The whole lot is written PHP and is the first WebSocket work I've done so don't look on it as an example of how to do things.

For quite a while now I've been planning to import all my Dradis issues into MediaWiki to make reusing issues easier. Till now, each time I wanted to reuse an issue I've had to open a new browser and go back to find the old project where the issue was used then copy and paste it into the new project, that is a real pain to do. So I finally bit the bullet and created a MediaWiki VM. Rather than mess around with manually copying all my issues across I developed this little script to automate it.

I've finally got round to styling the new site

Save the effort of having to keep an XML file up-to-date and create your rules in a spreadsheet then convert to XML with my app.

In part one of this series, Exploiting RIP, we set up a GNS3 lab with RIPv1 and managed to exploit it by injecting a fake route into the network. As a way to protect against this, RIPv2 can use authentication to try to stop unauthorised routes being added to the system. From what I've read, authentication was not added to RIPv2 as a security mechanism but as a way to prevent routes from accidentally being added when incorrectly configured routers are added to the network. In this post I'll work through changing the lab from version 1 to version 2 and then enabling the different levels of authentication. At each stage I will show weaknesses in the system and ways to abuse them.

Turning comments from a negative troll into a positive, a reminder of how great our community is.