Adding VLANs to the GNS3/VirtualBox Lab - In this post I show how to add VLANs to the lab and how to move between them on the switch. I then show what can happen if you get on to a trunk port and get to control your own VLAN tagging.

Two new beta Metasploit modules, one for DNS MiTM and one for DHCP Exhaustion attacks

I've just added a new challenge to the lab looking at exploiting the none algorithm. For more information, and a walk through, see JWT None Authentication Lab.

A little trick to extract stored FTP details by setting up a fake server then capturing the clear text.

A Pipal analysis of the Manga Traders password dump, some interesting results when looking at demographics and reuse of username/email addresses as passwords.

Given a IP address calculate the top and bottom of its available subnet range

Spidering SpiderOak - By looking at the differences between responses it is possible to enumerate valid account names and then shares on the SpiderOak network. This post covers how I researched this, the findings and how it could be fixed.

When doing reconnaissance on clients it is often useful to try to identify other websites or companies who are related to your target. One way to do this is to look at who is managing the Google Analytics traffic for them and then find who else they manage. There are a few online services which do this, the probably best known being ewhois, but whenever you use someone else's resources you are at their mercy over things like accuracy of the data and coverage, especially if you are working for a small client who hasn't been scanned by them then you won't get any results. This is where my tracker tracking tool comes in. The tool is in two parts, the first uses the power of the nmap engine to scan all the domains you are interested in and pull back tracking codes, these are then output in the standard nmap format along with the page title. I've then written a second script which takes the output and generates a grouped and sorted CSV file which you can then analyse.

Karma was originally written for Madwifi and I then updated it to work with Madwifi-ng. This update adds the same functionality to hostapd.

Three times in the past few months I've been asked by clients to retest previous findings to see if they have been successfully fixed. One of the reports I was given was one I'd written, the other two were by other testers. For my report I couldn't remember anything about the test, reading the report gave me some clues but I was really lucky and found that I'd left myself a test harness in the client's folder fully set up to test the vulnerability. One of the other two was testing for a vulnerability I'd never heard of and couldn't find anything about on Google. I finally tracked down the original tester and it turns out there is a simple tool which tests for the issue and one command line script later the retest was over. The final issue was one that I knew about but had a really good write up that, even if I'd not heard of it, had a full walk through on how to reproduce the test.

File Disclosure Browser, an application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.

About once a fortnight I get a request to write an article for Hakin9 or one of its sister publications, this article details my attempts to stop this spam.

When I bought an IP camera to watch by daughters cot I didn't expect to end up writing tools to find others around the world, I also didn't expect it to be so poorly secured.

Analysis of the content I found when trawling Amazon's buckets looking for public information.

Using decompression to avoid filters - Decompressing data to get it past filters such as IDS.

The description of how I wrote a tool to brute force bucket names from the Amazon S3 system and then take it a step further.

A brief description of how Mobile Me allows access to its file listings and how to interpret them.

This tool will brute force user accounts with Mobile Me and then enumerate files associated with any public accounts found.

Google Profile scraping can be used a part of recon work to gather staff lists, this script automates that process

This tool will brute force bucket names from Amazon's S3 system and then enumerate files associated with any public buckets found.

Seeing as I had over 200 responses to the "Breaking In" survey in just 5 days I've plucked out a couple of interesting stats from the responses and posted them to whet your appitite.

Ever found yourself in a position where you have to teach or explain DNS zone transfers but not had a domain to run the transfer on? This domain is set up to allow transfers and contains plenty of information to work with. I've also explained how I would interpret the information.

Burp Intruder has four different attack modes, this post shows the differences between those four modes.

At BSides London I presented the findings from the Breaking in to Security survey, here are my slides and a link to the data collected so far.

The story of how I analysed a new IP web camera and found how it automatically tried to punch a hole through my firewall and register itself with dynamic DNS server to tell the world it was there. The slides also contain a bonus talk covering my blog post and project on 'Whats in Amazon's buckets'

This is my attempt to collect enough data to be able to answer the eternal question, 'How do I get started in Information Security?'. I've put together a questionnaire which I'll summarize the answers from and hopefully present at conferences and also summarise here on the site.

A write up on my experiences taking, and passing, the CHECK Team Leader Web App Exam

Automation of setting up a bunch of APs and airodump-ng to work out what encryption a client is probing for.

I recently did a test against a company and in the debrief they asked how I managed to enumerate so many of their subdomains as they were using a wildcard DNS setup and the previous tester had commented that it prevented DNS enumeration. When I explained to them how the wildcard only obscured valid domains they had a few choice words for the previous tester and I figured it would make a nice little blog post.