A look at what files are good to try to read when all you have is read only access to a machine, i.e. no directory listing ability.

Double tunnels to help a colleague in distress - Setting up SSH tunnels to allow external access to an internal network.

Twofi takes keywords and usernames and collects tweets based on these terms. It then extracts individual words and uses them to create a custom word list.

A Meterpreter script to download wireless profiles from Windows 7 and Vista boxes.

The Trojan in your pocket - Do you know what your phone is doing?

Hostapd was recently updated to version 1.0 so I've brought the Karma patches up-to-date. This release contains a fully patched source tarball and a patch file if you want to apply it to your own source. I've also added a mention of the hostapd_cli app which you can use to control hostapd once it is running.

A Pipal analysis of the recent Tesco password disclosure.

A worked example of using Burp Suite macros and session handling.

A Metasploit module to accompany my blog post on finding interesting data in MSSQL databases.

In this lab I'm going to look at RIPv1, probably the most basic routing protocol. As with the VLAN labs I'm building this one in GNS3 and linking it to a Virtual Box machine running Debian. The plan is to build a network with three routers all using RIP to sync their routing information. I'll then use the attacking box to inject a fake route into the network and so divert traffic away from its real target. If you are not familiar with RIP it is hop based system where each hop is a unit and traffic is routed across the shortest number of hops.

Handle alerts generated by Kismet Newcore in OSSEC.

ivMeta is based on information in . It will attempt to pull the following bits of information from an iPhone video: * Maker - should always be Apple * iOS Software version * Date video was taken * GPS co-ords where video was taken * Model of phone

Running a Nessus scan through a Meterpreter pivot using a SOCKS4 Proxy.

It is generally accepted that most passwords in common use are based on dictionary words however, some people decide to use keyboard patterns instead and to try to spot these I've created Passpat. Passpat uses data files containing the layouts of common keyboards to walk each word through the keyboard and score the word based on how close it is to being a pattern. For now I'm taking pattern to mean keys which are next to each other, while qpalzm is a pattern picking something like that up is currently out of the scope of this project.

My opinion on the eBay password reset policy - no pasting and 20 character caps are bad.

Sony were hacked, it was bad. That's all.

KreiosC2 can now channel data over TinyURL and JPEG as well as the original Twitter.

Pipal of a database dump from comicbookdb.

This months BruCON 5x5 project came from an idea sent to me by a friend after I released . Passpat takes passwords and tries to find keyboard patters in them, Pat to Pass is almost the opposite, it takes observed key presses and tries to convert them to potential passwords. The project in its current state is more a proof of concept and sample code which hopefully can be taken forward to be turned into something practical by someone who has better skills at handling very large lists of data.

A patch for Metasploit to have it play a wav file telling you a new session has been created. Similar to the Core 'Agent Deployed'.

While working on a new project I needed a way to create files containing binary data which I could control, for example all bytes from 0 to 255 in order or just a block of 10 0x03's, so I wrote bin_gen. There are loads of other ways to do this, especially in Linux, but for me this is quick and easy and I don't have to think to use it.

Going to WAR on Tomcat with Laundanum - A short how to on using Laundanum to attack Tomcat servers and how to setup a lab to try it at home.

Viewing Pages documents in Linux - A short shell script to display a document created in Pages in Linux

Converts Nessus v2 reports to various CSV files to help with reporting and continued scanning.

This post, along with part two coming soon, is an accompaniment to my BSides slides and the raw data which I published the other day. Here I try to summarise the results and add my commentry to them.

During BruCON 2012 the organisers announced a very generous competition, they had collected 25,000euro and were going to offer it in 5k euro chunks to five lucky hackers. The condition was you had to submit a proposal saying why you needed the cash. You can read more about it on the BruCON Blog. I've very please to say that I was one of the chosen hackers so want to document what I'm going to do with my share of the cash.

A quick write up on how to exploit Shellshock on telnet via the USER variable.

My DHCP and DNS Metasploit attack modules, now fixed up to work with Ruby 1.9.x

The second part of my write up of the conclusions I've taken from my Breaking In data. This part looks at the qualitative answers given which give some meaning behind some of the stats.