Category Archives: misc


Washington State

So, it's been a while since I last updated this blog – a bad habit of mine. I moved a while ago to Washington State, to be closer to work. I'm still setting everything up, with all the usual issues that come with moving countries, but yay! New places to visit, new people to meet, new things to do!


The fake CC conversation

During social engineering exercises, one of the difficulties we face is getting a person to click a link or open an attachment. For the past few decades, we haven't seen much change in this. A rather *sad* example, even: a few days ago, Cisco researchers wrote about a quite aggressive piece of malware, Rombertik. While it is relatively advanced technically (uncalled functions, anti-debugging techniques, etc.), one of its modes of distribution is through phishing emails, and quite bad ones at that:


A better way is to do targeted attacks, i.e. spear-phishing attacks, where you focus your attack on a few people, rather than just casting a net and seeing what sticks.

For this, during social engineering engagements, we often like to use the following two techniques:

  • Fake CC
  • Fake email thread



Filtering password lists due to policies

Sometimes, when you're performing a password bruteforce attack, either against local hashes or remotely against a service, you can use password lists rather than a pure (incremental) bruteforce. People are most likely to use dictionary words, names, keyboard combinations or anything related to them. These password lists can be found anywhere online.

The problem is that sometimes you *know* the password policy, but your password list holds a lot of entries that you know won't work: passwords that are simply too short, or that don't contain a digit, and so on.
For example, a service requires at least 6 characters and requires one of them to be a digit; so you know that entries such as "jesus", "satan" and "password" won't work. Still, they are being tried.

During an audit for a company, I ran into that problem – so I wrote a quick and dirty Perl script that takes a large password list and only outputs the passwords that adhere to a certain policy. The policy covers minimum and maximum length, as well as password complexity (has to have a digit, an uppercase letter, …).

You can find it on my GitHub.
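As an added example (not the author's Perl script from his GitHub), here is a Python version of the same idea: read a wordlist and keep only the entries that a given policy would accept. It goes a little beyond the post by also supporting an "at least N of 4 character classes" rule, which many Windows-style complexity policies use; the sample wordlist is constructed.

```python
import re
import sys

# Character classes a policy may require; each entry is a regex that must match.
CHARACTER_CLASSES = {
    "digit": re.compile(r"\d"),
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def matches_policy(password, min_len=0, max_len=None, require=(), min_classes=0):
    """Return True if `password` satisfies the length and complexity policy.

    `require` names classes that must all be present (e.g. ("digit",));
    `min_classes` is the "N of 4" rule: at least that many distinct classes.
    """
    if len(password) < min_len:
        return False
    if max_len is not None and len(password) > max_len:
        return False
    present = {name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)}
    if not set(require) <= present:
        return False
    return len(present) >= min_classes


def filter_by_policy(words, min_len=0, max_len=None, require=(), min_classes=0):
    """Yield the entries of `words` (lines or strings) that the policy accepts."""
    for line in words:
        candidate = line.rstrip("\r\n")  # keep interior/trailing spaces, drop newline
        if candidate and matches_policy(candidate, min_len, max_len, require, min_classes):
            yield candidate


# Constructed sample wordlist; includes the three rejected entries from the post.
SAMPLE_WORDLIST = ["jesus", "satan", "password", "Passw0rd", "abc123", "ab1",
                   "summer2014", "averyveryverylongpassword1"]

if __name__ == "__main__":
    # Usage: python filter_policy.py [wordlist.txt]; falls back to the sample list.
    source = (open(sys.argv[1], errors="replace") if len(sys.argv) > 1
              else SAMPLE_WORDLIST)
    # Example policy from the post: at least 6 characters, one of them a digit.
    for pw in filter_by_policy(source, min_len=6, require=("digit",)):
        print(pw)
```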



MS15-034 online checking tool

A friend and colleague of mine, Bhadresh, made a quick page to check whether your IIS site is vulnerable to MS15-034 (CVE-2015-1635), the HTTP.sys remote code execution vulnerability. Check now, and make sure you don't fall into the hands of blackhats.

You can test it at:


XKCD: hack the stars

This is pretty awesome, from the XKCD cartoons.


So true: code quality

From Lifehacker


HeartBleed: we’re sslcrewed

The year 2014 is only a hundred days old, and this is probably the security bug of the year. In case you haven't heard of it (and shame on you if you haven't): Heartbleed is a vulnerability in OpenSSL's implementation of the TLS Heartbeat extension. Exploitation is very hard to detect, and nearly half a billion (yes, with a B) websites are vulnerable. We're not even talking about most other SSL services, embedded systems and so on. It allows an attacker to read chunks of memory (up to 64 kilobytes at a time) which may contain SSL secret keys, passwords, messages, etc.

More technical information can be seen on, and you can check your site using this site.

You can be sure that most blackhat parties, including several intelligence services, have already tried to extract information from your SSL-enabled websites. If not, you'll see an increase in HTTPS connections this weekend. Patch your servers, change your certificates, change your passwords; all of them. If somebody has been storing all your SSL traffic in the past, they now have a way to find the key and decrypt all of it; it's that bad.


The closedness of software, and its dangers.

Craig of /dev/ttys0 has discovered an interesting backdoor in D-Link routers: by setting your User-Agent to a particular string, it is possible to circumvent the admin authentication challenge.

While this is just one case, who knows how many devices have been "backdoored" over the years, either by manufacturers or by telecom operators (telco-branded all-in-one access points). My advice to anyone: get your own device, or flash OpenWRT onto it.


How the semantic web should come back, and is.

The web has come a long way. Sir Tim Berners-Lee's invention that changed the world has undergone a large metamorphosis in how it provides millions – and now billions – of human beings with information, communication and entertainment.

Early websites had a fair amount of content, but it was surrounded by flashing marquees, background MIDI sounds and non-stop animated GIFs. All that was paired with flashy colour schemes and a Times New Roman typeface.

Fast forward a few years, and the world allowed a small company called Macromedia (later acquired by Adobe) to install a small plugin called "Flash" onto our computers, which opened up a whole new dimension of web interaction. Many websites incorporated large amounts of Flash into their pages, or became Flash-only websites.

With the arrival of the iPhone and iPad, Flash has been pushed into a corner. The late Steve Jobs argued that Flash was an inefficient way to make content look beautiful on battery-powered devices, and the demise of Flash slowly began.

Fast forward another few years, and we're at the level of "content driven" websites. Websites are simpler than ever and the overall theme is becoming minimalistic. Since the majority of websites have similar layouts, HTML5 included a few extra tags (<header>, <aside>, …) to ensure consistency across pages.

"Modern" CSS frameworks such as Twitter Bootstrap, Foundation or Base go a few steps further: by streamlining naming conventions for CSS classes, we get shared classes that make links look like buttons, make navigation bars stay at the top of the screen when we scroll down, and the like.

But is there a way to bring this to HTML5.1? Seeing that the majority of sites (yes, there are always exceptions) have a navigation bar on top, fixed or not, a menu on the left or right and content on the other side, we should have a few extra tags for that.

This could easily be addressed with something like:

      <navbar fixed="true">
        <logo src="logo.gif" />
        <navitem href="/about">About Us</navitem>
        <navitem href="/services">Services</navitem>
        <navitem href="/contact">Contact</navitem>
      </navbar>
      .. content goes here ..
      <menu>
        <menuitem href="/profile">Your Profile</menuitem>
        <menuitem href="/favorites">Favorites</menuitem>
        <menuitem href="/cart">Cart</menuitem>
      </menu>

To do this properly, let these HTML tags declare what an element is, and let the user decide how it should look according to his or her preferences:

  • Do you want the top bar to be sticky?
  • Do you want the menu on top, left or right?
  • Do you like big butt(-and cannot lie?)-ons or a more “professional” look?

I'm not saying we should totally discard CSS and its visual capabilities, but I think we spend too much time coding and consuming styles that don't really make a difference. Users of the Links browser, the few that remain, probably have the last laugh; although I'm sure they miss their frame sets.


Browa10: Brute force script for OWA 2010 servers

A script to quickly test the strength of the passwords used by users on a domain, through an OWA (Outlook Web Access) 2010 interface.
Here's the Ruby code, and its README.

Please use this script responsibly and only against servers you’re authorized to audit.