Mind Your OOPSEC

December 30, 2018

OPSEC is hard, and those OOPS moments can often cost you a campaign when red teaming. In this post I’ll go over how I set up my VMs so I never have to remember to turn on a VPN, stress about having some ‘killswitch’ fail, or end up on the losing end of some network-race-condition nonsense when waking my laptop. Automation isn’t always about convenience for the user. Sometimes it’s also about determinism. ... Read more

Analyzing Data Exfiltration over ICMP

May 11, 2018

I’m a big fan of learning through competition. Capture The Flag games have tremendous utility for training within the Security sector and even outside of it. Intentionally vulnerable web applications, like OWASP’s JuiceShop, are excellent tools for assisting in developing Secure Software Development Life-cycle programs within an organization. So let’s take an exercise I recently came across in a CTF event. The skills required to solve the challenge are actually quite useful in real-world defensive scenarios. ... Read more

Password Spraying with DoxyCannon

April 16, 2018

Password sprays are here to stay. It’s probably a good idea to configure some clever WAF rules, implement captcha systems, and set up additional alerting. But once implemented, how do you test and tune your protective measures? Enter DoxyCannon. DoxyCannon’s name borrows from ProxyCannon, a script that instantiates cloud infrastructure through which one can proxy requests. Unlike ProxyCannon, DoxyCannon gives you the same functionality without needing to rely on cloud providers. ... Read more


August 22, 2017

I’ve been running into more and more Linux boxes that don’t have python 2 installed. It’s been a little frustrating since I like to use a slightly modified version of the famous linuxprivchecker.py that almost all OSCP students know and love. I’m lazy and hate manual enumeration; makes my fingers go numb. I decided to spend an evening translating it to python 3, but quickly realized, “This python is just invoking shell commands, why am I doing this? ... Read more

Creating a VPN Access Point

August 18, 2017

By now, there shouldn’t be any doubt that not only are you being watched online, but your browsing habits, particularly your political ones, are of interest to the current administration. The idea of watch-lists and registries has been decried by conservatives and progressives alike. It should strike a chord with conservatives, who’ve protested gun registrations and national ID cards, as it demonstrates the governmental over-reach that conservatives often denounce. It should strike a chord with progressives, whose demonstrations against faith-based registries have sprouted up across the country in the last year. ... Read more

Chrome Extension Steals Cloudflare Api Tokens

August 3, 2017

Upon receiving news that the popular Chrome Extension, Web Developer, had been compromised, I quickly began to wonder about the what and how. Several stories exist about how the extension came to be compromised and they touched a bit on what it did. This post is meant to expand upon, what I believe to be, the more nefarious behavior of the extension. Since the extension calls out to an attacker-controlled URL, the payload hosted at that URL could be changed to anything at any time. ... Read more

Creating BashBunny Payloads

April 1, 2017

What is it? The BashBunny is an attack platform that allows attackers to create payloads in Bash. The device can be scripted to enumerate as a HID (keyboard), mass storage, serial, or Ethernet device. This enables a multitude of attacks, including things like exfiltrating documents over a network interface or stealing account hashes from locked computers. Creating a Payload: we want to create a payload that allows for easy exfiltration from macOS. ... Read more

Finding Your Way Out From Behind Firewalls with Strict Outbound Rules

February 7, 2017

You’ve achieved code execution on a machine, but for some reason your reverse shell isn’t pinging you back. Or that wget/tftp command isn’t downloading your recon/post-exploitation tools. There’s a chance you’re dealing with an egress problem: the typical ports that need outbound access are blocked. You try the main ones you can think of (21, 22, 53, 80, 8080, 443), but none of them seem to be connecting. Do you start at 1 and manually test? ... Read more

Configuring SSH for Pivoting

February 2, 2017

You’re on a pentesting engagement and you’ve discovered a dual-homed machine that gives you access to a subnet you can’t reach directly from your attack machine. Assuming you’ve compromised at least one machine on the initial network, you can use it as a proxy to other machines on the “hidden” subnet. The ssh client has an often-overlooked configuration file that resides in your ~/.ssh folder. You can configure settings in here that are specific to certain hosts, or you can set default configurations for every host. ... Read more