DigiNinja
https://digi.ninja/rss.xml
Security and general IT tools and tips
Language: en-gb
Copyright Robin Wood
Last built: 2022-05-26T08:20:19+01:00
Category: IT Security

A brief description of how to crack Flask session cookies and an introduction to the Cracked Flask Lab.
https://digi.ninja/blog/cracked_flask.php
Sun, 12 Sep 2021 00:00:00 +0100

The DNS server that WSL2 uses returns records in a different way to a normal DNS server and because of this I ended up trying to log into the wrong server. This is my quick analysis of what is different, and what it caused to happen.
https://digi.ninja/blog/wsl2_dns.php
Fri, 02 Dec 2022 00:00:00 +0000

Talking about a way I found to split XSS payloads over multiple inputs to bypass input length limitations and input filtering.
https://digi.ninja/blog/split_xss.php
Mon, 01 Nov 2021 00:00:00 +0000

Overriding the JavaScript alert function to find a hidden XSS.
https://digi.ninja/blog/alert_hijack.php
Tue, 11 Aug 2020 00:00:00 +0100
A story of how I tracked down a Cross-Site Scripting issue by overriding the built-in alert function to trigger a breakpoint.

I've added a new lab for looking at different ways to use HTML5 postMessage and their associated vulnerabilities - HTML postMessage Lab.
https://digi.ninja/labs.php
Tue, 06 Jul 2021 00:00:00 +0100

Another update to the Authlab, this time covering how to use John the Ripper and Hashcat to crack the keys used to sign JWTs. For more information, and a walk through, see JWT Cracking Authentication Lab.
https://digi.ninja/projects/authlab.php#landjwtcracking
Sun, 07 Jun 2020 00:00:00 +0100

I've just added a new challenge to the lab looking at exploiting the none algorithm. For more information, and a walk through, see JWT None Authentication Lab.
https://digi.ninja/projects/authlab.php#landjwtnone
Tue, 06 Apr 2021 00:00:00 +0100

Added a new lab to play with GraphQL. It includes a set of working examples of how to make and manipulate various queries and mutations, and then a set of challenges to test what you learned.
https://digi.ninja/labs.php
Wed, 04 Mar 2020 00:00:00 +0000

A story about having to push through elitism to get to the real community.
https://digi.ninja/blog/entering_community.php
Sat, 08 Jun 2019 00:00:00 +0100
My story relating being a newcomer to a triathlon forum, asking for advice, and the initial elitist responses I got, and what I've heard some newcomers to the hacker community saying about our community. The TLDR is that there are macho jerks everywhere, but if you persevere, the majority of people are nice and are willing to help.

An offer to take some friends running during SteelCon 2019.
https://digi.ninja/blog/ninja_run_19.php
Sat, 07 Sep 2019 00:00:00 +0100

A walkthrough of a process which allows off the shelf hardware to automatically acquire a valid TLS certificate on startup.
https://digi.ninja/blog/ots_tls_cert.php
Sat, 06 Feb 2021 00:00:00 +0000

A proof of concept demonstration to go with the blog post TLS certs for internal OTS hardware.
https://digi.ninja/projects/ots_tls_cert_poc.php
Sat, 06 Feb 2021 00:00:00 +0000

I was recently contacted by Ryan Dewhurst to help him with an XSS issue he was having problems with. Ryan knows his stuff, and if he was having problems with something, I knew it had to be a fun challenge. This blog post covers debugging quirks in browser behaviour and some information on how JavaScript URIs work.
https://digi.ninja/blog/jsurixss.php
Sun, 03 Jan 2021 00:00:00 +0000

A set of walkthroughs for the challenges set in my Authentication Lab.
https://digi.ninja/projects/authlab.php
Sat, 05 Oct 2019 00:00:00 +0100

I want my blog to reach as wide an audience as possible and, to help with that, I'm asking my readers to make suggestions for changes which will help make the site more accessible.
https://digi.ninja/blog/becoming_accessible.php
Sun, 03 Jan 2021 00:00:00 +0000

Using HTTP pipelining to hide requests.
https://digi.ninja/blog/pipelining.php
Wed, 03 Jun 2020 00:00:00 +0100
In this post I'm going to discuss using HTTP pipelining to hide malicious HTTP requests. This is not domain fronting but uses similar techniques to get the same result: an observer who is not able to perform TLS interception is only able to see the "good" request, which conceals the "bad" request.

A worked example of setting up domain fronting with Cloudflare using ESNI.
https://digi.ninja/blog/cloudflare_example.php
Wed, 02 Sep 2020 00:00:00 +0100
Whether you think it is true 'domain fronting' or just something that is similar, this post walks through how Cloudflare use SNI to protect against attackers modifying the HTTP Host header and then how ESNI can be used instead to help ensure any 'bad' traffic goes unnoticed by observers.

A 101 on domain fronting along with some examples.
https://digi.ninja/blog/domain_fronting.php
Sat, 02 Nov 2019 00:00:00 +0000
Domain fronting has been around for years and I've always understood the concept but never actually looked at exactly how it works. That was until recently when I did some work with Chris Truncer who had us set it up as part of a red team test. That was the point I had to get down and understand the actual inner workings. Luckily Chris is a good teacher and the concept is fairly simple when it is broken down into pieces.

A worked example of setting up domain fronting with Cloudfront.
https://digi.ninja/blog/cloudfront_example.php
Sat, 02 Nov 2019 00:00:00 +0000
This post accompanies the post A 101 on Domain Fronting and in it we are going to set up both a site to use for domain fronting and then a fronted site.

Some research on how to hide commands from the bash history.
https://digi.ninja/blog/hiding_bash_history.php
Wed, 10 Jan 2018 00:00:00 +0000
Have you ever logged in to a box, started running commands, and then remembered the bash history will be logging everything you run? I've done it occasionally so thought I should do some research on what the options are. This post covers what I came up with; please get in touch if you have any other ideas.

Protecting against XSS in SVG
https://digi.ninja/blog/svg_xss.php
Thu, 08 Mar 2018 00:00:00 +0000
A client had the requirement to allow users to upload SVG files to their web app; these files then had to be displayed. As SVG files can contain JavaScript and can be used for Cross-Site Scripting attacks, I had to do some investigating to find ways to allow them to do what they wanted safely.

A walkthrough of my vuLnDAP project
https://digi.ninja/blog/vulndap_walkthrough.php
Thu, 08 Mar 2018 00:00:00 +0000
This is a full walk through detailing how I would go through my vuLnDAP challenge. There are probably plenty of other ways this can be done so don't take this as the only or best. If you do have a better way, please let me know.

A logic gate challenge set by Pippa for the 2018 SteelCon kids track.
https://digi.ninja/blog/pippa_steelcon_logic.php
Sat, 07 Jul 2018 00:00:00 +0100
In 2017, Pippa was learning about cryptography and set a couple of crypto challenges for the SteelCon kids track; this year we are working on logic gates so she has set a challenge based on that.

Invalid HTTP requests and bypassing rewrite rules in lighttpd
https://digi.ninja/blog/lighttpd_rewrite_bypass.php
Thu, 04 Jun 2020 00:00:00 +0100
Using an invalid HTTP request to bypass rewrite rules in lighttpd and the story of how I found the problem.

SNMP Config File Injection to Shell
https://digi.ninja/blog/snmp_to_shell.php
Thu, 04 Jul 2019 00:00:00 +0100
A walk through from getting injection into an SNMP config file to getting a shell.

dotnetsheff Headers and Cookies Slides
https://digi.ninja/blog/dotnetsheff_headers.php
Sun, 02 Sep 2018 00:00:00 +0100
A copy of the slides from my dotnetsheff talk on HTTP security headers and cookies.

Burp Macros and Session Handling.
https://digi.ninja/blog/burp_macros.php
Wed, 01 Jan 2020 00:00:00 +0000
A worked example of using Burp Suite macros and session handling.

Programming with Google.
https://digi.ninja/blog/programming_with_google.php
Wed, 01 May 2019 00:00:00 +0100
The slides and video from my talk at Wild West Hackinfest on programming by copying and pasting from Google.

Shellshock and the Telnet USER Variable
https://digi.ninja/blog/telnet_shellshock.php
Sun, 11 Mar 2018 00:00:00 +0000
A quick write up on how to exploit Shellshock on telnet via the USER variable.

Stealing CSRF tokens with XSS
https://digi.ninja/blog/xss_steal_csrf_token.php
Thu, 11 Jan 2018 00:00:00 +0000
Techniques using both raw JavaScript and jQuery to use XSS to grab a CSRF token and then submit the form it protects.

A custom wordlist generator with a twist.
https://digi.ninja/projects/rsmangler.php
Thu, 28 Sep 2017 00:00:00 +0100
A custom wordlist generator that creates permutations of all the input words as well as just manipulating them individually.

A banking mutual authentication scheme that does not work.
https://digi.ninja/blog/mutual_auth.php
Mon, 10 Apr 2017 00:00:00 +0100
A write up on how a common mutual authentication scheme used by a number of banks can be easily proxied and turned against the bank.

NoSQLi Lab
https://digi.ninja/projects/nosqli_lab.php
Mon, 10 Apr 2017 00:00:00 +0100
With the rise in popularity of NoSQL I figured it was time to build a lab so I could have a play with the different techniques used to attack them. This was the result...

New tool, Sitediff
https://digi.ninja/projects/sitediff.php
Mon, 06 Feb 2017 00:00:00 +0000
Imagine the scenario: you are testing a site running an open source package but are not sure what version and need to find out. The site does not include any helpful comments in the HTML and there is no README file. The package isn't a popular one so none of the regular fingerprinting apps recognise it. What can you do? Call in Sitediff; it takes a local directory of files and then requests each of them from the target site and reports back on what it finds.

Accidentally Sharing CrashPlan Data
https://digi.ninja/blog/crashplan.php
Thu, 19 Jan 2017 00:00:00 +0000
A story of how Christmas generosity in sharing his backup plan resulted in a friend's files being accessible by all his family.

The plagiarism of Christian Bruhin
https://digi.ninja/blog/christian_bruhin_plagiarism.php
Fri, 16 Dec 2016 00:00:00 +0000
There is lots of plagiarism going on on the internet; unfortunately for Christian, he decided that he was happy to do it and accepted the risks it created.

Windows RDP client, show login page
https://digi.ninja/blog/rdp_show_login_page.php
Thu, 24 Nov 2016 00:00:00 +0000
A short howto on getting the Windows RDP client to show the server login page rather than ask for credentials itself.

The results of a small experiment to see what my heart rate was like during my SANS instructor murder board.
https://digi.ninja/blog/murder_heart.php
Wed, 16 Nov 2016 00:00:00 +0000

I see a lot of requests for technical help with tools and projects, some good, some bad. This post covers what I like to see when someone asks a question.
https://digi.ninja/blog/asking_for_help.php
Thu, 10 Nov 2016 00:00:00 +0000

Here is a little trick I just learned about to help prevent things like API keys from ending up in your Git repo. I've mentioned it to a few Git loving developers who all claimed that it is obvious and that loads of people are already using it, but, as we regularly see keys in GitHub, I'd guess that it's a case of what people know they should be doing versus what they are actually doing. The trick uses Git hooks to catch content pre-commit and block anything that it thinks is suspicious.
https://digi.ninja/blog/git_hooks.php
Fri, 28 Oct 2016 00:00:00 +0100

I've spent the day testing an app which disables the right click context menu. This makes testing tricky, so I found a one liner which I could drop into the browser console to re-enable it for me.
https://digi.ninja/blog/enable_right_click.php
Tue, 18 Oct 2016 00:00:00 +0100

Asking the question, when it is acceptable to miss a vulnerability on a test.
https://digi.ninja/blog/missing_a_vuln.php
Wed, 13 Apr 2016 00:00:00 +0100

Trying to understand why the EE web portal doesn't have a password change feature.
https://digi.ninja/blog/ee_no_password_change.php
Tue, 05 Apr 2016 00:00:00 +0100

A short guide to exploiting POST based reflected XSS using CSRF and iframes.
https://digi.ninja/blog/xss_through_csrf.php
Sun, 04 Jun 2017 00:00:00 +0100

A write up of my recent experiences of getting clients involved during testing.
https://digi.ninja/blog/interactive_pentesting.php
Sun, 04 Dec 2016 00:00:00 +0000

A short howto on removing the obfuscation added to non-default passwords by Nessus.
https://digi.ninja/blog/hacking_nasl.php
Sun, 03 Dec 2017 00:00:00 +0000

Pipal analysis of a password dump from the Neofriends dating site.
https://digi.ninja/projects/pipal.php#neofriends
Mon, 02 Mar 2015 00:00:00 +0000

Pipal analysis of 13,000 passwords from the Lizard Squad dump.
https://digi.ninja/projects/pipal.php#lizard
Wed, 21 Jan 2015 00:00:00 +0000

Pipal analysis of 1800 passwords dumped from Minecraft.
https://digi.ninja/projects/pipal.php#minecraft
Wed, 21 Jan 2015 00:00:00 +0000

Pipal analysis of a password dump from a dating site.
https://digi.ninja/projects/pipal.php#datingsite
Sat, 27 Dec 2014 00:00:00 +0000

My opinion on the Sony hack.
https://digi.ninja/blog/sony_hack.php
Sony were hacked, it was bad. That's all.

A huge thank you to the amazing hacker community.
https://digi.ninja/blog/thanks_hackers.php
Turning comments from a negative troll into a positive, a reminder of how great our community is.

A tool to follow HTTP redirects showing the full details at each request, collecting and replaying cookies on the way.
https://digi.ninja/projects/http_traceroute.php

Pipal of a database dump from comicbookdb.
https://digi.ninja/projects/pipal.php#comicbookdb

Pipal gets a Kippo log parser to show what passwords attackers are using when brute forcing SSH servers.
https://digi.ninja/blog/pipal_email_checker.php
For a long time I've been curious what password lists attackers are using when they try to brute force my ssh servers, so I finally got round to setting up a Kippo honeypot and writing a custom Pipal Splitter to parse through the logs and pull out the info.

A Pipal analysis of the Manga Traders password dump, some interesting results when looking at demographics and reuse of username/email addresses as passwords.
https://digi.ninja/projects/pipal.php#mangatraders

A new Pipal checker to look at the relationship between email addresses and passwords.
https://digi.ninja/blog/pipal_email_checker.php

My opinion on the eBay password reset policy - no pasting and 20 character caps are bad.
https://digi.ninja/blog/ebay.php

Custom word list generator based on tweets - Update to use the new Twitter search API
https://digi.ninja/projects/twofi.php
Twofi takes keywords and usernames and collects tweets based on these terms. It then extracts individual words and uses them to create a custom word list. Update to use the new Twitter search API.

A script I knocked together to import issues from my DradisPro install into MediaWiki so they could be the start of my issues library.
https://digi.ninja/projects/mediawiki_dradis_import.php
For quite a while now I've been planning to import all my Dradis issues into MediaWiki to make reusing issues easier. Till now, each time I wanted to reuse an issue I've had to open a new browser and go back to find the old project where the issue was used, then copy and paste it into the new project, which is a real pain to do. So I finally bit the bullet and created a MediaWiki VM. Rather than mess around with manually copying all my issues across I developed this little script to automate it.

Do you include steps to reproduce vulnerabilities in your security reports? In this post I think about how to do this.
https://digi.ninja/blog/reproduce_report.php
Three times in the past few months I've been asked by clients to retest previous findings to see if they have been successfully fixed. One of the reports I was given was one I'd written, the other two were by other testers.
For my report I couldn't remember anything about the test; reading the report gave me some clues but I was really lucky and found that I'd left myself a test harness in the client's folder fully set up to test the vulnerability. One of the other two was testing for a vulnerability I'd never heard of and couldn't find anything about on Google. I finally tracked down the original tester and it turns out there is a simple tool which tests for the issue, and one command line script later the retest was over. The final issue was one that I knew about but had a really good write up that, even if I'd not heard of it, had a full walk through on how to reproduce the test.

Part two of the exploiting RIP series, this time looking at RIPv2 and its authentication mechanisms.
https://digi.ninja/blog/rip_v2.php
In part one of this series, Exploiting RIP, we set up a GNS3 lab with RIPv1 and managed to exploit it by injecting a fake route into the network. As a way to protect against this, RIPv2 can use authentication to try to stop unauthorised routes being added to the system. From what I've read, authentication was not added to RIPv2 as a security mechanism but as a way to prevent routes from accidentally being added when incorrectly configured routers are added to the network.
In this post I'll work through changing the lab from version 1 to version 2 and then enabling the different levels of authentication. At each stage I will show weaknesses in the system and ways to abuse them.

A Pipal analysis of the recent Tesco password disclosure.
https://digi.ninja/projects/pipal.php#tesco

Write up of my efforts to track down what turned out to be an accidental DoS against my Gmail account.
https://digi.ninja/blog/gmail_dos.php
If anyone was watching my Twitter feed over the last few days you'll have seen me complaining about my Gmail account being down. It wasn't down completely, I could still access the web interface and read all old mails, but I hadn't had any new emails in since 4AM on Thursday. I have various other mail accounts, some Gmail, some not, so I tried sending myself mails from those accounts to see if things were broken or whether I had just become very unpopular. None of the mails got through. I also tested sending emails out and none of those worked either, so there was definitely a problem. By Friday lunchtime I'd had a couple of mails but nothing much so I figured I'd better do some digging and get it fixed.

Setting up a RIPv1 lab in GNS3 and then exploiting it to poison routes between two machines.
https://digi.ninja/blog/rip_v1.php
In this lab I'm going to look at RIPv1, probably the most basic routing protocol. As with the VLAN labs I'm building this one in GNS3 and linking it to a VirtualBox machine running Debian. The plan is to build a network with three routers all using RIP to sync their routing information. I'll then use the attacking box to inject a fake route into the network and so divert traffic away from its real target. If you are not familiar with RIP, it is a hop based system where each hop is a unit and traffic is routed across the shortest number of hops.

Abusing Cisco Dynamic Trunking Protocol, DTP, to change a switch port from access to trunk mode to gain access to all VLAN traffic.
https://digi.ninja/blog/abusing_dtp.php
In the first two parts of this dig into layer 2 I covered how to set up a lab using GNS3 and VirtualBox and then adding and interacting with VLANs. In this part I want to look at using Cisco's Dynamic Trunking Protocol - DTP - to change the state of a port from access mode to trunk mode to allow us to gain access to all the VLANs on the network.
The previous link gives a more thorough overview of DTP but in summary, it is a protocol developed by Cisco to allow devices connected to a switch to negotiate whether they need their port to be in trunk or access mode. It is enabled by default on all ports so has to be deliberately disabled by an admin to turn it off. Ports default to access mode, leaving devices such as switches, which need a trunk port, to request it. A port can be changed from one state to the other through a single DTP packet and there is no authentication; this makes it great as an attacker as you can easily switch your port to trunk mode on any switch which has DTP enabled.

Adding VLANs to the GNS3/VirtualBox Lab
https://digi.ninja/blog/gns_vbox_vlan_lab.php
Adding VLANs to the GNS3/VirtualBox Lab - In this post I show how to add VLANs to the lab and how to move between them on the switch. I then show what can happen if you get on to a trunk port and get to control your own VLAN tagging.

Integrating GNS3 and VirtualBox - This is the first part of a series integrating GNS3 and VirtualBox to build a lab to play with layer 2 attacks
https://digi.ninja/blog/gns_vbox_basic_lab.php
Integrating GNS3 and VirtualBox - Having come from a development background rather than a sys-admin one, my knowledge of layer 2 is not as good as I'd like it to be so I've decided to do something about it. I've always been interested in VLANs and the idea of bypassing them so thought that would be a good place to start. This is the first part of a series building a lab to test out different layer 2 attacks.

Sitemap2Proxy takes the sitemap published by a web app and requests each page through your specified proxy. This release adds response code stats to the output.
https://digi.ninja/projects/sitemap2proxy.php

Building a lab with ModSecurity and DVWA.
https://digi.ninja/blog/modsecurity_lab.php
I've been meaning to build a ModSecurity lab for a while and seeing as I had some free time I decided it was about time to do it and to document it for everyone to share. The lab I built uses an up-to-date version of ModSecurity with a rule set taken from the SpiderLabs github repo and, so there is something to attack, I've included DVWA.

Version 5.0 of CeWL adds proxy and basic/digest authentication support along with a few small bug fixes.
https://digi.ninja/projects/cewl.php

Extract meta data from videos taken on iPhones.
https://digi.ninja/projects/ivmeta.php
ivMeta is based on information in this article on finding meta data in iPhone videos. It will attempt to pull the following bits of information from an iPhone video:
* Maker - should always be Apple
* iOS Software version
* Date video was taken
* GPS co-ords where video was taken
* Model of phone

The second part of my introduction to using ZAP to test WebSockets, this part focuses on fuzzing.
https://digi.ninja/blog/zap_fuzzing.php
The following article is part two of my introduction to ZAP and testing WebSockets; in this episode I'll cover fuzzing. If you've not used ZAP before I suggest you look at some of the official tutorials first - ZAP home page, Videos. You can find my first part here: OWASP ZAP and Web Sockets. The testing is being done against a small WebSockets based app I wrote called SocketToMe which has a few published services along with a few unpublished ones. In this article we are going to look at one of the published ones and try to identify some of the unpublished ones. The first feature I'll investigate is the number guessing game. Here the system picks a random number between 1 and 100 and you have to guess it. I'm going to cheat and see if I can get ZAP to play all 100 numbers for me to go for a quick win.

I recently decided it was time to learn how to test WebSockets and so decided to take the opportunity to learn a bit about how ZAP works. This two part blog post covers a brief intro to ZAP and how it interacts with WebSockets and then looks in depth at how to fuzz them.
https://digi.ninja/blog/zap_web_sockets.php
With the slow uptake of HTML5, WebSockets are going to start being seen in more and more applications so I figured I'd better learn how to test them before being put in front of them on a client test and having to learn as I went along. I figured the best way to do this was to build a very simple application then throw in a proxy and see what happened. Unfortunately my proxy of choice, Burp Suite, currently doesn't handle WebSockets so I had to look for one that did. The only one, and this is their claim, that does is the OWASP Zed Attack Proxy, or ZAP for short. I'd been meaning to learn how to use it for a while so this seemed like the perfect opportunity. If anything in here is wrong, please get in touch and I'll fix it; I'm learning as I go along so may well be doing the odd thing wrong, however it does all seem to work. I started by writing a small WebSocket based app which I called SocketToMe which has a few basic services: chat, a number guess game and a couple of other features. I figured I'd start with interception then have a look at fuzzing.

A WebSocket based application which goes alongside the blog post on ZAP and WebSockets.
https://digi.ninja/projects/sockettome.php
SocketToMe is a little application I wrote to go along with my blog post on testing WebSockets. It combines chat, a simple number guessing game and a few other hidden features. The app is in two parts, the WebSocket app and a web page to access it. The whole lot is written in PHP and is the first WebSocket work I've done so don't look on it as an example of how to do things.

Pipal now has a modular structure allowing you to write your own Checkers and Splitters; this is a brief introduction to how they both work.
https://digi.ninja/blog/pipal_goes_modular.php

A proof of concept application which takes observed key presses and generates a list of potential passwords.
https://digi.ninja/projects/pat_to_pass.php
This month's BruCON 5x5 project came from an idea sent to me by a friend after I released Passpat. Passpat takes passwords and tries to find keyboard patterns in them; Pat to Pass is almost the opposite, it takes observed key presses and tries to convert them to potential passwords. The project in its current state is more a proof of concept and sample code which hopefully can be taken forward to be turned into something practical by someone who has better skills at handling very large lists of data.

Enumerating shares on the SpiderOak network.
https://digi.ninja/projects/spidering_spideroak.php
Spidering SpiderOak - By looking at the differences between responses it is possible to enumerate valid account names and then shares on the SpiderOak network. This post covers how I researched this, the findings and how it could be fixed.

A companion tool to Pipal which can spot keyboard patterns in password lists.
https://digi.ninja/projects/passpat.php
It is generally accepted that most passwords in common use are based on dictionary words however, some people decide to use keyboard patterns instead and to try to spot these I've created Passpat. Passpat uses data files containing the layouts of common keyboards to walk each word through the keyboard and score the word based on how close it is to being a pattern. For now I'm taking pattern to mean keys which are next to each other, while qpalzm is a pattern picking something like that up is currently out of the scope of this project.https://digi.ninja/projects/passpat.phpA simple script to create files containing binary data.
https://digi.ninja/projects/bin_gen.php
While working on a new project I needed a way to create files containing binary data which I could control, for example all bytes from 0 to 255 in order or just a block of 10 0x03's, so I wrote bin_gen. There are loads of other ways to do this, especially in Linux, but for me this is quick and easy and I don't have to think to use it.https://digi.ninja/projects/bin_gen.phpUsing Google Analytics tracking codes to find relationships between domains.
https://digi.ninja/projects/tracker_tracking.php
When doing reconnaissance on clients it is often useful to try to identify other websites or companies who are related to your target. One way to do this is to look at who is managing the Google Analytics traffic for them and then find who else they manage. There are a few online services which do this, the probably best known being ewhois, but whenever you use someone else's resources you are at their mercy over things like accuracy of the data and coverage, especially if you are working for a small client who hasn't been scanned by them then you won't get any results. This is where my tracker tracking tool comes in. The tool is in two parts, the first uses the power of the nmap engine to scan all the domains you are interested in and pull back tracking codes, these are then output in the standard nmap format along with the page title. I've then written a second script which takes the output and generates a grouped and sorted CSV file which you can then analyse.https://digi.ninja/projects/tracker_tracking.phpHow I'm going to spend my share of the 25,000 euro BruCON 5x5 cash.
https://digi.ninja/blog/brucon_5x5.php
During BruCON 2012 the organisers announced a very generous competition, they had collected 25,000euro and were going to offer it in 5k euro chunks to five lucky hackers. The condition was you had to submit a proposal saying why you needed the cash. You can read more about it on the BruCON Blog. I've very please to say that I was one of the chosen hackers so want to document what I'm going to do with my share of the cash.https://digi.ninja/blog/brucon_5x5.phpAbusing a DDNS service to find IP cameras around the world.
https://digi.ninja/projects/ip_camera_finder.php
When I bought an IP camera to watch by daughters cot I didn't expect to end up writing tools to find others around the world, I also didn't expect it to be so poorly secured.https://digi.ninja/projects/ip_camera_finder.phpAn idea for a report writing competition
https://digi.ninja/blog/report_writing_comp.php
A lot of conferences have CTFs but how about testing people's report writing skills as well? This post contains some ideas I've had to run a competition which would test report writing skills.https://digi.ninja/blog/report_writing_comp.phpA Metasploit module for enumerating directories and files through MySQL
https://digi.ninja/metasploit/mysql_file_enum.php
Tim Tomes wrote a blog post on enumerating directories and files through a MySQL connection, this module automates that process.https://digi.ninja/metasploit/mysql_file_enum.phpDNS reconnaissance against wildcard domains
https://digi.ninja/blog/dns_wildcard_recon.php
I recently did a test against a company and in the debrief they asked how I managed to enumerate so many of their subdomains as they were using a wildcard DNS setup and the previous tester had commented that it prevented DNS enumeration. When I explained to them how the wildcard only obscured valid domains they had a few choice words for the previous tester and I figured it would make a nice little blog post.https://digi.ninja/blog/dns_wildcard_recon.phpA story about Hakin9, the kings of spam
https://digi.ninja/blog/hakin9_spam_kings.php
About once a fortnight I get a request to write an article for Hakin9 or one of its sister publications, this article details my attempts to stop this spam.https://digi.ninja/blog/hakin9_spam_kings.phpA review of the Corelan Live Win32 Exploit Dev Bootcamp
https://digi.ninja/blog/corelan.php
I've just got back from BruCON 2012 where I started the week with the Corelan Live - Win32 Exploit Development Bootcamp. A lot of people asked about the course and what it covered so I've put this together.https://digi.ninja/blog/corelan.phpExtract all URLs from a sitemap.xml file and request them through a proxy of your choosing.
https://digi.ninja/projects/sitemap2proxy.php
When doing a web app test you usually end up spidering the site you are testing but what if the site could tell you most of that all about theirhout you going hunting for it. Bring on sitemap.xml, a file used by a lot of sites to tell spiders, like Google, all about their content. This script takes that file and parses it to extract all the URLs then requests each one through your proxy of choice (Burp, ZAP, etc). Now this won't find anything that isn't mentioned in the file and it won't do any brute forcing but it is a nice way to identify all the pages on the site that the admins want you to know about. https://digi.ninja/projects/sitemap2proxy.phpVersion 4.3 of CeWL adds result sorting by word count, with optional display of the count, also various bug fixes.
https://digi.ninja/projects/cewl.php
Version 4.3 of CeWL adds result sorting by word count, with optional display of the count, also various bug fixes.https://digi.ninja/projects/cewl.phpHostapd Karma patches updated to hostapd version 1.0
https://digi.ninja/karma/
Hostapd was recently updated to version 1.0 so I've brought the Karma patches up-to-date. This release contains a fully patched source tarball and a patch file if you want to apply it to your own source. I've also added a mention of the hostapd_cli app which you can use to control hostapd once it is running.https://digi.ninja/karma/Are signs of the zodiac used as passwords?
https://digi.ninja/blog/zodiac_passwords.php
I was wondering why dragon and monkey come up so often in Pipal analysis of password lists and it got me wondering if it was to do with Chinese signs of the zodiac so just as an experiment I've just added checking for both Western and Chinese zodiac signs to Pipal. I ran it against the 1 million eHarmony passwords I've got and it looks like they do play a small part in some people passwords.https://digi.ninja/blog/zodiac_passwords.phpDid you know Linux groups can have passwords?
https://digi.ninja/blog/group_password.php
Did you know Linux groups can have passwords? I didn't but I do now, this is how you set them up.https://digi.ninja/blog/group_password.phpCustom word list generator based on tweets
https://digi.ninja/projects/twofi.php
Twofi takes keywords and usernames and collects tweets based on these terms. It then extracts individual words and uses them to create a custom word list.https://digi.ninja/projects/twofi.phpAre secure web frameworks reducing long term security?
https://digi.ninja/blog/web_frameworks.php
Are secure web frameworks reducing long term security? Why I think developers should always think about security, even when someone else is taking care of it for them.https://digi.ninja/blog/web_frameworks.phpVersion 4.2 of CeWL which fixes a major problem found in the spider I'm using.
https://digi.ninja/projects/cewl.php
Turns out that the spider I'm using for CeWL only checks for links in anchor tags where the href uses double quotes which means some links will have been missed. This release fixes that bug and adds the ability to do a depth of 0 search which lets you scan a single page.https://digi.ninja/projects/cewl.phpThis is part two of my write up of the findings from the Breaking In survey.
https://digi.ninja/projects/breaking_in_part_2.php
The second part of my write up of the conclusions I've taken from my Breaking In data. This part looks at the qualitative answers given which give some meaning behind some of the stats.https://digi.ninja/projects/breaking_in_part_2.phpThis is part one of my write up of the findings from the Breaking In survey.
https://digi.ninja/projects/breaking_in_part_1.php
This post, along with part two coming soon, is an accompaniment to my BSides slides and the raw data which I published the other day. Here I try to summarise the results and add my commentry to them.https://digi.ninja/projects/breaking_in_part_1.phpMy slides for my BSides London talk on Breaking in to Security
https://digi.ninja/projects/breaking_in_bsides.php
At BSides London I presented the findings from the Breaking in to Security survey, here are my slides and a link to the data collected so far.https://digi.ninja/projects/breaking_in_bsides.phpA set of interim results from my survey, how do I get started in security?.
https://digi.ninja/projects/breaking_in_interim.php
Seeing as I had over 200 responses to the "Breaking In" survey in just 5 days I've plucked out a couple of interesting stats from the responses and posted them to whet your appitite.https://digi.ninja/projects/breaking_in_interim.phpA copy of my slides from OWASP Leeds covering the perils of autoconfiguring web cams with a bonus set presenting 'Whats in Amazon's buckets'
https://digi.ninja/blog/owasp_leeds.php
The story of how I analysed a new IP web camera and found how it automatically tried to punch a hole through my firewall and register itself with dynamic DNS server to tell the world it was there. The slides also contain a bonus talk covering my blog post and project on 'Whats in Amazon's buckets'https://digi.ninja/blog/owasp_leeds.phpEver wanted to ask, or help answer the question, how do I get started in security?.
https://digi.ninja/projects/breaking_in_1.php
This is my attempt to collect enough data to be able to answer the eternal question, 'How do I get started in Information Security?'. I've put together a questionnaire which I'll summarize the answers from and hopefully present at conferences and also summarise here on the site.https://digi.ninja/projects/breaking_in_1.phpA domain set up to help teach and explain DNS zone transfers.
https://digi.ninja/projects/zonetransferme.php
Ever found yourself in a position where you have to teach or explain DNS zone transfers but not had a domain to run the transfer on? This domain is set up to allow transfers and contains plenty of information to work with. I've also explained how I would interpret the information.https://digi.ninja/projects/zonetransferme.phpPipal is a password analysis tool
https://digi.ninja/projects/pipal.php
Pipal analyses a cracked password list to help analysts spot patterns. Stats are generated on everything from the different lenghts to the character types to the words that other words are based on.https://digi.ninja/projects/pipal.phpHow I found the CHECK Team Leader Web Application exam
https://digi.ninja/blog/check_ctl.php
A write up on my experiences taking, and passing, the CHECK Team Leader Web App Examhttps://digi.ninja/blog/check_ctl.phpA description of the different attack modes in Burp Intruder
https://digi.ninja/blog/burp_intruder_types.php
Burp Intruder has four different attack modes, this post shows the differences between those four modes.https://digi.ninja/blog/burp_intruder_types.phpUsing decompression to avoid filters
https://digi.ninja/blog/compress_filter_avoidance.php
Using decompression to avoid filters - Decompressing data to get it past filters such as IDS.https://digi.ninja/blog/compress_filter_avoidance.phpAn application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.
https://digi.ninja/projects/fdb.php
File Disclosure Browser, an application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.https://digi.ninja/projects/fdb.phpCeWL Version 4
https://digi.ninja/projects/cewl.php
An upgrade to Ruby version 1.9 and fixes to work with Back Track 5.https://digi.ninja/projects/cewl.phpWifi Honey
https://digi.ninja/projects/wifi_honey.php
Automation of setting up a bunch of APs and airodump-ng to work out what encryption a client is probing for.https://digi.ninja/projects/wifi_honey.phpAnalysing Mobile Me
https://digi.ninja/blog/analysing_mobile_me.php
Analysis of the content I found when trawling Mobile Me accounts looking for public information.https://digi.ninja/blog/analysing_mobile_me.phpMobile Me Madness
https://digi.ninja/blog/mobile_me_madness.php
A brief description of how Mobile Me allows access to its file listings and how to interpret them.https://digi.ninja/blog/mobile_me_madness.phpA tool to brute force user accounts on Mobile Me
https://digi.ninja/projects/me_finder.php
This tool will brute force user accounts with Mobile Me and then enumerate files associated with any public accounts found.https://digi.ninja/projects/me_finder.phpAnalysing Amazons Buckets
https://digi.ninja/blog/analysing_amazons_buckets.php
Analysis of the content I found when trawling Amazon's buckets looking for public information.https://digi.ninja/blog/analysing_amazons_buckets.phpWhats in Amazon's buckets?
https://digi.ninja/blog/whats_in_amazons_buckets.php
The description of how I wrote a tool to brute force bucket names from the Amazon S3 system and then take it a step further.https://digi.ninja/blog/whats_in_amazons_buckets.phpA tool to brute force bucket names from Amazon S3
https://digi.ninja/projects/bucket_finder.php
This tool will brute force bucket names from Amazon's S3 system and then enumerate files associated with any public buckets found.https://digi.ninja/projects/bucket_finder.phpGoing to WAR on Tomcat with Laundanum
https://digi.ninja/blog/tomcat_laundanum.php
Going to WAR on Tomcat with Laundanum - A short how to on using Laundanum to attack Tomcat servers and how to setup a lab to try it at home.https://digi.ninja/blog/tomcat_laundanum.phpAn update to my script to mine data out of Google Profiles
https://digi.ninja/projects/gpscan.php
Google Profile scraping can be used a part of recon work to gather staff lists, this script automates that processhttps://digi.ninja/projects/gpscan.phpA little trick to extract stored FTP details
https://digi.ninja/blog/cleartext_creds.php
A little trick to extract stored FTP details by setting up a fake server then capturing the clear text.https://digi.ninja/blog/cleartext_creds.phpDouble tunnels to help a colleague in distress.
https://digi.ninja/blog/double_tunnel.php
Double tunnels to help a colleague in distress - Setting up SSH tunnels to allow external access to an internal network.https://digi.ninja/blog/double_tunnel.phpTiger Scheme Check Team Member Exam - A review of the Check Team Member exam.
https://digi.ninja/blog/tiger_ctm.php
Tiger Scheme Check Team Member Exam - A review of the Check Team Member exam.https://digi.ninja/blog/tiger_ctm.phpA Meterpreter script to download wireless profiles from Windows 7 and Vista boxes.
https://digi.ninja/metasploit/getwlanprofiles.php
A Meterpreter script to download wireless profiles from Windows 7 and Vista boxes.https://digi.ninja/metasploit/getwlanprofiles.phpA short script to do frequency analysis on lines in a file.
https://digi.ninja/projects/counter.php
A short script to do frequency analysis on lines in a file, specifically designed for password reuse analysis.https://digi.ninja/projects/counter.phpWhen All You Can Do Is Read.
https://digi.ninja/blog/when_all_you_can_do_is_read.php
A look at what files are good to try to read when all you have is read only access to a machine, i.e. no directory listing ability.https://digi.ninja/blog/when_all_you_can_do_is_read.phpNessus Through SOCKS Through Meterpreter.
https://digi.ninja/blog/nessus_over_sock4a_over_msf.php
Running a Nessus scan through a Meterpreter pivot using a SOCKS4 Proxy.https://digi.ninja/blog/nessus_over_sock4a_over_msf.phpA modular brute force tool currently supporting HTTP(S), MySQL and SSH.
https://digi.ninja/projects/rsyaba.php
A modular brute force tool currently supporting HTTP(S), MySQL and SSH. Written in Ruby and designed to be easily extendable by using off the shelf protocol libraries.https://digi.ninja/projects/rsyaba.phpHTTP Banner Grabbing Beyond The Root
https://digi.ninja/blog/http_banner_grab_dir.php
HTTP Banner grabbing beyond the root, where do you do your web banner grabbing?https://digi.ninja/blog/http_banner_grab_dir.phpViewing Pages documents in Linux
https://digi.ninja/blog/pages_linux.php
Viewing Pages documents in Linux - A short shell script to display a document created in Pages in Linuxhttps://digi.ninja/blog/pages_linux.phpDo you have a second hand Trojan in your pocket?
https://digi.ninja/blog/pocket_trojan.php
The Trojan in your pocket - Do you know what your phone is doing?https://digi.ninja/blog/pocket_trojan.phpA custom wordlist generator with a twist.
https://digi.ninja/projects/rsmangler.php
A custom wordlist generator that creates permutations of all the input words as well as just manipulating them individuallyhttps://digi.ninja/projects/rsmangler.phpA Metasploit module to accompany my blog post on finding interesting data in MSSQL databases.
https://digi.ninja/metasploit/mssql_idf.php
A Metasploit module to accompany my blog post on finding interesting data in MSSQL databases.https://digi.ninja/metasploit/mssql_idf.phpAutomating searching through MSSQL databases for interesting data.
https://digi.ninja/blog/finding_interesting_db_data.php
Automating looking through MSSQL databases to find interesting sounding column names. Once found automating pulling back some sample data to give a feel as to whether it is worth investigating.https://digi.ninja/blog/finding_interesting_db_data.phpThis scan result beats any I've seen from Nessus, Nikto or Nmap
https://digi.ninja/blog/ultrasound.php
This scan result beats any I've seen from Nessus, Nikto or Nmap. I'm going to be a daddy!https://digi.ninja/blog/ultrasound.phpKarma comes into the modern age with patches for hostapd.
https://digi.ninja/karma/index.php
Karma was originally written for Madwifi and I then updated it to work with Madwifi-ng. This update adds the same functionality to hostapd.https://digi.ninja/karma/index.phpA pair of Metasploit modules to do DHCP exhaustion attack and then act as a DNS MiTM.
https://digi.ninja/metasploit/dns_dhcp.php
My DHCP and DNS Metasploit attack modules, now fixed up to work with Ruby 1.9.xhttps://digi.ninja/metasploit/dns_dhcp.phpConvert Nessus v2 reports to CSV for easier manipulation and reporting.
https://digi.ninja/projects/nexcser.php
Converts Nessus v2 reports to various CSV files to help with reporting and continued scanning.https://digi.ninja/projects/nexcser.phpKismet log manipulation with GISKismet
https://digi.ninja/blog/giskismet_ignore_gps.php
A patch to GISKismet so it will import Kismet data which doesn't include GPS positions.https://digi.ninja/blog/giskismet_ignore_gps.phpUpdated Metasploit sound module
https://digi.ninja/metasploit/session_created.php
Now with added verbosity, reads IP address and port of connecting clients.https://digi.ninja/metasploit/session_created.phpMetasploit DNS MiTM and DHCP Exhaustion modules
https://digi.ninja/metasploit/dns_dhcp_beta.php
I've updated these to run with the latest version of Metasploit.https://digi.ninja/metasploit/dns_dhcp_beta.phpOSSEC rules for handling Kismet alerts files
https://digi.ninja/projects/ossec_kismet_rules.php
Handle alerts generated by Kismet Newcore in OSSEC.https://digi.ninja/projects/ossec_kismet_rules.phpConvert a CSV file to an OSSEC rules file
https://digi.ninja/projects/ossec_rule_converter.php
Save the effort of having to keep an XML file up-to-date and create your rules in a spreadsheet then convert to XML with my app.https://digi.ninja/projects/ossec_rule_converter.phpWhats behind the door?
https://digi.ninja/blog/door.php
I really want to know what is behind this door.https://digi.ninja/blog/door.phpDon't just see on screen that you've got a new Metasploit session, be told by a nice lady.
https://digi.ninja/metasploit/session_created.php
A patch for Metasploit to have it play a wav file telling you a new session has been created. Similar to the Core 'Agent Deployed'.https://digi.ninja/metasploit/session_created.phpWould you give out your password?
https://digi.ninja/blog/password_experiment.php
A write up of an experiment where I asked a class to give me their passwords.https://digi.ninja/blog/password_experiment.phpCeWL Version 3
https://digi.ninja/projects/cewl.php
Now with JS redirect checking and a bug fix for an issue I found in the ruby spider gemhttps://digi.ninja/projects/cewl.phpCalc IP Range
https://digi.ninja/projects/calc_ip_range.php
Given a IP address calculate the top and bottom of its available subnet rangehttps://digi.ninja/projects/calc_ip_range.php#secvidofday
https://digi.ninja/blog/secvidofday.php
What is #secvidofday and why am I doing it?https://digi.ninja/blog/secvidofday.phpMy AP Collection
https://digi.ninja/blog/ap_collection.php
I'm going to be doing some AP testing and this is a small part of the collection.https://digi.ninja/blog/ap_collection.phpReleasing KreiosC2 version 3
https://digi.ninja/kreiosc2/
KreiosC2 can now channel data over TinyURL and JPEG as well as the original Twitter.https://digi.ninja/kreiosc2/The start of the PenTester Scripting project
https://digi.ninja/blog/pentester_scripting.php
How I got involved in yet another new project, this time the PenTester Scripting community wikihttps://digi.ninja/blog/pentester_scripting.phpMetasploit DNS MiTM and DHCP Exhaustion modules
https://digi.ninja/metasploit/dns_dhcp_beta.php
Two new beta Metasploit modules, one for DNS MiTM and one for DHCP Exhaustion attackshttps://digi.ninja/metasploit/dns_dhcp_beta.phpCool new Micro SD reader
https://digi.ninja/blog/microsd.php
This Micro SD reader is so small it is only just larger than the USB connector it is built onhttps://digi.ninja/blog/microsd.phpNew KreiosC2 language pack
https://digi.ninja/projects/kreiosc2.php#download
Split KreiosC2 commands over multiple tweets, a very simple example languagehttps://digi.ninja/projects/kreiosc2.php#downloadBlindly Installing VMs and Using Live CDs
https://digi.ninja/blog.php
Do you know what the VM or live CD you have just downloaded really contains and if you don't, how do you find out?https://digi.ninja/blog.phpKreiosC2 released
https://digi.ninja/
Launching KreiosC2, version 2 of Twitterbot with new name and new dynamic language optionshttps://digi.ninja/New site launched
https://digi.ninja/
I've finally got round to styling the new sitehttps://digi.ninja/