https://digi.ninja/rss.xml Security and general IT tools and tips en-gb Copyright Robin Wood 2021-01-26T23:49:32+01:00 DigiNinja IT Security https://digi.ninja/blog/split_xss.php Mon, 01 Nov 2021 00:00:00 +0000 Talking about a way I found to split XSS payloads over multiple inputs to bypass input length limitations and input filtering. https://digi.ninja/blog/split_xss.php https://digi.ninja/blog/alert_hijack.php Tue, 11 Aug 2020 00:00:00 +0000 A story of how I tracked down a Cross-Site Scripting issue by overriding the built in alert function to trigger a breakpoint. https://digi.ninja/blog/alert_hijack.php https://digi.ninja/labs.php Tue, 06 Jul 2021 00:00:00 +0000 I've added a new lab for looking at different ways to use HTML5 postMessage and their associated vulnerabilities - HTML postMessage Lab. https://digi.ninja/labs.php https://digi.ninja/projects/authlab.php#landjwtcracking Sun, 07 Jun 2020 00:00:00 +0000 Another update to the Authlab, this time covering how to use John the Ripper and Hashcat to crack the keys used to sign JWTs. For more information, and a walk through, see JWT Cracking Authentication Lab. https://digi.ninja/projects/authlab.php#landjwtcracking https://digi.ninja/projects/authlab.php#landjwtnone Tue, 06 Apr 2021 00:00:00 +0000 I've just added a new challenge to the lab looking at exploiting the none algorithm. For more information, and a walk through, see JWT None Authentication Lab. https://digi.ninja/projects/authlab.php#landjwtnone https://digi.ninja/labs.php Wed, 04 Mar 2020 00:00:00 +0000 Added a new lab to play with GraphQL. It includes a set of working examples of how to make and manipulate various queries and mutations, and then a set of challenges to test what you learned. https://digi.ninja/labs.php https://digi.ninja/blog/entering_community.php Sat, 08 Jun 2019 00:00:00 +0000 My story relating being a newcomer to a triathlon forum, asking for advice, and the initial elitist responses I got, and what I've heard some newcomers to the hacker community saying about our community. The TLDR; is that there are macho jerks everywhere, but if you persevere, the majority of people are nice and are willing to help. https://digi.ninja/blog/entering_community.php https://digi.ninja/blog/ninja_run_19.php Sat, 07 Sep 2019 00:00:00 +0000 An offer to take some friends running during SteelCon 2019. https://digi.ninja/blog/ninja_run_19.php https://digi.ninja/blog/ots_tls_cert.php Sat, 06 Feb 2021 00:00:00 +0000 A walkthrough of a process which allows off the shelf hardware to automatically acquire a valid TLS certificate on startup. https://digi.ninja/blog/ots_tls_cert.php https://digi.ninja/projects/ots_tls_cert_poc.php Sat, 06 Feb 2021 00:00:00 +0000 A proof of concept demonstration to go with the blog post TLS certs for internal OTS hardware. https://digi.ninja/projects/ots_tls_cert_poc.php https://digi.ninja/blog/jsurixss.php Sun, 03 Jan 2021 00:00:00 +0000 I was recently contacted by Ryan Dewhurst to help him with an XSS issue he was having problems with. Ryan knows his stuff, and if he was having problems with something, I knew it had to be a fun challenge. This blog post covers debugging quirks in browser behaviour and some information on how JavaScript URIs work. https://digi.ninja/blog/jsurixss.php https://digi.ninja/projects/authlab.php Sat, 05 Oct 2019 00:00:00 +0000 A set of walkthroughs for the challenges set in my Authentication Lab. https://digi.ninja/projects/authlab.php https://digi.ninja/blog/becoming_accessible.php Sun, 03 Jan 2021 00:00:00 +0000 I want my blog to reach as wide an audience as possible and to help with that, I'm asking for my readers to make suggestions for changes which will help make the site more accessible. https://digi.ninja/blog/becoming_accessible.php https://digi.ninja/blog/pipelining.php Wed, 03 Jun 2020 00:00:00 +0000 In this post I'm going to discuss using HTTP pipelining to hide malicious HTTP requests. This is not domain fronting but uses similar techniques to get the same result, an observer who is not able to perform TLS interception is only able to see the "good" request which conceals the "bad" request. https://digi.ninja/blog/pipelining.php https://digi.ninja/blog/cloudflare_example.php Wed, 02 Sep 2020 00:00:00 +0000 Whether you think it is true 'domain fronting' or just something that is similar, this post walks through how Cloudflare use SNI to protect against attackers modifying the HTTP Host header and then how ESNI can be used instead to help ensure any 'bad' traffic goes unnoticed by observers. https://digi.ninja/blog/cloudflare_example.php https://digi.ninja/blog/domain_fronting.php Sat, 02 Nov 2019 00:00:00 +0000 Domain fronting has been around for years and I've always understood the concept but never actually looked at exactly how it works. That was until recently when I did some work with Chris Truncer who had us set it up as part of a red team test. That was the point I had to get down and understand the actual inner workings. Luckily Chris is a good teacher and the concept is fairly simple when it is broken down into pieces. https://digi.ninja/blog/domain_fronting.php https://digi.ninja/blog/cloudfront_example.php Sat, 02 Nov 2019 00:00:00 +0000 This post accompanies the post A 101 on Domain Fronting and in it we are going to setup both a site to use for domain fronting and then a fronted site. https://digi.ninja/blog/cloudfront_example.php https://digi.ninja/blog/hiding_bash_history.php Wed, 10 Jan 2018 00:00:00 +0000 Have you ever logged in to a box, started running commands, and then remembered the bash history will be logging everything you run. I've done it occasionally so thought I should do some research on what the options are. This post covers what I came up with, please get in touch if you have any other ideas. https://digi.ninja/blog/hiding_bash_history.php https://digi.ninja/blog/svg_xss.php Thu, 08 Mar 2018 00:00:00 +0000 A client had the requirement to allow users to upload SVG files to their web app, these files then had to be displayed. As SVG files can contain JavaScript and can be used for Cross-Site Scripting attacks, I had to do some investigating to find ways to allow them to do what they wanted safely. https://digi.ninja/blog/svg_xss.php https://digi.ninja/blog/vulndap_walkthrough.php Thu, 08 Mar 2018 00:00:00 +0000 This is a full walk through detailing how I would go through my vuLnDAP challenge. There are probably plenty of other ways this can be done so don't take this as the only or best. If you do have a better way, please let me know. https://digi.ninja/blog/vulndap_walkthrough.php https://digi.ninja/blog/pippa_steelcon_logic.php Sat, 07 Jul 2018 00:00:00 +0000 In 2017, Pippa was learning about cryptography and set a couple of crypto challenges for the SteelCon kids track, this year we are working on logic gates so she has set a challenge based on that. https://digi.ninja/blog/pippa_steelcon_logic.php https://digi.ninja/blog/lighttpd_rewrite_bypass.php Thu, 04 Jun 2020 00:00:00 +0000 Using an invalid HTTP request to bypass rewrite rules in lighttpd and the story of how I found the problem. https://digi.ninja/blog/lighttpd_rewrite_bypass.php https://digi.ninja/blog/snmp_to_shell.php Thu, 04 Jul 2019 00:00:00 +0000 A walk through from getting injection into an SNMP config file to getting a shell. https://digi.ninja/blog/snmp_to_shell.php https://digi.ninja/blog/dotnetsheff_headers.php Sun, 02 Sep 2018 00:00:00 +0000 A copy of the slides from my dotnetsheff talk on HTTP security headers and cookies. https://digi.ninja/blog/dotnetsheff_headers.php https://digi.ninja/blog/burp_macros.php Wed, 01 Jan 2020 00:00:00 +0000 A worked example of using Burp Suite macros and session handling. https://digi.ninja/blog/burp_macros.php https://digi.ninja/blog/programming_with_google.php Wed, 01 May 2019 00:00:00 +0000 The slides and video from my talk at Wild West Hackinfest on programming by copying and pasting from Google. https://digi.ninja/blog/programming_with_google.php https://digi.ninja/blog/telnet_shellshock.php Sun, 11 Mar 2018 00:00:00 +0000 A quick write up on how to exploit Shellshock on telnet via the USER variable. https://digi.ninja/blog/telnet_shellshock.php https://digi.ninja/blog/xss_steal_csrf_token.php Thu, 11 Jan 2018 00:00:00 +0000 Techniques using both raw JavaScript and jQuery to use XSS to grab a CSRF token and then submit the form it protects. https://digi.ninja/blog/xss_steal_csrf_token.php https://digi.ninja/projects/rsmangler.php Thu, 28 Sep 2017 00:00:00 +0000 A custom wordlist generator that creates permutations of all the input words as well as just manipulating them individually. https://digi.ninja/projects/rsmangler.php https://digi.ninja/blog/mutual_auth.php Mon, 10 Apr 2017 00:00:00 +0000 A write up on how a common mutual authentication scheme used by a number of banks can be easily proxied and turned against the bank. https://digi.ninja/blog/mutual_auth.php https://digi.ninja/projects/nosqli_lab.php Mon, 10 Apr 2017 00:00:00 +0000 With the rise in popularity of NoSQL I figured it was time to build a lab so I could have a play with the different techniques used to attack them. This was the result... https://digi.ninja/projects/nosqli_lab.php https://digi.ninja/projects/sitediff.php Mon, 06 Feb 2017 00:00:00 +0000 Imagine the scenario, you are testing a site running an open source package but not sure what version and need to find out. The site does not include any helpful comments in the HTML and there is no README file. The package isn't a popular one so none of the regular fingerprinting apps recognise it, what can you do? Call in Sitediff, it takes a local directory of files and then requests each of them from the target site and reports back on what it finds. https://digi.ninja/projects/sitediff.php https://digi.ninja/blog/crashplan.php Thu, 19 Jan 2017 00:00:00 +0000 A story of how Christmas generosity in sharing his backup plan resulted in a friend's files being accessible by all his family. https://digi.ninja/blog/crashplan.php https://digi.ninja/blog/christian_bruhin_plagiarism.php Fri, 16 Dec 2016 00:00:00 +0000 There is lots of plagiarism goes on on the internet, unfortunately for Christian, he decided that he was happy to do it and accepted the risks it created. https://digi.ninja/blog/christian_bruhin_plagiarism.php https://digi.ninja/blog/rdp_show_login_page.php Thu, 24 Nov 2016 00:00:00 +0000 A short howto on getting the Windows RDP client to show the server login page rather than ask for credentials itself https://digi.ninja/blog/rdp_show_login_page.php https://digi.ninja/blog/murder_heart.php Wed, 16 Nov 2016 00:00:00 +0000 The results of a small experiment to see what my heart rate was like during my SANS instructor murder board. https://digi.ninja/blog/murder_heart.php https://digi.ninja/blog/asking_for_help.php Thu, 10 Nov 2016 00:00:00 +0000 I see a lot of requests for technical help with tools and projects, some good, some bad. This post covers what I like to see when someone asks a question. https://digi.ninja/blog/asking_for_help.php https://digi.ninja/blog/git_hooks.php Fri, 28 Oct 2016 00:00:00 +0000 Here is a little trick I just learned about to help prevent things like API keys from ending up in your Git repo. I've mentioned it to a few Git loving developers who all claimed that it is obvious and that loads of people are already using it, but, as we regularly see keys in GitHub, I'd guess that its a case of what people know they should be doing verses what they are actually doing. The trick uses Git hooks to catch content pre-commit and block anything that it thinks is suspicious. https://digi.ninja/blog/git_hooks.php https://digi.ninja/blog/enable_right_click.php Tue, 18 Oct 2016 00:00:00 +0000 I've spent the day testing an app which disables the right click context menu, this makes testing tricky so I found a one liner which I could drop into the browser console to re-enable it for me. https://digi.ninja/blog/enable_right_click.php https://digi.ninja/blog/missing_a_vuln.php Wed, 13 Apr 2016 00:00:00 +0000 Asking the question, when it is acceptable to miss a vulnerability on a test. https://digi.ninja/blog/missing_a_vuln.php https://digi.ninja/blog/ee_no_password_change.php Tue, 05 Apr 2016 00:00:00 +0000 Trying to understand why the EE web portal doesn't have a password change feature. https://digi.ninja/blog/ee_no_password_change.php https://digi.ninja/blog/xss_through_csrf.php Sun, 04 Jun 2017 00:00:00 +0000 A short guide to exploiting POST based reflected XSS using CSRF and iframes. https://digi.ninja/blog/xss_through_csrf.php https://digi.ninja/blog/interactive_pentesting.php Sun, 04 Dec 2016 00:00:00 +0000 A write up of my recent experiences of getting clients involved during testing. https://digi.ninja/blog/interactive_pentesting.php https://digi.ninja/blog/hacking_nasl.php Sun, 03 Dec 2017 00:00:00 +0000 A short howto on removing the obfuscation added to non-default passwords by Nessus. https://digi.ninja/blog/hacking_nasl.php https://digi.ninja/projects/pipal.php#neofriends Mon, 02 Mar 2015 00:00:00 +0000 Pipal analysis of of a password dump from the Neofriends dating site. https://digi.ninja/projects/pipal.php#neofriends https://digi.ninja/projects/pipal.php#lizard Wed, 21 Jan 2015 00:00:00 +0000 Pipal analysis of 13,000 passwords from the Lizard Squad dump. https://digi.ninja/projects/pipal.php#lizard https://digi.ninja/projects/pipal.php#minecraft Wed, 21 Jan 2015 00:00:00 +0000 Pipal analysis of 1800 passwords dumped from Minecraft https://digi.ninja/projects/pipal.php#minecraft https://digi.ninja/projects/pipal.php#datingsite Sat, 27 Dec 2014 00:00:00 +0000 Pipal analysis of a password dump from a dating site. https://digi.ninja/projects/pipal.php#datingsite https://digi.ninja/blog/sony_hack.php Sony were hacked, it was bad. That's all. https://digi.ninja/blog/sony_hack.php https://digi.ninja/blog/thanks_hackers.php Turning comments from a negative troll into a positive, a reminder of how great our community is. https://digi.ninja/blog/thanks_hackers.php https://digi.ninja/projects/http_traceroute.php A tool to follow HTTP redirects showing the full details at each request, collecting and replaying cookies on the way. https://digi.ninja/projects/http_traceroute.php https://digi.ninja/projects/pipal.php#comicbookdb Pipal of a database dump from comicbookdb. https://digi.ninja/projects/pipal.php#comicbookdb https://digi.ninja/blog/pipal_email_checker.php For a long time I've been curious what passwords lists attackers are using when they try to brute force my ssh servers so I finally got round to setting up a Kippo honeypot and writing a custom Pipal Splitter to parse through the logs and pull out the info. https://digi.ninja/blog/pipal_email_checker.php https://digi.ninja/projects/pipal.php#mangatraders A Pipal analysis of the Manga Traders password dump, some interesting results when looking at demographics and reuse of username/email addresses as passwords. https://digi.ninja/projects/pipal.php#mangatraders https://digi.ninja/blog/pipal_email_checker.php A new Pipal checker to look at the relationship between email addresses and passwords. https://digi.ninja/blog/pipal_email_checker.php https://digi.ninja/blog/ebay.php My opinion on the eBay password reset policy - no pasting and 20 character caps are bad. https://digi.ninja/blog/ebay.php https://digi.ninja/projects/twofi.php Twofi takes keywords and usernames and collects tweets based on these terms. It then extracts individual words and uses them to create a custom word list - Update to use the new Twitter search API https://digi.ninja/projects/twofi.php https://digi.ninja/projects/mediawiki_dradis_import.php For quite a while now I've been planning to import all my Dradis issues into MediaWiki to make reusing issues easier. Till now, each time I wanted to reuse an issue I've had to open a new browser and go back to find the old project where the issue was used then copy and paste it into the new project, that is a real pain to do. So I finally bit the bullet and created a MediaWiki VM. Rather than mess around with manually copying all my issues across I developed this little script to automate it. https://digi.ninja/projects/mediawiki_dradis_import.php https://digi.ninja/blog/reproduce_report.php Three times in the past few months I've been asked by clients to retest previous findings to see if they have been successfully fixed. One of the reports I was given was one I'd written, the other two were by other testers. For my report I couldn't remember anything about the test, reading the report gave me some clues but I was really lucky and found that I'd left myself a test harness in the client's folder fully set up to test the vulnerability. One of the other two was testing for a vulnerability I'd never heard of and couldn't find anything about on Google. I finally tracked down the original tester and it turns out there is a simple tool which tests for the issue and one command line script later the retest was over. The final issue was one that I knew about but had a really good write up that, even if I'd not heard of it, had a full walk through on how to reproduce the test. https://digi.ninja/blog/reproduce_report.php https://digi.ninja/blog/rip_v2.php In part one of this series, Exploiting RIP, we set up a GNS3 lab with RIPv1 and managed to exploit it by injecting a fake route into the network. As a way to protect against this, RIPv2 can use authentication to try to stop unauthorised routes being added to the system. From what I've read, authentication was not added to RIPv2 as a security mechanism but as a way to prevent routes from accidentally being added when incorrectly configured routers are added to the network. In this post I'll work through changing the lab from version 1 to version 2 and then enabling the different levels of authentication. At each stage I will show weaknesses in the system and ways to abuse them. https://digi.ninja/blog/rip_v2.php https://digi.ninja/projects/pipal.php#tesco A Pipal analysis of the recent Tesco password disclosure. https://digi.ninja/projects/pipal.php#tesco https://digi.ninja/blog/gmail_dos.php If anyone was watching my Twitter feed over the last few days you'll have seen me complaining about my Gmail account being down. It wasn't down completely, I could still access the web interface and read all old mails but hadn't had any new emails in since 4AM on Thursday. I have various other mail accounts, some Gmail, some not, so I tried sending myself mails from those account to see if things were broken or whether I had just become very unpopular. None of the mails got through. I also tested sending emails out and none of those worked either so there was definitely a problem. By Friday lunchtime I'd had a couple of mails but nothing much so I figured I'd better do some digging and get it fixed. https://digi.ninja/blog/gmail_dos.php https://digi.ninja/blog/rip_v1.php In this lab I'm going to look at RIPv1, probably the most basic routing protocol. As with the VLAN labs I'm building this one in GNS3 and linking it to a Virtual Box machine running Debian. The plan is to build a network with three routers all using RIP to sync their routing information. I'll then use the attacking box to inject a fake route into the network and so divert traffic away from its real target. If you are not familiar with RIP it is hop based system where each hop is a unit and traffic is routed across the shortest number of hops. https://digi.ninja/blog/rip_v1.php https://digi.ninja/blog/abusing_dtp.php In the first two parts of this dig into layer 2 I covered how to set up a lab using GNS3 and VirtualBox and then adding and interacting with VLANs. In this part I want to look at using Cisco's Dynamic Trunking Protocol - DTP - to change the state of a port from access mode to trunk mode to allow us to gain access all the VLANs on the network. The previous link gives a more thorough overview of DTP but in summary, it is a protocol developed by Cisco to allow devices connected to a switch negotiate whether they need their port to be in trunk or access mode. It is enabled by default on all ports so has to be deliberately disabled by an admin to turn it off. Ports default to access mode leaving devices such as switches, which need a trunk port, to request it. A port can be changed from one state to the other through a single DTP packet and there is no authentication, this makes it great as an attacker as you can easily switch your port to trunk mode on any switch which has DTP enabled. https://digi.ninja/blog/abusing_dtp.php https://digi.ninja/blog/gns_vbox_vlan_lab.php Adding VLANs to the GNS3/VirtualBox Lab - In this post I show how to add VLANs to the lab and how to move between them on the switch. I then show what can happen if you get on to a trunk port and get to control your own VLAN tagging. https://digi.ninja/blog/gns_vbox_vlan_lab.php https://digi.ninja/blog/gns_vbox_basic_lab.php Integrating GNS3 and VirtualBox - Having come from a development background rather than a sys-admin one, my knowledge of layer 2 is not as good as I'd like it to be so I've decided to do something about it. I've always been interested in VLANs and the idea of bypassing them so thought that would be a good place to start. This is the first part of a series building a lab to test out different layer 2 attacks. https://digi.ninja/blog/gns_vbox_basic_lab.php https://digi.ninja/projects/sitemap2proxy.php Sitemap2Proxy takes the sitemap published by a web app and requests each page through your specified proxy. This release adds response code stats to the output. https://digi.ninja/projects/sitemap2proxy.php https://digi.ninja/blog/modsecurity_lab.php I've been meaning to build a ModSecurity lab for a while and seeing as I had some free time I decided it was about time to do it and to document it for everyone to share. The lab I built uses an up-to-date version of ModSecurity with a rule set taken from the SpiderLabs github repo and, so there is something to attack, I've included DVWA. https://digi.ninja/blog/modsecurity_lab.php https://digi.ninja/projects/cewl.php Version 5.0 of CeWL adds proxy and basic/digest authentication support along with a few small bug fixes. https://digi.ninja/projects/cewl.php https://digi.ninja/projects/ivmeta.php ivMeta is based on information in this article on finding meta data in iPhone videos. It will attempt to pull the following bits of information from an iPhone video: * Maker - should always be Apple * iOS Software version * Date video was taken * GPS co-ords where video was taken * Model of phone https://digi.ninja/projects/ivmeta.php https://digi.ninja/blog/zap_fuzzing.php The following article is part two of my introduction to ZAP and testing WebSockets, in this episode I'll cover fuzzing. If you've not used ZAP before I suggest you look at some of the official tutorials first - ZAP home page, Videos. You can find my first part here OWASP ZAP and Web Sockets. The testing is being done against a small WebSockets based app I wrote called SocketToMe which has a few published services along with a few unpublished ones. In this article we are going to look at one of the published ones and try to identify some of the unpublished ones. The first feature I'll investigate is the number guessing game. Here the system picks a random number between 1 and 100 and you have to guess it. I'm going to cheat and see if I can get ZAP to play all 100 numbers for me to go for a quick win. https://digi.ninja/blog/zap_fuzzing.php https://digi.ninja/blog/zap_web_sockets.php With the slow uptake of HTML5, WebSockets are going to start being seen in more and more applications so I figured I'd better learn how to test them before being put in front of them on a client test and having to learn as I went along. I figured the best way to do this was to build a very simple application then throw in a proxy and see what happened. Unfortunately my proxy of choice, Burp Suite, currently doesn't handle WebSockets so I had to look for one that did. The only one, and this is their claim, that does in the OWASP Zed Attack Proxy, or ZAP for short. I'd been meaning to learn how to use it for a while so this seemed like the perfect opportunity. If anything in here is wrong, please get in touch and I'll fix it, I'm learning as I go along so may well be doing the odd thing wrong however it does all seem to work. I started by writing a small WebSocket based app which I called SocketToMe which has a few basic services, chat, a number guess game and a couple of other features. I figured I'd start with interception then have a look at fuzzing. https://digi.ninja/blog/zap_web_sockets.php https://digi.ninja/projects/sockettome.php SocketToMe is little application I wrote to go along with my blog post on testing WebSockets. It combines chat, a simple number guessing game and a few other hidden features. The app is in two parts, the WebSocket app and a web page to access it. The whole lot is written PHP and is the first WebSocket work I've done so don't look on it as an example of how to do things. https://digi.ninja/projects/sockettome.php https://digi.ninja/blog/pipal_goes_modular.php Pipal now has a modular structure allowing you to write your own Checkers and Splitters, this is a brief introduction to how they both work. https://digi.ninja/blog/pipal_goes_modular.php https://digi.ninja/projects/pat_to_pass.php This months BruCON 5x5 project came from an idea sent to me by a friend after I released Passpat. Passpat takes passwords and tries to find keyboard patters in them, Pat to Pass is almost the opposite, it takes observed key presses and tries to convert them to potential passwords. The project in its current state is more a proof of concept and sample code which hopefully can be taken forward to be turned into something practical by someone who has better skills at handling very large lists of data. https://digi.ninja/projects/pat_to_pass.php https://digi.ninja/projects/spidering_spideroak.php Spidering SpiderOak - By looking at the differences between responses it is possible to enumerate valid account names and then shares on the SpiderOak network. This post covers how I researched this, the findings and how it could be fixed. https://digi.ninja/projects/spidering_spideroak.php https://digi.ninja/projects/passpat.php It is generally accepted that most passwords in common use are based on dictionary words however, some people decide to use keyboard patterns instead and to try to spot these I've created Passpat. Passpat uses data files containing the layouts of common keyboards to walk each word through the keyboard and score the word based on how close it is to being a pattern. For now I'm taking pattern to mean keys which are next to each other, while qpalzm is a pattern picking something like that up is currently out of the scope of this project. https://digi.ninja/projects/passpat.php https://digi.ninja/projects/bin_gen.php While working on a new project I needed a way to create files containing binary data which I could control, for example all bytes from 0 to 255 in order or just a block of 10 0x03's, so I wrote bin_gen. There are loads of other ways to do this, especially in Linux, but for me this is quick and easy and I don't have to think to use it. https://digi.ninja/projects/bin_gen.php https://digi.ninja/projects/tracker_tracking.php When doing reconnaissance on clients it is often useful to try to identify other websites or companies who are related to your target. One way to do this is to look at who is managing the Google Analytics traffic for them and then find who else they manage. There are a few online services which do this, the probably best known being ewhois, but whenever you use someone else's resources you are at their mercy over things like accuracy of the data and coverage, especially if you are working for a small client who hasn't been scanned by them then you won't get any results. This is where my tracker tracking tool comes in. The tool is in two parts, the first uses the power of the nmap engine to scan all the domains you are interested in and pull back tracking codes, these are then output in the standard nmap format along with the page title. I've then written a second script which takes the output and generates a grouped and sorted CSV file which you can then analyse. https://digi.ninja/projects/tracker_tracking.php https://digi.ninja/blog/brucon_5x5.php During BruCON 2012 the organisers announced a very generous competition, they had collected 25,000euro and were going to offer it in 5k euro chunks to five lucky hackers. The condition was you had to submit a proposal saying why you needed the cash. You can read more about it on the BruCON Blog. I've very please to say that I was one of the chosen hackers so want to document what I'm going to do with my share of the cash. https://digi.ninja/blog/brucon_5x5.php https://digi.ninja/projects/ip_camera_finder.php When I bought an IP camera to watch by daughters cot I didn't expect to end up writing tools to find others around the world, I also didn't expect it to be so poorly secured. https://digi.ninja/projects/ip_camera_finder.php https://digi.ninja/blog/report_writing_comp.php A lot of conferences have CTFs but how about testing people's report writing skills as well? This post contains some ideas I've had to run a competition which would test report writing skills. https://digi.ninja/blog/report_writing_comp.php https://digi.ninja/metasploit/mysql_file_enum.php Tim Tomes wrote a blog post on enumerating directories and files through a MySQL connection, this module automates that process. https://digi.ninja/metasploit/mysql_file_enum.php https://digi.ninja/blog/dns_wildcard_recon.php I recently did a test against a company and in the debrief they asked how I managed to enumerate so many of their subdomains as they were using a wildcard DNS setup and the previous tester had commented that it prevented DNS enumeration. When I explained to them how the wildcard only obscured valid domains they had a few choice words for the previous tester and I figured it would make a nice little blog post. https://digi.ninja/blog/dns_wildcard_recon.php https://digi.ninja/blog/hakin9_spam_kings.php About once a fortnight I get a request to write an article for Hakin9 or one of its sister publications, this article details my attempts to stop this spam. https://digi.ninja/blog/hakin9_spam_kings.php https://digi.ninja/blog/corelan.php I've just got back from BruCON 2012 where I started the week with the Corelan Live - Win32 Exploit Development Bootcamp. A lot of people asked about the course and what it covered so I've put this together. https://digi.ninja/blog/corelan.php https://digi.ninja/projects/sitemap2proxy.php When doing a web app test you usually end up spidering the site you are testing but what if the site could tell you most of that all about theirhout you going hunting for it. Bring on sitemap.xml, a file used by a lot of sites to tell spiders, like Google, all about their content. This script takes that file and parses it to extract all the URLs then requests each one through your proxy of choice (Burp, ZAP, etc). Now this won't find anything that isn't mentioned in the file and it won't do any brute forcing but it is a nice way to identify all the pages on the site that the admins want you to know about. https://digi.ninja/projects/sitemap2proxy.php https://digi.ninja/projects/cewl.php Version 4.3 of CeWL adds result sorting by word count, with optional display of the count, also various bug fixes. https://digi.ninja/projects/cewl.php https://digi.ninja/karma/ Hostapd was recently updated to version 1.0 so I've brought the Karma patches up-to-date. This release contains a fully patched source tarball and a patch file if you want to apply it to your own source. I've also added a mention of the hostapd_cli app which you can use to control hostapd once it is running. https://digi.ninja/karma/ https://digi.ninja/blog/zodiac_passwords.php I was wondering why dragon and monkey come up so often in Pipal analysis of password lists and it got me wondering if it was to do with Chinese signs of the zodiac so just as an experiment I've just added checking for both Western and Chinese zodiac signs to Pipal. I ran it against the 1 million eHarmony passwords I've got and it looks like they do play a small part in some people passwords. https://digi.ninja/blog/zodiac_passwords.php https://digi.ninja/blog/group_password.php Did you know Linux groups can have passwords? I didn't but I do now, this is how you set them up. https://digi.ninja/blog/group_password.php https://digi.ninja/projects/twofi.php Twofi takes keywords and usernames and collects tweets based on these terms. It then extracts individual words and uses them to create a custom word list. https://digi.ninja/projects/twofi.php https://digi.ninja/blog/web_frameworks.php Are secure web frameworks reducing long term security? Why I think developers should always think about security, even when someone else is taking care of it for them. https://digi.ninja/blog/web_frameworks.php https://digi.ninja/projects/cewl.php Turns out that the spider I'm using for CeWL only checks for links in anchor tags where the href uses double quotes which means some links will have been missed. This release fixes that bug and adds the ability to do a depth of 0 search which lets you scan a single page. https://digi.ninja/projects/cewl.php https://digi.ninja/projects/breaking_in_part_2.php The second part of my write up of the conclusions I've taken from my Breaking In data. This part looks at the qualitative answers given which give some meaning behind some of the stats. https://digi.ninja/projects/breaking_in_part_2.php https://digi.ninja/projects/breaking_in_part_1.php This post, along with part two coming soon, is an accompaniment to my BSides slides and the raw data which I published the other day. Here I try to summarise the results and add my commentry to them. https://digi.ninja/projects/breaking_in_part_1.php https://digi.ninja/projects/breaking_in_bsides.php At BSides London I presented the findings from the Breaking in to Security survey, here are my slides and a link to the data collected so far. https://digi.ninja/projects/breaking_in_bsides.php https://digi.ninja/projects/breaking_in_interim.php Seeing as I had over 200 responses to the "Breaking In" survey in just 5 days I've plucked out a couple of interesting stats from the responses and posted them to whet your appitite. https://digi.ninja/projects/breaking_in_interim.php https://digi.ninja/blog/owasp_leeds.php The story of how I analysed a new IP web camera and found how it automatically tried to punch a hole through my firewall and register itself with dynamic DNS server to tell the world it was there. The slides also contain a bonus talk covering my blog post and project on 'Whats in Amazon's buckets' https://digi.ninja/blog/owasp_leeds.php https://digi.ninja/projects/breaking_in_1.php This is my attempt to collect enough data to be able to answer the eternal question, 'How do I get started in Information Security?'. I've put together a questionnaire which I'll summarize the answers from and hopefully present at conferences and also summarise here on the site. https://digi.ninja/projects/breaking_in_1.php https://digi.ninja/projects/zonetransferme.php Ever found yourself in a position where you have to teach or explain DNS zone transfers but not had a domain to run the transfer on? This domain is set up to allow transfers and contains plenty of information to work with. I've also explained how I would interpret the information. https://digi.ninja/projects/zonetransferme.php https://digi.ninja/projects/pipal.php Pipal analyses a cracked password list to help analysts spot patterns. Stats are generated on everything from the different lenghts to the character types to the words that other words are based on. https://digi.ninja/projects/pipal.php https://digi.ninja/blog/check_ctl.php A write up on my experiences taking, and passing, the CHECK Team Leader Web App Exam https://digi.ninja/blog/check_ctl.php https://digi.ninja/blog/burp_intruder_types.php Burp Intruder has four different attack modes, this post shows the differences between those four modes. https://digi.ninja/blog/burp_intruder_types.php https://digi.ninja/blog/compress_filter_avoidance.php Using decompression to avoid filters - Decompressing data to get it past filters such as IDS. https://digi.ninja/blog/compress_filter_avoidance.php https://digi.ninja/projects/fdb.php File Disclosure Browser, an application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites. https://digi.ninja/projects/fdb.php https://digi.ninja/projects/cewl.php An upgrade to Ruby version 1.9 and fixes to work with Back Track 5. https://digi.ninja/projects/cewl.php https://digi.ninja/projects/wifi_honey.php Automation of setting up a bunch of APs and airodump-ng to work out what encryption a client is probing for. https://digi.ninja/projects/wifi_honey.php https://digi.ninja/blog/analysing_mobile_me.php Analysis of the content I found when trawling Mobile Me accounts looking for public information. https://digi.ninja/blog/analysing_mobile_me.php https://digi.ninja/blog/mobile_me_madness.php A brief description of how Mobile Me allows access to its file listings and how to interpret them. https://digi.ninja/blog/mobile_me_madness.php https://digi.ninja/projects/me_finder.php This tool will brute force user accounts with Mobile Me and then enumerate files associated with any public accounts found. https://digi.ninja/projects/me_finder.php https://digi.ninja/blog/analysing_amazons_buckets.php Analysis of the content I found when trawling Amazon's buckets looking for public information. https://digi.ninja/blog/analysing_amazons_buckets.php https://digi.ninja/blog/whats_in_amazons_buckets.php The description of how I wrote a tool to brute force bucket names from the Amazon S3 system and then take it a step further. https://digi.ninja/blog/whats_in_amazons_buckets.php https://digi.ninja/projects/bucket_finder.php This tool will brute force bucket names from Amazon's S3 system and then enumerate files associated with any public buckets found. https://digi.ninja/projects/bucket_finder.php https://digi.ninja/blog/tomcat_laundanum.php Going to WAR on Tomcat with Laundanum - A short how to on using Laundanum to attack Tomcat servers and how to setup a lab to try it at home. https://digi.ninja/blog/tomcat_laundanum.php https://digi.ninja/projects/gpscan.php Google Profile scraping can be used a part of recon work to gather staff lists, this script automates that process https://digi.ninja/projects/gpscan.php https://digi.ninja/blog/cleartext_creds.php A little trick to extract stored FTP details by setting up a fake server then capturing the clear text. https://digi.ninja/blog/cleartext_creds.php https://digi.ninja/blog/double_tunnel.php Double tunnels to help a colleague in distress - Setting up SSH tunnels to allow external access to an internal network. https://digi.ninja/blog/double_tunnel.php https://digi.ninja/blog/tiger_ctm.php Tiger Scheme Check Team Member Exam - A review of the Check Team Member exam. https://digi.ninja/blog/tiger_ctm.php https://digi.ninja/metasploit/getwlanprofiles.php A Meterpreter script to download wireless profiles from Windows 7 and Vista boxes. https://digi.ninja/metasploit/getwlanprofiles.php https://digi.ninja/projects/counter.php A short script to do frequency analysis on lines in a file, specifically designed for password reuse analysis. https://digi.ninja/projects/counter.php https://digi.ninja/blog/when_all_you_can_do_is_read.php A look at what files are good to try to read when all you have is read only access to a machine, i.e. no directory listing ability. https://digi.ninja/blog/when_all_you_can_do_is_read.php https://digi.ninja/blog/nessus_over_sock4a_over_msf.php Running a Nessus scan through a Meterpreter pivot using a SOCKS4 Proxy. https://digi.ninja/blog/nessus_over_sock4a_over_msf.php https://digi.ninja/projects/rsyaba.php A modular brute force tool currently supporting HTTP(S), MySQL and SSH. Written in Ruby and designed to be easily extendable by using off the shelf protocol libraries. https://digi.ninja/projects/rsyaba.php https://digi.ninja/blog/http_banner_grab_dir.php HTTP Banner grabbing beyond the root, where do you do your web banner grabbing? https://digi.ninja/blog/http_banner_grab_dir.php https://digi.ninja/blog/pages_linux.php Viewing Pages documents in Linux - A short shell script to display a document created in Pages in Linux https://digi.ninja/blog/pages_linux.php https://digi.ninja/blog/pocket_trojan.php The Trojan in your pocket - Do you know what your phone is doing? https://digi.ninja/blog/pocket_trojan.php https://digi.ninja/projects/rsmangler.php A custom wordlist generator that creates permutations of all the input words as well as just manipulating them individually https://digi.ninja/projects/rsmangler.php https://digi.ninja/metasploit/mssql_idf.php A Metasploit module to accompany my blog post on finding interesting data in MSSQL databases. https://digi.ninja/metasploit/mssql_idf.php https://digi.ninja/blog/finding_interesting_db_data.php Automating looking through MSSQL databases to find interesting sounding column names. Once found automating pulling back some sample data to give a feel as to whether it is worth investigating. https://digi.ninja/blog/finding_interesting_db_data.php https://digi.ninja/blog/ultrasound.php This scan result beats any I've seen from Nessus, Nikto or Nmap. I'm going to be a daddy! https://digi.ninja/blog/ultrasound.php https://digi.ninja/karma/index.php Karma was originally written for Madwifi and I then updated it to work with Madwifi-ng. This update adds the same functionality to hostapd. https://digi.ninja/karma/index.php https://digi.ninja/metasploit/dns_dhcp.php My DHCP and DNS Metasploit attack modules, now fixed up to work with Ruby 1.9.x https://digi.ninja/metasploit/dns_dhcp.php https://digi.ninja/projects/nexcser.php Converts Nessus v2 reports to various CSV files to help with reporting and continued scanning. https://digi.ninja/projects/nexcser.php https://digi.ninja/blog/giskismet_ignore_gps.php A patch to GISKismet so it will import Kismet data which doesn't include GPS positions. https://digi.ninja/blog/giskismet_ignore_gps.php https://digi.ninja/metasploit/session_created.php Now with added verbosity, reads IP address and port of connecting clients. https://digi.ninja/metasploit/session_created.php https://digi.ninja/metasploit/dns_dhcp_beta.php I've updated these to run with the latest version of Metasploit. https://digi.ninja/metasploit/dns_dhcp_beta.php https://digi.ninja/projects/ossec_kismet_rules.php Handle alerts generated by Kismet Newcore in OSSEC. https://digi.ninja/projects/ossec_kismet_rules.php https://digi.ninja/projects/ossec_rule_converter.php Save the effort of having to keep an XML file up-to-date and create your rules in a spreadsheet then convert to XML with my app. https://digi.ninja/projects/ossec_rule_converter.php https://digi.ninja/blog/door.php I really want to know what is behind this door. https://digi.ninja/blog/door.php https://digi.ninja/metasploit/session_created.php A patch for Metasploit to have it play a wav file telling you a new session has been created. Similar to the Core 'Agent Deployed'. https://digi.ninja/metasploit/session_created.php https://digi.ninja/blog/password_experiment.php A write up of an experiment where I asked a class to give me their passwords. https://digi.ninja/blog/password_experiment.php https://digi.ninja/projects/cewl.php Now with JS redirect checking and a bug fix for an issue I found in the ruby spider gem https://digi.ninja/projects/cewl.php https://digi.ninja/projects/calc_ip_range.php Given a IP address calculate the top and bottom of its available subnet range https://digi.ninja/projects/calc_ip_range.php https://digi.ninja/blog/secvidofday.php What is #secvidofday and why am I doing it? https://digi.ninja/blog/secvidofday.php https://digi.ninja/blog/ap_collection.php I'm going to be doing some AP testing and this is a small part of the collection. https://digi.ninja/blog/ap_collection.php https://digi.ninja/kreiosc2/ KreiosC2 can now channel data over TinyURL and JPEG as well as the original Twitter. https://digi.ninja/kreiosc2/ https://digi.ninja/blog/pentester_scripting.php How I got involved in yet another new project, this time the PenTester Scripting community wiki https://digi.ninja/blog/pentester_scripting.php https://digi.ninja/metasploit/dns_dhcp_beta.php Two new beta Metasploit modules, one for DNS MiTM and one for DHCP Exhaustion attacks https://digi.ninja/metasploit/dns_dhcp_beta.php https://digi.ninja/blog/microsd.php This Micro SD reader is so small it is only just larger than the USB connector it is built on https://digi.ninja/blog/microsd.php https://digi.ninja/projects/kreiosc2.php#download Split KreiosC2 commands over multiple tweets, a very simple example language https://digi.ninja/projects/kreiosc2.php#download https://digi.ninja/blog.php Do you know what the VM or live CD you have just downloaded really contains and if you don't, how do you find out? https://digi.ninja/blog.php https://digi.ninja/ Launching KreiosC2, version 2 of Twitterbot with new name and new dynamic language options https://digi.ninja/ https://digi.ninja/ I've finally got round to styling the new site https://digi.ninja/