sending am-ook using metasploit and rftransceiver

Towards the end of last year, I found myself playing around with some basic AM/OOK SDR stuff™. That resulted in ooktools being built to help with making some of that work easier and to help me learn. A few days ago, metasploit announced new ‘rftransceiver’ capabilities that were added to the framework with a similar goal of making this research easier.

This post is about me playing with these new toys, as well as releasing a few small modules I wrote.


ooktools: on-off keying tools for your sdr

In a previous post, I spoke about a simple static key remote and how to replicate its signal using a small python script and RfCat. As part of the work done there, I set out to write a small tool that should help with some of the tasks involved with this process.

Let's take a look at ooktools, how to use it and the internals thereof. For those in a rush, the repository can be found here:


reverse engineering static key remotes with gnuradio and rfcat

At defcon24 this year, I impulsively bought myself some new toys. Amongst what I got was a YARD Stick One and a Ubertooth One. I already owned a DVB-T dongle much like this one, which I bought at defcon23 the previous year.

My interest in Software Defined Radio has long been one of those where I felt so overwhelmed by the idea for a very long time that I dared not try it. This, together with the fact that it's something I know nothing about, really did make this bit of research pretty daunting at first.

Nonetheless, here is my adventure into reverse engineering a plain static key remote and successfully replaying it from my computer.


awesome nmap grep

Nmap’s greppable output is really handy. Saving greppable output from a scan means the output is delimited in a way that can be easily processed using tools such as grep, sed, cut and awk.

This post shows a few examples of post scan processing of the greppable output produced with the -oG flag. A more up to date repository with examples and command explanations can be found in my awesome-nmap-grep github repository.
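The kind of post-scan slicing described above, as an added example that is not the post's own commands nor anything from the awesome-nmap-grep repository: the .gnmap content below is constructed for illustration (it follows the -oG layout, where each host line is tab separated and every port entry is port/state/proto/owner/service/rpcinfo/version/), and the function names are mine.

```shell
#!/bin/sh
# Added example: slicing nmap -oG (greppable) output with grep and awk.
# The sample .gnmap below is constructed, not real scan output.

GNMAP="${TMPDIR:-/tmp}/sample.gnmap"
{
  printf '# Nmap 7.80 scan initiated Tue Jan  1 00:00:00 2019 as: nmap -sV -oG sample.gnmap 10.0.0.0/29\n'
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.14.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf 'Host: 10.0.0.2 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 3.X/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.3 ()\tStatus: Down\n'
  printf '# Nmap done at Tue Jan  1 00:00:30 2019 -- 8 IP addresses (2 hosts up) scanned in 30.00 seconds\n'
} > "$GNMAP"

# Hosts nmap reported as up (field 2 of a "Host:" line is the address).
live_hosts() {
  grep 'Status: Up' "$1" | awk '{ print $2 }' | sort -u
}

# Hosts with a given port open, e.g. open_ports scan.gnmap 445.
# Anchoring on "Ports: " or ", " avoids matching 3389 when asking for 389.
open_ports() {
  grep -E "(Ports: |, )$2/open/" "$1" | awk '{ print $2 }' | sort -u
}

# Number of open ports per host; gsub() returns how many "/open/" it saw.
open_port_counts() {
  grep 'Ports:' "$1" | awk '{ ip = $2; n = gsub(/\/open\//, "&"); print ip, n }'
}

# One line per open port: "ip port/proto service version" ("-" when -sV gave none).
services() {
  awk -F '\t' '
    $2 ~ /^Ports: / {
      split($1, h, " "); ip = h[2]
      n = split(substr($2, 8), entry, ", ")
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
      }
    }' "$1"
}

echo "live hosts:";          live_hosts "$GNMAP"
echo "hosts with 445 open:"; open_ports "$GNMAP" 445
echo "open ports per host:"; open_port_counts "$GNMAP"
echo "services:";            services "$GNMAP"
```

The same four functions work unchanged on a real scan: replace the constructed file with the path given to -oG. Note that 443 is reported as closed in the sample, so open_ports deliberately does not return 10.0.0.1 for it.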


rooting darknet

It's been a while since I have done a vulnerable boot2root from @VulnHub. So, I decided to pick up where I last left off. After paging back from the latest VMs to where I roughly stopped last year, my attention was drawn to Darknet by @Q3rv0.

This is how I managed to solve a VM that totally kicked my ass! While I was solving this VM, I also tried out a Kali Docker image! This actually worked out great.


kerberos, kerberoast and golden tickets

Active Directory is almost always in scope for pentests. There is sometimes a competitive nature amongst pentesters where the challenge is to see who can set a new record for gaining Domain Administrator privileges the fastest. How sad is that?

The reality is that, many times, the escalation process is trivial. Pwn some workstation with admin creds, grab credentials out of lsass and pass the hash to move around laterally. This has been the typical breakfast of many pentesters. Heck, there are even attempts to automate this type of process because, personally, I feel it's getting pretty old. Yet, it's still very viable as an attack method due to its high success rate!

This post however tries to look at it from a little fresher perspective. There are many posts like this out there, but this one is mine. Mostly just a brain dump that I can refer to later. Many others have written this up (maybe even in greater detail), so definitely have a look around!


a totally unnecessary composer shell


A silly reverse shell invoked via the Composer Dependency Manager. Source here

Composer, which is most probably the most popular PHP dependency manager, allows scripts to run as callbacks based on an event. Callbacks are normally triggered just before or after certain events.

It is possible to provide shell commands in the scripts property of the required composer.json file (with a few restrictions), but this method echoes the command that it executes. A slightly more covert approach is to execute a cleverly named static function in a class included in the codebase, one that composer can autoload.
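The layout described above, as an added example that is not the author's composer shell: a constructed composer.json whose post-install-cmd hook names a static method in a psr-4 autoloaded class, next to a plain shell-command hook for comparison, followed by a small check for which hooks a cloned repository would run. The acme/demo package name, the Acme\Build\Hooks class and the file paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a Composer project with an event-hook script, plus a quick audit of
# such hooks before running `composer install`. Package name, namespace and paths
# (acme/demo, Acme\Build\Hooks, src/Hooks.php) are made up for illustration.

WORK="${TMPDIR:-/tmp}/composer-hook-demo"
mkdir -p "$WORK/src"

# "post-install-cmd" points at a static method that Composer resolves through the
# psr-4 autoload map; "post-update-cmd" is a plain shell command, which Composer
# echoes when it runs it.
cat > "$WORK/composer.json" <<'EOF'
{
    "name": "acme/demo",
    "autoload": {
        "psr-4": { "Acme\\Build\\": "src/" }
    },
    "scripts": {
        "post-install-cmd": [
            "Acme\\Build\\Hooks::postInstall"
        ],
        "post-update-cmd": "echo updated"
    }
}
EOF

# The autoloaded class. Composer passes a Composer\Script\Event to the callback and
# prints nothing about the call itself, unlike a shell-command script.
cat > "$WORK/src/Hooks.php" <<'EOF'
<?php
namespace Acme\Build;

use Composer\Script\Event;

final class Hooks
{
    public static function postInstall(Event $event): void
    {
        // Runs with the privileges of whoever ran `composer install`.
        $event->getIO()->write('<info>Generated optimized autoload files</info>');
    }
}
EOF

# List the event names declared under "scripts". Line-based heuristic for a
# pretty-printed composer.json; prefer `jq .scripts composer.json` when jq is available.
composer_hooks() {
  awk '
    /"scripts"[[:space:]]*:/ { in_scripts = 1; depth = 0 }
    in_scripts {
      opened = split($0, a, "{") - 1
      closed = split($0, b, "}") - 1
      depth += opened - closed
      if (match($0, /"(pre|post)-[a-z-]+"/)) print substr($0, RSTART + 1, RLENGTH - 2)
      if (closed > 0 && depth <= 0) in_scripts = 0
    }' "$1"
}

# Handlers of the form Vendor\Class::method, i.e. PHP from the codebase that will run.
composer_class_handlers() {
  grep -o '"[A-Za-z0-9_\\]*::[A-Za-z0-9_]*"' "$1" | tr -d '"'
}

echo "hooks:";          composer_hooks "$WORK/composer.json"
echo "class handlers:"; composer_class_handlers "$WORK/composer.json"
# To install a project you do not yet trust without firing any of these:
#   composer install --no-scripts
```

Run the two check functions against a freshly cloned project before its first `composer install`; a class-method handler on an install or update event is exactly the quiet variant the post describes, and `--no-scripts` lets you pull dependencies while you read what that class does.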


canarytokens - the maybe not so obvious


Recently I became aware of the canarytokens project by the guys over at Thinkst. The basic idea is to manipulate things like documents or services in such a way that using them triggers an alert via some form of ‘phone home’ feature. This is probably better known as ‘honeydocs’. In the case of canarytokens, the phone home can be either a DNS or an HTTP request coupled with a unique token. As paraphrased from the project's website, this is no new groundbreaking idea, just another usable one.

In this post, I just want to take a few moments and jot down my findings when investigating the documents generated by this project.


flick II vuln vm with a mobile twist

tl;dr Flick II just got published on Vulnhub! You should try it =)

introduction

After about a year since Flick I, I have finally managed to get Flick II out to VulnHub. I learned a lot from Flick I and as a result applied it to Flick II. The making of Flick II was also a very different story. If I have to compare it to the first one (which took 3 nights to build start to finish), Flick II took way longer.

jenkins to meterpreter toying with powersploit

Recently I came across a few Jenkins continuous integration servers. A relatively old version I might add, but that fact was not important. What was important though was the fact that it was not configured to be ‘secure’. Right out of the box, Jenkins does not require any authentication to make use of it. In fact, it seems like it's almost plug and play.
