PlaidCTF writeup for Web-100 (blind sql injection)

Hey folks, I know in my last blog I promised to do a couple exploit ones instead of doing boring Web stuff. But, this level was really easy and I still wanted to do a writeup, so you're just going to have to wait a little while longer for my 'kappa' writeup! This 100-point Web […]

PlaidCTF writeup for Web-300: whatscat (SQL Injection via DNS)

Hey folks, This is my writeup for Whatscat, just about the easiest 300-point Web level I've ever solved! I wouldn't normally do a writeup about a level like this, but much like the mtpox level I actually wrote the exact tool for exploiting this, and even wrote a blog post about it almost exactly 4 […]

PlaidCTF Web-150: mtpox (hash extension attack)

Hey folks, This is going to be my first of a couple writeups about this past weekend's CTF: PlaidCTF! My first writeup is for a 150-point Web level called mtpox. I chose this one to do first not only because it's the first level I completed, but also because the primary vulnerability was a hash […]

Padding oracle attacks: in depth

This post is about padding oracle vulnerabilities and the tool for attacking them - "Poracle" I'm officially releasing right now. You can grab the Poracle tool on Github! At my previous job — Tenable Network Security — one of the first tasks I ever had was to write a vulnerability check for MS10-070 — a […]

Everything you need to know about hash length extension attacks

You can grab the hash_extender tool on Github! (Administrative note: I'm no longer at Tenable! I left on good terms, and now I'm a consultant at Leviathan Security Group. Feel free to contact me if you need more information!) Awhile back, my friend @mogigoma and I were doing a capture-the-flag contest at One of […]

Using “Git Clone” to get Pwn3D

Hey everybody! While I was doing a pentest last month, I discovered an attack I didn't previously know, and I thought I'd share it. This may be a Christopher Columbus moment - discovering something that millions of people already knew about - but I found it pretty cool so now you get to hear about […]

Hacking crappy password resets (part 2)

Hey, In my last post, I showed how we could guess the output of a password-reset function with a million states. While doing research for that, I stumbled across some software that had a mere 16,000 states. I will show how to fully compromise this software package remotely using the password reset.

Hacking crappy password resets (part 1)

Greetings, all! This is part one of a two-part blog on password resets. For anybody who saw my talk (or watched the video) from Winnipeg Code Camp, some of this will be old news (but hopefully still interesting!) For this first part, I'm going to take a closer look at some very common (and very […]

Watch out for exim!

Hey everybody, Most of you have probably heard of the exim vulnerability this week. It has potential to be a nasty one, and my brain is stuffed with its inner workings right now so I want to post before I explode! First off, if you're concerned that you might have vulnerable hosts, I wrote a […]

Faking demos for fun and profit

This week Last week Earlier this month Last month Last year (if this intro doesn't work, I give up trying to post this :) ), I presented at B-Sides Ottawa, which was put on by Andrew Hay and others (and sorry I waited so long before posting this... I kept revising it and not publishing). […]

A call to arms! Web app fingerprints needed!

Hey all, This is partly an overview of a new Nmap feature that I'm excited about, but is mostly a call to arms. I don't have access to enterprise apps anymore, and I'm hoping you can all help me out by submitting fingerprints! Read on for more.

Call for testers: nbtool-0.05 and dnscat-0.05

Hey all, I just released the second alpha build of nbtool (0.05alpha2), and I'm hoping to get a few testers to give me some feedback before I release 0.05 proper. I'm pretty happy with the 0.05 release, but it's easy for me to miss things as the developer. I'm hoping for people to test: Through […]

Five Relays and a Patch

Hey all, We hired a new pair of co-op students recently. They're both in their last academic terms, and are looking for a good challenge and to learn a lot. So, for a challenge, I set up a scenario that forced them to use a series of netcat relays to compromise a target host and […]

Metasploit Express Beta – First Look

This post was written by Matt Gardenghi This is just initial impressions of a beta product. I've been playing with this for about a week now in an internal network.  I have a dedicated box running Ubuntu 10.04 and Metasploit Express.  I've noticed that Express loves CPU time but is much less caring about RAM.  […]

Stuffing Javascript into DNS names

Greetings! Today seemed like a fun day to write about a really cool vector for cross-site scripting I found. In my testing, this attack is pretty specific and, in some ways, useless, but I strongly suspect that, with resources I don't have access to, this can trigger stored cross-site scripting in some pretty nasty places. […]

Weaponizing dnscat with shellcode and Metasploit

Hey all, I've been letting other projects slip these last couple weeks because I was excited about converting dnscat into shellcode (or "weaponizing dnscat", as I enjoy saying). Even though I got into the security field with reverse engineering and writing hacks for games, I have never written more than a couple lines of x86 […]

DNS Backdoors with dnscat

Hey all, I'm really excited to announce the first release of a tool I've put a lot of hard work into: dnscat. It's being released, along with a bunch of other tools that I'll be blogging about, as part of nbtool 0.04.

Pwning hotel guests

Greetings everybody! I spent a good part of the past month traveling, which meant staying in several hotels, both planned and unplanned. There's nothing like having a canceled flight and spending a boring night in San Francisco! But hey, why be bored when you have a packet sniffer installed? :)

Zombie Web servers: are you one?

Greetings! I found this excellent writeup of a Web-server botnet on Slashdot this weekend. Since it sounded like just the thing for Nmap to detect, I wrote a quick script!