Welcome!


Welcome to my personal blog about IT, Linux, network & security.

Profile Image

Scanning for IP-Forwarding Systems / Routers Part 2: IPv6 Networks

Introduction In my last blog post (Scanning for IP-Forwarding Systems / Routers), I explained why it can be useful during pentests to identify IP-forwarding systems (also known as routers or gateways) and showcased a script that can be used to identify such systems. In this post, I’ll show how this can be done in IPv6 networks when your host has a routable IPv6 address configured. Script The script can be found on GitHub: ip6-forwarding-scanner. The usage is quite simple: ...

03.11.2024 · 7 min · Emanuel Duss

Scanning for IP-Forwarding Systems / Routers

Introduction Systems which have IP forwarding or routing enabled (so called routers or gateways) will forward IP packets to other networks where the system is connected to. In pentests, it can be useful to search for such systems, because these systems could be used to access otherwise inaccessible networks and systems. I wrote a small script that automates this task. Script The script can be found on GitHub: ip-forwarding-scanner. The usage is quite simple: ...

05.06.2024 · 7 min · Emanuel Duss

CTF Writeup: GPN CTF 2024

Introduction The last few days, I was at the GPN22 in Karlsruhe with some friends from our LuXeria hackerspace. We participated in the CTF. Here are the solutions I wrote for the challenges we solved together. So Many Flags Description I heard you like flags, so I launched Chrome with a lot of flags so you can get your flag! The flag is in /flag.txt, and the bot will visit the HTML file you uploaded! ...

02.06.2024 · 9 min · Emanuel Duss

Wireshark Trick: Sniffing Browser TLS Traffic

Introduction Wireshark 4.2.0 added a new functionality [1] that can be used to directly launch a web browser with the SSLKEYLOGFILE environment variable set, in order to easily sniff and decrypt TLS traffic from a started application. Howto This new feature can be found in the Tools menu and then under TLS Keylog Launcher (1). You can specify to which file where the SSLKEYLOGFILE variable should point to (2) in order to save the key material. Then, a command can be provided in the command line input field (3), which is then started with the SSLKEYLOGFILE variable set. If an application supports the SSLKEYLOGFILE mechanism [3], the TLS keys are the automatically stored in the configured file and Wireshark is able to decrypt the content (4) and show it in cleartext (5). ...

17.11.2023 · 1 min · Emanuel Duss

Script to Clone Certificates (dollyx509)

Introduction X.509 certificates are used to secure communications online by encrypting data and verifying identities, such as in HTTPS or VPNs. During penetration tests, it’s important to check if systems correctly handle cloned certificates. Cloned certificates are fake copies that look like real ones but aren’t properly signed by a trusted CA. I wrote a simple python script called dollyx509 that creates clones of X.509 certificates. Script and Usage The script can be found on GitHub: dollyx509. ...

17.09.2023 · 4 min · Emanuel Duss

Download Burp Suite BApps

Introduction When you don’t have Internet connection during a web application pentest and you still want to install some BApps in the Burp Suite, you have to download them manually from the BApp Store. If you use a lot extensions, this can be a tedious task. It’s possible to download all BApps using a little script to simplify this task. Script The following script can be used to download all Burp Suite BApps from the BApp Store: ...

15.09.2023 · 2 min · Emanuel Duss

Create Evil WiFi Access Point (802.11evil)

Introduction In pentests, connecting devices to your own network can be very useful. This enables you to analyze the network traffic and use a transparent proxy to intercept and inspect data transmitted between the devices and servers. This approach helps finding potential security weaknesses in applications and network communications. In order to make this process easier, I created a script that starts a new WiFi that can be used to analyze the network traffic of the connected clients. ...

12.09.2023 · 3 min · Emanuel Duss

Humble Book Bundle Download Bookmarklet

Introduction Humble Book Bundle [1] has often very cool books about IT, hacking, security, programming, Linux, Unix, science and other geeky stuff. Sadly there is no reliable way to download all books. This post shows how you can download all books in a quick and reliable way using a bookmarklet. Precondition Of course, first you need to buy the Humble Book Bundle. For this example, I use the “Secure Your Stuff by Apress” Humble Book Bundle: ...

30.06.2020 · 2 min · Emanuel Duss

Bypassing Proxy Filters via SNI Spoofing

Introduction Recently, I read on Twitter that SNI spoofing can be used to bypass deep packet inspection. This is the Tweet: Ok, so SNI spoofing is cooler than I thought. It’s easy to bypass these deep packet inspection devices and Next Gen firewall filters. Want to visit a “malicious” website? Getting blocked? Just change the SNI value to a windows update address. - @nullenc0de on Twitter (https://twitter.com/nullenc0de/status/1159805999332638720) I wanted to understand how this works and how it can be done, so started playing around with curl. ...

25.06.2020 · 3 min · Emanuel Duss

Some DNSSEC / NSEC Experiments Starting at the Root Zone

Introduction I was recently playing around with DNSSEC and figured out that the root DNS zone . uses NSEC and not NSEC3 to prove the absence of a resource record. This looked interesting to me and triggered some ideas. So I did some experiments and here are the results. TL;Dr: The most interesting facts: The root DNS zone uses NSEC can be therefore be DNSSEC zone walked There are more than 1500 TLDs More than 90% of all TLDs haven DNSSEC configured The most used algorithm for signing DNS zones is RSA/SHA-256 53 TLDs also use NSEC and can therefore also be DNSSEC zone walked Note: The results may not be exactly accurate because it was not always verified if every query was always successful. ...

20.04.2020 · 16 min · Emanuel Duss

Simple Certificate Creation Script

Introduction In pentests, you often need to create X.509 certificates (e.g. for TLS) or Certificate Authorities (CAs) to mimic secure environments during your tests. Manually generating these certificates with tools like openssl can be time-consuming and error-prone, especially when you’re in a hurry. Who remembers all these commands? Whether you’re setting up a fake webserver for data exchange, a proxy setup, a machine-in-the-middle (MITM) attack, testing secure connections, or creating your own CA chain, manually generate these certificates should not take much time. ...

02.05.2019 · 5 min · Emanuel Duss

Advent Calendar of Advanced Cyber Fun 2018 Write-Up

Introduction There was an advent calendar on http://xmas.rip/ that had a little network riddle every day: The riddles are very fun. I solved all except for the one on day 22. Here are my solutions. 1/TCP Day 1: Connect to port 1 using ncat and the -C option to send proper CRLF linebreaks. Sadly, the service does not support the HELP command that would output all services: ...

24.12.2018 · 42 min · Emanuel Duss

WireGuard VPN Road Warrior Setup

Introduction WireGuard is a relatively new open-source software for creating VPN tunnels on the IP layer using state of the art cryptography. I attended a self-organized session by the creator and developer Jason Donenfeld at the 34c3 who explained how WireGuard works and how it can be used. I was quite impressed by it’s simplicity and gave it a try. It worked more or less out of the box. Now I created a more advanced setup for accessing my home network. ...

29.09.2018 · 17 min · Emanuel Duss

Tool/Script to encode and decode base16 (Hex) data

Introduction The RFC 4648 (The Base16, Base32, and Base64 Data Encodings) defines different methods to encode binary data. Every Unix like system has the tool base64 installed to encode and decode data using the base64 alphabet. This alphabet includes the characters A-Z, a-z, 0-9, +, / for the data and = for padding. The base16 encoding scheme, better known as hex encoding, uses the alphabet 0-9 and A-F. This encoding is case-insensitive. The GNU coreutils do not include a base16 tool. I searched for a hex encoding and decoding tool with the same functionality as base64 without success. That’s why I wrote a script so I can use it to hex encode and decode binary data. Basically, it’s a wrapper around some Perl code. ...

11.03.2017 · 4 min · Emanuel Duss

Fix the photos taken by your Jolla phone (EXIF date/time, rename, rotate)

Introduction If you take a photo with your Jolla phone, the date and time is not saved in the EXIF data. I like to have these data stored in my pictures, so they can easy be renamed. I wrote a script to add the date and time to the EXIF data based on the timestamp on the filesystem. Script The script does the following: Add the EXIF timestamp according to the filesystem timestamp Renames the photo like YYYY-mm-dd_HH-MM-SS Rotates the photo correctly Here is the script: ...

25.08.2016 · 2 min · Emanuel Duss