Hi!

Introduction Systems which have IP forwarding or routing enabled (so called routers or gateways) will forward IP packets to other networks where the system is connected to. In pentests, it can be useful to search for such systems, because these systems could be used to access otherwise inaccessible networks and systems. I wrote a small script that automates this task. Script The script can be found on GitHub: ip-forwarding-scanner. The usage is quite simple:...

Introduction The last few days, I was at the GPN22 in Karlsruhe with some friends from our LuXeria hackerspace. We participated in the CTF. Here are the solutions I wrote for the challenges we solved together. So Many Flags Description I heard you like flags, so I launched Chrome with a lot of flags so you can get your flag! The flag is in /flag.txt, and the bot will visit the HTML file you uploaded!...

Introduction Wireshark 4.2.0 added a new functionality [1] that can be used to directly launch a web browser with the SSLKEYLOGFILE environment variable set, in order to easily sniff and decrypt TLS traffic from a started application. Howto This new feature can be found in the Tools menu and then under TLS Keylog Launcher (1). You can specify to which file where the SSLKEYLOGFILE variable should point to (2) in order to save the key material....

Introduction X.509 certificates are used to secure communications online by encrypting data and verifying identities, such as in HTTPS or VPNs. During penetration tests, it’s important to check if systems correctly handle cloned certificates. Cloned certificates are fake copies that look like real ones but aren’t properly signed by a trusted CA. I wrote a simple python script called dollyx509 that creates clones of X.509 certificates. Script and Usage The script can be found on GitHub: dollyx509....

Introduction When you don’t have Internet connection during a web application pentest and you still want to install some BApps in the Burp Suite, you have to download them manually from the BApp Store. If you use a lot extensions, this can be a tedious task. It’s possible to download all BApps using a little script to simplify this task. Script The following script can be used to download all Burp Suite BApps from the BApp Store:...

Introduction In pentests, connecting devices to your own network can be very useful. This enables you to analyze the network traffic and use a transparent proxy to intercept and inspect data transmitted between the devices and servers. This approach helps finding potential security weaknesses in applications and network communications. In order to make this process easier, I created a script that starts a new WiFi that can be used to analyze the network traffic of the connected clients....

Introduction Humble Book Bundle [1] has often very cool books about IT, hacking, security, programming, Linux, Unix, science and other geeky stuff. Sadly there is no reliable way to download all books. This post shows how you can download all books in a quick and reliable way using a bookmarklet. Precondition Of course, first you need to buy the Humble Book Bundle. For this example, I use the “Secure Your Stuff by Apress” Humble Book Bundle:...

Introduction Recently, I read on Twitter that SNI spoofing can be used to bypass deep packet inspection. This is the Tweet: Ok, so SNI spoofing is cooler than I thought. It’s easy to bypass these deep packet inspection devices and Next Gen firewall filters. Want to visit a “malicious” website? Getting blocked? Just change the SNI value to a windows update address. - @nullenc0de on Twitter (https://twitter.com/nullenc0de/status/1159805999332638720) I wanted to understand how this works and how it can be done, so started playing around with curl....

Introduction I was recently playing around with DNSSEC and figured out that the root DNS zone . uses NSEC and not NSEC3 to prove the absence of a resource record. This looked interesting to me and triggered some ideas. So I did some experiments and here are the results. TL;Dr: The most interesting facts: The root DNS zone uses NSEC can be therefore be DNSSEC zone walked There are more than 1500 TLDs More than 90% of all TLDs haven DNSSEC configured The most used algorithm for signing DNS zones is RSA/SHA-256 53 TLDs also use NSEC and can therefore also be DNSSEC zone walked Note: The results may not be exactly accurate because it was not always verified if every query was always successful....

Introduction In pentests, you often need to create X.509 certificates (e.g. for TLS) or Certificate Authorities (CAs) to mimic secure environments during your tests. Manually generating these certificates with tools like openssl can be time-consuming and error-prone, especially when you’re in a hurry. Who remembers all these commands? Whether you’re setting up a fake webserver for data exchange, a proxy setup, a machine-in-the-middle (MITM) attack, testing secure connections, or creating your own CA chain, manually generate these certificates should not take much time....

Introduction There was an advent calendar on http://xmas.rip/ that had a little network riddle every day: The riddles are very fun. I solved all except for the one on day 22. Here are my solutions. 1/TCP Day 1: Connect to port 1 using ncat and the -C option to send proper CRLF linebreaks. Sadly, the service does not support the HELP command that would output all services: $ ncat -C xmas....

Introduction WireGuard is a relatively new open-source software for creating VPN tunnels on the IP layer using state of the art cryptography. I attended a self-organized session by the creator and developer Jason Donenfeld at the 34c3 who explained how WireGuard works and how it can be used. I was quite impressed by it’s simplicity and gave it a try. It worked more or less out of the box. Now I created a more advanced setup for accessing my home network....

Introduction The RFC 4648 (The Base16, Base32, and Base64 Data Encodings) defines different methods to encode binary data. Every Unix like system has the tool base64 installed to encode and decode data using the base64 alphabet. This alphabet includes the characters A-Z, a-z, 0-9, +, / for the data and = for padding. The base16 encoding scheme, better known as hex encoding, uses the alphabet 0-9 and A-F. This encoding is case-insensitive....

Introduction If you take a photo with your Jolla phone, the date and time is not saved in the EXIF data. I like to have these data stored in my pictures, so they can easy be renamed. I wrote a script to add the date and time to the EXIF data based on the timestamp on the filesystem. Script The script does the following: Add the EXIF timestamp according to the filesystem timestamp Renames the photo like YYYY-mm-dd_HH-MM-SS Rotates the photo correctly Here is the script:...

Introduction This post describes an installation of Arch Linux with GPT (GUID partition table), LUKS (Linux Unified Key Setup) and LVM (Logical Volume Manager) with the basic graphical window manager i3. LVM is set up on top of LUKS. Systemd-boot is used as an EFI compatible boot manager. I wrote this post, so next time I don’t have to search all the information in the Arch Linux Wiki. For more details, consult the links in the reference section....