<?xml version="1.0" encoding="UTF-8"?> <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <title>DigiNinja</title> <atom:link href='https://digi.ninja/rss.xml' rel='self' type='application/rss+xml' /> <link>https://digi.ninja/rss.xml</link> <description>Security and general IT tools and tips</description> <language>en-gb</language> <copyright>Copyright Robin Wood</copyright> <pubDate>Wed, 27 Nov 2024 18:25:36 +0000</pubDate> <managingEditor>robin@digi.ninja (Robin Wood)</managingEditor> <image><url>https://digi.ninja/graphics/ninja.png</url><title>DigiNinja</title><link>https://digi.ninja/rss.xml</link></image> <item> <title>A brief description of how to crack Flask session cookies and an introduction to the Cracked Flask Lab.</title> <link>https://digi.ninja/blog/cracked_flask.php</link> <guid>https://digi.ninja/blog/cracked_flask.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A brief description of how to crack Flask session cookies and an introduction to the Cracked Flask Lab.</description> </item> <item> <title>The DNS server that WSL2 uses returns records in a different way to a normal DNS server and because of this I ended up trying to log into the wrong server. This is my quick analysis of what is different, and what it caused to happen.</title> <link>https://digi.ninja/blog/wsl2_dns.php</link> <guid>https://digi.ninja/blog/wsl2_dns.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>The DNS server that WSL2 uses returns records in a different way to a normal DNS server and because of this I ended up trying to log into the wrong server. 
This is my quick analysis of what is different, and what it caused to happen.</description> </item> <item> <title>Talking about a way I found to split XSS payloads over multiple inputs to bypass input length limitations and input filtering.</title> <link>https://digi.ninja/blog/split_xss.php</link> <guid>https://digi.ninja/blog/split_xss.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Talking about a way I found to split XSS payloads over multiple inputs to bypass input length limitations and input filtering.</description> </item> <item> <title>Overriding the JavaScript alert function to find a hidden XSS.</title> <link>https://digi.ninja/blog/alert_hijack.php</link> <guid>https://digi.ninja/blog/alert_hijack.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A story of how I tracked down a Cross-Site Scripting issue by overriding the built in alert function to trigger a breakpoint.</description> </item> <item> <title>I've added a new lab for looking at different ways to use HTML5 postMessage and their associated vulnerabilities.</title> <link>https://digi.ninja/labs.php</link> <guid>https://digi.ninja/labs.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>I've added a new lab for looking at different ways to use HTML5 postMessage and their associated vulnerabilities - <a href='https://html5.digi.ninja'>HTML postMessage Lab</a>.</description> </item> <item> <title>Another update to the Authlab, this time covering how to use John the Ripper and Hashcat to crack the keys used to sign JWTs. For more information, and a walk through.</title> <link>https://digi.ninja/projects/authlab.php#landjwtcracking</link> <guid>https://digi.ninja/projects/authlab.php#landjwtcracking</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Another update to the Authlab, this time covering how to use John the Ripper and Hashcat to crack the keys used to sign JWTs. 
For more information, and a walk through, see <a href='https://authlab.digi.ninja#landjwtcracking'>JWT Cracking Authentication Lab</a>.</description> </item> <item> <title>I've just added a new challenge to the lab looking at exploiting the none algorithm. For more information, and a walk through.</title> <link>https://digi.ninja/projects/authlab.php#landjwtnone</link> <guid>https://digi.ninja/projects/authlab.php#landjwtnone</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>I've just added a new challenge to the lab looking at exploiting the none algorithm. For more information, and a walk through, see <a href='https://authlab.digi.ninja#landjwtnone'>JWT None Authentication Lab</a>.</description> </item> <item> <title>Added a new lab to play with GraphQL. It includes a set of working examples of how to make and manipulate various queries and mutations, and then a set of challenges to test what you learned.</title> <link>https://digi.ninja/labs.php</link> <guid>https://digi.ninja/labs.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Added a new lab to play with GraphQL. It includes a set of working examples of how to make and manipulate various queries and mutations, and then a set of challenges to test what you learned.</description> </item> <item> <title>A story about having to push through elitism to get to the real community.</title> <link>https://digi.ninja/blog/entering_community.php</link> <guid>https://digi.ninja/blog/entering_community.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>My story relating being a newcomer to a triathlon forum, asking for advice, and the initial elitist responses I got, and what I've heard some newcomers to the hacker community saying about our community. 
The TLDR; is that there are macho jerks everywhere, but if you persevere, the majority of people are nice and are willing to help.</description> </item> <item> <title>An offer to take some friends running during SteelCon 2019.</title> <link>https://digi.ninja/blog/ninja_run_19.php</link> <guid>https://digi.ninja/blog/ninja_run_19.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>An offer to take some friends running during SteelCon 2019.</description> </item> <item> <title>A walkthrough of a process which allows off the shelf hardware to automatically acquire a valid TLS certificate on startup.</title> <link>https://digi.ninja/blog/ots_tls_cert.php</link> <guid>https://digi.ninja/blog/ots_tls_cert.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A walkthrough of a process which allows off the shelf hardware to automatically acquire a valid TLS certificate on startup.</description> </item> <item> <title>A proof of concept demonstration to go with the blog post <a href='https://digi.ninja/blog/ots_tls_cert.php'>TLS certs for internal OTS hardware</a>.</title> <link>https://digi.ninja/projects/ots_tls_cert_poc.php</link> <guid>https://digi.ninja/projects/ots_tls_cert_poc.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A proof of concept demonstration to go with the blog post <a href='https://digi.ninja/blog/ots_tls_cert.php'>TLS certs for internal OTS hardware</a>.</description> </item> <item> <title>I was recently contacted by <a href='https://twitter.com/ethicalhack3r'>Ryan Dewhurst</a> to help him with an XSS issue he was having problems with. Ryan knows his stuff, and if he was having problems with something, I knew it had to be a fun challenge. 
This blog post covers debugging quirks in browser behaviour and some information on how JavaScript URIs work.</title> <link>https://digi.ninja/blog/jsurixss.php</link> <guid>https://digi.ninja/blog/jsurixss.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>I was recently contacted by <a href='https://twitter.com/ethicalhack3r'>Ryan Dewhurst</a> to help him with an XSS issue he was having problems with. Ryan knows his stuff, and if he was having problems with something, I knew it had to be a fun challenge. This blog post covers debugging quirks in browser behaviour and some information on how JavaScript URIs work.</description> </item> <item> <title>A set of walkthroughs for the challenges set in my <a href='https://authlab.digi.ninja'>Authentication Lab</a>.</title> <link>https://digi.ninja/projects/authlab.php</link> <guid>https://digi.ninja/projects/authlab.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A set of walkthroughs for the challenges set in my <a href='https://authlab.digi.ninja'>Authentication Lab</a>.</description> </item> <item> <title>I want my blog to reach as wide an audience as possible and to help with that, I'm asking for my readers to make suggestions for changes which will help make the site more accessible.</title> <link>https://digi.ninja/blog/becoming_accessible.php</link> <guid>https://digi.ninja/blog/becoming_accessible.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>I want my blog to reach as wide an audience as possible and to help with that, I'm asking for my readers to make suggestions for changes which will help make the site more accessible.</description> </item> <item> <title>Using HTTP pipelining to hide requests.</title> <link>https://digi.ninja/blog/pipelining.php</link> <guid>https://digi.ninja/blog/pipelining.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>In this post I'm going to discuss using HTTP pipelining to hide malicious 
HTTP requests. This is not domain fronting but uses similar techniques to get the same result, an observer who is not able to perform TLS interception is only able to see the "good" request which conceals the "bad" request.</description> </item> <item> <title>A worked example of setting up domain fronting with Cloudflare using ESNI.</title> <link>https://digi.ninja/blog/cloudflare_example.php</link> <guid>https://digi.ninja/blog/cloudflare_example.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Whether you think it is true 'domain fronting' or just something that is similar, this post walks through how Cloudflare use SNI to protect against attackers modifying the HTTP Host header and then how ESNI can be used instead to help ensure any 'bad' traffic goes unnoticed by observers.</description> </item> <item> <title>A 101 on domain fronting along with some examples.</title> <link>https://digi.ninja/blog/domain_fronting.php</link> <guid>https://digi.ninja/blog/domain_fronting.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Domain fronting has been around for years and I've always understood the concept but never actually looked at exactly how it works. That was until recently when I did some work with Chris Truncer who had us set it up as part of a red team test. That was the point I had to get down and understand the actual inner workings. 
Luckily Chris is a good teacher and the concept is fairly simple when it is broken down into pieces.</description> </item> <item> <title>A worked example of setting up domain fronting with Cloudfront.</title> <link>https://digi.ninja/blog/cloudfront_example.php</link> <guid>https://digi.ninja/blog/cloudfront_example.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>This post accompanies the post A 101 on Domain Fronting and in it we are going to setup both a site to use for domain fronting and then a fronted site.</description> </item> <item> <title>Some research on how to hide commands from the bash history.</title> <link>https://digi.ninja/blog/hiding_bash_history.php</link> <guid>https://digi.ninja/blog/hiding_bash_history.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Have you ever logged in to a box, started running commands, and then remembered the bash history will be logging everything you run. I've done it occasionally so thought I should do some research on what the options are. This post covers what I came up with, please get in touch if you have any other ideas.</description> </item> <item> <title>Protecting against XSS in SVG</title> <link>https://digi.ninja/blog/svg_xss.php</link> <guid>https://digi.ninja/blog/svg_xss.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A client had the requirement to allow users to upload SVG files to their web app, these files then had to be displayed. 
As SVG files can contain JavaScript and can be used for Cross-Site Scripting attacks, I had to do some investigating to find ways to allow them to do what they wanted safely.</description> </item> <item> <title>A walkthrough of my vuLnDAP project</title> <link>https://digi.ninja/blog/vulndap_walkthrough.php</link> <guid>https://digi.ninja/blog/vulndap_walkthrough.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>This is a full walk through detailing how I would go through my <a href='/projects/vulndap.php'>vuLnDAP</a> challenge. There are probably plenty of other ways this can be done so don't take this as the only or best. If you do have a better way, please let me know.</description> </item> <item> <title>A logic gate challenge set by Pippa for the 2018 SteelCon kids track.</title> <link>https://digi.ninja/blog/pippa_steelcon_logic.php</link> <guid>https://digi.ninja/blog/pippa_steelcon_logic.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>In 2017, Pippa was learning about cryptography and set a couple of crypto challenges for the SteelCon kids track, this year we are working on logic gates so she has set a challenge based on that.</description> </item> <item> <title>Invalid HTTP requests and bypassing rewrite rules in lighttpd</title> <link>https://digi.ninja/blog/lighttpd_rewrite_bypass.php</link> <guid>https://digi.ninja/blog/lighttpd_rewrite_bypass.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Using an invalid HTTP request to bypass rewrite rules in lighttpd and the story of how I found the problem.</description> </item> <item> <title>SNMP Config File Injection to Shell</title> <link>https://digi.ninja/blog/snmp_to_shell.php</link> <guid>https://digi.ninja/blog/snmp_to_shell.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A walk through from getting injection into an SNMP config file to getting a shell.</description> </item> <item> <title>dotnetsheff Headers 
and Cookies Slides</title> <link>https://digi.ninja/blog/dotnetsheff_headers.php</link> <guid>https://digi.ninja/blog/dotnetsheff_headers.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A copy of the slides from my dotnetsheff talk on HTTP security headers and cookies.</description> </item> <item> <title>Burp Macros and Session Handling.</title> <link>https://digi.ninja/blog/burp_macros.php</link> <guid>https://digi.ninja/blog/burp_macros.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A worked example of using Burp Suite macros and session handling.</description> </item> <item> <title>Programming with Google.</title> <link>https://digi.ninja/blog/programming_with_google.php</link> <guid>https://digi.ninja/blog/programming_with_google.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>The slides and video from my talk at Wild West Hackinfest on programming by copying and pasting from Google.</description> </item> <item> <title>Shellshock and the Telnet USER Variable</title> <link>https://digi.ninja/blog/telnet_shellshock.php</link> <guid>https://digi.ninja/blog/telnet_shellshock.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A quick write up on how to exploit Shellshock on telnet via the USER variable.</description> </item> <item> <title>Stealing CSRF tokens with XSS</title> <link>https://digi.ninja/blog/xss_steal_csrf_token.php</link> <guid>https://digi.ninja/blog/xss_steal_csrf_token.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Techniques using both raw JavaScript and jQuery to use XSS to grab a CSRF token and then submit the form it protects.</description> </item> <item> <title>A custom wordlist generator with a twist.</title> <link>https://digi.ninja/projects/rsmangler.php</link> <guid>https://digi.ninja/projects/rsmangler.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A custom wordlist generator that creates 
permutations of all the input words as well as just manipulating them individually.</description> </item> <item> <title>A banking mutual authentication scheme that does not work.</title> <link>https://digi.ninja/blog/mutual_auth.php</link> <guid>https://digi.ninja/blog/mutual_auth.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A write up on how a common mutual authentication scheme used by a number of banks can be easily proxied and turned against the bank.</description> </item> <item> <title>NoSQLi Lab</title> <link>https://digi.ninja/projects/nosqli_lab.php</link> <guid>https://digi.ninja/projects/nosqli_lab.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>With the rise in popularity of NoSQL I figured it was time to build a lab so I could have a play with the different techniques used to attack them. This was the result...</description> </item> <item> <title>New tool, Sitediff</title> <link>https://digi.ninja/projects/sitediff.php</link> <guid>https://digi.ninja/projects/sitediff.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Imagine the scenario, you are testing a site running an open source package but not sure what version and need to find out. The site does not include any helpful comments in the HTML and there is no README file. The package isn't a popular one so none of the regular fingerprinting apps recognise it, what can you do? 
Call in Sitediff, it takes a local directory of files and then requests each of them from the target site and reports back on what it finds.</description> </item> <item> <title>Accidentally Sharing CrashPlan Data</title> <link>https://digi.ninja/blog/crashplan.php</link> <guid>https://digi.ninja/blog/crashplan.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A story of how Christmas generosity in sharing his backup plan resulted in a friend's files being accessible by all his family.</description> </item> <item> <title>The plagiarism of Christian Bruhin</title> <link>https://digi.ninja/blog/christian_bruhin_plagiarism.php</link> <guid>https://digi.ninja/blog/christian_bruhin_plagiarism.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>There is a lot of plagiarism going on on the internet; unfortunately for Christian, he decided that he was happy to do it and accepted the risks it created.</description> </item> <item> <title>Windows RDP client, show login page</title> <link>https://digi.ninja/blog/rdp_show_login_page.php</link> <guid>https://digi.ninja/blog/rdp_show_login_page.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A short howto on getting the Windows RDP client to show the server login page rather than ask for credentials itself.</description> </item> <item> <title>The results of a small experiment to see what my heart rate was like during my SANS instructor murder board.</title> <link>https://digi.ninja/blog/murder_heart.php</link> <guid>https://digi.ninja/blog/murder_heart.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>The results of a small experiment to see what my heart rate was like during my SANS instructor murder board.</description> </item> <item> <title>I see a lot of requests for technical help with tools and projects, some good, some bad. 
This post covers what I like to see when someone asks a question.</title> <link>https://digi.ninja/blog/asking_for_help.php</link> <guid>https://digi.ninja/blog/asking_for_help.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>I see a lot of requests for technical help with tools and projects, some good, some bad. This post covers what I like to see when someone asks a question.</description> </item> <item> <title>Here is a little trick I just learned about to help prevent things like API keys from ending up in your Git repo. I've mentioned it to a few Git loving developers who all claimed that it is obvious and that loads of people are already using it, but, as we regularly see keys in GitHub, I'd guess that it's a case of what people know they should be doing versus what they are actually doing. The trick uses Git hooks to catch content pre-commit and block anything that it thinks is suspicious.</title> <link>https://digi.ninja/blog/git_hooks.php</link> <guid>https://digi.ninja/blog/git_hooks.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Here is a little trick I just learned about to help prevent things like API keys from ending up in your Git repo. I've mentioned it to a few Git loving developers who all claimed that it is obvious and that loads of people are already using it, but, as we regularly see keys in GitHub, I'd guess that it's a case of what people know they should be doing versus what they are actually doing. 
The trick uses Git hooks to catch content pre-commit and block anything that it thinks is suspicious.</description> </item> <item> <title>I've spent the day testing an app which disables the right click context menu, this makes testing tricky so I found a one liner which I could drop into the browser console to re-enable it for me.</title> <link>https://digi.ninja/blog/enable_right_click.php</link> <guid>https://digi.ninja/blog/enable_right_click.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>I've spent the day testing an app which disables the right click context menu, this makes testing tricky so I found a one liner which I could drop into the browser console to re-enable it for me.</description> </item> <item> <title>Asking the question, when it is acceptable to miss a vulnerability on a test.</title> <link>https://digi.ninja/blog/missing_a_vuln.php</link> <guid>https://digi.ninja/blog/missing_a_vuln.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Asking the question, when it is acceptable to miss a vulnerability on a test.</description> </item> <item> <title>Trying to understand why the EE web portal doesn't have a password change feature.</title> <link>https://digi.ninja/blog/ee_no_password_change.php</link> <guid>https://digi.ninja/blog/ee_no_password_change.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Trying to understand why the EE web portal doesn't have a password change feature.</description> </item> <item> <title>A short guide to exploiting POST based reflected XSS using CSRF and iframes.</title> <link>https://digi.ninja/blog/xss_through_csrf.php</link> <guid>https://digi.ninja/blog/xss_through_csrf.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A short guide to exploiting POST based reflected XSS using CSRF and iframes.</description> </item> <item> <title>A write up of my recent experiences of getting clients involved during testing.</title> 
<link>https://digi.ninja/blog/interactive_pentesting.php</link> <guid>https://digi.ninja/blog/interactive_pentesting.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A write up of my recent experiences of getting clients involved during testing.</description> </item> <item> <title>A short howto on removing the obfuscation added to non-default passwords by Nessus.</title> <link>https://digi.ninja/blog/hacking_nasl.php</link> <guid>https://digi.ninja/blog/hacking_nasl.php</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>A short howto on removing the obfuscation added to non-default passwords by Nessus.</description> </item> <item> <title>Pipal analysis of a password dump from the Neofriends dating site.</title> <link>https://digi.ninja/projects/pipal.php#neofriends</link> <guid>https://digi.ninja/projects/pipal.php#neofriends</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Pipal analysis of a password dump from the Neofriends dating site.</description> </item> <item> <title>Pipal analysis of 13,000 passwords from the Lizard Squad dump.</title> <link>https://digi.ninja/projects/pipal.php#lizard</link> <guid>https://digi.ninja/projects/pipal.php#lizard</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Pipal analysis of 13,000 passwords from the Lizard Squad dump.</description> </item> <item> <title>Pipal analysis of 1800 passwords dumped from Minecraft</title> <link>https://digi.ninja/projects/pipal.php#minecraft</link> <guid>https://digi.ninja/projects/pipal.php#minecraft</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Pipal analysis of 1800 passwords dumped from Minecraft</description> </item> <item> <title>Pipal analysis of a password dump from a dating site.</title> <link>https://digi.ninja/projects/pipal.php#datingsite</link> <guid>https://digi.ninja/projects/pipal.php#datingsite</guid> <pubDate>Sun, 19 May 2002 15:21:36 GMT</pubDate> <description>Pipal 
analysis of a password dump from a dating site.</description> </item> <item> <title>My opinion on the Sony hack.</title> <link>https://digi.ninja/blog/sony_hack.php</link> <guid>https://digi.ninja/blog/sony_hack.php</guid> <description>Sony were hacked, it was bad. That's all.</description> </item> <item> <title>A huge thank you to the amazing hacker community.</title> <link>https://digi.ninja/blog/thanks_hackers.php</link> <guid>https://digi.ninja/blog/thanks_hackers.php</guid> <description>Turning comments from a negative troll into a positive, a reminder of how great our community is.</description> </item> <item> <title>A tool to follow HTTP redirects showing the full details at each request, collecting and replaying cookies on the way.</title> <link>https://digi.ninja/projects/http_traceroute.php</link> <guid>https://digi.ninja/projects/http_traceroute.php</guid> <description>A tool to follow HTTP redirects showing the full details at each request, collecting and replaying cookies on the way.</description> </item> <item> <title>Pipal of a database dump from comicbookdb.</title> <link>https://digi.ninja/projects/pipal.php#comicbookdb</link> <guid>https://digi.ninja/projects/pipal.php#comicbookdb</guid> <description>Pipal of a database dump from comicbookdb.</description> </item> <item> <title>Pipal gets a Kippo log parser to show what passwords attackers are using when brute forcing SSH servers.</title> <link>https://digi.ninja/blog/pipal_email_checker.php</link> <guid>https://digi.ninja/blog/pipal_email_checker.php</guid> <description>For a long time I've been curious what passwords lists attackers are using when they try to brute force my ssh servers so I finally got round to setting up a Kippo honeypot and writing a custom Pipal Splitter to parse through the logs and pull out the info. 
</description> </item> <item> <title>A Pipal analysis of the Manga Traders password dump, some interesting results when looking at demographics and reuse of username/email addresses as passwords.</title> <link>https://digi.ninja/projects/pipal.php#mangatraders</link> <guid>https://digi.ninja/projects/pipal.php#mangatraders</guid> <description>A Pipal analysis of the Manga Traders password dump, some interesting results when looking at demographics and reuse of username/email addresses as passwords.</description> </item> <item> <title>A new Pipal checker to look at the relationship between email addresses and passwords.</title> <link>https://digi.ninja/blog/pipal_email_checker.php</link> <guid>https://digi.ninja/blog/pipal_email_checker.php</guid> <description>A new Pipal checker to look at the relationship between email addresses and passwords.</description> </item> <item> <title>My opinion on the eBay password reset policy - no pasting and 20 character caps are bad.</title> <link>https://digi.ninja/blog/ebay.php</link> <guid>https://digi.ninja/blog/ebay.php</guid> <description>My opinion on the eBay password reset policy - no pasting and 20 character caps are bad.</description> </item> <item> <title>Custom word list generator based on tweets - Update to use the new Twitter search API</title> <link>https://digi.ninja/projects/twofi.php</link> <guid>https://digi.ninja/projects/twofi.php</guid> <description>Twofi takes keywords and usernames and collects tweets based on these terms. 
It then extracts individual words and uses them to create a custom word list - Update to use the new Twitter search API</description> </item> <item> <title>A script I knocked together to import issues from my DradisPro install into MediaWiki so they could be the start of my issues library.</title> <link>https://digi.ninja/projects/mediawiki_dradis_import.php</link> <guid>https://digi.ninja/projects/mediawiki_dradis_import.php</guid> <description>For quite a while now I've been planning to import all my Dradis issues into MediaWiki to make reusing issues easier. Till now, each time I wanted to reuse an issue I've had to open a new browser and go back to find the old project where the issue was used then copy and paste it into the new project, that is a real pain to do. So I finally bit the bullet and created a MediaWiki VM. Rather than mess around with manually copying all my issues across I developed this little script to automate it. </description> </item> <item> <title>Do you include steps to reproduce vulnerabilities in your security reports? In this post I think about how to do this.</title> <link>https://digi.ninja/blog/reproduce_report.php</link> <guid>https://digi.ninja/blog/reproduce_report.php</guid> <description>Three times in the past few months I've been asked by clients to retest previous findings to see if they have been successfully fixed. One of the reports I was given was one I'd written, the other two were by other testers. For my report I couldn't remember anything about the test, reading the report gave me some clues but I was really lucky and found that I'd left myself a test harness in the client's folder fully set up to test the vulnerability. One of the other two was testing for a vulnerability I'd never heard of and couldn't find anything about on Google. I finally tracked down the original tester and it turns out there is a simple tool which tests for the issue and one command line script later the retest was over. 
The final issue was one that I knew about but had a really good write up that, even if I'd not heard of it, had a full walk through on how to reproduce the test.</description> </item> <item> <title>Part two of the exploiting RIP series, this time looking at RIPv2 and its authentication mechanisms.</title> <link>https://digi.ninja/blog/rip_v2.php</link> <guid>https://digi.ninja/blog/rip_v2.php</guid> <description>In part one of this series, Exploiting RIP, we set up a GNS3 lab with RIPv1 and managed to exploit it by injecting a fake route into the network. As a way to protect against this, RIPv2 can use authentication to try to stop unauthorised routes being added to the system. From what I've read, authentication was not added to RIPv2 as a security mechanism but as a way to prevent routes from accidentally being added when incorrectly configured routers are added to the network. In this post I'll work through changing the lab from version 1 to version 2 and then enabling the different levels of authentication. At each stage I will show weaknesses in the system and ways to abuse them.</description> </item> <item> <title>A Pipal analysis of the recent Tesco password disclosure.</title> <link>https://digi.ninja/projects/pipal.php#tesco</link> <guid>https://digi.ninja/projects/pipal.php#tesco</guid> <description>A Pipal analysis of the recent Tesco password disclosure.</description> </item> <item> <title>Write up of my efforts to track down what turned out to be an accidental DoS against my Gmail account.</title> <link>https://digi.ninja/blog/gmail_dos.php</link> <guid>https://digi.ninja/blog/gmail_dos.php</guid> <description>If anyone was watching my Twitter feed over the last few days you'll have seen me complaining about my Gmail account being down. It wasn't down completely, I could still access the web interface and read all old mails but hadn't had any new emails in since 4AM on Thursday. 
I have various other mail accounts, some Gmail, some not, so I tried sending myself mails from those accounts to see if things were broken or whether I had just become very unpopular. None of the mails got through. I also tested sending emails out and none of those worked either so there was definitely a problem. By Friday lunchtime I'd had a couple of mails but nothing much so I figured I'd better do some digging and get it fixed.</description> </item> <item> <title>Setting up a RIPv1 lab in GNS3 and then exploiting it to poison routes between two machines.</title> <link>https://digi.ninja/blog/rip_v1.php</link> <guid>https://digi.ninja/blog/rip_v1.php</guid> <description>In this lab I'm going to look at RIPv1, probably the most basic routing protocol. As with the VLAN labs I'm building this one in GNS3 and linking it to a VirtualBox machine running Debian. The plan is to build a network with three routers all using RIP to sync their routing information. I'll then use the attacking box to inject a fake route into the network and so divert traffic away from its real target. If you are not familiar with RIP, it is a hop-based system where each hop is a unit and traffic is routed across the shortest number of hops.</description> </item> <item> <title>Abusing Cisco Dynamic Trunking Protocol, DTP, to change a switch port from access to trunk mode to gain access to all VLAN traffic.</title> <link>https://digi.ninja/blog/abusing_dtp.php</link> <guid>https://digi.ninja/blog/abusing_dtp.php</guid> <description>In the first two parts of this dig into layer 2 I covered how to set up a lab using GNS3 and VirtualBox and then adding and interacting with VLANs. In this part I want to look at using Cisco's Dynamic Trunking Protocol - DTP - to change the state of a port from access mode to trunk mode to allow us to gain access to all the VLANs on the network. 
The previous link gives a more thorough overview of DTP but in summary, it is a protocol developed by Cisco to allow devices connected to a switch to negotiate whether they need their port to be in trunk or access mode. It is enabled by default on all ports, so an admin has to deliberately disable it to turn it off. Ports default to access mode, leaving devices such as switches, which need a trunk port, to request it. A port can be changed from one state to the other through a single DTP packet and there is no authentication, which makes it great for an attacker as you can easily switch your port to trunk mode on any switch which has DTP enabled.</description> </item> <item> <title>Adding VLANs to the GNS3/VirtualBox Lab</title> <link>https://digi.ninja/blog/gns_vbox_vlan_lab.php</link> <guid>https://digi.ninja/blog/gns_vbox_vlan_lab.php</guid> <description>Adding VLANs to the GNS3/VirtualBox Lab - In this post I show how to add VLANs to the lab and how to move between them on the switch. I then show what can happen if you get on to a trunk port and get to control your own VLAN tagging.</description> </item> <item> <title>Integrating GNS3 and VirtualBox - This is the first part of a series integrating GNS3 and VirtualBox to build a lab to play with layer 2 attacks</title> <link>https://digi.ninja/blog/gns_vbox_basic_lab.php</link> <guid>https://digi.ninja/blog/gns_vbox_basic_lab.php</guid> <description>Integrating GNS3 and VirtualBox - Having come from a development background rather than a sys-admin one, my knowledge of layer 2 is not as good as I'd like it to be so I've decided to do something about it. I've always been interested in VLANs and the idea of bypassing them so thought that would be a good place to start. This is the first part of a series building a lab to test out different layer 2 attacks.</description> </item> <item> <title>Sitemap2Proxy takes the sitemap published by a web app and requests each page through your specified proxy. 
This release adds response code stats to the output.</title> <link>https://digi.ninja/projects/sitemap2proxy.php</link> <guid>https://digi.ninja/projects/sitemap2proxy.php</guid> <description>Sitemap2Proxy takes the sitemap published by a web app and requests each page through your specified proxy. This release adds response code stats to the output.</description> </item> <item> <title>Building a lab with ModSecurity and DVWA.</title> <link>https://digi.ninja/blog/modsecurity_lab.php</link> <guid>https://digi.ninja/blog/modsecurity_lab.php</guid> <description>I've been meaning to build a ModSecurity lab for a while and seeing as I had some free time I decided it was about time to do it and to document it for everyone to share. The lab I built uses an up-to-date version of ModSecurity with a rule set taken from the SpiderLabs github repo and, so there is something to attack, I've included DVWA.</description> </item> <item> <title>Version 5.0 of CeWL adds proxy and basic/digest authentication support along with a few small bug fixes.</title> <link>https://digi.ninja/projects/cewl.php</link> <guid>https://digi.ninja/projects/cewl.php</guid> <description>Version 5.0 of CeWL adds proxy and basic/digest authentication support along with a few small bug fixes.</description> </item> <item> <title>Extract meta data from videos taken on iPhones.</title> <link>https://digi.ninja/projects/ivmeta.php</link> <guid>https://digi.ninja/projects/ivmeta.php</guid> <description>ivMeta is based on information in <a href="http://www.csitech.co.uk/iphone-video-metadata" rel="nofollow">this article on finding meta data in iPhone videos</a>. 
It will attempt to pull the following bits of information from an iPhone video: * Maker - should always be Apple * iOS Software version * Date video was taken * GPS co-ords where video was taken * Model of phone </description> </item> <item> <title>The second part of my introduction to using ZAP to test WebSockets, this part focuses on fuzzing.</title> <link>https://digi.ninja/blog/zap_fuzzing.php</link> <guid>https://digi.ninja/blog/zap_fuzzing.php</guid> <description>The following article is part two of my introduction to ZAP and testing WebSockets, in this episode I'll cover fuzzing. If you've not used ZAP before I suggest you look at some of the official tutorials first - ZAP home page, Videos. You can find my first part here OWASP ZAP and Web Sockets. The testing is being done against a small WebSockets based app I wrote called SocketToMe which has a few published services along with a few unpublished ones. In this article we are going to look at one of the published ones and try to identify some of the unpublished ones. The first feature I'll investigate is the number guessing game. Here the system picks a random number between 1 and 100 and you have to guess it. I'm going to cheat and see if I can get ZAP to play all 100 numbers for me to go for a quick win.</description> </item> <item> <title>I recently decided it was time to learn how to test WebSockets and so decided to take the opportunity to learn a bit about how ZAP works. This two-part blog post covers a brief intro to ZAP and how it interacts with WebSockets and then looks in depth at how to fuzz them.</title> <link>https://digi.ninja/blog/zap_web_sockets.php</link> <guid>https://digi.ninja/blog/zap_web_sockets.php</guid> <description>With the slow uptake of HTML5, WebSockets are going to start being seen in more and more applications so I figured I'd better learn how to test them before being put in front of them on a client test and having to learn as I went along. 
I figured the best way to do this was to build a very simple application then throw in a proxy and see what happened. Unfortunately my proxy of choice, Burp Suite, currently doesn't handle WebSockets so I had to look for one that did. The only one, and this is their claim, that does is the OWASP Zed Attack Proxy, or ZAP for short. I'd been meaning to learn how to use it for a while so this seemed like the perfect opportunity. If anything in here is wrong, please get in touch and I'll fix it, I'm learning as I go along so may well be doing the odd thing wrong however it does all seem to work. I started by writing a small WebSocket based app which I called SocketToMe which has a few basic services, chat, a number guess game and a couple of other features. I figured I'd start with interception then have a look at fuzzing.</description> </item> <item> <title>A WebSocket based application which goes along side the blog post on ZAP and WebSockets.</title> <link>https://digi.ninja/projects/sockettome.php</link> <guid>https://digi.ninja/projects/sockettome.php</guid> <description>SocketToMe is a little application I wrote to go along with my blog post on testing WebSockets. It combines chat, a simple number guessing game and a few other hidden features. The app is in two parts, the WebSocket app and a web page to access it. 
The whole lot is written in PHP and is the first WebSocket work I've done so don't look on it as an example of how to do things.</description> </item> <item> <title>Pipal now has a modular structure allowing you to write your own Checkers and Splitters, this is a brief introduction to how they both work.</title> <link>https://digi.ninja/blog/pipal_goes_modular.php</link> <guid>https://digi.ninja/blog/pipal_goes_modular.php</guid> <description>Pipal now has a modular structure allowing you to write your own Checkers and Splitters, this is a brief introduction to how they both work.</description> </item> <item> <title>A proof of concept application which takes observed key presses and generates a list of potential passwords.</title> <link>https://digi.ninja/projects/pat_to_pass.php</link> <guid>https://digi.ninja/projects/pat_to_pass.php</guid> <description>This month's BruCON 5x5 project came from an idea sent to me by a friend after I released <a href="https://digi.ninja/projects/passpat.php">Passpat</a>. Passpat takes passwords and tries to find keyboard patterns in them, Pat to Pass is almost the opposite, it takes observed key presses and tries to convert them to potential passwords. The project in its current state is more a proof of concept and sample code which hopefully can be taken forward to be turned into something practical by someone who has better skills at handling very large lists of data.</description> </item> <item> <title>Enumerating shares on the SpiderOak network.</title> <link>https://digi.ninja/projects/spidering_spideroak.php</link> <guid>https://digi.ninja/projects/spidering_spideroak.php</guid> <description>Spidering SpiderOak - By looking at the differences between responses it is possible to enumerate valid account names and then shares on the SpiderOak network. 
This post covers how I researched this, the findings and how it could be fixed.</description> </item> <item> <title>A companion tool to Pipal which can spot keyboard patterns in password lists.</title> <link>https://digi.ninja/projects/passpat.php</link> <guid>https://digi.ninja/projects/passpat.php</guid> <description>It is generally accepted that most passwords in common use are based on dictionary words however, some people decide to use keyboard patterns instead and to try to spot these I've created Passpat. Passpat uses data files containing the layouts of common keyboards to walk each word through the keyboard and score the word based on how close it is to being a pattern. For now I'm taking pattern to mean keys which are next to each other, while qpalzm is a pattern picking something like that up is currently out of the scope of this project.</description> </item> <item> <title>A simple script to create files containing binary data.</title> <link>https://digi.ninja/projects/bin_gen.php</link> <guid>https://digi.ninja/projects/bin_gen.php</guid> <description>While working on a new project I needed a way to create files containing binary data which I could control, for example all bytes from 0 to 255 in order or just a block of 10 0x03's, so I wrote bin_gen. There are loads of other ways to do this, especially in Linux, but for me this is quick and easy and I don't have to think to use it.</description> </item> <item> <title>Using Google Analytics tracking codes to find relationships between domains.</title> <link>https://digi.ninja/projects/tracker_tracking.php</link> <guid>https://digi.ninja/projects/tracker_tracking.php</guid> <description>When doing reconnaissance on clients it is often useful to try to identify other websites or companies who are related to your target. One way to do this is to look at who is managing the Google Analytics traffic for them and then find who else they manage. 
There are a few online services which do this, probably the best known being ewhois, but whenever you use someone else's resources you are at their mercy over things like accuracy of the data and coverage, and if you are working for a small client who hasn't been scanned by them you won't get any results at all. This is where my tracker tracking tool comes in. The tool is in two parts, the first uses the power of the nmap engine to scan all the domains you are interested in and pull back tracking codes, these are then output in the standard nmap format along with the page title. I've then written a second script which takes the output and generates a grouped and sorted CSV file which you can then analyse.</description> </item> <item> <title>How I'm going to spend my share of the 25,000 euro BruCON 5x5 cash.</title> <link>https://digi.ninja/blog/brucon_5x5.php</link> <guid>https://digi.ninja/blog/brucon_5x5.php</guid> <description>During BruCON 2012 the organisers announced a very generous competition, they had collected 25,000 euro and were going to offer it in 5k euro chunks to five lucky hackers. The condition was you had to submit a proposal saying why you needed the cash. You can read more about it on the BruCON Blog. 
I'm very pleased to say that I was one of the chosen hackers so want to document what I'm going to do with my share of the cash.</description> </item> <item> <title>Abusing a DDNS service to find IP cameras around the world.</title> <link>https://digi.ninja/projects/ip_camera_finder.php</link> <guid>https://digi.ninja/projects/ip_camera_finder.php</guid> <description>When I bought an IP camera to watch my daughter's cot I didn't expect to end up writing tools to find others around the world, I also didn't expect it to be so poorly secured.</description> </item> <item> <title>An idea for a report writing competition</title> <link>https://digi.ninja/blog/report_writing_comp.php</link> <guid>https://digi.ninja/blog/report_writing_comp.php</guid> <description>A lot of conferences have CTFs but how about testing people's report writing skills as well? This post contains some ideas I've had to run a competition which would test report writing skills.</description> </item> <item> <title>A Metasploit module for enumerating directories and files through MySQL</title> <link>https://digi.ninja/metasploit/mysql_file_enum.php</link> <guid>https://digi.ninja/metasploit/mysql_file_enum.php</guid> <description>Tim Tomes wrote a blog post on enumerating directories and files through a MySQL connection, this module automates that process.</description> </item> <item> <title>DNS reconnaissance against wildcard domains</title> <link>https://digi.ninja/blog/dns_wildcard_recon.php</link> <guid>https://digi.ninja/blog/dns_wildcard_recon.php</guid> <description>I recently did a test against a company and in the debrief they asked how I managed to enumerate so many of their subdomains as they were using a wildcard DNS setup and the previous tester had commented that it prevented DNS enumeration. 
When I explained to them how the wildcard only obscured valid domains they had a few choice words for the previous tester and I figured it would make a nice little blog post.</description> </item> <item> <title>A story about Hakin9, the kings of spam</title> <link>https://digi.ninja/blog/hakin9_spam_kings.php</link> <guid>https://digi.ninja/blog/hakin9_spam_kings.php</guid> <description>About once a fortnight I get a request to write an article for Hakin9 or one of its sister publications, this article details my attempts to stop this spam.</description> </item> <item> <title>A review of the Corelan Live Win32 Exploit Dev Bootcamp</title> <link>https://digi.ninja/blog/corelan.php</link> <guid>https://digi.ninja/blog/corelan.php</guid> <description>I've just got back from BruCON 2012 where I started the week with the Corelan Live - Win32 Exploit Development Bootcamp. A lot of people asked about the course and what it covered so I've put this together.</description> </item> <item> <title>Extract all URLs from a sitemap.xml file and request them through a proxy of your choosing.</title> <link>https://digi.ninja/projects/sitemap2proxy.php</link> <guid>https://digi.ninja/projects/sitemap2proxy.php</guid> <description>When doing a web app test you usually end up spidering the site you are testing, but what if the site could tell you most of that without you going hunting for it? Bring on sitemap.xml, a file used by a lot of sites to tell spiders, like Google, all about their content. This script takes that file and parses it to extract all the URLs then requests each one through your proxy of choice (Burp, ZAP, etc). Now this won't find anything that isn't mentioned in the file and it won't do any brute forcing but it is a nice way to identify all the pages on the site that the admins want you to know about. 
</description> </item> <item> <title>Version 4.3 of CeWL adds result sorting by word count, with optional display of the count, also various bug fixes.</title> <link>https://digi.ninja/projects/cewl.php</link> <guid>https://digi.ninja/projects/cewl.php</guid> <description>Version 4.3 of CeWL adds result sorting by word count, with optional display of the count, also various bug fixes.</description> </item> <item> <title>Hostapd Karma patches updated to hostapd version 1.0</title> <link>https://digi.ninja/karma/</link> <guid>https://digi.ninja/karma/</guid> <description>Hostapd was recently updated to version 1.0 so I've brought the Karma patches up-to-date. This release contains a fully patched source tarball and a patch file if you want to apply it to your own source. I've also added a mention of the hostapd_cli app which you can use to control hostapd once it is running.</description> </item> <item> <title>Are signs of the zodiac used as passwords?</title> <link>https://digi.ninja/blog/zodiac_passwords.php</link> <guid>https://digi.ninja/blog/zodiac_passwords.php</guid> <description>I was wondering why dragon and monkey come up so often in Pipal analysis of password lists and it got me wondering if it was to do with Chinese signs of the zodiac so just as an experiment I've just added checking for both Western and Chinese zodiac signs to Pipal. I ran it against the 1 million eHarmony passwords I've got and it looks like they do play a small part in some people passwords.</description> </item> <item> <title>Did you know Linux groups can have passwords?</title> <link>https://digi.ninja/blog/group_password.php</link> <guid>https://digi.ninja/blog/group_password.php</guid> <description>Did you know Linux groups can have passwords? 
I didn't but I do now, this is how you set them up.</description> </item> <item> <title>Custom word list generator based on tweets</title> <link>https://digi.ninja/projects/twofi.php</link> <guid>https://digi.ninja/projects/twofi.php</guid> <description>Twofi takes keywords and usernames and collects tweets based on these terms. It then extracts individual words and uses them to create a custom word list.</description> </item> <item> <title>Are secure web frameworks reducing long term security?</title> <link>https://digi.ninja/blog/web_frameworks.php</link> <guid>https://digi.ninja/blog/web_frameworks.php</guid> <description>Are secure web frameworks reducing long term security? Why I think developers should always think about security, even when someone else is taking care of it for them.</description> </item> <item> <title>Version 4.2 of CeWL which fixes a major problem found in the spider I'm using.</title> <link>https://digi.ninja/projects/cewl.php</link> <guid>https://digi.ninja/projects/cewl.php</guid> <description>Turns out that the spider I'm using for CeWL only checks for links in anchor tags where the href uses double quotes which means some links will have been missed. This release fixes that bug and adds the ability to do a depth of 0 search which lets you scan a single page.</description> </item> <item> <title>This is part two of my write up of the findings from the Breaking In survey.</title> <link>https://digi.ninja/projects/breaking_in_part_2.php</link> <guid>https://digi.ninja/projects/breaking_in_part_2.php</guid> <description>The second part of my write up of the conclusions I've taken from my Breaking In data. 
This part looks at the qualitative answers given which give some meaning behind some of the stats.</description> </item> <item> <title>This is part one of my write up of the findings from the Breaking In survey.</title> <link>https://digi.ninja/projects/breaking_in_part_1.php</link> <guid>https://digi.ninja/projects/breaking_in_part_1.php</guid> <description>This post, along with part two coming soon, is an accompaniment to my BSides slides and the raw data which I published the other day. Here I try to summarise the results and add my commentary to them.</description> </item> <item> <title>My slides for my BSides London talk on Breaking in to Security</title> <link>https://digi.ninja/projects/breaking_in_bsides.php</link> <guid>https://digi.ninja/projects/breaking_in_bsides.php</guid> <description>At BSides London I presented the findings from the Breaking in to Security survey, here are my slides and a link to the data collected so far.</description> </item> <item> <title>A set of interim results from my survey, how do I get started in security?</title> <link>https://digi.ninja/projects/breaking_in_interim.php</link> <guid>https://digi.ninja/projects/breaking_in_interim.php</guid> <description>Seeing as I had over 200 responses to the "Breaking In" survey in just 5 days I've plucked out a couple of interesting stats from the responses and posted them to whet your appetite.</description> </item> <item> <title>A copy of my slides from OWASP Leeds covering the perils of autoconfiguring web cams with a bonus set presenting 'Whats in Amazon's buckets'</title> <link>https://digi.ninja/blog/owasp_leeds.php</link> <guid>https://digi.ninja/blog/owasp_leeds.php</guid> <description>The story of how I analysed a new IP web camera and found how it automatically tried to punch a hole through my firewall and register itself with a dynamic DNS server to tell the world it was there. 
The slides also contain a bonus talk covering my blog post and project on 'Whats in Amazon's buckets'</description> </item> <item> <title>Ever wanted to ask, or help answer the question, how do I get started in security?</title> <link>https://digi.ninja/projects/breaking_in_1.php</link> <guid>https://digi.ninja/projects/breaking_in_1.php</guid> <description>This is my attempt to collect enough data to be able to answer the eternal question, 'How do I get started in Information Security?'. I've put together a questionnaire which I'll summarise the answers from and hopefully present at conferences and also summarise here on the site.</description> </item> <item> <title>A domain set up to help teach and explain DNS zone transfers.</title> <link>https://digi.ninja/projects/zonetransferme.php</link> <guid>https://digi.ninja/projects/zonetransferme.php</guid> <description>Ever found yourself in a position where you have to teach or explain DNS zone transfers but not had a domain to run the transfer on? This domain is set up to allow transfers and contains plenty of information to work with. I've also explained how I would interpret the information.</description> </item> <item> <title>Pipal is a password analysis tool</title> <link>https://digi.ninja/projects/pipal.php</link> <guid>https://digi.ninja/projects/pipal.php</guid> <description>Pipal analyses a cracked password list to help analysts spot patterns. 
Stats are generated on everything from the different lengths to the character types to the words that other words are based on.</description> </item> <item> <title>How I found the CHECK Team Leader Web Application exam</title> <link>https://digi.ninja/blog/check_ctl.php</link> <guid>https://digi.ninja/blog/check_ctl.php</guid> <description>A write up on my experiences taking, and passing, the CHECK Team Leader Web App Exam</description> </item> <item> <title>A description of the different attack modes in Burp Intruder</title> <link>https://digi.ninja/blog/burp_intruder_types.php</link> <guid>https://digi.ninja/blog/burp_intruder_types.php</guid> <description>Burp Intruder has four different attack modes, this post shows the differences between those four modes.</description> </item> <item> <title>Using decompression to avoid filters</title> <link>https://digi.ninja/blog/compress_filter_avoidance.php</link> <guid>https://digi.ninja/blog/compress_filter_avoidance.php</guid> <description>Using decompression to avoid filters - Decompressing data to get it past filters such as IDS.</description> </item> <item> <title>An application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.</title> <link>https://digi.ninja/projects/fdb.php</link> <guid>https://digi.ninja/projects/fdb.php</guid> <description>File Disclosure Browser, an application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.</description> </item> <item> <title>CeWL Version 4</title> <link>https://digi.ninja/projects/cewl.php</link> <guid>https://digi.ninja/projects/cewl.php</guid> <description>An upgrade to Ruby version 1.9 and fixes to work with BackTrack 5.</description> </item> <item> <title>Wifi Honey</title> <link>https://digi.ninja/projects/wifi_honey.php</link> <guid>https://digi.ninja/projects/wifi_honey.php</guid> <description>Automation of setting up a bunch of APs and airodump-ng to work out what encryption a client is probing 
for.</description> </item> <item> <title>Analysing Mobile Me</title> <link>https://digi.ninja/blog/analysing_mobile_me.php</link> <guid>https://digi.ninja/blog/analysing_mobile_me.php</guid> <description>Analysis of the content I found when trawling Mobile Me accounts looking for public information.</description> </item> <item> <title>Mobile Me Madness</title> <link>https://digi.ninja/blog/mobile_me_madness.php</link> <guid>https://digi.ninja/blog/mobile_me_madness.php</guid> <description>A brief description of how Mobile Me allows access to its file listings and how to interpret them.</description> </item> <item> <title>A tool to brute force user accounts on Mobile Me</title> <link>https://digi.ninja/projects/me_finder.php</link> <guid>https://digi.ninja/projects/me_finder.php</guid> <description>This tool will brute force user accounts with Mobile Me and then enumerate files associated with any public accounts found.</description> </item> <item> <title>Analysing Amazons Buckets</title> <link>https://digi.ninja/blog/analysing_amazons_buckets.php</link> <guid>https://digi.ninja/blog/analysing_amazons_buckets.php</guid> <description>Analysis of the content I found when trawling Amazon's buckets looking for public information.</description> </item> <item> <title>Whats in Amazon's buckets?</title> <link>https://digi.ninja/blog/whats_in_amazons_buckets.php</link> <guid>https://digi.ninja/blog/whats_in_amazons_buckets.php</guid> <description>The description of how I wrote a tool to brute force bucket names from the Amazon S3 system and then take it a step further.</description> </item> <item> <title>A tool to brute force bucket names from Amazon S3</title> <link>https://digi.ninja/projects/bucket_finder.php</link> <guid>https://digi.ninja/projects/bucket_finder.php</guid> <description>This tool will brute force bucket names from Amazon's S3 system and then enumerate files associated with any public buckets found.</description> </item> <item> <title>Going to WAR on 
Tomcat with Laundanum</title> <link>https://digi.ninja/blog/tomcat_laundanum.php</link> <guid>https://digi.ninja/blog/tomcat_laundanum.php</guid> <description>Going to WAR on Tomcat with Laundanum - A short how to on using Laundanum to attack Tomcat servers and how to setup a lab to try it at home.</description> </item> <item> <title>An update to my script to mine data out of Google Profiles</title> <link>https://digi.ninja/projects/gpscan.php</link> <guid>https://digi.ninja/projects/gpscan.php</guid> <description>Google Profile scraping can be used a part of recon work to gather staff lists, this script automates that process</description> </item> <item> <title>A little trick to extract stored FTP details</title> <link>https://digi.ninja/blog/cleartext_creds.php</link> <guid>https://digi.ninja/blog/cleartext_creds.php</guid> <description>A little trick to extract stored FTP details by setting up a fake server then capturing the clear text.</description> </item> <item> <title>Double tunnels to help a colleague in distress.</title> <link>https://digi.ninja/blog/double_tunnel.php</link> <guid>https://digi.ninja/blog/double_tunnel.php</guid> <description>Double tunnels to help a colleague in distress - Setting up SSH tunnels to allow external access to an internal network.</description> </item> <item> <title>Tiger Scheme Check Team Member Exam - A review of the Check Team Member exam.</title> <link>https://digi.ninja/blog/tiger_ctm.php</link> <guid>https://digi.ninja/blog/tiger_ctm.php</guid> <description>Tiger Scheme Check Team Member Exam - A review of the Check Team Member exam.</description> </item> <item> <title>A Meterpreter script to download wireless profiles from Windows 7 and Vista boxes.</title> <link>https://digi.ninja/metasploit/getwlanprofiles.php</link> <guid>https://digi.ninja/metasploit/getwlanprofiles.php</guid> <description>A Meterpreter script to download wireless profiles from Windows 7 and Vista boxes.</description> </item> <item> <title>A short 
script to do frequency analysis on lines in a file.</title> <link>https://digi.ninja/projects/counter.php</link> <guid>https://digi.ninja/projects/counter.php</guid> <description>A short script to do frequency analysis on lines in a file, specifically designed for password reuse analysis.</description> </item> <item> <title>When All You Can Do Is Read.</title> <link>https://digi.ninja/blog/when_all_you_can_do_is_read.php</link> <guid>https://digi.ninja/blog/when_all_you_can_do_is_read.php</guid> <description>A look at what files are good to try to read when all you have is read only access to a machine, i.e. no directory listing ability.</description> </item> <item> <title>Nessus Through SOCKS Through Meterpreter.</title> <link>https://digi.ninja/blog/nessus_over_sock4a_over_msf.php</link> <guid>https://digi.ninja/blog/nessus_over_sock4a_over_msf.php</guid> <description>Running a Nessus scan through a Meterpreter pivot using a SOCKS4 Proxy.</description> </item> <item> <title>A modular brute force tool currently supporting HTTP(S), MySQL and SSH.</title> <link>https://digi.ninja/projects/rsyaba.php</link> <guid>https://digi.ninja/projects/rsyaba.php</guid> <description>A modular brute force tool currently supporting HTTP(S), MySQL and SSH. 
Written in Ruby and designed to be easily extendable by using off-the-shelf protocol libraries.</description> </item> <item> <title>HTTP Banner Grabbing Beyond The Root</title> <link>https://digi.ninja/blog/http_banner_grab_dir.php</link> <guid>https://digi.ninja/blog/http_banner_grab_dir.php</guid> <description>HTTP banner grabbing beyond the root: where do you do your web banner grabbing?</description> </item> <item> <title>Viewing Pages documents in Linux</title> <link>https://digi.ninja/blog/pages_linux.php</link> <guid>https://digi.ninja/blog/pages_linux.php</guid> <description>Viewing Pages documents in Linux - A short shell script to display a document created in Pages in Linux</description> </item> <item> <title>Do you have a second-hand Trojan in your pocket?</title> <link>https://digi.ninja/blog/pocket_trojan.php</link> <guid>https://digi.ninja/blog/pocket_trojan.php</guid> <description>The Trojan in your pocket - Do you know what your phone is doing?</description> </item> <item> <title>A custom wordlist generator with a twist.</title> <link>https://digi.ninja/projects/rsmangler.php</link> <guid>https://digi.ninja/projects/rsmangler.php</guid> <description>A custom wordlist generator that creates permutations of all the input words as well as just manipulating them individually</description> </item> <item> <title>A Metasploit module to accompany my blog post on finding interesting data in MSSQL databases.</title> <link>https://digi.ninja/metasploit/mssql_idf.php</link> <guid>https://digi.ninja/metasploit/mssql_idf.php</guid> <description>A Metasploit module to accompany my blog post on finding interesting data in MSSQL databases.</description> </item> <item> <title>Automating searching through MSSQL databases for interesting data.</title> <link>https://digi.ninja/blog/finding_interesting_db_data.php</link> <guid>https://digi.ninja/blog/finding_interesting_db_data.php</guid> <description>Automating looking through MSSQL databases to find interesting-sounding column names. Once found, it automatically pulls back some sample data to give a feel for whether it is worth investigating.</description> </item>
<item> <title>This scan result beats any I've seen from Nessus, Nikto or Nmap</title> <link>https://digi.ninja/blog/ultrasound.php</link> <guid>https://digi.ninja/blog/ultrasound.php</guid> <description>This scan result beats any I've seen from Nessus, Nikto or Nmap. I'm going to be a daddy!</description> </item> <item> <title>Karma comes into the modern age with patches for hostapd.</title> <link>https://digi.ninja/karma/index.php</link> <guid>https://digi.ninja/karma/index.php</guid> <description>Karma was originally written for Madwifi and I then updated it to work with Madwifi-ng. This update adds the same functionality to hostapd.</description> </item> <item> <title>A pair of Metasploit modules to do a DHCP exhaustion attack and then act as a DNS MiTM.</title> <link>https://digi.ninja/metasploit/dns_dhcp.php</link> <guid>https://digi.ninja/metasploit/dns_dhcp.php</guid> <description>My DHCP and DNS Metasploit attack modules, now fixed up to work with Ruby 1.9.x</description> </item> <item> <title>Convert Nessus v2 reports to CSV for easier manipulation and reporting.</title> <link>https://digi.ninja/projects/nexcser.php</link> <guid>https://digi.ninja/projects/nexcser.php</guid> <description>Converts Nessus v2 reports to various CSV files to help with reporting and continued scanning.</description> </item> <item> <title>Kismet log manipulation with GISKismet</title> <link>https://digi.ninja/blog/giskismet_ignore_gps.php</link> <guid>https://digi.ninja/blog/giskismet_ignore_gps.php</guid> <description>A patch to GISKismet so it will import Kismet data that doesn't include GPS positions.</description> </item> <item> <title>Updated Metasploit sound module</title> <link>https://digi.ninja/metasploit/session_created.php</link> <guid>https://digi.ninja/metasploit/session_created.php</guid> <description>Now with added
verbosity: it reads out the IP address and port of connecting clients.</description> </item> <item> <title>Metasploit DNS MiTM and DHCP Exhaustion modules</title> <link>https://digi.ninja/metasploit/dns_dhcp_beta.php</link> <guid>https://digi.ninja/metasploit/dns_dhcp_beta.php</guid> <description>I've updated these to run with the latest version of Metasploit.</description> </item> <item> <title>OSSEC rules for handling Kismet alert files</title> <link>https://digi.ninja/projects/ossec_kismet_rules.php</link> <guid>https://digi.ninja/projects/ossec_kismet_rules.php</guid> <description>Handle alerts generated by Kismet Newcore in OSSEC.</description> </item> <item> <title>Convert a CSV file to an OSSEC rules file</title> <link>https://digi.ninja/projects/ossec_rule_converter.php</link> <guid>https://digi.ninja/projects/ossec_rule_converter.php</guid> <description>Save the effort of having to keep an XML file up to date: create your rules in a spreadsheet, then convert them to XML with my app.</description> </item> <item> <title>What's behind the door?</title> <link>https://digi.ninja/blog/door.php</link> <guid>https://digi.ninja/blog/door.php</guid> <description>I really want to know what is behind this door.</description> </item> <item> <title>Don't just see on screen that you've got a new Metasploit session, be told by a nice lady.</title> <link>https://digi.ninja/metasploit/session_created.php</link> <guid>https://digi.ninja/metasploit/session_created.php</guid> <description>A patch for Metasploit to have it play a wav file telling you a new session has been created.
Similar to the Core 'Agent Deployed'.</description> </item> <item> <title>Would you give out your password?</title> <link>https://digi.ninja/blog/password_experiment.php</link> <guid>https://digi.ninja/blog/password_experiment.php</guid> <description>A write-up of an experiment where I asked a class to give me their passwords.</description> </item> <item> <title>CeWL Version 3</title> <link>https://digi.ninja/projects/cewl.php</link> <guid>https://digi.ninja/projects/cewl.php</guid> <description>Now with JS redirect checking and a bug fix for an issue I found in the Ruby spider gem</description> </item> <item> <title>Calc IP Range</title> <link>https://digi.ninja/projects/calc_ip_range.php</link> <guid>https://digi.ninja/projects/calc_ip_range.php</guid> <description>Given an IP address, calculate the top and bottom of its available subnet range</description> </item> <item> <title>#secvidofday</title> <link>https://digi.ninja/blog/secvidofday.php</link> <guid>https://digi.ninja/blog/secvidofday.php</guid> <description>What is #secvidofday and why am I doing it?</description> </item> <item> <title>My AP Collection</title> <link>https://digi.ninja/blog/ap_collection.php</link> <guid>https://digi.ninja/blog/ap_collection.php</guid> <description>I'm going to be doing some AP testing and this is a small part of the collection.</description> </item> <item> <title>Releasing KreiosC2 version 3</title> <link>https://digi.ninja/kreiosc2/</link> <guid>https://digi.ninja/kreiosc2/</guid> <description>KreiosC2 can now channel data over TinyURL and JPEG as well as the original Twitter.</description> </item> <item> <title>The start of the PenTester Scripting project</title> <link>https://digi.ninja/blog/pentester_scripting.php</link> <guid>https://digi.ninja/blog/pentester_scripting.php</guid> <description>How I got involved in yet another new project, this time the PenTester Scripting community wiki</description> </item> <item> <title>Metasploit DNS MiTM and DHCP Exhaustion
modules</title> <link>https://digi.ninja/metasploit/dns_dhcp_beta.php</link> <guid>https://digi.ninja/metasploit/dns_dhcp_beta.php</guid> <description>Two new beta Metasploit modules, one for DNS MiTM and one for DHCP Exhaustion attacks</description> </item> <item> <title>Cool new Micro SD reader</title> <link>https://digi.ninja/blog/microsd.php</link> <guid>https://digi.ninja/blog/microsd.php</guid> <description>This Micro SD reader is so small it is only just larger than the USB connector it is built on</description> </item> <item> <title>New KreiosC2 language pack</title> <link>https://digi.ninja/projects/kreiosc2.php#download</link> <guid>https://digi.ninja/projects/kreiosc2.php#download</guid> <description>Split KreiosC2 commands over multiple tweets, a very simple example language</description> </item> <item> <title>Blindly Installing VMs and Using Live CDs</title> <link>https://digi.ninja/blog.php</link> <guid>https://digi.ninja/blog.php</guid> <description>Do you know what the VM or live CD you have just downloaded really contains and if you don't, how do you find out?</description> </item> <item> <title>KreiosC2 released</title> <link>https://digi.ninja/</link> <guid>https://digi.ninja/</guid> <description>Launching KreiosC2, version 2 of Twitterbot with new name and new dynamic language options</description> </item> <item> <title>New site launched</title> <link>https://digi.ninja/</link> <guid>https://digi.ninja/</guid> <description>I've finally got round to styling the new site</description> </item> </channel> </rss>