installing unicornscan on debian/ubuntu

Looking back, I can’t remember a time where I used Nmap to perform UDP port scans. Pentesters are far too impatient to spend hours waiting for a UDP scan to finish in the hope of finding some badly configured service. Which is why I found it odd when I received a message saying “why do UDP scans take hours?

It never occurred to me that this poor dude was staring at the screen, Nmap torturing him every 30 seconds by telling him he won’t be done with this machine any time this week. I told him about this gem of a payload transmitter that just also happened to be an epic UDP port scanner, largely forgotten since the sad departure of the late Jack C. Louis. And seeing as this was a client supplied ‘jump-box’ and not something handy like Kali, I decided to take a crack at installing and showing the tester good ol’ unicornscan. (I didn’t realise installing unicornscan would take longer than the Nmap UDP … read more

data exfiltration over SSL with srvdir

Every now and then I come across some application that may or may not have been developed with penetration testing in mind but it ends up being damn helpful all the same. Yesterday I found a post about ‘srvdir‘ (surv~durr?) which is designed to share content over SSL/TLS via a public site.

When trying to exfiltrate data from a client site I normally spend a lot of time setting up tunnels, using disposable A records from and one of my boxes in some east-european cave just so I can get the damn ‘payroll-summary-june-2014.pdf’ trophy off some box that is swimming in ssh-tunnel-fu. srvdir is the perfect answer to this problem and testing it has been awesome and full of those “Why didn’t I think of this?!!” rants.

Essentially, what srvdir does is to create a SSL tunnel to the mothership ‘’ and issue a subdomain that can be accessed externally to siphon the files off. Grabbing files is relatively painless with the odd 404 for the permission snobs. … read more

build a heartbleed test lab in 5 minutes

Lets be clear, I’m all about the offensive side of information security. I’m a pentester and I enjoy popping, rooting, owning and pwning all the things. I am aware that what we do is there to assist and encourage better defensive countermeasures but I just leave that to the experts. My colleague sitting nearby has the more unfortunate “defensive” job consisting of writing detections for all the evil things I do.

post exploitation: finding passwords in haystacks

Often while conducting an internal pentest you may gain access to a user machine through some vulnerability or more commonly via social engineering. Let’s say that you pop a shell, unprivileged, and incognito only finds unprivileged domain tokens. You could move onto another target or you can try some post exploitation reconnaissance. A commonly overlooked source of sensitive information is documents that are stored on the company servers as well as staff who think they know enough to start sharing folders with their peers and end up sharing the root of ‘C’. These can be a fantastic source of juicy info if you know how to index and then search through them effectively.