GrrCon 2016 OSINT CTF

Aside from the great speakers and free beer, one of my favorite things about GrrCon is that everything is so hands-on and interactive for all types of skill levels. I got to pick various locks, try and pwn some IoT light bulbs, and even compete in CG Silvers' Open Source Intelligence (OSINT) capture the flag competition, where our team “ramrod” took 1st place!!! The contest: 2 real human targets. No paid search services can be used.

Reconnaissance and Footprinting

Reconnaissance and footprinting is the primary phase of the ethical hacking process. Although this phase does not constitute breaking into a network or system, it is still fun and quite possibly the most important. I will discuss some of the tools and techniques I use for actively and passively footprinting a target during the reconnaissance phase of a penetration test. Of course, this will be very top level and not inclusive of all the techniques used to recon and footprint a target.

Hacking and Penetration Testing

Certified Ethical Hacker (CEH). It is time to get back to the basics of hacking. It’s tough to be in a security position and admit that you don’t know EVERYTHING about security and penetration testing. The sooner this notion is accepted, the sooner new concepts can be learned, and old concepts can be further stored into long-term memory. Most of what will be described in this post is simply review, since technically this should already be known prior to starting a CEH training program, but I know I can gain a better understanding and strengthen core concepts by touching on a few important topics.

Paving the road to certifiably hacking “ethically”

Becoming a Certified Ethical Hacker. Lately I have been having thoughts of studying for my first infosec industry certification. Being that it is now July 2015 and we are in the middle of the security “conference season”, I find that I am missing a few acronyms on my business card when I attempt to network with others in the field. With so many people I meet possessing recognizable and respected certifications such as CISSP, Security+, CASP, or CEH… it is tough to stand out on paper among the hordes of “industry certified” security professionals.

2014 SANS Holiday Hacking Carol

Every year, the SANS Institute hosts a holiday hacking challenge open to any and all who want to participate. This year I decided to hop on board after @n3tl0kr from our #MISEC crew sent out the following tweet: So I decided that, with my time off work and no classes to keep me occupied, I should try to keep my skills sharp and see how far I could get.

Scan and Fix Unquoted Service Path Vulnerability with PowerShell

As many security experts and system administrators are aware, Microsoft has really dropped the ball in addressing a decade-old flaw in the way the Windows API handles service paths… What amazes me is how prevalent this issue still is and how easy it is for any common script kiddie to elevate privileges and gain a foothold in your system. I will discuss the vulnerability and how I scanned for and remediated vulnerable systems using Windows PowerShell.

Powershell Incident Response Scripts

During the past few months I have been rather quiet with my online presence, mainly due to my professional life becoming more and more demanding, thus not leaving time to blog about my experiences. Even though I have not been sharing any experiences with the online community, I have been working diligently on leveraging PowerShell as an incident response tool. I want to share a scenario in which I used PowerShell scripts to gather info, determine a scope, and begin remediation for a particular security-related incident with a client out of the country.

Cryptoviral Extortion: Malicious Encryption Exploited for Monetary Gain

“Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill… yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege.” — “A Thinking Man’s Creed for Crypto”, Vin McLellan. There is a certain level of sophistication and status surrounding the cryptography field.

Part I: Powershell Multithreading: Asynchronous Network and Host Discovery Scanner

Part I of my Get-SecNetMap “Mini-Module”: Get-SecNetMap (this post), Get-SecPortScan, Get-SecIPRange, Convert-SecIPAddress, Get-SecArpTable. A Quick Word about PowerShell + Multithreading: at the time of this post, it has been just over a year since I started using PowerShell as my “go-to” scripting language. As my skills developed and my scripts became more robust, I now see that what has been lacking in my PowerShell journey was true performance metering.

Part II: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner

Part II of my Get-SecNetMap “Mini-Module”: Get-SecNetMap, Get-SecPortScan (this post), Get-SecIPRange, Convert-SecIPAddress, Get-SecArpTable. You can download the module source files here: Get-SecPortScan is unique in that it can scan a target host for many ports at once. This is done by using .NET runspaces in PowerShell. This script will target a host and throw many asynchronous TCP socket connections over various ports, either specified by the user or using the default top ports.

Part III: Powershell Multithreading – Asynchronous Network and Host Discovery Scanner

Part III of my Get-SecNetMap “Mini-Module”: Get-SecNetMap, Get-SecPortScan, Get-SecIPRange (this post), Convert-SecIPAddress, Get-SecArpTable. You can download the module source files here: Get-SecIPRange is designed to enumerate all IP addresses within a given range. I have intentionally coded this to support a max range of 65534 addresses (a /16 CIDR) because seriously, who needs to scan a range that large. Anyway, this function will loop through only the third and fourth octets of an IP address range to determine each address in the range for scanning.

Part IV: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner

Part IV of my Get-SecNetMap “Mini-Module”: Get-SecNetMap, Get-SecPortScan, Get-SecIPRange, Convert-SecIPAddress (this post), Get-SecArpTable. You can download the module source files here: The Convert-SecIPAddress function is actually pretty cool. I was able to use mathematics learned from my cryptography courses during my undergrad to convert an IP address to an integer and vice versa. It is performance optimized and has support for long integers, which is where most of the errors I had during development were.

Part V: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner

Part V of my Get-SecNetMap “Mini-Module”: Get-SecNetMap, Get-SecPortScan, Get-SecIPRange, Convert-SecIPAddress, Get-SecArpTable (this post). You can download the module source files here: Get-SecArpTable is more or less a framework surrounding the already existing executable ARP.exe. The only issue with simply calling ARP.exe in your scripts is that the output is all strings. This function is designed to parse the output of the ARP table and return a PSObject so that it can be used in scripts and other functions more easily.

Powershell Simple Substitution Cipher

Another assignment from my Cryptography course in my undergrad was to develop our own PowerShell simple substitution cipher programmatically. This code is merely a framework to provide any type of substitution key you want. I wanted to do a custom cipher to allow a bit more security (though any security expert knows that substitution ciphers are highly crackable)… though, it is still better than clear-text at least…

Factoring Prime numbers with Java

This was an assignment from a cryptography class during my undergrad. This mainly assisted in decrypting a low-bit RSA algorithm but can be used for any purpose. Essentially it will loop through and perform some mod calculations to figure out the prime factors in the specified range. The three algorithms are used to show that even if a number doesn’t seem to be prime at first, it could be a prime number used in an encryption algorithm.


Crafting the “Perfect” WordList

I want to start this post by pointing out that the word perfect is in quotes for a reason. This is because there is never a truly perfect wordlist for hacking passwords. There can never be a guarantee on whether a word list will be successful in matching a password hash, but brute forcing and password cracking essentially rely on the quality of the word list being used. The goal is to focus on what we already know.

Windows Forensic Analysis using PowerShell

As I continue on with my undergrad in Information Assurance, I try to apply techniques and concepts in real-world applications. It helps me “drill” the concepts into my forgetful brain, and because security interests me, I think it’s fun! As stated before in my post Controlling/Monitoring Local Admin Rights using PowerShell, PoshSec is seeking to tackle Information Security concerns using PowerShell. What PoshSec hasn’t quite looked at (yet) is Forensic Analysis.

Controlling/Monitoring Local Admin Rights using PowerShell

Almost a month has gone by since my last post, so I am long overdue to post some good content. I feel this script I wrote up should be sufficient 🙂 Enjoy! SANS Critical Control 12: Controlled Use of Administrative Privileges. VIDEO DEMONSTRATION EXPLAINING EXAMPLES TO COME SOON. Download the SourceCode (MD5 – 2AF4224E79672658DCC05AF90A4D0FC8). I recently joined up as a new developer for a great project in my area called PoshSec (https://github.


This site serves its purpose as a dynamic knowledge base: a way for me to keep organized, focused, and well-understood during my undergrad and beyond. I will post any content I feel needs explanation and share all relevant labs and demos in tutorial format. As my experience continues to evolve, so will this site. I hope to educate and create interest in this field for anyone who takes the time to visit this site.

BYOD (Bring Your Own Device): A Powerful Trend Forcing Companies to Reinvent the ‘Corporate Security Model’

Abstract: Companies no longer need to focus on letting their IT departments drive the technology of the business. Employees demand the most out of their equipment, and need access to corporate networks and applications from anywhere, on any device. With the proper implementation, BYOD can not only reduce cost and generate revenue, but can create a more productive and fulfilled workforce. Click here: to view my original essay in PDF format.

Hacking WPA / WPA2 Encrypted Networks

Before we begin: the methods and tools used in this WPA / WPA2 hacking tutorial can be utilized without any previous knowledge; however, it is best for the attacker to have an understanding of what is going on behind the scenes. My job with this tutorial is to break down each step of the attack process and explain it in a simplified manner. Assuming that the reader of this guide has no previous knowledge of hacking, Linux, or Network Security, I will take it slow (one step at a time).

Introduction to the forensic examination of E-Mail

Email Forensics. This will be Part I in my two-part E-Mail forensics series exclusive to Most people these days already have a basic understanding of what email is, or how to use it. Simply type up your message and hit “Send” and, like magic, the message is delivered electronically to the recipient you intended. But what is going on behind the scenes may still be widely unknown. Gaining a basic understanding of the underlying technologies used in email communication can be a valuable advantage in any type of cyber crime investigation.

How to display formatted PowerShell scripts in WordPress post

Posting source code has never been easier in WordPress! I have spent the better portion of this past week writing specialized scripts to transform my existing scripts into “formatted HTML” so I can include source in my blog posts. Needless to say, it has been WAY too much administrative effort for such a simple task. I was literally searching and finding every space in my scripts and replacing them with &nbsp;, or having to search my code and enclose every special character with an HTML FONT tag… This, of course, was before having to manually set different colors for all my variables, strings, cmdlets, and attributes.


Developer Link: log2timeline is a single tool to parse through log files and artifacts recursively, eliminating the need to accomplish the same task through other manual processes. It produces a formatted timeline in (.CSV) format that can be viewed in Excel or other spreadsheet applications to be analyzed by a forensic investigator or analyst. The timeline will show all recognized events (which is a dynamically growing list) in the order in which the events occurred.

Change Local Account Name and Password using PowerShell

PowerShell is a great scripting utility that can drastically speed up administrative tasks in the “IT world”. Since Microsoft is trying to make it so all their products can be managed using PowerShell, it is a great idea to be proficient in it because PowerShell is not going away anytime soon. I plan to utilize this blog as a means to share my scripts with the public and gain valuable feedback from any followers in the IT field.


Method of Attack: ARP Poisoning/Spoofing. Tools Required: Android device with ROOT access, DroidSheep APK, a wireless network. Time to Complete: less than 10 minutes. The app can be downloaded at: I am going to give a simple but effective demonstration on how to hijack an internet session over a wireless network using an Android smartphone. This is just one of many ways to perform an ARP spoofing attack, but I wanted to show just how trivial this technique has become, and how to better protect yourself from malicious attacks.