This is the second post of a two-part series, so if you haven't read part one yet, stop reading, and go do that first. Those who have followed through the first post will have installed the Let's Encrypt client and obtained their first certificate. Now let's take a look at how to leverage this certificate for some offensive purposes. This post will walk through using the ... READ MORE
Blog
King Phisher 1.1 Released
King Phisher version 1.1 has been released today with numerous improvements since the last release in October. One of the most exciting new features is the ability to send phishing emails in the form of calendar invites. This causes an email to be sent to the target that looks like a typical meeting request. More information on using the new calendar invite mode (including an ... READ MORE
Let’s Hack! Part 1: Using Certificates From “Let’s Encrypt”
In case you haven't heard, in early December 2015, Let's Encrypt entered Public Beta, meaning that anyone can get a certificate issued by the Let's Encrypt Certificate Authority without the need for an invite. If you aren't familiar with the Let's Encrypt project, you should check out their site. I can't really sum it up any better than they did already, so to quote them, ... READ MORE
Encryption Basics: HMAC
We have covered a method for key exchange, and we have covered a way to implement public key encryption and message signing. Our topic today is hash-based message authentication codes or HMAC (a subset of message authentication codes). An HMAC provides us with most of the features of message signing, but it is quicker. There are times when you will use one over the other, and ... READ MORE
Github Primer: Collaborating with Git
This post serves as a simple walk-through of how to contribute to a repository or collaborate on a project with others using github.com. The content is broken down into three sections: (1) How to create your own fork of the repository that you wish to contribute to. (2) How to sync your branch with a branch from your upstream repository (the upstream repository is the ... READ MORE
Penetration Panel Follow-Up: Defensive Best Practices
We recently held a Penetration Panel webinar that consisted of a nice mix of our attack and defense teams. The event afforded participants an opportunity to submit questions to the experts prior to the start of the webinar. One of the questions that I was slated to answer was "Describe the best practice methods you've discovered work best to prevent/detect unauthorized access." ... READ MORE
Let’s Build an Arcade Cabinet: Episode II
Our busy season is winding down! That means more time to dedicate to the arcade cabinet. I didn't get as far as I would have liked last Wednesday, unfortunately. The shell's interior supports ended up being about an inch off on one side, and it was causing the whole cabinet to lean significantly. That oversight has been addressed, though it ate up a lot of time. Measure twice, ... READ MORE
Encryption Basics: RSA
Number two in our encryption basics series. This time we are going to get into a well-known form of public key encryption, RSA. I plan on giving the same boilerplate warning for each of these; if you promise not to use this for encrypting anything truly important, you are allowed to skip the next couple of lines. The programs contained herein (obligatory lawyer speak) are for ... READ MORE
5 Tips For Pentesters Switching To Python 3
Python has been a popular language among penetration testers for some time now and is used extensively here at RSM. Python version 3 has been out since December 2008 and yet many scripts currently being produced by the security community exclusively target version 2.7. Given that Python 2.7 is in maintenance mode only at this point, it's important for people to have the tools ... READ MORE
Encryption Basics: DHKE
As a side project I have been doing some self-study on encryption to better understand it. It is how we protect our data as it travels across the internet or when at rest, we use concepts from it to verify that we sent messages, and whole currency schemes are built around the idea. Encryption is an incredibly dense topic and it is easy to mess up. As such, all of the code I ... READ MORE









