SE Village @ DC25: Social Engineering with Web Analytics

July 31, 2017

This weekend I was lucky enough to have the opportunity to speak at the Social Engineering Village at DefCon25. I gave a talk regarding my research with using Google Analytics for social engineering. I made a new tool called google-analytics-attack-ng that has many new features compared to its predecessor in my previous blog post. In addition to…

Building IoT: A Hacker’s Journey

May 2, 2017

Being a first-time homeowner means a lot of different things, but in particular I’ve found it means fixing a lot of things. A garage door opener has been on my fix-it list for a while and I finally got around to solving it! This blog post will cover the IoT device I created and the security protections I baked in along the way!

DakotaCon 2017 CTF Write Ups

April 12, 2017

I was able to attend DakotaCon in Madison, SD again this year and, staying true to the precedent from last year, it was a great time! The time I didn’t spend in the talks or training was spent on the CTF, which my team and I were able to complete in 1st place! This blog post contains write-ups for various challenges.

Magic Mirror with DNS Filtering

February 6, 2017

Over a year ago I came across a Raspberry Pi project called Magic Mirror. The project uses a one-way mirror to overlay a reflective property on a computer monitor, while allowing display elements to “magically” appear on the mirror. I liked this project and went ahead and built my own, but with a twist. This blog post will briefly cover my Magic Mirror build and how I use it to manage and filter DNS on my network.

Social Engineering with Google Analytics

September 25, 2016

If a sophisticated attacker could flood a victim’s Google Analytics portal with referrals from a domain the attacker controls, a victim may investigate the referrals and browse to the attacker-controlled domain. Sneaky! This blog post will cover the development and usage of a Social Engineering Toolkit (SET) module I wrote called “Google Analytics Attack”.

Referer Redirection and Its Inconspicuous Danger

August 16, 2016

Recently I noticed some peculiar behavior on a web application; it would openly redirect to whatever the ‘Referer’ header was set to in the request. At first I thought that seemed pretty harmless, but after recognizing it as unsanitized input, I was determined to come up with a use case for when this behavior could be used for evil.

KeePass and Eating Your Own Dog Food

July 21, 2016

For a while now the information security community has been griping about the need for better passwords. I decided it was time to ‘eat my own dog food’ and take my personal password security to the next level by using KeePass.

Consumed: A DefCon Short Story

May 31, 2016

Late this April, I came across a Tweet from DefCon announcing a short story contest. My mind began buzzing with different ideas. Eventually I came up with one I really liked, and I began running with it. This post contains my short story!

Persistence Aggressor Script

May 4, 2016

I got tired of running my basic persistence by hand and hadn’t gotten a chance to play with extending Cobalt Strike yet, so I decided to write a script to do some basic persistence techniques using Cobalt Strike’s scripting engine!

DakotaCon 2016: Talks, Training, and CTF

April 9, 2016

Last week I was lucky enough to visit DakotaCon! This blog post will contain my remarks on the various talks I attended, a recap of the training I received, and some write-ups of the CTF challenges I was able to solve.