Latest posts


Getting the goods with CrackMapExec: Part 2

In Part 1 we went over the basics such as:

  • Using credentials
  • Dumping credentials
  • Executing commands
  • Using the payload modules

Part 2 will cover CME's internal database and getting shells using Metasploit and Empire!

The Database

CME's internal database can be queried by using the script, two things …


Getting the goods with CrackMapExec: Part 1

This is going to be a multipost series going over a lot of the functionality of CrackMapExec. Although there is some documentation already on the project's wiki (which I'm still in the process of writing) I feel blog posts will help get everyone who is interested up to speed on …


Installing Empire on Arch Linux

I'm an Arch Linux fan and I've been using Empire on a lot of pentests recently. Problem is Empire requires Swig2 and Arch had only Swig3 in its repos.

Today I just noticed that the Arch AUR has a functional Swig2 package, and I finally got Empire running! W00t!

So …


Mad-Max Scapy: Improving Scapy's packet sending performance

I've been using Scapy for years and one thing that's always bothered me was its performance, especially when it comes to sending packets. To give you an idea:

from scapy.all import *
for i in range(0, 10):
             psrc=' …


Converting commands to PowerShell-compatible encoded strings for dummies

This is basically a reminder for me but could be useful for anyone. I keep forgetting how to convert commands to a PowerShell-compatible encoded string:

From the command line:

echo "iex(command)" | iconv --to-code UTF-16LE | base64 -w 0

For Python:

from base64 import b64encode
b64encode('iex(command)'.encode('UTF-16LE …


Using Nfqueue with Python the right way

While I was re-writing the Spoof plugin for MITMf I came across the "pythonic" way of using Nfqueue with Python.

Previously the plugin was using code from for DNS tampering, which used the nfqueue-bindings Python library from here.

Problem was that it was a pain to setup: you …


Toby: finding the needle in the haystack

When I successfully extract a file system from the firmware of an embedded system, the first thing that I do is run grep or strings looking for low hanging fruit or even potential command injection vulns.

What I wanted though is something that recursively checked all files of a directory …


Pyexfil - Using Python to make Gmail a C&C server

Now I'm pretty sure there was a talk at BlackHat a couple of years ago about doing this, so this might not be anything new but I'll write about it anyway.

This is a great way to exfiltrate data from a network: it's stealthy (who looks at traffic going to …