Website Update

We had a pretty solid push the first half of the year with updates to the site and projects. We’ve picked up some business that has left us fairly busy. The forecast for 2018 looks is:

Software Projects

  1. IPv6 Scanner, I actually wrote this a few years ago on an assessment and then prompt lost the source so I’m cleaning it up and making it ready for prime time.
  2. SMBv1 Validator. Pretty self explanatory, that scanner is about 90% done I’m just adding threading because it is slow right now doing them one at a time with a full connection and handshake. Project is on GitHub and the post is Here
  3. Extra Secret Classified Project! Actually, we just don’t have a name for it yet but it is a mix of stuff we look for on assessments as some menu driven python code.

Posts

  1. Watering Hole Attacks, this is a favorite of mine.
  2. Metasploitable3 walk-through.
  3. Low power linux dropbox using Nexx 3020H hardware. Device build Here and installing Responder on the device is Here

If you haven’t noticed we’ve been publishing more content lately. Partly, this is because we had a lull in the schedule to actually get things done and we also had a bunch of half finished stuff that we focused on getting done.

Here are the things you will see soon.

The last recon-ng installment, this one is exciting because it is the actual nuts and bolts

Relatively soon, some of these are half done some are nothing more than a title and vague idea at this point.

Weaponized Boredom

Phish Stories, I once wrote a post [———- THIS ———-] big

OSINT Tutorial for Dimitry

Penetration Testing Trade Craft

Not as soon.

Tool Usage Wiki, this is the equivalent of letting someone watch you make the secret sauce

We have been so busy that we haven’t been getting content onto the website. Here is a quick rundown of what is going on.

 

We are giving the keynote address on emerging threat trends at New Mexico Technology in Education November 20th. http://nmtie.net/2014-conference/

 

We will be presenting ‘Why you don’t need a pen test’ to the Albuquerque Chapter of ISACA on December 9th. http://www.eventbrite.com/e/why-you-dont-need-a-penetration-test-plus-sandworm-demo-tickets-14154631885?aff=eorg

 

And because we hate free time we are partnering with Albuquerque Health Care for the Homeless to provide a vulnerability assessment of their network. Being part of the InfoSec community is important, but helping those in need in our local community is part of being a good citizen.

 

Once all the dust settles, we will be posting more tutorials and content.

With the SandWorm 0day (CVE-2014-4114) and POODLE being released this week we are working on integrating it into our testing as well as developing good mitigation for our clients. We had discussed internally how Heartbleed would probably focus other researchers on SSL and it seems to be holding true. We also think that Shellshock with lead to a number of other parsing vulnerabilities being found in other shells and operating systems.