Blog

  • Setting up an API pentesting environment

    4.91 of 54 votes

    This is my go-to reference documentation for setting up a fresh dedicated API pentesting environment within Kali.

    Setting up Burp

    • Download Jython: head over to https://www.jython.org/download.html and download the latest Jython standalone installer.
    • Set the Python Environment path: within Burp, set the downloaded Jython installer as the Python Environment path.
    • Install the Autorize extension: within Burp, navigate to Extender > BApp Store, search for Autorize and install the extension.

    Install FoxyProxy

    • With Firefox open, press Ctrl + Shift + A to open the add-ons menu.
    • Search for FoxyProxy Standard and add FoxyProxy to Firefox.
    • Navigate to the FoxyProxy options.
    • Add Burp to FoxyProxy.
    • Add Postman to FoxyProxy.

    Configure Burp Suite Certificate

    • Start Burp.
    • With Burp Suite enabled in FoxyProxy, navigate to http://burpsuite and click the CA Certificate to download the certificate.
    • In Firefox, open Preferences and use the search bar to look for certificates. Import the downloaded certificate.
    • In Chrome, open Settings > Privacy and security > Certificates managed by Chrome and import the downloaded certificate (you may need to change the file type options to 'All Files').

    Postman

    Download Postman:
    sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz
    Extract and install Postman:
    sudo tar -xvzf postman-linux-x64.tar.gz
    Link the postman command:
    sudo ln -s ~/Postman/Postman /usr/bin/postman

    mitmproxy2swagger

    Install mitmproxy2swagger:
    sudo pip3 install mitmproxy2swagger

    Git

    Install Git:
    sudo apt install git

    Docker

    Install Docker:
    sudo apt install docker-compose
    sudo apt install docker.io

    Golang

    Install Golang:
    sudo apt install golang-go

    At this point a restart may be required.

    JWT Tool

    The symlink paths in the remaining steps assume each repository is cloned into your home directory.

    Pull down the JWT Tool repo:
    sudo git clone https://github.com/ticarpi/jwt_tool.git
    Install JWT Tool:
    cd jwt_tool
    python3 -m pip install termcolor cprint pycryptodomex requests
    sudo chmod +x jwt_tool.py
    sudo ln -s ~/jwt_tool/jwt_tool.py /usr/bin/jwt_tool

    Kiterunner

    Pull down the Kiterunner repo:
    sudo git clone https://github.com/assetnote/kiterunner.git
    Install Kiterunner:
    cd kiterunner
    sudo make build
    cd dist
    sudo ln -s ~/kiterunner/dist/kr /usr/bin/kr

    Arjun

    Pull down the Arjun repo:
    sudo git clone https://github.com/s0md3v/Arjun.git
    Install Arjun:
    cd Arjun
    sudo python3 setup.py install

    ZAProxy

    Install ZAProxy:
    sudo apt install zaproxy
    Update the OpenAPI add-on.
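    A post-install check for the toolchain above, added here as example code rather than part of the original post: it confirms each installed command is on PATH, fetches Burp's CA through the proxy and converts it to PEM, then makes one proxied HTTPS request to prove the interception certificate is trusted. It assumes Burp listens on 127.0.0.1:8080 and serves its CA at http://burpsuite/cert, and that curl and openssl are installed; none of that is stated in the post.

```shell
#!/bin/sh
# Post-install sanity check for the API pentesting toolchain set up above.
# Assumed (not stated in the post): Burp's proxy listener is 127.0.0.1:8080
# and Burp serves its CA certificate at http://burpsuite/cert via that proxy.
BURP_PROXY="${BURP_PROXY:-127.0.0.1:8080}"
CA_URL="http://burpsuite/cert"
# Command names the walkthrough installs or symlinks onto PATH.
EXPECTED_TOOLS="git docker docker-compose go jwt_tool kr arjun mitmproxy2swagger postman zaproxy"
# Report each argument that is not on PATH (to stderr); print the missing count.
missing_count() {
    n=0
    for t in "$@"; do
        if command -v "$t" >/dev/null 2>&1; then
            echo "ok       $t -> $(command -v "$t")" >&2
        else
            echo "MISSING  $t" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# True when something answers on the Burp listener (2 s timeout).
burp_listening() {
    curl -s -m 2 -o /dev/null "http://$BURP_PROXY/"
}

# Fetch Burp's CA through the proxy (DER) and convert it to PEM ($1) so CLI
# clients such as curl can trust intercepted TLS; prints the CA subject.
fetch_burp_ca() {
    curl -s -m 5 --proxy "http://$BURP_PROXY" -o burp-ca.der "$CA_URL" || return 1
    openssl x509 -inform der -in burp-ca.der -out "$1" || return 1
    openssl x509 -in "$1" -noout -subject
}
# Prove an HTTPS request really traverses Burp and validates against its CA ($1):
# prints the HTTP status; a TLS error here means the certificate is not trusted.
proxied_tls_ok() {
    curl -s -m 10 --proxy "http://$BURP_PROXY" --cacert "$1" -o /dev/null -w '%{http_code}\n' https://example.com/
}

main() {
    echo "$(missing_count $EXPECTED_TOOLS) tool(s) missing from PATH" >&2   # unquoted on purpose: split into words
    if burp_listening; then
        fetch_burp_ca burp-ca.pem && proxied_tls_ok burp-ca.pem
    else
        echo "Burp is not listening on $BURP_PROXY; start it before proxying." >&2
    fi
}
# Run the report only when invoked with --check; sourcing the file just loads the functions.
if [ "${1:-}" = "--check" ]; then main; fi
```

    Save it as api-env-check.sh and run `sh api-env-check.sh --check` after the restart; the resulting burp-ca.pem can also be handed to Python tooling via the REQUESTS_CA_BUNDLE environment variable.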

  • The mystery 50p coin I found

    • General
    • by Jacob Riggs
    • 13-09-2022
    4.91 of 57 votes

    Over 50 years ago a coin entered circulation. A coin that once belonged to a man named Sean Creamer. Engraved on the faces of this coin are the words: "This once belonged to Sean Creamer 58 Henry St Limerick — worth £5 to me if returned". Today this mystery coin resides with me, after what I suspect has been a very long journey. I'm not sure who Sean Creamer is or what motivated him to inscribe his message, though the words do make me think there's a certain desperation in the creative fight to declare our existence. Much like the reason many of us post online, we're participants of the past speaking our own timeless messages like a familiar chapter in a tattered book — messages that we hope might survive the test of time and someday outlive us. "See me. Remember me. I was here." Perhaps this small relic of the past is intended to function as more than a memento, a keepsake, or a souvenir. Maybe it's an artifact of history that truly belongs to nobody, only temporary caretakers during its journey, and serves to teach an important lesson about value. Maybe a value worth more than we ever realise at the time.

  • Shark Tank success 'LARQ' sent me a free water bottle

    • General
    • by Jacob Riggs
    • 27-08-2022
    4.91 of 58 votes

    Last week I fell into the abyss of watching random YouTube videos and at one point landed on a video featuring LARQ, the highest-valuation company ever to pitch on the popular US television show Shark Tank. The product line they were offering was simple – self-cleaning water bottles that use UV light to purify water. Intrigued to find out if the company had found success since airing, and intending to purchase one of their bottles for myself, I registered on their site. Shortly after registering I noticed a security vulnerability, and duly reported this to them that same day. My report was well received, and as a thank you, they kindly offered to send me any product I wanted for free.

    "Hi Jacob, Our Digital team is very grateful for your time and the issue you have brought to our attention, we would be happy to ship you any LARQ Product of your choice as a thank you! Please be so kind as to confirm which product you would like and your shipping address. Thank you!"

    I opted to select the LARQ Bottle PureVis 740ml (insulated), as I figured this would have been my preferred choice for purchase. Thanks to the LARQ customer experience team for sending me this free gift.

  • UK ISPs prohibit ethical security research activities

    • General
    • by Jacob Riggs
    • 26-08-2022
    4.91 of 54 votes

    All major UK ISPs seem to stipulate contractual terms which specifically prohibit their customers from using their home broadband service for security testing activities, regardless of the lawful basis for those activities (such as when penetration testing and bug bounty engagements are authorised). Below are the relevant extracts I pulled from the associated policies. If you're a UK customer of these services and engage in any bug bounty or penetration testing activities, it's likely you've already agreed to comply with these terms, and may therefore be at risk of having your home broadband service suspended for violating them.

    POLICY EXTRACT
    Source: Vodafone Acceptable Usage Policy
    2. Your use of the Service
    ...
    2.9 You must not use the internet to send information that has forged addresses or are deliberately constructed to adversely affect remote machines or other computer systems.
    4. Network security
    4.1 You must not take any action that could inhibit or violate the network security of any person or company (including Vodafone) or that could adversely affect their use of the internet.

    POLICY EXTRACT
    Source: BT Acceptable Usage Policy
    Security Violations
    The BT Network may not be used to violate the security of a network, service or other system. Examples of security include hacking, cracking into, monitoring, or using systems without authorisation; scanning ports; conducting denial of service attacks; distributing viruses or other harmful software; smurf attacks; and unauthorised alteration or destruction of websites or other information.

    POLICY EXTRACT
    Source: Virgin Media Acceptable Usage Policy
    5. Your responsibilities - Virgin Media’s systems, services and equipment
    ...
    5.2. Specific prohibited acts in relation to Virgin Media’s systems, services and equipment are:
    ...
    5.2.5. attempting to circumvent user authentication or security of any host, network, or account (also known as “cracking” or “hacking”).

    POLICY EXTRACT
    Source: Sky Acceptable Usage Policy
    Do not violate anyone's systems or network security
    You must not use Sky Broadband, or allow someone else to use Sky Broadband, to violate Sky’s networks’ security or any third party’s system or network security by any method including:
    ...
    You must not send, receive, store, distribute, transmit, post, upload or download any materials that are designed to violate Sky Network’s security or any third party’s system or network security. Examples of such prohibited material may include (but are not limited to):
    ...
    • tools designed to compromise the security of other sites;

    These terms make up the components of valid contracts, and as ISPs are in the business of making money, this raises a few questions.

    • Do ISPs actually care what their customers do with their service?
    • How enforceable are the relevant legal obligations in practice?
    • Are ISPs actively monitoring customer traffic for attack characteristics?
    • Do reports of abuse ever result in ISPs terminating services?

    Such unanswered questions might incentivise security professionals to consider the wider use of commercial VPNs.

  • The Royal Mint sent me a limited edition gold coin

    • General
    • by Jacob Riggs
    • 25-07-2022
    5.00 of 55 votes

    For some voluntary work I did, The Royal Mint sent me a limited edition 22 carat gold coin which commemorates the life and legacy of the great mathematician and codebreaker Alan Turing. This included bespoke packaging that contained a small 'Innovation in Science' series booklet detailing Turing's remarkable achievements, and featured one of his most famous quotes:

    "We can see only a short distance ahead, but we can see plenty there that needs to be done" ~ Alan Turing

    I would like to express my thanks to The Royal Mint for this thoughtful gift.

  • How to access and trade on darknet markets

    5.00 of 55 votes

    Welcome to my first counter-economics walkthrough, featuring the darknet. The darknet is not just a domain for illicit activities; it also serves as a space that offers unparalleled opportunities for discourse, free market trade, and collective and communal discovery. It’s occupied by people from all walks of our complex and layered lives - from outright criminals and troublemakers, to journalists, dissidents, and security researchers (like myself). Whilst I can appreciate that the darknet is widely associated with illegal activity, it’s important to note that simply accessing the darknet is perfectly legal. There are a lot of advanced cryptographic protocols and processes behind the workings of what I’m about to explain, but for the purpose of keeping this post short and tailored for a wide audience, I’m going to simplify everything as best I can.

    1. Tor

    To access the darknet you’ll need to download and install the Tor (the onion routing) browser. This is an open source, purpose-built and completely free browser based on Firefox that enables anonymous web surfing, by ensuring that all traffic it processes is heavily protected against traffic analysis.

    Download Tor

    Tor establishes a secure network circuit for each browser session, which connects Tor nodes deployed around the world at random. These nodes encrypt your browser traffic in layers at each node hop on its way to/from the source (your browser) and the destination (a hosted hidden service).

    2. Darknet markets

    With Tor installed, you’ll next need to find a darknet marketplace domain to visit. The Tor network mandates that Tor clients (such as the Tor browser) can only access sites using the .onion TLD. However, these domains are not easy to distinguish, and are usually represented as long, often randomly generated alphanumeric strings. Finding the correctly represented URL for a particular domain in the first instance can be a challenge.

    There are hundreds of marketplaces to choose from, each with their own set of communities, politics, and socio-economic motivations. I won’t list them all here, as unfortunately not all survive long enough to outgrow the impulse of real-world influence and fallible human desires. Some get hacked, some get shut down by law enforcement, and some succumb to their own greed - whereby the operators 'exit scam' entire communities. This is why there’s no specific endorsement for any particular marketplace I can make, but I’ll include a few of the most common below for reference. Please beware of the many fake .onion addresses that frequently circulate the web and are set up as convincing phishing sites. The above hidden service URLs were validated as accurate at the time of this blog post being made, though may require further validation if they are to be relied upon in the future.

    3. What you can buy

    Most darknet marketplaces have a large selection of categories populated with listings from reputable vendors. These are varied, and can include both legal and illegal listings. In no particular order, some of the most common categories I’ve observed are: Drugs, Doxxing, Malware, Hacking, Software, Hosting, Electronics, Ebooks, Firearms, Graphics, Databases, VPNs, Jewellery, Fraud, Passports, Programming.

    4. Buying Bitcoin (BTC)

    The first step, if you’re new to this space and want to facilitate a trade, is to buy yourself some cryptocurrency. This process, in summary, is to trade a value of what you own in digital fiat currency (GBP, USD, AUD, etc) for a value of what you desire in BTC, and can most easily be achieved by registering with a centralised platform, like one of those I’ve included below.

    • Coinbase
    • Binance
    • Bitfinex
    • Poloniex

    Many darknet marketplaces employ the use of specific cryptocurrencies (such as XMR) that use technologies such as stealth addressing and ring signatures to evade traceability. However, these currencies, due to their decentralised and counter-economic nature, are often restricted by centralised platforms from purchase and practical use. This means it’s sometimes possible to buy these currencies (such as XMR) in exchange for fiat (GBP, USD, AUD, etc), but you may find yourself prevented from transferring such currencies outside of the platform you’ve purchased them from.

    5. Exchanging Bitcoin (BTC) for Monero (XMR)

    A logical and convenient method I’ve seen adopted to get around this problem is to purchase another mainstream currency (such as BTC) via a centralised platform, then to use a third-party service to facilitate an exchange into a darknet marketplace supported currency like XMR. Below I've added an embedded interactive exchange utility that runs off a secure third-party API, and connects each transaction request with the best real-time market rates offered across a wide number of centralised trading platforms. If you'd like to use it to exchange currencies, please feel free.

    6. Making a purchase

    Most reputable darknet marketplaces employ the use of escrow systems for mutual buyer and seller protection, with step-by-step client-side encryption features leveraging PGP to ensure end-to-end privacy and anonymity is preserved. This usually (but not always) means that when you supply potentially identifiable information, such as an email address or postal address to receive goods, the marketplace auto-encrypts your data to the vendor’s public key in your browser at the point of sale. This is to prevent your data being inadvertently disclosed at any time in the future to anyone other than yourself and the vendor, and ensures that trade participants can remain confident that marketplace transactions are provably private. Understanding PGP usage in this context is important, but can be overwhelming for newcomers. A while back I made another blog post on PGP keys which helps explain what PGP is and how it works.