Posts on heapspray.io - a plethora of infosec garbage

Speeding up my lab work with ludus

Sun, 02 Nov 2025 05:00:00 +0200

Thoughts on the ludus cyber-range/lab system, and tricks

Baselining with NetBox, part 2: Creating an inventory

Sun, 26 Oct 2025 07:00:00 +0200

Using netbox and ansible to automate the catalogging of your IP addresses and services.

Baselining with NetBox, part 1: Installing netbox with ansible

Sun, 26 Oct 2025 03:00:00 +0200

Using netbox and ansible to automate the catalogging of your IP addresses and services. First part describes automating the installation.

Automating the boring (pentest) stuff with Terraform and Ansible. Part 2: Scanning

Sat, 28 Jan 2023 00:00:00 +0000

A simple way to automate the repetitive parts of your pentest using typical DevOps tools.

Automating the boring (pentest) stuff with Terraform and Ansible. Part 1: Recon

Wed, 18 Jan 2023 00:00:00 +0000

A simple way to automate the repetitive parts of your pentest using typical DevOps tools.

Timesheet simplification with osquery, Splunk and Python!

Sun, 17 May 2020 00:00:00 +0000

This post walks through basic osquery and Splunk installation – but with a twist. I use these security tools to monitor for connections so as to keep track of my work hours.

Attack Jupyter!

Sun, 18 Aug 2019 00:00:00 +0000

A few tips on using jupyter for reverse engineering and pwn challenges.

Automating pentests with WebDriver

Sun, 18 Aug 2019 00:00:00 +0000

Using WebDriver to automate pentest activities - two use cases and some code.

Logging Nessus vulnerabilities to graylog

Sat, 08 Jul 2017 00:00:00 +0000

I’ve been beefing up the security of my home network recently. If you were to ask me why, I could rattle out a few good excuses, such as “it’s good to maintain good computer hygiene, especially at home” or “as a fan of CTF’s, I’m concerned that I’ll accidentally pick up something nasty which will own my network”. Oooo, hey, here’s a good one: “to be a good red teamer, you have to know how blue teams operate”. Those excuses are all well and good; to be honest, though, the real reason I’m messing around with defensive security nowadays is that it’s just fun as hell.

Certificate Transparency as a recon technique

Fri, 04 Nov 2016 00:00:00 +0000

I’ve been using certificate transparency with increasing frequency during my network pentests. What a great source of information! I’ve found it so useful that I wrote a short standalone script to search for domains in a transparency log and resolve them to IP addresses.

What’s certificate transparency?

There’s an actual site dedicated to describing Certificate Transparency (https://www.certificate-transparency.org/), which I recommend you check out. In a nutshell, CT is a mechanism that provides real-time monitoring and auditing of certificate information. If you’ve ever clicked on that little padlock next to the URL of a site you’ve visited in your browser, chances are that you’ve used CT.

Decompressing Android Backups With Python

Fri, 12 Feb 2016 00:00:00 +0000

A small script for decompressing android backups written in python, practically no deps.

Metasploit soul-searching: scanning with metasploit

Wed, 22 Apr 2015 00:00:00 +0000

I’ve been trying to expand my knowledge of Metasploit recently. I’ve gotten training which included quite extensive coverage of the framework, for which I’m grateful; but to really get how extensive the tool’s functionality is, there’s nothing quite like practice.

With this in mind, I downloaded the metasploitable VM over at sourceforge (http://sourceforge.net/projects/metasploitable/files/Metasploitable2/) and began hacking away at it.

When you start working on these things, it’s awful tempting to fall back into ‘CTF mode’, where your only objective is to get in. It’s not super effective in testing the tool, though. So I tried to limit myself to metasploit only, and see how far I could go. I also took a breadth-first approach rather than a depth-first approach - in other words, exploring as many of the scanning functionality as possible before moving on to exploitation.

WebSockets

Fri, 14 Mar 2014 00:00:00 +0000

WebSockets are a mechanism that allow a client (typically a web page) to talk to a server without the overhead and complications that web services may pose. The client first establishes a connection using http and then makes a request to switch over to websockets; the process is described in RFC 6455 <https://tools.ietf.org/html/rfc6455>__. Using this technology simplifies development of elaborate web based clients and reduces web traffic, which is pretty sweet for developed and admins alike

VNC passwords

Wed, 12 Mar 2014 00:00:00 +0000

We like to think of VNC passwords as encrypted; but when you consider that they’re encrypted using DES (a weak encryption algorithm) with a key that is hardcoded… Well… That pretty much makes VNC passwords \ encoded and not \ encrypted. There are a few VNC password revealers out there, such as \ vncpwd <https://github.com/jeroennijhof/vncpwd>__ or VNCPassView <http://www.nirsoft.net/utils/vnc_password.html>__, the former can be used in Linux and the latter in Windows. A prerequisite to using these is that you have access to the VNC passwd file and/or registry. Other tools exist to snarf the VNC password out of network captures.

Automatically retrieve list of offline shares on all PCs of a domain

Tue, 14 May 2013 00:00:00 +0000

I wrote this short VBS script today to help out a client; basically, you can run this on an Active Directory domain as a login script to see if your users’ offline shares are correctly configured. In this case, each user is supposed to have a ‘U:’ drive that syncs with a file server whenever they’re on campus, and is available whenever they’re on the road. Sometimes, though, the configuration isn’t set for one reason or another… Hence the script.

Brucon 2010: a recap

Sat, 02 Oct 2010 00:00:00 +0000

I was at Brucon 2010 last week, and it was a blast!

The ambiance at the con was very much reminiscent of Defcon’s: people talking passionately about security in a relaxed, geek-and-caffeine-rich environment.

In the past, when attending infosec cons I tend to go to all the talks – this time, I decided to go to as many workshops as possible. I must say, I was not disappointed at all – while talks are often absolutely fascinating and wildly entertaining, workshops provide a chance to understand something at a much deeper level and allow you to test your knowledge of the topic; it also allows the speaker to tune her content to the audience in a much more interactive manner, providing more, or less, background information according to the crowd’s grasp of the subject. For instance, during the malicious PDF analysis workshop, Didier Stevens provided an overview of the PDF structure and started working through his samples, but quickly started skipping through examples he thought were obvious and allotting more time to the ‘juicy bits’.

A honeypot solution from start to finish

Sat, 03 May 2008 00:00:00 +0000

| Operating System and tools | Pick an operating system with which you’re comfortable. A lot of *nix junkies out there will heckle you about which distro is best, especially when it comes to running security tools; and whilst I agree with the principle that a good solid distro will improve your machine’s robustness and prevent a malicious attacker from turning your security tools against you, let’s be realistic: there isn’t a single distro, operating system or device out there that can’t be exploited. This is not always due to the shortcomings of the developer, or administrator, or what have you: it is the result of a complex balance between security, functionality, communication and logistics. So what I say is, pick *one* distro and get to know it very well. Make sure it can patched on a regular basis and that any remote communication you set up with it is secured (encrypted, with a long password or certificate for authentication). For this example, I’m going to use an Ubuntu box, honeyd, swatch and ruby to set up the honeypot and monitoring systems.