Freedom Hosting 2: Conclusion

In this fourth and final post in the series, I will point out some remarkable items that didn’t fit into the more general analyses of the previous articles. I will also mention a few avenues of investigation that didn’t pan out. Finally, I will try to pull all of these loose threads together into some final conclusions. Unclustered Sites In the first post of this series, I used a clustering technique to identify sites that seemed to be running similar software.

Python 3 Search Engine

I’ve been using Python 3 exclusively for a few years now, but when I search for Python API docs, most search engine results point at the Python 2.7 docs. Python 2.7 will be end of life on January 1st, 2020, which is 5 months away as I’m writing this! Why does it keep showing up in my search results!?

Freedom Hosting 2: Overview

I’m a little late to the party on this post, but Freedom Hosting 2—a notorious shared hosting service on the dark web—was anonymously hacked in 2017. The hacker posted a dump of the databases and some of the configuration and code from the server. In this post, I’ll crack into the dump and show you a bit of my analytic process to make sense of this large mass of data.

Oracle Reports: My First CVE

In 2018, I had some downtime between work projects, so I waded into the world of bug bounty programs. I learned that I’m not a great bounty hunter: I only found 3 payable bugs after investing a lot of bug hunting time. On the upside, I found a bug in Oracle Reports that eventually turned into… my first CVE credit!

Assemblies in Encoding Tools

Back in June, I posted about a project called Encoding Tools, which is an open source, browser-based utility for transforming text and binary strings. The purpose of this project is partially to scratch an itch, but also to have some fun building a project that I can market publicly. This post is an update on the project.

Multicast DNS for Pen Testers

Multicast DNS (mDNS) and Service Discovery (DNS-SD) are ubiquitous protocols that are enabled by default in many modern tech products, especially those designed for home and small office environments. They are part of Zeroconf, a suite of technologies that helps network devices automatically discover each other. When you go to print a document, and your computer automatically suggests nearby printers, it might be using Zeroconf to do that!

In this blog post, I’ll break down what pen testers should know about mDNS and DNS-SD and how to use these technologies on your own assessments.

Introducing Encoding Tools

If you are a programmer, pen tester, or reverse engineer, you probably find yourself needing to manipulate data between various representations, such as URL encoding, base64 encoding, etc. There are a lot of web sites and utilities to do this sort of thing interactively, but I’ve never been totally satisfied with any of them.

So… I built my own! Today I am releasing Encoding Tools, an open source, browser-based utility for transforming text and binary strings.