Rick Wisser// Here at BHIS we are always on the lookout for new toys. Especially if we can use them during a pentest. As a pentester, we all have a complimentary tool set in our jump bags that we have grown accustomed to using. Tools such as the Rubber Ducky, Konboot, Lan Turtle, proxmark3, crowbar […]
Jordan Drysdale // Let’s start this post at Walmart. Yes, the visit may be attributable against the purchaser via security camera footage retrieved by warrant, so hand your wife/husband/confidant/whomever a stack of untraceable cash. The first thing to snag is a new burner phone. This one seems acceptable for our purposes: Wait though, did we […]
Lee Kagan* // Expanding upon the previous post in this series, I decided to rewrite C2K (find it here) to change its behavior and options for the user. In this post we will walk through the changes to C2K as well as re-deploy a demo C2 infrastructure with all the new features. It is worth […]
Dakota Nelson// The modern internet’s got a lot of places to hide. In this webcast, join Dakota as he shows how you can establish C2 channels and issue commands to implants over several different social media sites, including Google Sheets, Twitter, Tumblr, and Salesforce, in under 100 lines of Python. Slides can be […]
Carrie Roberts//* *UPDDATE: I’ve improved on the “Gathering Contacts with Burp” method by creating a dedicated extension. This provides the following improvements over what I blogged about here: 1) The output is tab delimited and imports into Excel much cleaner 2) It avoids duplicates for the most part. 3) It doesn’t miss results that don’t […]
BB King//* The state of Ohio recently validated a webapp pentest finding that sometimes goes overlooked. It relates to the details of administrative functions, how they can be abused, and how just the potential for abuse can call all of your data into question. Here’s what they found: COLUMBUS, Ohio — A “critical flaw” in […]
Jordan Drysdale// Some days are not like others. Someday, you might get tasked with scanning a million IP addresses. Here’s how I did it: Digital Ocean. Amazon is too picky about their rules for inbound and outbound traffic. I don’t want to piss off the third or fourth largest corporation on Earth. Politically speaking, there’s […]
David Fletcher// There are a number of items that I watch on eBay. Included in that group are long range proximity card readers. As it turns out, I was recently able to pick up an HID MaxiProx 5375 reader, new in box, for less than $100. I had to buy it!! These devices were […]
Carrie Roberts//* Is your employer reading all your sensitive information when you browse the internet from your work computer? Probably. But how can you be sure? It is common for companies to deploy an SSL decrypting proxy at work in an effort to better protect their assets from attack. It’s something you agree to when […]
