
security researcher and penetration tester. twitter: @kali_null

I wanted to implement a simple server that would register the source IPs it was pinged from and display them back to me. This way I wouldn’t have to spin up an instance each time I want to test a remote execution vulnerability on a box I’m testing.

Scenario: I’m testing a box with potential remote code execution and I want to quickly confirm it by making that box ping my server. In order to confirm it, I’d need to spin up an AWS instance and monitor pings, and this takes some time to set up. Alternatively I’d need to…


Genymotion is so far my favorite Android emulator. It’s both powerful and easy to use. It’s widely used by developers because it’s way faster than the Android Studio emulator. Genymotion instances work right out of the box; however, there are quite a few steps to set it up for smooth application pentesting and intercepting traffic with Burp.

Before we begin: Genymotion is based on VirtualBox, so you can preinstall it prior to setting up the emulator.

Once you go through the installation process, you can set up a proxy for all future virtual devices. …


After returning from DefCon I wanted to make sure my iPhone was not communicating with any sketchy servers out there. So I decided to run a quick tcpdump on the traffic, and here is how to do it:

First you need to install Xcode. Once you create a project and connect your iPhone, choose your device in the Devices tab and tap “Trust” on your phone.

Then move to iTunes and click on Serial Number to find the UDID of the device.


It’s not uncommon for the VPN connection to our client’s boxes to either break mid-testing or be blocked by some firewall or IDS. SSH tunneling can be used as a backup connection to the existing VPN connection, or as a decent lightweight alternative.

Things we’ll need:

  1. AWS instance for pivoting
  2. Target box on the network we are ̶h̶a̶c̶k̶i̶n̶g̶ testing.

First, we need to set up the AWS instance to use as the initial jump box:

  1. Open port 8080 in the security rules
  2. Create new user: adduser revconnect (or whatever user name) and give the user sudo privileges: usermod -aG sudo…


Look for the exploit you want to add: searchsploit sonicwall 8.1.0.2-14sv. Make a note of the path for the exploit.

searchsploit output

Next, you need to create a folder in the .msf4/modules directory that matches the path in exploit-db. So in this case I will add cgi/webapps.

Go to your newly created folder and copy the exploit:

cp /usr/share/exploitdb/exploits/cgi/webapps/42344.rb /root/.msf4/modules/exploits/cgi/webapps/

Make sure that you specify both the root path (it’s listed right underneath the “Path” heading in the searchsploit output) and the relative path.


I perform network penetration testing from headless Kali boxes. This is limiting when I want to test internally available web apps. I can get away with SSH tunneling (aka port forwarding) for basic applications or an RDP interface, but it quickly becomes a pain once you start interacting with dynamic content, and especially with redirections. That’s where the Squid proxy comes in handy. So the goal is to run internally available web pages found during the assessment through the instance of Burp Pro on my local machine.

Steps:

  1. Spin up a Squid proxy server on the remote instance:


My environment for this setup: macOS, Burp Suite, Tor service, Firefox browser and brew.

  • Install the tor service (not the Tor Browser bundle). On a Mac you can do it with “brew install tor”. If you don’t have brew installed, run this command (the closing quote was missing in the original):
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Here is the link if you need more information on brew: https://brew.sh/

  • Run the tor service with the following command: brew services start tor. If you run brew services list you should see tor running:

Configure Firefox:

  • Set manual proxy configuration to 127.0.0.1 port 8080
  • Make sure SOCKS is set to v5. v4 is not supported.


DD-WRT does not support repeater mode for Atheros chipset based routers. Hence you will not find the Repeater and Repeater Bridge options under Wireless Settings. You can, however, still achieve a similar result with a Client mode connection. It won’t be as seamless as it would be in Repeater mode, though: you would be connecting to a different network in this case. First, you will create a wireless link between the remote AP and the DD-WRT router on the physical interface so that the DD-WRT router can join the remote AP’s network as a client. Then you will configure a virtual Access…


I found running BeEF from a Kali VirtualBox VM inconvenient because it requires port forwarding from VMnet, then the LAN, uggh… You’d really want to connect directly to BeEF. So there.

  1. Get an Ubuntu or other Debian instance. (Red Hat, i.e. the Amazon instance, is missing some dependencies.)
  2. Follow https://github.com/beefproject/beef/wiki/installation. Make sure to install Ruby. You can just do sudo apt-get install ruby-full
  3. Move to the beef directory and run ./install
  4. Add your instance’s public IP to config.yaml under “Host Name / Domain Name”


What happens when you open an email and allow it to display embedded images and pixels? You may expect the sender to learn that you’ve read the email, and which device you used to read it. But in a new paper we find that privacy risks of email tracking extend far beyond senders knowing when emails are viewed. Opening an email can trigger requests to tens of third parties, and many of these requests contain your email address. …

kali null
