Archive for the ‘Uncategorized’ Category

CRESTCon Asia 2018 – Config Password Encryption Gone Wrong

July 21, 2018 Leave a comment

Below are my presentation slides from CRESTCon Asia 2018.

I presented the topic “Config Password Encryption Gone Wrong”.

I will be working on a proper writeup which contains more details. Please follow my blog to get updates.

Categories: Uncategorized

(CVE-2018-0296) Script to extract usernames from Cisco ASA devices

June 21, 2018 Leave a comment

I wrote a simple script to extract usernames from Cisco ASA devices if they are vulnerable to CVE-2018-0296.

You can check out this blog post for more technical details.

Screen Shot 2018-06-21 at 5.04.44 PM

This script would be useful instead of doing it manually.

However, there are easier ways to get usernames belonging to an organization.

The script is available at

Categories: Uncategorized

pathBrute – yet another dirbuster alternative

April 21, 2018 Leave a comment

pathBrute is yet another dirbuster alternative.

It’s written in Go so it’s blazing fast.

pathBrute contains/uses a number of self compiled wordlists for identifying “interesting” content and potentially vulnerable websites.
1) 13925 URI paths from Exploit-Database (increasing regularly)
2) URI paths from Metasploit Framework

pathBrute can also use wordlists from other sources if you prefer.

pathBrute can also be used for identifying if any type of CMS (Joomla, WordPress and Drupal) is running on the target websites and fingerprint the versions of the CMS using the –cms option.

Binaries for different platforms and architectures are available in the the below Github project’s release section.

pathBrute is also available as a docket container.

I hope this tool will come in handy to you as it is to me.

The tool can be downloaded from

Categories: Uncategorized

Enumerating Domains of Specific Organisations

December 21, 2017 Leave a comment

My friend Paul wrote a tweet about a useful tip on how to enumerate the domains of a specific organization using curl.

Do follow him at @PaulWebSec if you haven’t.

I decided to expand on his tip.  It might be sometimes hard to find out the full organization name but you do know the domain name that they use (or maybe I am just lazy)

Below is the script that I wrote.  You only need to provide the domain name that the organization is using.    Please see the below example.

$ python -h

Usage: [options]
  -h, –help  show this help message and exit
  -t THREADS  number of threads
  -n DOMAIN   domain name
  -r          resolve DNS name

Below is an example of the script running against

$ python -n -t 20 -r
[*] Found the below organization names
TechCrunch, Inc., TechCrunch

[*] Found the below domains
——– redacted for brevity ——–

[*] Results
—————————-  ——————————————-    ,    ,,,      ,     ,      ,

——– redacted for brevity ——–


The script can be downloaded from

Categories: Uncategorized

Punycode Phishing Domains Generator

November 9, 2017 Leave a comment

I wrote a simple script that can generate Pnnycode domain names that I can use during phishing tests.
The issue with Punycode is that an attacker can create a spoof website with a URL that looks exactly the same like the real website.  It relies on the way that many browsers interpret punycode.

Firefox and Safari seems to be vulnerable to punycode phishing attack currently.

There are around 80 similar looking domains being generated by the script.

$ python -d []
unï [available]
unì [available]
uní [available]
uniqlö.com [available]
uniqlò.com [available]
uniqló.com [available]
ü [available]
ù [available]
ú [available] []
unïqlö.com [available]
unïqlò.com [available]
unïqló.com [available]
ünï [available]
ùnï [available]
únï [available]
unï [available]
unìqlö.com [available]
unìqlò.com [available]
unìqló.com [available]
ünì [available]
ùnì [available]
únì [available]
unì [available]
uníqlö.com [available]
uníqlò.com [available]
uníqló.com [available]
üní [available]
ùní [available]
úní [available]
uní [available]
üniqlö.com [available]
ùniqlö.com [available]
úniqlö.com [available]
üniqlò.com [available]
ùniqlò.com [available]
úniqlò.com [available]
üniqló.com [available]
ùniqló.com [available]
úniqló.com [available]
ü [available]
ù [available]
ú [available]
ünïqlö.com [available]
ùnïqlö.com [available]
únïqlö.com [available]
ünïqlò.com [available]
ùnïqlò.com [available]
únïqlò.com [available]
ünïqló.com [available]
ùnïqló.com [available]
únïqló.com [available]
ünï [available]
ùnï [available]
únï [available]
ünìqlö.com [available]
ùnìqlö.com [available]
únìqlö.com [available]
ünìqlò.com [available]
ùnìqlò.com [available]
únìqlò.com [available]
ünìqló.com [available]
ùnìqló.com [available]
únìqló.com [available]
ünì [available]
ùnì [available]
únì [available]
üníqlö.com [available]
ùníqlö.com [available]
úníqlö.com [available]
üníqlò.com [available]
ùníqlò.com [available]
úníqlò.com [available]
üníqló.com [available]
ùníqló.com [available]
úníqló.com [available]
üní [available]
ùní [available]
úní [available]

The domain on the left column is how the domain will appear in the browser’s location bar.
The domain on the right column is the domain to use/register.
If the domain is already in use, the IP address will appear next to the domain in the output above.

I hope this can be useful to some of you during your phishing tests.

The link to the source code is available at

Below are some references to phishing with punycode.
Phishing with ‘punycode’ – when foreign letters spell English words

Categories: Uncategorized

Portia GitHub link

July 30, 2017 Leave a comment

Below is the updated GitHub link for Portia

Categories: Uncategorized

owaDump – Another tool to use during Phishing Campaigns

October 20, 2016 Leave a comment

There were a number of tools available in the Internet for attacking Exchange/Outlook Web Access.

Below are some of them that I have used before.
1) OWA-Toolkit (
2) Metasploit Outlook Web Access (OWA) Bruteforce Utility (
3) OWABF (,26944)
4) PEAS (
5) MailSniper (

During a phishing test, other than attempting to gain further access to the target’s network via HTA powershell, exploiting out-of-date browser plugins and etc, another interesting thing to look at are targets’ email accounts.

If we have captured more than 50 to 100 credentials via the phishing test, it might not be feasible to ransack the mailboxes one at a time manually.

I needed a simple tool (that I can write in a couple of hours) to search the mailboxes of users for PAN (VISA and MasterCard) numbers, passwords or even specific keywords.

As there were tons of resources on the Internet regarding Exchange Web Services (EWS) for C#, I decided to write the tool in C# instead of the usual Python/Ruby and use mono to run the executable on OSX and Linux. I have tested this on OSX and Win32.

Mono can be downloaded from

It should work on all versions of OWA.
Please let me know if you face any issues.

$ mono owaDump.exe -h
-u, –user       Required. Email Address
-p, –pass       Required. Password
-f, –file       Text File (Email|Password) Per Line
-k, –keyword    Text to Search
–pan            (Default: False) Find PAN numbers
-d               (Default: False) Debug Mode
-h, –help       (Default: False) Print This Help Menu

Below are some ways you can use the tool.
In the below example, keywords such as password, creds, credentials, ssn, credit card are used as search terms.

$ mono owaDump.exe -u -p Password#

[Subject]: RE [WARNING :  Test Mail]

If you check the current folder, you will see the below files.
Emails and attachments that we found to be matching the search terms were downloaded.

$ ls

If you would like to search for PAN numbers, you can use the –pan keyword.

$ mono owaDump.exe -u -p ‘Password’ –pan
[PAN] PAN Number found in keith_Inbox3.eml

If you have a list of email addresses and passwords which you captured from a phishing test or a dump from the Domain Controller, you can use the below.

Below is the format of the text file if you want to target multiple accounts.

$ cat creds.txt|password1|password2

$ mono owaDump.exe -f creds.txt
[Subject]: RE [WARNING :  Test Mail]

[Subject]: RE [WARNING :  Test Mail]

The source code is available for download at

If you needed a compiled version of the executable, it is available at

This is a pre-release.  Please send me your comments and suggestions.

Thank you for reading.