m8r0wn

A Web spider is an automated approach to identifying links and other resources hosted on a target website. In today’s world, this can be used in anything from data mining to mapping an attack surface during offensive security assessments. This post demonstrates how to create a Python web spider and add further customization to fit your own programming requirements.

Photo by Christopher Gower on Unsplash

Web Spider vs Web Scraper

Before diving in, let’s define the difference between a web spider and web scraper. These are two common terms easily confused online:

  • A Spider, also referred to as a crawler, is a bot-like program that systematically indexes pages on a site. This…


Okay, so Slack can’t actually perform port scans! However, it can act as a communication channel to relay tasks, such as port scanning, to a remote server.

This post demonstrates how to use Slack to automate repetitive, resource-intensive tasks during bug bounty hunting or any offensive security engagement. This comes with multiple benefits and ultimately frees up your primary host to continue testing until results are returned.

Photo by Stephen Phillips — Hostreviews.co.uk on Unsplash

Introduction

Port scanning is an essential step in the recon process; if left unchecked, it can lead to missed opportunities. …


Bash scripting is an easy concept that can allow bug bounty hunters to automate repetitive tasks and spend more time on advanced vulnerabilities, often resulting in higher payouts.

Tool chaining is just that: using Bash scripting to integrate multiple tools executed in a predefined pattern. This post discusses the use of tool chaining in bug bounty automation and introduces a new enumeration tool to add to your recon process!

Photo by Caspar Camille Rubin on Unsplash

Introduction

Automation is the latest trend in bug bounty hunting, with new frameworks being released every day. This ranges from full-fledged solutions with user interfaces and back-end databases to collections of custom-built…


Photo by Tumisu from Pixabay

LinkedIn is the world’s largest professional networking platform and is used every day for recruiting, marketing, and connecting. However, it’s because of this that LinkedIn is also a great source for information gathering during penetration testing.

Through a company’s profile, it’s possible to collect a list of current employees and their positions. This information can lead to spear phishing, password spraying, or other attacks against the organization. While there are various open-source tools to help collect and weaponize this information, I have always found one reason or another to perform this process manually. Until now…

Introducing CrossLinked

CrossLinked was created to simplify the…


Metadata is simply defined as data about data. In computer systems, it is used to correctly interpret files and store descriptive attributes. While not always visible, metadata provides far more information than content creators realize. Once a document and the metadata it contains are made public, it could unknowingly help an attacker infiltrate your organization.

Photo by Josue Valencia on Unsplash

As a penetration tester, I am often given a week to target a client’s public facing environment with the goal of breaching their internal network. This form of testing allows the client to evaluate the effectiveness of their defensive solutions, assess the security team’s response to simulated…


As a fan of The Big Bang Theory, and while practicing “social distance” due to COVID-19, I decided to try a write-up for emaragko’s TBBT: FunWithFlags machine on vulnhub.com. My goal was to gain root privileges on the box and identify all 7 flags using only open source tools, without the use of Metasploit.

Port Scanning

When first launching the virtual machine (VM) with VirtualBox, the DHCP address was provided on screen prior to login. Anyone who has used vulnhub before knows this is super helpful, as the first step is always finding where the system landed on the network. …


As more applications and resources move to the cloud, organizations are requiring multi-factor authentication (MFA) to better safeguard user accounts. This post outlines various methods used to bypass MFA in Microsoft 365 and Azure AD during offensive security engagements.

Photo by Gerd Altmann on Pixabay

Conditional Access Policies

The first method used to bypass MFA is through conditional access policies. Simply put, these are if-then statements that give an organization control over user access requirements. They can be used to enhance security by implementing policies such as:

  • Requiring MFA on all users with administrative roles.
  • Creating trusted zones for MFA self-enrollment.
  • Blocking potentially risky sign-in behaviors.

Another common use-case…



Whether you’re about to embark on the OSCP journey, already started the PWK course, or waiting those nervous days before the exam, you’ve come to the right place. This post outlines my experience passing the OSCP and aims to provide some tips that helped me along the way!

Background

I have been a full-time penetration tester for several years now, performing a variety of assessments against customer environments. I knew going into the OSCP that web applications were not my strong suit (in comparison). Therefore, I decided to take the first few months of 2020 and complete eLearnSecurity’s eWPT certification. …


Photo by vishnu vijayan on Pixabay

During an offensive security engagement, it may not be a major vulnerability that leads to your end goal, but a combination of lower-severity findings compounded to make a larger impact. This post discusses information disclosure through NTLM authentication, one of those smaller vulnerabilities that can lead to greater attacks under the right circumstances. Additionally, we will demonstrate methods for invoking an NTLM challenge response, even when no login page is present, to coerce this information.

Overview

NTLM is a challenge/response authentication protocol utilized by Windows systems in which the user’s actual password is never sent over the wire. Instead…

m8r0wn

Sr. Penetration tester, Opensource Developer, Bug Bounty Hunter — m8r0wn.com
