Skip to content

Edward Snowden And Daniel Ellsberg Rock The House At Hacker Convention!

We have a civil duty to teach people in our society how to interact with technology, safely.

  1. The next stage is to hide not just the communication, but to hide the metadata.

  2. Metadata is the same information that a private detective collects, who met whom, at what time and where.

 This correlates precisely with the EU’s goal of “Privacy Enhancing Technology”.


Basic questions to ask:

1. Do you log my IP?

2. Do you keep server logs and for how long?

3. What type of encryption is used?  Look for Perfect Forward Secrecy.


What next?

1. Learn to use Encryption

2. Learn to use Privacy tools

3. Learn to use OpenVPN

Use VPN providers such as – who delete their logs every 10 minutes

4. Avoid search engines like Google.

Use EU proxies like that hide your IP from Google, keep no server logs on your queries and have Perfect Forward Secrecy to secure your communications.  Startpage do not store your IP or your queries.


They are audited by the EU – and have won 2 EU privacy awards (called the EU Europrise Award).  They’re covering your back.   Go for it!

PXE BOOTING – How Network Booting works in Linux

Pixie or PXE booting is booting systems without a hard-drive, using RAM and a Network card.  So how do we do this?  Home routers won’t work, as you need a second DHCP function which does not conflict with existing DHCP servers.

Step 1 – PXE Capable Router & Client is needed

A home router won’t be able to PXE boot, as it needs to be able to operate 2 DHCP servers, a standard and an extended DHCP server – with extra pixie options.

Step 2 – Client sends the DHCP DISCOVER to Port 67

The client sends a DHCP DISCOVER packet extended with PXE options is sent to UDP port 4011 or UDP port 67.

pxe 1

Step 3 – Contact the “next server” by IP address

The client connects to the server that gave it the DHCP lease…. OR

If the “next-server” parameter is set, it will download from the IP set as the “next server” – ensure an IP not a hostname is used.

pxe 2

Step 4 – DHCP OFFER from server

The extended DHCP Offer replies to the client on UDP port 68.

DHCP is set up in the /etc/dhcp.conf

/etc/dhcp.conf can be configured to hand out pixie boot IP’s for a single IP, MAC or an entire subnet.

We need to look closely at 2 pixe specific sections…. SUBNET block and HOST block.

dhcp conf

The Host block has 2 pixie specific parameters, “filename” and “next-server”

The “next-server” must be an IP address.  If the “next-server” is omitted then it should default to the IP of the DHCP server, however there is a hiccup.  Some motherboards will send packets to if the “next-server” IP is missing.


This host block is for a single hardware MAC 00:0c:6E:64:D8:B4


We can set the IP to boot on an entire subnet.

The “filename” sets the file to be downloaded ie “pxelinux.o” in the above example.

Step 5 – Network Bootstrap attempts to Download file using TFTP

The PXE client attempts to download the specified file in Step 2 using TFTP.

pxe boot

It then executes this file.



PXE Stack before booting and after booting


pxe stack


PXE Booting


Preboot Execution Environment(PXE) Specification




KALI Linux – How to find the HASHING algorithm – The Visual Guide

The default hashing algorithm for /etc/shadow files is SHA512 in Kali Linux.  Here’s the coding which relates “SHA512″ to $6$.kali hash $6 code

Step 1 – View your /etc/shadow file

cat /etc/shadow

hash id shadow fileIs there a $6 ?  Thought so, as SHA256 is default for Kali.


Step 2 – Codes for other Hashing Algorithms

You can hash the passwords in several algorithms.  These are revealed in the  /etc/shadow file – for instance here we consider a $1 – which indicates MD5 hashing has been used.

$1   $Etg2ExUZ$F9NTP7omafhKIlqaBMqng1

md5 The different hashes revealed in the /etc/shadow file include:

$0 = DES

$1 = MD5 Hashing

$2 = Blowfish

$2A = eksblowfish

$5 = SHA256

$6 = SHA512


Field 2 format =  3 components

$Hashing Algorithm $ SALT  $ Encoded password (includes the SALT).

eg: $1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1


  • The encoded password is using MD5 hashing algorithm (because the of $1$)
  • Salt value is Etg2ExUZ (the content between the second and third $ sign)
  • And the hash value of “PASSWORD + SALT”.


What is the SALT?

If there is no salt, a plain dictionary attack could identify the password from the hash. If a salt value is in use,  then 2 users with the same passwords will have different hashes.  A random salt is generated when the password is being set.. therefore 2 users with the same password will have totally different salts, and totally different encrypted passwords.


Order of the /etc/shadow file – Useful to know

/etc/shadow” contains the following.


As explained in shadow(5), each “:” separated entry of this file means the following.

  • Login name
  • Encrypted password (The initial “$1$” indicates use of the MD5 encryption. The “*” indicates no login.)
  • Date of the last password change, expressed as the number of days since Jan 1, 1970
  • Number of days the user will have to wait before she will be allowed to change her password again
  • Number of days after which the user will have to change her password
  • Number of days before a password is going to expire during which the user should be warned
  • Number of days after a password has expired during which the password should still be accepted
  • Date of expiration of the account, expressed as the number of days since Jan 1, 1970




Code for SHA512

Debian Linux – Authentication


How are passwords stored in Linux?

KALI – How to install Notepad++ – The Visual Guide

We all love Notepad++, luckily we can install this on Kali.

Step 1 – Install Wine

sudo apt-get install wine



Step 2 – Download Notepad++

notepad frog


Installercreate new folder > Notepad – save the download in this folder

notepad 3

 Step 3 – Use wine to open npp.6.6.7.Installer.exe

Open a terminal

cd notepad


wine npp.6.6.7.Installer.exe

notepad installer**If you’re on a 64 bit machine you’ll get an error about Multi Architecture instructions.

notepad installer 2Okay, so lets fix this, and make your machine able to cope with multiple architectures.

Step 4 – Make 64 bit machines “Multi Architecture”

In a root terminal type

dpkg  –add-architecture i386

apt-get update

apt-get install wine-bin:i386

Now, lets try step 3 again.

wine after multi archNow the wine installer runs

Okay > Next > I Agree

wine installer runs

Accept defaults in Setup

Next > Next >


Tick the box to create a shortcut on the desktop

Install > Finish > Run Notepad++

shortcutHere’s your shortcut..


Viola!  Easey Peasey


KALI – First things to do after installing Kali Debian Linux – The Visual Guide

Step 1 – Install Synaptic Package Manager

apt-get install synaptic

synapticSystem Tools > Administration > Synaptic


Step 2 – Install the AMAZING Lazy Kali Script

lazyLazy Kali is a mandatory step.  Install it – and you’ll understand my enthusiasm for this legendary script.

Use Lazy Kali to install hackpack.


Step 3 – Make 64 Bit into a multi architecture system.

Root Terminal

dpkg –add-architecture i386

apt-get update

apt-get install wine-bin:i386

This means you now have a multi architecture system and the Configure Wine option under System Tools.

This is really useful where your printer drivers are 32 bit and your Kali is 64 bit.


Step 4  – Set Vista in Wine

Applications > System Tools > Configure Wine

Application Tab

Select “XP” or “Vista”.

Click Apply

Step 5 – Run Office 2007

Places > Office 2007 CD > look for setup.exe

Right click Setup.exe > Open with Wine Windows Program Loader

Step 6 – Run Office 2007

Applications > Wine > Programs > Microsoft Office

All apps apart from Powerpoint will work.

Step 7 – Fix Powerpoint

Applications > System Tools > Configure wine

Libraries Tab

“New override for library”

Select “riched20.dll”, then click ADD

Click on the newly added “riched20.dll” file, click Edit and select “Native (Windows” option.

Step 8 – Launch Office 2007

Applications > Programs > Microsoft Office > Word


Step 9 – Install Nessus

32 or 64 bit version – check the package name).

dpkg -i Nessus-5.2.1-debian6_amd64.deb


nessus dpkg


/etc/init.d/nessusd start

nessus start

Step 10 – Install Notepad++


KALI – BASH SCRIPTING – How to write a FOR loop – The Visual Guide

The for loop starts with a list of items and works it’s way through them until it reaches the end.  A for loop does not test conditions.

Step 1 – Root Terminal and Nano editor

Start a root terminal, then enter the word nano – the nano editor will appear.

nano editornano open

We save a file using Ctrl+O.

 Step 2 – Write a for loop for 3 items


kali FOR

Step 3 – Make the script executable

chmod +x


kali fruit for loop running

Step 4 – Analysis of For Loop

The for loop is reading in a fixed list (apples, orange, pear).

It assigns a variable called fruit – and writes each item of the list into this variable

The first time fruit=apple, second time fruit=orange, third time fruit=pear.  The variable fruit is changing as it runs through our fixed list.

Do is the start of the loop.

Done shows the end of the loop.

After the loop is complete, it prints out “lets make a fruit salad”!.


Different ways of “feeding” the FOR LOOP with data

 fruit = “apple orange pear”

kali fruit variable 2


kali fruit salad for tea****

User Input to “FEED DATA” into our FOR LOOP


fruituserCode for User Input

echo -en “Please tell me your favourite fruit: “

read fruit

for fruit in $fruit

user input 2Make executeable

fruituser chmod rights User Input read in, and used in code

fruit user outputEnter multiple fruits – output on a new line for each item in list


multiple fruit


University of South Wales Reading list

PARKER, S.  2011.  Shell Scripting – Expert recipes for Linux, Bash, and More.  Indianapolis: John Wiley & Sons.

WOOHOO!! HALF A MILLION VIEWS!! Thank you so much

Who knew InfoSec was so popular?  Half a million views – thank you so much guys.

half a million view

I also graduate tomorrow – so it’s a significant milestone and a celebration for all the right reasons.

OMG, I have a Masters… that is unreal!


If any of you are considering studying Cyber Security or Information Security at the University of South Wales, then definitely go for it.

The teamwork on the course is spectacular.  The teams have been second to none for co-operation, hard work, cross training and motivation.  The people on the course, make it what it is.  We all have strengths, and we all play to them.

And to everyone on my course…  see you guys tomorrow :)

Batman capes at the ready :)


How do you spot USW Graduates… by the red Griffindor strips and harry potter capes.

Yeah, this was me today.  Okay.. I can hear you laughing you know….



Edward Snowden: rush to pass British surveillance law is extraordinary – video

The NSA whistleblower questions the need for emergency legislation in an exclusive Guardian interview, saying the move mirrors a hastily introduced US law in 2007, and asks whether it would ‘really be so costly’ to take time to debate the issue

Watch the full interview on Thursday 17 July 2014

NMAP – How to Automate NMAP scans on Windows 7 – The Visual Guide

Here we automate NMAP scans to only scan production servers IP’s rather than an entire network.

Step 1 – Use Notepad to create a list of IP’s to scan

Notepad+ was used, enter in the IP’s to scan.  Avoid the use of hostnames – use IP’s.

Create a directory called nmap. c:\nmap.

Create a file called scan_me.txt (use notepad or notepad+).  c:\nmap\scan_me.txt


Step 2 – Use Zenmap the Gui for NMAP

Enter the path to the scan_me.txt.

nmap -sP -iL c:\nmap\scan_me.txt

scanme zen guiRemember the -sP is the Ping Scan to generate an inventory of active stations on the network.  On the local subnet it uses ARP.  On remote subnet it uses ICMP echo and TCP ACK to port 80 (to double the chances of success).

Just remember that -sP is an inventory that uses 2 formats – ARP on the local subnet, and ICMP echo + TCP ACK to port 80 on remote subnets.


Step 3 – Scan Results

Note that only the IP’s within the scanme.txt file were scanned.   This is how you automate scanning.

scanme zen gui results*****

That’s it!!

You can now carry out targeted or focused NMAP scans.


In the results above, we hit a printer.  Often printers react badly to scan, so we may chose to exclude the IP.

nmap -sP -iL c:\nmap\scan_me.txt –exclude

scanme exclude

Notice how even where the scan_me.txt included the IP, the –exclude option takes precedence and the scan never runs the excluded IP.


Create a no_scan file.

scanme dont

nmap -sP -iL c:\nmap\scan_me.txt –excludefile c:\nmap\no_scan.txt

scanme excludefile resultsNotice that the excludefile reads the IP’s in the no_scan.txt and they take precedence over the scan_me.txt file.

–exclude = IP’s

–excludefile = IP’s in a text file – which is easier to automate.

nmap -sU -iL c:\nmap\scan_me.txt



Professor Messer Guide to NMAP

Download NMAP with Windows Installer (Zenmap)

Nmap Commands – Cyberciti

NMAP SCANNING Book – Written by the developer of NMAP **AMAZING STUFF

NMAP cookbook

Penetration Testing Methodology – The Visual Guide – German Federal Bureau of Information Security

ITIL rules in the UK, whereas the German Federal Bureau of Information Security is IMHO, the greatest and easiest system to put into action.  The Germans live and breathe data protection – these guys are the ones to follow.

Penetration Methodology – The Visual Guide

The Bureau have adopted some BSI guides…

pen method 1

Just draw circles around each box, so that the outline of the Penetration Test is scoped within 2 minutes.  Easy right, when we work in visual mode.

pen method 2

Just get a pen and put a circle around the level of aggressiveness and scope, and you’re half way there.  It’s literally that simple.  The devil may be in the detail, but with diagrams and visual guides it’s easy to get agreement.


Tools such as NMAP can be customised to be less aggressive than the default.  Whereas T4 is the default scan, prehaps a T1 or T2 scan might be more appropriate.

T0 = Paranoid.  A port scan every 5 minutes – this would be too slow, but a hacker may need this.

T1 = Sneaky and a port scan every 15 seconds.

T2 = Polite.  If you’re on production servers you may not want to add pressure to the network.


Focused – how to target specific production servers

NMAP offers 2 files – a file of IP’s to include and a file of those IP’s to exclude.


We can create a file that lists only one or two IP’s of say webservers, or a list of subnets.

Next we have an exclude file.  If an IP is in this exclude file, then NMAP won’t scan it.  There maybe production servers that must not be scanned, and we would add the IP to this file.



-sP = ICMP Echoes – lots of network traffic generated

-sO = Protocol Decode – looks odds and gives away the attacker in a heartbeat

-sR = RPC Grind, lots of packets, listed in App logs, Avoid this.

-sT  = Opens a session, the attackers IP is logged, lots of RST’s are generated.  SCAN OF LAST RESORT!!

The Mnemonic of noisy scans to avoid is PORT.  -sP, -sO, -sR and -sT (the scan of last resort).



-P0 = Disable Ping – for heavens sake, use -P0, -PD or -PN.  PLEASE!!!

-n = Turn off Reverse DNS.  Use the IP not the hostname.  If you must use hosts, enter then in the local LMHOSTS file.


So you can see how easily the visual penetration testing methodology converts into NMAP scans, and how it may switch off many default settings to protect the network.

Even more important, if you’re the attacker, you now why you should NOT be using the NMAP default settings.  Think of the logs as more a sonar in a submarine.  You can tell so much from the bounced signals.  In an -O scan we see sets of 6 pings.  So if anyone mentions seeing 6 pings in the logs, we know it’s an attack profile.

OS Recon -O

Step 1  – IPID = 6 probes = sequence generation.  The IPID monitors the sequence ID of the packet.  Often used with the Zombie Scan or Idle Scan -sI.  If you see 6 pings… look out for a Zombie Scan.  Of course, look for a UDP and ECN just in case it’s a -O scan underway.

Step 2 – ICMP = 2 probes

Step 3 – UDP = 1 probe = must be sent to a closed port to generate a RST.  Remember to think of this as SONAR, the reflected signal, from a closed port is more important, so the port MUST be closed to assist in the attack, in order to get a bounced signal and hence a footprint.

Step 4 – ECN (Congestion Notice) = 1 probe

Step 5 – TCP = 6 probes = malformed TCP packets.

NMAP will issue malformed TCP packets, including:

**** No Flags set

**** F, S, P, U Flags set

**** F, P, U Flags set


So suddenly the methodology has come to life.  The visual guides assist us in getting the settings right for the production environment.


Get every new post delivered to your Inbox.

Join 134 other followers