
Showing posts with the label IT

Pitfalls to look out for when looking for SOC-as-a-Service companies

Introduction      I found that with the 1001 options for "SOC as a Service" companies and "contract incident response", many client companies still don't understand why they would use them outside of a compliance check. Some companies seem to have them on retainer but refuse them any ability to act, only to notify, and the notification may or may not ever be dealt with. It's really weird when companies want to secure their data and do secure business using that data, but not actually do the work around securing their data. I think it's the age-old adage in IT that "passing the buck" is the default, and only with training and awareness do people want to take responsibility for their own security.  Then on the other side, these SOC-as-a-Service companies themselves don't always provide training, understanding, or really anything more than a templated write-up of the incident back to the company. That write-up may contain details and even actions around what needs to ha...

YARA hunting phishing samples

     So, I made a YARA rule a while back based on some suspicious phishing nonsense I found in some open (unauthenticated, with file directory listing enabled) cloud storage buckets. Only recently did I decide to see if I could do some public hunting with it. One option was Hybrid Analysis. After just a few days, I already have 9 detections.       The YARA rule is hosted on my GitHub ( https://raw.githubusercontent.com/ferasdour/SpecialYaraRules/refs/heads/main/Bucket%20Phishing%20Kits.yar ), but basically it looks like this (annotations added for this post):

rule phishingKits3 {
    meta:
        description = "PhishingKits3: This was found in multiple phishing kits hosted on open/unauthenticated S3 buckets."
        author = "ferasdour"
    strings:
        $s1 = "https://ajax.googleapis.com/ajax/libs/jquery/" ascii // adds jquery
        $s2 = "https://code.jquery...

Wireless beacon monitoring (for fun and profit)

Wifi Beacons      This was an adventure.      Some back story first: when any Wi-Fi device you have wants to connect to a network, even when the access point it's trying to reach isn't there, the default tends to be to probe for it (strictly speaking these frames are probe requests; beacons are what access points broadcast, but the idea is the same). That's basically a small little radio in your phone, car, watch, light bulb, whatever, saying publicly "YO! IS MY WIFI OUT THERE? WHAT ABOUT THIS OTHER ONE!!?!? NOT THAT ONE EITHER, OKAY NEVER MIND!". When doing wireless network pentesting, it's pretty common to use tools like Kismet or airodump-ng and include these frames, in part to flag what relates to the network you're targeting / have permission to access, and in part to see whether in-scope devices are trying to connect so you can redirect their traffic to a fake network as part of the test. But I came up with an idea a while back due to having a scan going at my house and I kept seeing these "ROPD-CAR4" (fake, but something like th...
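To make the "who is asking for what" part concrete, here is an added example (not the author's code, and not what Kismet or airodump-ng do internally) that parses raw 802.11 probe request frames and tallies which client MAC asked for which SSIDs. It assumes the frames have already had any radiotap header stripped (the radiotap header carries its own length in bytes 2-3, little-endian, so that is a one-line slice); the MACs and SSIDs below are constructed sample data, not a real capture.

```python
"""Parse 802.11 probe request frames and tally which client probes for which SSIDs.

Added example for this post, not the author's code. Input is raw 802.11 frames
without a radiotap header; the frames in SAMPLE_FRAMES are constructed inline
for demonstration (made-up MACs and SSIDs).
"""
import struct
from collections import defaultdict

PROBE_REQ_FC = 0x40  # frame control byte 0: type 0 (management), subtype 4 (probe request)
SSID_IE = 0          # information element ID for the SSID element
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    """Render a 6-byte address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac: bytes, ssid: str, seq: int = 0) -> bytes:
    """Construct a minimal probe request frame (only used to make the sample data)."""
    fc = struct.pack("<H", PROBE_REQ_FC)            # frame control, little-endian on the wire
    duration = b"\x00\x00"
    # 24-byte management header: FC, duration, DA, SA, BSSID, sequence control
    header = fc + duration + BROADCAST + src_mac + BROADCAST + struct.pack("<H", seq << 4)
    ssid_bytes = ssid.encode()
    ssid_ie = bytes([SSID_IE, len(ssid_bytes)]) + ssid_bytes
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1/2/5.5/11 Mbps
    return header + ssid_ie + rates_ie


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, or None for anything else.

    An empty SSID is a wildcard probe ("anyone out there?") and is returned as "".
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0x00 or (fc0 >> 4) != 0x04:  # type must be management, subtype 4
        return None
    src = mac_str(frame[10:16])  # address 2 is the transmitter (the probing client)
    body = frame[24:]
    i = 0
    while i + 2 <= len(body):  # walk the tagged parameters: id, length, value
        ie_id, ie_len = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + ie_len]
        if len(value) < ie_len:
            return None  # truncated element, don't trust the frame
        if ie_id == SSID_IE:
            return src, value.decode("utf-8", errors="replace")
        i += 2 + ie_len
    return src, ""  # no SSID element at all: treat as wildcard


def tally_probes(frames):
    """Map each probing client to the set of named SSIDs it asked for.

    Wildcard probes are counted separately per client, so a chatty but
    anonymous device is still visible without polluting the SSID sets.
    """
    by_client = defaultdict(set)
    wildcard = defaultdict(int)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        if ssid:
            by_client[src].add(ssid)
        else:
            wildcard[src] += 1
    return dict(by_client), dict(wildcard)


# Constructed sample capture: client A probes two named networks (one of them
# twice, as a retransmission would), client B only sends wildcard probes, and a
# beacon frame (FC 0x80) is mixed in to show non-probe frames are ignored.
CLIENT_A = bytes.fromhex("aabbcc000001")
CLIENT_B = bytes.fromhex("aabbcc000002")
SAMPLE_FRAMES = [
    build_probe_request(CLIENT_A, "CoffeeShopWifi", seq=1),
    build_probe_request(CLIENT_A, "HomeNet", seq=2),
    build_probe_request(CLIENT_A, "HomeNet", seq=2),
    build_probe_request(CLIENT_B, "", seq=7),
    build_probe_request(CLIENT_B, "", seq=8),
    b"\x80\x00" + b"\x00" * 22,  # beacon-style header, not a probe request
]

if __name__ == "__main__":
    named, wild = tally_probes(SAMPLE_FRAMES)
    for mac, ssids in sorted(named.items()):
        print(f"{mac} probed for: {', '.join(sorted(ssids))}")
    for mac, count in sorted(wild.items()):
        print(f"{mac} sent {count} wildcard probe(s)")
```

Two caveats a practitioner will hit immediately: recent phones and laptops randomize their MAC per network (and often per probe burst) and increasingly send only wildcard probes, so the named-SSID table above fills up mostly with older or embedded devices, and a single device can show up as several MACs; and the SSIDs are just whatever the client asked for, so anything it probes is a candidate for an evil-twin test only if that network is actually in scope.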

ISP Routing Hell

Weird Routes?  History:      So I wasn't really sure how to start this post, but I guess some back story. Many in the IT world know consumer ISPs (internet service providers) like ATT, Comcast, and Charter (now Spectrum) all have a weird history of "you can't prove there's a problem because we don't escalate it properly, now you're stuck with this while we replace your router 200 times because it can't be on us" sort of problems. I switched to Spectrum because in my area it's the only non-ATT fiber line, and ATT couldn't tell me why my router had an SSH server listening on it. They couldn't say whether it was compromised or could be compromised; they couldn't tell me anything, they just replaced it. Then replaced it again. Then again. After 2 years of that, I'd just had enough. Later that year, after I'd left ATT: https://en.wikipedia.org/wiki/Salt_Typhoon . But sadly, despite my contempt for ATT by this point, this post isn't about them. More ...

JavaScript silliness

Creating a test page:      So, after taking some offensive JavaScript lessons, the bright idea came to mind that I should see what else I could make with it. I'd been playing with some ideas about DNS rebinding and using subdomains that resolve to internal IPs as pivot points to reach private addresses, and I'd found a way to go through all the subdomains one at a time and try to resolve them. So I combined that with other pre-existing knowledge. I have heard many times of people making JavaScript use WebSockets to then scan the network, so I thought, pft, do you even need WebSockets for this?     Well, there are some problems. First of which, it seems the method of doing this waits until completion to move along. That will bog down most browsers. I was also trying to go off of an extremely large list of subdomains and literally all ports. So the browser tab had to wait on (lots of IPs) on (65550) ports. Terrible design, terrible idea, aaaaaand then came the weird part.  ...

PyScript, Nim, aaaaand Go

     Just wanted to drop some stuff about what I've been playing with lately. Please be aware, tools and links described here might be (or be able to be) used maliciously; don't click or run things without understanding them. Much of the code referenced here can be found on GitHub. PyScript      To start with, I found the latest version of PyScript and couldn't really think of anything to do with it outside of visualizations for a web interface, or making integrations with Jupyter widgets a little different without learning JavaScript. So I went a different route. In case anyone isn't aware, PyScript is intended to go alongside Pyodide or MicroPython (web versions of Python) to leverage Python programming inside a web page (loading these as JavaScript modules with fun little interface features). There is a wide range of examples (https://pyscript.com/@examples) and even an online IDE (coding environment) to play with.     That's where I came in, af...