Hijacking NTLM-powered Mobile Apps (Part 2 - Relaying with Metasploit)

Working on hacking a mobile app that uses NTLM to authenticate to a back-end web service? Make sure to check out Part 1 first. In this blog, we’ll assume we could not crack the password and instead need to relay the Challenge/Response to interact with the API.

Hijacking NTLM-powered Mobile Apps (Part 1 - Cracking with Responder)

Doing a black-box test of a mobile app that uses NTLM authentication to speak to the web service? You may find your typical tools won’t work. Read on for information on intercepting, inspecting, and modifying the API calls. You might even get lucky and crack a clear-text master password.

Out-of-Band XXE in Plex Media Server

The XML parsing engine for Plex Media Server’s SSDP/UPNP functionality was vulnerable to an XML External Entity Processing (XXE) attack. This would have allowed attackers to access arbitrary files and capture NetNTLM challenge/response.

How to Lose Your Bitcoins: Part 2 (Cracking Bitcoin Core wallet.dat Files)

This is part two in a series of blogs on cryptocurrencies and security. The goal is to show how passwords can be recovered for encrypted Bitcoin Core (or Satoshi Client) wallets.

How to Lose Your Bitcoins: Part 1 (Cracking Encrypted USB Drives)

This is part one in a series of blogs on cryptocurrencies and security. The goal is to show how your private keys could be extracted from an encrypted USB stick, like a Tails OS persistent volume.

Penetration Testing Flash Apps (aka “How to Cheat at Blackjack”)

In this post, we will walk through detailed steps to intercept, review, modify, and replay Flash-based web apps. For demonstration purposes, I’ve selected a blackjack-style card game.

Hacking a Pizza Order with Burp Suite

A real-life example of bypassing UI restrictions in a web application.

How to Spy on Your Android Phone

Beginner's guide to intercepting HTTP traffic on Android.

Scraping Song Lyrics for Password Attacks

Generate targeted password wordlists based on song lyrics for specific artists.