Below you will find pages that utilize the taxonomy term “Tools”
April 1, 2023
Customizing a hackbook pro
To develop in cybersecurity, it is vastly important to keep a growth mindset. Always be learning. In order to allow that, it helps to have the right tools available. One important tool is a dedicated computer for hacking activities such as participating in training labs, testing tools, or learning new methodologies. I reset a MacBook Pro, keeping the intended macOS, and installed VMware Fusion for running virtual machines (VMs), including Kali Linux.
March 30, 2023
Wazuh - An open-source security platform
A friend and mentor in the field introduced me to Wazuh, an open-source, free-to-use tool for security. He was looking at the tool to understand some of its inner functionality for his own projects, but when I was reviewing it with him I was impressed by its feature set.
First off, being open source means that Wazuh has source code published online that anyone can use, review, or extend.
February 19, 2023
Intro to Cloudflare Zero Trust
Cloudflare offers some amazing, and free, products to secure personal-use, self-hosted applications and devices. Last week, I set up a server at home running Docker containers. By using Cloudflare I can securely make those Docker containers internet accessible. Previously, in order to do that, I’d have to open a port through my home router and accept any traffic from the internet on that port. This is visible and allows a home IP to appear in use to anyone who scans it.
February 18, 2023
Are Password Managers Safe to Use?
Note from hackerunder.dev:
This post was copied from https://www.passwordmanager.com/are-password-managers-safe-to-use/ with permission to display on this site.
Managing all of your passwords for different accounts can be surprisingly complicated. You need to be able to create, store, and access strong passwords for all of your accounts on every device you use.
Furthermore, each password needs to be unique, making it nearly impossible to remember every one of them on your own.
February 15, 2023
Building a docker server
This blog post is a record of what I did to spin up a home server that uses Docker for various side projects and fun. One of the pain points of having projects that involve computer applications, websites, or code is that they need to be hosted somewhere to run. Our personal computers are not usually online for projects that could be running all the time. Creating physical servers or paying for cloud hosting can get expensive fast for passion projects or proofs of concept.
February 26, 2020
What is Updog?
Friends among my various hacker spaces have shared links to a new tool called Updog, created by Sc0tfree: a Python 3 implementation of an HTTP server that is intended to replace Python 2’s SimpleHTTPServer module. I had to test it out myself and these are my opinions. In many hacker training courses, it is vital to be able to host your tools on a web server to download them onto target machines. One example would be to download a network scanning tool once you’ve gained a shell on the first machine of a target network.
April 13, 2019
CMU SEI releases tools to build realistic labs
In order to learn something, you need to practice it. When it comes to becoming a hacker, that is done by attacking machines in a lab. There are many ways of doing this, such as building your own, spinning up an OWASP or Metasploitable virtual machine, or using a service like Hack The Box. There’s one common flaw with these labs though: they’re not realistic. Building realistic labs that look like live environments is a hard task to accomplish.
March 16, 2019
Replacing a forgotten WordPress password
What is the best part of creating a new blog? You create everything, move content, and then get back to the daily grind. Come back to write the next post and, wait, what did I set as the WordPress password? Looks like we’re going to have to overwrite the hash in the database.
```
mysql> SELECT ID, user_login, user_pass FROM wp_users;
+----+------------+------------------------------------+
| ID | user_login | user_pass                          |
+----+------------+------------------------------------+
|  1 | admin      | $P$BThiRip7s2lXh/PBVW7yFnKbQWvDtc0 |
+----+------------+------------------------------------+
```
Here’s the problem though: we need to know how WordPress hashes passwords in version 5.
March 11, 2019
The power of scripting
On March 9th, I was a part of an awesome class hosted by @Ashioni that went over the Bandit challenges from OverTheWire.org. While I attempted the Bandit challenges a few years ago, there are new additions and it’s always good to review how to answer these puzzles. There is never a single solution! In this article, I want to show a few ways we attempted the last challenge of the day.
September 13, 2017
Installing Kali and Metasploitable on VirtualBox
Have you ever wanted to be a 1337 hacker like you see in the movies? Metasploit automates some of the harder tasks related to penetration testing. This blog post is a quick setup to install two virtual machines that will allow you to explore how to use Metasploit.
Step 1: Get files needed to create the VMs
- Download VirtualBox
- Download Kali for VirtualBox
- Clone Metasploitable2
Step 2: Set up Kali
- Open VirtualBox, click File > Import Appliance.
September 2, 2017
PHP Regex tutorial
Have you ever wondered how web applications do validation on forms? How does the app know when your input is really an email address? In most PHP applications, this is done using regular expressions (Regex).
I’ve previously posted about how to defend against XSS and SQL injection. Checking strings with a white list of allowed characters is one of the easiest changes a developer can make. Regex makes this easy in most programming languages.
August 22, 2017
TV B GONE
Ever sit at a bar with friends and try to have a conversation, but the TVs behind the bar were too loud? If only there was a quick, convenient way to turn them all off at once. This is where the TV B GONE remote comes in: a simple kit that sends over 100 “power off” signals to TVs within a 150 foot range at the push of a button.
April 4, 2017
My experience setting up an Algo VPN
First off, I don’t know if you’ve been avoiding the political storm as much as I have but there’s one thing that’s been so retweeted, shared, and updated that I couldn’t avoid it. The discussion about the privacy of our internet content.
The Problem
ISPs are able to sell your data. While it is possible that similar data is already being collected and used by social media, applications, and other providers… It’s brought up an interesting conversation about how to secure ourselves while browsing the internet.
December 21, 2015
Monitoring Honeypot Output
Last week I posted in Hacking about installing a Honeypot to record SSH traffic. Since it was installed, I’ve been working on easy monitoring of the output. Michel Oosterhof, the creator of Cowrie, has done a lot of development work to create some awesome logging output from the honeypot. There are a lot of different options and you can even store output in a MySQL database. I found instructions for that on a WordPress blog.
December 18, 2015
Cowrie Honeypot Installation
Who likes honey? I know I do. Unfortunately Cowrie isn’t the kind of honeypot you might imagine. Instead of thinking source of deliciousness, think something you will get your hand stuck in. In security terms, a Honeypot is a system that is set up to record everything that’s going on. In those terms, Cowrie is an SSH monitor that tracks everything that happens over an SSH connection.
This is a project that I started with @Taco_Pirate.
December 7, 2015
Exploiting BWA (Broken Web App)
Two posts ago, I wrote a quick post about installing OWASP’s Broken Web App. This post will be about exploiting the BWA, and by that I mean I’m sharing my experience following existing proofs of concept and walkthroughs, for example reported vulnerabilities from SourceForge and video walkthroughs on irongeek.com. This post assumes you have the OWASP BWA virtual machine up and running and that your target VM’s IP address is mapped to owaspbwa.
December 4, 2015
Python Anywhere
I wanted to do a quick write-up of the last project I did for class. It was a scoreboard app written in Python that used Flask. For extra credit we could host it on Python Anywhere. The app also uses SQLite for the database. All of the development work was done using PyCharm.
One of my Media and Information classes has a lot of programming-based projects. We used two main languages and IDEs to get them done: the final for the class and the early projects were done using C# and Unity, while the end of the class utilized Python and PyCharm from JetBrains.
November 25, 2015
Installing BWA (Broken Web App)
OWASP Broken Web App (BWA) is a safe place to practice some fun stuff and is basically a collection of applications to test everything security related. OWASP has a few projects like Web Goat, Security Shepherd, and more. Broken Web Apps is a collection of these guides and some outdated apps to test your developing skills.
Install All The Things!
In order to set things up, it’s important to have everything you need installed.
October 21, 2015
Spartan Hackers Website
Hello again, I am going to share my love-hate relationship with my latest web design project: spartanhackers.com. Some background information: Spartan Hackers is a group at Michigan State University that holds weekly events to introduce students to various technical skills that they can use at hackathons like Spartahack.
The Beginning
Spartan Hackers started up just last year, and only had a few members to run everything. The president at the time wrote a nice website for the club that was using only static content and the grayscale bootstrap theme.
September 19, 2015
SSH into Kali
I’ve had a couple of posts about Kali on here already. But I still haven’t had a chance to fully get into it myself. I know, it’s tragic, right? Well, for those who know less than I do about it, Kali is a Linux distro from Offensive Security that comes packed with tools and programs that make hacking easy. However, carrying around a computer for work, one for class, one with Windows, and a tablet or two isn’t really an option, unless your bag is designed for 80lbs.
August 13, 2015
Making a website using Jhipster
Who likes Angular? A JS library that is all about loading a page once and getting a dynamic website. Who likes Node JS? A server written in JavaScript. Who likes scripts that write code for you? Hello Yeoman!
The first time I used Jhipster was for an innovation project that maps out the office seating. This is a great internal tool since we have an entire floor of developers and finding the third “John Smith” is kind of annoying.
July 29, 2015
Found a group, sticking with it.
GrrCon 2015 is in October, it’ll be a great conference with a lot of talks. It’s the first con I’ll be able to attend. The tickets are a little expensive and I was unsure about going since this would be my first conference… Not to mention I’m still trying to get through college and I’m tight on money. So of course, I’m volunteering! I’ll be working my butt off to get you the best Con possible while making all the connections I can.
July 29, 2015
COGSS Website: Automated Scoring for Collegiate Gymnastics
I’ve mentioned in previous posts that my girlfriend is on a gymnastics team. I did their club website for them a while ago. I went to a meet they hosted their year and helped out as much as possible. They were using a Microsoft Excel sheet to do all of their scoring for each event. While watching the guy use Excel, I got a headache just trying to follow the complex steps that were set up for it… so I had the bright idea to set up a website that simplifies the process and allows anyone to use it for their meets as well.
June 11, 2015
EMU Gymnastics Club Website
One of my first “professional” website creations. Making the club’s website gave me a solid 4.0 in a college web design class where I reviewed the basics of CSS, Javascript, and HTML5. Fun stuff really.
What I learned by doing this project is how important initial design and communication are. Working with a client (in this case, the “client” is my girlfriend a.k.a. club President) means that you can’t just look at the website and think “Good enough, ship it”.
May 16, 2015
Automatic Sharing on Facebook and Twitter
How many people do you see every day that are staring infinity into their smartphones? How much would you bet that they are on Facebook or Twitter right now? There are also a lot of people on the internet who write interesting blog posts to people about a lot of cool things… and I am one of those people. There is a WordPress plugin that allows me to share newly published posts with friends and followers automatically.
May 15, 2015
Developing KORA 3.0
This is a big project I’ve worked on from the beginning when working at Matrix: Center for Digital Humanities & Social Sciences. It takes an old platform and revamps it into a modern application. KORA 1.0 was built over the last two decades by non-software developers; I never saw the code personally but I heard horror stories of unorganized pages of code that were thousands of lines long.
KORA 2.0 reorganized the code into an Object-Oriented-Programming (OOP) format; Matrix’s system admin (now retired) and students introduced classes and actually made the code readable to developers.
February 19, 2015
Step 4: Get into the toy chest
If you’ve never played with BASH/terminal or you don’t know what Linux is, I suggest you read into that first before you get much further into hacking. Most of Kali’s toys are based off of the terminal, so in order to run them, you will be typing commands like “nmap -A your-ip-address”. This link is Offensive Security’s website where they have some awesome documentation about what’s available on Kali.
February 13, 2015
Step 3: Set Up Your Hacking Environment
Everyone wants to break into their neighbor’s wifi or steal someone’s password at Starbucks, but depending on national, state, and local law, even packet sniffing could be illegal. So how do we safely practice how to hack before we are ready to find Sony’s back door? We set up an environment for virtual machines on our local computer or server!
For those of you who don’t know what a Virtual Machine is, it’s a “computer” inside your computer.