Hacker Under Dev

Posts

December 31, 2018

2018 in review

This year seemed to fly by, but looking back a lot has happened. This is a summary of what I did in 2018.

Tackling the OSCP

If there’s one thing I’m going to struggle with recording on the internet… it’s that I’ve struggled with the OSCP exam three times. With each attempt I have gotten better and better, but I still need to try harder. Looking back, there’s more I need to do in the PWK course.
December 16, 2018

My experience with RuCTFe 2018

This year was my fourth attempt at the RuCTFe competition. I was leading the #misec team this year along with some smart and talented people. For those who are unaware, the RuCTFe is a Russian capture the flag event, held online and open to everyone around the world. This year’s event was in November and it was my first time leading the team. The CTF is an active “red vs blue” game, where each team is given a server of vulnerable applications.
May 13, 2018

Round 3 at Converge

Converge 2018 and BSides Detroit was May 10-12. 3 days of infosec talks, workshops and challenges. I volunteered this year and had an amazing time (as I usually do at conferences). In case you missed out on the fun or are looking to catch up, check out Irongeek’s website for the recorded talks. Converge is a smaller conference if you’re used to hearing about conferences like Shmoocon, DerbyCon, and Defcon. However, we still manage to fill three days with awesome content.
March 31, 2018

How to quickly get into infosec

A lot of people ask “How do I get into infosec?” but that is a tough question to answer. There is not one path to follow and there is not one destination either. However, if you ask anyone who’s already in the position you’re searching for, a common theme arises: years of experience or thousands of dollars for training. Until you’re able to join a company to pay for that training.
December 31, 2017

2017 in review

Like years before, I want to share a summary of what I have accomplished. While there have been months where I feel like I focused on everything except security, my notes for 2017 turned out to be pretty extensive. One of the first things I did this year was go to Shmoocon. I was not able to get a ticket, but that did not stop me from getting on a plane and tagging along with Infosystir (Amanda)!
November 15, 2017

Online Brute Forcing 101

A good friend once mentioned how cool it’d be to practice brute forcing for a website login. I created a simple web page with a login form. Incorrect logins display a red error message while successful logins show the rest of the web page. There’s no database or complex code behind the webpage. It simply hashes the user input and compares it to a stored value. Before we continue, I must make it blatantly obvious that hacking any online service without consent could land you in a lot of trouble.
October 29, 2017

Volunteering at GrrCON 2017

GrrCON 2017, the seventh year and my third time attending. I volunteered again this year because it is a lot more involved than being a regular attendee. I’ve been to other conferences where volunteering burns you out. GrrCON is the only con where I could be in the middle of one job and ask “What more can I do to help?”.

The 2017 Difference

GrrCON hasn’t changed much since I have started coming to it.
September 13, 2017

Installing Kali and Metasploitable on VirtualBox

Have you ever wanted to be a 1337 hacker like you see in the movies? Metasploit automates some of the harder tasks related to penetration testing. This blog post is a quick setup to install two virtual machines that will allow you to explore how to use Metasploit.

Step 1: Get files needed to create the VMs

  • Download VirtualBox
  • Download Kali for VirtualBox
  • Clone Metasploitable2

Step 2: Setup Kali

Open VirtualBox, click File > Import Appliance.
September 2, 2017

PHP Regex tutorial

Have you ever wondered how web applications do validation on forms? How does the app know when your input is really an email address? In most PHP applications, this is done using regular expressions (Regex). I’ve previously posted about how to defend against XSS and SQL injection. Checking strings with a white list of allowed characters is one of the easiest changes a developer can make. Regex makes this easy in most programming languages.
August 27, 2017

Do not waste your time with HPKP

This is my last post related to HTTP Public Key Pinning (HPKP). This is a post in response to Scott Helme’s latest post about him giving up on HPKP and how my blog is a perfect example of his concerns. In the past I’ve written three articles about the HPKP header:

  • Testing HPKP headers
  • Adding HPKP headers
  • HPKP.. Public Key Pinning?

The point of each of these articles is pretty well summed up in their titles.