Archive for January, 2016

January 31, 2016

Any experienced Pentester will tell you that the enumeration and reconnaissance phases of a Penetration Test are probably the most important parts of any Security Assessment. The problem many Pentesters face these days is the sheer volume of different tools available and deciding which one(s) to use.

Thankfully there is an answer for the Enumeration Phase. A great tool with a nice GUI has been developed and best of all it’s absolutely free and has been integrated into Kali Linux 2.0. Of course it can also be downloaded as a standalone on Github.

It’s called Sparta: 

An extremely powerful tool which goes beyond NMAP, SMTP, SNMP, NetBIOS, FTP etc. and also includes tools like dirbuster and other Web Assessment tools, all through a single user interface.



January 29, 2016

We have just completed a Social Engineering Assessment for one of our U.S. clients. The first one in 2016. The company (a strong well established medium sized business) did a lot of Penetration Testing audits over the years and also a Spear Phishing Test already but they have never undergone a Social Engineering audit.

So they engaged us, asking us to pay special attention to whether employees would give out usernames and passwords if social engineered. The results were shocking. Not because users fell for classic social engineering techniques (like claiming to be the IT Dept. or posing as a manager or trusted 3rd party). No, it was far worse. Employees were asked by email and in person to give out usernames and passwords in return for something. For the new hires and junior members a $50 Amazon gift voucher did the trick in 7 out of 10 cases.

The classic email phishing was very successful. Claiming to be a manager, people seem to have no problem sending their Active Directory login by email or even via LinkedIn message. Out of 500 phishing emails, more than 400 were successfully answered by employees with username/password pairs.

The best IT Security doesn’t protect anything if employees happily hand it out.

It’s shocking. If we, with the permission of the client, get such high results, imagine what a determined competitor or hacking group could do. Security policies are there for a reason. People wouldn’t put their car keys into an envelope and send them to an alleged address of a co-worker, so why do people still not understand that a username/password is as valuable as the keys to all office buildings?

A lot of training and education is still needed in this field…


January 28, 2016

Today we would like to introduce a website which offers a neat collection of very useful Penetration Testing Tools, from Web Shells and reverse shells to useful scripts and enumeration tools. We highly recommend that Penetration Testers and Ethical Hackers add them to their portfolio.


Cyber Threat Search Tool

Author: Martin Voelk
January 26, 2016

Often our clients ask us: where do we find threat information which is actually relevant to our organisation? Well, there is no direct answer to this because the threat and attack vectors are vast and complex in an ever growing digital landscape. There are, however, good starting points. Today we want to feature a nice online tool called threat crowd. Simply type in your own domain name / IP addresses etc. and watch what it comes back with. Those familiar with Maltego will spot some similarities. Especially around larger corporates or companies doing shared hosting, it reveals interesting things such as malware infections, and it also visually represents how certain websites are linked.



New OpenSSH vulnerability

Author: Martin Voelk
January 14, 2016

The new year starts as the old one ended – full of vulnerabilities. This particular one will likely affect tons of businesses. Make sure you check it out. A workaround exists.


OSINT Facebook Intelligence Tool

Author: Martin Voelk
January 14, 2016

Following up from our post the other day, today we want to introduce a little free Cyber Intelligence Tool around Facebook. The tool and the search combinations make it a very powerful asset for background investigations (pre-job screening) or ongoing investigations on a commercial and law enforcement basis alike. Despite Facebook’s privacy efforts a lot of information is publicly available about individuals even though you are not connected or friends with them.

How is this useful?

Use cases:

  • Would you employ individuals who are liking radical terrorist organisations?
  • Would you as a business like to know if some of your employees like certain terrorist organisations?
  • Would you like to know if an employee is attending certain events?
  • Of course Facebook information is also vital to marketers: for example, where are the people who like our products?

Check it out for yourself. Facebook has become an integral part of investigative work and whilst this tool only scratches the surface of possibilities, it should give individuals a feel for what commercial tools / law enforcement tools are capable of 😉


Free Secure Email Encryption

Author: Martin Voelk
January 13, 2016

We are in 2016 now and we are surprised how many businesses still send highly sensitive data over plain text email without any authentication or encryption whatsoever. We are not even talking about home users, we are talking about businesses of all sizes! We often get engaged by our clients to perform spear phishing campaigns and the results are shocking.

Consider the following example. Company ABC uses the domain and we know that a senior director’s email is From an attacker’s standpoint the most logical thing is to register or any other similar available domain. Once done, ordinary employees are told by a fake Jim Smith ( to click a link or supply information. 95% of employees will, because they feel threatened by authority.

Which employee will ever check the authenticity of such an email (let alone have the skills to do so)? On iPhones etc. only the display name, in this case Jim Smith, will show up as usual, not the actual address. Most companies use neither digital email signatures nor encryption, which is fatal, as our Pentests prove again and again.
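The check that the post says no employee does by eye can at least be automated at the mail gateway. The following is an added example, not code from the original post or from any product it mentions: it parses the From: header of a message, compares the sender domain against the corporate domain (edit distance catches the "register a similar domain" trick) and flags mail whose display name matches a senior person but arrives from outside. The corporate domain example.com, the protected name list and the sample messages are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict

# Constructed values for this example (not from the original post): the
# corporate domain and the display names most likely to be impersonated.
CORPORATE_DOMAIN = "example.com"
PROTECTED_NAMES = {"jim smith": "jim.smith@example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_name(name: str) -> str:
    """Collapse whitespace and case so 'Jim  Smith' and 'jim smith' match."""
    return re.sub(r"\s+", " ", name).strip().lower()


def assess_sender(raw_message: str) -> Dict[str, str]:
    """Classify the From: header of one RFC 822 message.

    Verdicts: 'internal' (our domain), 'lookalike-domain' (one or two
    character edits away from our domain), 'impersonated-name' (a protected
    display name sent from an unrelated domain) or 'external'.
    """
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name = normalise_name(display)
    result = {"display_name": display, "address": address, "domain": domain}

    if domain == CORPORATE_DOMAIN:
        result["verdict"] = "internal"
    elif 0 < levenshtein(domain, CORPORATE_DOMAIN) <= 2:
        # e.g. examp1e.com: a typo-squat of the real domain
        result["verdict"] = "lookalike-domain"
    elif name in PROTECTED_NAMES:
        # Display name of a senior person, but the mail did not come from us.
        result["verdict"] = "impersonated-name"
    else:
        result["verdict"] = "external"
    return result


# Constructed sample messages: one genuine, one from a lookalike domain,
# one abusing only the display name, and one ordinary external mail.
SAMPLE_MESSAGES = {
    "genuine": "From: Jim Smith <jim.smith@example.com>\nSubject: Budget\n\nPlease review.\n",
    "lookalike": "From: Jim Smith <jim.smith@examp1e.com>\nSubject: Urgent\n\nSend me your login.\n",
    "freemail": "From: Jim Smith <jimsmith1234@mail.invalid>\nSubject: Urgent\n\nCall me.\n",
    "vendor": "From: Support <support@vendor.invalid>\nSubject: Invoice\n\nAttached.\n",
}


def triage_all() -> Dict[str, str]:
    """Run the sender check over every sample and return label -> verdict."""
    return {label: assess_sender(raw)["verdict"] for label, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, verdict in triage_all().items():
        print(f"{label:10s} -> {verdict}")
```

A gateway rule built on this would quarantine or visibly tag the lookalike and impersonated-name cases rather than reject them outright, since a genuine director writing from a personal address would trip the same rule; the signed-email approach recommended below is what removes the ambiguity.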

So what can you do? Simple. Get all your employees a digital certificate. Comodo, for example, even offers them for free!

Why? If everyone uses certificates you can make sure the sender is the person the email claims to come from, and the message can be encrypted to stop any Man-in-the-Middle attack. It’s such an easy exercise, yet even big corporates fail to do it. Please take a few moments to think about this post and how an email certificate could make your organisation much more secure!


Vulnerability Scanning with NMAP

Author: Martin Voelk
January 12, 2016

Almost everyone in IT Security has either heard of or used the powerful port scanning tool NMAP. However, a lot of folks don’t seem to know that NMAP can be turned into a free, powerful Vulnerability Scanner like Nessus or OpenVAS.

Here is how to do that (from Kali or any other Linux distro, with the vulscan script installed in NMAP’s scripts directory):

nmap -sS -sV --script=vulscan/vulscan.nse target

To eliminate false positives:
nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 target
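Vulscan matches advertised version banners against its databases, so the raw output needs triage before it goes in a report. The following is an added example, not code from the original post or from the NMAP or vulscan projects: it reads the XML that nmap writes with -oX, keeps only open ports annotated by the vulscan script and turns each "[id] title" line into a record keyed by host, port and service. The XML below is a constructed sample in the shape of nmap’s output, with placeholder finding identifiers; the "Source:\n[id] title" line layout of the script output is an assumption about vulscan’s format.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the shape of `nmap -oX` output (not a real scan).
# Finding ids are placeholders; the products and versions are invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --script=vulscan/vulscan.nse -oX scan.xml target">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="ExampleSSH" version="1.2"/>
        <script id="vulscan" output="ExampleDB - https://db.invalid:&#10;[PLACEHOLDER-1] ExampleSSH 1.2 placeholder finding&#10;[PLACEHOLDER-2] ExampleSSH 1.x placeholder finding&#10;&#10;"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="ExampleHTTPd" version="3.0"/>
        <script id="vulscan" output="ExampleDB - https://db.invalid:&#10;No findings&#10;"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# One vulscan entry: "[identifier] free-text title"
ENTRY_RE = re.compile(r"^\[([^\]]+)\]\s+(.+)$")


def parse_vulscan(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per vulscan entry found on an open port."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no script output worth keeping
            service = port.find("service")
            svc = ""
            if service is not None:
                svc = " ".join(filter(None, [service.get("product"), service.get("version")]))
            source = None  # the database heading that precedes its entries
            for script in port.findall("script"):
                if script.get("id") != "vulscan":
                    continue
                for line in script.get("output", "").splitlines():
                    line = line.strip()
                    if not line:
                        continue
                    m = ENTRY_RE.match(line)
                    if m:
                        findings.append({
                            "host": addr,
                            "port": int(port.get("portid")),
                            "proto": port.get("protocol"),
                            "service": svc,
                            "source": source,
                            "id": m.group(1),
                            "title": m.group(2),
                        })
                    elif line.endswith(":"):
                        # "ExampleDB - https://db.invalid:" -> "ExampleDB"
                        source = line[:-1].split(" - ")[0]
    return findings


def summarise(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per host:port/proto, the view a triage sheet wants."""
    counts: Dict[str, int] = {}
    for f in findings:
        key = f"{f['host']}:{f['port']}/{f['proto']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = parse_vulscan(SAMPLE_NMAP_XML)
    for f in hits:
        print(f"{f['host']}:{f['port']} {f['service']} [{f['source']}] {f['id']} {f['title']}")
    print(summarise(hits))
```

Because every record still carries the banner it was derived from, a reviewer can see at a glance which entries are version-string matches that need confirming by hand, which is the same false-positive problem the correlation option above is meant to reduce.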



Social Media Intelligence Basics

Author: Martin Voelk
January 11, 2016

Social Media Intelligence is important both from a marketing perspective and from a Security / Law enforcement perspective. People often have a wrong impression of what’s needed to get started with monitoring social media. Whilst there are tons of free and commercial tools out there, a lot of the investigation just involves the good old friend Google.

Why so easy? Well, a lot of people tweet on Twitter and post on Facebook without restricting the audience. In other words, all their posts and tweets are public. Then the Google spider robot comes around and indexes them – ready to be found. Moreover, a lot of people intentionally or unintentionally submit full location information with their tweets, for example.


Here are a few basic examples of how to search around from

1.) intext:"Works at best buy"
This dork is easy. It looks for open profiles of people working at Best Buy.

2.) intext:"Lives in Austin"
Dork to find people living in Austin.

3.) "Studied at Harvard"
Dork to find former Harvard students.

4.) intext:"at Walmart"
Slightly more advanced dork, which also catches people who say "Employed at" or "Manager at" etc. instead of "Works at".

5.) intext:"Started Working at Olive Garden"
People who started working at Olive Garden in the past.

Those searches can be combined, changed etc. A lot of the intel work is based on thinking out of the box. You will be surprised what people reveal on to the whole world instead of just their friends.

6.) Facebook also allows for GUI search on what people like or have liked. That can give vital clues around all sorts of things….

Twitter Location Tracking

A nice free Web Based tool can be found here:

If people have location enabled on their devices it shows you where tweets were sent from. This can assist law enforcement during security situations, large scale events etc. Of course there is a lot more to it, but with the above basics anyone can get started in investigating.


UK police hires Ex-Hacker

Author: Martin Voelk
January 11, 2016

Law enforcement often hires top-notch ex-hackers to provide their services. Everyone knows about the famous Kevin Mitnick, who was once the most wanted by the FBI. These days Mr. Mitnick runs his own business helping others to stay safe from Cyber Crime.

More recently something similar happened in the UK. Tony Sales, once one of the biggest online fraudsters in the UK, has recently been hired by West Midlands Police.