MaiInt - Profiling China based Employees

Introduction MaiInt is a tool to perform OSINT, gather employee names and predict e-mail addresses for China based companies. The output is in HTML and CSV format. The Challenge The primary issue we’re trying to solve is that there are no good tools to enumerate employees in China based »


TLDR; A bunch of hackers went and created a BadUSB, in cable form, where charging of the phone works. Introduction As Red Teamers we are always looking for means to compromise machines. Karsten Nohl had released his research on BadUSB: Looking around, there was soon »

Aorus Gaming Box for Password Cracking

Introduction The Aorus Gaming box is an external GPU (eGPU) that is light-weight and you can carry it around with you on different penetration tests. Let's take for example you might have a client who does not want you to take any data off-site (for obvious reasons), or you do »

Proxmark Adventures 101

I've been out to purchase a Proxmark for a long time, I've even checked out the fake ones on Taobao and AliExpress. I've recently moved to China to proceed with my YOLO start-up adventure towards spreading the good old “Red Team”, or attack mindset, practical, and technique driven services. Since »

CloudFlare for Command and Control

CloudFlare has a free service that protects your website against DDoS attacks, crawling, brute-force, and generic web application attacks. That's all great, but it also offers quick content delivery through its fast network, URL rewrite, caching rules, firewall rules, user-agent blocking, analytics, and even SSL certificates issued by CloudFlare! For »

F# Shellcode Execution

I decided to go ahead and try to execute shellcode from F# by generating an EXE. It currently gets 1/66 on VT, with CrowdStrike Falcon detecting it using heuristics potentially due to PInvoke. Code repository: F# Code: open System.Runtime.InteropServices open System.Threading »


What the... IPFuscation was a technique that we just named on Twitter after @LucaBongiorni demanded a name! It's a technique that allows for IP addresses to be represented in hexadecimal, octal, or a combination, instead of the decimal encoding that we are used to. What can we do? Normal: ping »


TLDR; use Splunk as a central log database and analysis system for offensive infrastructure logs. In many engagements, you will want accurate logging across multiple RAT systems, phishing web servers, mail systems, and more. Currently only supports Cobalt Strike, but will be looking at supporting Empire, Pupy, Metasploit, Apache, Nginx, »

OffensiveSplunk vs. Grep

TLDR; Using Splunk for Offensive security data analysis has advantages over the traditional Grep when trifling through and analysing data. Why Splunk and not ELK? ELK is a fantastic open source project, and made even easier thanks to the HELK project by Cyb3rward0g. In fact, I actually tried ELK first »

Host Header Manipulation

TLDR; Host header obfuscation When attacking a target, you never know what sort of rules the blue team has in place to detect you. With a rise in Domain Fronting, which meant that more people were manipuating host headers, I decided to look a bit more into what you can »

Vultr Domain Hijacking

TLDR: Vultr does not verify domain ownership when adding new domains. This allows the hijack of abandoned domains by pretty much anyone with an account and verified payment method Disclosure Timeline 2018/04/09: Reported to Vultr to see if they will fix and accept under bug bounty program. 2018/ »