Vincent Yiu

30 posts

Aorus Gaming Box for Password Cracking

Introduction The Aorus Gaming Box is an external GPU (eGPU) that is lightweight and can be carried with you to different penetration tests. Take, for example, a client who does not want you to take any data off-site (for obvious reasons), or you do »

MaiInt - Profiling China based Employees

Introduction MaiInt is a tool to perform OSINT, gather employee names and predict e-mail addresses for China-based companies. The output is in HTML and CSV format. The Challenge The primary issue we're trying to solve is that there are no good tools to enumerate employees in China-based »

CloudFlare for Command and Control

CloudFlare has a free service that protects your website against DDoS attacks, crawling, brute-force, and generic web application attacks. That's all great, but it also offers quick content delivery through its fast network, URL rewrite, caching rules, firewall rules, user-agent blocking, analytics, and even SSL certificates issued by CloudFront! For »

F# Shellcode Execution

I decided to go ahead and try to execute shellcode from F# by generating an EXE. It currently gets 1/66 on VT, with CrowdStrike Falcon detecting it using heuristics potentially due to PInvoke. Code repository: F# Code: open System.Runtime.InteropServices open System.Threading »


What the... IPFuscation was a technique that we just named on Twitter after @LucaBongiorni demanded a name! It's a technique that allows for IP addresses to be represented in hexadecimal, octal, or a combination, instead of the decimal encoding that we are used to. What can we do? Normal: ping »


TLDR; use Splunk as a central log database and analysis system for offensive infrastructure logs. In many engagements, you will want accurate logging across multiple RAT systems, phishing web servers, mail systems, and more. Currently only supports Cobalt Strike, but will be looking at supporting Empire, Pupy, Metasploit, Apache, Nginx, »

OffensiveSplunk vs. Grep

TLDR; Using Splunk for Offensive security data analysis has advantages over the traditional Grep when trifling through and analysing data. Why Splunk and not ELK? ELK is a fantastic open source project, and made even easier thanks to the HELK project by Cyb3rward0g. In fact, I actually tried ELK first »

Host Header Manipulation

TLDR; Host header obfuscation When attacking a target, you never know what sort of rules the blue team has in place to detect you. With the rise in Domain Fronting, which meant that more people were manipulating host headers, I decided to look a bit more into what you can »

Vultr Domain Hijacking

TLDR: Vultr does not verify domain ownership when adding new domains. This allows the hijack of abandoned domains by pretty much anyone with an account and verified payment method Disclosure Timeline 2018/04/09: Reported to Vultr to see if they will fix and accept under bug bounty program. 2018/ »

DomLink — Automating domain discovery

TLDR: Give DomLink a domain, it’ll go and find associated organization and e-mail registered then use this information to perform reverse WHOIS. Simple. You then get an output of lots of other associated domains registered by the company. Author: Vincent Yiu (@vysecurity) DomLink Not saying this is a new »

CloudFront Domain Hijacks under Attack

Update: To my attention in April, it appears that Mindpoint may have been behind the automated assigning of the hijackable instances. See This is great, but CloudFront’s engineers definitely missed a whole lot, so I’m not sure if they actually see »