Running Nmap in AWS Lambda

While people have created AWS Lambda based scanners, such as AWS-SCAN and Better-AWS-SCAN which make use of “python-nmap”, I wanted to see if I could get the “real” Nmap running in AWS Lambda having recently created a Slack bot that runs PhantomJS in Lambda.

Read More

AWS Lambda Slack Bot (with PhantomJS) #chatops

Recently I wanted to automate some manual checks I was having to perform on client sites, and make these checks accessible to other colleagues – the solution I settled on was using a Slack bot to trigger an AWS Lambda function that runs PhantomJS to perform the checks. Here’s a quick crash course on how to set it up (you’ll need some AWS knowledge or do some Googling).

I’ve created a sample code base available at https://github.com/hypn/lambda-slack-bot to build on, using NodeJS for the Lambda function (because it starts up so quickly – but other supported languages could be used). It defines a “handler” function (that receives the Lambda request) which executes PhantomJS and tells it the file we want it to run (“title.js” in this case, which just returns the webpage’s title).

Read More

BSides Cape Town 2017 – “Docker for Hackers” talk and badge apps

Today at BSides Cape Town 2017 I gave a talk titled “Docker for Hackers” – a quick overview of what docker is, how to use it, and how to attack various aspects of it. The slides for my talk are here.

I also got to help @dale_nunns, who wrote the firmware for our electronic badges which is a BASIC interpreter, with some “.bas” files for attendees to discover as well as the badge default LED animation. The conference theme was “Back to the Future” and the badge was in the shape of a Flux Capacitor. The files are:

Read More

Compiling exploit 764.c in 2017 (using libssl-dev 1.1.0f)

One of the popular boot-to-root VMs has an exploit (764.c) which doesn’t compile so well in modern Kali, producing the errors:

764d.c:643:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
764d.c:651:2: error: unknown type name ‘RC4_KEY’
764d.c:652:2: error: unknown type name ‘RC4_KEY’
764d.c:844:7: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:845:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
764d.c:882:2: error: unknown type name ‘MD5_CTX’
764d.c:887:23: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:977:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
764d.c:1069:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
764d.c:1106:2: error: unknown type name ‘MD5_CTX’
764d.c:1111:42: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:1127:23: error: ‘RC4_KEY’ undeclared (first use in this function)
764d.c:1127:31: error: expected expression before ‘)’ token
764d.c:1131:32: error: expected expression before ‘)’ token
764d.c:1146:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
764d.c:1158:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764d.c:1171:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)

Read More

AWS Lambda Mischief

After attending a great talk by @marcoslaviero about AWS cloud security and persisting your access through AWS Lambda and EC2, I realised there was another nasty way to “inject” malicious code into an account and execute it on demand (or have it executed for you)… by inserting it as a “version” of an existing Lambda function, and restoring that Lambda’s functionality. Again, this assumes you have already compromised the AWS account.

Given an existing Lambda function (e.g. “hypn-lambda-mischief” below):

Read More

Misc binaries for *nix

I’ve been doing some boot-to-root VMs lately and some of the classics are quite old, with Kioptrix: Level 1 going all the way back to 2010. While the puzzles and exploits still hold up, it’s not always easy to get hold of tooling – especially newer stuff like “socat” – for these older distros.

For that reason I’ve compiled a bunch of variants of busybox, netcat, and socat for different architectures and distros (mostly older Debian) and put them up on github: https://github.com/hypn/misc-binaries. While you definitely shouldn’t download and run executable files a stranger told you to, they will likely help you upgrade your reverse shells in VMs should you choose to use them.

Read More

Compiling binaries for different CPU architectures using Docker

If you’re running on a 64-bit CPU but need to compile some code as 32-bit, you can usually get away with doing:

gcc <filename.c> -o <filename> -m32

or in the case of “configure” and “make” you can probably go with:

./configure --build=i686-pc-linux-gnu "CFLAGS=-m32"

Unless of course you’re greeted with this error:

Read More

Running Kioptrix: Level 1 (and others?) in VirtualBox

The “Kioptrix” boot-to-root VMs are some of the most popular hacking challenges but are intended for use with VMware. If your choice of virtualization is VirtualBox you can choose to mount the VMDK disk image of “Kioptrix: Level 1 (#1)” but will likely end up with a kernel panic. To get it working in VirtualBox do the following:

Read More

ASCII Skulls

I needed an ASCII Skull for… err… reasons, so decided to post the best ones I could find here. Unfortunately nearly all of them are on multiple websites without any credit to the authors, so if you made them or know who did I’ll happily give credit where credit is due.

Read More

Alpine Linux as a Docker host and portable dev VM

I’m a fan of Docker – especially for software development, allowing me to switch machines or operating systems and not have to spend hours re-configuring them to have the same services and configuration. There’s a growing trend to use Alpine Linux for Docker containers, rather than something like Ubuntu, because it has a smaller footprint (making it faster to download and more convenient for smaller drives, such as solid-state drives).

While all the operating systems I switch between (Linux, Mac and Windows) can run Docker and thus let me easily run my code, I’ve found there’s still a lot of config I want to keep bundled together but would prefer to keep out of “the cloud” – stuff like AWS environment variables, bash history and various utility scripts. I’ve settled on using a (previously Ubuntu) VM as the Docker host and file server, with Samba providing file sharing access so I can edit code in a native editor (Sublime). All I need is an operating system that can run VirtualBox and an SSH client and I’m “home”, able to dev and commit code with everything where I left it. I also don’t have to juggle SSH keys (either for connecting out or authorized keys for connecting in), or guess what IP my host is running on (the VM’s MAC address and IP config remain fixed across machines).

Read More