Jeriko Group and Source Code Repository

Jeriko moved in its own source code repository which you will be able to find here. There is also a discussion group here, if you feel like using it.

The version inside the new code repository is very different from the version you’ve seen before. The main difference is that while the old version is basically a collection of scripts, the new version implements its own shell (wrapper around bash) which does the heavily lifting and also introduces some funky programming mechanisms. [...]

more | comments | comments rss | posted by

Exploit Development Framework Design

Perl, Ruby Python: use the language that suits your character. However, one of the things that differentiate python from the rest is its philosophy, which is: there should be one– and preferably only one –obvious way to do it (where it is a problem). This philosophy gives python some interesting advantages over other similar languages. That will be explained later on. [...]

more | comments | comments rss | posted by

Even More XSS Worms

This morning I spotted several blog posts mentioning that Twitter has been hit by yet another XSS worm.

There is no merit in discussing how this has been done and for what purposes but this incident is yet another proof that the attack landscape is rapidly changing and moving towards web enabled infrastructures and the client-side. [...]

more | comments | comments rss | posted by

Tools of Trade

Lately I’ve been dropping a lot bash scripts on public forums and of course on work related projects. Many people came back to me asking why I chose bash. Python or perl would have been better! While I agree that both python and perl are a lot more expressive, I disagree that tools in general should be written just to accommodate the needs of a particular framework. Tools are tools and they have their lifetime just like everything else. So should we bother? [...]

more | comments | comments rss | posted by

More Penetration Testing Goodness with Jeriko

Over the last couple of weeks I’ve added more features to the Jeriko toolkit which I briefly covered in my post over here. For those of you who don’t know, Jeriko is a compilation of various bash scripts to ease manual penetration testing practices. The idea is to automate only the things which are sort of boring.

Anyway, now you have a few more scripts at your disposal. [...]

more | comments | comments rss | posted by

On Security Buzzwords

I’ve got quite a lot of good feedback on the security buzzword generator I announced yesterday. For those of you who do not know, the generator is a fun little utility which helps you with coming up with new and exciting buzzwords like a security pro.

We often laugh when a new buzzword makes its rounds in the media but the matter of fact is that buzzwords are important. In essence, buzzwords are just terminology which happens to be used extensively by the media. [...]

more | comments | comments rss | posted by

Security Buzzword Generator

In the light of the Month of New Security Buzzwords, I am releasing an online fuzzer to help you generate as many security buzzwords as you like. Sweet!

Jokes aside, tools like this one are quite helpful to brainstorm new ideas. If you ever do research inspired by our buzzword generator, please give us a credit. That way we will know that the tool is actually useful.

more | comments | comments rss | posted by

Codez Are Up

This is a quick announcement just to let you know that our codes are now getting synced at, which is basically a file browser interface to the source repositories.

The reason we had to come up with something like this is because most of our projects are dispersed across several Google Code repositories, personal SVNs and many other places. We have started so many ideas in the past that now it is hard to keep track of everything. [...]

more | comments | comments rss | posted by

It is Persistence

Do some people have the magical skill to find vulnerabilities with ease while others don’t! Of course not! I disagree with the whole tendency to believe that technical understandings is all that is needed to find vulnerabilities.

It is mostly persistence that plays a role. Most of the researchers I know have almost zero knowledge on the subjects they dive into. [...]

more | comments | comments rss | posted by

You Don’t Need the Ultimate Pen-testing Framework!

You’ve already got it! It is laying on your PC and it is called the shell. The shell was designed to start/strop and control process with ease so why do we need yet another universal pen-testing framework, which does what another tool is already doing for us and it comes by default? In this post we are going to delve in the world of advanced shell programming for penetration testing purposes.

The shell is defacto the interface to your operating system. [...]

more | comments | comments rss | posted by