Setting up Slack for MiSec

Some time last year, I wrote a post about setting up an IRC client on my VM. The idea was that since it’s always online, I’d always have the chat history for the #misec IRC channel. That way I’d never miss a mention or interesting conversation.

Since then, a lot has changed and I don’t connect to that machine as much as I used to. I had to restart it a few times, so the “always online” theory quickly fizzled out as well. I found that the majority of my MiSec conversations were on Twitter or in person.

Why Slack?

At the RuCTF, we used it to transfer notes and share files. For those that don’t know about Slack, it’s a modern chat client. While it may be just another messaging app to some people, I’ve used it through college, at work, and for groups like MiSec. There’s been talk about trying to get an official MiSec Slack channel.

During the November Lansing social, we did just that and was created. Later that night I found a project on GitHub that had a “push button” solution for creating an auto-invite application on Shortly after setting that up, I was able to tweet out the URL and people started joining the new channel. If you’d like to set up a similar invitation application, read the GitHub description and press either the Heroku or Azure deploy button, depending on which service you want to use to deploy the application.

How it works

The app works great. Heroku even took care of a lot of the hosting details, like handling TLS. Within a day, the channel had 30 members and I didn’t have to manually invite anyone. The only change I made to the app was cosmetic. I didn’t like the gradient background, so I replaced it with a more “cyber” background. In order to change the application, I had to fork the GitHub repository and connect it to my Heroku app. I used git and the Heroku CLI to do the heavy lifting. To change the background I simply replaced the bg.jpg in the images directory and redeployed the app.

IRC or death

A lot of MiSec members prefer to stay on IRC. In an attempt to accommodate their preferences, I opened an IRC gateway so they could connect to the channel from their favorite IRC client. However, that still requires being on both the #misec IRC channel and the IRC channel for the MiSec Slack… The only thing more annoying than having to be in multiple chats is being in multiple chats for the same reason.

So I found an alternative with the help of some MiSec friends: another GitHub project called slack-irc. The bot runs on Node.js, so hopefully anyone attempting this themselves has some experience with npm. slack-irc made it possible to set up a Slack bot that integrates with another IRC channel. So now #misec is in’s #general channel and vice versa.

Demo from GitHub, shows how it looks for each client.

Becoming a Slacker

If you’re interested in joining the MiSec slack channel, follow the steps below:

  1. Get an invite by going to and entering the email address you’d like to use for the account
  2. Finish creating an account for the channel
    (Please note the team URL is
  3. Sign in from a Slack application on whatever device you prefer if you don’t want to use the web client.
  4. Optional: Go to for instructions on connecting over IRC

GrrCON 2016

October 6th & 7th was GrrCON. For those that don’t know, it is a security conference in Grand Rapids, Michigan. 2015 was the first year I started going to conferences and GrrCON was my first. That year I volunteered because it’s really hard for poor students to pay their way for the fun stuff. This year, I have a job that actually pays for me to go and learn about security.

Since I wasn’t volunteering this time, I got to explore a lot more of the con and see what goes on for everyone who isn’t behind the scenes. Last year, I was helping set up, getting there early, and got stuck at one spot for hours. This time I was able to visit with sponsors, go to all the talks I wanted to see, test out the lock pick village and more. One thing that never changes is that I always have fun at GrrCON.

After attending the keynote speech on Thursday, I met up with friends from MiSec. One of the best reasons for going to a conference is to network. Twitter is one of the best places to stay in touch with your favorite hackers. However conferences are where you get to see them in person.

There’s always too many people to mention at once… if you’re looking to expand your network though, Sam’s got our backs!

After networking and visiting at the MiSec sponsor booth I stopped by the lock pick village. I can officially say that I’ve picked deadbolt locks now, I’ve moved up from just being able to open padlocks. GrrCON had some amazing villages this year. The lock pick village switched up the challenges this year. Instead of the cage escape there was a race to free yourself from being handcuffed to 3 other contestants.

@infosec_rogue's invention for the lockpick village challenge this year

The other villages included IoT hacking, car hacking, enterprise hacking, and an OSINT (open source intelligence) CTF. IoT and car hacking were set up as demos, which looked really cool. There was so much going on that the booths were always busy. The OSINT CTF was a challenge to find out the most information about two con attendees. Finding information like their DOB by using social media and more was the idea behind the CTF.

Hacker Family Feud was a lot of fun as well. Amanda (@Infosystir) invited me to play along with Aaron and Adrian. I had no idea what to expect for some of the answers… but I do know I won’t be forgotten any time soon. One of the questions was “Name a 2015 vulnerability that was big in the media” and I froze when it was my turn to answer. The only media I’ve watched lately is Netflix.  What was my answer you ask? “The Target hack”. While I didn’t get any points for that answer, I got some free drinks and candy for my attempt and left a lasting impression on the con’s organizers.

I wish I could show you a picture... but I didn't want to get kicked out of the conference!

There were some great costumes, mature jokes, inappropriate comments and more at the hacker family feud. Due to recording restrictions, I can’t tell you more… if you want to see what really happens at night during GrrCON I only have one word of advice for you, get a ticket for next year!

A lot of my friends and mentors gave talks throughout the con. I attended as many as I could. The rest are recorded and posted on Irongeek’s website. You should definitely check it out and see what you missed.

Hak4Kidz made another appearance this year. From what I heard, there was an awesome turnout. Hak4Kidz held an all-day workshop on Friday to get kids involved with ethical hacking. They participated in tech destruction, cryptochallenges, an online CTF, and more. One of the goals of Hak4Kidz is to include hacking in STEM programs (vote STEHM). It’s great to see the interest in sharing the “hacker” mindset with kids, or really, seeing how kids are going to improve our hacker mindset tomorrow. If you have kids or are interested in helping out, check out their website.

There was a lot of great content this year. GrrCON has a collection of amazing speakers, staff, and volunteers that knock it out of the park every year. I have a lot of good material that I want to bring into work on Monday and share with my boss. Hopefully it will be a means of getting work to help me attend even more conferences next year.

One thing I want to attempt at the next conference is to sit down and attempt some of the challenges. It’s great to attend the talks and get so much information. However they’re also recorded so you can see them on your own time. Networking is important but that also isn’t exclusive. It can even help you win a challenge by asking for help or by joining up to create a team.

Lastly I want to say thanks to everyone who helped make GrrCON 2016 a reality. It’s awesome to have a con like this that’s so close to home. I can’t wait for next year; it looks like GrrCON 2017 will be on Oct 26th and 27th. Plan now so you don’t miss out! (There may be Halloween costumes, be prepared.)

GrrCON debauchery with @infosystir and @vajkat. After parties are also a lot of fun at GrrCON!

My first hacker summer camp

April 26th was when I booked my flights to and from Las Vegas for hacker summer camp. I had no idea what was in store for me. The plan was to attend some conferences with Amanda Berlin, who had offered to let me stay with her. Originally I did not plan to go at all, although after discussing it with her, I really only had one option left.

I was walking into one of the best hacker experiences I’ve had to date. The week long journey into Las Vegas that was hacker summer camp is a back to back combination of BsidesLV, Blackhat, and Defcon. It was nothing like I imagined but it definitely has me saving up for next year.


Amanda had shared a few links with me to prepare for Defcon. There were packing lists and notes like this one from JK-47. I signed up to volunteer at Bsides and to go to the “unofficial” Defcon shoot. There were plans to buy a burner phone and get all paranoid about getting hacked, but that didn’t last long. I entered every event I knew about into my calendar and Amanda shared hers with me as well. There were accounts on Twitter that I started following as well, like Defcon Parties.

When I was packing for the plane, I had originally imagined needing a checked bag and that I’d have a ton of gear to bring. As it turns out, a lot of technology is at risk of being hacked (who knew?). Meaning that the extra computers, raspberry pi, and other tools I thought would be fun to bring had to be left behind. I made do with just my carry on and a backpack. The only tech I brought was a computer with Kali, my phone, and a new MiFi I bought. The MiFi was because I was still too paranoid to trust any of the wifi networks.


Hacker summer camp started with BsidesLV at the Tuscany. For those who aren’t familiar with Bsides conferences, they are “smaller” conferences that accept talks that didn’t make it into the “main” conference. Imagine the B side of a cassette tape.

My volunteer shifts were Tuesday and Wednesday from 8am to 5pm. The shifts I had were laid back: I worked the information desk and was a floater for speaker ops. Most of the time my job was to inform any attendees that might have questions, and I think I did pretty well with that. The only negative to working all the shifts I did was that I left no time for actually attending talks. I’m still sifting through the videos that were uploaded to their YouTube channel.

My favorite shifts were working the information booth with Kate from misec. Those shifts flew by because we talked the entire time. Some other volunteers would stop by and talk to us as well.

The parties were good too. Tuesday night I went to Queercon, a gathering of the LGBT hacker community. They really know how to throw a party; everyone was talkative and it was pretty fun while I was there. Wednesday night was the BsidesLV pool party. We took over the entire pool area and had an awesome party. I played “volleyball” with a beach ball for the majority of the time, and it was a lot of fun.

The best part of BsidesLV (for me) was getting to network with everyone. Volunteering allows me to get close to the organizers and other staff and I get to see a different side of the conference. There’s still the parties, events, and after-hours stuff that allows me to experience the rest of the conference with the regular attendees.

Defcon Shoot

Between BsidesLV and Defcon, there was the shoot. The Defcon shoot is an opportunity to unleash some lead downrange in a variety of amounts and speeds. Basically, pay to shoot guns. Lanes are bought and can be shared with the public or “reserved” for private parties.

The idea behind the Defcon shoot is to gather together some gun loving hackers and have a fun time. It’s a great opportunity to shoot for the first time or for foreigners to shoot if they’re not allowed to back home. The range is closely monitored by experienced volunteers (and this year, someone from range staff) so the entire event is extremely safe.

The lane I shot at was provided by some friends of Amanda’s from across the pond. They brought bleeding zombie targets, something they’ve made a name for themselves by doing. Throughout the night I shot a range of firearms from .22 caliber rifles to .40 caliber pistols. I could have social engineered my way to shoot even more exotic weaponry, but time flew by. One missed opportunity was a Defcon shoot veteran who brings machine guns every year.

The “badges” for the shoot were 40mm grenade launcher shells. Practice shells of course, with the primer removed as well. At the end of the badge making process, the shell was reduced to an amount of chalk in a plastic case, perfect for those going through the TSA to get back home. There were even stickers to personalize your badge.


Unfortunately I couldn’t attend Blackhat myself. While signing up to volunteer for as many shifts as I did at BsidesLV, I was unable to volunteer at Blackhat as well. Not to mention it was probably way too late to offer. I was able to experience it vicariously through Amanda who was a speaker liaison and was able to get me into a few Blackhat afterparties. Thanks to her I was able to get some cool swag. I’m waiting for the recorded talks to go live on their website.


Not to say we saved the best for last, but we did save the biggest conference for last. I had no idea what was in store for me. There are so many rumors flying around about what happens that it was hard to sort through it all to find what really happens. I’m just glad it wasn’t canceled this year.

The badge

This year’s Defcon badge was a Terminator-themed skull. The core of the chip was an Intel Quark. The eyes of the skull had blue LEDs and there were eight buttons as well. After registration I met up with some more friends from MiSec and we gathered in Kate’s hotel room to take a shot at the badge’s crypto challenge.

We found a lot of initial hints on the defcon reddit page. Lost shared a picture about the lanyards and the codes on the back of the badges had been collected in one reddit post. We were able to decode one of the encoded messages on the back of our badges, it was chameleon. Lost used ROT2 because it was the inverse of 24.
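As an added illustration of the ROT trick above (my own example, not code from the badge challenge or from the post): a Caesar shift of 24 is undone by a shift of 2 because 24 + 2 = 26 wraps all the way around the alphabet, so “decode with ROT2” and “decode by reversing ROT24” are the same operation. The ciphertext below is constructed by ROT24-encoding the word chameleon; the short word list used to rank candidates is also constructed. The brute-force helper goes a step beyond the post by trying all 26 shifts, which is the usual first move when the shift is not known.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text: str, shift: int) -> str:
    """Caesar-shift every ASCII letter by `shift` places (mod 26).

    Case is preserved and any non-letter (digits, spaces, punctuation)
    passes through unchanged, which is how ROT-n puzzles are usually written.
    """
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_rotations(ciphertext: str) -> dict:
    """Return {shift: candidate plaintext} for all 26 shifts.

    The key space is tiny, so brute force is the normal way to solve a ROT-n
    clue when the shift is not given.
    """
    return {n: rot(ciphertext, n) for n in range(26)}


def guess_shift(ciphertext: str, known_words) -> int:
    """Pick the shift whose candidate plaintext contains the most known words.

    `known_words` is a small list the solver supplies (a real solver would use
    a dictionary); ties resolve to the smallest shift.
    """
    known = {w.lower() for w in known_words}
    best_shift, best_hits = 0, -1
    for n, candidate in all_rotations(ciphertext).items():
        hits = sum(1 for w in candidate.lower().split() if w in known)
        if hits > best_hits:
            best_shift, best_hits = n, hits
    return best_shift


# Constructed sample: "chameleon" encoded with ROT24. The real text printed on
# the badges is not reproduced here.
SAMPLE_CIPHERTEXT = rot("chameleon", 24)   # "afykcjcml"
SAMPLE_WORDS = ["chameleon", "badge", "lanyard"]  # constructed word list

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT)
    print("ROT2 undoes ROT24:", rot(SAMPLE_CIPHERTEXT, 2))
    print("guessed shift:", guess_shift(SAMPLE_CIPHERTEXT, SAMPLE_WORDS))
```

Running the script prints the constructed ciphertext, its ROT2 decoding, and the shift that the word-list ranking picks; the same `rot` function serves for both encoding and decoding because the shift is simply added modulo 26.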

Within a couple of hours we found that a modified Konami code would activate a sequence on the LED eyes. The code is Up Up Down Down Left Right Left Right on the left four buttons and then Left Right (A, B) on the right four buttons. There was encoded text being displayed while running the Konami code. We had to connect a computer to decrypt the messages. For a complete write-up on the badge challenge, there’s an awesome post from the team that won.


There were a lot of vendors this year at defcon. Hak5 and the Hacker Warehouse were two of my favorite vendors. There were a lot of great companies, Rapid7 and Pwnie Express to name a few. As well as some important organizations like TOOOL and EFF. That’s a lot of big name companies and organizations that are key to hacker conventions like Defcon, I’ll let you take your pick and explore the links if interested.

I picked up a few new toys while at Defcon. The first thing I got was WiFi Pineapple Tetra. I also picked up new clear padlocks, a deadbolt, and a different style of tension wrenches.

Car Hacking Village

On Friday, I had breakfast with Amanda and Chris. After that, the first place Chris and I stopped at was the car hacking village. Rapid7 sponsored the badges. Each badge had a CAN adapter, which I thought was pretty cool.

The car hacking village was really cool. There was a driving simulator with a Dodge Challenger. Throughout the length of the conference, there were talks in the village about different kinds of car hacks.

Friday night

After an afternoon of lock-picking and struggling to watch the recorded talks on the hotel TV network, an evening of parties awaited me. Amanda had an entire evening planned. For those who don’t have the same luck, this is where the Hacker Tracker app and the Defcon parties Twitter account come in handy.

Before getting to any parties, Amanda and I stopped at Drone Wars. They were racing small drones around obstacles and then attempting to knock down a solo cup pyramid without crashing the plane.

There are countless groups that attend Defcon, and a lot host parties in the hotel suites. I joined Milton Security for a bourbon tasting party before going to meet with some friends I met at the BsidesLV pool party.

Hack Fortress

Saturday morning started with a combination of a CTF and Team Fortress 2 called Hack Fortress. Hack Fortress originated from Shmoocon in DC. Hackers get points they can redeem at a store that will affect the gamers. Special awards in game will also give more points towards the final team score.

Misec was able to represent with an entire team made up of Michigan hackers. The time limit was only 30 minutes. Unfortunately Misec didn’t win. If we were to play again, I would prepare by playing more Team Fortress 2 and understanding the game dynamics. Hacking was an important aspect, but a majority of the game points came from the gamers.

More talks on TV

The recorded talks on the hotel TVs were working a lot better on Saturday. The Misec group met back up at one of the hotel rooms to watch what was being broadcasted instead of dealing with linecon (waiting for hours to get into a talk).

The first talk we watched was on phishing campaigns. Tactics of a good campaign and what separates success from failure were the main topics. The speaker mentioned not reinventing the wheel for every campaign, and using a certain framework. (I’ll add more details when I get to rewatch that talk.) Another talk we watched was about attribution. Attribution as in which hacker did what. For instance, did Russia really hack the DNC? It was really interesting to see where researchers, media, and more get the information that allows them to attribute an attacker. I know I’ll be sticking to using Attribute Dice.

Saturday Night

The last night of partying at Defcon (for me) started with Hacker Karaoke. Misec grouped together to sing Journey. It was a fun gathering. We then moved to the Social Engineering party which consisted of more bourbon tasting. (I hope you see the theme here).

Closing Ceremonies

Sunday morning was bittersweet. After five days of conference, I was ready for it to close… but at the same time, I didn’t want it to end. The closing ceremony started with my longest linecon of the conference. Winners of the larger challenges from the conference were recognized. The black badge was shown to the audience; the eyes pop out and it looks really cool. The animator that made the dinosaurs for Jurassic Park is hand crafting each one. A supercomputer was the first to win DARPA’s Cyber Grand Challenge. Defcon 25 has a lot of potential.

What else happened at hacker summer camp?

There is so much that goes on at summer camp that it was impossible for me to attend it all. It’s been a week and I’ve only seen some of the Bsides talks that were recorded. What I talked about above was what I was able to participate in. There are official and unofficial events, conferences, and parties throughout the entire week that I didn’t even know about outside of Twitter. For instance there’s Tiaracon and Queercon (at Defcon). There are the open and official CTFs at Defcon. There’s honestly so much that I’m not even sure what else I missed. All I know is that I’ll find something fun and new to do next year!

First SecOps Job at Circle City Con 2016

Hey guys, I know it’s been a while since I posted. Thank you for coming back to read more. I hope you find these interesting. This post is a follow up of my SecOps experience at Circle City Con. I learned a lot and am looking forward to doing it again.

The Conference

Circle City Con is an annual security conference in Indianapolis. This year’s theme was Game of Pwns. The theme added a fun aspect to the usual conference atmosphere. The organizers dressed up in Renaissance garb and became “heads of houses”, each of which offered challenges based on a specific field in security. A few of my favorites were social engineering, incident response, and penetration testing. Winning these challenges gave points for the CTF that lasted the entire conference.

Social engineering involved challenges like taking a group photo of a few houses together, making an organizer hold something purple, and more. The Incident response challenge was a quiz to test your skill and knowledge of the trade. The penetration testing challenge was a test to gain access to a network by figuring out the wifi password by decrypting a poem and finding the right information online. I’m still hoping to find a more complete writeup of the challenges.

I like to volunteer at conferences. Volunteering allows me to connect with the organizers and get a view of what happens “behind the curtain” at conferences. It’s great for networking. I offered to help Security Operations (SecOps) for the conference and shortly after was signed up to work 5 shifts for the weekend.

Working SecOps

I learned a lot from working on the SecOps team. First and foremost, they get to use radios and let’s be honest, that’s the coolest part of the job. I worked a few different spots on my shift, watching different areas of the con. However the end goal was always the same: Check for badges and keep everyone safe.

The only downside I found to working security for Circle City Con was how long the shifts were. I’m always trying to help however I can, and that means that I try to take as many shifts as are open. At the same time, that means I miss things at the conference, like checking out the CTF, talking to vendors, and going to see speakers. Next time I sign up to help out, it’ll definitely not be for every shift and I’ll be sure to save some time for actually going to the conference.

Path to the dark side

On Saturday, May 21st, the first career panel in #Misec history was held. Put on by the brave @chaoticflaws, @vajkat, and @ZenM0de, it was highly successful. The panel included @jwgoerlich, @jeremynielson, @jim_beechy, @D0Xt0rZ3r0, and an infosec recruiter from @TEKsystems (sorry, I didn’t find his handle). It was five glorious hours of Q/A related to getting a head start in infosec and what really matters in the field. Here’s a recap of what was discussed at the panel.

Please realize that whatever I was able to scribble down does not include everything that was said. To help me try to get “the important points” I “borrowed” a few tweets from our panelists and avid listeners from the crowd (cough, cough, @TeaPartyTechie). A lot of my quoted references are paraphrased and are my adaptations of their wise words. I grabbed the tweets after the event so they’re out of order, but I tried to make it as chronological as possible. Feel free to take it with a grain of salt. Also if you’re one of the panelists and don’t like something you read, please let me know and I’ll work with you to fix it!


Rule #1:
The golden rule was mentioned in the first question of the panel, and it was don’t be a dick. Whether you’re talking about security exercises inside your company, hacking someone, talking to other infosec people, mentoring people… “Don’t be a d1ck” can be applied to thousands of situations. In #Misec especially, we are all here to help each other, so play nice. It can get dirty, but it’s all in good fun.


While we aren’t dicks, we do love our trolls. The first open question to start the panel was about trolling employees. How do you handle security exercises like leaving bad usb drives, phishing, and more at your job? There’s a lot of ways to run these exercises. The point is to improve the culture to increase security and not to get someone in trouble. If you’re going to troll your coworkers, do it because you want them to be safe not because you want them to get fired.

If you’re doing anything for a company, track the results. The numbers at the end of the exercise are what’s going to prove to the higher-ups that the trolls, while “mean”, were worth it.

When you’re looking for an infosec job, a degree isn’t the most important thing. Some companies will demand the traditional Computer Science degree, others are willing to see what you bring to an interview. The important part is that you can explain your position and why you should get the job using a thoughtful story. Tell an interviewer why you belong.

If you’re looking at people in the industry, and they give you advice on what to do, follow it. If you take action on what they suggest, you’ll be 1 out of 10 people who talked to that person that did something with that information. - Wolf

You want to continue to grow even after you finish school or get a job. I’ve said the following in at least three other blog posts, but you really need to find a community. Once I found Misec, my infosec network literally exploded. Networking was repeatedly brought up throughout the panel. I starred it in my notes three times. It’s important to reach out to as many people as you can so you can surround yourself with successful people that have been in the same boat.

Try to find a mentor. Someone who isn’t at your current company, but someone who has done what you want to do. They’ll be able to guide you in the right direction and make sure you do what you need to in order to get where you want to go. A mentor is someone who you can bounce ideas off of and who will navigate you down the best path possible. Have goals and share them with your mentor.


There was a lot of discussion around how to become an expert. Really there’s only one way to become an expert and that’s practice, practice, practice. You’ll never be perfect and there’s probably someone more knowledgeable, but you can always improve.

Being a leader

There will come a time, after you’ve found your niche in the infosec world, when you are more knowledgeable than most. No one is going to walk up and say “Congratulations, here’s your expertise certification”. If you feel you’re an expert, then say so. Just be prepared for what that entails: interviewers will ask you the tougher questions, people will come to you for help, and there will be higher expectations. Only you can decide when you’re ready for that kind of title.

Regarding “technical know-how VS social, economical, political know-how”, it was pretty well decided that it was important to be technical but still be aware of your surroundings. Keep up to date on the practices related to your field. Know the products involved and the processes in place and what might be coming in the future.


The first 90 days on the job can be the most important. A few tips were given by the panel. Wolf said to focus on competence, perception, relationships, and getting results. That’s where the Red Baron reference was applied. Jeremy mentioned doing anything and everything that was asked or offered. Even if you’re just an admin, help out to unpack the new machines. Jim said that for the first few years, get experience; you don’t have to narrow it down as soon as you get a job. Just get some knowledge first. The idea here is to be productive and work hard to get where you want to be.

A good thing that was pointed out here during a follow up question is that everyone fails. From the interns to the rock stars. Good guys will own up to their mistakes and try to fix them. Others will try to hide them.

Contribute back. A lot of people new to the community will think “I’m not experienced enough” or “I’m just a student” or something similar to that. I can tell you firsthand just how valuable it is to contribute as a noob. I write these blog posts as I learn, so I can look back and see how far I’ve come and so that you can learn as well. I give talks about the research I’ve done for classes or as an intern and I plan on giving a talk about what I do as a full time employee. Well, mostly what I do (just come to the talk and find out). Get involved and give a talk, even if it’s a recap of one of your classes. You don’t have to be “all knowing” to give back. Hey, at the very least, you should start a security blog of your own 😉




Just another reason to contribute. You’ll become more of an expert by being involved. Give back to the community, volunteer at cons, network, give talks, go to panels. I can’t stress it enough how many times this was mentioned and how invaluable it really is.

Another option to give back is to mentor. Even if you’re not the #1 person in the field, you can still try to mentor someone. Help others so others want to help you. If you’re contributing, others will find you. Trust me.


People asked about what the most overrated and underrated skills in infosec were. Being the top dog, knowing a vulnerability by the first sight of an indicator, and partying hard are all things that are overrated. 80% of the value comes from the last 20% of the work. That doesn’t mean that the first 80% of the work isn’t important. Put your time in, get the research, do it right. “Partying is pretty well tied into the infosec community. It’s big at cons, but it’s not a requirement. Be safe and have fun” - Jim.

The underrated skills that were mentioned were writing reports and monitoring performance. Red team writes 2:1 compared to hacking. It’s important to be able to clearly describe the issue and suggest a technical fix to non-technical people. Monitoring performance is also really important. Going back to the trolls, if you run a phishing exercise, it’s good to show by how much the click through rate has decreased on malicious emails.

Another question was how to get kids involved in infosec. The resounding answer was “don’t”. Thanks wolf. What is really important is allowing your kids to be curious and explore what they are interested in. If the kids are really into infosec, show them the ethical side of hacking. Always try to inspire them to be the best they can be. Also, a good way to allow kids to grow into hackers is Hak4kidz.

Finally I want to finish with a list of other points that I know are important but I can’t remember where in the Q/A they belong. Probably because they were important and were repeated 3-4 times. Hope you like them:

  • Be comfortable being uncomfortable (we’re all uncomfortable)
  • Build relationships <3 NETWORK!
  • Join Misec! (or your local infosec group)

Thanks to TEKsystems for hosting us for the event. Thanks to all the panelists that joined us, and thanks to @chaoticflaws, @vajkat, and @ZenM0de for planning all of this. It was really a great event and I learned a lot. Oh! And I won an RTFM in a raffle; it’s a great resource.


OverTheWire: Leviathan

Hello everyone, thanks for looking at my last post about OverTheWire: Bandit. Since my traffic has been consistently about 10x my average for the last four days, I wanted to write a follow-up post about the next wargame offered by OverTheWire, Leviathan.

All over the exercises, they say to not post walkthroughs or writeups, so I won’t. I will do my best to promote the project without giving away the important stuff. If you’ve done the Bandit challenge already with or without a group, I suggest trying Leviathan on your own. Leviathan only has 7 levels, which by myself, took me just under 2 hours.

Leviathan Lv7 end message
Just to prove I made it through the lessons!

Shh, don’t tell, here are some tips

Now the site does say it’s 1/10 for difficulty so it should not be hard, right? Well… it is if you have no idea what you’re doing, so you should definitely start with Bandit if you’ve never used bash before.

Remember what you learned from Bandit. Cat files, ls directories, and don’t forget that passwords are stored in /etc/leviathan_pass/. There are two commands that you should read the manual for: ltrace and ln. You might need to find a website to convert combinations of only 2 numbers (well, 10 😉 ) to readable letters.

That is all the help I am willing to give you guys, otherwise you would not learn anything. There are only six levels and you should be able to figure most of it out. Trust me, there are walkthroughs you can google (BUT SHOULD NOT)… I will admit that I did that for the second level but that does not make it ok. It is a cheap way to get to the next level and you do not learn as much. Definitely try to do as much as possible without looking up the password or how to get it.

OverTheWire: Bandit

Hey everyone, this post about Bandit is NOT a walkthrough of the greatest (only) “learn bash hacking” programs I’ve completed. This is NOT going to give you an advantage if you’re looking for cheat codes. This post will hopefully make you click on OverTheWire and want to try it out for yourself.

Why you should try Bandit

Do you work with Linux, bash shells, scripts, or ever have to deal with the command line? If you are a developer, network admin, forensic analyst, incident responder, pentester… or in any other IT job, the answer is most likely yes (unless you have some serious automation or “a guy” for that). Whether you’re entering a new field or you need a refresher course, Bandit is the first of many war games offered by the good looking hackers of OverTheWire. Start at Lesson 0 and work your way through them all.

Last night, I met up with a group of fellow hackers from #Misec and we tackled it. We went from 4pm to 12am, only stopping for a taco/wings run. We had a wide range of skill levels, from 15 years of experience to a recent college grad, but we were able to go through the tasks at a pretty even pace. Doing this training in an open group where everyone discusses their tactics was really cool because there are multiple ways to do the same lesson; there’s never one right answer. I highly suggest you do the same. Get a group of 4-10 people, grab a six-pack and hunker down somewhere.

Helpful Hints

By the end of the night, I had expanded on the bash commands I already knew like ls, cat, chmod, mkdir, touch, openssl, and vi/nano/vim. I looked at the man page (help documentation) for the first time for other commands I had heard of but didn’t use: grep, file, diff, gzip, tar, and so much more. Seriously guys and gals, you will not complete this course unless you type <cmd> --help or man <cmd>.

There was only one really tricky lesson in Bandit for those unfamiliar with development or python. So to assist but not give the answer away, I’d like to point a few things out about python. Please note this is one specific way to beat this level; @jadedtreebeard found a faster way to beat this level without even touching python.

  • Run python scripts by writing: python
  • Variables have type, so numbers (30002) are integers and words are strings (“words”)
    • Change integers to strings: str(myVariable)
    • Change strings to integers: int(myString)
  • Importing packages is the first thing to do in a .py file
    • I suggest you look at socket *COUGH COUGH*
  • range(x, y) will give you a list starting at x going to y
  • For loops will loop through every object in a list
    • Syntax: for something in list:
    • Indent under that line and it’ll be included in the loop
  • If statements are powerful
    • What would happen if you only did something when a variable contained a certain substring
      • if only “Correct” was in someString: then I could print someString only when it has the right values instead of every incorrect one as well… 😉

There are 27 lessons in Bandit, it took our group 8 hours to casually and thoroughly go through every lesson. A few are very tricky. I suggest you a) read cmd manuals b) read the associated links from OverTheWire for each lesson c) brainstorm and bounce ideas around your group. The only thing you should not do is google the answer, this is a public activity and other people have already done this. I suggest you stay away from googling “how to complete Bandit”…. It’s not cool, you can learn so much more by following a-c.

Lastly, I want to give a shout out to @Ashioni of @CBI_IT, @JadedTreeBeard, @bigryanb, @EquinchOcha and the other hackers in my group whose Twitter handles I do not know… It’s because of them I had such a fun time instead of pulling my hair out when I got stuck on lesson 28. If you are in the Michigan area, you seriously need to look up #Misec, it’s a great group of people. Reach out to @Ashioni, he is trying to set up a workshop at @CBI_IT to go over these exercises.

After you’ve conquered Bandit, move on to the next level: Leviathan. I suggest trying Bandit in a group with other people, but Leviathan should be pretty tame and is a good way to test your individual skills.

Testing HPKP Headers

Over the last two weeks, I’ve been posting a lot about HTTP Public Key Pinning. This will be my last post about it; I want to focus on testing HPKP. If you don’t know what HPKP is, read the first post. To learn how to add those headers, read the second post.

I’ve had to spend a lot of time trying to figure out how to properly test these headers. In theory, this is how it should work. The first time your browser loads a website with HPKP, it saves the pin in its memory and then compares the pin on every request after that until the pin expires. If the browser ever finds a request without a pin or with an incorrect pin, then the browser will block the request and warn the user.

Failed attempts at testing HPKP

In order to test this, you should just have to change the pin. Easy, right? Well, so far the execution of that has been tricky. When I tried to change the pin to a random number that doesn’t match the cert, the browser seems to ignore the pin (according to my own results) and doesn’t send an error.

The next idea I attempted was to use OWASP ZAP to man-in-the-middle (MITM) the request, which would change the certificate and the pin could be modified in all the requests. This also didn’t work because HPKP is ignored when a client trusted certificate is used instead of one approved by a CA. “Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor).” –Mozilla.

Better ways for testing HPKP

What did seem to work was setting Chrome’s expected value to a false pin, and then getting an error when going to the site with a real pin. Here are the steps:

  • Go to chrome://net-internals/#hsts in chrome
  • Add your domain and use the example sha256/7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= as the Public key fingerprints
  • Go to your domain
  • You should see an error message like the one below.
Chrome error message from testing HPKP
Error message from testing HPKP

This works for testing it from one application. What about other browsers like Firefox?

Another idea for testing HPKP is to keep the pin but change the certificate used to one that doesn’t match the pin. This requires buying another certificate because it has to be CA approved. You can either modify your domain’s headers to change the cert or you can try to use MITM and the CA cert instead of the self-signed cert.

Let me know how you test HPKP, it’s tricky business and isn’t easy to do. There are online tools like report-uri’s HPKP analyser that can compare the certificate and the pin, but they will not test the browser’s usage of the pin. A lot of people think it’s good enough, but that’s not true. If browsers do not properly block other requests without a correct pin, then there is no point in using HPKP.

Adding a HPKP Header

Before we try to add a HPKP header, let’s review from last week. I made a post about what HTTP public key pinning is. It’s a fingerprint that browsers use to compare certificates and warn the user if the certificate is from a different source, even if it’s trusted or from the same server. If that doesn’t make sense, check out the link to the previous post.


A Public-Key-Pins header looks like this:
Public-Key-Pins: pin-sha256="…"; pin-sha256="…"; max-age=###; includeSubDomains; report-uri="…"

The required parts are pin-sha256 and max-age. The pin is where you add the actual pin and the age is the number of seconds the pin is kept by a browser. It’s good to note that the policy will not work with only one pin in the header; at least one backup pin is required. I’ll go over creating pins further below. For testing, keep the age short like 10 seconds (I did 500); otherwise the standard recommends a two month period (5184000 seconds). Both includeSubDomains and the reporting URL are optional. The include is just a boolean, I set it to true just to be safe. I don’t have reporting set up so I do not include that URL in my header.

Getting a pin

In order to get a pin, you first need a certificate. So make sure you have TLS enabled on your site. Basically, you need to make sure https://your-website works and you get the green lock. An easy way to get TLS set up is Let’s Encrypt, I wrote about that in my TLS blog post a few months ago, scroll to the Try it! section. Once you have a certificate, you have two choices. First, you can use a nice tool and grab the pin generated for you (don’t worry, you’ll be sending this hash to everyone anyways, it’s ok if someone else generates it for you… as long as it’s valid). All you have to do is type in your website’s domain / URL into the tool.

The other option is to use openssl on your server to encode and hash the value yourself. First you need to find the certificate. Since I use Let’s Encrypt, mine was in /etc/le and called private.pem. All you need to do from there is run the command below:

openssl x509 -pubkey < private.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Be sure to change private.pem to your filename, all else should stay the same. This won’t modify anything but will echo your new pin.

Getting a backup pin

Backup pins are a little trickier to create. First off, the reason we need a backup pin is that we are limited in what’s accepted by the browser. It’s a good idea to give the browser more than a single option just in case the private key from the first pin gets compromised. This method will generate a new CSR and private key for the same TLS certificate. Here are the steps. It’s very similar to generating the first pin, you just need to create the csr and key first.

Step 1: Generate a new private key
openssl genrsa -out name.your.backup.key 4096
– 4096 is the key size in bits; 2048 or 4096 are the only two values you should be using.

Step 2: Generate a CSR
openssl req -new -key name.your.backup.key -sha256 -out name.your.backup.csr
– There are fields you will be prompted to fill in, do so to the best of your ability.

Step 3: Generate the second pin
openssl req -in name.your.backup.csr -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

So now you should have both pins*. For future reference, I would recommend writing a bash script to run these commands and then echo the pin values in the format of the header so it’s possible to copy and paste the header into a configuration file. Can you think of a better way? *This is also a good time to mention that you will have to redo this EVERY time you change your TLS certificates; if you’re being super-cyber-secure, that means every three months. That means the more automated, the better!
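As an added example (my own code, not from the original post or any project it mentions), here is a stdlib-only Python version of what the openssl pipeline above computes: the pin is base64(SHA-256(SubjectPublicKeyInfo in DER)), and the header builder enforces the two-pin rule from the post. The certificate it parses is a constructed DER shell with empty issuer/subject and no real signature; the `build_hpkp_header` name and the minimal DER walker are mine.

```python
import base64
import hashlib
import re

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert_der(cert_der):
    """Return the raw DER SubjectPublicKeyInfo (tag+length included) from a DER X.509 cert."""
    _, cert, _ = _read_tlv(cert_der, 0)           # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                # tbsCertificate SEQUENCE
    pos = 0
    if tbs[0] == 0xA0:                            # optional [0] EXPLICIT version
        _, _, pos = _read_tlv(tbs, pos)
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)               # subjectPublicKeyInfo
    return tbs[pos:end]

def hpkp_pin(spki_der):
    """base64(sha256(SPKI)): the value inside pin-sha256="..."; same as the openssl pipeline."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# A 32-byte digest always base64-encodes to 43 characters plus one '=' pad.
PIN_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")

def build_hpkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Assemble the Public-Key-Pins value; refuse a policy without a distinct backup pin."""
    if len(set(pins)) < 2:
        raise ValueError("HPKP needs a primary pin and at least one distinct backup pin")
    for pin in pins:
        if not PIN_RE.match(pin):
            raise ValueError("not a base64 SHA-256 digest: %r" % pin)
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)

def der_tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_cert(spki_body):
    """Constructed certificate shell: v3 version, serial 1, four empty SEQUENCEs, then the SPKI."""
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") \
        + der_tlv(0x30, b"") * 4 + der_tlv(0x30, spki_body)
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    primary = hpkp_pin(spki_from_cert_der(sample_cert(b"\x00" * 200)))
    backup = hpkp_pin(b"constructed backup SPKI bytes")
    print(build_hpkp_header([primary, backup], 5184000, include_subdomains=True))
```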

Adding a HPKP header

Now, depending on your server, there are a lot of different ways to add a header to your responses. If you’re using apache, add a line to the vhost file. If you’re using nginx, there’s a similar line you can add to the configuration. If you’re using a fancy load balancer that’s too expensive for a guy running a blog off a VM, then you can use a rule designed for that load balancer.

I’d be worried to tell you too much about my architecture, but the response header already straight up tells you I run on an apache server… [note to self: remove that next time I’m digging in header configs and then update this blog post]. Since we are all caught up on my server’s inner workings, I’ll go through the steps to add this to your apache config.

Step 1:
sudo a2enmod headers
– You need to have permission to modify headers from the vhost file

Step 2:
sudo nano/vim/vi [your favorite text editor] server.conf
– Edit your vhost file and add the line in step 3

Step 3:
Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
– Save the vhost file

Step 4:
sudo service apache2 restart

Check your HPKP header is there

Your header should be there; if everything works well, your browser won’t yell at you about your website. Nothing will change, yay you’re done! But wait, how do we know? Well… seeing that the pin is there is easy, check your response headers and you can see the pin. Or use another report-uri tool that tells you whether the hash is valid and that you have your backup pin available.

HPKP header results
Results from tool after HPKP header has been added

Final Comments

In a future blog post, I’ll be discussing a way to actually test the pins and see if the browser will respond well. Right now, I’ve only read about a method that requires purchasing a second certificate. To avoid that, I’m looking into any other possibilities such as using a MITM technique. The issue with that is modern browsers are doing a similar check even without the pins, so at this point in time I’m unsure if it’s the browser’s default functionality or the new HPKP header.

If you have any issues with the steps, please comment below. Let me know if you want to see more about securing HTTPS protocols!

Special shout out again to Scott. Thanks to his blog posts, I found the report-uri tools and was able to double check the commands I found on Mozilla about getting a pin for the HPKP header.



Rebuilding the 3D printer

A long long time ago, I wrote a blog post about trying to assemble a new Folger Tech 3D printer. Long story short, I was given a bad Arduino board that started to smoke as soon as it was plugged in. I spent weeks trying to get help from Folger to check my wiring, because to the best of my knowledge I had followed their instructions and I didn’t know what was wrong. Well, after getting a response from them saying “Looks fine to me” and Reddit users not being able to help, I looked for a cheap replacement for the board and found the electronics from an online store that shipped from China. I got a new board, shield, and 5 motor controls for under $20.

Reassembling the 3D printer

After a couple months of procrastination, I finally decided to rip apart the printer and install the new electronics. This wasn’t the first time I had to disassemble part of the printer, tear apart the electronics and reassemble them. The only good thing from that is practice makes perfect. This is the fourth time having to go through the process and that makes it easier. It’s also nice to have a second set of hands, I had a helper who was able to catch falling screws, hold wires, and check the instructions when my hands were full.

Before I started doing anything to the printer, I re-watched a video on Youtube of a guy that assembled the same printer and got it working. Even when I was following along with the video, I didn’t do anything different, so I’m pretty sure the only issue was the bad board.

Once I got everything reinstalled, plugging it in was the most nerve-wracking part of the entire process. I didn’t want to have it start smoking again in case I really had wired something wrong. Luckily I had nothing to fear; plugging it in didn’t cause anything to smoke and that was a huge relief to me. I was able to calibrate the motor controls and nothing started to burn even as it was on for around 15 minutes.

Firmware/Computer Software

The next stage was getting the firmware installed on the Arduino. Another rookie mistake I learned from: install the firmware before you connect everything together. The firmware (and configuration) was provided by Folger Tech and for some reason I couldn’t install it from my mac once everything on the 3D printer was connected to the board. The computer knew there was a serial connection, but couldn’t do anything with it. After reinstalling drivers and googling fixes, I finally gave up and decided to try another computer. I installed the Arduino IDE and Repetier-Host onto my new windows 10 “gaming” laptop that I just got for Christmas and hoped that would work. Luckily it did, I was able to upload the firmware without having to disassemble the printer for the fifth time.

I was able to connect to the printer using Repetier. I set up the software’s configuration and tested the end stops on the printer. It seemed like the printer and computer were working well, so I tried to send the “go home” command to the printer, so the nozzle would move to the default position… Well, guess what happened.

What’s next?

This isn’t the end, I’m currently messing with more configurations for the 3D printer and the Repetier software. I’m not sure what I need to do next but I’ll figure it out eventually. Hopefully sometime soon you’ll see a post with my first actual print.