Wiresharking for Fun or Profit

Wireshark is an open source network packet analyzer that allows live traffic analysis and supports several protocols.

Wireshark is also useful for network forensics, for example in CTFs (check my writeups for the D-CTF Quals 2014 and for the CSAW Quals 2014 in Networking and Forensics).

In this ...


The Ultimate Linux Guide for Hackers ;)

Being a Linux user is, above all, a lifestyle. Interestingly, more and more people have been joining this community, keeping it dynamic and organic.

Linux has been in my life since my high school years and I'm still constantly inspired by the fact that it has not lost ...


On CRLs, OCSP, and a Short Review of Why Revocation Checking Doesn't Work (for Browsers)

Today I am going to talk about some regulation details of SSL/TLS connections. These connections rely on a chain of trust. This chain of trust is established by certificate authorities (CAs), which serve as trust anchors to verify the validity of who a device thinks it is talking to ...


A Closer Look at Chrome's Security: Understanding V8

In 2008, Google released a sandbox-oriented browser that was assembled from several different code libraries from Google and third parties (for instance, it borrowed a rendering machinery from the open-source WebKit layout engine, later changing it to a forked version, Blink). Six years later, Chrome has become the preferred browser ...


A List of Common Web Vulnerabilities

Although nomenclatures don't help much when you are facing a security problem, I am keeping this list for a systematic organization. It is constantly being updated.

In addition to this list, you can check some older posts specific to web exploitation: Exploiting the web in 20 lessons and D-Camp CTF ...


Quick and Dirty intro to OpenPGP & GPG

Pretty Good Privacy (PGP) is a model that provides cryptographic privacy and authentication for data communication. It was created by Phil Zimmermann in 1991. Today, PGP is a company that sells a proprietary encryption program, OpenPGP is the open protocol that defines how PGP encryption works, and GnuPG is the ...


The Peace Pipe at Hack.lu's Final CTF 2014

Last week was the Hack.lu Final CTF. In this post I discuss one of my favorite crypto problems in that CTF: the "Peace Pipe".

Understanding the Problem

The problem starts with this weird story:

After a long day, you sit around a campfire in the wild wild web with ...

Exploring D-CTF Quals 2014's Exploits

Last weekend I played some of the DEFCAMP CTF Quals. It was pretty intense. For (my own) organizational purposes, I made a list of all the technologies and vulnerabilities found in this CTF, some based on my team's game, some based on the CTF write-ups git repo.

Vulnerabilities

Remote ...


Exploiting the Web in 20 Lessons (Natas)

Continuing my quest through the Wargames, today I am going to talk about the first 20 levels of Natas, the web exploitation episode.

I divide the exploits into two parts. The first part contains the easy challenges that don't demand much art (and are a bit boring). The second ...


On Paillier Ciphersystem, Binary Search and the ASIS CTF 2014

The ASIS CTF happened last weekend. Although I ended up not playing as much as I wanted, I did spend some time working on a crypto challenge that was worth a lot of points in the game. The challenge was about a not very well-known system, the Paillier cryptosystem.


The Cryptosystem ...
