Thursday, 24 September 2015

A security tester’s toolkit @DevConnections

Last week I presented my Security Tester’s Toolkit talk, or as I subtitled it, “How to get arrested by doing stupid stuff!”, at IT/DevConnections in Las Vegas.

Here is the list of tools and resources that I used or mentioned and also, by request, the hardware that I demonstrated during the talk.

Operating Systems
  • Kali Linux – Debian-based Linux penetration testing operating system
Wi-Fi Tools
Attack tools

There are a lot of tools mentioned and demoed in this talk but that is only the tip of the testing toolkit iceberg.

Tuesday, 15 September 2015

Website Fuzziness @Devconnections

As this is being posted, I will be just finishing up my session at IT DevConnections on Website Fuzziness. This talk is about how to hack your own website to discover potential flaws and vulnerabilities before someone else does.

As promised, here are the resources for the tools that I showed during this talk.

Demo sites

These sites can be loaded locally or attacked without permission. You can use them as a reference to test your scanners and also to demonstrate to people what should not be done in production systems.


The following tools are designed to find cracks in your defenses. Use wisely and do not use against sites that you do not have permission to attack.

Wednesday, 26 August 2015

Introducing Am I Sharing Stuff

A while back, I posted about the dangers of open FTP services that a lot of home routers provide. The more I thought about it, the more I realised that it wasn’t visible to people how to find out if they were sharing files via FTP without going to sites such as Shodan or FileMare.

That is why I created Am I Sharing Stuff and it is now live at so let me tell you about it.

About Am I Sharing Stuff

After I wrote the post, I went through a number of different ideas on automating searches so that people could see if their router was doing anything suspicious. The more I looked into it, the more I could see that the problem was only getting bigger as routers were being compromised and more files were being exposed.

So I came up with the idea of loading a page and telling the person what is wrong, and so Am I Sharing Stuff was born.

It is a very simple site that checks if your current IP is sharing information via FTP. It is limited to the FTP service at the moment, but I will expand it to HTTP, Telnet and SMB as these are the most common vulnerable services.

On loading the page, you will be shown your IP and any information the scanner has. Over 40 million IPs have been scanned so far covering the Nordics (Norway, Sweden, Denmark and Finland) with country blocks being added daily.

You can request a scan of your IP and the server will attempt to connect to your shown IP address. Feedback is sent in real time from the scanner so that you will get an update while you wait. You can only scan the IP address you are connected from. This is simply to prevent abuse and using the scanner to scan IP addresses.

You can also remove your information from the site. At the moment there is no permanent blacklisting, but this will be coming on stream in a couple of days.


What are you doing to connect to my router?

The server sends a request to your router on port 21, the port used by FTP. If your router answers, the crawler will attempt to log in using the anonymous credentials. If it logs in, it will attempt to get a list of the directories. The crawler then sends the following information back to the server:

  • The IP address that was scanned
  • The country that the IP is registered to
  • If port 21 was open
  • If items were found

No details of the types of files, the number of files or any other information is retrieved or stored.
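The check described in this answer can be run against your own router from inside or outside your network. The sketch below is an added example, not the site's crawler code: it uses Python's standard `ftplib`, records only the yes/no facts listed above (the country lookup is left out), and the `ftp_factory` parameter and `FakeRouterFTP` class are hypothetical names introduced so the logic can be exercised offline.

```python
import ftplib


def check_anonymous_ftp(host, port=21, timeout=5.0, ftp_factory=ftplib.FTP):
    """Return the yes/no facts the FAQ lists for one host you own.

    ftp_factory is a hypothetical hook (not part of the site) so the
    check can be tested without touching the network.
    """
    result = {"ip": host, "port_open": False,
              "anonymous_login": False, "items_found": False}
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors:
        return result                  # port 21 closed, filtered or not FTP
    result["port_open"] = True
    try:
        ftp.login()                    # ftplib defaults to user "anonymous"
        result["anonymous_login"] = True
        # Keep only whether anything is listed; the names are discarded.
        result["items_found"] = len(ftp.nlst()) > 0
    except ftplib.all_errors:
        pass                           # login refused, or empty listing (550)
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
    return result


class FakeRouterFTP:
    """Constructed stand-in for a router with anonymous FTP enabled."""
    def connect(self, host, port, timeout): return "220 ready"
    def login(self): return "230 logged in"
    def nlst(self): return ["usb_disk"]
    def quit(self): return "221 bye"
    def close(self): pass


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as constructed sample input.
    print(check_anonymous_ftp("192.0.2.10", ftp_factory=FakeRouterFTP))
```

Drop the `ftp_factory` argument and pass your router's own address to run the check for real; if `anonymous_login` comes back true, the FTP share is reachable without a password.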

Do you charge for the service?

No. It’s free to use.

What if I don’t want my data on the site?

Click the Remove your details button. The site information is deleted. If you click Scan, it will be inserted again. I will be rolling out permanent blacklisting in the next couple of days.

Will removing my site mean you will not scan me again?

Yes, Am I Sharing Stuff’s crawler will not; however, other crawlers may.

What do I do if I am sharing files and I didn’t realise it?

You can check with the manufacturer of your router and see how to change it. The most common manufacturers are listed below

Technical FAQ

The site is ASP.NET MVC hosted on Azure. A technical write-up will be coming soon.

Friday, 19 June 2015

A thank you to Skandiabanken

At my NDC Oslo talk today, I showed how to downgrade HTTPS to HTTP on Skandiabanken. It was with the kind permission of the people at Skandiabanken and I would like to express my thanks for that.

The attack I used is a very narrow attack and doesn’t compromise the bank’s security because of the excellent security that they have implemented, but it does show the vulnerability of the underlying network.

The main lesson for people is to keep an eye on your browser because as you saw, the browser showed the correct site but address was

If you are a regular user of the bank website you should be OK due to the way the attack works: for it to work, you must not have visited the bank in that browser before.

Again, many thanks for their kind permission.