Recover administrator password of a Windows VM

I run a lab with a couple of Windows VMs on different laptops via VMware Workstation (for Linux). Some of these machines are “vulnerable” Windows systems (check out Microsoft Evaluation Center). I pretty much always use the same password for the administrator account to make management easy. This is bad practice for a real-life environment, but the purpose of these machines is to get compromised anyway.

However, sometimes it might seem like a good ideaRead more.

Security and MQTT

I recently had to explore MQTT. I had never heard of this protocol before. However some helpful resources provide a clear explanation what MQTT is about.

MQTT is a machine-to-machine (M2M)/”Internet of Things” connectivity protocol that uses a lightweight publish/subscribe messaging transport. MQTT works on top of TCP/IP and by default uses port tcp/1883.

A quick search on Shodan reveals that there are a lot of devices publicly available, primarily in the US and Asia.Read more.

Manually deleting Time Machine backups

I use an Apple MacBook as my primary work laptop. One of the nice features that are automatically included in OSX is Time Machine, allowing you to do automatic backups.

You can do the backups to an external disk (via USB) or to a network connected disk. I also have a Synology NAS with a volume (encrypted of course) configured for the backups. I have set a quota for this volume to prevent the backupsRead more.

ipv6: Neighbour table overflow

One of my virtual machines hosted at Gandi had an excessive amount of error messages

The cause of this error message are the IPv6 router announcements that try to discover and configure the IPv6 neighbourhood. The excessive amount of messages were polluting the logs.

After contacting the Gandi helpdesk they provided insight on the cause of the error message and provided mitigations to prevent these type of errors. I had to update /etc/sysctl.conf withRead more.

Do Tor exit nodes alter your content? (or is Tor safer than Vodafone?)

The short answer : no, TOR exit nodes do not alter your content.

A recent post by @adrellias got my attention. The link in the post refers to an article where a user spots a case of content (Javascript) injection by Vodafone. The details can be found in the blogpost Am I hacked? Oh, it’s just Vodafone. Needless to say this is very bad behavior by Vodafone.

Vodafone eavesdrops on your conversation, causing this toRead more.

Introduction to Modbus TCP traffic

Modbus is a serial communication protocol. It is the most widespread used protocol within ICS.

It works in a Master / Slave mode. This means the Master has the pull the information from a Slave at regular times.

Modbus is a clear text protocol with no authentication.

Although it was initially developed for serial communication it is now often used over TCP. Other versions of Modbus (used in serial communication) are for example Modbus RTURead more.

Split terminal on OSX

I use Apple OSX for my day-to-day work. Because of my background with Linux and OpenBSD the OSX Terminal application is my most “popular” application.

Because I got spoiled with the ease of use of screen on Linux devices and the basic Terminal app on OSX is fairly limited in feature-set I was looking for an alternative that runs natively on OSX and provides similar features to screen.

TMUX is a terminal application that allowsRead more.

Using different public online malware analyser tools

Analyzing malware and extracting useful detection indicators (Indicators of Compromise, IOCs) for protecting your customers is a recurrent task if you do incident response. If you have your own malware analysis environment and you receive a suspected malicious file then uploading the file for processing and waiting for the analysis is one of the first steps in this process. However sometimes you have to rely on using different public online malware analyser tool for gettingRead more.

Recursive curl with Tor on Apple OSX

The Tor Apple OSX Tor Bundle is a stripped Firefox browser that uses a local SOCKS proxy to anonymize the requests.

The SOCKS proxy that is used is tor.real, located at /Applications//

Anonymous browsing is good but I needed a command line tool to fetch a web page or web site. More specific, I want to recursively download a website from the command line. Ideally you use wget for this. Unfortunately wget does notRead more.

Use CryptoLocker to train your incident response team (part 2)

This is the second part in a post describing how to train your team for incident response and incident investigations.

The first part covered how to analyze the e-mail headers and information in a suspicious e-mail.

The e-mail contained one attachment : Unzipping the file resulted in a .scr file.

The sha1 is

MD5 is

I uploaded the scr file to Virustotal for further analysis. So far (22-Feb) no-one else submitted a similar sample.Read more.