Andreas Happe

LLMs as Hackers: Autonomous Linux Privilege Escalation Attacks

Wed, 15 Oct 2025 00:00:00 +0000

Published in EMSE, arxiv version:

Penetration-testing is crucial for identifying system vulnerabilities, with privilege-escalation being a critical subtask to gain elevated access to protected resources. Language Models (LLMs) presents new avenues for automating these security practices by emulating human behavior. However, a comprehensive understanding of LLMs’ efficacy and limitations in performing autonomous Linux privilege-escalation attacks remains under-explored. To address this gap, we introduce hackingBuddyGPT, a fully automated LLM-driven prototype designed for autonomous Linux privilege-escalation. We curated a novel, publicly available Linux privilege-escalation benchmark, enabling controlled and reproducible evaluation. Our empirical analysis assesses the quantitative success rates and qualitative operational behaviors of various LLMs – GPT-3.5-Turbo, GPT-4-Turbo, and Llama3 – against baselines of human professional pen-testers and traditional automated tools. We investigate the impact of context management strategies, different context sizes, and various high-level guidance mechanisms on LLM performance. Results show that GPT-4-Turbo demonstrates high efficacy, successfully exploiting 33-83% of vulnerabilities, a performance comparable to human pen-testers (75%). In contrast, local models like Llama3 exhibited limited success (0-33%), and GPT-3.5-Turbo achieved moderate rates (16-50%). We show that both high-level guidance and state-management through LLM-driven reflection significantly boost LLM success rates. Qualitative analysis reveals both LLMs’ strengths and weaknesses in generating valid commands and highlights challenges in common-sense reasoning, error handling, and multi-step exploitation, particularly with temporal dependencies. Cost analysis indicates that GPT-4-Turbo can achieve human-comparable performance at competitive costs, especially with optimized context management.

Installing LineageOS on Xiaomi Mi Mix 3

Mon, 13 Oct 2025 00:00:00 +0000

I am using an (now 5 years old) Xiaomi Mi Mix 3 as a backup phone for travelling. Given its age, the phone is no longer receiving official updates from Xiaomi, which poses security risks and limits access to new features.

To address this, I installed LineageOS, a popular custom ROM that provides regular updates and enhanced privacy features a couple of years back. Recently, I’ve updated the phone to the latest support version (LineageOS 22.2) and ran into some problems, whose solutions I want to share here.

Can LLMs Hack Enterprise Networks? Autonomous Assumed Breach Penetration-Testing Active Directory Networks

Thu, 11 Sep 2025 00:00:00 +0000

Published in TOSEM, arxiv version:

Enterprise penetration-testing is often limited by high operational costs and the scarcity of human expertise. This paper investigates the feasibility and effectiveness of using Large Language Model (LLM)-driven autonomous systems to address these challenges in real-world Active Directory (AD) enterprise networks. We introduce a novel prototype designed to employ LLMs to autonomously perform Assumed Breach penetration-testing against enterprise networks. Our system represents the first demonstration of a fully autonomous, LLM-driven framework capable of compromising accounts within a real-life Microsoft Active Directory testbed, GOAD. We perform our empirical evaluation using five LLMs, comparing reasoning to non-reasoning models as well as including open-weight models. Through quantitative and qualitative analysis, incorporating insights from cybersecurity experts, we demonstrate that autonomous LLMs can effectively conduct Assumed Breach simulations. Key findings highlight their ability to dynamically adapt attack strategies, perform inter-context attacks (e.g., web-app audits, social engineering, and unstructured data analysis for credentials), and generate scenario-specific attack parameters like realistic password candidates. The prototype exhibits robust self-correction mechanisms, installing missing tools and rectifying invalid command generations. We find that the associated costs are competitive with, and often significantly lower than, those incurred by professional human pen-testers, suggesting a path toward democratizing access to essential security testing for organizations with budgetary constraints. However, our research also illuminates existing limitations, including instances of LLM ``going down rabbit holes’’, challenges in comprehensive information transfer between planning and execution modules, and critical safety concerns that necessitate human oversight.

Adversarial Bug Reports as a Security Risk in Language Model-Based Automated Program Repair

Thu, 04 Sep 2025 00:00:00 +0000

arxiv version:

Large Language Model (LLM) - based Automated Program Repair (APR) systems are increasingly integrated into modern software development workflows, offering automated patches in response to natural language bug reports. However, this reliance on untrusted user input introduces a novel and underexplored attack surface. In this paper, we investigate the security risks posed by adversarial bug reports – realistic-looking issue submissions crafted to mislead APR systems into producing insecure or harmful code changes. We develop a comprehensive threat model and conduct an empirical study to evaluate the vulnerability of state-of-the-art APR systems to such attacks. Our demonstration comprises 51 adversarial bug reports generated across a spectrum of strategies, from manual curation to fully automated pipelines. We test these against leading APR model and assess both pre-repair defenses (e.g., LlamaGuard variants, PromptGuard variants, Granite-Guardian, and custom LLM filters) and post-repair detectors (GitHub Copilot, CodeQL). Our findings show that current defenses are insufficient: 90% of crafted bug reports triggered attacker-aligned patches. The best pre-repair filter blocked only 47%, while post-repair analysis-often requiring human oversight-was effective in just 58% of cases. To support scalable security testing, we introduce a prototype framework for automating the generation of adversarial bug reports. Our analysis exposes a structural asymmetry: generating adversarial inputs is inexpensive, while detecting or mitigating them remains costly and error-prone. We conclude with practical recommendations for improving the robustness of APR systems against adversarial misuse and highlight directions for future work on trustworthy automated repair.

On the Surprising Efficacy of LLMs for Penetration-Testing

Tue, 01 Jul 2025 00:00:00 +0000

arxiv version:

This paper presents a critical examination of the surprising efficacy of Large Language Models (LLMs) in penetration testing. The paper thoroughly reviews the evolution of LLMs and their rapidly expanding capabilities which render them increasingly suitable for complex penetration testing operations. It systematically details the historical adoption of LLMs in both academic research and industry, showcasing their application across various offensive security tasks and covering broader phases of the cyber kill chain. Crucially, the analysis also extends to the observed adoption of LLMs by malicious actors, underscoring the inherent dual-use challenge of this technology within the security landscape. The unexpected effectiveness of LLMs in this context is elucidated by several key factors: the strong alignment between penetration testing’s reliance on pattern-matching and LLMs’ core strengths, their inherent capacity to manage uncertainty in dynamic environments, and cost-effective access to competent pre-trained models through LLM providers. The current landscape of LLM-aided penetration testing is categorized into interactive ‘vibe-hacking’ and the emergence of fully autonomous systems. The paper identifies and discusses significant obstacles impeding wider adoption and safe deployment. These include critical issues concerning model reliability and stability, paramount safety and security concerns, substantial monetary and ecological costs, implications for privacy and digital sovereignty, complex questions of accountability, and profound ethical dilemmas. This comprehensive review and analysis provides a foundation for discussion on future research directions and the development of robust safeguards at the intersection of AI and security.

Benchmarking Practices in LLM-driven Offensive Security: Testbeds, Metrics, and Experiment Design

Mon, 16 Jun 2025 00:00:00 +0000

Presented at DeMeSSAI'25 in Venice, Italy, arxiv version:

Large Language Models (LLMs) have emerged as a powerful approach for driving offensive penetration-testing tooling. Due to the opaque nature of LLMs, empirical methods are typically used to analyze their efficacy. The quality of this analysis is highly dependent on the chosen testbed, captured metrics and analysis methods employed. This paper analyzes the methodology and benchmarking practices used for evaluating Large Language Model (LLM)-driven attacks, focusing on offensive uses of LLMs in cybersecurity. We review 19 research papers detailing 18 prototypes and their respective testbeds. We detail our findings and provide actionable recommendations for future research, emphasizing the importance of extending existing testbeds, creating baselines, and including comprehensive metrics and qualitative analysis. We also note the distinction between security research and practice, suggesting that CTF-based challenges may not fully represent real-world penetration testing scenarios.

Homeserver: Glances and Home Assistant for Monitoring

Wed, 30 Apr 2025 00:00:00 +0000

Now that I have a minimal home server running, I thought it would be good idea to monitor temperature, disk usage and such. The simplest solution that I found was to use Glances and use Home Assistant to store and display the data.

Homeserver: Creating local Proton Drive/Mail Backups

Sun, 27 Apr 2025 00:00:00 +0000

By now, I am using Proton Drive for cloud data storage and Proton Mail as my primary mail service. While I trust Proton with my data, I do not want to rely on them completely. As I have a small server standing around at home, it’s kinda obvious to use it for automatically performing backups of my cloud data.

I try to use systemd services and timers for this, as this makes monitoring and logging quite easy.

This blog post mostly serves as a reminder for me, but maybe it helps someone else as well.

Homeserver: Services Pt. 1

Wed, 09 Apr 2025 00:00:00 +0000

I am running a home server for a while now. I have been using it to host some services that I use regularly. In this post, I will share my experience with some of the services I have set up on my home server.

This initial post will go over local git hosting using gitea, audiobook streaming using audiobookshelf and a self-hosted RSS reader using tt-rss.

Using tailscale on Fedora Silverblue

Mon, 07 Apr 2025 00:00:00 +0000

I am using Fedora Silverblue as one of my main desktops. Recently, I’ve been moving some services to a server behind tailscale but was still using its local IP address when at home at my Silverblue desktop. While doable, using an IP-address with an invalid HTTPS certificate wasn’t that pretty — so why not just access it through tailscale even within the same network, it’s an overlay network overall (so it should do a direct connection between my desktop and the home-server).

Building a little home-server with Linux, TailScale, ProtonVPN, Docker Compose and VM support

Sat, 05 Apr 2025 00:00:00 +0000

I’ve been using a mini-computer as home-server for the last couple of years. Originally, I used it to share files between my computers, but over time more and more services (like RSS-readers, media-libraries, home automation, etc.) were moved on that surprisingly capable mini-server.

I’ve grown up using Linux (well, I was already 16 when Linux became available around here, but you get the gist) so it always felt natural to me to just just use a minimal Linux installation (debian) instead of using some NAS that supports add-on third-party software.

LangGraph: Adding Plan-and-Execute Planner

Mon, 14 Oct 2024 00:00:00 +0000

Adding Plan-and-Execute Planner

All sources can be found in our github history.

When using LLMs for complex tasks like hacking, a common problem is that they become hyper-focused upon a single attack vector and ignore all others. They go down a “depth-first” rabbit hole and never leave it. This was experienced by me and others.

Plan-and-Execute Pattern

One potential solution is the ‘plan-and-solve’-pattern (often also named ‘plan-and-execute’-pattern). in this strategy, one LLM (the planner) is given the task of creating a high-level task plan based upon the user-given objective. The task plan is processed by another LLM module (the agent or executor). Basically, the next step from the task plan is taken and forwarded to the executer to solve within in a limited number of steps or time.

LangGraph: Simplify our Tool-Calling Agent through `create_react_agent`

Sat, 12 Oct 2024 00:00:00 +0000

Simplify our Tool-Calling Agent through `create_react_agent`

LangGraph has some amazing Prebuilt Components, one of them is the create_react_agent function that allows you to hughely simplify creating new tool-using agents.

The full source code can be found within our github history.

The simplified version

This willb e based upon our recent configuration-improved version. Similar to that version, we start by reading the configuration data, setting up our LLM, connecting to the target system via SSH, and configuring tools for usage through LLMs:

LangGraph: Improving Configuration Handling, esp. for Tools

Fri, 11 Oct 2024 00:00:00 +0000

Improving Configuration Handling, esp. for Tools

While being quite happy that the initial prototype worked within hours, its code was very prototype-y, i.e., much of its configuration was hard-coded. In a second step, we want to fix this by making our target information (the SSH connection) configurable and remove all hard-coded credentials from the code.

Big Picture

We are already using python-dotenv for some of our configuration so it makes sense to further utilize this for more configuration data. In the improved implementation, our .env will look like this:

Work/Life Balance, pt. 3: Scheduling Work

Sat, 11 Nov 2023 00:00:00 +0000

The first parts of this series were about getting more done while at work as well as making it easier to switch from work into leisure mode. Both have a rather bottom-up feeling to them. In contrast, this post will be top-down: investigating my scheduling habits and trying to get them to a point where they actually protect myself from over-scheduling too much work.

My Scheduling Habits thus far

After years or trying different todo and task applications, I’ve settled upon a rather simplistic approach: simple markdown todo lists versioned through git. Mostly I use this for reminders, things that I need to do for work and, leisure activities such as reminding me to go do some yoga.

Work/Life Balance, pt. 2: Separation and Blurry Lines

Sat, 28 Oct 2023 00:00:00 +0000

While the initial experiment focused upon productivity, the main goal of this series is to improve my work/life balance. Getting more productive should just allow me to switch from work to leisure earlier.

Currently I have access to my university office, so I have a nice geographical separation between Work/“The Office” and “Everything Else”. So basically I want to keep work at the Office and leisure (mostly) outside of it: getting out of the office to recover while keeping distractions out of the office to let me get out of it faster. This is primarily about the office space, my coworkers are actually part of my recovery activities such as climbing. If I wouldn’t have access to the university office anymore I would have to get some shared office space.

Work/Life Balance, pt. 1: Prelude and Experiments

Fri, 27 Oct 2023 00:00:00 +0000

Last winter I was lucky to enroll in the so-far best lecture of my PhD studies: From Surviving to Thriving: Crafting your good personal Life by the great Geraldine Fitzpatrick. The course was about stress, mindfullnes, crafting, productivity.. nothing mind-blowing nor rocket science but comprehensive, accessible, and charmingly presented. Recently I read Do Nothing which I thoroughly enjoyed.

Maybe it’s time to experiment with my time (or rather life) management..

My Background

Just to give a bit of context: I am 41 and by now am back in Academia doing a PhD about the intersection of computer security and machine learning while I freelance as pen-tester and doing commercial security training workshops/talks, mostly about secure development and/or web security.

Understanding Hackers' Work: An Empirical Study of Offensive Security Practitioners

Wed, 23 Aug 2023 00:00:00 +0000

Presented at FSE'23 in San Francisco, US, arxiv version:

Offensive security-tests are a common way to pro-actively discover potential vulnerabilities. They are performed by specialists, often called penetration-testers or white-hat hackers. The chronic lack of available white-hat hackers prevents sufficient security test coverage of software. Research into automation tries to alleviate this problem by improving the efficiency of security testing. To achieve this, researchers and tool builders need a solid understanding of how hackers work, their assumptions, and pain points. In this paper, we present a first data-driven exploratory qualitative study of twelve security professionals, their work and problems occurring therein. We perform a thematic analysis to gain insights into the execution of security assignments, hackers’ thought processes and encountered challenges. This analysis allows us to conclude with recommendations for researchers and tool builders to increase the efficiency of their automation and identify novel areas for research.

Getting pwn'd by AI: Penetration Testing with Large Language Models

Thu, 17 Aug 2023 00:00:00 +0000

Presented at FSE'23 in San Francisco, US, arxiv version:

The field of software security testing, more specifically penetration testing, is an activity that requires high levels of expertise and involves many manual testing and analysis steps. This paper explores the potential usage of large-language models, such as GPT3.5, to augment penetration testers with AI sparring partners. We explore the feasibility of supplementing penetration testers with AI models for two distinct use cases: high-level task planning for security testing assignments and low-level vulnerability hunting within a vulnerable virtual machine. For the latter, we implemented a closed-feedback loop between LLM-generated low-level actions with a vulnerable virtual machine (connected through SSH) and allowed the LLM to analyze the machine state for vulnerabilities and suggest concrete attack vectors which were automatically executed within the virtual machine. We discuss promising initial results, detail avenues for improvement, and close deliberating on the ethics of providing AI-based sparring partners.

Using WSL2 to hide from EDR

Fri, 27 Jan 2023 00:00:00 +0000

TL;DR WSL2 seems to be one big lolbin when it comes to EDR

Scenario/Background

During a recent assumed-breach pen-test assignment I was stranded as a low-level user on a fully-updated Windows 10 Enterprise system (10.0.19045) including a deployed CrowdStrike Falcon EDR suite (6.49.16303.0). As I respect CrowdStrike I did not want to execute any malicious scripts on the host, so what to do?

WSL2 to the rescue!

Installation was done quite comfortable through the company’s Software Center, no local administrative rights required.

Active Directory: Using LDAP Queries for Stealthy Enumeration

Wed, 25 Jan 2023 00:00:00 +0000

During a recent assumed-breach pen-test assignment I ran into a problem: the customer had an up to date Windows Active Directory environment, CrowdStrike was rolled out as an EDR and a dedicated Incident Response Team was monitoring for alerts.. and I needed some Active Directory Enumeration to be done before I was planning out my next steps. I assumed, which later proved correctly, that just starting BloodHound or GetUserSPN.py would trigger defenders and defences.

Enumerating User-Accessible Directories within Windows Network Shares

Mon, 23 Jan 2023 00:00:00 +0000

During a recent security assignment I came upon a projects folder stored on a Microsoft Active Directory server and accessible thought the network (SMB/CIFS). It had the commonly used layout of a single subdirectory per project, users should only be able to access their corresponding projects and this is configured through ACLs. Initial tests did indicate that the access rights were given away sloppily as I was able to access some of those subdirectories.

Trying my hand with hacking Active Directories with responder, mitm6, ntlmrelayx and crackmapexec

Wed, 12 Oct 2022 00:00:00 +0000

So a customer of mine thought about ordering a Red Team Assessment and wanted me to go through their local network beforehands — no need to make it too easy for the red teamers. The customer’s network was a typical windows network, dated but kept up to date by two admins. Microsoft Defender was rolled out at all clients, and on some servers. A laptop with Kali Linux was connected to the local network, this was my starting point.

Building a 4G/LTE router+accesspoint using hostapd, network-manager and modemmanager

Fri, 11 Feb 2022 00:00:00 +0000

So I’ve been using a Raspberry Pi 4b+ together with a WaveShare LTE Modem as 4G router/access-point for my home network setup. I do like my hardware to be quiet and thus fan-less, alas the Raspberry Pi 4b+ gets a tad on the warm side. So this was a perfect opportunitiy to play around with an older Raspberry Pi 3b+ which should use approx. 20-25% less power (both, during idle and load) and with “new” software.

What is AppSec anyways?

Thu, 03 Jun 2021 00:00:00 +0000

AppSec includes all tasks that (hopefully) introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance.

To contrast AppSec with a traditional penetration-test: the latter tries to find vulnerabilities within an already existing application while AppSec focuses upon preventing vulnerabilities from entering the application code in the first place. Penetration Tests are also part of AppSec but they are used rather late in the project runtime to verify the security quality of the application and as input for how the development process can be augmented to prevent similar vulnerabilities from subsequently entering the application.

Secure Software Development Lifecycle Basics

Sun, 23 May 2021 00:00:00 +0000

Recently I had a couple of customers that needed some guidance about secure software development. I assume that this happens because I am a developer gone pen-tester so I’ve seen both side of the “problem”. Of course, suggestions differ between software stacks and the overall customer professionalism level, but there is a common starting ground that should be suitable for any professional software project. Without those, anything more advanced would be built upon shaky grounds. Please note, that those are just the starting ground and should not be a limiting set for further improvements.

HTTP Header Security

Mon, 12 Apr 2021 00:00:00 +0000

During a recent presentation on HTTP Header Security I was asked for a “simple” flow chart with directions which headers can be used without too many problems. The result was this:

What was the reasoning? Initially, basic headers that unify browser behavior are set. They control behavior that is already set when using modern browsers (e.g., Referrer-Policy) or unify non-standard behavior (e.g, X-Content-Type-Options: nosniff). The basic idea behind those headers is, that web developers need to make sure that their website works with those anyway (otherwise people using modern browsers might complain) so it makes sense to take care of those situations during development.

Book Updates and Blog Posts..

Tue, 08 Dec 2020 00:00:00 +0000

Given that I’ve spent more time in my flat (hello, COVID-19) I also spent more time looking at my book shelf.. and wasn’t too happy with it: in hindsight, some of the books I’ve read are way to pretentious and the books I remember as life-changing were mostly read on my kindle anyways. Speaking of Kindles, my first kindle (must be bought around 2008 in the United States) was stored between the books.. with a quite bulging lithium ion battery.. good thing I did that cleanup.

Running OWASP Juice Shop with Root-the-Box on Google Cloud Platform

Wed, 02 Dec 2020 00:00:00 +0000

So I am back at teaching web application security. This time I wanted to setup a CTF challenge for my students. To not reinvent the wheel, or rather, to stand on the shoulders of giants I am reusing the OWASP Juice Shop vulnerable web app in its CTF mode.

Normally I would teach at a (physical) lab which would make the setup easy: all students are situated in the same physical room, I can setup the game server on my laptop and distribute virtual machines containing the vulnerable web app over the local network. Well, that thing called COVID-19 happened so this is not an option right now.

Create a new Ubuntu 20.10 Desktop without too much Ubuntiness.

Tue, 13 Oct 2020 00:00:00 +0000

After I’ve bought a new and fast 1TB SSD, it’s time to setup my aging Desktop again. Last time I went with Fedora Core, this time I will try to reduce some of the ubuntu-iness of a Ubuntu 20.10 Desktop for that. After preliminary tests Ubuntu seems to be more resource efficient than Fedora Silverblue and I should be able to remove most of Ubuntu’s problematic packages. Given that my Notebook still runs Fedora Core, I’m also keeping in touch with both the Ubuntu/Debian as well as with the Redhat/Fedora world through that.

Building a simple VPN with WireGuard with a Raspberry Pi as Server

Wed, 29 Jan 2020 00:00:00 +0000

Now that wireguard will be part of the upcoming Linux 5.6 Kernel it’s time to see how to best integrate it with my Raspberry Pi based LTE-Router/Access Point Setup.

What is my scenario?

Raspberry Pi 3 with a LTE hat, using a public IP address. This will be the VPN server (called edgewalker in this post)
An Android Phone that should use the VPN for all communication when connected
An Linux Laptop that should use the VPN only accessing network services that are exposed to the VPN

Each device connected to the VPN should be able to connect to all other devices, e.g., my phone should be able to connect to a webserver running on the laptop as long as both are part of the VPN network. If setup is easy enough I’m actually thinking about adding my (Ethernet-connected) Desktop to the VPN too.

2019 redux, what to expect in 2020

Wed, 01 Jan 2020 00:00:00 +0000

2019 was a year in which I expanded my comfort zone and forced myself to face some fears. I haven’t always been victorious, there’s enough to face next year. I see progress and hope; I do not feel trapped in my situation but rather see a comfy base from which I can explore further.

I shed some possessions, mostly donated them or gave them away to friends. This calms my mind tremendously. There’s a song by “Down like Silver” that contains the fitting lines: “everything I own, owns me now”.

Closing down my company

Fri, 20 Dec 2019 00:00:00 +0000

After 15 or so years I’m finally closing down my own company (it was a small one-person vehicle, in Austrian Einzelpersonenunternehmen or EPU). How so?

I’ve been self-employed since I’ve started to study at university. Mostly I did software engineering for various research projects at AIT. There was a short side-project (a failed startup that I created with friends of mine), after that more web development with other friends of mine. Slowly some changes happened, I’ve got down towards security/penetration-testing six or seven years ago. Five years ago I got an part-time employment at the research center, mostly for two EU research projects. my work time got more and more split between pen-testing and research stuff.

Adding advertisement-filtering and spotify support to a Linux-based Access Point/Router

Sun, 08 Dec 2019 00:00:00 +0000

The last weeks I’ve tried to improve upon my Raspberry Pi based LTE-Router/Access Point. Normally I would heave tons of software on it, try it out and let it simmer on. I did that this time too: the ELK-Stack (too little memory) and HomeAssistant (too little SmartHome-devices in my flat) only had a short intermezzo on this hardware. What stuck?

Before that a small note: originally I was using a IKEA USB charger; its spec should be sufficient but I kept getting “Undervoltage detected” error messages in dmesg/syslog. I switched it out my Xiaomi Phone’s USB charger: the warnings disappeared.

FH-Lecture: Secure Operating Systems (SecOps)

Fri, 15 Nov 2019 00:00:00 +0000

Nach dem guten Feedback meiner Studenten auf meine Web Application Security Vorlesung lies ich mich überreden, im Wintersemester 2019 einen Teil einer weiteren Vorlesung zu halten: SecOps — Secure Operating Systems, also quasi Security Themen für Administratoren. Mein Part umschloss Linux, Virtualisierung und (sehr kurz) Mobile Systeme.

Mein BrainDump dieser Vorlesung kann hier bezogen werden. Es ist noch in einem frühen Stadium, aber ich hoffe es kann schon weiteren Personen helfen bzw. das Veröffentlichen wertvolles Feedback für die nächste Vorlesung liefern.

Einführung in die Web-Security

Fri, 30 Aug 2019 00:00:00 +0000

Diese Unterlagen entstanden zeitgleich während einer von mir gehaltenen Vorlesung an dem Technikum/FH Wien. Nach dem positiven Feedback der Stundenten wurden die Unterlagen überarbeitet und ich hoffe, dass sie auch von anderen Personen genutzt werden können.

Inhalt

Der Inhalt orientiert sich grob an den OWASP Top 10:

Allgemeine Sicherheitsgrundlagen
Was sind Web-Applikationen?
Authentication und Authorization-Fehler
Serverseite Injection-Angriffe (inkl. SQLi, SSTI, XEE, Type-Juggling, etc.)
Clientseitige Angriffe (inkl. XSS, CSRF, Clickjacking, etc.)
Clientsetiige Härtung

Download

Das Skript kann von verschiedenen Quellen bezogen werden.

Hi, I Care About Security

Fri, 30 Aug 2019 00:00:00 +0000

From coding..

My developer life started at 14 when I enrolled at the HTL Villach with a focus on IT. In those five years I learned to code: Assembler, C, C++, COBOL, and that new thing: Java. I continued the path at the Technical University of Vienna, eventually earning my Master's Degree in Software Engineering.

In parallel to my studies, I started to work at the Austrian Institue of Technology (AIT), initially as part of an EU FP7 Project on Quantum Key Distribution, later mostly on EU Horizon 2020 projects focusing on Secure Data Storage and Identity Management in the Cloud.

Building a secure torrent download station by combining Private Internet Access (PIA), OpenVPN and transmission through docker

Mon, 05 Aug 2019 00:00:00 +0000

Sometimes I want to work on client assignments (penetration-tests) from home, if I do that I am using my company VPN so that all traffic is routed thorugh their public IP address (which is white-listed by the client). I do not want for traffic to ever leave that VPN as that would look like as if I’d be performing cyber attacks from my private home IP address. The same requirements arise for different use-cases, e.g., when downloading bittorrent files or forcing traffic through the tor network if whistle-blowing.

How to create a (good-looking) PDF and Kindle eBook from LaTeX

Mon, 29 Jul 2019 00:00:00 +0000

So I held a lecture on “Web Application Security” for the FH/Technikum Wien last spring and wrote a small booklet for my students (partially because I wanted to avoid discussions during the final exam). I did volunteer for a anonymous feedback round which turned out very positive for me, the booklet was repeatatly mentioned positively. So I distilled and refined it, tried to improve its focus. As I will do the same lecture next year, I am in dire need of feedback so that I can improve it, so I went to dark places and published it on reddit. I was suprised by the kindness of strangers, also got some suggestions from them. I offer the book for free under a creative commons license on my website, but also created a kindle version of the book. If you’re into web security and have read the book, I’d be very happy if you leave a (hopefully positive) review of the book on Amazon. This blog post describes, how I’ve created both the PDF-Version as well as the Kindle-Version of the book.

LTE uplink for Raspberry Pi: Huawei E3372 vs Waveshare SIM7600E-H

Fri, 05 Jul 2019 00:00:00 +0000

I spent some time playing around with various LTE-options for my Raspberry Pi Access Point/Router setup.

My Huawei E3372 USB LTE modem works find but only implements a fake network card. This means that a virtual network card is emulated, all traffic is NATted over a virtual router located behind that virtual network card. This happens in addition to the network translation (NAT) that my Raspberry Pi access point already does. Also, I think that my Raspberry with the external USB LTE modem looks a bit unprofessional:

Books and influences of mine

Wed, 26 Jun 2019 00:00:00 +0000

Most of you (and there are a couple of thousands of you) come for my tech-posts, but it seems that some of you get lost reading my non-techie posts too. Time to add on of those, it’s been a while..

I breathe books, they give my brain constant input to thrive on. Recently I went through my goodreads list of reread-good-books to check what influences me and started to reread some of them. Result: I removed some of the books as I had no clue why they were on there. In a flash of practical minimalism I started to think about those books that move(d) me, the result is this list:

Building an LTE Access Point with a Raspberry Pi

Sat, 22 Jun 2019 00:00:00 +0000

In one of my last experiments I replaced my crappy T-Mobile (now Magenta) 4G modem/access point with an OpenWRT-based cheap travel router and a 4G USB LTE modem. That doubled my speed over the wireless (WLAN) network but the setup was limited by the outdated and under-powered travel rooter. So I got myself a cheap Raspberry Pi 3b+ and created a minimal Linux-based 4G router/access-point. My basic goal was to create the minimal feasible configuration so that I have a good starting point for future IoT/VPN/SmartHome experiments. I think I succeeded.

Switching a Xiaomi Mi Mix 2s to LinageOS (Android 9)

Tue, 11 Jun 2019 00:00:00 +0000

Recently I upgraded from my “old” Motorola/Lenovo G6 plus to a Xiaomi Mi Mix 2s.

Why the new phone?

Main reasons for that upgrade were:

The old phone started to look like a banana. Seriously, I carry my phone in my back pockets and after a year that.. let to a more-than-slightly bent phone. This might have let to another problem: random vibra-call activation. Originally I thought that I was just imagining them, but recently my phone started to vibrate while it was in my hand — while no notification or interaction at all was happening.
Both the USB-C as well as the audio jack were already broken; cables tended to loose connection.. it was annoying to find out that the phone wasn’t charged up after a night because the connection was not stable.
Size: the phone was just too big to carry around comfortably.
Recently Lenovo’s software upgrade policy turned to the worse: while the phone was recently upgraded to Android 9, 6 months went by without any of the monthly Android security upgrades. As those included fixes for critical remote exploitable vulnerabilities, not having access to upgrades was a no-go for me (I do work in security after all).
Mandatory apps; there were both Google’s (Keep, etc.) as well as Lenovo’s mandatory apps (LinkedIn, Outlook, etc.) installed on the old phone; as an user you are not able to remove them. This disturbed my sense of minimalism.
No notification LED: this seems small, but a notification LED is something that I highly value. Periodically activating my phone just to check for new notifications is playing havoc with my concentration, so this feature is very dear to me.

So I looked out for an Android One or LinageOS phone, that was smaller than my current one and offered dual-SIM functionality (as I want to keep my old private phone number — this one is used by Signal/WhatApp and I’d like to avoid notifying all my contacts).

Building an LTE Access point with OpenWRT Rooter

Thu, 30 May 2019 00:00:00 +0000

My LTE internet connection (70 Mbit downstream, 15 MBit upstream) came with a combined Huawei B315s LTE modem/access point. As I was using it for the last two to three years a couple of problems did arise:

the internet connection was often shaky, oftentimes the uplink connection got lost and I had to power-cycle the modem/access point. Subjectively this got improved with the last system upgrade.
while the internet down speed on the wired connection was good, the speed achieved through the wireless connection was atrocious (see measurements later in this blog post)
the power supply is badly built and takes the space of two power outlets.
I am not trusting proprietary hardware and software too much.

Some research showed that I should be able to replace the existing hardware with an OpenWRT-based access point and a single USB LTE-modem. I wasn’t sure if the drivers would work out and what the resulting internet performance would be but there’s only a single way to find that out: build it.

To Fuzz a WebSocket

Wed, 22 May 2019 00:00:00 +0000

During a recent assignment the customer server was utilizing a WebSocket for some notification transport, part of my assignment was to fuzz-test the used WebSocket (and the messages transported over it).

To do this, I turned to my typical tools:

PortSwigger BURP only supports display of WebSocket messages but not altering and/or automated fuzzing of websocket messages.
OWASP ZAP can inject and fuzz web sockets (e. g. using FuzzDB vectors), alas the tested application disconnects the websocket and thus prevents ZAP from performing the fuzzing attack.

So again I had to write a small python script. This time i used the Kitty fuzzing framework and the python web socket library to create a simple WebSocket transport/target for Kitty (WebSocketTarget). This target reopens the web socket after each sent message, so the disconnect behavior would not limit the testing (but would decrease its performance — I can live with that).

JWT: Signature-vs-MAC attacks

Thu, 16 May 2019 00:00:00 +0000

During a recent pen-test I stumbled upon a JSON Web Token(in short: JWT) based authorization scheme. JWTs consist of three parts: header, payload and verification information. The initial header part contains the name of the algorithm that will later be used to generate the verification part of the JWT. This is dangerous as an attacker can change this information and thus (maybe) control what scheme will be used for verification by the server.

On Reframing

Mon, 07 Jan 2019 00:00:00 +0000

There’s power in switching mental models. In my work, switching from “there might be a vulnerability in this software” to “i just haven’t found the vulnerability” was a game changer for me. I get nervous prior to presentations; one switch that helped me was that instead of thinking “my goal is to look bright” I try to remember that my goal is to teach the audience something and it doesn’t matter who stupid I look as long as they gain something from me.

Amazing (Physical) Access Control with HID RFID cards

Fri, 04 Jan 2019 00:00:00 +0000

So my company moved to a new building which uses HID RFID cards for access control. These cards are typically white with some sort of numeric code printed on one side of them. I have not included an image of my card due to (later) obvious reasons..

Setting up my Proxmark3 RDV4 reader

Some time ago I joined the Kickstarter for an updated version of the Proxmark3 RFID reader/writer and immediately broke it during the initial flash update. After I was able to unbreak the reader (hint: kill network-manager and modem-manager before trying to flash the new image) this seems to be a good time to test those pesky access cards. Also a huge Thank you! to the Proxmark support team for helping me.

This year's review, 2018 edition

Mon, 31 Dec 2018 00:00:00 +0000

This year was good work- and health-wise, but bad when it comes to money and relationships. Financially the stock market drop hurt, emotionally getting dumped was painful.

For 2019, I plan to keep and improve my healthy 2018 habits: enjoy life as non-smoker, keep on bouldering (6a+ - 6c with a rare sent 7a in-between), finally finish a full Bikram yoga sequence and maybe meditate more often.

In addition, I’d like to improve my sleep. This might lead to less screen time in the evening, more Kindle reading and maybe a slight drop in my caffeine consumption. Another thing that worries me is that many of my best stories start with “when we were out drinking..”. After quitting to smoke, it might be time to work on this area too.

Wireguard vs OpenVPN on a local Gigabit Network

Thu, 13 Dec 2018 00:00:00 +0000

Wireguard is recently making a splash as human-configurable low-overhead alternative to OpenVPN and IPSec. As some privacy-centric VPN providers are planning to support it (e.g., PIA) or already have a beta running (e.g., IVPN, as tested by Ars Technica) it was time for me to look into it.

The Setup

To get a better feeling about the used technology I directly connected my laptop to my desktop (gigabit Ethernet with no switch/router in between) and setup OpenVPN with a minimalist configuration as well as with a more realistic TLS-configuration. I took some bandwidth/latency measurements with iperf and qperf and compared those to a minimal Wireguard setup.

Revising my lazy http/https interception setup

Fri, 23 Nov 2018 00:00:00 +0000

Lazily creating an HTTP/HTTPS interception proxy with network-manager and mitmproxy

Living with changes

Wed, 07 Nov 2018 00:00:00 +0000

This year seems to bring a lot of changes: I’ve switched employers after staying on/off at a research center or the last twelve years. When I started there, I was doing cool network coding for the SECOQC quantum key distribution network, it somehow felt as being a part of some bigger undertaking that finally let to something. My work had a tenable outcome, this compensated for the long hours and poor pay. Colleagues were (and have been until the end) good friends and oftentimes mentors.

Fun Hacking Stuff ahead

Tue, 23 Oct 2018 00:00:00 +0000

Recently I’ve found an old post-it with guidelines I wrote myself a couple of years back, two of those stood out:

make mistakes
don’t buy stupid stuff

Seems like I haven’t been the most consistent person back then. The post-it got discovered during a clean-up session of my flat, the same session brought up the following stupidly-bought-and-never-used gadgets:

one BBC micro:bit that should be able to capture Bluetooth Low Energy transmissions
one Proxmark 3 RV4 that should be able to do some nifty RFID stuff (and that I was recently able to fix)
one Realtek Software-Defined Radio USB Stick (rtl-sdr)..

My new year’s resolution (or rather near-future resolution) is to do /something/ hackery with that stuff. Suggestions more than welcome.

GnuPG/PGP and Evolution/Seahorse Private Key Woes

Thu, 01 Dec 2016 00:00:00 +0000

I have a quite simple setup: Fedora 23 on my Desktop, Ubuntu 16.04 on my Notebook and a YubiKey thrown into the mix.

I do have my normal GnuPG key DD436203 that I’m using. There’s also an old and revoked key 3F5D00B6 with which I was testing my YubiKey with (note to myself: don’t use an YubiKey-crested private key as you cannot backup it). My main key offers an ElGamal 2048bit subkey – which does not work with the Yubikey (as that only supports 2048bit RSA). So I ’ve added a new subkey on my laptop.

How (NOT) to hide OpenVPN behind HTTPS/SSL

Thu, 01 Dec 2016 00:00:00 +0000

Update 2017: Sadly I found out (thanks due to the comments on this blog post) that using port-share does not encapsulates subsequent traffic in normal TLS. So using this method will not fool Deep-Package Inspection Firewalls. If you need to mask all your traffic, this is not an option – you might need to investigate stunnel, information can be found here, here or here. I assume, that the higher success rate of this method could be related to some firewalls checking the target of the initial https request. This would yield a normal website with this setup and might be enough to fool some websites.

Secret-sharing described by Prismacloud

Sat, 27 Feb 2016 00:00:00 +0000

One important part of the European Prismacloud project is dissemination: make ordinary people understand some of our cryptographic directives. Out of this, the following clip originated:

The technique in question is called secret-sharing and was originally detailed in 1979.

Firejail: Chroot on Speed

Thu, 25 Feb 2016 00:00:00 +0000

Firejail describes itself as a SUID program that reduces the risk of security breaches by restricing the running environment of running programs. We’ll just call it chroot or jail (for the BSDers out there).

So, it’s SUID?

First things first: it’s SUID, so if there’s an error within the firejail binary an attacker can gain root rights. This comes with the territory. How large is Firejail and how many dependencies does it have? It’s written in C and:

Low-hanging Security/Privacy for the Lazy 2016!

Thu, 25 Feb 2016 00:00:00 +0000

Keeping a good security and privacy is tough work. There’s always a trade-off between effort and achieved security. In this blog post I’ll mention small things that a ``normal’’ person should be able to perform — that still increase the overall security of that user’s data.

Choose your Liege

Bruce Schneier talks about the comeback of feudal security: you choose your liege lord and depend upon him for providing security. You pledge yourself to Google, Facebook or Apple. Your liege protects his servers (with your data) and might defend your data/emails in a legal court — for which I as a private person would not have the monies — but for that it gets access to all your data. Choose your liege carefully and only have few of them. For me Google is essential. It’s hosted mail service gets all my possible password reminder/reset emails. If it gets compromised, it’s game over for me. Similar for me is LastPass. Identify those main trust anchors and use secure and unique passwords for them. If possible enable two-factor-authentication (2FA). This forces an attacker to not just steal your password in cyberspace, but she would also need to steal a second factor (i.e. phone or RSA token) in the physical world. Few “private” hackers will escalate to this level.

OSCP: Check!

Sun, 07 Feb 2016 00:00:00 +0000

I have just received my OSCP exam success notification. This is a penetration-testing certification by Offensive Security with focus on hands-on-training. You get an eBook and a week’s worth of video lectures with guided exercises; access to a virtual lab with approximately 55 machines that you should gain full control over and will finish with an 24 hour exam in which you are supposed to root five target machines. All this should be documented and submitted at last 24 hours after your exam is over – my documentation had 264 pages.

Network Concurrency Problem

Fri, 13 Nov 2015 00:00:00 +0000

A project I’m involved with has a traditional distributed client-server architecture: multiple servers are interconnected, clients connect to one more servers. In this use-case we’re expecting around four to seven servers with long-running connections between them and approx. a dozen clients with short-lived connections to the server.

Initially I had used plain Java networking but during 2013 I’ve switched over to netty.io as a communication layer. Benefits were more agile networking code, better concurrency, etc. At least in theory.

pathogen vs vundle

Wed, 18 Feb 2015 00:00:00 +0000

Pathogen was the first vim plugin management system that I’ve known of. The contender is Vundle which seems to be inspired in it’s configuration syntax (and name) by Ruby’s Bundler.

So let’s compare those two.

Pathogen

Pathogen’s workings are quite easy to grasp: each plugin is a directory within “~/.vim/bundle/”; pathogen traverses through the plugin list and includes each one of them. Let’s see a sample directory:

[~/.vim]$ ls -l bundle/
drwxr-xr-x  5 andy andy 4096 Sep  8 22:20 ag
drwxr-xr-x  5 andy andy 4096 Sep  8 22:20 ctrlp.vim
drwxr-xr-x  7 andy andy 4096 Sep  8 22:22 syntastic
drwxr-xr-x 13 andy andy 4096 Sep  8 22:23 ultisnips
drwxr-xr-x  7 andy andy 4096 Sep  8 22:26 vim-airline
...

It gets really powerful when you store you ~/.vim directory within a git repository and share it between multiple computers. If you use git submodules for each plugin you even get versioned plugins for free.

Capybara for automating Pen-Tests

Tue, 09 Sep 2014 00:00:00 +0000

After a successful penetration test a re-test is performed. The common approach is that the customer fixes the code and I perform the necessary steps to confirm that that initial security breach was closed. Sometimes it takes the customer a couple of tries to achieve that.

Most security problems (XSS, CSRF, SQLi) can easily be automated tested, but I had problems automating server-side authentication and authorization problems. The test would have to emulate multiple parallel user sessions. The tests mostly consists of one session trying to access the resources of another user session.

Migrating to Middleman

Tue, 09 Sep 2014 00:00:00 +0000

My blog has a history of migrations. It started as wordpress, then was converted Octopress. After Octopress was missing update-love and jekyll started to be actively maintained again it switched over to jekyll. And now, it finally is based upon Middleman.

Sorry for any inconvinient bugs or layout errors that will happen during the migration.

Why have I switched to middleman?

as I’m a RoR devleoper it seems better suited for me. Jekyll always seemed to be the choice for “web designer that need to add some dynamic content” while middleman seems to incorporate the “web developer that needs some blog”-attitude
nice integration with bundler
existing plugins for deployment. This replaced a lot of custom cruft that I had to initially write for myself when I was using jekyll

While in there I’ve switched from bootstrap to bourbon/neat/bitters. Let’s see how this works out. Wouldn’t mind the framework to be called Islay though.

Review: Penetration Testing with BackBox

Tue, 09 Sep 2014 00:00:00 +0000

Full-disclosure: I was asked by PacktPublishing to provide a review of Penetration Testing with BackBox by Stefan Umit Uygur. They offered me a free copy of the ebook; otherwise I have not been compensated by any means for this review.

The book aims to be an introduction to penetration-testing for experienced Unix/Linux users or administrators (seems like there are Linux users that aren’t administrators by now). After reading the book I believe that the assumed use-case is an administrator that wants to gain some insight into the tools that might be used against his server. Other parts of the books (hash cracking, tools) might allure aspirating script kiddies.

Using a (host) reverse-proxy together with LXC application servers

Fri, 25 Apr 2014 00:00:00 +0000

How to combine an reverse proxy (nginx) running on the host with virtualized aplication workers

How to convert an KVM image into a LXC container

Mon, 07 Apr 2014 00:00:00 +0000

How to use convert an KVM image into a LXC container

How to use virt-install to install new virtual machines within libvirt/kvm

Sat, 22 Mar 2014 00:00:00 +0000

How to use virt-install to install new virtual machines within libvirt/kvm

Rogue Access Point and SSL Man-in-the-Middle the easy way

Thu, 20 Mar 2014 00:00:00 +0000

How to setup an rogue access point and do ssl interception using KDE and BURP

How-to setup a rogue access point with a transparent HTTP(s) proxy

Mon, 24 Feb 2014 00:00:00 +0000

How to setup a rogue access point with a transparent HTTP(s) proxy

Politics: there seems to be no middle anymore

Sun, 26 Jan 2014 00:00:00 +0000

Yesterday was this year’s “Akademikerball” in Vienna. This is a continuation of the former WKR ball – which is used for right-wing networking across Europe and organized by the Austrian Freedom Party. This party in turn is a right-wing party: populist, xenophobic, haven of people with a far-right history. Opposed to this party were protests mostly organized by the left-ish social party and the green-alternative party. Police forces were using this event as a show-of-strength. Traditionally the executive is seen as the long arm of the people’s party (OeVP) – a party with historic roots in the christ-fascist party of the ’30s, the last decades it is more of a liberal-economic party. True to it roots freedom-of-press and the right-to-assemble were severely limited during the event.

Luxury is Slavery

Sun, 05 Jan 2014 00:00:00 +0000

It’s weakness. Well at least un-enjoyed luxury that has become an everyday event is. This has nothing to do with morals.

Luxury costs money. Making money makes you dependant and consumes your free time, it reduces your financial freedom.

So if you’re spending your life on luxury make sure that it counts and you’re enjoying it every moment.

Review and New Year's resolutions

Tue, 31 Dec 2013 00:00:00 +0000

Yeah, let’s make some new year’s resolutions so that I can feel bad breaking them. The big ones are:

Stop smoking. And nail-biting. Both might be the same outlet of my nervousness, let’s see if I can get them under control.
Start doing Yoga and/or Meditation again. To be honest, this will be needed to get resolution #1 to work.
Continue climbing. Alas my left wrist joint seems to have suffered sometime last year – I’ll gonna go to the doctor, but might have to reduce my bouldering for a bit. I might try to soak up my free time with Yoga. Sarcastic, as doing yoga was replaced by bouldering in 2013.
cooking vs. delivery-service: this will be a tough one. Currently I’m ordering way to much through the delivery service. In addition lots of the food eaten at home is just convinience food. I do not like the fact that delivery food is either way to expensive or unhealthy (or both).

Then there are some “more of the same” resolutions:

Cleaning Up

Sun, 29 Dec 2013 00:00:00 +0000

With the year’s end comes the time for reviews and cleanups. Reducing cruft allows your mind to be free, with it comes a sense of closure and empowerement. Otherwise all my possessions would drag me down.

Stuff I really like to do at this time is:

review existing bank accounts and service contracts (like phone/internet/power plans). Reduce them to maintain some sense of control.
Books: I hoard them even if most of them are not exactly Pulitzer-price materiel. I’ve read each of them but won’t read most of them again – so they’re mostly dead weight. There are places like public libraries or book sharing (i.e. Wortschatz in Vienna, Austria) places that love (and need) new books – sharing is caring. Add your books to the BookCrossing Index before sharing them and see where they have traveled and what people reading them think.
Clothing drives. I try to make my garderobe work: so far I’m having far too many tshirts and am lacking other stuff (there’s not too much sense in having tshirts for four weeks when I’ll have to do my laundry every two weeks due to my trousers count). So I’ve imposed a new rule: when buying new clothes I have to donate at least on old cloth.
old paper work: depending upon the jurisdiction you’re living under you might have to keep old (business) paper work. Here in Austria you’re allowed to discard paperwork after seven years – so each time at the end of the year I’m going through the archives and find stuff that is not needed anymore but still wastes space.
There’s another problem: I hoard stuff. For example I own some rare bottles of whisky that are (by now) too expensive to drink. This is stuff that won’t go away easily. My solution is to give them as presents upon special occations. To prevent this situation from happening again I’m imposing some new rules: I won’t buy new Whisky when my existing collection is worth more than 600 Euro.

How to use FakeS3 for S3 testing

Tue, 24 Dec 2013 00:00:00 +0000

How to setup the Fake S3 gem to create a local fake S3 server (for testing purposes)

Indulgence Galore!

Tue, 24 Dec 2013 00:00:00 +0000

We’re living in a world of indulgence and seem not to cherish the small (or larger) daily treats anymore. As a cousin of mine once noted: we are able to go out for coffee and food daily without thinking to much of it’s costs. We’re the lucky few but somehow forgot about that. We’re privileged but we’ve got accustomed to it.

Living in Austria our grand-parents and parents started with almost nothing after the second world war. Then came a long line of firsts: cars, television sets, an united Europe, mobile phones, the possibility of traveling abroads, higher-education. Things that my generation takes for granted.

Linux: How to force an application to use a given VPN tunnel

Sun, 20 Oct 2013 00:00:00 +0000

wicked_pdf allows generating PDFs from ruby on rails, for free!

Git with transparent encryption

Thu, 10 Oct 2013 00:00:00 +0000

Using encryption to make git handle un-trusted remote storage server

Encrypted S3 storage filesystems

Thu, 27 Jun 2013 00:00:00 +0000

Trying to use two s3-based storage methods that provide transparent encryption and compression

Secure Online Data Backup using Duplicity

Thu, 27 Jun 2013 00:00:00 +0000

Encrypted incremental backup to clouds/ssh hosts using duplicity

Penetration testing

Sun, 23 Jun 2013 00:00:00 +0000

Penetration testing

Avoiding Internet/Network Surveillance

Mon, 10 Dec 2012 00:00:00 +0000

How to encrypt most of your communication data on the internet

Linux: How to encrypt your data on hard drives, USB sticks, etc.

Sun, 02 Dec 2012 00:00:00 +0000

How to transparently encrypt hard drives/USB sticks/etc.

Linux: How to forward port 3000 to port 80

Sun, 18 Nov 2012 00:00:00 +0000

Howto forward port 3000 to port 80 under Linux.

Postgres: Howto change owner for all tables

Sun, 11 Nov 2012 00:00:00 +0000

Howto change owner of all tables of a database (in postgresql)

Moving OctoPress to Amazon S3 and CloudFront

Sat, 03 Nov 2012 00:00:00 +0000

Moving OctoPress to Amazon S3 is easy, but how's the performance?

A full-powered shoebox-sized Desktop

Sun, 28 Oct 2012 00:00:00 +0000

Building a mini-ITX high-performance desktop that would fit into a shoebox

The Lazy Engineer

Sun, 28 Oct 2012 00:00:00 +0000

How I operate

Generating PDFs with wicked_pdf

Tue, 01 May 2012 00:00:00 +0000

wicked_pdf allows generating PDFs from ruby on rails, for free!

Andreas Happe

LLMs as Hackers: Autonomous Linux Privilege Escalation Attacks

Installing LineageOS on Xiaomi Mi Mix 3

Can LLMs Hack Enterprise Networks? Autonomous Assumed Breach Penetration-Testing Active Directory Networks

Adversarial Bug Reports as a Security Risk in Language Model-Based Automated Program Repair

On the Surprising Efficacy of LLMs for Penetration-Testing

Benchmarking Practices in LLM-driven Offensive Security: Testbeds, Metrics, and Experiment Design

Homeserver: Glances and Home Assistant for Monitoring

Homeserver: Creating local Proton Drive/Mail Backups

Homeserver: Services Pt. 1

Using tailscale on Fedora Silverblue

Building a little home-server with Linux, TailScale, ProtonVPN, Docker Compose and VM support

LangGraph: Adding Plan-and-Execute Planner

Adding Plan-and-Execute Planner

Plan-and-Execute Pattern

LangGraph: Simplify our Tool-Calling Agent through `create_react_agent`

Simplify our Tool-Calling Agent through create_react_agent

The simplified version

LangGraph: Improving Configuration Handling, esp. for Tools

Improving Configuration Handling, esp. for Tools

Big Picture

Work/Life Balance, pt. 3: Scheduling Work

My Scheduling Habits thus far

Work/Life Balance, pt. 2: Separation and Blurry Lines

Work/Life Balance, pt. 1: Prelude and Experiments

My Background

Understanding Hackers' Work: An Empirical Study of Offensive Security Practitioners

Getting pwn'd by AI: Penetration Testing with Large Language Models

Using WSL2 to hide from EDR

Scenario/Background

WSL2 to the rescue!

Active Directory: Using LDAP Queries for Stealthy Enumeration

Enumerating User-Accessible Directories within Windows Network Shares

Trying my hand with hacking Active Directories with responder, mitm6, ntlmrelayx and crackmapexec

Building a 4G/LTE router+accesspoint using hostapd, network-manager and modemmanager

What is AppSec anyways?

Secure Software Development Lifecycle Basics

HTTP Header Security

Book Updates and Blog Posts..

Running OWASP Juice Shop with Root-the-Box on Google Cloud Platform

Create a new Ubuntu 20.10 Desktop without too much Ubuntiness.

Building a simple VPN with WireGuard with a Raspberry Pi as Server

What is my scenario?

2019 redux, what to expect in 2020

Closing down my company

Adding advertisement-filtering and spotify support to a Linux-based Access Point/Router

FH-Lecture: Secure Operating Systems (SecOps)

Einführung in die Web-Security

Inhalt

Download

Hi, I Care About Security

From coding..

Building a secure torrent download station by combining Private Internet Access (PIA), OpenVPN and transmission through docker

How to create a (good-looking) PDF and Kindle eBook from LaTeX

LTE uplink for Raspberry Pi: Huawei E3372 vs Waveshare SIM7600E-H

Books and influences of mine

Building an LTE Access Point with a Raspberry Pi

Switching a Xiaomi Mi Mix 2s to LinageOS (Android 9)

Why the new phone?

Building an LTE Access point with OpenWRT Rooter

To Fuzz a WebSocket

JWT: Signature-vs-MAC attacks

On Reframing

Amazing (Physical) Access Control with HID RFID cards

Setting up my Proxmark3 RDV4 reader

This year's review, 2018 edition

Wireguard vs OpenVPN on a local Gigabit Network

The Setup

Revising my lazy http/https interception setup

Living with changes

Fun Hacking Stuff ahead

GnuPG/PGP and Evolution/Seahorse Private Key Woes

How (NOT) to hide OpenVPN behind HTTPS/SSL

Secret-sharing described by Prismacloud

Firejail: Chroot on Speed

So, it’s SUID?

Low-hanging Security/Privacy for the Lazy 2016!

Choose your Liege

OSCP: Check!

Network Concurrency Problem

Simplify our Tool-Calling Agent through `create_react_agent`