Wednesday, March 06, 2019

Restoring VM Images List in VMWare Player under Linux Mint

While running VMWare Player on my Linux Mint 19.1 box (don't judge me. I prefer to use things that work out of the box rather than spend countless of time, which I don't have now and frankly I better spend it on something else, to make it work), I quickly discovered that after adding multiple CTF VM images, there were not displaying on the selection area.

With a little Google-fu and common sense, I found this on the VMWare communities page and it solves my problems.

While I don't use Ubuntu, in Linux Mint (latest release 18.3) I went into privacy settings and told it to remember recently accessed files (Set to "on") and Never forget old files (Set to "On") and now I can add the machine(s) to my Library.

Friday, August 17, 2018

August 2018

Been some time since I last updated my personal blog. In a nutshell, here's what I have been up to for those curious.

Winter is ending here in Sydney, Australia. Spring, my favourite season, is soon here. Can't wait for the beautiful flowers springing out to life. Although after that, the worst season comes which is summer. Do you know how pesky flies are in Australia??? Not to mention that is the time of the year where the magpies, freakin spiders, slithery snakes, etc. will be out to hunt me ... I mean food.

Still pursuing my OSCP although to be honest, with so little time and so little energy left after a day at work, not to mention my daughter now who demands more of my attention during the weekends, finding time for the OSCP let alone playing a quick round of Street Fighter is becoming a giant task. I'll get there someday. At least I think I will. And in the meantime, I thought I knocked the CEH off. GPEN might be the next one before attempting for the OSCP. We'll see ...

Tuesday, September 12, 2017

Rooting a Nexus 6P using SuperSU v2.82 SR3 by Chainfire

From the XDA forums, comes a very good tip. If you are having problems patching your Nexus 6P using the SuperSU v2.82 SR3 and you saw that it failed in the logs, Chiyo-chan came up with this tip :-)

- Calling user ramdisk patch script
--- Failure, aborting

my log when trying to install after a clean system + boot reflash.
Is something wrong? HtC 10 stock rom


I had the same issue.
Looking at the code in the SR2 zip file, I pinpointed it to the file /data/ Looking inside the file, it's some remains of Magisk. I removed that file via the TWRP Terminal (rm /data/ and it solved the problem.

Hope this helps!"

And there's the quick fix.

Tuesday, April 25, 2017

Bash Bunny, BlackHat Asia

I gotten a Bash Bunny a month ago and boy this is a device to behold. It works somewhat like a rubber ducky but the plus point is you can immediately run scripts on it (it has a Python interpreter too!) without having to go through a compilation process like how the rubber ducky needs. The 3-way hardware switch toggle on the top is the icing on the cake. Modes 1 and 2 for unleashing the kraken while mode 3 makes it a mass storage device.
Bunny hoping
I been very interested in USB attacks for the past few months now seeing how many organisations and people still rely on USB devices amidst a storm of wireless technologies offerings. One of the questions that got me thinking is there are USB ports on planes. What happens if you connect a rubber ducky or a bash bunny into the USB port and uses a mimikatz-like exploit? Well, like any other computer, if it connects to the main network, you are probably in passwords heaven. But I doubt it. Most media terminals on the plane are standalone. WiFi on the other ...

By the way, for you security enthusiasts around the SEA region, one notable conference that might interests you is BlackHat Asia. This year, again it was held at the Marina Bay Sands Expo in Singapore. This is an excellent place for networking and getting to know the people in the industry. I have had the privilege of getting to know, meeting and talking with the Pingu team, Michael Ossmann of HackRF One fame, Jeff Moss with his young kid, Anthony Lai  who is HongKong's OWASP chapter lead and the founder of the VXCON, another awesome security conference which I hope I can attend one day, and a whole group of other awesome security people. This is one conference you should seriously consider to attend even if it's for the free business pass.
A view of events for the day. Usually the briefings and the business hall events will last for two days. Blackhat trainings last for two days as well but they are held prior to the briefings and business hall days.

One of the popular booths in Blackhat Asia business hall. Here the contestants are picking locks to win prizes. Photo credited to Anthony.

Tuesday, March 14, 2017

Nexus 6P

The Nexus 6 has a new companion for on-the-go pentesting. Can't wait to see how this baby performs on multi core tasks compared to the 6. Was tempted to flash my OnePlus 3T at first but side loading the OTAs are kinda painful compared to the Nexus phones. Pixel phones? No can do with Google's change in the FS structure. For now.

Friday, November 25, 2016

Nexus 6

Back to a bit of blogging from time to time since the OSCP and work is taking quite a bit of my time. Not to mention family time with the Hyrulian princess.

A few months back, I've gotten a Nexus 6 pre-owned. Now why would I want a pre-owned 2 years old handset when I could have spend a bit more money and maybe get a not too 'old' handset? Well I wanted to replace my Nexus 7 as my mobile penetration testing device. I wanted something reliable, cheap and easily modified. The Nexus 6P was still pretty expensive back then and even though the price had come down a little (for pre-owned sets) thanks to the Pixel phones, they are still quite a bit of a wallet-drainer. The Nexus 6 on the other hand, is a gem. Big screen, faster processor than my Nexus 7, more mobile than a tablet and it's a phone for goodness sake so ... sorry Nexus 7 ... you are relegated to a backup device for now. Besides, Nougat 7.0 runs officially on the Nexus 6 which makes it a tad more 'updated'.
Ain't she a beauty? If you look carefully, you'll see a TP-Link WN722N behind the phone which I used some velcro to attach it to the phone. Works pretty well. At least I don't have to look awkward holding a phone in one hand and the other a wireless adapter. Besides this setup sorts of conceals me when I am doing assignments walking around randomly in companies without raising concerns among its employees.

By the way, in case you plan to make a Nexus 6 your only device for penetration testing or acting cool like in Mr. Robot (although that was a PwnPhone which is essentially a Nexus 5 with a customized Pwn ROM), do take note of its limitations. For one, if you heard of the recent BlackNurse attack (read up on's an interesting effective 20 years old attack technique) the Nexus 6 caps out at TX less than 10mbps which is below the 15mbps required to launch a successful attack. Not that I've never heard of people actually using their phones to DoS networks ...

Monday, August 29, 2016

Something big is about to happen in a month's time

Ignore the tile. It's another post of another day ;-). The one year since I last posted were filled with many changes in my life both work and personal. Personal wise, Zelda turned 3 years old recently. Still trying to be a good father though ... not sure if I am doing things right but we'll hear soon enough from the little Hyrulian princess.

Pimped my Mr. Robot wannabe MacBook Air (it's an 11-inch model by the way and is something that I am typing on currently). Filled with stickers, nothing too personal save perhaps the dated picture of the Hyrulian princess. The priciest sticker would have to be the Hak5 one. How did I get it?
Well I side ordered a few of them when I spent some dough on the Hak5 wireless kit which is shown below. Almost everything you see in the picture (rubber ducky USB, LAN turtle, tons of cables, a DVB tuner, antennas and of course the famous PineApple device) are all from Hak5 except the HackRF One, which is a device I had a year back. That's really some kick-ass security gear there! Now I need to scout for RFID cards and some other security hardware to add into this wireless kit. By the way, if you ever buy these kind of stuff, make sure you know what you are doing and not try something stupid and illegal. You do not want to land in jail for nothing ...
On the other hand, if you want to feel like doing something 'illegal' but legally of course, there's the Mr. Robot game that's available on iOS and Android now. It's a text-based SMS-like game which puts you in the role of a hacker wannabe (either by choice or forcefully depending on how you look at it) who is going to help Darlene and 'E' to achieve their goals. And yes, that's what I been spending some of my train rides time for.
Exam-wise and also to improve myself, I am attempting to try for the OSCP the next few months. Hopefully I am good enough to attempt it but we'll see. It's a tough exam. Much much tougher than the CISSP or even CEH I would say (not that I have taken the CEH before ;-)). Wish me luck!

Till the next post ... over and out.