i.crave.beer – The online home of Joshua Skorich

12th August 2016

Defcon 24 Badge

Another August, another week in the desert for security summer camp. This year my company was kind enough to sponsor my entire trip including four days of Black Hat training. Ossmann's Software Defined Radio (SDR) class was pretty darn fantastic and I also really enjoyed Joe Grand's Hardware Hacking course. Having a few years experience in product development, most of what Joe was saying wasn't new to me, but the tools and techniques he presented in reversing unknown hardware were well received. Which leads me to the entire point of this post. Defcon 24 featured an electronic badge for attendee's that allowed me to practice some of my new skills in reversing the circuit.

+ Continue reading

27th July 2016

Net Discovery Reporter

I often have clients who want me to perform network discovery prior to kicking off an External Penetration Test. For example, they may know they have a class B network, but not know what systems are externally reachable. I was struggling to take this intel and put it into a consumable format.

Thus was born another script to take nmap or masscan XML output, parse it, and export the data to a Word DOCX table. The hosts are sorted, duplicate ports from multiple scans are removed, and the longest service description is kept. It also pumps out the table using our internal colors, fonts, etc.. It has saved me countless hours since creating it, and obviously creates a much more professional table in a fraction of the time it would take to make it by hand.

+ Continue reading

27th July 2016

Nessus Parse

Every now and then a colleague will send me a Nessus export for an engagement they are working on for me to take a look at. I don't really know all that many people that genuinely enjoy sifting through XML, so I put together a simple script to parse the file and output to console. Just to make my life easier, I also added colorization based on the CVSSv3 scale.

+ Continue reading

27th May 2015


scepwn-ng is a wrapper script for launching winexe/psexec at a target, which then runs shellcode exec from a samba share with a msf generated reverse shell. As the executable never touches disk, it is highly effective at evading a/v. Layer 2 attacks are highly effective in most environments, and credentials are often cracked within the first few hours of an engagement. This tool was developed to simplify the task of going from credentials to a shell on a target machine.

+ Continue reading

27th April 2015

Burp Loader

I wrote a simple ruby script to help with loading large lists of URLS/IP's into Burp Proxy. Historically, I would just use the "Open Multiple Tabs" add-on in Firefox to accomplish the task, but when confronted with an external pentest for 300+ vhost's I decided it was time for a change. The best part is bypassing the SSL certificate check.

+ Continue reading

13th April 2015

OpenEdge Decryption and DK Generation

During a recent pen testing engagement I was able to access encrypted Card Holder Data (CHD) created by an OpenEdge database. Poor key management procedures were in place allowing me to recover the cleartext and encrypted encryption key, however it did not appear to conform to PBKDF standards for PKE. Recognizing the opportunity to reverse engineer the encryption function, I took the time to discover that it uses what I will loosely call psuedo-PBKDF logic to create the encryption key.

+ Continue reading

4th March 2014

7x7 Practice Lock

Last year I picked up a 7×7 practice lock from LP101 user Mr. Wizard. It is a rather interesting top loading 7 pin lock with a Schlage SC4 keyway. The beauty of the design is that you can change the bitting in seconds, and also limit your access to working on a single pin stack at a time. As you can imagine, the lock can be transformed from a single pin lock to a 7 pin with serrated and spool pins for an added challenge in no time at all.

+ Continue reading

3rd March 2014

PyHash - A Python based hash generator

I wrote a basic Python script today for generating hashes. The entire driving factor for this was the lack of hashing functionality in many operating systems, Windows specifically. I've used FCIV in Windows before, but generating anything above a SHA1 hash on Windows (7 specifically) is still cumbersome.There are thousands of other tools out there, but if you want a simple Python 2.X tool for the task feel free to use at your discretion.

+ Continue reading