Creating evil WiFi hotspots, network bridges and complex hybrids

Intercepting traffic between devices and the internet is part of the day-to-day work of an IoT pentester. More often than not, those devices only support one type of connectivity, and it is usually the one you don't have at hand at that moment (well, at least sort of 😉 ). So, this guide will show code snippets for creating (evil) access points and network bridges (under Linux) for:


Bypass PassKey-Entry Authentication in BT-LE

As part of my bachelor's thesis in information technology, published in 2020, I investigated a largely unknown weakness in the Bluetooth Low Energy (BT-LE) pairing process and developed a concept to prove it in practice.

The basis for this is a document[1] by Tomáš Rosa, who claims that the mathematical function used to calculate the pairing confirmation values can be bypassed. As far as I could determine, nobody has addressed this particular issue since the publication of Rosa's document in 2013.

In this blog post, I present the results of my thesis in short form. In the end, the vulnerability was practically exploited, and all tested devices, across BT-LE versions v4.0 to v5.1, were affected.


Write-up: Hack The Box – Rope Two

The machine Rope2 by r4j is probably (one of) the hardest boxes on HackTheBox.eu, with only 104 system owns after 202 days. The theme of the box is more or less "research", since it requires (gaining) knowledge in many different fields: browser exploitation, esoteric heap feng shui, and finally Linux kernel exploitation. For me, all three fields were pretty new, and thus I had a lot to learn (over the course of almost exactly three months).


Customizing Desinfec’t (and other Linux Live disks)

Desinfec't, formerly known as Knoppicillin, is an Ubuntu-based Linux distribution created by the c't Magazine for Computer Technology. It contains several anti-virus engines (currently ESET, F-Secure, Kaspersky and Sophos), as well as several tools for recovering systems after malware incidents.


ARM-X Challenge: Breaking the webs

At the beginning of November, @therealsaumil announced "a brand new IP camera CTF challenge" on Twitter:


Write-up: DVAR ROP Challenge

Not long after I took the "ARM IoT Exploit Laboratory" training by @therealsaumil, the following tweet popped up on my timeline:


BurpSuite – Update HTTP Header in Session Handling Rules

Marko has worked as a security professional since 2012 and performs assessments focused on web application security and code audits.

Introduction

First, this post will not cover the basics of recording macros or using session handling rules in Burp Suite; there is plenty of introductory material on the internet [1][2]. However, by default, Burp is unable to update or modify an HTTP request header using session handling rules and macros. This can cause problems when you test REST APIs or applications that protect requests with one-time CSRF tokens. Further, the PortSwigger community blog is not very helpful on this problem [4][5].

Hooking Burp Suite in Client Software Communication

After learning to inspect security from all perspectives from Prof. Pfitzmann at university, I have been working as a penetration tester and IT security consultant since 2009. I have seen many, many different applications, architectures and technologies since then.
Web applications, web services, Oracle, MySQL, Linux and SAP R3 are my focus technologies, while my activities are widely spread: manual penetration tests, static code analysis, code reviews, consulting, project management.

Ever needed to redirect HTTP(S) traffic to Burp Suite from client software that does not support configuring a proxy?

Ergonomic Password Generator


To secure applications, it is often necessary to verify the identity of the user; this process is called authentication. There are several methods to authenticate a user, with passwords being the most common one. Passwords are usually chosen by the user. Those user-chosen passwords are often not strong enough and can easily be guessed by brute forcing or simple deduction (e.g. pet names).

Using Chrome Logger in BurpSuite


In February of this year, a blog post in the OWASP ZAP newsletter pointed us towards an interesting technology called Chrome Logger. Chrome Logger can be used to display server-side debugging information in the browser's web console (e.g. in Firefox) at runtime.

How it works

First, download and import the server-side library, which is available for different languages like …