Getting into Exploit Development

Been really busy lately trying to get deep into exploit development, C, assembly, messing around with debuggers, disassemblers & low level stuff. It’s just so much stuff to learn that it’s somewhat overwhelming. Wish I had started earlier so that I could have gained a lot of experience by now; but it’s better late than never.

The main barrier for me right now is getting access to a Windows environment. Since I’m a Linux guy, everything I own is configured to run Linux and going through the trouble of reinstalling Windows (dual boot) seems like too much work. But I’ve somehow managed to get Windows running in a VirtualBox, though it still feels kinda annoying to switch back and forth all the time.

I’ve been going through a lot of books lately, especially Gray Hat Python, Hacking: The Art of Exploitation, The Shellcoder’s Handbook, etc.

Only problem I’m facing right now is that I’ve very little coding experience with C or Assembly, so going through all the coding samples seems to be taking a lot more time than usual. Also coming from Java & Python, the world of C & Assembly feels like I’m left with sticks and stones.

Nonetheless I do see the reason behind the existence of low level languages, and I hope I have the patience and motivation to continue learning and finally master them.

If you have any suggestions for me, or if you’ve been there before, feel free to let me know :)




New features coming to Gen2k!

Gen2k is kind of what’s driving half the traffic on my blog right now, so I’ve decided to add some interesting features to it.

Alright, these changes are being implemented (work in progress) and will hopefully be available within the next few days.


1) Option to add a packet capture file (.pcap) to crack a WPA handshake with save option.

First of all, I felt the real need for a save option in the aircrack-ng toolkit when cracking a handshake. Whenever you crack with a big wordlist, aircrack-ng doesn’t save the progress, so you’re forced to start from the beginning all over again if the cracking is somehow interrupted. So what Gen2k will do is act as a frontend on top of aircrack-ng. It’ll give you the ability to quit at any time while also creating an automatic save file so that you can auto-resume your particular cracking session at any time. This is really convenient because you’ll be able to persistently crack a handshake with a wordlist of, let’s say, a few gigabytes in size without losing track of progress. Also there’ll be a progress indicator that actually shows your cracking progress based on the wordlist you’ve used. I’m also planning to add the feature of just dumping a folder full of wordlists and Gen2k will take it from there, but let’s see if I have enough time for that too :)


2) Efficient memory usage

I’m currently busy perfecting Gen2k to be memory efficient. Previously Gen2k used to load all the tasks in memory at the same time, therefore if you had a really big wordlist and not sufficient free memory, you’d end up crashing the program. But now things will be different, as Gen2k will set aside only a significant portion of the freely available memory to do the processing and will load things depending on the amount of memory available.


3) Advanced wordlist processing algorithm

For the handshake cracking part, Gen2k will use more space on the hard disk but it’ll be efficient on how it does things. More details will be provided later.


4) Depth search

Some people requested to have depth as a feature to make Gen2k more flexible, I hope to introduce that too!

Well that’s pretty much it, perhaps if I do get enough time I’ll also introduce a GUI for Gen2k to make things easier, not sure if I’d have the time for that.

Also if you have any further suggestions or criticisms for improving my tool do let me know, I do listen to my users. Keep your eyes on my blog for the next few days, or you might miss out on the new Gen2k release!



It seems to me like it is better to keep Gen2k dedicated to being a wordlist generator, and I think I’d be better off creating a separate application to act as a frontend to aircrack-ng & also to be a solid, automated wireless cracker.


Router Intrusion

Recently, a friend of mine asked me to take a look at his home network & see if it’s secure or not. So the first thing that came into my mind was obviously the security state of his router. He’s not a technical user, so I expected that the router might be left in an insecure state (default passwords still on), etc.

When I tried logging in through the web interface with default passwords, it failed. That was kind of suspicious because he told me he didn’t know how to change his router’s password. Upon further inspection I realised that it was running the telnet service. Then I thought, why not just bruteforce the router’s telnet service using my custom coded tool Autobrute.

I used a small wordlist of commonly used passwords and after about 2-3 mins got root access. Next I decided to investigate further via telnet, and the things that I found totally caught me by surprise.

It was a BusyBox router. BusyBox is a minimal Linux-based system with only a limited subset of command-line tools, but sometimes those tools are more than enough to do what you want from the point of view of an intruder. I used the ps command to list all the running processes and noted something quite interesting at the end.



What were those tools and why were they connected to those IP addresses? Those tools were not in the /bin directory, so obviously they didn’t come prepackaged with the BusyBox operating system. I navigated to the /home directory and discovered all those tools in their unpacked state.

.mtgox in /home didn’t reveal anything when I tried running it with the --help argument.

Whereas when I ran the other tool, hIAJKp, it gave me this:


Obviously from what I can see this tool is a bitcoin miner; upon googling further it turned out to be coded specifically for the ARM architecture, so it can run on anything from your smartphone to your router, etc.

What is a bitcoin? Unless you’ve been living under a rock for the past 4-5 years, you should know that it’s an online cryptocurrency.

In other words, the intruder was using this tool on my friend’s router with one goal: mine bitcoins & benefit himself using the bandwidth as well as the limited processing power of the router.

I wanted to investigate a lot of other things further but due to lack of time wasn’t able to.

One of the things that’s good about routers in general is that they use the SquashFS filesystem, which is read-only. That means whatever you decide to keep on the router stays there only temporarily and is only good till the next reboot. So after resetting the router manually, the bitcoin miner & all the other tools planted by the intruder disappeared, which is good.

Next I secured the router with a strong password, made some changes to make sure the web interface isn’t available remotely & called it a day :)

Power Saving GOD Mode on Linux (Part – 2)

This is the advanced guide to Linux power saving. Advanced in the sense that I’ll walk you through the process of learning about the different modules used by your kernel, and how to apply the different power management settings supported by your hardware.

Part of the hacker mindset is to learn, explore & think outside the box which can sometimes lead you to a whole new world of opportunities & at other times can cause you trouble if you’re not careful enough ;)

Alright, so first of all you need to know the devices which are present in your system (e.g. graphics card, wireless adapters, etc.) and the modules they use that support power management options.

One way to find that out is to use the command: lspci -v


The command shows you a lot of details but, as you can see above, I have an integrated Intel card running the kernel module i915 & an Atheros wireless card running the ath9k module.

Okay so what you need to do next is learn more about the options supported by these modules.

You can do so by using the following command: modinfo -p [module name]

In my case these are the parameters supported by the module (ath9k) used by my wireless card.


As you can see, there’s the flag ps_enable which can be activated to enable power management. By default it’s not activated, and even when I try to enable it through powertop it doesn’t seem to work. So in order to make sure that feature works I have to enable it by explicitly stating it in my boot settings.

We’ll get to that part (enabling it in the boot settings) a bit later, but first let’s see the power management options supported by my Intel card.


The module i915 has a lot of features but I decided to just focus on the power saving aspect of it.

As you can see there are 4 main features (i915_enable_rc6, i915_enable_fbc, lvds_downclock, enable_pc8) that you can enable in your boot settings to make them work properly. By default some of these features are probably disabled because they are known to cause problems with certain types of hardware. Therefore you should be cautious about which feature you plan on enabling & double check to see if everything works out fine.

As you can also see in the description of these parameters, most take 1 to enable and 0 to disable, so use them accordingly.

Let’s get started on setting up these parameters in our boot settings. Personally I use grub as my bootloader, which is the default bootloader on a lot of popular distros like Ubuntu, Mint, etc.

The default location for the grub config file on my distro is /etc/default/grub

Open that config file in your favourite text editor; make sure you have root privileges.

Go to the line that starts with GRUB_CMDLINE_LINUX_DEFAULT:


There will probably be some parameters set in that line already, but to enable our power management parameters we have to add them in this form:

[module name].[module function]=value

e.g. ath9k.ps_enable=1

Each supplied parameter has to be separated by a space. Therefore the setting in my grub file looks like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_pstate=disable ath9k.ps_enable=1 i915.i915_enable_rc6=1 i915.lvds_downclock=1 i915.i915_enable_fbc=1 i915.semaphores=1"

After you make the changes don’t forget to run the command update-grub, otherwise the parameters won’t be set.
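To catch a misspelled module parameter before update-grub (the kernel silently ignores unknown ones, which looks exactly like "the feature doesn’t work") and to confirm after the reboot that the module really picked the value up, here is a small shell script I added as an illustration; it is not from the original post. The parameter table in known_params is an assumption built only from the names mentioned above, and check_cmdline, param_applied and SYSFS_ROOT are hypothetical helper names.

```shell
#!/bin/sh
# Constructed example, not from the original post: sanity-check the
# module.param=value entries meant for GRUB_CMDLINE_LINUX_DEFAULT before
# running update-grub, and after a reboot confirm the kernel applied them.

# Parameter names per module. The table only holds the names the post
# mentions (an assumption about your kernel); on a real machine replace
# its body with:  modinfo -p "$1" | cut -d: -f1
known_params() {
    case "$1" in
        ath9k) echo ps_enable ;;
        i915)  printf '%s\n' i915_enable_rc6 i915_enable_fbc lvds_downclock enable_pc8 semaphores ;;
        *)     return 1 ;;      # module we know nothing about
    esac
}

# check_cmdline "quiet ath9k.ps_enable=1 ..." prints one verdict per
# module.param=value entry and returns 1 if any entry is unknown or malformed.
check_cmdline() {
    status=0
    for word in $1; do
        case "$word" in
            *.*=*) ;;       # module.param=value is the only form inspected
            *) continue ;;  # quiet, intel_pstate=disable etc. are core kernel options
        esac
        mod=${word%%.*}
        rest=${word#*.}
        param=${rest%%=*}
        value=${rest#*=}
        if ! known_params "$mod" | grep -qx "$param"; then
            echo "UNKNOWN $word (module $mod has no parameter $param)"
            status=1
        elif ! echo "$value" | grep -Eq '^-?[0-9]+$'; then
            echo "BAD-VALUE $word (expected an integer such as 0 or 1)"
            status=1
        else
            echo "ok $word"
        fi
    done
    return $status
}

# After reboot: param_applied module param expected compares the value the
# module exposes in sysfs with what the cmdline requested. SYSFS_ROOT can be
# overridden to run the check against a saved copy of the sysfs tree.
param_applied() {
    f="${SYSFS_ROOT:-/sys}/module/$1/parameters/$2"
    [ -r "$f" ] || { echo "no such parameter file: $f"; return 2; }
    actual=$(cat "$f")
    case "$actual" in Y) actual=1 ;; N) actual=0 ;; esac   # bool params show as Y/N
    [ "$actual" = "$3" ]
}
```

Run check_cmdline on the quoted part of your GRUB_CMDLINE_LINUX_DEFAULT line; after the reboot, param_applied ath9k ps_enable 1 should succeed.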

Also, as you can see from the settings in my grub config file, I’ve set the parameter intel_pstate=disable.

From what I’ve heard, the intel_pstate driver has issues with certain processors, or the implementation doesn’t really work that well for power management, etc.

I’ve disabled pstate & configured tlp to clock my cores at the speeds that I want.

These are the settings in my tlp config file, located at /etc/default/tlp:





I’ve set the minimum frequency of the cores down to 800 & I think by default it used to be around 2000. After a reboot the changes should take effect & you might notice less heating or power usage from your CPU as well.

Also, I currently run the 3.14 kernel (did notice slight power improvements), and having made all these changes my power usage dropped to 9W (lowest) & averages about 10-11W.

So that’s it for my Linux power saving guide. I hope I’ve been able to share what I’ve learned & that it helped some people. If I had this knowledge earlier I’d have been so much happier; I would appreciate any feedback.

Thanks :)

Power Saving GOD Mode on Linux (Part – 1)

Some people who use Linux on a daily basis have a lot of trouble configuring their system to attain the optimal power saving features supported by their hardware (mainly due to lack of experience), which is why the battery life on Linux is not even close to that on Windows. It’s not just about configuring the features; sometimes it can be due to the driver itself lacking good power management support for certain hardware.

Anyway, I’ve been looking around a LOT and I finally think I’ve gained some of the wisdom to understand how and what to tweak to get the most out of my laptop’s battery, and I wish to share it with you! :)

Okay, so there are a lot of things to look for & there are many tweaks to be made depending on your preferences & hardware. The basic configuration should be the same regardless of your hardware, but for the advanced configuration I’ll show you the steps towards detecting & enabling the power management configuration at the kernel level manually. There’s a lot to write about, so I’ve decided to split it into two parts. This part will only cover the basics; in the next part I hope to cover the advanced configuration stuff.


Basic Configuration:

First of all, there are 2 main utilities on Linux that automatically optimise your hardware settings for power management depending on whether your laptop is plugged into a power source or not.

1) TLP (

2) Laptop-mode-tools (

You have to choose one of the above tools but not both, as they conflict with each other. I personally would recommend going with TLP as it has good power management defaults & automatically does everything for you, whereas with laptop-mode-tools you would have to configure the settings manually before you can start using it, which can be quite time consuming; but it’s up to you. Please follow the steps in the wiki accordingly, and also note that with either tlp or laptop-mode-tools you may need to add USB device hardware IDs (for devices like a mouse, etc.) to the configuration file to make sure they keep working after your laptop is unplugged from the power source.


After installing and configuring one of the above tools, I’d recommend installing Powertop (

Powertop is the main tool you rely on to get statistics about your laptop’s power usage.

With this utility you get to see how many watts of power each device is using.



You can even enable some power management settings for your hardware from within powertop if they’re not enabled already.



For me personally, since I’m paranoid about security, I blacklisted the bluetooth and webcam modules completely so that they don’t load at boot by any chance, as I don’t use those services anyway. That’s also a good way to save power. If you’re on systemd, you can create a file in /etc/modprobe.d/ with the following contents to do the same.
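As an added illustration (not from the original post), a small shell script that writes such a modprobe.d fragment and checks whether the modules are still loaded; the module names bluetooth, btusb and uvcvideo are assumptions about typical laptop hardware, and blacklist_conf, module_loaded and PROC_MODULES are hypothetical helper names.

```shell
#!/bin/sh
# Constructed example, not from the original post: generate a modprobe.d
# fragment that keeps unused modules from loading at boot, and check whether
# they are loaded right now. Module names are assumptions: bluetooth/btusb
# for Bluetooth, uvcvideo for most USB webcams. Confirm yours with lsmod.

# Print the fragment for /etc/modprobe.d/<name>.conf.
# "blacklist" only stops alias-based autoloading; a module that another
# module depends on, or that something requests by name, still comes in.
# "install <mod> /bin/false" makes modprobe refuse the load outright, which
# is what you want for a device you never intend to use.
blacklist_conf() {
    for mod in "$@"; do
        printf 'blacklist %s\n' "$mod"
        printf 'install %s /bin/false\n' "$mod"
    done
}

# Report (via exit status) whether a module is currently loaded.
# PROC_MODULES is overridable so the check can run on a saved /proc/modules.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${PROC_MODULES:-/proc/modules}"
}

# Typical use, as root:
#   blacklist_conf bluetooth btusb uvcvideo > /etc/modprobe.d/power-blacklist.conf
# then rebuild the initramfs (update-initramfs -u on Debian/Ubuntu,
# mkinitcpio -P on Arch) so the rule also covers modules loaded before the
# root filesystem is mounted, and reboot. Afterwards
#   module_loaded bluetooth && echo "still loaded"
# should print nothing.
```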



Next we move on to CPU related stuff: install Thermald from your package manager & enable it at boot time.

Thermald is a Linux daemon used to prevent the overheating of platforms. It monitors temperature and applies compensation using available cooling methods. You can find further information on CPU power saving on the wiki:


Also, laptops these days come with different types of discrete cards, from Nvidia to Radeon, & the drivers you decide to use will also impact your battery life. Personally I find the use of discrete cards like Radeon unnecessary as I don’t game on laptops. So I’ve also disabled the discrete card at boot time, running only the internal Intel card to save power; it reduces the heat as well, keeping your laptop cool at all times. You can do the same by following this guide:


Finally, there’s a full rundown of everything that I’ve covered in the Arch wiki, which you can use as a reference:


Personally, after applying all the configuration changes the power usage on my laptop dropped from somewhere around 16-20W to about 11-14W. That, my friend, is a major drop in power usage. I used to have a discrete card running at all times & due to lack of a working driver (new card) it used to run in the background without even being used, resulting in such high power usage. Now I’ve finally been able to power down the GPU & thus my battery life has been extended from somewhere around 1-1.5 hours to 2.5-3 hours, and best of all it’s cool at all times.


In the next part we discuss in detail some of the advanced aspects of power saving I mentioned earlier; it can also boost your battery life quite significantly depending on your hardware, etc.

Autobrute – Automated Bruteforcer

A lot of times we neglect to look into our home, office or private networks for routers, servers and various other devices running services such as telnet, ssh, ftp, etc. which haven’t been secured yet (default password hasn’t been changed). Also, for the most part, manual discovery & securing of these devices individually can be a headache, especially if you’re working in the IT department of a large company with a vast number of devices that were set up by the company yet left untouched with default passwords and connected to the internet.

Therefore I wrote a simple bash script – Autobrute.

AutoBrute takes an IP range, service name and wordlist as input. It automates everything from scanning hosts for specific services using Nmap, parsing IPs, and feeding the result to network crackers like Hydra, etc. without any user intervention. Due to the complexity & variety of different operating systems that run on routers, printers, etc. it wasn’t possible for me to automate securing them yet, but this tool makes the task of detecting such devices much faster & easier.


Usage: ./ [ip range] [ssh|telnet|ftp] [wordlist]

./ telnet wordlist.txt  




Major Openssl Bug!

I just read this today morning:

That just seems ridiculous…and it’s way past April fool’s day so doesn’t seem like it could be a joke.

So what does this mean? It basically means that before the patched version of openssl was used, everything that used the openssl library to encrypt data is basically useless… in other words people/governments can use this bug as a way to decrypt all data (using the private key) from servers that hosted it, as quoted:

“We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication”.

Well I’m no crypto expert nor do I want to doubt the difficulty of implementing a piece of cryptographic technology… but why do I have this feeling that it was a setup? I mean this bug has been there forever, the code is fully open-sourced and under the watchful eye of hundreds & thousands of crypto experts, & no one until recently (especially after the Snowden revelations) had the brains to find out something like this? I have a feeling that the bug was intentional so our Big Brother, Big Sister or whatever entity has control of our data.

From now on, I’ll think twice before trusting anyone or anything with my data.