Conference: c0c0n 2025

Slides: https://mrt-c0c0n.netlify.app

:%!COMMAND

:%!sort # sort all the lines alphabetically

:%!sort | uniq #remove duplicate lines

:%!tac #reverse lines (last line to first line)

:%!base64 -d #base64 decode one line at a time

Extract IP addresses in a file

:%!grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'

Create custom commands for repeatable tasks

You might want to repeat tasks regularly. For example:

You want to encode all the lines in the file (one line at a time). The below vim command would register a custom command EncodeLines that will take one argument and operate that argument on one line at a time. Now, you can use this base64, xxd, sha256 or anything else as long as your shell has the command.

:command! -nargs=1 EncodeLines execute '%!awk ''{print $0 | "' . <q-args> . '"; close("' . <q-args> . '");}'''
:EncodeLines base64
:EncodeLines xxd

You might want to remove empty lines in a file regularly

:command! RemoveEmptyLines g/^$/d

Add these lines to ~/.vimrc for persistence.

Where did I learn (steal!?) this from? #

• https://www.youtube.com/watch?v=l8iXMgk2nnY

https://github.com/0xbharath/ctlog-utilities/

crt.sh by Comodo provides direct DB access to it’s CT Logs. There is a 1-12 hours delay though.

psql -h crt.sh -p 5432 -U guest certwatch \
-c "SELECT id, x509_commonname(certificate) AS common_name FROM certificate WHERE identities(certificate) @@ plainto_tsquery('navigalactic.com') AND lower(x509_commonname(certificate)) LIKE '%.navigalactic.com' ;"

Where did I learn (steal!?) this from? #

“Let’s say I want a list of usernames of all the people who starred a project on Github via Github API.”

1. Let’s call the API using curl and find the number of elements in the JSON returned

curl "https://api.github.com/repos/tomnomnom/gron/stargazers" -s | jq length

The JSON is farly large. Let’s get to parsing it.

2. Use Gron to understand the structure of the JSON file.

gron "https://api.github.com/repos/tomnomnom/gron/stargazers" -s

json = [];
json[0] = {};
json[0].avatar_url = "https://avatars.githubusercontent.com/u/369020?v=4";
json[0].events_url = "https://api.github.com/users/iamthemovie/events{/privacy}";
json[0].followers_url = "https://api.github.com/users/iamthemovie/followers";
json[0].following_url = "https://api.github.com/users/iamthemovie/following{/other_user}";
json[0].gists_url = "https://api.github.com/users/iamthemovie/gists{/gist_id}";
json[0].gravatar_id = "";
json[0].html_url = "https://github.com/iamthemovie";
json[0].id = 369020;
json[0].login = "iamthemovie";

The login field seems to have the username of the stargazer. Let’s now use the output of gron with jq to extract all the usernames.

This is the beauty of Gron. It makes JSON greppable and also it gives you a flat visual structure of what the JSON looks like. You can simply copy paste the flat representation of a specific element to get the exact elements and their values in large JSON files

• Replace the json keyword with .
• Remove the index numerical to get all the usernames

curl "https://api.github.com/repos/tomnomnom/gron/stargazers" -s | jq ".[].login"

Let’s do a similar activity. Using Known Exploited Vulnerabilities Catalog JSON, list the names of all the vendors whose products are being attacked actively in the wild.

gron https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | jq ".vulnerabilities[].vendorProject" | sort -u

Where did I learn (steal!?) this from? #

• https://github.com/tomnomnom/gron
• https://www.youtube.com/watch?v=TOgbERklQr4

# Blame for specific lines
git blame -L start,end /path/to/file
git blame -L 21,42 config.yml

Where did I learn (steal!?) this from? #

• https://www.youtube.com/watch?v=aolI_Rz0ZqY

TL;DR:

This blog is on my views around choosing a platform for an Open Source project’s community.

Spoiler alert: I like forums that can be indexed by search engines, can be read without logging in and doesn’t need additional software.

We moved our Mantis project community from Discord to Github discussions https://github.com/PhonePe/mantis/discussions

Of late I have noticed a trend among lot of Open Source projects where they use collaboration or communication platforms like Slack/Discord for managing their communities. There are also projects using messaging platforms like Telegram. Examples include:

• ProjectDiscovery using Discord
• Frida using Telegram https://frida.re/contact/
• Null community using WhatsApp, Discord etc https://linktr.ee/nullcommunity

I’m one of the maintainers for a small Open Source project called Mantis. We started off using Discord for community management. However, I personally observed few pitfalls in using these platforms for community management instead of using “open” forums. We eventually decided to use “Github Discussions” forums instead of Discord as our primary point of community interactions. I’ll discuss a few points that led us to this decision:

Killing the “Wisdom of the Ancients” #

Have you ever had to work on some niche technology or ran into some obscure error that you couldn’t solve yourself? In your despair, you had to turn to Stack Overflow or support forums for a solution. You most probably found your answers lying in some ancient forum thread. The “Wisdom of the Ancients” has come to your rescue!

A lot of technical troubleshooting relies on leveraging the “Wisdom of the Ancients”. Personally, I would have given up on using Linux as my primary OS in earlier days if it were not for the Wisdom of the Ancients on the support forums.

Most of the collaboration/messaging platforms are behind login and are not indexable by search engines. This means, your community needs to be on the platform and are at the mercy of the platform’s search. I personally noticed that we were solving the same issue multiple times because of the inefficiencies of the search and interface on these platforms.

I like forums that are open for reading by anyone on the Internet and are indexable by search engines or archival services like WayBack machine.

Walled garden vs Bazaar #

Most of the new-age collaboration platforms act like walled-gardens. They are behind a login, running on platform provider’s infrastructure and they recommend using their new flashy desktop client.

This creates a significant barrier for hobbyist users that just want test the waters and get involved with your project.

I prefer forums that can be read by anyone with a working Internet connection and a browser.

The “chatting” mindset #

This point is highly-opinionated. Most collaboration/messaging tools fixate the users into a mindset of “chatting”/“talking”. This sorta sets an unrealistic expectation on the project maintainers to respond quick and often.

The “chatting” mindset can be great to get conversations/discussions to kick-start but I noticed that these “chatting” quickly evolves into a banter that doesn’t add value and in turn drowns any meaningful conversations. This can also turn into a nightmare for moderation.

Although this maybe seem insignificant, this mindset can affect the project’s community in a long term.

Final thoughts #

So, what would work for your Open Source project? Like with all the engineering problems, the answer is, “it depends”. I’ll conclude this blog with the closing points from a better blog post on this topic:

As alluded to initially, you can of course use both tools at different times in your community’s evolution. I think the longer you build, the more you’ll move to a forum or other public knowledge sharing solution.

Well, what do you want to emphasise? Long term aggregation of knowledge and a culture of completeness, or community and a culture of immediacy.

Additional reading #

• https://en.wikipedia.org/wiki/Closed_platform
• https://www.mooreds.com/wordpress/archives/3451
• https://x.com/mooreds/status/1381286576903233536

Conference: BlackHat Europe (Arsenal) | 06th Dec 2023

Slides Deck: https://speakerdeck.com/0xbharath/mantis-asset-discovery-at-scale

Conference: ThreatCon | 15th Sep 2023 | Kathmandu, Nepal

Slides Deck: https://speakerdeck.com/0xbharath/breaking-ios-security-testing-barrier

This blog post is my ad hoc notes on setting up and automating Yubikey 5 series on Linux/MacOS

The setup and automation works for my specific scenarios, environment and threat model. Your mileage may vary.

Software required #

Once you have the Yubikeys, the following are the quintessential software to work with Yubikeys -

1. Yubikey Manager - configure FIDO2, OTP and PIV functionality on your YubiKey
2. YubiKey Manager CLI (ykman) - Because CLI is the way to automate
3. Yubico Authenticator - To work with TOTPs (Simply put, OTPs for which you use “Authenticator” apps)
4. yubikey-agent - ssh-agent for YubiKeys

Working with Time based one time passwords (TOTPs) #

You are in luck if the application you want to secure with MFA supports Yubikeys natively (FIDO2/FIDO U2F) such as Github etc. A lot of applications (VPNs, SSH MFA etc) do not support FIDO2/FIDO U2F and they support only TOTP that requires an Authenticator app on a secondary device (mobile phone).

Using Yubikeys, you can make your TOTP mechanism relatively more secure and usable by storing the TOTPs on the Yubikey that on the Authenticator app on a mobile or worse, using browser extensions like Autheticator which nullify the security provided by MFA.

Yubikeys + TOTPs are still not the best from usability PoV because you still have to retrieve the OTP from the Yubikey and enter the OTP but in my opinion, storing TOTP on Yubikey is a better storing on an app on mobile device

1. Install Yubico Authenticator on your mobile device and pair it with your Yubikey (I have a Yubikey with NFC so I do it via NFC)
2. Scan the QR code of your TOTP using Yubico Authenticator, this will store the TOTP on the Yubikey
3. Alternatively, you can use ykman to add a TOTP to your Yubikey (https://docs.yubico.com/software/yubikey/tools/ykman/OATH_Commands.html)

ykman oath access change # set password for OATH codes access 
ykman oath accounts add <NAME> --touch` # Add an OATH TOTP to Yubikey

1. You can not read the code on the Yubikey using ykman oath accounts code <NAME>
2. You can automate the above process by using bash functions (or alias) added to your shell config (.zshrc for ZSH)

my-vpn-otp () {
    echo "Generating OTP for VPN"
    ykman oath accounts code <NAME> | cut -d " " -f 3 | pbcopy
    echo "Code copied to clipboard!"
}

Hardware-backed (yubikey) SSH authentication #

You can secure your SSH autnetication by using Yubikeys for hardware based authentication. You can secure SSH private keys with the YubiKey by importing them or generating the private key directly on the YubiKey. Private keys cannot be exported or extracted from the YubiKey.

https://developers.yubico.com/SSH/

OpenSSH version 8.2p1 added support for FIDO hardware authenticators. FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk", along with corresponding certificate types.

ssh-keygen -t ecdsa-sk -O resident

The easiest way of setting up SSH key based authentication is using yubikey-agent.

Just install yubikey-agent and run yubikey-agent -setup, you are good to go!

Other tips #

• You can remember the OATH TOTP password for Yubikey for a given session using ykman oath access remember

Better blogs on the same topic #

• https://github.com/drduh/YubiKey-Guide
• https://debugging.works/blog/yubikey-cheatsheet/
• https://felixhammerl.com/2022/08/29/yubikey-madness.html
• https://gist.github.com/reanim8ed/35a998b018f976e1189fe7266b2d1a43
• https://www.dzombak.com/blog/2021/02/Securing-my-personal-SSH-infrastructure-with-Yubikeys.html

Creator: Bharath

Recommended Class Duration: 2 hours

Class content: Documentation & Labs at https://github.com/0xbharath/Effective-OpenSSH-Client-Usage-Workshop/

Conference: ThreatCon | 15th Sep 2022 | Kathmandu, Nepal

Slides Deck: https://speakerdeck.com/0xbharath/frida-unleashed-scratching-beneath-the-surface-of-bug-bounties

Conference: Webinar

Slides deck: https://speakerdeck.com/0xbharath/an-attackers-guide-to-aws-access-keys

Creator: Bharath

Recommended Class Duration: 4 hours

Class content: Documentation & Labs at https://github.com/appsecco/attacking-cloudgoat2

This post is inspired by a post by Remy Sharp at https://remysharp.com/2018/08/23/cli-improved

Please read that blog post as I won’t repeat some tools mentioned in that blog

If you use *nix OS then you’ll find yourself using command-line more often than not. I find myself using the command-line majority of the time and I prefer using CLI over GUI. Linux command-line by default has tools that are mature and powerful to get most tasks done.

Over the years, I have picked up various tools that are not available by default in Linux command-line. I use these tools extensively to improve my CLI experience and stay productivity.

In this blog post, I’ll list various tools that I use to improve my CLI experience. I’ll try not to repeat the tools mentioned in Remy blog post unless necessary.

fzf > ctrl+r #

In terminal, ctrl+r is used to search through history but I found ctrl+r to be not intutive. fzf is a great alternative to ctrl+r.

Project page: https://github.com/junegunn/fzf

Remy blog covers this tool: https://remysharp.com/2018/08/23/cli-improved#fzf--ctrlr

zoxide > fasd > cd #

This section recommended fasd in the past but the project is deprecated. Use zoxide instead.

Project page: https://github.com/ajeetdsouza/zoxide

Traversing directories is one of the most tedious things to do on the command-line. zoxide boosts your productivity by offering ways to quickly access to files and directories.

Zoxide ranks files and directories by “frecency,” that is, by both “frequency” and “recency”

Zoxide defines various powerful commands but I tend to use the following commands frequently

• z <keyword>: To quickly switch to the highest weightage directory with the keyword
• zi <keyword>: List of all directories with the keyword and their corresponding weightage
• zoxide add <dir>: Add a specific directory to zoxide

zoxide required fzf as a prerequisite.

fd > find #

find is a command to find files. Although powerful, it is a struggle to remember the syntax for the find command.

fd is a great replacement for find. The command suntax is straight forward and covers all the common use cases.

Remy blog covers this tool - https://remysharp.com/2018/08/23/cli-improved#fd--find

trippy > mtr > traceroute #

This section recommended mtr in the past but I have started to use trippy often. mtr and trippy are great tools solving the same problem.

Project page: https://github.com/fujiapple852/trippy

trippy is a combination traceroute and ping functionalities. It is quite handy when diagonising network issues.

trip disruptivelabs.in

nnn > ranger > GUI file managers #

Project page : https://github.com/jarun/nnn

Installation - https://github.com/jarun/nnn#installation

nnn is blazing fast and lightweight CLI file manager. I also like ranger as an alternative but nnn flow feels more natural and faster.

Socat > Netcat #

Project page : http://www.dest-unreach.org/socat/

This one is might be a little obscure. I do security assessments and often I need to use tools that connect to different hosts/ports and also forward ports etc.

socat is an incredibly powerful tool for network relays, forwarding ports etc. It supports IPv6 and SSL. Socat has strange syntax but once you get hold of the syntax, you can do magic with socat.

jq #

Project page : https://stedolan.github.io/jq/

Installation - https://stedolan.github.io/jq/download/

JSON has become defacto format for data exchange. jq is a command-line JSON processor which is quite handy while working with JSON streams. The syntax is a little tricky to get hold of though

curl -s 'https://api.github.com/repos/stedolan/jq/commits?per_page=5' | jq .

Tig ~ Git #

Project page : https://github.com/jonas/tig

Installation - https://github.com/jonas/tig/blob/master/INSTALL.adoc

tig is a great compliment to git. tig makes git through CLI more intutive.

I use the following tig commands often -

1. tig - equivalent of git log
2. tig status - qquivalent of git status but cleaner and interactive
3. tig refs - equivalent of git tag -n

Other mentions #

• i3wm Powerful, resource efficient, productive tiling window manager. The learning curve is steep but totally worth it. Customisation is the key.
• Oh My Zsh Glorified Bash. I find that using zsh & Oh My Zsh make me relatively productive
• Terminator Linux terminal on steroids with tabs, layouts and shortcuts etc
• HTTPie curl for humans
• direnv Manages directory specific environments
• asciinema Tool to record and share a terminal session (Not videos)

References #

• https://github.com/alebcay/awesome-shell
• https://github.com/BurntSushi
• https://www.atlassian.com/blog/git/git-tig
• http://jonas.nitro.dk/tig/manual.html
• https://blog.dnsimple.com/2017/07/ag-a-better-unix-search-tool/

Conference: Null Bangalore | 17th November 2018

Slides Deck: https://speakerdeck.com/0xbharath/features

https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288

https://blog.appsecco.com/open-source-intelligence-gathering-201-covering-12-additional-techniques-b76417b5a544

Conference: Bugcrowd LevelUp 0x02 | 26th May 2018 | Online

Github repo: https://github.com/appsecco/practical-recon-levelup0x02

Slides Deck: https://speakerdeck.com/0xbharath/practical-recon-techniques-for-bug-hunters-and-pentesters

Video: https://youtu.be/McLdm4c1oLs

https://medium.com/disruptive-labs/a-quick-primer-on-encoding-decoding-for-security-folks-a021afd98fbe

Conference: Null Bangalore | 10th March 2018

Talk repo: https://github.com/0xbharath/understanding-wmi/

Slides deck https://speakerdeck.com/0xbharath/understanding-windows-management-instrumentation-wmi

https://blog.appsecco.com/hunting-publicly-accessible-digitalocean-spaces-for-pentesters-9516a4cd3c87

Conference: Bsides Delhi | 27th Oct 2017

Repo: https://github.com/appsecco/bsides-delhi-recon

https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6

https://blog.appsecco.com/certificate-transparency-part-3-the-dark-side-9d401809b025

https://blog.appsecco.com/certificate-transparency-part-2-the-bright-side-c0b99ebf31a8

https://blog.appsecco.com/certificate-transparency-the-bright-side-and-the-dark-side-8aa47d9a6616

Conference: Bugcrowd LevelUp | 15th July 2017 | Online

Github repo: https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration

Slides Deck: https://speakerdeck.com/0xbharath/esoteric-sub-domain-enumeration-techniques

Video: https://www.youtube.com/watch?v=e_Gq99CKAys

Conference: Null Bangalore | 17th June 2017

Slides Deck: https://speakerdeck.com/0xbharath/dns-for-penetration-testers

https://medium.com/disruptive-labs/virtualboxs-little-secret-command-line-924442d9a2dc

Conference: Null Bangalore | 17th Dec 2017

Slides Deck: https://speakerdeck.com/0xbharath/pentesting-ipv6-networks

Creator: Bharath

Class Pre-requisites: Python programming: Foundations / Google’s Python Class / Python in one easy lesson or equivalent.

Lab setup: The VM’s used for workshop are available at https://archive.org/details/pysos_class3_labs_32bit.7z

Recommended Class Duration: 1-2 days

Class Notes: https://scapy.disruptivelabs.in

Creator: Bharath

Class Pre-requisites: Python programming: Foundations / Google’s Python Class / Python in one easy lesson or equivalent.

Lab setup: Network playground by Brandon Rhodes

Recommended Class Duration: 1-2 days

Class Notes: https://0xbharath.github.io/python-network-programming

Conference: Null Bangalore | 13th Aug 2016

Slides Deck: https://speakerdeck.com/0xbharath/iot-exploitation

Creator: Bharath

Class Pre-requisites: Familiarity with some programming language(Not necessarily Python).

Lab setup: Any machine with Python 2.7.x installed is enough to practice.

Recommended Class Duration: 1-2 days

Class Notes: https://0xbharath.github.io/python-foundations/