This is the personal website of Ben Lincoln.
|Summon the Lulz|
|Posted by Ben Lincoln, 2018-01-06 @ 15:00|
|Assorted New Material|
In this completely random collection of updates, I present:
A long-overdue rewrite of Thermal versus Near Infrared, prompted by a discussion I had in email with Dr. David Wilson.
A look at how I made my Destiny Costume for Halloween, 2017.
A list of the vulnerabilities I've discovered which have been publicly disclosed: Hack the Planet.
|Posted by Ben Lincoln, 2018-01-02 @ 08:30|
|UW/ISACA Presentation Slide Deck|
Early tonight I gave a presentation at the University of Washington demonstrating some penetration testing tools. A video should be available eventually. In the meantime, if you'd like to download the slide deck I used:
Penetration Testing Slide Deck - PDF [ 51 MiB ] (yes, it's enormous compared to the PowerPoint file :( )
|Posted by Ben Lincoln, 2016-05-20 @ 01:00|
I've finally made time to post a handy utility VBScript I hacked together late last year: wg.vbs. It's a quick and dirty way to download files via HTTP from the command-line on versions of Windows® too old to support other mechanisms (e.g. PowerShell).
I've also made a few other minor updates I've been meaning to get to for a while, such as noting in Mimikatz 2.0 - Brute-Forcing Service Account Passwords that Mimikatz already included the capability to launch OS commands — it just wasn't well-documented when I wrote that article.
|Posted by Ben Lincoln, 2015-08-23 @ 20:00|
|Mimikatz 2.0 Golden/Silver Ticket Walkthroughs|
Back in October I had the opportunity to see Benjamin Delpy (the author of Mimikatz) give a presentation on the new features in the 2.0 alpha release of that tool. I haven't run across any walkthroughs that I really felt conveyed the power of the "Golden Ticket" and "Silver Ticket" functionality, so I made some of my own: Mimikatz 2.0 - Golden Ticket Walkthrough and Mimikatz 2.0 - Silver Ticket Walkthrough. Forge your own Domain Admin tickets! Inject XSS attacks into upstream logging/monitoring systems! Corrupt forensic evidence! Misuse trusted web applications to alter the membership of privileged domain groups!
But some of you already knew about all of those things. What about using the Silver Ticket functionality to launch brute-force or dictionary attacks against the password for trusted service accounts used to run SPN-enabled web applications, even if the target domain locks out accounts after some number of failed login attempts? That's covered in Mimikatz 2.0 - Brute-Forcing Service Account Passwords.
|Posted by Ben Lincoln, 2014-12-18 @ 20:28|
|Yield-Focused Vulnerability Score|
I've been building an experimental vulnerability scoring system designed to give more accurate results (especially for penetration testing) than other existing systems (e.g. CVSS). You can read about it in the Yield-Focused Vulnerability Score (YFVS) article. The live YFVS 0.4 score calculator includes some fancy radial bar graphs that I'm pretty pleased with. You can read more about those in the Nightingale Charts article.
I am definitely looking for feedback on the scoring system — it is most certainly a work in progress.
|Posted by Ben Lincoln, 2014-10-16 @ 04:45|
|Wax seal, etc.|
I went to Metrix on Capitol Hill in Seattle on Thursday, 2014-10-02, and had a wax seal made out of my personal symbol using a computer-controlled laser. You can see some photos and whatnot in the What Does This Symbol Mean? article. Metrix is a great place, and their rates are outstanding. I thought it would cost $50-$100 to have that seal made, but it was actually more like $15-$20.
|Posted by Ben Lincoln, 2014-10-05 @ 14:45|
|Unofficial ShellShock logo/symbol|
Like several other people, I'd read over the last few days a number of comments about how the fantastic ShellShock vulnerability disclosed this past week wasn't quite as cool as Heartbleed because it didn't have a custom logo, and decided to do my part to help remedy the situation. Consider it my tribute to Stephane Chazelas' work.
A few of the other unofficial logos/symbols I've seen:
|Posted by Ben Lincoln, 2014-09-26 @ 18:00|
|A British accent for your Android phone|
A few weeks ago I discovered how to Give Your Android Phone A British Accent — and that it's possible to compel it to speak arbitrary text. I think you'll agree that the results are pretty great.
|Posted by Ben Lincoln, 2014-08-30 @ 11:30|
Another update I've had on my list for a while — I obtained a FLIR E4 thermal imager in early 2014 and used the modification developed by Mike Harrison and company to bump it up to 320x240 resolution. I've added several sets of Thermal Imaging Examples, and the Thermal versus Near Infrared article has been updated.
|Posted by Ben Lincoln, 2014-08-14 @ 18:45|