Recent Writing

This is a collection of ideas, writing, and thoughts considered worth sharing. Generally infosec focused, and generally longer form than thoughts shared on Twitter.

  • merged
    Just a note that the older / dead blog at has been merged into this stream.More
  • Using ‘jq’ to query JSON
    jq is great for CLI manipulation of JSON data!  Handy little bit of knowledge here, stashing so i can remember. You’re probably familiar with the fact that you…More
  • Spectre & Meltdown: Mitigation Status
    UPDATE 20170104: US-CERT has published an alert with aggregated links to vendor guidance and updates. Rather than requiring you to chase info all over the Internet (or on…More
  • Visualizing Pentest Findings
    Quick blurb so I can remember this. A bubble chart can make a handy display for pentest findings – and prioritize them. It’s a simple way to identify…More
  • You and Your Research
    I was recently pointed to a great speech entitled “You and Your Research” given by Richard Hamming of Bell Labs (and Hamming codes!) fame. It’s essentially Hamming giving…More
  • Getting started in Information Security
    I recently had a college student ask about getting into Information Security. Here’s his question: My biggest issue with my current education is the broad scale and lack…More
  • Regional Internet Registries
    Handy reference list of links, storing in a single place for future use. A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of…More
  • Cybersecurity tips for traveling abroad
    This was originally written in early 2017 for a friend of mine that asked for advice about how to avoid being hacked when traveling abroad.  It mirrors much…More
  • Pentestify.
    i’m over here now.More
  • password hangover
    Just saw the Hangover 2. – funny (and true) bit on passwords… as an international drug dealer tranfers money between accounts: “your password is bologna1?” “it used to…More
  • throwaway osx post (until i need it again)
    use homebrew (instead of ports) for installing software. grab the rdio and soundcloud apps. trying bind an applescript to a key? use fastscripts (for open-terminal-here functionality). pay for…More
  • System Event Monitoring with Prosody and jablog.rb
    The tl;dr version of this post is: – apt-get install prosody (Tested on ubuntu 10.04.2 LTS) – configure a VirtualHost for your domain in the config file /etc/prosody/ (see: – set up srv records, (use this generator: – create 2 accounts – prosodyctl adduser gawd@domain && prosodyctl addusser minion@domain (one for you, one for your bot/minion) – gem install xmpp4r, add a sigs.txt and run the scriptMore
  • pianobar is epic!
    @mrbarrett just pointed me at pianobar, a command-line client for pandora. It gets rid of the need for flash player, and allows you to bypass some of the…More
  • Loading only the Metasploit modules you use
    The framework is taking quite a while to load on my machine these days, so i decided to stop loading all modules by default, and load only those…More
  • IP List to KML generator (Create a google map from a list of IPs)
    Pretty simple, it takes a file with a list of ips, one/line and generates a kml file. Very handy if you’re working on a large pentest and want…More
  • Metasploit HowTo: Standalone Java Meterpreter Connect-Back
    Here are some quick notes on how to create a connect-back Java Meterpreter .jar file. The process is very straightforward, simply generate the .jar, setup a handler. Then…More
  • searching ruby source code
    contributing to open source? need to search & understand ruby code faster? This bash function should save you some time. I use it atleast 50-60 times a day.…More
  • ruby hash per-value defaults
    Here’s a quick tip for assigning default values with a ruby hash. It’s well publicized that you can set an overall default (i think this is called “default…More
  • 10 min project hosting & sharing
    Need a simple way to backup (and share) local files & scripts? Yeah yeah, another svn/websvn howto – but my brain sucks, and i forget this stuff if…More
  • scrape scrape scrape
    totally half-finished thought. maybe it’ll spawn an idea for you… there’s a zillion+1 ways to scrape information from the web these days. here’s the easiest i’ve found:More
  • Apt-proxy installation notes
    No big secret that i’m a huge fan of ubuntu as a pentesting platform, and run it as my main OS. Recently I’ve had enough systems to justify…More
  • Scripting Post-Exploitation
    A common question that comes up with post-exploitation is the need to run multiple things when a meterpreter session is initiated. You can easily run a single command…More
  • Thoughts on Recommendations (Prevention vs Detection & Reaction)
    I started thinking about some of the findings we make and the recommendations around them – and how unrealistic we’re being as penetration testers. Take ‘Information Leakage’ for…More
  • Phishing Attacks – Are your technical controls helping?
    Phishing is one of those things people either love or hate (A lot of it depends on which side of the fence you’re on). That said, the subject…More
  • what should be considered a vulnerability?
    …And now, a rant. What should be considered (and reported) as a vulnerability when auditing a network? Is weak network architecture? What if i can hit a critical…More
  • pentesting with an ubuntu box
    here’s  a recent drop of a script i use to configure my ubuntu box for pentesting. yes, i could use backtrack (and i do — especially if i’m…More
  • WiFiFoFum for locating rogue access points!
    what’s that you say? The PCI DSS (wireless supplement) now requires that you have to do quarterly wireless scanning at your facility? oh? you have no budget? no…More
  • local network enumeration
    UPDATED: 11/19/2009 little script i threw together for local network enumeration – uses arp-scan, propecia, and nmap. was going to use it to dynamically generate my subnet (hence…More
  • owning a windows network
    so… you say you were able to grab LM / NTLM hashes from a windows box??? cool. now use them in the scanner/smb/login to check & see which…More
  • checking valid windows logins with metasploit
    so you have some windows creds, and you want to check if they’re valid or not. turns out there’s a bunch of ways to do this: 1) auxiliary/scanner/smb/login2)…More
  • exploiting suid binaries
    just had a quick refresher on exploiting suid bits (and why they’re so darn evil): jcran@aldatmak:/usr/bin$ ls -la id-rwxr-xr-x 1 root root 35232 2008-06-26 20:31 id jcran@aldatmak:/usr/bin$ iduid=1000(jcran)…More
  • exception has been thrown by the target of an invocation (bing + mono = fail)
  • security product recommendations in a pentest?
    is there room for it? after reading this post on the metasploit blog, i started thinking about how well I currently evaluate product implementations within a typical penetration…More
  • security tools with personality
    i love tools with personality: Caught exit of DirBuster Writing report Report saved to Enjoy the rest of your day The compilation process of nmap comes to…More
  • Automate basic web server checks
    #!/bin/bash#webservercheck.shfor i in `cat $1`  ## for all lines in the file provided to the scriptdo    echo “Nikto’ing $i”    ##NOTE: Nikto needs to have been untarred here.    /home/jcran/toolkit/nix/attack-net-webserver/nikto/…More
  • Google is the new AV.
    Doing a little research on an exploit, i came across SecurityDot.Net. Google provided the link. However, when i clicked on it, i got this: Of the 174 pages…More
  • Call an arbitrary library with JavaScript? I think i will.
    This is a handy way to execute code within the browser. Kudos to Jesse Ruderman and Dan Kaminsky for the bug discovery and POC. Essentially, in Firefox up…More
  • Scott Hanselman’s 2009 Utils List
    I followed Scott Hanselman around for a year when I was touring with the Dead^W^W^W^W a build / team system admin. He always puts out a good utils…More
  • this is the only reason why facebook is so valuable…
  • (Error code: sec_error_untrusted_issuer )
    ever get this error in firefox? if i accept a ssl certificate with an attack proxy (such as burp suite) in the middle, then later go back to…More
  • Security Reputation Monitoring
    Recently I had a financial-sector client contact me regarding tools and techniques for security and reputation monitoring. The client had recently had their web site scraped and placed…More
  • SCHED: Black Hat USA 2009 Briefings & Training: jcran’s schedule
    SCHED: Black Hat USA 2009 Briefings & Training: jcran’s scheduleMore
  • gift cards
    IMG_0231, originally uploaded by jonathancran. notice anything conspicuous about those serial #’s?More
  • didn’t get your facebook vanity url?
    that’s okay, a vanity phone number will do. google voice now allows you to search for numbers when you sign up. it’s the little things. and you can…More
  • simply awful
    i currently have the worst bio i’ve ever seen. must fix that. fyi, wordpress has issues: (thank you, core) A vulnerability was found in the way that…More
  • custom.dic could really end up being one.
    Typing up a report tonight and i realized I had been adding a number of exceptions to my custom Microsoft Word dictionary (‘Add to Dictionary’) . Thinking about this as…More
  • Google Voice (was Grand Central) is a pentester’s best friend
    Google Voice turns out to be really handy for phishing attacks. When you send out a phishing email, it’s useful to include a phone number, in case of…More
  • Scoping a Penetration Test
    Scoping a penetration test is difficult. This is why Statements of Work and Requests for Proposals are necessary evils. It’s not an exact science. There’s a lot of…More
  • Raising the Bar
    I often hear technologies or controls disregarded on the basis of  “It can’t protect against X scenario.” or “It doesn’t completely protect me.” For example, take a web…More
  • Back|Track 4 First Impressions
    It’s damned liberating to take this distro and be able to update it. This, along with specialized security-tool repositories, is the killer feature of the new Back|Track 4…More
  • Just about right…
  • ShmooCon 2009 Wordle Visualization
    Visualization of the 2009 Shmoocon talks created
  • ShmooCon 2009 picks
    Just arrived in DC for ShmooCon 2009. Here’s the move: Day 1: Automated Mapping of Large Binary Objects Watching the Watcher: The Prevalence of Third-party Web Tracking Day…More
  • john, meet amazon. amazon, john.
    These are a rough set of notes I put together when figuring out Amazon’s EC2. I’ve been using the boxes quite extensively to crack passwords. This has turned…More
  • Top Web Hacking Techniques of 2008
    Jeremiah Grossman & co’s “Top Web Hacking Techniques of 2008” have been released. Go check’m out, update your own techniques, and add anything they might have missed (I…More
  • OWASP v3.0
    Just in case you missed this one, the OWASP v3.0 Testing Guide has been released. If you are involved in application security at all, building or breaking, you…More
  • How to suck at infosec
    passed along by jabra:
  • HP Mini 1000 Series – HP 1030nr
    just picked up a HP 1030NR on a lark at best buy. super tiny, but powerful enough to run most of what i need. the thing makes my…More
  • New DOS attack technique: sockstress
    The guys from outpost24 are releasing a new tool (sockstress) that exploits problems with TCP state tables. Apparently, you can disable most any windows/linux/firewall box with minimal attack…More
  • Framing via Facebook ==> FaceFraming?
    So, i was posting on the wall of a friend in facebook today, alluding to how we should steal my car back from the fascist towing company who…More
  • The future will be 0day.
    Browsing through my collection of papers & presentations and ran across these: The IPO of 0day by Justine Aitel and 0day – How hacking really works by Dave…More
  • McCain vs Obama on the Internet
    Interesting & enlightening article on Slate. Details the difference between the Obama & McCain camp on Internet policy. Essentially, boils down to: McCain: Internet is a Product, and…More
  • Firefox Extensions Dump
    This is a dump of my current set of Firefox extensions. Some of these are absolutely critical for pentesting: HackBar, TamperData, FireBug and ModifyHeaders. Some are not so…More
  • The One
    If you want a glimpse into the future of the web, you NEED to watch this video. Kevin Kelly of WIRED raps on on the semantic web, the…More
  • Google Calendar Search for Fun & Profit
    In the same vein as the earlier post on searching for vulnerabilities with Google Code Search, I realized tonight that you can search for private calendars on Google…More
  • – simple file & directory brute-force utility
    Here’s a simple utility i coded up using perl + lwp to blindly request files from a webserver + print the status code that’s returned. Functionally, it’s similar…More
  • HTTP Response Splitting Explained
    j0e of recently mentioned that he was actively looking for examples of ‘HTTP Response Splitting.’ I was aware of the vulnerability, but always considered it somewhat theoretical,…More
  • Google Code Search for Fun & Profit
    While toying around with Google code search to look for HTTP Response Splitting vulnerabilities, i discovered that code search is a treasure trove of vulnerabilities. For instance, simply…More
  • Mager Twitter Tour
    A friend of mine, Andrew Mager, recently got the chance to go through the new Twitter offices in San Francisco. He took the opportunity to snag a few…More
  • Defcon MBTA Madness!
    Wow, the MBTA is in deep shit. If you haven’t heard about this, 3 kids from MIT did some analysis on the MBTA fare system and found out…More
  • Pentesting Timelines
    I’ve often run into the case of the network that simply can’t be satisfactorily tested in the time allotted to it. There are a couple reasons for this:…More
  • Pentesting Skillset
    I’ve been fumbling together a list of skills necessary to succeed as a pentester. This was prompted by mapping out my own short-term education and by gathering a…More
  • Sublime says…
    what happened? You may notice the new blog (or not). I’ve recently switched everything over to hosted wordpress. Why? because i’m lazy. Looks like this will make it…More
  • Disclosure
    About Me: A pentester for a growing vulnerability assessment (product) firm.  My background is in computer science and i have no strict formal education in security. I’ve only…More
  • Hello world!
    Welcome to This is your first post. Edit or delete it and start blogging!More