Monday, January 22, 2024

Learning Binary Ninja For Reverse Engineering and Scripting

 Recently added a new playlist with about 1.5 hours of Binary Ninja Content so far..   

Video 1: I put this out a couple months ago covering use cases and reversing flows as well as some basic scripting.. 


Videos 2+3 in the playlist start getting specifically into scripting for reversing automation.. Enjoy.. 


@Ficti0n on twitter..   


Video 1 UI Workflows and Scripting:



Video 2: Scripting Part1 


Video 3: Scripting Part 2



Wednesday, December 27, 2023

Real World Social Engineering - Turning life into a Penetration Test or one Hell of an Adventure

In this video you will learn all the things they never told you on how to become a badass social engineer..  Instead of wasting time learning sneaky tactics to "Engineer" the outcome.. We focus on the part which is always left out when teaching social engineering..  the "Social" part..  

With the social part working correctly, the engineering part becomes seamless and easy to pull off without feeling forced. 




Monday, March 27, 2023

New Consulting Series Financial Statement Workshop

 I added a new video to the consulting series playlist today... This is for creating and managing your personal financial statements,  your budgeting of income/expenses from various sources and how to allocate those automatically to investments to build and track over time.... 

If you learn something.. Like and leave a comment...   Cheers... 




Tuesday, March 21, 2023

Web3 Smart Contract and Blockchain Hacking with Python Free Course Section 1

 Below is the full playlist and the outline for Section 1 of the Web3 Hacking in Python course.. This is the most in-depth python based web3 material I have seen anywhere online. 

Section 1 is the foundational section of the course using python for web3 that covers the following topics and also assumes that you have already taken my smart contract hacking course from 2020.  


Smart Contract and Blockchain Web3 Hacking in Python: 

Section 1: 

Smart Contract Interactions: 

1.  Simple Smart Contract Interactions

2.  ERC20 Token Interactions

3.  Wallet Interactions

4.  Manual ByteCode Reversing

5.  ByteCode Function BruteForce Automation

6.  Automated Reversing and Disassembly

7.  Transaction Signing

8.  In Depth Manual Smart Contract Interactions

9.  Asynchronous programming to monitor Contract Events


Homework Assignments

1. Uniswap Pair nested Contract Interactions

2. Attacking Smart Contract Pathways Manually with python

3. Analyze Bytecode and Determine what it Interacts with


Network Interactions: 

1. Blocks and transaction Filtering and Monitoring

2. Pending Transaction Subscriptions And Network Monitoring

3. Monitoring Smart Contract Mempool Transactions (Uniswap Routers)


Playlist: 

https://www.youtube.com/watch?v=UBK2BoFv6Lo&list=PLCwnLq3tOElrubfUWHa1qKrJv1apO8Aag&index=1

Thursday, February 23, 2023

Blockchain Decentralized Application Hacking Course Part 2 - A Continuation into Smart Contract Hacking and DApp Penetration Testing (Web 3) With Python

New Course Announcement:  
Python  Based Blockchain Hacking, Smart Contract exploitation and Automation


Twitter: https://twitter.com/ficti0n
Website: http://cclabs.io

This is the course announcement for part 2 of our smart contract hacking journey, this time we are going to pick up where we left off leveraging frameworks, automation, other tools.. Starting out learning all the ways to interact with things programmatically with python... Then automate it, attack it, and get into all kinds of other things you have not seen before...  

Note:  This is NOT a re-hash of old material, NOR is it an update of the previous course.. This is all new material and the old course stands on its own as a Pre-Requisite to this course..  Also requiring knowledge of basic python scripting to follow along... 

This course has 3 sections:

  1. Web3.py in depth, Manual attacks and interactions
  2. Automation, Frameworks, Fun things and Automated Attacks
  3. Forensics and DEFI Attacks, Blockchain IDS and information gathering


Here is the Course intro Overview Outline: 


Here is the Overview of Section 1 which is in depth Web3.py basics: 




Other Videos to follow... 

To keep up to date follow the following playlist and follow on twitter: 

https://www.youtube.com/playlist?list=PLCwnLq3tOElrubfUWHa1qKrJv1apO8Aag

Tuesday, August 23, 2022

Blockchain Forensics R&D with Python - Tracking Attackers, Etherscan API Usage, Python Coding, Signature Lookups and Decompiling bytecode

 Added a new playlist over the last few weeks, it's up to about 8 videos now, which starts out writing code to monitor an attacker's address changes on the blockchain, followed by using Etherscan APIs to track some movements and make sense of things, with a few other learning points along the way...   

There is one pre-requisite video however, which is where this series came from: another video I created where we took apart a smart contract from a YouTube scam to find the attacker's malicious code, so review that first below: 

Twitter: @ficti0n
Web: http://cclabs.io/


If you learn something from this blog/video consider sharing it on your social media or retweeting my posts.


Here is the Pre-Requisite Video to this series, which does a smart contract audit of a malicious front running bot: 



Here is the new playlist series which digs into tracking this attacker: 


Link to full Playlist since blogger is not letting me embed the playlist: 
https://www.youtube.com/playlist?list=PLCwnLq3tOElrUdIg4LgdhPhCKAiy7NZYA




Intro to the playlist: 


 

Wednesday, March 24, 2021

Proxying Newer Versions of Android with Genymotion

 I did a quick video last night for someone on proxying the newer version of Android SDK with Genymotion, as the changes back in version 7 make it a bit more difficult to proxy HTTPS traffic and I get a lot of questions on a regular basis even years later... 

Hopefully this video helps anyone else out that may be running into the same troubles.. This is proxying the latest version of Android as of this writing, which is version 10, but should work just fine on newer versions unless there is a major change in the future again that specifically restricts this method.. 


Mobile Hacking - Proxying Newer Versions of Android with Burp and Genymotion:




You can follow along with the video but additionally for reference below are the commands used: 



Step 1: Create a Burp Cert for Android

  1. Export the certificate from Burp to .DER format via the proxy tab import/export

  2. Change the format from der to pem: 

       openssl x509 -inform DER -in cacert.der -out cacert.pem


  3. Pull the hash of the certificate subject name and rename the cert to the <hash>.0 format: 

       openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1

       mv cacert.pem <hash>.0


Step 2: Create a new Emulator: 

  1. Create a version 10 Galaxy x10 with bridge mode networking (or whatever newest version required)

  2. Click 3 dots under my installed devices in Genymotion --> Edit --> Change to bridged mode


Step 3: Setup certificate on device

  1. Check devices and push the certificate to the SD card: 

     adb devices

     adb push <hash>.0 /sdcard/


  2. Connect to the device and install the cert with proper permissions: 

     adb remount

     adb shell

     mv /sdcard/<hash>.0 /system/etc/security/cacerts/

     chmod 644 /system/etc/security/cacerts/<hash>.0


  3. Reboot the device: 

     reboot


Step 4: Verify and setup the proxy: 

  1. Settings --> search for Trusted --> Scroll down till you see portswigger

  2. Setup your Burp proxy to the correct IP/Port combo of your external interface IP

  3. In Genymotion click Settings --> wifi  --> Gear -> Pencil Icon -> Add in Proxy info under advanced

  4. Go forth and proxy things
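
Steps 1 and 3 above collected into one script, as an added example that is not part of the original post or video. It assumes openssl and adb are on the PATH, a single Genymotion emulator is attached, and cacert.der is the certificate exported from Burp; the script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 1 and 3 as one script.
# Usage: sh install_burp_ca.sh cacert.der   (script name is hypothetical)
set -eu

# Android names system CA files <subject_hash_old>.0. Accept only exactly
# 8 lowercase hex digits before the value is used in a device path.
valid_hash() {
    case "$1" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 8 ]
}

# Step 1: DER -> PEM, then rename the PEM to <hash>.0 inside $2 (default ".").
# Prints the new file name on stdout.
prepare_cert() {
    der=$1
    outdir=${2:-.}
    openssl x509 -inform DER -in "$der" -out "$outdir/cacert.pem"
    subj_hash=$(openssl x509 -inform PEM -subject_hash_old -noout \
        -in "$outdir/cacert.pem")
    valid_hash "$subj_hash" || { echo "unexpected hash: $subj_hash" >&2; return 1; }
    mv "$outdir/cacert.pem" "$outdir/$subj_hash.0"
    printf '%s\n' "$subj_hash.0"
}

# Step 3: push to the SD card, move into the system CA store, set mode 644,
# list the result so a wrong path or mode is visible, then reboot.
install_cert() {
    name=$(basename "$1")
    store=/system/etc/security/cacerts
    adb devices
    adb push "$1" /sdcard/
    adb remount
    adb shell "mv /sdcard/$name $store/ && chmod 644 $store/$name"
    adb shell "ls -l $store/$name"
    adb reboot
}

# Run both steps only when a DER file is given on the command line.
if [ "$#" -gt 0 ]; then
    cert_name=$(prepare_cert "$1")
    install_cert "./$cert_name"
fi
```

After the reboot, continue with Step 4 to confirm the certificate shows up under the trusted credentials.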
