ATTACKING JWT’S WITH A CUSTOM SQLMAP TAMPER SCRIPT Automating the Attack with SQLmap and a Custom Tamper Script Let’s review what I know and where I’m at in capturing the flag: The web server is NodeJS Express The database is SQLite The hole in the wall is the JSON Web Token. The JWT username field is vulnerable…
ATTACKING JWT’S WITH A CUSTOM SQLMAP TAMPER SCRIPT The Path of Attack After reading the documentation on JWT’s, I decided that this will be my next path of attack. There were a few hints to push me down this path. First, I looked up JWT vulnerabilities. Most attack techniques go after the algorithm for signing…
ATTACKING JWT’S WITH A CUSTOM SQLMAP TAMPER SCRIPT Digging Deeper into the Code Lets start to look under the hood of the site some more. Maybe the developers left a comment in the website code pointing to a hole. Maybe some JavaScript gets loaded that holds the vulnerability. Whatever it is, I have to look…
ATTACKING JWT’S WITH A CUSTOM SQLMAP TAMPER SCRIPT First look I know the challenge is a website so open up the IP:Port address in a browser. It forwards to /auth: I’m given a simple login screen (user and password) with two buttons, “Login” and “Register”. First, lets see how it is supposed to work and then…
Attacking JWT’s with a Custom SQLmap Tamper Script Introduction If you’ve ever watched a movie or TV show that involves computer “hacking”, you’ll recognize these scenes. Someone wearing a hoody (of course) hunched over six monitors of scrolling text, frantically typing and instantly programming some complex code to break past a firewall. My favourite (facepalming)…
Intro Key to transporting anything over the internet these days, is encryption. For a tunnel, this involved encrypting the whole packet that would be your payload. We don’t want anyone along the path to be able to intercept packets and see what the unencapsulated traffic would look like. Especially in the case of LAN to…
Intro There are many ways to implement the UDP handling. Since I’m primarily interested in using UDP to tunnel traffic from a client to a server, both of which are known and controlled by me, I’m going to implement a udp_tunnel. This is different to say, how a DNS server would work, listening on a…
Intro A part of the project I’ve been working on requires the use of a virtual network device. Traditionally, this would be a tun/tap device. The user-space program would register a new tunnel device connected to /dev/net/tun, which presents the user with a tun0 device to which you can assign an IP address etc. IP…
Intro In the last post, I mentioned the /proc system but never got much further. We’ll delve a little deeper in this post. So what is /proc anyway? According to wikipedia – “The proc file is a special file system … that acts as an interface to internal data structures in the kernel. It can be used to obtain…
Intro As a packet slinger by trade, a network admin, and also a bit of a programmer, I lately embarked on a quest for better throughput – to find a way to get more packets to pass through a rather small footprint low-cost device running a VPN tunnel. I will review my findings here over the…
The global circumstances around the Covid-19 outbreak, which the World Health Organization is now calling a pandemic, continue to rapidly evolve. It is important that businesses be proactive and vigilant in order to minimize the risks. At Crafty Penguins and Kerkhoff Technologies, we are regularly monitoring the situation and putting structures in place to continue…
I know that, like me, you’re getting inundated with emails from people you don’t normally hear about, as to what they are doing with Covid 19. To actually help you, I just wanted to share these free materials from LinkedIn on how to work remotely, considering culture, communication, tools etc. We’ve got no choice but to…
I came across this recent blog post on OpenSource.com about the Top 10 Grafana Features. We too love Grafana of course (blog post). it’s amazing that for a project that’s under 7 years old already has over a 1/2 million installations! Here are the top features of Grafana that we use ourselves, or help our…
The culture in many companies (not just technology) is to blame an employee for mistakes, not doing a good enough job, being sloppy, being slower than expected, etc. However this is kind of culture is hugely demotivating to anyone to improve, and often comes across as a personal character attack. I’ve created a video on…
So you’ve just hired an A player in a technical role – young, super “green,” and with all the potential in the world. You’ve developed and taken her through a tight onboarding program; a couple weeks of learning, training, and culture-infusion. She’s hooked and ready to start real work. Now what? Here are three things…
Today we received the following impromptu and unsoliciated testimonial from one of our clients. Also, I can’t stress enough how thankful I am that last year went so well. You did such a great job of setting up everything and for the first time since I started with the company the site was not down…
As announced in a previous blog post, Richard and myself presented at the BC Tech Association several months ago. We shared our story on how we repurposed DevOps, software development, and system monitoring tools (like Grafana) to transform our business by visualizing the key drivers to our business model. In this blog post, I’ve shared…
We recently sent out our first newsletter in the mail and have received positive feedback on it. The goal is to share some of the content we’ve written in our blog post, educate our readers, and give a peek into the world of the Crafty Penguins. Kindly share any feedback, ideas, kudos, and rotten tomatoes…
The “Inspired” book – by Marty Cagan This post is based on resources from the excellent and popular book from Marty Cagan on Product Management. Here are some resources for summaries and excerpts from the book, which is a must-read for anyone developing a SaaS software product. https://www.amazon.ca/INSPIRED-Create-Tech-Products-Customers/dp/1119387507/ref=dp_ob_title_bk https://www.mightybytes.com/blog/inspired-marty-cagan/ https://svpg.com/assessing-product-opportunities/ https://svpg.com/ – Marty’s website and blog…
Why do we use Linux? We posed this question to our team during a weekly meeting. We are so embedded in the Linux ecosystem that it actually took most of us a while to think about reasons that would make sense to people unfamiliar with Linux, or really with any operating system (OS) other than…
Here are some of the SaaS resources that have been useful to me and my companies over the years. Let me know (email, contact form, or LinkedIn) if you have suggestions to add to it, or just to let me know if any of these have been useful to you too! -wim Dan Martell Dan…
We have recently launched a new service to help new clients who need some help with a (semi-)urgent server, network, or code issue which might only need a few hours of an expert’s time to resolve. This service, called Get Me Out Of Trouble, is designed to quickly match up your unique need with an…
Recently, at LinuxFest 2019, Rob presented on Node-RED. Here is an interview with Rob about what this is all about, and a link to the Youtube video recording. Here is what he covered: Connecting to a Raspberry Pi’s GPIO for digital I/O. Connecting to Google Home and Google Assistant for voice I/O. Connecting to Slack…
Myself and Richard will be presenting at the BC Tech Association next Thursday. We will be sharing our story on how we repurposed DevOps, software development, and system montioring tools to transform our business by visualizing the key drivers to our model. Learn why this important for any business and team, and what happens if…
In Summer 2018, our Crafty Penguins team visited the Open Source Summit here in Vancouver BC. Here are some gleanings of “what’s cool” from the post-event journal notes from the sessions we attended and found interesting. Lots of buzzwords in here! The following key takeaways were provided by Richard, Rob, and Curtis. Linux Keynote conversation…
Today is World Penguin Day! As our Crafty Penguins company name is obviously derived from Penguins, and particular Tux who is the Linux Mascot, we are giving these lovely birds some homage today. Crafty Penguins is the brand of the Linux professional services division of Kerkhoff Technologies Inc. Riddle provided by my 9-year old son:…
When it comes to a money-producing website, speed and reliability do matter. The era of 33k dialup when visitors would patiently wait a minute for a site to load are LONG gone. As we help clients to improve user experience on their WordPress websites and use WP ourselves, we wanted to share some of our…
For the first half of March 2019, we were in the Spotlight with the BC Tech Association. Click through to read the interview, including a specific interview with yours truly.
This news is almost a year old already, but still worth sharing as not many people have heard about it. There is ginormous amount of tech news out there! Microsoft has always pushed Windows as the O/S for all devices, from super computers down to small devices using their new Windows 10 IoT Core edition.…
Our team is excited to both attend and sponsor the Friday Night Board Games Night event at LinuxFest Northwest, which will be held again at Bellingham Technical College (WA state) on April 26 – 28, 2019. Click through to https://lfnw.org/ for details and to register. It’s actually FREE to attend (tickets are optional) due to donations, event…
The videos from the recent Chilliwack.Tech/Next event have been posted, including Richard’s presentation on ChatOps. It’s very fast paced due to the 30 minute time limit for each technology demo. The Chilliwack.Tech/Next event was held at the Black Box Theatre at the University of the Fraser Valley Chilliwack campus on Saturday November 17, 2018. Attendees experience an action-packed…
For the last couple of years, we’ve been working to implement Kanban philosophies of work for our teams at Kerkhoff Technologies Inc. and Crafty Penguins. One result of that work is the development of a tool we’ve called TopLeft to interface with our CRM, ConnectWise Manage, so we can better visualize the work that we do. We are selling this as a…
In the rush to create web applications and sites that look snazzy and are functional, something that often gets overlooked is basic user experience in regards to performance. Here are some questions to ask: Could my Google organic search ranking be low because my site is so slow? When somebody clicks a search result (either Organic…
Richard will be giving a 30-minute presentation on combining DevOps and ChatOps at Chilliwack.tech‘s /Next event on coming Saturday, November 17th. Other topics include: Building an Internet-Connected Doorbell Applying Machine Learning to Geospatial Applications Building a Predictive Analytics Service with Azure Machine Learning Studio (apparently this is super powerful – I look forward to this…
“After 10 years in our previous office, we moved into our new office this past August. We had the opportunity to make it our own. The actual move wasn’t far – just across the hall! In the old office, we had grown from 3 full-time employees to 12 and it was getting tight. We had…
What should you do when you’ve developed and installed a cron job for your Kubernetes application, and you need to test it? When writing classic cron jobs in Unix, it’s obvious how to test the job- just manually run the command specified in the cron file. However, it’s not as obvious how to do this…
So you know all about Kubernetes and how it manages your containers, hosts your ingresses, mounts your volumes, schedules your jobs, feeds your dog and makes your coffee. You know that Kubernetes is for devops folks who don’t want to be woken up at 4 AM on Sunday to rebuild a failed server or to spend three…
Grafana has a lot of cool built-in drivers for connecting and running SQL against databases. You can see at a glance literally anything you can think of. Do you want a dashboard showing users who are active in a table? Do you want to see how often they’ve logged in? Or how many tickets you…
This is the last post in the 6-post series on the Crafty Penguins DevOps Journey we take our clients on. Lastly, we’ll look at the service of Monitoring / Metrics / Alerting (MMA). Sometimes, in the production environment, no one knows the health status of all the pieces and what can be seen in production.…
We have talked about specific types of pain: things breaking in the production environment that didn’t in the development environment, which we called “Works for me;” taking too long to get features out the door, which we solve with continuous improvement / continuous development; and the pain of not having a staging environment in which…
We’ve talked about why stuff breaks in the production environment when it didn’t in development (see “Works for me”), how Continuous Improvement / Continuous Deployment helps in failure detection, and how we can set up a “like-production” staging environment in which to test your features. At this point in the journey, we act as consultants…
We’ve talked already about two parts of the journey: “Works for me” and Continuous Improvement / Continuous Development (CI/CD). This time, we’ll talk about the importance of an effective staging environment in which to test a bunch of stuff before going into production. The main things we do in our staging environments are testing QA…
In our client’s DevOps journey, we are shooting for an efficient, stable, and reactive development-to-production workflow in your infrastructure. Let’s talk about the Continuous Improvement/Continuous Development (CI/CD) phase along the journey! Failure IS an option! It’s in your best interest to fail and FAIL FAST. What? No, that’s not a confused marketing strategy to simply get…
At Crafty Penguins, we work with software development teams to automate their processes and infrastructure, so that they can deploy software updates at least daily instead of monthly or yearly, all the while maintaining a high level of up-time and security. The journey we take our clients on has six phases or markers along the…
Trickster is a reverse proxy cache for the Prometheus HTTP APIv1 that dramatically accelerates dashboard rendering times for any series queried from Prometheus. See our previous post about Why we Love Grafana and Prometheus. We are always super impatient so love cool things like Trickster. Dashboards that automatically refresh should now load on average 90% faster. Oh yeah!…
Continuous Integration and Delivery (CI/CD for short) has tons of potential! Watch Kelsey Hightower deliver an awesome presentation on Kubernetes via several demos during his keynote talk on the KubeCon 2017:
Continuous improvement and continuous development (CI/CD) is a landmark of solid Linux and DevOps work, specifically in Kubernetes and Jenkins. The key here is to create automated tools around the process of failure detection (at Crafty Penguins, we refer to this as “failing fast!”) Too often, we see that it takes too long to get…
Kubernetes is all the rage right now for several reasons: It’s the industry standard for deploying containers in production, it’s the new go-to in managing virtualized infrastructure, developers seem to love it, and it can run any containerized application (thanks to Cynthia Harvey for organizing these thoughts). The basic architecture of Kubernetes is very cool and defines…
Richard has created a page explaining how we solve the “It Works For Me!” problem for developers, using the illustration of ships and barnacles. Read more….
Happy October! We have added some new testimonials from clients around the world, take a look. Photo by rawpixel on Unsplash
We’ve collected a bunch of videos which explain all the new major features in one of our long-time favorite SQL databases – PostgreSQL. Version 10 was released in the fall of 2017. I’ve been using PostgreSQL since my first IT job doing Perl CGI development, right out of 12th Grade, so it is near and…
Back in April, Richard presented at LinuxFest NorthWest in Bellingham (Washington state) on using the Proxmox Hypervisor as a rich, easy to use, open source management platform for both LXC containers and KVM virtual machines. We love and support the LinuxFest conference for a wide variety of the reasons. It’s close to Chilliwack. Accommodations are…
Recently we worked with an amazing biotech client on an initiative to shutdown internal self-hosted systems and move all services to “the cloud”. The client requested that we convert a virtual appliance (basically a regular Linux install) to a standard Docker image. The docker images would then be run on Kubernetes on either Google Kubernetes…
Want to know the CPU use of a container in a Kubernetes node three months from now? Want custom alerts based on thresholds or failures? Prometheus has you covered, with its powerful time series database. Here are some of the top reasons we love it: Works on everything. Different exporters allow you to gather CPU, Memory,…
Knowing what went wrong in the event of a failure is incredibly important. Elasticsearch provides storage for log level events across systems, creating a reliable and redundant way to store, search, and query critical system events. Here are the top reasons we use it: Open source and well documented. Elasticsearch has a great community of…
With many diverse server systems to deploy, configure, and maintain for our clients, it is important to have a Managed Configuration and Orchestration platform. There are many different systems in this space like Chef, Puppet, Ansible, Terraform, and Salt Stack. We use and have used many of them, but the preferred system that we love…
Container based micro-service deployment has been a logical evolution of better managing large software systems and getting the most out of your server resources. The platform we recommend for managing our clients container/microservice infrastructure is Kubernetes (K8S). The top 3 reasons we love Kubernetes: It is Open Source, and vendor neutral. Kubernetes (K8S) can manage…
Jenkins is a core part of our Continuous Integration and Continuous Deployment (CI/CD) pipeline for our clients. Here are the top 3 reasons we love Jenkins: It is an open system that is platform, language, and methodology agnostic allowing us to support our diverse client base with one non-proprietary CI/CD platform. It is the industry…
If it’s been awhile since you’ve checked in with us, we’ve recently welcomed three new people to the team. Joining Wim, Richard, Rob and Matt are Nicole, Curtis and Sam. Check out their bios here to get to know them a little.
As a team we have many years of experience using a plethora of different solutions for storing code. Everything from paid solutions like Jira and Bitbucket, all the way to hand-written custom solutions to store assembler code. In the end, we’ve settled on Gitlab as a great industry standard solution for all our clients. Among the many reasons,…
If you are just getting into DevOps, here is some reading and light homework to get you started: Read the Phoenix Project book by Gene Kim etc. Kubenetes tutorials Jenkins introduction Salt in 10 Minutes tutorial
Here is the training that we like our fledgling baby Crafty Penguins go through. This gives solid exposure to Linux, Networking, and Development concepts required to fill a DevOps or SRE (Site Reliability Engineering) role. Run through http://www.linuxfromscratch.org/lfs/ book to build a Linux system from scratch. Setup GNS3 simulator with: Cisco IOS switch VLANs. One VLAN for…
Wim had the pleasure of moderating the “Props to DevOps!” panel meetup on March 21st, 2017, presented by BC Tech Jobs in partnership with the BC Tech Association. Two of the main goals of the meetup were to provide education on what DevOps is and how people can get started at learning and implementing it. Richard…
Here is an example of a High Level Help Desk interaction with a client. This client is US based company with internal software development and operations team. It’s a good example of what we can bring to the table for ongoing support and escalations as a valuable resource to them. Sometimes we answer random ‘What do you…
