I read this last week: WC 01 October 2018

By | October 8, 2018

Here’s a few of the interesting and useful articles and tools that I’ve come across last week.

Articles and news:

Dark Web Report + TorGhost + EyeWitness == Goodness

Outlining the automated tools and process used to grab screenshots of Dark Web sites.

Caveat Emptor: Be very aware that blindly collecting screen grabs from Dark Web sites can expose you to content you would rather didn’t appear on your system, and be associated with you!

California is making it illegal for devices to have lousy passwords

The law only applies to passwords that come pre-programmed into devices, but it’s still a step in the right direction.

Bug Bounty scheme uncovers 150 vulnerabilities in US Marine Corp websites

Bug bounty is a great thing: Nearly 150 security vulnerabilities have been discovered in US Marine Corps websites and related services during a bug bounty challenge that saw ethical hackers awarded over $150,000.

The UK blames Russia for 4 major cyber attacks

The attacks aren’t new and Russia has long been suspected of launching them, but attribution by the UK government is a significant moment

Cisco update addresses 36 vulnerabilities, 3 of them critical

Cisco released several security patches addressing 36 vulnerabilities on 3-4 October, three of which were rated “critical” and eight of which were rated “high” with some of the exploits allowing an attacker to take control of an affected system

Tools and tech:


EyeWitness is designed to take screenshots of websites, RDP services, and open VNC servers, provide some server header info, and identify default credentials if possible.

NMAP cheatsheet

Hacker Andrea Fortuna’s list of essential NMAP commands

Huge Googe Dork resource

over 4500 Google dorks to improve your OSINT and vulnerability searching

Link Finder

LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing.


NSE script using some well-known service to provide info on vulnerabilities