vulnreport: Open-source pentesting management and automation platform – Penetration Testing


Pentesting management and automation platform

Vulnreport is a platform for managing penetration tests and generating well-formatted, actionable findings reports without the usual overhead that eats into security engineers' time. The platform is built to support automation at every stage of the process and to allow customization for whatever other systems you use as part of your pentesting process.

Vulnreport was built by the Salesforce Product Security team as a way to get rid of the time we spent writing, formatting, and proofing reports for penetration tests. Our goal was and continues to be to build great security tools that let pentesters and security engineers focus on finding and fixing vulns.

For full documentation, see


Vulnreport is a Ruby web application (Sinatra/Rack stack) backed by a PostgreSQL database with a Redis cache layer.

Vulnreport can be installed on a local VM or server behind something like nginx, or can be deployed to Heroku.

Local Deploy / Your own server

To deploy locally, you’ll need to make sure you have installed the dependencies:

Ruby >= 2.1

Clone the repo and open up the .env file, updating it as necessary. Then run bundle install. You'll probably want to modify to make it work for your environment – the one included in the repo is intended for local use during debugging/development.

You should also create a .env file based on .env.example, or set the same ENV variables defined in .env in your environment.


To handle the initial configuration for Vulnreport, run the SEED.rb script. If you are deploying on Heroku, run this via heroku run ./SEED.rb.

If you used the automated ‘Deploy to Heroku’ feature, this step should have been handled for you automatically.

Running ./SEED.rb on ⬢ vulnreport-test... up, run.8035

Vulnreport 3.0.0.alpha seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED

Setting up Vulnreport now...

Setting up the PostgreSQL database...

Seeding the database...

User ID 1 created for you

Login to Vulnreport now and go through the rest of the settings!

Download & Tutorial

The post vulnreport: Open-source pentesting management and automation platform appeared first on Penetration Testing.


Ok Google. Navigate to the International Space Station

If you’d have asked most people a few decades ago if they wanted a picture of every street address in the world, they would have probably looked at you like you were crazy. But turns out that Google Street View is handy for several reasons. Sure, it is easy to check out the neighborhood around that cheap hotel before you book. But it is also a great way to visit places virtually. Now one of those places is the International Space Station (ISS).

[Thomas Pesquet] in a true hack used bungee cords and existing cameras to take panoramas of all 15 ISS modules. Google did their magic, and you can enjoy the results. You can also see a video on how it was all done, below.

One interesting feature is the addition of pop-up annotations. This is a new feature for Google, but likely to appear in other street view venues, as well.

If space isn’t your thing, there are other interesting tours like locations for Game of Thrones, the oceans, Machu Picchu, the Taj Mahal, and more. Perhaps you’d like to jog through the ISS, assuming you don’t mind pretending there is artificial gravity. Or you can take a break from the large ISS and try something a bit smaller.

Filed under: news

JKS-private-key-cracker-hashcat: Cracking passwords of private key entries in a JKS file – Penetration Testing

JKS private key cracker – Nail in the JKS coffin

The Java Key Store (JKS) is the Java way of storing one or several cryptographic private and public keys for asymmetric cryptography in a file. While there are various key store formats, Java and Android still default to the JKS file format. JKS is one of the file formats for Java key stores, but JKS is confusingly used as the acronym for the general Java key store API as well. This project includes information regarding the security mechanisms of the JKS file format and how the password protection of the private key can be cracked. Due to the unusual design of JKS, the developed implementation can ignore the key store password and crack the private key password directly. Because it ignores the key store password, this implementation can attack every JKS configuration, which is not the case with most other tools. By exploiting a weakness of the Password Based Encryption scheme for the private key in JKS, passwords can be cracked very efficiently. Until now, no public tool was available that exploited this weakness. The technique was implemented in hashcat to amplify the efficiency of the algorithm with higher cracking speeds on GPUs.

To get the theory part, please refer to the POC||GTFO article "15:12 Nail in the Java Key Store Coffin" in issue 0x15, included in this repository (pocorgtfo15.pdf) or available on various mirrors like this beautiful one:

Before you ask: JCEKS or BKS or any other Key Store format is not supported (yet).


git clone

How you should crack JKS files

The answer is to build your own cracking hardware for it. But let's be a little more practical, so the answer is: use your GPU.

(hashcat v3.6.0 ASCII-art banner)


All you need to do is run the following command:

java -jar JksPrivkPrepare.jar your_JKS_file.jks > hash.txt

If your hash.txt ends up being empty, there is either no private key in the JKS file or you specified a non-JKS file.

Then feed the hash.txt file to hashcat (version 3.6.0 and above), for example like this:

$ ./hashcat -m 15500 -a 3 -1 '?u|' -w 3 hash.txt ?1?1?1?1?1?1?1?1?1
hashcat (v3.6.0) starting...

OpenCL Platform #1: NVIDIA Corporation
* Device #1: GeForce GTX 1080, 2026/8107 MB allocatable, 20MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Appended-Salt
* Single-Hash
* Single-Salt
* Brute-Force

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c


Session..........: hashcat
Status...........: Cracked
Hash.Type........: JKS Java Key Store Private Keys (SHA1)
Hash.Target......: $jksprivk$*D1BC102EF5FE5F1A7ED6A63431767DD4E1569670...8*test
Time.Started.....: Tue May 30 17:41:58 2017 (8 mins, 25 secs)
Time.Estimated...: Tue May 30 17:50:23 2017 (0 secs)
Guess.Mask.......: ?1?1?1?1?1?1?1?1?1 [9]
Guess.Charset....: -1 ?u|, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 7946.6 MH/s (39.48ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4014116700160/7625597484987 (52.64%)
Rejected.........: 0/4014116700160 (0.00%)
Restore.Point....: 5505024000/10460353203 (52.63%)
Candidates.#1....: NNVGFSRFO -> Z|ZFVDUFO
HWMon.Dev.#1.....: Temp: 75c Fan: 89% Util:100% Core:1936MHz Mem:4513MHz Bus:1

Started: Tue May 30 17:41:56 2017
Stopped: Tue May 30 17:50:24 2017

So from this repository you basically only need the JksPrivkPrepare.jar to run a cracking session.
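Two properties the article relies on can be seen by walking the file format directly: the entry list and the PBE-protected private-key blob are readable without the store password, and the store password only keys a trailing SHA-1 integrity digest (SHA-1 over the UTF-16BE password, the constant "Mighty Aphrodite", and the file body). The following is an added example, not code from this repository: a small Python reader for the public JKS structure, a checker for the store-password digest, and a builder that produces a constructed sample store (placeholder key and certificate bytes, assumed store password "changeit"). It answers the question raised above, whether a file actually contains private key entries, without keytool or any password, and it handles both JKS format versions 1 and 2.

```python
import hashlib
import hmac
import io
import struct
from datetime import datetime, timezone

# JKS on-disk constants as used by the JDK's JavaKeyStore implementation.
JKS_MAGIC = 0xFEEDFEED
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2
INTEGRITY_SUFFIX = b"Mighty Aphrodite"  # mixed into the store integrity digest


def _read_utf(f):
    (n,) = struct.unpack(">H", f.read(2))
    return f.read(n).decode("utf-8")


def _read_blob(f):
    (n,) = struct.unpack(">i", f.read(4))
    return f.read(n)


def _write_utf(out, s):
    b = s.encode("utf-8")
    out.write(struct.pack(">H", len(b)) + b)


def _write_blob(out, b):
    out.write(struct.pack(">i", len(b)) + b)


def parse_jks(data):
    """Describe every entry in a JKS file. No password is needed: only the
    private-key bytes themselves are encrypted, everything else is plaintext."""
    f = io.BytesIO(data)
    magic, version, count = struct.unpack(">Iii", f.read(12))
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS file (magic 0x%08X)" % magic)
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    entries = []
    for _ in range(count):
        (tag,) = struct.unpack(">i", f.read(4))
        alias = _read_utf(f)
        (millis,) = struct.unpack(">q", f.read(8))
        entry = {"alias": alias,
                 "created": datetime.fromtimestamp(millis / 1000, tz=timezone.utc)}
        if tag == TAG_PRIVATE_KEY:
            enc_key = _read_blob(f)  # PBE-protected PKCS#8 blob (the cracking target)
            (chain_len,) = struct.unpack(">i", f.read(4))
            for _ in range(chain_len):
                if version == 2:     # version 2 stores a certificate type per cert
                    _read_utf(f)
                _read_blob(f)
            entry.update(type="PrivateKeyEntry", encrypted_key_len=len(enc_key),
                         chain_len=chain_len)
        elif tag == TAG_TRUSTED_CERT:
            if version == 2:
                _read_utf(f)
            entry.update(type="TrustedCertEntry", cert_len=len(_read_blob(f)))
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append(entry)
    return entries


def private_key_aliases(data):
    """Aliases of entries that carry an encrypted private key."""
    return [e["alias"] for e in parse_jks(data) if e["type"] == "PrivateKeyEntry"]


def check_store_password(data, password):
    """Recompute the trailing 20-byte digest that the store password protects."""
    body, digest = data[:-20], data[-20:]
    expected = hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SUFFIX + body).digest()
    return hmac.compare_digest(expected, digest)


def build_jks(entries, store_password, version=2):
    """Serialise entries in the layout parse_jks reads; used here only to make a
    constructed sample, so key/cert bytes are placeholders rather than real DER."""
    out = io.BytesIO()
    out.write(struct.pack(">Iii", JKS_MAGIC, version, len(entries)))
    for e in entries:
        tag = TAG_PRIVATE_KEY if "encrypted_key" in e else TAG_TRUSTED_CERT
        out.write(struct.pack(">i", tag))
        _write_utf(out, e["alias"])
        out.write(struct.pack(">q", int(e["created"].timestamp() * 1000)))
        if tag == TAG_PRIVATE_KEY:
            _write_blob(out, e["encrypted_key"])
            out.write(struct.pack(">i", len(e["chain"])))
            for cert in e["chain"]:
                if version == 2:
                    _write_utf(out, "X.509")
                _write_blob(out, cert)
        else:
            if version == 2:
                _write_utf(out, "X.509")
            _write_blob(out, e["cert"])
    body = out.getvalue()
    return body + hashlib.sha1(store_password.encode("utf-16-be") + INTEGRITY_SUFFIX + body).digest()


def sample_store():
    """Constructed two-entry store; password 'changeit' is an assumption for the sample."""
    when = datetime(2017, 5, 30, 17, 41, 0, tzinfo=timezone.utc)
    return build_jks([
        {"alias": "server", "created": when, "encrypted_key": b"\x30" * 64, "chain": [b"\x30" * 32]},
        {"alias": "rootca", "created": when, "cert": b"\x30" * 48},
    ], "changeit")


if __name__ == "__main__":
    store = sample_store()
    for entry in parse_jks(store):       # readable regardless of the store password
        print(entry)
    print("private key entries:", private_key_aliases(store))
    print("store password valid:", check_store_password(store, "changeit"))
```

Run it against a real keystore by replacing sample_store() with the file's bytes: an empty private_key_aliases() result is the same condition that leaves hash.txt empty, and a failed check_store_password() only means the integrity digest does not match, not that the entries are unreadable.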

Other things in this repository

A little test script that you should be able to run after a couple of minutes to see this project in action. It includes comments on how to set up the dependencies for this project.

benchmarking: tests that show why you should use this technique and not others. Please read the “Nail in the JKS coffin” article.

example_jks: generate example JKS files

fingerprint_creation: Every plaintext private key in PKCS#8 has its own "fingerprint" that we expect when we guess the correct password. These fingerprints are necessary to make sure we are able to detect when we guessed the correct password. Please read the "Nail in the JKS coffin" article. This folder has the code to generate these fingerprints; it's a little bit hacky, but I don't expect that it will ever be necessary to add any other fingerprints.

JksPrivkPrepare: The source code showing how the JKS files are read and how the hash we need to give to hashcat is calculated.

A proof of concept implementation that can be used instead of hashcat. Obviously this is much slower than hashcat, but it can outperform John the Ripper (JtR) in certain cases. Please read the "Nail in the JKS coffin" article.

A little helper script that can be used to extract a private key once the password was correctly guessed.

A script that runs JksPrivkPrepare.jar and on all example JKS files in the example_jks folder. Make sure you run the in example_jks script before.

Source: Github

The post JKS-private-key-cracker-hashcat: Cracking passwords of private key entries in a JKS file appeared first on Penetration Testing.

Hackaday Links: July 23, 2017

Hey, you know what’s happening right now? We’re wrapping up the third round of The Hackaday Prize. This challenge, Wheels, Wings, and Walkers, is dedicated to things that move. If it’s a robot, it qualifies, if it’s a plane, it qualifies, if it passes butter, it qualifies. There’s only a short time for you to get your entry in. Do it now. Superliminal advertising.

Speaking of the Hackaday Prize, this project would be a front-runner if only [Peter] would enter it in the competition. It’s one thing to have a cult; I have a cult and a petition to ‘stop’ me.

We were completely unaware of this project, but a few weeks ago, a cubesat was launched from Baikonur. This cubesat contains a gigantic mylar reflector, and once it’s deployed it will be the second brightest object in the night sky after the moon. I don’t know why we haven’t seen this in the press, but if you have any pictures of sightings, drop those in the comments.

In a mere two years, we’ll be looking at the 50th anniversary of the Apollo 11 landing. The mission control center at Johnson Space Center — where these landings were commanded and controlled — is still around, and it’s not in the best shape. There’s a Kickstarter to restore the Apollo Mission Control Center to its former glory. For the consoles, this means restoring them to Apollo 15 operational configuration.

We've seen 3D printed remote control airplanes, and at this point, there's nothing really exceptional about printing a wing. This user on imgur is going a different direction with 3D printed fiberglass molds. Basically, it's a fuselage for a Mustang that is printed, glued together, with the inside sanded and coated in wax. Two layers (3 oz and 6 oz) of fiberglass are laid down with West Systems epoxy. After a few days, the mold is cracked open and a fuselage appears. This looks great, and further refinements of the process can include vapor smoothing of the inside of the mold, a few tabs to make sure the mold halves don't break when the part is released, and larger parts in general.

The Darknet’s Casefile will take you to the limit of your existing knowledge. Join them, to go on a quest to improve your technical abilities.

This week is Def Con. That means two things. First, we’re on a hardware hunt. If you’ve been dedicating the last few months to #badgelife or other artisanal electronics, we want to hear about it. Second, [Joe Kim] made a graphic of the Tindie dog wearing a Hackaday hoodie and it’s adorable. There are a limited number of stickers of our hacker dog.

Gigabyte launched a single board computer with an Intel Apollo Lake CPU, discrete memory and storage, and a mini PCIe slot. Of course, this is being incorrectly marketed as a ‘Raspberry Pi competitor’, but whatever.

Filed under: Hackaday Columns, Hackaday links

ReconDog – An All In One Tool For All Your Basic Information Gathering Needs

Recon Dog is an all in one tool for all your basic information gathering needs. It uses APIs to gather all the information so your identity is not exposed.

Downloading and running Recon Dog

Enter the following command in the terminal to download it

git clone

After downloading the program, enter the following command to navigate to the Recon Dog directory and list its contents

cd ReconDog && ls

Now run the script with the following command.


Download ReconDog

Hackaday Prize Entry: Minimalist HTTP

For his Hackaday Prize entry, [Yann] is building something that isn’t hardware, but it’s still fascinating. He’s come up with a minimalist HTTP compliant server written in C. It’s small, it’s portable, and in some cases, it will be a bunch better solution than throwing a full Linux stack into a single sensor.

This micro HTTP server has two core modules, each with a specific purpose. The file server does exactly what it says on the tin, but the HTTaP is a bit more interesting. HTTaP is a protocol first published in 2014 that is designed to be a simpler alternative to WebSockets.

[Yann] has been experimenting with HTTaP, and the benefits are obvious. You don't need Apache to make use of it; HTTaP can work directly with an HTML/JavaScript page, and using only GET and POST messages you can control hardware and logic circuits.

As this is a minimalist HTTP server, the security is dubious at best. That’s not the point, though. This is just a tool designed for use in a lab or controlled environments with an air gap. Safety, scheduling, encryption, and authentication are not part of HTTaP or this micro HTTP server.

The HackadayPrize2017 is Sponsored by:

Filed under: The Hackaday Prize

Users Leave 45,000 One-Star Facebook Reviews After Hacker’s Unjust Arrest

Over 45,000 users have left one-star reviews on a company’s Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. […]