Cracking Oracle Apex password hashes

We'll reverse the Oracle Apex engine and find out how to crack its hashes with hashcat.

- Oracle Apex, password storage, hashcat

Sharpen your monitoring capabilities with honeypots

I started out with this article to showcase vulnerabilities in honeypot software, but ended up believing that honeypots are the next step in leveling the cyber security playing field.

- honeypot, infosec, mindgames

Harden your security team - Don't trust bug bounty reports

Pro-actively tighten security procedures or your security team might be subject to social engineering attacks.

- bugbounty, socialengineering, threatprevention

Recovering passwords from pixelized screenshots

No tools were available for recovering a password from a pixelized screenshot, so I created one. In this article I explain my algorithm and its implementation, but start with some history and the current state of deblurring techniques.

- pixelization, passwords, recovering, documentation, informationsecurity

Lessons from password policy science

Password expiration and complexity rules are dead. We have proper password policy guidelines for over three years now. Stop trying to fix users and start fixing your infrastructure.

- password policy, science, research, essay

A widespread piece of .NET code allowing code execution

ViewState deserialization has been 'fixed' in .NET since 2012, but a vulnerable code snippet for creating a custom compressed ViewState is being passed around on the internet to this day.

- .NET ViewState, ViewState compression, Widespread vulnerability

Spot The Bug - An Open End

A new Spot The Bug challenge based on a vulnerability I found during an assignment.

- STB, code, hacking

Temporary intercom hack

The lock of the front door was broken, so I hacked together a way for housemates to open the door via their phones.

- Lego Mindstorm, Hacks, Fun, Free time

OSCP - Fun and challenging but overrated

An article about my experiences with the OSCP course.

- OSCP, exam, culture

Viewing mssql backups files and extracting hashes

How to extract the sa password hash and view the content of the master database from an MSSQL database backup (.bak).

- MSSQL, bak, mdf, master, hash

Owning Building Management Systems

When working for Applied Risk I got to contribute to research for hacking Building Mangement Systems. We'd found bugs and created exploits for owning buildings over the internet.

- BMS, hacking, exploits, reverse engineering

To set currents in motion

Some blog article I wanted to write on information security.

- information security, writing, ideas

Secure Diffie-Hellman parameters for Lighttpd with SNI

A proper SNI configuration for lighttpd DH parameters.

- DH, lighttpd, configuration, SNI

Staying Positive About False Negatives

How and why I failed a couple of times during a code review / pentest.

- failing, pentest, code review, work

Fixing this "couldn't get 'max filedescriptors'" error

How I fixed the "couldn't get 'max filedescriptors'" error from Lighttpd.

- lighttpd, error, code fix

Spot The Bug challenge 2018 warm-up

Warm-up for the Spot The Bug challenge 2018 from Securify.

- challenge, code review

Hoe begin je 2018 veilig op internet?

After reporting some vulnerabilities I found during SOP to a newspaper, they ask me to give some general internet safety tips for 2017-2018. The article contains a few of my practical tips. Here is the complete (Dutch) text I sent in regarding internet safety for the public.

- volkskrant, security advice

Compiling a Monero miner on OSX

Tutorial on compiling a Monero miner op OSX.

- monero, mining, osx, cryptocurrency


Backgrond information about the website.

- meta, about, creator, website

Fixing the critical software update OSX install message

A short article about fixing the critical software update error message when re-installing a Macbook Pro with a touch bar.

- OSX, Macbook, touch bar

A journey into cracking RSA moduli with a common GCD

In this article I share some experiences from cracking RSA moduli in bulk by exploiting the use of common GCDs.

- RSA, GCD, crypto, cracking, global

Helpdesk - Stupid things people say

It's about seven years ago I worked at a helpdesk. At that time, I created a document to register what people say (in Dutch). Don't get me wrong; people are not stupid. They are just end users.

- helpdesk, psychology, people

Kobo Aura H2O hacking

Bypassing registration for the Kobo Aura H2O so you can use it like the actual product you payed for.

- Kubo Aura, hacking, no registration

Added RSS feed

I've added a Really Simple method for generating an RSS feed. Most information I got from w3schools. There was a hick-up with XML-escaping, luckily the neat xmlescape method from the Python package xml.sax.saxutils was perfect for this. Also, it turns out that the 'guid' element can just be the URL to an article.

- meta, RSS,

Spot The Bug challenge 2016 write-up

Write-up for the Spot The Bug challenge 2016 from Securify.

- challenge, write-up, php, code review

Spot The Bug challenge December 2016

Briefing for the Spot The Bug challenge 2016 from Securify.

- challenge, php, code review

Spot The Bug challenge 2015 write-up

Write-up for the Spot The Bug challenge 2015 from Securify.

- code review, challenge, securify, write-up

Spot The Bug challenge 2015 briefing

Briefing for the Spot The Bug challenge 2015 from Securify.

- code review, challenge, securify


Back in 2014 I thought of a hack for the Dutch train system I call trainpooling.

- ov-chipcard, trains, hacks