Cracking Oracle Apex password hashes
We'll reverse the Oracle Apex engine and find out how to crack its hashes with hashcat.
I started out with this article to showcase vulnerabilities in honeypot software, but ended up believing that honeypots are the next step in leveling the cyber security playing field.
Pro-actively tighten security procedures or your security team might be subject to social engineering attacks.
No tools were available for recovering a password from a pixelized screenshot, so I created one. In this article I explain my algorithm and its implementation, but start with some history and the current state of deblurring techniques.
Password expiration and complexity rules are dead. We have had proper password policy guidelines for over three years now. Stop trying to fix users and start fixing your infrastructure.
ViewState deserialization has been 'fixed' in .NET since 2012, but a vulnerable code snippet for creating a custom compressed ViewState is being passed around on the internet to this day.
A new Spot The Bug challenge based on a vulnerability I found during an assignment.
The lock of the front door was broken, so I hacked together a way for housemates to open the door via their phones.
An article about my experiences with the OSCP course.
How to extract the sa password hash and view the content of the master database from an MSSQL database backup (.bak).
When working for Applied Risk I got to contribute to research for hacking Building Management Systems. We'd found bugs and created exploits for owning buildings over the internet.
Some blog article I wanted to write on information security.
A proper SNI configuration for lighttpd DH parameters.
How and why I failed a couple of times during a code review / pentest.
How I fixed the "couldn't get 'max filedescriptors'" error from Lighttpd.
Warm-up for the Spot The Bug challenge 2018 from Securify.
After reporting some vulnerabilities I found during SOP to a newspaper, they asked me to give some general internet safety tips for 2017-2018. The article contains a few of my practical tips. Here is the complete (Dutch) text I sent in regarding internet safety for the public.
Tutorial on compiling a Monero miner on OSX.
Background information about the website.
A short article about fixing the critical software update error message when re-installing a Macbook Pro with a touch bar.
In this article I share some experiences from cracking RSA moduli in bulk by exploiting the use of common GCDs.
About seven years ago I worked at a helpdesk. At that time, I created a document to register what people say (in Dutch). Don't get me wrong; people are not stupid. They are just end users.
Bypassing registration for the Kobo Aura H2O so you can use it like the actual product you paid for.
I've added a Really Simple method for generating an RSS feed. Most information I got from w3schools. There was a hiccup with XML-escaping; luckily, the neat xmlescape method from the Python package xml.sax.saxutils was perfect for this. Also, it turns out that the 'guid' element can just be the URL to an article.
Write-up for the Spot The Bug challenge 2016 from Securify.
Briefing for the Spot The Bug challenge 2016 from Securify.
Write-up for the Spot The Bug challenge 2015 from Securify.
Briefing for the Spot The Bug challenge 2015 from Securify.
Back in 2014 I thought of a hack for the Dutch train system I call trainpooling.