Category Archives: Security

Funny Story: To DoS or DDoS? … that is the question.

I recently received an invitation to attend a seminar on “How to protect your business from DDoS attacks”. The invitation was sent as an HTML attachment.

So, in my paranoia, I opened the file in an editor before trying to load it in a browser. In the editor view I saw a link to a web server that used an IP address directly.

Again I wanted to investigate further, so I loaded the root of the server in Firefox with the “Header Spy” add-on, just to see some info on the server.

To my surprise, the server served the default IIS page, and from the Header Spy information and the look of the page I confirmed it was running IIS 8.5 on Windows (of course).

So I searched for vulnerabilities in IIS 8.5 and came up with the MS15-034 bulletin. To make sure, I did a manual check using curl with the following line:

curl -v -k http(s)://<hostname or IP>/ -H "Host: anything" -H "Range: bytes=0-18446744073709551615"
# vulnerable host: HTTP/1.1 416 Requested Range Not Satisfiable
# patched host:    HTTP/1.1 400 Bad Request, body "The request has an invalid header name"


Then I used some vulnerability checks from Offensive Security’s exploit DB and a Python PoC to be 100% sure, and it was confirmed.

So the funny part: a DDoS-prevention announcement hosted on a DoS-vulnerable host with a year-old vulnerability. Isn’t it funny? #LOL

Ping with creativity … on windows

I recently saw a blog post on netstat, so I thought that if someone could blog about netstat, I can blog about ping. #insidejoke

First of all, ping is a Windows/Unix command used to check connectivity between two points using the ICMP protocol, but that’s not all you can do with it.

Disclaimer: many networks block ICMP, so this may not help you at all.

First, let’s see our options:


As you can see there are a lot of options, but let’s test three (3) of the most common ones.

Check connectivity to target

Check for DNS resolution on target

Manipulate the TTL: let’s check the third (3rd) hop on the route to the target

So let’s be creative with it:

Traceroute & check 30 hops

Do a ping sweep discovery on a /24 subnet

Now we can do  a reverse DNS walk
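The commands behind the six items above, as an added example since the original screenshots are not part of this text. These are cmd.exe one-liners written for this edit, not the post’s own; they assume the LAN is 192.168.1.0/24 and use the placeholder host name target.example.com. Inside a .bat file the loop variable is written %%i; at an interactive prompt use %i.

```batch
@echo off
rem Added example (not from the post): the six ping tricks as cmd.exe commands.
rem Assumptions: ICMP is not filtered, the LAN is 192.168.1.0/24 and
rem target.example.com is a placeholder for the real target.

rem 1) Check connectivity: four echo requests, 1 second timeout each
ping -n 4 -w 1000 target.example.com

rem 2) Check DNS resolution: the "Pinging name [ip]" line shows the resolved address,
rem    one probe is enough to see it
ping -n 1 target.example.com

rem 3) Manipulate the TTL: a TTL of 3 expires at the third router, which answers
rem    "TTL expired in transit" and so reveals its own address
ping -n 1 -i 3 target.example.com

rem 4) Traceroute: walk TTL 1..30; every hop that answers prints a "Reply from" line,
rem    intermediate hops with "TTL expired in transit", the target with "bytes=32 ..."
for /L %%i in (1,1,30) do @ping -n 1 -i %%i -w 500 target.example.com | find "Reply from"

rem 5) Ping sweep of the /24: only live hosts return a reply that contains "TTL=";
rem    "Destination host unreachable" and "Request timed out" are filtered out
for /L %%i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%%i | find "TTL="

rem 6) Reverse DNS walk: -a asks for the PTR record before probing, and a resolved
rem    name shows up as "Pinging name [ip]", so the "[" filter keeps only addresses
rem    that have a name, whether or not the host answers the ping
for /L %%i in (1,1,254) do @ping -a -n 1 -w 200 192.168.1.%%i | find "["
```

The sweep and the reverse walk take roughly 254 times the -w timeout when most addresses are silent, so keep the timeout short on a local segment and raise it across a WAN. The reverse walk also works against networks that block ICMP, because the name lookup happens before any packet is sent.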

So now you see how an everyday “insignificant” command can be very useful.

In Unix we have more tools for manipulating strings, and with the power of Bash even more so, but in essence you can do the same. I will cover this in a future post.


Skeleton Key from Open Source Intelligence


Recently I saw a tweet by @gsuberland that blew my mind. Not because it was special, but because it was common. He tweeted a photo of a NY Post article on a particular key that was being sold on eBay for $8. This key allegedly can get you access to subways and elevators in New York City. Scary, right? It gets worse.


When you analyze this, it’s wrong in so many ways that it’s scary.

  1. The NY Post publishes a photo of the real key, a Yale 1620.
  2. @gsuberland tweets about it and gets more than 770 RTs (at the time of this post).
  3. In the thread it gets disclosed that this is a Yale large-pin key.
  4. … and later in the same thread someone tweets a high-resolution photo of the key in question from the NY Post website.

OK, this guy accuses the NY Post of being morons for publishing a photo in the paper, and he is right, but his accusation unleashes a series of events that multiplies that error by a factor of X. Just add the NY Post print circulation + NY Post web traffic + the followers of everyone who retweeted (+ the 5 people who read my blog). That’s millions + 5, and that’s a lot.

The article in question is from September 20, 2015; that’s 5 months back, but after reading the articles and tweets (if you believe them), this is old news. Someone claims that way before the articles he got a 1620 key from a friend. But knowing first hand how things move in government, I can safely assume that this problem will persist long after everyone on the Twitter-verse forgets about it.

Finally, the NY Post web article says that eBay stopped selling the key. Hooray! … NOT. Well, actually a quick search on eBay confirms it (I could not find it). But now it’s EVERYWHERE! With the information in print + web + Twitter we can get a Yale blank and cut one, or just take one of the high-resolution images, convert it to a 3D model (YouTube is your friend) and print it. NO eBay, NO underground connections and NO special abilities.

NEW YORK - SEPTEMBER 18: For Sunday News. Fireman elevator keys purchased online pictured in the studio on September 18, 2015. (Anne Wermiel/NY Post)

This is a prime example of how OSINT works, and while many people have the best interest at heart, the road to hell is paved with good intentions (if you believe in that). We have to be careful with the information we put out. I believe in responsible disclosure, but I also know that sometimes the ones responsible just don’t care.

… and that’s how you can get a skeleton key using open source intelligence.

jq – 2016

How to protect yourself from the #Locky “ransomware”


Recently several users have been hit by a new “ransomware”-type virus called Locky. There are many questions, and just as much confusion, so here is a short article to help.

 What is ransomware?

Ransomware is a type of virus that encrypts the user’s data and demands a ransom to decrypt it, in effect holding the user’s data hostage. Payment is demanded in Bitcoin, a digital currency that is pseudonymous and hard to trace, much like digital cash.

 How does it do it?

The virus encrypts the files with a cryptographic key that cannot practically be broken, and that key is stored on servers controlled by the virus author. The key is only handed over after the demanded ransom is paid, and even then there is no guarantee that it will be.

 Is there data exfiltration?

So far it has not been confirmed that user data is transmitted out of the system. It is possible that other versions of the virus include data-theft functionality, so anyone who handles sensitive data should take every security measure available.

 What makes this virus special and harmful?

This virus, currently known as “Locky”, is attacking healthcare institutions in particular because of the value of the data they handle. Every device (computer, phone, tablet, etc.) that holds patient data is covered by HIPAA, which imposes fines for the exfiltration of patient data when the required security measures were not taken.

 How do we protect ourselves?

  1. Update the antivirus (AV) and scan the system daily. Remember that AV only detects what it knows and what it can see.
  2. Apply operating system updates at least once a week.
  3. Update applications (PDF reader, Flash, Zip, etc.) at least once a week.
  4. Back up data off the system onto a medium that stays disconnected (offline), e.g. a USB drive or DVD.
  5. If possible, disable macros in Office products.
  6. Do NOT open e-mail sent by people you do not know.
  7. Do NOT open documents from the SPAM/Junk mail folder under any circumstances.
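Item 5 as a concrete setting, added here as an example that is not part of the post: Office keeps the macro security level in the registry, so the weak value and the hardened one can be compared directly. The script assumes Office 2013 (version key 15.0) or Office 2016 (16.0) on the current user’s profile; the Policies hive is the one Group Policy writes to, and a setting there cannot be undone by the user from the Trust Center.

```batch
@echo off
rem Added example (not from the post): enforce "disable all macros without notification"
rem for Word, Excel and PowerPoint in Office 2013 (15.0) and Office 2016 (16.0).
rem Assumption: one of those versions is installed; add or remove version keys as needed.
rem VBAWarnings values (same value name under the non-policy key
rem HKCU\Software\Microsoft\Office\<ver>\<app>\Security, which the user can change):
rem   1 = enable all macros                 (weak: a Locky .doc runs as soon as it opens)
rem   2 = disable with notification         (Office default: one click on "Enable Content" runs it)
rem   3 = disable all except digitally signed macros
rem   4 = disable all without notification  (hardened: what is set below)
for %%v in (15.0 16.0) do (
  for %%a in (Word Excel PowerPoint) do (
    reg add "HKCU\Software\Policies\Microsoft\Office\%%v\%%a\Security" /v VBAWarnings /t REG_DWORD /d 4 /f
  )
)

rem Office 2016 only: also block macros in files that carry the mark-of-the-web
rem (downloads and e-mail attachments), which covers the Locky delivery path even
rem for users who are allowed to run macros in documents created locally.
for %%a in (Word Excel PowerPoint) do (
  reg add "HKCU\Software\Policies\Microsoft\Office\16.0\%%a\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
)

rem Check the result for one application
reg query "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security"
```

Run it as the affected user (the keys live under HKCU); to roll it out to everyone, the same values belong in a Group Policy Object instead of a per-machine script.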


What do I do if I detect that my machine has been infected?

Disconnect the machine from the network first if you can (pull the cable, turn off Wi-Fi) so it stops encrypting shared folders, power it off immediately, and contact technical support staff as soon as possible.

At the time of this writing there is no way to recover the data other than restoring from a backup or paying the ransom. :-(

— jq

Drone Wars: Weaponizing your drone

Drones, UAVs, UASs, whatever you want to call them, are getting a lot of attention lately, bad press mostly. There is a lot of talk about how drones are bad for privacy, used by drug lords, terrorists and some other shit.

Things can get really interesting when you combine your X-copter with WiFi, Bluetooth, SDR, dev boards or digital video. Did you know it can actually become a remote-controlled turret? Interesting or scary, you decide.

It’s a matter of time until legislators start making stupid laws for stupid people. I say be creative, innovate, experiment, but use common sense and don’t get mad if you get in trouble for doing something stupid.

Recently, at Security BSides Puerto Rico 2015, I presented on weaponizing drones. Here is my presentation …

… and the video recording of it.


Securing your business …

By José L. Quiñones (@josequinones)

A couple of weeks back I did a presentation for Cyber Security Awareness Month at Turabo University with Obsidis Consortia and the Internet Society PR Chapter, titled “Securing your Business”.

So, for those who asked for it or could not make it, here is my presentation:

Hope this helps, and don’t hesitate to contact me for questions or help.

InfoSec Gamification

By: Jose Quinones (@josequinones)


At the last Init6 InfoSec Group meeting I did a short talk about InfoSec gamification, and then we did some “gaming”.

There I talked about how it’s done and about my experience with it. I would like to encourage other professionals, students and enthusiasts to participate in the various CTFs and “competitions” out there.

There are many, many open CTFs out there, but I would like you to consider SANS NetWars Tournaments, Course, Continuous and CyberCity. Although they are paid services (really worth the money), they are designed by Ed Skoudis, the Grand Master Jedi of InfoSec (in my opinion), and are just top notch. NetWars is structured and designed not only to test your skills, but to let you learn and have fun at the same time. Not many CTFs can claim the same.

My first experience with CTFs was a couple of years ago, and I just fell in love with them. They are a great experience and, above all, a lot of fun.

Well, … here is my presentation from the meet. Enjoy, and remember to comment:

See you on the wire …


WarWalking — Plaza Las Americas

Those who attended #BsidesPR 2014 and sat in on the talk by Carlos Perez and yours truly (more Carlos than me) will recall that I mentioned that access points could be identified and that, through the client–AP associations, a person could be tracked.

Well, today I was playing with the data and made this map to demonstrate the concept of identifying the APs:


I got this data by taking photos of the APs and extracting the metadata from the photos.

This is the command I used:


I will keep working to produce something a bit more detailed, but for the moment remember that privacy is in danger of extinction.


Do I trust Apple with my fingerprint?


First of all, I should clarify that I have been an iPhone user from the beginning, with the iPhone 2G (yes, I was stupid enough to blow $400 on that piece of shit); after that I went on with the iPhone 3G and the iPhone 4, and I bought my wife the iPhone 4s. After seeing the iPhone 5, which was just a stretched 4s, I had to stop and evaluate… “shit, will Apple keep taking my money?” … probably not (maybe), but let’s get to what we came for.