Category Archives: scripting

Post-Exploitation with Windows PowerShell

I gave a presentation on the topic of “Post-Exploitation with Windows PowerShell” sometime ago in 2015. This presentation showcases the use of PowerShell scripting exploitation frameworks coupled with various penetration testing tools and AV evasion techniques for post-exploitation on compromised hosts.

The slides can be found here:

Video of the demo from the presentation:

Flashing DD-WRT on D-Link’s 868-L Router

I always wanted to have a separate WiFi access point in my home network that automatically tunnels traffic through my VPN server in the US, instead of having VPN clients installed on every device that requires the use of the VPN. At times, some devices do not have support for VPN clients to be installed. I then began doing a bit of research and found that the DD-WRT firmware might be able to help me achieve this goal.

I recalled that I was given a new AC1750 D-Link 868L router by Starhub a while back and it was just sitting in one corner collecting dust. I decided to reflash that router and add it as a bridge to my current network’s router. As information on that particular router online is pretty scarce, it took a few tries and several bricks to get it working as intended.

These are the steps to get DD-WRT working (with a lot of trial and error!):

  1. Navigate to the D-Link’s router administrative interface and update the stock firmware to the first ever factory release firmware. (DIR868LA1_FW100SHCb01.bin from the official site will work)
  2. When that is done, repeat step 1, but with the following firmware specifically for the 868-L: r25974-factory-to-ddwrt_base.bin, available on the official DD-WRT repository.
  3. The router should be on the base DD-WRT firmware after the reboot.
  4. Clear the NVRAM.
  5. Navigate to the DD-WRT’s firmware page and update the firmware that is specifically for the 868-L: r27506-dir868a-webflash.bin, which can also be found on the official DD-WRT repository.
  6. After the reboot, the 868-L will be running a full-fledged version of DD-WRT.

The next few steps involve getting the configuration right for the WiFi access point that has VPN tunnelling:

  1. First navigate to the wireless tab in DD-WRT administrative interface. Scroll down slightly and you should see a ‘Virtual Interface’ section. Click on ‘Add’.
  2. You should now see a new section right at the bottom of the page showing the newly added interface.
  3. Name it accordingly. If unsure, you can simply replicate my settings as follows: [screenshot: Screen Shot 2016-01-18 at 10.09.46 AM]
  4. Now that the virtual AP is set, the next step would be to create a virtual bridge. Navigate to the ‘Setup’ –> ‘Networking’ tab. Under the ‘Bridging’ section, create a new bridge named ‘br1’. Here, you can assign an IP range that belongs to the ‘br1’ bridge interface. My settings are as follows: [screenshot: Screen Shot 2016-01-18 at 10.13.49 AM]
  5. Now that the bridging is settled, the next step is to set the VPN settings, which can be easily done under the ‘Services’ –> ‘VPN’ tab. I am using OpenVPN and after configuring it correctly, you should see the following page under ‘Status’ –> ‘OpenVPN’. This depends on your VPN settings. [screenshot: Screen Shot 2016-01-18 at 10.20.10 AM]
  6. The last step is to set the routing on the device. I set a start-up script under the ‘Administration’ –> ‘Commands’ tab as follows:
    sleep 220;                                                              # give OpenVPN time to bring the tunnel up after boot
    tun_name=$(ifconfig | sed -n 's/.*\(tun[^ ]\).*/\1/p');                 # name of the tunnel interface, e.g. tun0
    tun_addr=$(ifconfig $tun_name | sed -nr 's/.*P-t-P:([^ ]+) .*/\1/p');   # peer address of the point-to-point tunnel
    ip rule add from BR1_SUBNET table 200;                                  # BR1_SUBNET: the IP range you assigned to br1 in step 4
    ip route add default via $tun_addr dev $tun_name table 200;             # br1 traffic gets its default route through the tunnel
    ip route flush cache;
  7. All the settings should be configured now. Your new virtual AP should have all traffic tunneled through the VPN.
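As an added example (not the original post's start-up script), the following is a sturdier version of step 6: it polls for the OpenVPN tun interface instead of sleeping a fixed 220 seconds, and it adds a "prohibit" default route to table 200 so that br1 clients get no route at all, rather than falling back to the ISP uplink, if the tunnel drops. It assumes BusyBox-style ifconfig output; BR1_SUBNET is a placeholder for the range chosen in step 4, and APPLY_ROUTES is a variable introduced here.

```shell
#!/bin/sh
# Added example, not the original post's script. Polls for the OpenVPN tun
# interface and installs policy routing for br1 with a "prohibit" fallback so
# that traffic cannot leak to the ISP uplink when the tunnel is down.
# Assumes BusyBox ifconfig output; BR1_SUBNET is a placeholder for step 4's range.

BR1_SUBNET="${BR1_SUBNET:-192.168.2.0/24}"   # assumed value, replace with your br1 range
VPN_TABLE=200

# Read ifconfig output on stdin, print "tunN peer-address" for the first tun
# interface that has a P-t-P peer, or nothing if the tunnel is not up yet.
parse_tun() {
    awk '
        /^[^ \t]/ { name = ($1 ~ /^tun[0-9]+$/) ? $1 : "" }   # new interface block
        name != "" && /P-t-P:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^P-t-P:/) { sub("P-t-P:", "", $i); print name, $i; exit }
        }'
}

# Print the routing commands for subnet/tun/peer without running them, so the
# logic can be checked off the router. The prohibit route has a worse metric
# than the tunnel route, so it only takes effect once the tun route is gone.
route_cmds() {
    printf '%s\n' \
        "ip rule add from $1 table $VPN_TABLE" \
        "ip route add default via $3 dev $2 table $VPN_TABLE" \
        "ip route add prohibit default table $VPN_TABLE metric 100" \
        "ip route flush cache"
}

# Poll ifconfig every 5 s for up to 5 minutes; print "tunN peer" on success.
wait_for_tun() {
    n=0
    while [ "$n" -lt 60 ]; do
        found=$(ifconfig 2>/dev/null | parse_tun)
        if [ -n "$found" ]; then echo "$found"; return 0; fi
        n=$((n + 1)); sleep 5
    done
    return 1
}

# Apply only when explicitly asked (APPLY_ROUTES=1 on the router, as root).
if [ "${APPLY_ROUTES:-0}" = "1" ]; then
    tun_info=$(wait_for_tun) || { echo "no tun interface came up" >&2; exit 1; }
    set -- $tun_info
    route_cmds "$BR1_SUBNET" "$1" "$2" | sh -e
fi
```

Put `APPLY_ROUTES=1` at the top when pasting this into the ‘Commands’ start-up box; without it the script only defines the functions, which is what allows the parsing and route logic to be checked off the router.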


NRIC Number Generation

At times, my job requires the use of “valid” NRIC numbers to conduct certain security testing. There was a time last year when there was a requirement for a sample of approximately 5000 NRIC numbers to conduct user-enumeration tests. I did a quick Google search and found a couple of online generators, but they were clunky and slow and it would probably take ages to generate a sizable sample. There was even this website that stated: “If you need bulk generation of > 1000 NRIC numbers in any format, please contact me for a quote.” I wonder if this is even legal, so in my curiosity, I proceeded to request a quotation with a dummy email account (see the email exchange below).


Anyway, I would definitely not pay for stuff like this and decided to do a bit of research with a good buddy (Joel) of mine on the algorithm behind the generation. After a few minutes, we found the publicly available algorithm online and we started programming a simple generator. 5000 unique NRIC numbers were then generated in less than 1 second, at zero cost. S$30 saved. 🙂


Now that the goodies are in a text file, it would be easy to use them in Burp Intruder and enumerate away…