Posts on Jordan Wright

Building the "Curious World Podcast"

Sat, 18 Apr 2026 06:00:00 -0500

My daughter and I love listening to the Yoto Daily podcast on her Yoto player. It’s a daily podcast featuring a friendly host, and it’s content is the perfect laid back way to start or end the day.

Having a daily, bite-sized podcast is such a fun part of our routine that I decided to make one myself. It’s called the “Curious World” podcast (she came up with the name!) and you can listen to today’s episode here.

And the really neat part is that the process of making an episode is entirely automated.

Hunting for Malicious Packages on PyPI

Thu, 12 Nov 2020 06:00:00 -0500

About a year ago, the Python Software Foundation opened a Request for Information (RFI) to discuss how we could detect malicious packages being uploaded to PyPI. Whether it’s taking over abandoned packages, typosquatting on popular libraries, or hijacking packages using credential stuffing, it’s clear this is a real issue affecting nearly every package manager.

Building Gophish Healthcheck: Part One

Sun, 02 Sep 2018 22:01:01 -0500

One of the questions I see most often from Gophish users is “how do I get past my spam filter?” Generally, my answer to this is something along the lines of “just whitelist the IP address,” since it’s my opinion that phishing simulations should be a test of the people and processes, not the email infrastructure.

But what if we do want to test the email infrastructure?

This post is the first in a two-part series about how I’m creating the email healthcheck service for Gophish. This post talks about how I handle DNS programmatically, and the next post will describe the actual architecture being used.

Automating Gophish Releases With Ansible and Docker

Sun, 04 Feb 2018 11:00:59 -0600

It’s been a while! While I haven’t posted as much here, I have been writing quite a bit over on Duo’s blog about the really cool research I’ve gotten to do this past year with the incredible Duo Labs team.

Any spare time I’ve had has been spent working on Gophish. This past year I’ve released a new hand-crafted, artisinal website, responded to nearly 400 support requests, and made too many improvements to count!

Now, most people who use Gophish use a pre-built binary*, which means that it’s important to make new releases as soon as possible after improvements are made. Otherwise, I’m left answering support requests with the advice of “build from source”, which is not ideal.

The previous release process was manual, making it a huge pain. This led to inconsistency and large amounts of time spent packaging every release, which results in very infrequent releases.

This post documents the previous process as well as how I recently improved it using Ansible, Docker, DigitalOcean API’s, and more.

Mapping the Clinton Emails

Wed, 12 Oct 2016 18:57:33 -0500

Back in March, Wikileaks released over 30,000 emails “sent to and from Hillary Clinton’s private email server while she was Secretary of State”.

I decided to make a quick map showing how emails were sent through the server, mapping the senders and recipients. This post is a quick explanation of how I did it.

Analyzing 5 Years of Police Call Data

Wed, 22 Jun 2016 06:30:00 -0500

San Antonio is a great city. According to Yelp, there are over 1200 places to get a taco - how could it not be great?

Unfortunately, any time you get a huge group of people together there will be crime, and SA is no exception. Our SAPD stay busy 24/7, constantly putting their lives on the line to keep the city safe, and I’m thankful for all the work they do.

Being an amateur API aficionado, I was excited to find the SAPD Open Data Initiative that contains a wealth of information on the activities the SAPD perform. Specifically, I wanted to see what kinds of analytics I could gather from exploring the historic SAPD call data.

In this post, I’ll explain how I was able to gather and analyze 4.3 million call data records, or how I basically became the extremely boring part of Batman.

I Automated Infosec "Thought Leadership", and it's Hilarious

Sun, 10 Apr 2016 14:40:18 -0500

Being a Thought Leader is Hard

@thought__leader - Thinking thoughts for you, so you don’t have to.

The infosec industry is full of “thought leaders”. These are people who are on the forefront of the industry, keeping up with latest trends, technologies, and philosophies.

Or they are heavy on the buzzwords and prolific on Linkedin/Twitter. That works, too.

Unfortunately, both of these take way too much time for me. In fact, I’d argue that they take too long for our industry. So this weekend, I set out to automate thought leadership, so that we can spend more time doing things that matter - things like coming up with marketing for the next CVE or finding obscure reflective XSS bugs that affect literally no one.

This resulted in @thought__leader. And it’s hilarious.

What Happens When Tor Exit Nodes Break Bad?

Tue, 05 Apr 2016 00:00:00 +0000

Introduction

When looking at how Tor works, we’ve looked at the various types of nodes that make up the Tor network. However, you’ll notice that we haven’t dealt too much with exit nodes. Exit nodes are the final link in a Tor “circuit”, or path from the client to the server. Since exit nodes send data to the final destination, they can see the data as if it had just left the device.

This visibility puts quite a bit of trust in exit nodes and, for the most part, they tend to act responsibly. However, this isn’t always the case. This post will take a look at what happens when a Tor exit node operator decides to “break bad” and wreak havoc on Tor users¹.

How to Download a List of All Registered Domain Names

Wed, 30 Sep 2015 00:00:00 +0000

Introduction

Every morning, the infosec field is greeted with an onslaught of freshly registered malicious domains. These domains are used to host phishing sites, maintain botnet command and control, harvest stolen information, and more.

Having the complete list of registered domains day-by-day offers substantial visibility that can be used for intel and repsonse. Fortunately, such lists not only exist, but are available (usually for free!) with little effort involved. This post will introduce TLD zone files, how to access them, and how they can be used to your benefit.

Gophish Update - Importing Sites and Emails

Tue, 29 Sep 2015 06:45:33 +0000

Introduction

I’m excited to announce that the gophish “alpha” release is almost complete! I’m just cleaning up a few bugs, touching some things up, etc. In the meantime, I wanted to write a quick post to show off some really slick features that I was able to add earlier than planned.

Creating pixel-perfect email templates and landing pages are crucial to delivering the best possible phishing training. Gophish has always had the ability to create these, but it was quite frankly a pain to use as you needed the raw HTML or text for both the email and site content. In this post, let’s take a look at how we can now import sites and emails directly into gophish.

CSAW CTF 2015 - Forensics 100 Flash Writeup

Tue, 22 Sep 2015 20:51:43 +0000

For this challenge, we were given an HDD image and asked to find the flag on it.

CSAW CTF 2015 - Forensics 100 Transfer Writeup

Tue, 22 Sep 2015 19:05:18 +0000

This challenge starts off with the following hint:

I was sniffing some web traffic for a while, I think i finally got something interesting. Help me find flag through all these packets.

This challenge started off with a pcap. Let’s take the cheap way out and do a basic Wireshark filter for frame contains flag:

CSAW CTF 2015 - Web 200 Writeup

Mon, 21 Sep 2015 00:00:00 +0000

Web 200 was a fun challenge that required us to chain together a few basic concepts to get the flag. When navigating to the URL given, we see that the challenge is based on a “Lawn Care Simulator 2015”.

CSAW CTF 2015 - Web 600 Writeup

Sun, 20 Sep 2015 00:00:00 +0000

This one was surprisingly easy if you knew where to look.

2 Years of @dumpmon

Tue, 26 May 2015 00:00:00 +0000

Introduction

This post is long overdue.

Back in May 2013, I released a Twitter bot called @dumpmon whose sole purpose was to track and report password dumps and other sensitive information shared on paste sites such as Pastebin. Since that time, dumpmon has proven - to my excitement - to be valuable to researchers, being featured in news articles, Defcon slides, and HIBP!

After two years, it’s time to post an overdue status update providing some insight into the data dumpmon has collected over this time.

Note: This is a pretty long post, so feel free to skip here if you just want the data.

How Tor Works Part Three - The Consensus

Thu, 14 May 2015 00:00:00 +0000

Introduction

Welcome to the third post in my series on how Tor works! In the past two posts, we talked about how clients tunnel traffic through relays, as well as introduced the idea of unpublished relays called bridges.

But how do clients know what relays are active? How is the Tor network actually organized and maintained? This post will answer this question by talking about a living document called the consensus as well as introducing a few very important Tor nodes that run the show behind the scenes.

How Tor Works: Part Two - Relays vs. Bridges

Sat, 09 May 2015 00:00:00 +0000

Introduction

Welcome back to my series on how Tor works! In the last post, we took a look at how Tor operates from a very high level. In this post, we’ll dive a bit deeper, taking a look at a potential issue with relays in order to introduce a new concept: bridges.

60 Days of Watching Hackers Attack Elasticsearch

Thu, 30 Apr 2015 20:00:00 +0000

Introduction

Two months ago, one of my DigitalOcean instances started attacking another host with massive amounts of bogus traffic. I was notified by the abuse team at DO that my VPS was participating in a DDoS attack. I managed to track down that the attackers leveraged an RCE vulnerability in Elasticsearch to automatically download and run malware.

After re-building the box from scratch (with many improvements!), I created a honeypot called Elastichoney to measure how much this vulnerability is being exploited in the wild. Since then, I’ve had multiple sensors silently logging all attempts to exploit this vulnerability.

Here are the results.

Introducing elastichoney - an Elasticsearch Honeypot

Mon, 23 Mar 2015 00:00:00 +0000

Introduction

I recently wrote about an Elasticsearch RCE vulnerability that is being heavily exploited in the wild. To see what kind of attacks are taking place, I decided to write a simple honeypot designed to mimic a vulnerable Elasticsearch (ES) instance. Say hello to elastichoney!

Remote Code Execution in Elasticsearch - CVE-2015-1427

Sun, 08 Mar 2015 00:00:00 +0000

TL;DR If you have an elasticsearch instance that is publicly available, upgrade to 1.4.3 or later now.

Elasticsearch (the “E” in ELK) is a full-text search engine that makes data aggregation and querying easy. It has an extensive JSON API that allows everything from searching to system management. This post will show how a new vulnerability, CVE-2015-1427, allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).

Much of the analysis discovering this vulnerability was originally found on a blog post here (translated). This post aims to translate and provide more detail on the vulnerability.

How Tor Works: Part One

Sat, 28 Feb 2015 00:00:00 +0000

Introduction

Tor is an anonymity tool used by those who want to stay private and uncensored when browsing the Internet. Over time, it’s grown to be pretty darn good at this. This makes the security, stability, and speed of the underlying network critical to those depending on it.

But how does Tor work under the hood? In this series of posts, we’ll take a deep dive into the structure and protocols used by the Tor network in order to see first-hand how Tor operates.

Gophish Update: Getting Closer to Alpha!

Thu, 26 Feb 2015 00:00:00 +0000

Introduction

It’s been a busy couple of months!

I thought it would be worth providing a long-overdue update into the development status of gophish. Overall, the project is getting closer to beta status every day, and I’m hoping to see a 0.1 release at the end of March.

Without further ado, let’s dive in and see where we’re at.

Web Scraping Hotel Prices for Fun and Savings

Sat, 21 Feb 2015 00:00:00 +0000

Introduction

During the process of planning a vacation, I came across a nice hotel I wanted to stay at. When looking at some possible dates, I noticed the nightly rate would fluctuate dramatically. This made me question if I was going to wind up paying way more just because I wanted to stay at the hotel on a certain day.

Then I considered the alternative - maybe I could scrape the prices every day to find the cheapest nightly rate. Sounded like a job for Python, BeautifulSoup, and some whiskey.

SANS Holiday Challenge 2014 - Writeup

Mon, 05 Jan 2015 00:00:00 +0000

Introduction

Back in December, SANS released another installment of their annual holiday challenge. I enjoyed taking on the 2012 challenge, so I was excited to see what SANS had in store this year. This year’s challenge didn’t disappoint with a nice mix of basic network recon, web application hacking, and some forensics. This post will detail how I found each required “secret” to solve the challenge.

I’d like to extend a personal thanks for all the hard work SANS puts in to putting on this challenge every year.

Why Deleting Sensitive Information from Github Doesn't Save You

Tue, 30 Dec 2014 00:00:00 +0000

So you accidentally committed a password or API key to Github. Ouch.

“No problem!”, you think, “I’ll just follow Github’s helpful information on how to delete sensitive information and I’ll be fine!”

Just today, I saw a great article detailing one developer’s experience with committing sensitive information to Github. Unfortunately, this article missed the main point. In this post, I’m going to show exactly how hackers instantly harvest information committed to public Github repositories, and why deleting this information doesn’t solve the problem.

What InfoSec Learned in 2014

Sun, 28 Dec 2014 00:00:00 +0000

Busy year.

It seems as though each year brings more and more events that throw our industry into the forefront of attention - and they’re never good. At the same time, it’s key to remember that these events allow us to learn and evolve as an industry. Let’s take a look at some of the key things we as an infosec industry can learn from 2014:

What Happens if Tor Directory Authorities are Seized?

Fri, 19 Dec 2014 00:00:00 +0000

Introduction

The Tor Project has announced that they have received threats about possible upcoming attempts to disable the Tor network through the seizure of Directory Authority (DA) servers. While we don’t know the legitimacy behind these threats, it’s worth looking at the role DA’s play in the Tor network, showing what effects their seizure could have on the Tor network.*

Chrome Tracks Every Key Typed into the Omnibox

Tue, 16 Dec 2014 00:00:00 +0000

Friendly Reminder: Browser makers may track every key you type in the URL bar

Introduction

Technologies like Google Chrome’s Omnibox makes searching easier. However, these quick search suggestions come at a price. This post is a friendly reminder that you may want to consider turning off predictive search to protect your privacy.

My (Probably Boring) Research Papers on Security

Mon, 01 Dec 2014 00:00:00 +0000

Introduction

I’ve always been a proponent and contributor of open-source projects and information. I strongly believe that information and knowledge should be shared as much and as freely as possible - progress happens this way.

As such, I’ve decided to “open-source”, if you will, the academic essays I wrote regarding information security and software development my last couple of semesters at Texas Tech. It’s my hope that people find these useful, either by provoking thought and discussion or simply by serving as material to help people fall asleep a little easier.

Please bear in mind some of these papers were written ~~the night before~~ in a short time-span.

Creating Tor Hidden Services with Python

Mon, 06 Oct 2014 00:00:00 +0000

Introduction

Tor is often used to protect the anonymity of someone who is trying to connect to a service. However, it is also possible to use Tor to protect the anonymity of a service provider via hidden services. These services, operating under the .onion TLD, allow publishers to anonymously create and host content viewable only by other Tor users.

The Tor project has instructions on how to create hidden services, but this can be a manual and arduous process if you want to setup multiple services. This post will show how we can use the fantastic stem Python library to automatically create and host a Tor hidden service.

Decompiling Android Apps the Easy Way

Sun, 10 Aug 2014 00:00:00 +0000

Introduction

Mobile applications are often viewed as black-box applications. However, these applications often suffer from the same (or similar) vulnerabilities as their web application counterparts.

In a previous post, I showed how we can perform dynamic analysis on iPhone applications by intercepting the inbound/outbound traffic with the Burp proxy. In this post, we’ll explore static analysis of Android apps by looing at a couple of online tools that make decompiling apps into equivalent Java and Smali code trivial.

Reverse Engineering the We Heart It API

Sat, 09 Aug 2014 00:00:00 +0000

Introduction

A while back, I came across the article from the The Washington Post describing We Heart It, a social network claiming over 30 million users. If you haven’t seen it, We Heart It (from here on out abbreviated as WHI) is a social network which encourages people to post and share photos and images of things that inspire them.

Having such a large user-base, I was interested in seeing what kind of API the site offered developers. However, I was disappointed when I found out that the API was closed to “partners”, and even this is not a full REST API, but rather a simple button developers can place on their website to allow users to interact with WHI.

With this being the case, I decided to take a look at the Android and iPhone apps using both static and dynamic analysis in an experiment to see if I could reverse engineer the API used on the backend. Here are the results.

How to Hunt Down Phishing Kits

Tue, 29 Jul 2014 00:00:00 +0000

Introduction

Sites like phishtank and clean-mx act as crowdsourced phishing detection and validation. By knowing how to look, you can consistently find interesting information about how attackers work, and the tools they use to conduct phishing campaigns. This post will give an example of how phishing kits are used, how to find them, as well as show a case study into other tools attackers use to maintain access to compromised servers.

A Look at Comment Spam Generator Scripts

Fri, 04 Apr 2014 00:00:00 +0000

Introduction

It’s been a while! I’ve been busy getting gophish closer and closer to beta. Should be ready soon!

Until then, here’s a quick look at some comment spam scripts I discovered when perusing through the content over at phishtank.com.

As a side note, the scripts were bundled as some Louis Vuitton spam, though that doesn’t seem to relate to the content of the spam scripts at all.

The Spam Scripts

Here are the scripts - the format looks very similar to those found by Alex King. I’m guessing that one choice from each {block} is used at random to make every comment unique.

Building GoPhish - How to Send Email with Go

Fri, 03 Jan 2014 00:00:00 +0000

Introduction

I’ve been playing around with Go for about a month now, and I’ve really grown to like it. After getting used to the syntax and remembering what a pointer is for (thanks, Python), Go has become a favorite language to develop with. I’m even using it for the Matasano Crypto Challenges (which are awesome).

While the standard library in Go is definitely robust, being a young language, there are a few niceties that aren’t yet included. Sending email is one of them. Don’t get me wrong, Go has a wonderful SMTP package, MIME package, and even a Mail package (which only parses existing email messages). However, there is no library to actually create emails in a meaningful way. Since Gophish relies heavily on sending emails, I’ve sought to change this. And, after reading more RFC’s than I normally prefer, I believe I’ve created a package that provides intuitive, robust, and flexible email creation and sending called email.

Let’s see how to use it.

Building Gophish - Day 1

Fri, 29 Nov 2013 00:00:00 +0000

Introduction

Since the Simple Phishing Toolkit (SPT) was discontinued, I’ve wanted to create a simple, effective, and open-source phishing toolkit. In recent years, we’ve seen a rise in spear-phishing attacks targeting large organizations, most of which are largely successful. The goal of this toolkit will be to provide businesses and penetration testers with the ability to quickly and easily perform in-house or contracted phishing engagements, and track the responses to see where improvements can be made. This toolkit will be called gophish.

In addition to this, I’ve been casually poking around at go for a while now, and have decided it would be good to finally put it to use in a larger project. I’m a fan of seeing the steady development and updates of projects as they are created. I believe it can help keep the developer motivated and the users informed and involved, so this is what I’m going to do. Hopefully, these posts will allow others to learn alongside me, as well as spur improvements from experienced go developers so that gophish can be the best product possible.

With that being said - let’s get started!

Wireless Attacks with Python: Part One - The "Dnspwn Attack"

Fri, 15 Nov 2013 00:00:00 +0000

Introduction

A while back, I published a post on the Raidersec blog demonstrating how to perform a deauthentication attack using Python and Scapy. I enjoyed writing the post, since I got the opportunity to learn in-depth about how different wireless attacks work, beyond just learning how to exclusively use the aircrack suite.

So, with that being said, this post will kick off a short series of posts discussing how to perform common wireless attacks using Python. I hope you enjoy the posts and, as always, never hesitate to let me know if you have any comments or questions below.

How to Pentest iPhone Apps with Burp

Tue, 05 Nov 2013 21:50:00 +0000

Introduction

When looking at the functionality of mobile apps, it’s clear that they aren’t that different than web applications. They often just serve as a frontend for the data stored on a central backend server or database. As such, if developers aren’t careful to protect these apps, many of the same vulnerabilities we find in standard web applications (such as injection attacks on unvalidated input) can be exploited by attackers.

This post will show how to setup the iPhone to work with the popular Burp Suite so that traffic from apps can be intercepted and tested for vulnerabilities.

Linkedin's Response to My "Phishing with Intro" Post

Fri, 01 Nov 2013 00:00:00 +0000

The Initial Post

I recently published a blog post which showed a practical attack against Linkedin’s Intro. The post reached the front page of Hacker News (a full writeup of my experience with the “Hacker News Effect” will be posted soon for those interested), which caused the post to gain quite a bit of publicity and traction. Soon after, I was contacted by Linkedin’s security team. This was their response.

Phishing with Linkedin's Intro

Sat, 26 Oct 2013 00:00:00 +0000

Update 10/28/2013 6:30PM CDT - I have been in contact with Linkedin’s security team and a hotfix has recently been released to address the findings below. This fix applies the styling rules to a randomly generated ID, as opposed to the class based styling seen below. This provides more specificity in applying the rules, making it more difficult to override.

I am no CSS expert so there could very well be tricks to still get around this and remove the content (or even just hide it and overlap it) - email me if you know of one! I will be continuing my work with Linkedin’s security team to iron out any bugs we can find. Users are reminded that no solution is perfect, and that seeing this data in an email in no way definitively proves the senders legitimacy.

I would also like to thank Linkedin’s security team for their quick and effective response to these findings.

“Intro"duction

On October 23, Linkedin introduced an application called “Intro”. The premise is simple: allow iPhone users to see details about the people they are emailing within the native iPhone Mail App. Think Rapportive for the iPhone Mail App, because that’s essentially what this is (and made by the same people).

However, when reading the initial description of Intro, there was one part that caught my eye:

David says Crosswise would love to work with you. Is this spam, or the real deal?

With Intro, you can immediately see what David looks like, where he’s based, and what he does. You can see that he’s the CEO of Crosswise. This is the real deal.

This is not much different than Linkedin saying “we’ve put a picture of a lock in your email, so you know for sure it’s secure”. Linkedin is simply giving its users a false sense of security. In this post, we’ll take a look and see what exactly Linkedin is doing to its users’ email, as well as how we can spoof this information, gaining full control of the information shown to the user.

Automated Social Engineering Recon Using Rapportive

Mon, 14 Oct 2013 00:00:00 +0000

Introduction

When performing a social engineering engagement, recon is key. In a previous post, I demonstrated a few ways in which we could automate the recon process. However, the methods I showed were simply ways to find the profiles of people that might belong to a particular organization.

During SE engagements, we often either run across email addresses (by, say, simply scraping the main website) or want to enumerate the email address structure in use by an organization (generating possible alternatives using tools like jigsaw.rb). It would be helpful if it were possible to automate the process of validating those email addresses by associating them to additional information or social networking profiles. This is where Rapportive comes in handy.

Hello World!

Fri, 11 Oct 2013 00:00:00 +0000

``` #!/usr/bin/env python print 'Hello, World!' ```

Hi there! My name is Jordan, and I am a security researcher, developer, and hobbyist.

For the past few years, I created and maintained a blog for an organization I started called Raidersec. While I fully intend to leave the existing content on the Raidersec blog, I thought it would be ideal to create a personal blog on which I can continue writing about my research and projects dealing with not just security, but programming in general.