Hackthissite.org basic mission walkthroughs

Hack This Site was one of the first places where I used my knowledge of hacking and web application languages without ending up in jail 🙂

I went through most of these tracks a long while ago but thought I would make video walkthroughs of each mission. If you are new to hacking or security and want to learn a lot about web application security, this is the best place to start.

I will post the others as well in different playlists when I get around to it!


Check them out at https://www.hackthissite.org





Enhancing your website's protection while using Cloudflare

I posted some time ago about the benefits of using Cloudflare.

See my video below if you are not familiar with Cloudflare, which is a cloud CDN/WAF.


Cloudflare provides a proxy between the internet and your website. All traffic is intended to pass through the Cloudflare network, where it is filtered by the rules set up in the Cloudflare WAF (Web Application Firewall), and only then is the traffic passed back to your server's real IP.

If you were to do an nslookup on a website that is behind Cloudflare you would see something like this (see below for a diagram of how this works):

Non-authoritative answer:
Name: example.com
Addresses: <<< Cloudflare address

Cloudflare layout

Now the real IP will be something else, however …..

If you are relying solely on the protection from Cloudflare, this is a mistake, and you should stop now and secure your server.

The issue is that your real IP can be leaked, and there are many ways this can happen. There is also a handy script I came across:


This script uses APIs to check header information and then also cross-references a database held by Crimeflare of the real IP addresses of servers that are behind the Cloudflare service.

The site looks at nameserver registrations to find the real IP information for the server behind the Cloudflare service.

Even my site is listed, since I have not always been on Cloudflare.

See the output of my search below:

A direct-connect IP address was found: seanmancini.com CANADA

An attempt to fetch a page from this IP was unsuccessful.

Previous lookups for this domain:

  • 2016-05-27: seanmancini.com CANADA
  • 2016-02-23: seanmancini.com UNITED STATES

With this information, an attacker can now try to establish a connection directly to your server.

To combat this problem I have written a small script for the UFW firewall that will whitelist all of the Cloudflare IP space and nothing else.

This means that any web traffic that has not passed through Cloudflare is denied.

See my script below:


Simply run the script on your Debian-based system, provided you are using UFW, and the script will do the rest.

This can also be changed to support iptables and other firewalls.
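The author's script itself is not reproduced on this page. As an added example (not the author's script), the POSIX shell script below does the same job: it turns Cloudflare's published range lists into UFW allow rules for ports 80 and 443 followed by a catch-all deny. It assumes the list URLs https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 (Cloudflare's real, publicly documented lists), uses a constructed sample in the same one-CIDR-per-line format unless LIVE=1, and only prints the commands unless APPLY=1.

```shell
#!/bin/sh
# Allow HTTP/HTTPS only from Cloudflare's published IP ranges with UFW.
# Dry run by default: prints the ufw commands.  LIVE=1 fetches the current
# lists from cloudflare.com, APPLY=1 executes the commands (run as root).
set -eu

# Constructed sample in the one-CIDR-per-line format Cloudflare serves at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
# The live lists change over time, so fetch them rather than hard-coding.
SAMPLE_RANGES='173.245.48.0/20
103.21.244.0/22

2400:cb00::/32'

# cf_rules: read CIDRs on stdin, print one "ufw allow" per range for 80/443,
# then a final deny so traffic that did not come through Cloudflare is dropped.
# Blank lines and comments are skipped; anything not shaped like a CIDR aborts,
# so a tampered or truncated download cannot become a bogus rule.
cf_rules() {
    while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;
            *[!0-9a-fA-F.:/]*) echo "bad range: $cidr" >&2; return 1 ;;
        esac
        printf 'ufw allow proto tcp from %s to any port 80,443\n' "$cidr"
    done
    # UFW evaluates rules in order: the allows above, then this catch-all.
    printf 'ufw deny proto tcp from any to any port 80,443\n'
}

# fetch_ranges: concatenate the live v4 and v6 lists (needs curl and network).
fetch_ranges() {
    curl -fsS https://www.cloudflare.com/ips-v4
    echo
    curl -fsS https://www.cloudflare.com/ips-v6
}

main() {
    if [ "${LIVE:-0}" = 1 ]; then rules=$(fetch_ranges | cf_rules)
    else rules=$(printf '%s\n' "$SAMPLE_RANGES" | cf_rules); fi
    if [ "${APPLY:-0}" = 1 ]; then printf '%s\n' "$rules" | sh -e
    else printf '%s\n' "$rules"; fi
}
main
```

The script only touches ports 80 and 443, so your existing SSH rule is left alone; re-run it with LIVE=1 APPLY=1 from cron so new Cloudflare ranges are picked up.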

If you have questions please let me know!


New tool launched (random hash/number generator)

Hello Everyone!

First off, happy new year!

I hope everyone's holiday was filled with fun and family.

I posted earlier this month about the importance of entropy and generating truly random numbers for things like PGP keys and encryption keys. I have created a small website which aims to help with this problem.


www.trulyrandom.tk is the site. It is pretty simple: I have been developing some backend algorithms that take many inputs to generate randomness. The data is not stored long-term, and the hashes and outputs are created from so many types of data that you can be sure to get a unique number that is not recorded anywhere, so you don't know what seed data was used and neither do I.

So far the system outputs:





I have some other plans for the site which will add features such as the ability to input your own data and some additional algorithms, so stay tuned.


And as always let me know what you think!


Bitcoin Security

If you have been following the news lately, there has been a lot of media attention on Bitcoin.


bitcoin security

What is Bitcoin?

Bitcoin is a digital cryptocurrency with no central body governing it, which also means there are no middlemen such as banks or other financial institutions.

Whatever your reasons for investing in the currency, there are some things you should know from a security perspective.

Since there is no middleman or institution governing your currency (aka coins), you are responsible for being your own bank.

You are responsible for keeping your money safe, and there is no one to scream at if your security fails.

If you have been following the news and other reports, I am sure you have heard of people who have had their cryptocurrencies stolen in hacks, either at Bitcoin exchanges or through their personal computers being compromised.

See these 2 examples:

Bitcoin mining marketplace NiceHash loses tens of millions of dollars following hack


Protecting your coins takes some knowledge of how the coin works, paired with knowing how to protect yourself using best practices.

Bitcoin works almost like PKI (Public Key Infrastructure): there is a PUBLIC key and a PRIVATE key. I am sure I don't have to say which one of these keys you need to protect at all costs... the PRIVATE one, of course.

See below for an image that explains how a Bitcoin transaction works.

bitcoin transaction

Let's first talk about how these keys are created. The keys are referred to as wallets, the place where you can send a transaction to store the coins. There are a few types of wallets, each with their own level of security.


Hot wallets: these wallets are usually mobile apps or wallets that reside on websites. They are always connected to the internet, and the private key is stored either on the device you are using or on the website's servers. You can already see the issue with this. The public key is used to receive transactions, and it is fine to let everyone know what it is, just like the public key of an SSL certificate. The PRIVATE key is what is used to spend your money, so, in essence, the PRIVATE key is your money.

If your PRIVATE key is hacked or leaked, bye bye money. With something that sensitive, it is best to get it as far away from the internet and third-party hands as possible.

Now it can be OK to leave small amounts of money for trading and spending in these HOT wallets for convenience, and they are not all bad, but if you are looking for the highest level of security, it is not found in a HOT wallet.

This is very evident: just look at some of the exchanges that have been hacked and where many people have lost money. These are examples of hot wallets.

Hardware wallets: these are interesting. You use dedicated hardware to store your keys in a highly encrypted form; since the keys are stored on the hardware, someone would need to steal your hardware wallet to attack it.

Check out Ledger, who makes a hardware wallet for Bitcoin and other coins.

Of course, when buying a hardware wallet it is best to buy directly from the manufacturer to avoid possible tampering with the device. Hardware wallets offer some of the highest security you can get.


ledger hardware wallet

You can also use the Apricorn Aegis secure USB stick, but it offers a little less security, as it is still a drive that can be read from: if the system you are on is compromised, there is a chance your keys can be stolen, since there are malware strains in the wild looking for Bitcoin wallets.

One of the other options is a paper wallet.

A paper wallet is literally a piece of paper with your keys printed on it and a QR code to scan when it's time to use them. See below for an example.


paper wallet


Above is a paper wallet. Paper wallets can be generated via a web browser; there are websites such as https://walletgenerator.net/ that have an online utility you can use in your browser to generate a wallet for your coin. But there is a risk with this, as the keys have been on a foreign server and have been online, and if your computer has been compromised there is a possibility that your keys have been recorded.

To have the most secure wallet you would download the software that is available on the site and create the wallet offline. One step further is to run the software in a VM that has never been online. For most people, running the software offline with the network disconnected works fine.

You would then print this on a piece of paper, preferably using a printer that is as dumb as possible, as some newer printers have memory that can be used to reprint the page at a later time.

Remember, this may sound ridiculous to go through, but you have to think like a bank, as you are your own bank!

One more wallet to look at is a warm wallet. This is a wallet such as Coinomi, a mobile application that stores your private key locally on your phone; they claim that your private key never leaves your phone. This can be a good option as well. For most people it is best to use a phone you can dedicate to this, such as an old phone with no SIM card that is not connected to the internet.

This prevents you from falling victim to downloading a malicious mobile app that can compromise your phone. I would also suggest encrypting your phone and using regular best practices to ensure your device is safe.

Speaking of safe, you may choose to store your paper wallets and even hardware wallets in a safe or a safety deposit box at a bank for an added level of security.


Do you have Bitcoin or other currencies? What apps or security mechanisms do you use? Let me know in the comments.





What is PGP and how is it used?

PGP ("Pretty Good Privacy") is an encryption technology that was created by Phil Zimmermann. PGP can be used to encrypt anything from files to emails. Recently some email providers have adopted the technology as a privacy feature.

PGP logo


PGP works on all operating systems and functions similarly to PKI: the user makes their public key available to the public, and when someone wants to send them an encrypted message they encrypt the file with that public key. The receiver, who has the private key, is able to decrypt the message or file. The receiver needs to take care to store the private key in a safe place, just as you would the private key of an SSL certificate.

Around the web there are key servers that you can submit your public PGP key to, and other users can look up your key.

One of these servers, for example, is launchpad.net.

This server is operated by Ubuntu and acts as a directory for GPG keys. Now, you don't even have to reveal your public key to everyone; it can be revealed to just the people you know. The key servers do make it easier to find the key, though. Again, you will only be revealing your public key; an attacker would take a huge amount of time to crack your keys without the private key, and PGP can go up to 4096-bit encryption!

I personally use PGP, and the process to get a key is pretty simple. However, the use of PGP can be a bit of a pain in the neck for non-tech-savvy users, so there are some plugins for Chrome that you can use to make it easier until PGP gets a bit more user-friendly for everyone.

Below I will show you the process of creating a PGP key on an Ubuntu-based computer using the terminal; there are also graphical ways you can do this. I will also show you the GUI method using the Mailvelope plugin for Chrome.


Linux command line method

gpg --gen-key   << This tells GnuPG to generate a key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/sean/.gnupg' created
gpg: new configuration file `/home/sean/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/sean/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/sean/.gnupg/secring.gpg' created
gpg: keyring `/home/sean/.gnupg/pubring.gpg' created

In this step, GnuPG will ask you what algorithm you want to use to create the key. RSA is the default and a good choice.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1

As I said above, PGP supports up to 4096-bit encryption. Make sure to check the laws in your country on encryption.

RSA keys may be between 1024 and 4096 bits long.
What keys do you want? (2048)
Requested keysize is 2048 bits


You can set a key expiry below:

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <[email protected]>"


Enter your personal details below along with a strong passphrase:

Real name: bob smith
Email address: [email protected]
Comment: 123
You selected this USER-ID:
"bob smith (123) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 136 more bytes)

Now the last step can be a bit tricky if you are not doing this on a desktop computer, or if you are doing this on a virtual machine. I recently posted about entropy and the issue virtual machines have with not having enough randomness; the above is an example of that. This PC is a virtual machine, and when I am generating a large key there is not enough entropy, so you may need to run some commands, move the mouse, type on the keyboard etc. to generate the randomness.

After this step is complete you will receive your key ID, something like this: ED87xxxxx

Once that is done you can upload your newly generated key to the Ubuntu key server as follows:

gpg --keyserver keyserver.ubuntu.com --send-keys ED87xxxxx

You will need to create a Launchpad account on Ubuntu to see your profile and confirm your key. You will receive an encrypted email from Launchpad; you will need to decrypt it and follow the link that is sent to you.

If you want to decrypt a message you can copy and paste it into a file and use gpg --decrypt message.txt.gpg to decrypt it. As your private key is stored locally, the computer has what it needs to decrypt it.
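The interactive session above can also be scripted. As an added example (not from the original post), the shell script below makes the same choices (RSA and RSA, 2048 bits, no expiry, a bob smith user ID) through GnuPG's batch parameter file, then encrypts and decrypts a constructed message in a throwaway GNUPGHOME to prove the key works before it is sent to a keyserver. It assumes GnuPG 2.1 or later on PATH; the e-mail address bob@example.invalid is constructed.

```shell
#!/bin/sh
# Unattended version of the walkthrough's key generation (RSA and RSA, 2048
# bits, no expiry) driven by a GnuPG 2.1+ batch parameter file, followed by
# an encrypt/decrypt round trip in a temporary GNUPGHOME.  The real keyring
# under ~/.gnupg is never touched.
set -eu

# gen_params NAME EMAIL COMMENT: print the batch parameter file gpg expects.
# %no-protection suits a disposable test key only; for a real key drop that
# line so gpg prompts for the strong passphrase the walkthrough asks for.
gen_params() {
    cat <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $1
Name-Email: $2
Name-Comment: $3
Expire-Date: 0
%no-protection
%commit
EOF
}

# round_trip: generate the key in a temporary home, encrypt a constructed
# message to its fingerprint, decrypt it with the matching private key and
# print the plaintext.  Needs gpg on PATH.
round_trip() {
    home=$(mktemp -d) && chmod 700 "$home"
    export GNUPGHOME="$home"
    gen_params 'bob smith' 'bob@example.invalid' '123' |
        gpg --batch --quiet --gen-key 2>/dev/null
    # fpr record, field 10 of the colon-separated listing, is the fingerprint
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}')
    printf 'hello' |
        gpg --batch --quiet --trust-model always --recipient "$fpr" --encrypt |
        gpg --batch --quiet --decrypt 2>/dev/null
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
}

main() {
    if command -v gpg >/dev/null 2>&1; then
        printf 'decrypted: %s\n' "$(round_trip)"
    else
        echo 'gpg not found; the parameter file would be:' >&2
        gen_params 'bob smith' 'bob@example.invalid' '123'
    fi
}
main
```

Once a real key generated this way decrypts your own test message, the --send-keys step above publishes only the public half; the private key stays in GNUPGHOME.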

Here is the GUI method using Mailvelope for Chrome.


Install the Mailvelope plugin in your Chrome browser following the instructions here.

Once installed, click Options.

mailvelope screen


Then click Generate keys.

mailvelope screen

Fill out the required info, similar to how we did it in the command line method.

mailvelope screen


Once complete you will see the output below.

mailvelope screen


Now you have created your PGP key. I will say that there are some opinions on using such a plugin to generate a key, as some feel there is no way to guarantee that the plugin itself is not recording plaintext info and sending it to its creator.

I personally don't use this GUI method to generate my keys; I use the command line method. So choose the option that suits you best.

There are also Android apps that you can use to store your keys and use them.

I believe PGP has some way to go to be completely user-friendly, but I believe that PGP is a step in the proper direction. Although it has been around for a long while, it has only recently really begun to shine thanks to adoption from the likes of Google.

If you are looking for my PGP public key to send me secure messages or files, you can find it on the About Me page of my site!


A blog for helping users and professionals with their security questions and challenges!