Hi. đź‘‹

My name is Naz Markuta and I work in cyber security. This website serves as a personal blog where I share my experiences and occasional guides in various topics (mostly in IT). I’ve tried to keep this blog clean and purely content focused.

Hacking Amazon's eero 6 (part 1)

This is the first in the series of hacking Amazon’s eero 6 (3rd generation) Wi-Fi device. In this post I will be focusing on device disassembly, identifying pins, brute forcing JTAG, and reading serial output. About Eero is a San Francisco-based wireless Internet company founded in 2015. It is known for making household consumer Wi-Fi products. The company was acquired by Amazon in 2019 for $97 million. Device Specification eero 6 (3rd gen 2020) device specification....

15 June, 2023 Â· 25 min Â· Naz Markuta

How to block .zip domains with pfSense

A short guide on how to block the entire .zip TLD using pfSense. In particular using a package called pfBlocker-NG, which can be thought of as a “PiHole” alternative. pfBlocker-NG is capable of much much more but won’t be covered in this blog. Why is .zip TLD a problem? It’s simple really, Phishing. Whether it’s abusing a HTTP URI scheme or using special unicode characters, having a .zip TLD which has always been attributed to the compression file extension is just a bad idea....

25 May, 2023 Â· 3 min Â· Naz Markuta

PayPal and Passkeys issues since launch

PayPal’s Help Center - Technical Support post shows how Passkeys work on its platform and how users can add new security devices, this covers both iOS and Android but also desktop systems too. It also goes into more detail on what to do when you’ve lost your device, and much more. TL;DR: As of 26th May 2023, PayPal only supports external security “Passkeys” keys (such as Yubikeys) for two-factor authentication. Passkeys on mobile devices like iOS or Android still do NOT work, even though you can register one....

25 May, 2023 Â· 3 min Â· Naz Markuta

Getting root on an Android 12 emulated device with Google Services

This is a short blog post on how you can get root access on a Android 12 emulated device with Google services, using a tool (script) called rootAVD by newbit1. I also share a few recommendations which are helpful during mobile analysis. Android Studio For mobile analysis I generally use my Google Pixel 3a device. However, sometimes I will try to avoid it if I can, especially when I’m only curious about an app’s network traffic or API endpoints....

15 April, 2023 Â· 2 min Â· Naz Markuta

Cracking encrypted Lastpass vaults

In this post I will go into technical details on what attackers could do with the stolen encrypted vaults, specifically how they could use tools like Hashcat to crack vault passwords and get access to sensitive log-in credentials. To simulate the stolen data, I will use my test Lastpass account to extract an encrypted vault from the Chrome Browser extension on macOS. Following this, I will use a wordlist attack to bruteforce the vault which has a weak and guessiable password....

23 December, 2022 Â· 5 min Â· Naz Markuta