Jonas Lieb

Yet Another Hilbert Map of the (IPv4) Internet

Sat, 25 Apr 2026 12:00:00 +0100

In this blog post I want to showcase a recent project of mine: I took IPv4 port scans gathered by Patrick Sattler et al. (Technische Universität München) and visualized it as a zoomable Hilbert map using Leaflet. Visualization of the Internet using the Hilbert curve is not a new approach, as it has been suggested and implemented by several people in the past. Nevertheless, all existing implementations that I looked at were lacking interactivity, especially the ability to zoom into subnets for closer inspection. That’s why I built https://hilbert.app.jonaslieb.de/!

TOTP Brute-Force Statistics

Mon, 09 Mar 2026 21:10:00 +0100

There is this tiny statistics problem in IT security that almost nobody talks about, yet I have seen people get it wrong many times in the past: Calculation of the success probability of brute-force attacks against TOTP two-factor authenticators.

As a reminder: TOTP tokens are defined in RFC 6238 ("TOTP: Time-Based One-Time Password Algorithm"). They usually consist of six-digit strings that change every 30 seconds. The entire sequence of tokens is derived from a secret (and the current time) in a way that makes token prediction without the secret impossible. TOTP tokens are commonly used as a second factor, in addition to a user’s password, reducing the impact of a potential password compromise.

The Curious Case of nltest and LmOwfPassword/NtOwfPassword

Mon, 25 Nov 2024 17:47:50 +0100

I recently fiddled around with Window’s built-in command nltest and noticed that nltest /user:<username>, when executed as an Administrator, yields some interesting information about the requested user:

The two fields LmOwfPassword and NtOwfPassword spiked my interest. The abbreviation “Owf” typically stands for one-way-function, which is synonymous with hash function or even hash value. If LmOwfPassword and NtOwfPassword corresponded to the user’s LM and NT hash, nltest might be another option for dumping the SAM 🤔

Working with TCP Streams in Wireshark Dissectors

Sat, 02 Nov 2024 09:33:34 +0200

In my previous posts of this series, I focused on analyzing UDP-based protocols. However, many real-life network protocols rely on TCP for reliability, ordering and error checking. Unfortunately, TCP’s stream-like nature, compared for example to UDP’s discrete datagrams, creates unique challenges for packet analysis. This post will discuss how to handle these complexities in Wireshark dissectors. I will build on Wireshark’s documentation regarding TCP desegmentation and suggest effective patterns for implementing TCP-aware dissectors in Lua.

Enhancing Wireshark Lua Dissectors with C Libraries

Fri, 13 Sep 2024 20:52:55 +0200

Another way to step up your Wireshark game is to enhance Lua dissectors with features implemented in C/C++. Lua has a wonderful C API that allows to seamlessly leverage C libraries within Lua code. I found this especially helpful when working with cryptography or compression, as Wireshark does not provide such capabilities in its Lua API. With this post I want to explain how to wrap C libraries for using them in Lua and how to use pre-packaged Lua libraries from LuaRocks.

Analyzing VPN Protocols with Wireshark

Mon, 09 Sep 2024 21:34:49 +0200

In the previous post, I demonstrated how to implement a simple VPN service in Python. In this post I’ll show how to write a plugin for the packet sniffer Wireshark in order to analyze the VPN. The post is again intended as a general template, this time for the creation of Wireshark dissectors, with a focus on tunneling protocols.

Implementing Layer-3 VPN Protocols in Python

Sun, 25 Aug 2024 15:07:00 +0200

In this post, we’ll explore a practical approach to implementing tunneling protocols in Python. Along the way, you’ll gain an understanding of key concepts such as tunneling, TUN/TAP interfaces, and packet encapsulation. This post will be the first in a multipart series, where I will also demonstrate how to analyze tunneling protocols in Wireshark.

Reverse Engineering Arduino Binaries with Ghidra

Mon, 08 Apr 2024 00:00:00 +0000

Reverse engineering binaries for embedded devices like the Arduino can provide valuable insights for security researchers, but documentation on how to do so — especially using tools like Ghidra — is surprisingly limited. This post will provide a short introduction to the architecture and serve as a starting point for the analysis. As of April 2024, Ghidra’s support for the ATmega328P (used by the Arduino Uno) is still evolving, which we’ll explore in detail.