.\" Man page for SING (c) Slay
.\" ==========================
.\" Author: Alfredo Andres <aandres@s21sec.com>
.\" 
.\" You may distribute under the terms of the GNU General Public
.\" License as specified in the COPYING file that comes with the
.\" SING v1.1 distribution.
.\"
.\"
.\" $Id: sing.8,v 1.21 2001/02/13 10:51:31 slay Exp $
.\"
.TH "SING" "8" "$Date: 2001/02/13 10:51:31 $" "sing v1.1"
.SH "NAME"
.B sing 
\- \fBS\fPend \fBI\fPCMP \fBN\fPasty \fBG\fParbage packets to network hosts
.SH "SYNOPSIS"
.B sing
[\fB-hVRnvqGQOBU\fP] [\fB-c\fP \fIcount\fP] [\fB-T\fP \fIwait\fP] [\fB-p\fP \fIpattern\fP]
[\fB-s\fP \fIdatasize\fP] [\fB-F\fP \fIbytes\fP] [\fB-i\fP \fIinterface\fP]
[\fB-S\fP \fIspoof\fP] [\fB-t\fP \fIttl\fP] [\fB-TOS\fP \fItos\fP] [\fB-l\fP \fIpreload\fP]
[\fB-M\fP \fIos\fP] [\fB-L\fP \fIlogfile\fP] [\fB-MAC\fP \fIhw_addr\fP] [\fB-x\fP \fIcode\fP] [\fItype\fP]  \fIhost\fP
.SH "DESCRIPTION"
.B sing
is a tool that sends ICMP packets fully customized from command line. The
main purpose is to replace the niceful \fBping\fP command with certain
enhancenments as the ability to send/read IP spoofed packets, send MAC spoofed
packets, send in addition to the ECHO REQUEST type sent by default, many other 
ICMP types as \fBEcho Reply\fP, \fBAddress Mask Request\fP, \fBTimestamp\fP, 
\fBInformation Request\fP,\fBRouter Solicitation\fP and \fBRouter Advertisement\fP.

It supports also the following ICMP error types: \fBRedirect\fP, \fBSource Quench\fP,
\fBTime Exceeded\fP, \fBDestination Unreachable\fP and \fBParameter Problem\fP.

It can do a little fingerprinting, see the \fBFINGERPRINTING TECHNIQUES\fP section
to read more details about.

It can emulate certain OOSS sending \fBEcho Request\fP or \fBEcho Reply\fP
packets. See the \fBMIMIC TECHNIQUES\fP section for a more accurate
information.

The host destination can also be specified as a list of gateways (including
destination) breaked by the '\fB%\fP' symbol meaning the use of a \fBStrict Source Routing IP Option\fP
(v.g. router1\fB%\fProuter2\fB%\fProuter3\fB%\fPhost) or the '\fB@\fP' symbol meaning the use of a \fBLoose
Source Routing IP Option\fP (v.g. router1\fB@\fProuter2\fB@\fProuter3\fB@\fPhost).

A long number of examples is given at the \fBEXAMPLES\fP section of this page that shows a real 
use of this program.
.SH "MOST COMMON OPTIONS"
.IP "\fB\-h\fP, \fB--help\fP"
Help screen.
.IP "\fB\-V\fP, \fB--Version\fP"
Program version.
.IP "\fB\-v\fP"
Verbose mode.
.IP "\fB\-B\fP"
Send a \fBB\fPad ICMP Checksum on Information types.
.IP "\fB\-c\fP \fIcount\fP"
Stop after sending (and receiving) \fIcount\fP packets. Information
types only.
.IP "\fB\-F\fP \fIbytes\fP"
Fragment the entire ICMP packet with \fIbytes\fP size by fragment. Not used
on Solaris systems.
.IP "\fB\-G\fP"
Set the IP header Don't Fragment flag. Not used on Solaris systems.
.IP "\fB\-i\fP \fIinterface\fP"
Interface (name or IP address) where listen on for replies.
.IP "\fB\-l\fP \fIpreload\fP"
If \fIpreload\fP is specified, \fBsing\fP sends that many packets as fast as possible
before falling into its normal mode of behavior.  Only the super-user may
use this option. Information types only.
.IP "\fB\-L\fP \fIlogfile\fP"
Save the current session to the file \fIlogfile\fP. If \fIlogfile\fP exists
the data will be appended at end.
.IP "\fB\-M\fP \fIos\fP"
Do mimic of the \fIos\fP specified when sending an \fIEcho Request\fP or
\fIEcho Reply\fP. \fIos\fP can be \fIwin\fP, \fIunix\fP,  \fIlinux\fP,
\fIcisco\fP, \fIsolaris\fP or \fIshiva\fP.
.IP "\fB\-MAC\fP \fIhw_address\fP"
Do MAC spoofing using the MAC \fIhw_address\fP (maybe to surpass filtered switches). Be aware of using on an interface
with a datalink type different of Ethernet. The MAC address must be on hexadecimal
form and must be delimited by '\fB:\fP' (Example: 00:FF:AC:33:1:B). This
option made use of the libnet library to acces the network link layer. Only the
super-user can use this option.
.IP "\fB\-n\fP"
Don't use name resolution.
.IP "\fB\-O\fP"
Do fingerprinting to discover the target OS.
.IP "\fB\-p\fP \fIpattern\fP"
You may specify a \fIpattern\fP of bytes to fill out the packet you send.  This
is useful for diagnosing data-dependent problems in a network.  For example,
`-p INPACK'' will cause the sent packet to be filled with the word INPACK.
.IP "\fB\-q\fP"
Quiet output.  Nothing is displayed except the summary lines at startup time
and when finished.
.IP "\fB\-Q\fP"
Totally quiet output. Absolutly nothing is displayed. Useful to use within
shell scripts.
.IP "\fB\-R\fP"
Use Record Route IP Header Option on the ICMP packet.
.IP "\fB\-s\fP \fIbytes\fP|\fImax\fP"
Number of garbage bytes that will be sent on any ICMP packet. With \fImax\fP
the maximum possible will be sent.
.IP "\fB\-S\fP \fIaddress\fP"
IP address to be used as the source of the ICMP packet. This force the use
of the libpcap routines that puts your network interface into promiscuous mode
to be able to read the replies. Only the super-user may use this option.
.IP "\fB\-t\fP \fIttl\fP"
Set the IP Time To Live field to \fIttl\fP value.
.IP "\fB\-T\fP \fIwait\fP"
Wait \fIwait\fP seconds \fIbetween sending each packet\fP. The default is to
wait for one second between each packet.
.IP "\fB\-TOS\fP \fItos\fP"
Set the IP Type Of Service field to \fItos\fP value.
.IP "\fB\-U\fP"
Set the IP header Unused bit flag. Be aware on *BSD systems because the kernel set
to 0 the IP header flags when using the Reserved Bit so \fISING\fP must revert to promiscuous mode to be able to
read the response with libpcap. Not used on Solaris systems.
.IP "\fB\-x\fP, \fB--xcode\fP \fIcode\fP|\fInum\fP|\fImax\fP"
ICMP code to send. Code \fIcode\fP valid for Destination Unreachable (\fB-du\fP), 
Redirect (\fB-red\fP) and Time Exceeded (\fB-tx\fP) types. Numerical code can be
specified for the ICMP types that doesn't have (Echo Request, Information Request,
Address Mask Request, Router Solicitation, Router Advertisement, Source Quench, 
Parameter Problem and Timestamp). Using \fImax\fP an ICMP code greater than the
admited ones will be sent. See the \fBICMP CODES\fP section for a long list
of \fIcode\fP types.
.PP
.SH "ICMP TYPES"
The \fBtype\fP can be any of the following below: 
.IP "\fB\-echo\fP, \fB--echo_request\fP"
Echo Request. Request sent to a host to receive an echo reply.
This is the type sent by default. This ICMP type is \fBinformation\fP.
.IP "\fB\-tstamp\fP, \fB--timestamp\fP"
Timestamp. Host request to receive the time of another host. 
This ICMP type is \fBinformation\fP.
.IP "\fB\-mask\fP, \fB--mask_req\fP"
Address Mask Request. Used to find out a host network mask.
This ICMP type is \fBinformation\fP.
.IP "\fB\-info\fP, \fB--info_req\fP"
Information Request. Host request to receive an Info Reply from another host. 
This ICMP type is \fBinformation\fP.
.IP "\fB\-du\fP, \fB--dest_unreach\fP"
Destination Unreach. IP packet couldn't be given. 
This ICMP type is \fBerror\fP.
.IP "\fB\-sq\fP, \fB--src_quench\fP"
Source Quench. IP packet is not given due a net congestion.
This ICMP type is \fBerror\fP.
.IP "\fB\-red\fP, \fB--redirect\fP"
Redirect. Request to forward IP packets through another router.
This ICMP type is \fBerror\fP.
.IP "\fB\-rta\fP, \fB--router_advert\fP \fBaddress\fP[\fB/preference\fP]"
Router Advertisement. Router trasmits one or more routers with address
\fBaddress\fP and preference \fBpreference\fP.
If this is ommited, default preference 0 is given.
This ICMP type is \fBinformation\fP.
.IP "\fB\-rts\fP, \fB--router_solicit\fP"
Router Solicitation. Host requeriment for a message of one or more routers.
Like the previous, is a part of the messages exchange Router Discovery and
this ICMP type is \fBinformation\fP.
.IP "\fB\-tx\fP, \fB--time_exc\fP"
Time Exceeded. Time Exceeded for an IP packet. 
This ICMP type is \fBerror\fP.
.IP "\fB\-param\fP, \fB--param_problem\fP"
Parameter Problem. Erroneous value on a variable of IP header. 
This ICMP type is \fBerror\fP.
.IP "\fB\-reply\fP"
Echo Reply. Response to a Echo Request. This ICMP type is \fBinformation\fP.
.PP
.SH "LESS COMMON OPTIONS"
The \fBoptions\fP can be any of the following:
.IP "\fB\-lt\fP, \fB--lifetime\fP \fIsecs\fP"
Lifetime in seconds of the router announcement. Only valid with
Router Advertisement (\fB-rta\fP) type. 1800 seconds by default (30').
.IP "\fB\-gw\fP, \fB--gateway\fP \fIaddress\fP"
Route gateway address on an ICMP Redirect (\fB-red\fP).
By default will be the spoof address (\fB-S\fP), if it has been specified, 
or the outgoing IP address if it has not been specified.
.IP "\fB\-dest\fP, \fB--route_dest\fP \fIaddress\fP"
Route destination address on an ICMP Redirect (\fB-red\fP). This is a
required option when sending an ICMP Redirect.
.IP "\fB\-orig\fP, \fB--orig_host\fP \fIaddress\fP"
Original host within the IP header sent in the 64 bits data field of an ICMP \fBerror\fP.
By default will be the same as the IP of the host that sends the ICMP packet.
.IP "\fB\-psrc\fP, \fB--port_src\fP \fIport\fP"
Source port (tcp or udp) within the IP header sent in the 64 bits data field
of an ICMP \fBerror\fP. 0 by default.
.IP "\fB\-pdst\fP, \fB--port_dst\fP \fIport\fP"
Destination port (tcp or udp) within the IP header sent in the 64 bits data
field of an ICMP \fBerror\fP. 0 by default.
.IP "\fB\-prot\fP, \fB--protocol\fP \fIname\fP|\fInumber\fP"
Protocol to be used within the IP header sent in the 64 bits data field of an
ICMP \fBerror\fP. Must be a name from the \fB/etc/protocols\fP or a protocol number.
Only \fBtcp\fP,\fB udp\fP and \fBicmp\fP are fully implemented, with other protocols the
remaining of the 64 bits field are fulfilled with 0xFF. TCP by default.
.IP "\fB\-id\fP  \fIidentificator\fP"
ICMP id to be used with ICMP of Information types. Do not be confused with the \fB-ip_id\fP option!.
.IP "\fB\-seq\fP \fIsequence\fP"
Echo sequence number to be used with \fBEcho Request\fP or \fBEcho Reply\fP
types. Do not be confused with the \fB-ip_seq\fP option!.
.IP "\fB\-ip_id\fP  \fIidentificator\fP"
Echo identificator within the IP header sent in the 64 bits data field of an ICMP \fBerror\fP 
when the IP header protocol of the 64 bits data field (\fB-prot\fP) is icmp. 0
by default.
.IP "\fB\-ip_seq\fP  \fIsequence\fP"
Echo sequence number within the IP header sent in the 64 bits data field of an
ICMP \fBerror\fP when the IP header protocol of the 64 bits data field (\fB-prot\fP)
is icmp. 0 by default.
.IP "\fB\-ptr\fP, \fB--pointer\fP \fIbyte\fP"
Pointer to erroneus byte \fBbyte\fP on an ICMP packet showing a parameter problem.
Valid only on Parameter Problem type (\fB-param\fP).
.SH "ICMP CODES"
Valid \fBcodes\fP used with Destination Unreach, Redirect and Time Exceeded types are,
.IP "- Used with \fBDestination Unreach\fP type (\fB-du\fP):" 
.PP
\fBnet-unreach\fP (Net Unreachable) The destination net is unreachable.

\fBhost-unreach\fP (Host Unreachable) The destination host is unreachable.

\fBprot-unreach\fP (Protocol Unreachable) desired protocol is unreachable to destination host.

\fBport-unreach\fP (Port Unreachable) desired port is unreachable to destination host.

\fBfrag-needed\fP (Fragmentation Needed and Don't Fragment was Set) Shows that IP packet had
to be fragmented because of its size but the sender did not allowed it because
the DF (DON'T FRAGMENT) flag was set.

\fBsroute-fail\fP (Source Route Failed) could'nt follow the route indicated on IP packet.

\fBnet-unknown\fP (Destination Network Unknown) Destination network is unknown.

\fBhost-unknown\fP (Destination Host Unknown) Destination host unknown but network is.

\fBhost-isolated\fP (Source Host Isolated) Can't reach destination host.

\fBnet-ano\fP (Communication with Destination Network is Administratively
Prohibited) access network is denied through firewall or similar on receiver side.

\fBhost-ano\fP (Communication with Destination Host is Administratively
Prohibited) access host is denied through firewall or similar on receiver side.

\fBnet-unr-tos\fP (Destination Network Unreachable for Type of Service)
indicates on destination network that the Type Of Service (TOS) applied for is not allowed.

\fBhost-unr-tos\fP (Destination Host Unreachable for Type of Service) shows that destination
host is unreachable with applied TOS.

\fBcom-admin-prohib\fP (Communication Administratively Prohibited) a router can't forward a 
packet because of administrative filter.

\fBhost-precedence-viol\fP (Host Precedence Violation) IP packet precedence is not allowed.

\fBprecedence-cutoff\fP (Precedence cutoff in effect) a smaller IP packet precedence has tried to
be sent over the minimal impossed by network manager.

.IP "- To be used with \fBRedirect\fP type (\fB-red\fP):"
.PP
\fBnet\fP (Redirect Datagram for the Network) shows that destination is a network.

\fBhost\fP (Redirect Datagram for the Host) shows that destination is a host.

\fBserv-net\fP (Redirect Datagram for the Type Of Service and Network) destination is a type of service
and network.

\fBserv-host\fP (Redirect Datagram for the Type Of Service and Host) destination is a type of service
and host.
.PP
and
.IP "- to be used with \fB\Time Exceeded\fP type (\fB-tx\fP):"
.PP
\fBttl\fP (Time to Live exceeded in Transit) time is over on an IP packet header packet.

\fBfrag\fP (Fragment Reassembly Time Exceeded) could not reassembly all the IP packet fragments.


.SH "FINGERPRINTING TECHNIQUES"
With the \fB-O\fP option \fBSING\fP can use little techniques of remote OS fingerprinting.
To distinguish between Window$ boxes and the rest of the world \fBOfir
Arkin\fP has discovered a simple method: Sending an ICMP code that is not
0 within an ICMP Echo Request, a Window$ box respond with a 0 code while
the rest of the boxes would leave the code field unchanged. See the \fBSEE ALSO\fP section.

With Solaris systems \fBSING\fP use a method discovered by me: Sending a
fragmented Addres Mask Request any Solaris system (tested from 2.5.1 to
Solaris8 Intel & SPARC) respond with an Address Mask of 0's.
Last update!: Some people have noticed that HP-UX v11.0 respond the same
way.

See the \fBEXAMPLES\fP section for examples.


.SH "MIMIC TECHNIQUES"
With the \fB-M\fP option \fBSING\fP can try to emulate certain OS. At the
moment Window$98/Window$NT4 (\fBwin\fP value), UNIX (\fBunix\fP value),
Linux (\fBlinux\fP value), Cisco (\fBcisco\fP value), Solaris 
(\fBsolaris\fP value) or Shiva (\fBshiva\fP value) are the only accepted
values. To emulate them \fBSING\fP changes its normal behaviour about the IP
header flags, the TTL, the initial ICMP sequence number, the ICMP id and
the ICMP data that each OS send. These techniques are aplied only when
using \fBEcho Request\fP or \fBEcho Reply\fP types.


.SH "RETURN VALUES"
\fBsing\fP can be easily used within shell scripts. 
Program returns the following values to the shell:

.ti
Value  Meaning
.ti
-----  -----------
.ti
0      Received at least 1 response from destination host.
.ti
1      General Error.
.ti
2      Packet sent OK but received no response.
.ti
3      Out of memory.

.SH "EXAMPLES"
- Testing if www.solarisbox.xx is running the Solaris OS. Supposed no filter
methods:

\fBsing -mask -O  www.solarisbox.xx\fP


- Testing if www.winbox.xx is running the Window$ OS:

\fBsing -O  www.winbox.xx\fP


- Send Echos with garbage size of 32 bytes and fragments of 8 bytes to host
www.provatina.xx:

\fBsing -s\fP 32 \fB-F\fP 8 \fBwww.provatina.xx\fP


- Send Echos with data pattern IsSiNg and fragments of 8 bytes to the
host www.provatina.xx using Loose Source Routing via router1.xx and
router2.xx:

\fBsing -p\fP IsSiNg \fB-F\fP 8 \fBrouter1.xx@router2.xx@www.provatina.xx\fP


- Send an ICMP packet Timestamp to host sepultura.hell. We spoof as host
10.2.3.1:

\fBsing -tstamp -S\fP 10.2.3.1 \fBsepultura.hell\fP


- Send an ICMP packet Router Solicitation to 10.13.1.0:

\fBsing -rts \fP \fB10.13.1.0\fP


- Send an ICMP Router Advertisement to host death.es, saying that the routers
to use are: router1.xtc with preference 20, router2.xtc with preference 50
and router3.xtc with default preference (0). We spoof as fatherouter.xtc:

\fBsing -rta\fP router1.xtc/20 \fB-rta\fP router2.xtc/50
\fB-rta\fP router3.xtc \fB-S\fP fatherouter.xtc \fBdeath.es\fP 


- In response to a packet send with TCP source port 100 and destination on port 90,
we want to send and ICMP Redirect to dwdwah.xx to modify its routing table with the following
data: 10.12.12.12 as a gateway to the host death.es masking the packet source
as if it was sent from infect.comx host:
  
\fBsing -red -S\fP infect.comx \fB-gw\fP 10.12.12.12
\fB-dest\fP death.es \fB-x\fP host \fB-prot\fP tcp \fB-psrc\fP 100 \fB-pdst\fP
90 \fBdwdwah.xx\fP


- In response to an ICMP packet Echo Request sent with Echo Request id 100 and
Echo Request sequence number 90, we want to send an ICMP Redirect to the host
araya.xx to modify its routing table with the following data: the host
pizza.death as a gateway to the host death.es, masking the packet source as if
it was sent from infect.comx host. 

\fBsing -red -S\fP infect.comx \fB-gw\fP pizza.death
\fB-dest\fP death.es \fB-x\fP host \fB-prot\fP icmp
\fB-ip_id\fP 100 \fB-ip_seq\fP 90 \fBaraya.xx\fP


- We want to send an ICMP packet Destination Unreach to the host 10.2.3.4
saying that our TCP port number 20 connected with its TCP port 2100, is unreachable.
We mask ourselves as host 10.1.1.1:

\fBsing -du -S\fP 10.1.1.1 \fB-x\fP port-unreach \fB-prot\fP
tcp \fB-psrc\fP 2100 \fB-pdst\fP 20 \fB10.2.3.4\fP


- We want to send an ICMP packet Destination Unreach to host 10.2.3.4
saying that the host inferno.hell and its TCP port 69, connected with his
port TCP 666 in unreachable. We mask ourselves as gateway router.comx:

\fBsing -du -S\fP router.comx \fB-x\fP host-unreach
\fB-prot\fP tcp \fB-psrc\fP 666 \fB-pdst\fP 69 \fB-orig\fP inferno.hell
\fB10.2.3.4\fP


- We want to send a packet ICMP Source Quench to host ldg02.hell in
response to a packet destinated to host ldg00 with UDP protocol, source
port 100 and destination port 200. We mask ourselves as gateway 10.10.10.1:

\fBsing -sq -S\fP 10.10.10.1 \fB-prot\fP udp \fB-psrc\fP
100 \fB-pdst\fP 200 \fB-orig\fP ldg00 \fBldg02.hell\fP


- We want to send an ICMP packet Time Exceeded to host ldg02.hell in
response to a packet destinated to host ldg00 with UDP protocol, source 
port 100 and destination port 200. We mask as gateway ldg04.hell:

\fBsing -tx -S\fP ldg04.hell \fB-x\fP frag \fB-prot\fP
udp \fB-psrc\fP 100 \fB-pdst\fP 200 \fB-orig\fP ldg00 \fBldg02.hell\fP


- We want to send an ICMP packet Address Mask Request and wait 10 seconds
between sending each packet. We mask the packet with source address of
10.2.3.4 and we send it to the address 10.0.1.255:

\fBsing -mask -S\fP 10.2.3.4 \fB-T\fP 10 \fB10.0.1.255\fP


- We want to send an ICMP packet Information Request to host deep.hell:

\fBsing -info \fP \fBdeep.hell\fP


- We want to send an ICMP packet Echo Request to host black.hell with the data
pattern 'MyNameIsGump':

\fBsing -p\fP MyNameIsGump \fBblack.hell\fP


- We want to send ICMP packet Echo Request to 10.12.0.255 with the following data pattern:
D E A T H (blanks included). We will mask the source address as 192.168.0.255:

\fBsing -S\fP 192.168.0.255 \fB-p\fP 'D E A T H' \fB10.12.0.255\fP


- We want to send an ICMP packet Destination Unreach to host destination.death but sending it
with an ICMP code bigger to the legal ones adding also 60K of garbage data:

\fBsing -du -x\fP max \fB-s\fP 60000 \fBdestination.death\fP


- We send an ICMP Parameter Problem to host misery.es saying that the packet sent
from the host dump.xorg with udp protocol, source port 13 and destination port 53,
has an error on the IP header byte 13. We will also add all garbage bytes as possible:

\fBsing -S\fP dump.xorg \fB-param -ptr\fP 13 \fB-prot\fP
udp \fB-psrc\fP 13 \fB-pdest\fP 53 \fB-s\fP max \fBmisery.es\fP


- We want to send an ICMP packet Timestamp to host www.danz.hell with code 38
instead of code (0) as usual:

\fBsing -tstamp -x\fP 38 \fBwww.danz.hell\fP

- Same as above without code 38 and using Loose Source Routing between the routers
cisco, 10.13.1.1 and wakeup.man:

\fBsing -tstamp cisco@10.13.1.1@wakeup.man@www.danz.hell\fP

- Same as above using Strict Source Routing between the gateways:

\fBsing -tstamp cisco%10.13.1.1%wakeup.man%www.danz.hell\fP

- Using Record Route IP Option to see the route that takes to ftp.target.xx:

\fBsing -R ftp.target.xx\fP


.SH SEE ALSO
Postel, John, "Internet Control Message Protocol - DARPA Internet
Program Protocol Specification", \fBRFC 792\fP, USC/Information Sciences
Institute, September 1981.

Mogul, Jeffrey and John Postel, "Internet Standard Subnetting Procedure",
\fBRFC 950\fP, Stanford, USC/Information Sciences Institute, August 1985.

Braden, Robert, "Requeriments for Internet Hosts - Communication Layers",
\fBRFC 1122\fP, USC/Information Sciences Institute, October 1989.

Deering, Stephen, "ICMP Router Discovery Messages", \fBRFC 1256\fP, Xerox
PARC, September 1991.

Baker, Fred, "Requeriments for IP Version 4 Routers", \fBRFC 1812\fP, Cisco
Systems, June 1995.

Arkin, Ofir, "ICMP usage in scanning",
\fBhttp://www.sys-security.com/archive/papers/ICMP_Scanning.pdf\fP,
Sys-Security Group, July 2000.

The \fBLinux source code\fP, everything referent to network code and to ICMP protocol.

.SH AUTHOR
The original \fBping\fP command was written by Mike Muuss.

\fBsing\fP is original from Alfredo Andres Omella, Slay <aandres@s21sec.com>