The helping hand of URL shortening services

We all know that URL shortening services are a great aid when you want to shorten a URL. What I did not realize is that they can fill up one of the many gaps when performing a search for something(someone) on the internet. Usually you exhaust all the usual places like web, ftp,usenet, torrent, twitter,ftp search engines. But there is a whole(maybe not that big) world out there of short URL messaging. A good example is bit.ly this URL shortening service even has statistics about short URLs and every time you shorten a URL it is shortened to the same short URL(based on parameters, maybe time, unknown to me at this moment), now that does make things easier when using them to track something(someone) down. For example:

www.google.com = http://bit.ly/14d7yE

So you can use the short URL to perform more investigations about web pages mentioning it or tweets using it. If you want to see bit.ly own history about the URL you can just hit their history link, for google.com that is:

http://bit.ly/info/14d7yE

The statistics page also seems to uncover different short URL’s for the same domain which you can then use in your search. For example:

http://bit.ly/4d3xjX and http://bit.ly/676wYo both point to the NSA.

Now that sure does make things easy to continue searching, it will at least contribute to your search results by making it possible to find things(people) you would have otherwise possibly missed.

For all the people hating short URLs, you could always use www.longurl.org to verify you are not being scammed

and another google password dork

Just when you think that all possible google password dorks have been found and documented. For the ones still not familiar with the google hacking database (just click it)

I just stumbled upon this new dork to find passwords(and all other kind of interesting network related data(just enter the following into google):

ext:pcap password

example stuff you can find(I have censored the sensitive information using ***):

+OK Hello there.

AUTH

-ERR Invalid command.

USER ***

+OK Password required.

PASS ***

+OK logged in.

STAT

+OK 0 0

QUIT

+OK Bye-bye.

This was just a quick post…cause I honestly didn’t think people would STILL let google index their sensitive stuff.

MySQL UDF Shells

Nostalgic feelings all over the place. Just found this baby ugly code but when I needed it it sure did it’s job. I even seem to have implemented some kind of rudimentary “social engineering’. When the wrong password is supplied to the bind shell it will respond with “FTP ACCESS DENIED”. Intention was to have people think it was some kind of FTP daemon, so if they attempted a brute force it would be wrong from the beginning.

The command execution shell

http://pastebin.com/f22735864

The bind shell

http://pastebin.com/f611f0ba2

The reverse shell

http://pastebin.com/f5e167b65

Stealing stuff from vmdk files

Well that’s been a while. I almost forgot my WordPress password. My last post wasn’t really informative so I thought let me just post one of the projects I’m currently working on. It’s far from finished and I doubt if I’ll release it once it’s finished. So for the moment being I’ll only share my alpha POC which should be enough to build upon.

Have you ever had the need to get stuff of vmdk files without using any of the visual VMWARE products? Well I have!! Now luckily VMWARE also has detected that there are a lot of people with that need and they have released an excellent API the Virtual Disk Development Kit 1.1. Now that stuff is sexy, quote from it’s website:

The Virtual Disk Development Kit (VDDK) is a collection of C libraries, code samples, utilities, and documentation to help you create or access VMware virtual disk storage. The kit includes:

• The Virtual Disk and Disk Mount libraries, a set of C function calls to manipulate virtual disk files.
• C++ code samples that you can build with either Visual Studio or the GNU C compiler.
• The Disk Mount utility to access files and file systems in offline virtual disks on Windows or Linux guest virtual machines.
• Documentation about the VDDK libraries and the command-line utilities.
• The Virtual Disk Manager utility to manipulate offline virtual disk on Windows or Linux (clone, create, relocate, rename, grow, shrink, or defragment).

I assume that after reading the above you’ll also agree that the possibilities are endless. Now let’s get cooking.

Read more »

still alive

just busy… or on a more detailed note:

- real life hogging my online time

Hope to post some interesting stuff soon

The Dirty SQL Tricks

Another old paper

DOWNLOAD

Web Request Maker

Another old tool

DOWNLOAD.

Process Memory Dumper

Another old tool

DOWNLOAD

Copy File Time

Another old tool.

DOWNLOAD

Corruption & Security

This time it’s actually an afternoon thought. So let’s say you will be traveling from one country to another and you have stored your truecrypt container on a remote site. There is a chance someone might steel it and try to brute force it. Usually if you are paranoid enough a brute force on a truecrypt container is well…useless. Because you are THAT paranoid you actually also want to make sure that a brute force on your container really is futile. So how about corrupting the container in a controlled way? Check out the file format specifications: http://www.truecrypt.org/docs/?s=volume-format-specification.

A good option would be to change the 4bytes of the encrypted TRUE string to some random bytes. Make sure u have a backup of the original bytes(preferably memorized). This should prevent the successful decryption of the container even if someone has the correct password.

It’s security by obscurity but hey…you can never have enough layers of security. Another interesting idea is to modify the truecrypt source/binary on your hard disk to use the string FOUR instead of TRUE for the whole decryption verification. So unless they also steel your modified version of the truecrypt binary they will not be able to open it.

Just to make sure…the above ideas are only an ADDITIONAL security layer and it CAN be broken if detected by an adversary. I just thought it would be fun to have an additional layer of security on my truecrypt containers.

Workable Deniability

So you have just finished installing the hidden operating system offered by TrueCrypt. You are however stuck with the following problem…you need frequent access to the hidden operating system…which means that you won’t be using the decoy system that much. According to the guidelines offered by TrueCrypt this means that your plausible deniability is a little bit less plausible. How about fixing this? What if you could “work” at the same time in both operating systems?

So there I was thinking I could write a blog posting with screenshots and a extended howto. Unfortunatly I am not able to perform the idea on my computer and I got no spare computer left. So I’m just going to put it out there and maybe someone feels like implementing it and letting me know how well it works.

The whole thing is rather simple, it actually fits in a sentence:

Run your decoy OS inside your hidden OS with the help of virtualization techniques.

Like stated before the claim is simple. It’s a shame I got no spare computer around atm to test it out. In theorie it should work fine. Only thing that worries me is the possible evidence that a virtualization application might leave on the booted decoy system, I’m thinking there is none…but I haven’t been able to test this.

So just to be clear this is NOT an idea to go against the TrueCrypt Security Precautions, it’s just another method to be able to spend more time in a hidden operating system without having to worry that it could be compromised because of forensics on your decoy os. This way all the timestamps and the temp files will be kept up to date in your decoy os while you are working in your hidden os.

To take it one step further…you could even write a few scripts to startup your email, mark them as read at varieng intervals and surf around on the web. If they ask you why you have script to automate things inside your decoy os, you can just answer with a simple answer: I’m lazy.

If I get a spare computer anytime soon I’ll be sure to let you know how this method works out.

Abuse legitimate code for backdoor purposes

So once in a while you hear about some backdoor which was slipped into some source code. Mostly in C applications…so I was thinking how would this be done in Java? Most of the times the backdoors you hear about are very nasty and difficult to track down “bugs” in the source code like buffer overflows, race conditions and the likes. Since Java doesn’t really have buffer overflows(I’m ignoring faulty VM implementations for the moment) I was wondering what an other *hopefully* good way would be to introduce bugs you can exploit?

Read more »

Google sub domain indexer

Actually I called it GDNS but well…that would be to cryptic as a blog item title. This is also from the KD-Team archives. Enjoy. All it does is *TRY* and find all sub domains for a given domain with the use of google.

http://pastebin.com/f720c4036

SniffDoor

Some sources from the old KD-Team website. This time it’s a connect back shell which gets activated when a certain keyword is seen in passing traffic. The advantage of this, is that you can activate your shell without raising to much suspicion. One thing though…it’s buggy. I made this back in the day and never bothered to fix some things. AFAIK it works under windows XP SP2 if it doesn’t well…try and fix it. I haven’t tested it since a long while.

here

Bit more efficient brute forcing

Or like most people will call it “just another mod_negotiation script”. Well yeah that’s true. I still think it has it’s added value during a brute force if it’s available. I’m not going to waste any space on explaining what the whole mod_negotiation thing is, because there are a number of excellent resources out there:

• http://www.wisec.it/sectou.php?id=4698ebdc59d15
• http://appseclive.org/content/grudge-match-apaches-modnegotiation-vs-modspeling
• http://www.bonsai-sec.com/blog/index.php/exploiting-http-content-negotiation/
• http://voodoo-labs.org/blog/index.php?!=10
• https://kinqpinz.info/lib/2009/jul/#a79e8b99

For the ones that are just curious how this boils down to source you can of course read the source of the module and some documentation about it, which is available over here:

• https://svn.apache.org/repos/asf/httpd/httpd/tags/2.0.3/modules/mappers/mod_negotiation.c
• http://httpd.apache.org/docs/1.3/mod/mod_negotiation.html

So why did I write “yet another” script for this? Well first because I wanted to keep learning and practicing python. Also because I wanted my brute force attacks to be a little bit more efficient. So with this script instead of trying to guess the entire name(including the extension) of the file, I just guess the name and mod_negotiation will do the rest for me(read the links I provide, because it only works for mime types that are known to apache). So with a bit of luck you need less requests to find more files. For the ones working with w3af, it already has support for mod_negotiation testing.

The way to use this script would be to combine it with the excellent tool DirBuster. Just have DirBuster do a recursive directory brute force. Then take those results and feed them to my script with a decent file name list. This script is kind of an alpha version, just something I quickly whipped up.

[*] DiabloHorn http://diablohorn.wordpress.com
[*] Mod Negotiate File Brute Force
[*] mfbrute.py -t <target> -d <dir list> -f <file list>
[*] -t target to scan
[*] -d directories which will be scanned
[*] -f files which will be scanned
[*] -v verbose
[*] -h this help

You can get the src from here.