Well it’s times like these that I sometimes wonder if I should use twitter? Anyways here is that “naxxatoe-dict-total-new-unsorted” list of 32 gigs but instead it’s compressed. So now you only have to download like 1.2 gigs or so. Enjoy (also available from the download section).
Author: diablohorn
More wordlists…
Following all the recent hype about wordlists, here are 2 lists. One is a “sort -u” representation of the lists I mentioned in my previous post (excluding the huge 30+gig list) and some additional lists I’ve collected. The other is my list of “8 character minimum” words that I’ve composed from the previous lists. Enjoy the lists and happy cracking. You can download them on the download page. For the really curious ones, below are the names of all the files included in the “sort -u” list.
Bittorrent Downloads
Well I’ve decided to make somewhat of a download section, you can find it on the right. Since I don’t really have stable hosting(thanks to my current hoster for hosting my stuff though) I’ve decided to offer my downloads using bittorrent. I must say I’m pleasantly surprised by it. I like the benefits of distributed content and the possibility to share really large files like wordlists and virtual machines. Happy leeching.
Oh, and a huge ass wordlist can be found here: http://www.nomorecrypto.com/ I’m working on a wordlist myself with the only difference that it will only contain 8-character or more words/phrases. Not sure if I will offer it for download since it’s composed from the wordlists offered by:
- http://www.nomorecrypto.com/
- http://downloads.skullsecurity.org/
- http://www.packetstormsecurity.org/Crackers/wordlists/
- http://www.outpost9.com/files/WordLists.html
- http://www.openwall.com/passwords/wordlists/
- http://dictionary-thesaurus.com/Wordlists.html
- http://en.wikipedia.org/wiki/Wikipedia_database#Where_do_I_get…
- http://blog.sebastien.raveau.name/2009/03/cracking-passwords-with-wikipedia.html
- http://0x80.org/wordlist/
- http://www.milw0rm.com/mil-dic.php
- http://www.cryptohaze.com/exporthashes.php
So maybe I’ll just share the scripts I used to create my own wordlist instead of sharing the list itself.
Interesting Local File Inclusion method
Port scanning from different source ports
This is just some quick script I hacked up to scan TCP ports using different source ports. The aim of the script is to find badly configured firewalls that allow traffic from certain source ports. This is for instance explained in the NMAP book. I’ve done it in scapy (yeah I know, Python once again) and I still admire scapy; it’s a wonderful piece of software. Here are some nice references if you decide to write your own networking stuff in scapy:
- http://www.secdev.org/projects/scapy/doc/usage.html
- http://www.secdev.org/conf/scapy_pacsec05.pdf
- https://cs.uwindsor.ca/~rfortier/CRIPT/uploads/slides/Python_Scapy.pdf
You can find the source here.
I chose manual output analysis, which means that the script doesn’t contain any decision logic whatsoever: you will have to decide yourself, from the output, whether the firewall allows or doesn’t allow traffic from the different source ports. Example output:
Received 34 packets, got 8 answers, remaining 28 packets
srcport, dstport, flags, humanflags
20,80,18,['SYN', 'ACK']
20,443,18,['SYN', 'ACK']
53,80,18,['SYN', 'ACK']
53,443,18,['SYN', 'ACK']
67,80,18,['SYN', 'ACK']
67,443,18,['SYN', 'ACK']
88,80,18,['SYN', 'ACK']
88,443,18,['SYN', 'ACK']
Hope it’s also useful for someone out there.
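Since the scanner leaves the analysis to the reader, here is an added example (my own code, not the script from the post) that does the decision step for you when auditing your own firewall: it decodes the numeric flags field (18 is SYN+ACK in scapy’s bit layout) and groups SYN/ACK replies by source port, so a source port that reaches services while another probed source port reaches nothing stands out as a likely source-port based allow rule. The CSV layout is assumed from the sample output above; the sample lines below are constructed, and the extra probe from source port 40000 that got no answer is made up to show the asymmetry.

```python
# Added example, not part of the original post: decode the scanner's output and
# flag source ports that the firewall treats differently.
from collections import defaultdict

# TCP flag bits in the order scapy uses for the numeric "flags" field:
# FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20, ECE=0x40, CWR=0x80
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

# Constructed sample in the scanner's format; the 40000 probe is assumed and
# simply never shows up in the answered rows.
SAMPLE_OUTPUT = """Received 34 packets, got 8 answers, remaining 28 packets
srcport, dstport, flags, humanflags
20,80,18,['SYN', 'ACK']
20,443,18,['SYN', 'ACK']
53,80,18,['SYN', 'ACK']
53,443,18,['SYN', 'ACK']
67,80,18,['SYN', 'ACK']
67,443,18,['SYN', 'ACK']
88,80,18,['SYN', 'ACK']
88,443,18,['SYN', 'ACK']
"""

# Source ports the (hypothetical) scan run was started with.
PROBED_SRC_PORTS = [20, 53, 67, 88, 40000]


def decode_flags(value):
    """Return the flag names set in a numeric TCP flags field, e.g. 18 -> ['SYN', 'ACK']."""
    return [name for bit, name in enumerate(TCP_FLAG_NAMES) if value & (1 << bit)]


def parse_scan_output(text):
    """Parse 'srcport,dstport,flags,...' rows; the summary and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) < 3:
            continue
        try:
            src, dst, flags = int(parts[0]), int(parts[1]), int(parts[2])
        except ValueError:
            continue  # "Received ..." summary or the column header
        rows.append((src, dst, flags))
    return rows


def summarise(rows, probed_src_ports):
    """Map every probed source port to the destination ports that answered SYN/ACK.

    A source port that was probed but never answered keeps an empty set, which is
    exactly the information the asymmetry check below needs.
    """
    reached = defaultdict(set)
    for p in probed_src_ports:
        reached[p]  # register the probe even if nothing came back
    for src, dst, flags in rows:
        names = decode_flags(flags)
        if "SYN" in names and "ACK" in names and "RST" not in names:
            reached[src].add(dst)
    return dict(reached)


def suspicious_source_ports(summary):
    """Source ports that reached services while at least one other probed port reached nothing.

    If every probed source port got the same answers there is no source-port based
    rule to report, so the result is empty in that case.
    """
    answered = sorted(p for p, dsts in summary.items() if dsts)
    silent = [p for p, dsts in summary.items() if not dsts]
    return answered if silent else []


if __name__ == "__main__":
    summary = summarise(parse_scan_output(SAMPLE_OUTPUT), PROBED_SRC_PORTS)
    for src in sorted(summary):
        print(f"source port {src:5d} -> {sorted(summary[src]) or 'no SYN/ACK'}")
    print("source ports with special treatment:", suspicious_source_ports(summary))
```

Feed it the scanner’s stdout and the list of source ports you started the run with; if the returned list is non-empty, the firewall is letting those source ports through to hosts it otherwise blocks, which is the misconfiguration the post is looking for.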
Bootloader Development Environment
So I took on a new challenge: understanding how to develop your own Master Boot Record (MBR). So how do you start to develop your own bootloader? The first answer that came to mind was the setup of a development environment. No development environment, no bootloader. Actually that’s my thought on every new coding project I undertake. In this blog post I’m going to explain the steps I went through and why I finally chose a rather basic development environment. Anyways let’s get started.
p.s. Happy New Year
p.s.2. HACK THE PLANET!!!
The helping hand of URL shortening services
We all know that URL shortening services are a great aid when you want to shorten a URL. What I did not realize is that they can fill up one of the many gaps when performing a search for something (someone) on the internet. Usually you exhaust all the usual places like web, ftp, usenet, torrent, twitter, ftp search engines. But there is a whole (maybe not that big) world out there of short URL messaging. A good example is bit.ly: this URL shortening service even has statistics about short URLs, and every time you shorten a URL it is shortened to the same short URL (based on parameters, maybe time, unknown to me at this moment). Now that does make things easier when using them to track something (someone) down. For example:
http://www.google.com = http://bit.ly/14d7yE
So you can use the short URL to perform more investigations about web pages mentioning it or tweets using it. If you want to see bit.ly’s own history about the URL you can just hit their history link; for google.com that is:
The statistics page also seems to uncover different short URLs for the same domain, which you can then use in your search. For example:
http://bit.ly/4d3xjX and http://bit.ly/676wYo both point to the NSA.
Now that sure does make things easy to continue searching; it will at least contribute to your search results by making it possible to find things (people) you would otherwise possibly have missed.
For all the people hating short URLs, you could always use www.longurl.org to verify you are not being scammed ;)
and another google password dork
Just when you think that all possible google password dorks have been found and documented. For the ones still not familiar with the google hacking database (just click it) :)
I just stumbled upon this new dork to find passwords (and all other kinds of interesting network related data); just enter the following into google:
ext:pcap password
Example of the stuff you can find (I have censored the sensitive information using ***):
+OK Hello there.
AUTH
-ERR Invalid command.
USER ***
+OK Password required.
PASS ***
+OK logged in.
STAT
+OK 0 0
QUIT
+OK Bye-bye.
This was just a quick post… cause I honestly didn’t think people would STILL let google index their sensitive stuff.
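The captured POP3 session above is the kind of thing that ends up indexed because someone shares a capture without scrubbing it. As an added example (my own code, not anything from the post), here is a small redactor you can run over the decoded command stream of a capture before publishing it: it masks the arguments of POP3/FTP USER and PASS commands and the payload of a SASL AUTH PLAIN command, and reports how many credentials it found, so a non-zero count can also serve as a pre-publish check. The session lines are constructed to match the shape of the transcript above, with made-up credentials.

```python
# Added example, not part of the original post: scrub cleartext credentials from
# a decoded POP3/FTP command stream before a capture is shared or indexed.
import re

# "USER alice" / "PASS hunter2" as used by POP3 and FTP, case-insensitive.
USERPASS_RE = re.compile(r"^(USER|PASS)\s+(\S.*)$", re.IGNORECASE)
# SASL "AUTH PLAIN <base64>" where the blob holds authzid\0authcid\0password.
AUTH_PLAIN_RE = re.compile(r"^AUTH\s+PLAIN\s+(\S+)$", re.IGNORECASE)

# Constructed sample session; the user name and password are invented.
SAMPLE_SESSION = [
    "+OK Hello there.",
    "AUTH",
    "-ERR Invalid command.",
    "USER alice",
    "+OK Password required.",
    "PASS hunter2",
    "+OK logged in.",
    "STAT",
    "+OK 0 0",
    "QUIT",
    "+OK Bye-bye.",
]


def find_credential_lines(lines):
    """Indices of lines that carry a credential (USER/PASS argument or AUTH PLAIN blob)."""
    hits = []
    for i, line in enumerate(lines):
        stripped = line.strip()
        if USERPASS_RE.match(stripped) or AUTH_PLAIN_RE.match(stripped):
            hits.append(i)
    return hits


def redact_session(lines, mask="***"):
    """Return (redacted_lines, credential_count).

    Server replies and commands without secrets are passed through untouched; a
    bare "AUTH" with no mechanism (as in the sample) carries nothing to redact.
    """
    out, count = [], 0
    for line in lines:
        stripped = line.strip()
        m = USERPASS_RE.match(stripped)
        if m:
            out.append(f"{m.group(1).upper()} {mask}")
            count += 1
            continue
        m = AUTH_PLAIN_RE.match(stripped)
        if m:
            # The whole base64 blob goes: it contains user name and password together.
            out.append(f"AUTH PLAIN {mask}")
            count += 1
            continue
        out.append(line)
    return out, count


if __name__ == "__main__":
    scrubbed, n = redact_session(SAMPLE_SESSION)
    print(f"redacted {n} credential line(s)")
    print("\n".join(scrubbed))
```

The redactor works on text lines, so for a real capture you first extract the TCP stream (for example with tshark’s follow-stream output) and run this over the result; the capture file itself should be regenerated or simply not published, since the masked transcript is what you share.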
MySQL UDF Shells
Nostalgic feelings all over the place. Just found this baby :) ugly code but when I needed it it sure did its job. I even seem to have implemented some kind of rudimentary “social engineering”. When the wrong password is supplied to the bind shell it will respond with “FTP ACCESS DENIED”. Intention was to have people think it was some kind of FTP daemon, so if they attempted a brute force it would be wrong from the beginning.
The command execution shell
The bind shell
The reverse shell
Stealing stuff from vmdk files
Well that’s been a while. I almost forgot my WordPress password. My last post wasn’t really informative so I thought let me just post one of the projects I’m currently working on. It’s far from finished and I doubt if I’ll release it once it’s finished. So for the time being I’ll only share my alpha POC which should be enough to build upon.
Have you ever had the need to get stuff off vmdk files without using any of the visual VMWARE products? Well I have!! Now luckily VMWARE also has detected that there are a lot of people with that need and they have released an excellent API, the Virtual Disk Development Kit 1.1. Now that stuff is sexy, quote from its website:
The Virtual Disk Development Kit (VDDK) is a collection of C libraries, code samples, utilities, and documentation to help you create or access VMware virtual disk storage. The kit includes:
- The Virtual Disk and Disk Mount libraries, a set of C function calls to manipulate virtual disk files.
- C++ code samples that you can build with either Visual Studio or the GNU C compiler.
- The Disk Mount utility to access files and file systems in offline virtual disks on Windows or Linux guest virtual machines.
- Documentation about the VDDK libraries and the command-line utilities.
- The Virtual Disk Manager utility to manipulate offline virtual disk on Windows or Linux (clone, create, relocate, rename, grow, shrink, or defragment).
I assume that after reading the above you’ll also agree that the possibilities are endless. Now let’s get cooking.
still alive
just busy… or on a more detailed note:
– real life hogging my online time
Hope to post some interesting stuff soon :)
The Dirty SQL Tricks
Another old paper :)
Web Request Maker
Another old tool :)
Process Memory Dumper
Another old tool :)
Copy File Time
Another old tool.