Thursday, February 03, 2011

Transfer Files and Data via DNS-Requests

Most of you might know dnstunnel. Johannes Ullrich from SANS lists a poor man's DNS file transfer using xxd, which I think is a nice idea: it works on most Unix boxes, since xxd seems to be commonly installed.
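From the defender's side, the interesting property of that trick is how visible it is: xxd emits long, purely hexadecimal labels, so the queries stand out in a resolver's log. Below is an added example (not from the post or from SANS) that scans constructed BIND-style query log lines for long hex-only leftmost labels and groups them by client and parent zone; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log sample (not real traffic). The three
# tun.example.net labels are the hex of "sample-data-chunk-01" .. "-03".
SAMPLE_LOG = """\
client 192.0.2.10#41000: query: www.example.com IN A +
client 192.0.2.10#41001: query: 73616d706c652d646174612d6368756e6b2d3031.tun.example.net IN A +
client 192.0.2.10#41002: query: 73616d706c652d646174612d6368756e6b2d3032.tun.example.net IN A +
client 192.0.2.10#41003: query: 73616d706c652d646174612d6368756e6b2d3033.tun.example.net IN A +
client 192.0.2.11#50000: query: mail.example.com IN MX +
client 192.0.2.11#50001: query: a1b2c3.cdn.example.org IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]+$")

def is_hex_carrier(qname, min_len=16):
    """True if the leftmost label looks like an xxd-style hex chunk."""
    label = qname.split(".")[0]
    # Short hex-looking labels (cache busters such as "a1b2c3") are common
    # and legitimate; only long, even-length, all-hex labels count.
    return len(label) >= min_len and len(label) % 2 == 0 and bool(HEX_LABEL_RE.match(label))

def find_hex_tunnels(log_text, min_queries=3):
    """Group hex-carrier queries by (client, parent zone); keep groups at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group("qname").split(".")
        if is_hex_carrier(m.group("qname")):
            hits[(m.group("client"), ".".join(labels[1:]))].append(labels[0])
    return {key: labels for key, labels in hits.items() if len(labels) >= min_queries}

if __name__ == "__main__":
    for (client, zone), labels in find_hex_tunnels(SAMPLE_LOG).items():
        carried = sum(len(l) // 2 for l in labels)  # two hex digits per byte
        print(f"{client} -> {zone}: {len(labels)} hex-labelled queries, ~{carried} bytes carried")
```

A single long hex label is weak evidence on its own; the volume per client and zone is what separates a transfer from a stray hostname.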

Wednesday, February 02, 2011

"How Egypt cut itself off - and how it got back" hosts a nice video derived from BGPlay showing how the Egyptian BGP routes vanished. (Sorry, lots of German text, but the video speaks for itself...)

RIPE also has some static information here:

Egypt is currently coming back onto the internet; see a video of the newly announced routes here:

The situation in Egypt and the currently proposed "Internet-Kill-Switches" throughout Europe made me think. In the days before Trumpet Winsock I used to be a FidoNet point, polling twice per day via modem. Maybe it's time to wipe the dust off the old Sportsters and see if we can remember the basics of the AT command set, and if the boxes are still working, even without a serial card with a 16550 FIFO.

I wonder if FroDo 2.02/FastEcho still run within a WinXP command shell. And if there is any local Fido node left that supports modem calls...

For those willing to try:


Why unsolicited reporting of vulnerabilities is a bad idea

Almost all young hackers come, at some point in their hacker life, to the conclusion that finding and unsolicited reporting of vulnerabilities would be a fine idea:

The owner of the website might be thankful or even hire the young hacker to check the site further or fix the vulnerabilities.

Almost everyone in the IT-Sec business I know has had this idea - and most of us learned the more or less hard way that it is in fact a bad one. Not all potential customers are nice people. And be honest: would you really hire someone who did an unsolicited hack of your infrastructure?

Some "IT-Sec-Professionals" take longer to learn their lessons - I remembered my own experiences when I read about Chris Russo and his plentyoffish hack.

In my opinion both parties made mistakes and leave a really bad impression in this case. Maybe something to learn from, regardless of which side of the net you work on?

Some of the comments over at Slashdot are worth reading.


Thursday, December 16, 2010

Passwordlists with John the Ripper

Creating Passwordlists with John the Ripper

While bringing back up to work, I had to create password lists for checking the scripts and the database. For those who don't know: John the Ripper does quite a good job creating password lists out of the blue or mangling existing lists. The --stdout parameters are somewhat tricky:

john --i --stdout

creates passwords up to the length configured in MaxLen (and MinLen) in john.conf.

john --i --stdout:2

creates passwords up to a length of 2 characters.

When it comes to working with existing password lists, you can use

john --stdout --wordlist=file.txt

to echo the plain wordlist.

To mangle the list according to john's rules, you might use

john --stdout --wordlist=file.txt --rules

With a plain john config this increases your number of passwords by a factor of approximately 7, mangling "password" into things like Password, Password1, 1password etc.
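To make visible what --rules does to a list, here is an added example: a tiny Python interpreter for a handful of john's rule commands, written for this post, not john's own code. The rule list is a constructed stand-in for john.conf, so the resulting factor (8 here) is illustrative and not the ~7 you get with the real default rules.

```python
# Tiny interpreter for a subset of John the Ripper's rule commands
# (":" no-op, "l" lowercase, "u" uppercase, "c" capitalize, "r" reverse,
# "d" duplicate, "$X" append X, "^X" prepend X). Illustrative only;
# the rule list is a constructed stand-in for john.conf, not john's real one.
DEMO_RULES = [":", "c", "u", "r", "d", "$1", "^1", "c$1"]

def apply_rule(word, rule):
    """Apply one rule string to one word, command by command."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":
            pass
        elif cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "r":
            word = word[::-1]
        elif cmd == "d":
            word += word
        elif cmd in "$^":
            i += 1  # these two commands take one character as argument
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {cmd} needs an argument")
            word = word + rule[i] if cmd == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
        i += 1
    return word

def mangle(words, rules=DEMO_RULES):
    """Run every rule over every word; distinct candidates only, in rule order."""
    seen, out = set(), []
    for rule in rules:
        for w in words:
            cand = apply_rule(w, rule)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out

if __name__ == "__main__":
    base = ["password", "secret"]
    out = mangle(base)
    print("\n".join(out))
    print(f"expansion factor: {len(out) / len(base):.1f}")
```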


Tuesday, October 20, 2009

Rather useful E-Book

Those of you readers who occasionally do pentests, vulnerability checks or network analyses might be interested in this e-book. Unlike most other free e-books there is no advertising and not the 101st description of nmap switches, but a bunch of (imho) genuine and up-to-date information about a few not so well known tools and methods. 316 colored pages packed with information. Definitely a recommendation.


Tuesday, October 13, 2009

My hotmail-account is hacked. And now?

You're lost.
Not really. Microsoft set up a form to regain access to your inbox. I just tried to find it - it took me (and I consider myself an experienced Google hacker) about 5 minutes to find.

I doubt that a normal user would find it (btw, it's here:
Now I'm curious what Yahoo did to enable users to reclaim their inbox. Any hints or links? Post a comment if you can help.



Due to the massive media echo on our check of compromised accounts, serversniff is currently almost unavailable. Slashdotted. Twittered. Heised. Media DDoS. Bear with us, times will get better and serversniff will respond again when the massive load (traffic is currently >100 times above average) decreases.


Saturday, October 10, 2009

Check for compromised account

I hacked together a quick check to see whether a mail account is compromised. All you have to enter is the first part of the mail address - no password, no complete mail address.


Friday, October 09, 2009

Is your mailaccount compromised?

I got quite a few requests to look up people's mail accounts in the list of compromised accounts.
I created a lookup interface for anybody to check whether a mail account is among the compromised accounts; I'll set this live on serversniff in a few hours.



Thursday, October 08, 2009

How security-teams deal with leaking passwords

Finally: I have "The List" - I even posted where it is to be found, for what I read was that the security teams of the major providers affected did their work properly, deactivating all the affected accounts.

This is currently, three days later (early October 9th), NOT true. I removed the links from the previous posting, even if it is not so hard to find the lists using your favorite search engine.

First of all, a bit of statistics:
The one BIG list is around 24.530 lines long, containing a few duplicate accounts. A quick check reveals (amongst many others):
  • 592 with password
  • 22 with password
  • 13.098 with password
  • ~800 other hotmail-tld-accounts with password
  • 477 msn-com-accounts with password
  • 3.717 with password
  • 971 with password
  • 347 with password
  • 41 facebook-accounts with password
  • 2 amazon-com accounts with password
  • 6 ebay-accounts with password
A phishing scam is likely to be the source; lines like
Not Telling! michelle!
indicate that at least a few victims were clever enough not to enter their real mail address.

The bad guys obviously checked at least some of the victims' inboxes and extracted Facebook, Amazon, eBay and bulletin board stuff manually to put on the list. This is very incomplete and was only done for a handful of the listed accounts.

Tonight I took some time to dig deeper; I couldn't resist checking a few accounts. I found the results quite interesting:

Google did fine work. None of the gmail accounts checked worked. And I checked quite a few.
Surprisingly eBay did fine work too. All checked eBay accounts had either the password changed or the account locked. It looks like this:

I checked further. Major media reported that Microsoft had suspended or otherwise protected the affected hotmail accounts.
This is obviously not completely true, for I found a few of the hotmail accounts still working, funnily enough many of them Swedish!
Hence what's to be found in the inbox of the poor guys:

A security warning with account suspension from Good guys, too. But it is ugly if the warning is sent to a mail account that is also compromised.

I got really disturbed when I checked the Yahoo accounts: a huge number of them is working.

Many of these inboxes are stuffed with password resets, security hints or abuse reports from other sites: online shops, bulletin boards, Web 2.0 stuff. This leads to the conclusion that the accounts are circulating and actively exploited: not only the mails, but also all other accounts depending on these inboxes. Password reset mails get sent there...

Yahoooooo. Wake-up call. Any security or customer service staff left at your offices?

I censored the links in my earlier blog posting, for I realized that so many accounts still work.

To sum it up:
Some, even if not really affected, acted fast and completely: eBay suspended the accounts. Facebook sent warnings. Google seems to have fixed all accounts listed.

The security guys over at Microsoft did rather incomplete work, while the company pretends to have blocked all of the accounts listed.

Yahoo seems to have done nothing. (Did anybody at Yahoo do anything in the last 2 years??)

Compliments go to Google, Facebook and eBay: I admit that I don't like the whole trio, but they silently did a fine job where others failed.

Note: This data was only gathered by examining ONE of the two lists mentioned in the BBC article.
The second list has 10.030 lines and is also still publicly available. It holds account names in alphanumeric order starting with A and B (ending with - this suggests that there must be more HUGE lists containing accounts from C to Z.