Rather useful E-Book

Those of you readers who occasionaly do pentests, vulnerability checks or network analyses might be interested in this E-Book. Unlike most other free ebooks there is no advertising stuff and not the 101th description of nmap-switches, but a bunch of (imho) genuine and up to date information about few not so well known tools and methods. 316 colored Sites packed with information. Definitely a recommendation.

http://inverse.com.ng/sadv/Security_Analysis_and_Data_Visualization.pdf

tom

My hotmail-account is hacked. And now?

You're lost.

Not really. Microsoft set up a form to regain access to your inbox. I just tried to find it - took me (and I consider myself to be a routined google-hacker) about 5 minutes to find.

I doubt that a normal user would find it (btw: it's here: https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1).

Now I'm curios what yahoo did to enable users to reclaim their inbox. Any hints or links? - Post a comment if you can help.

tom

slashdotted

due to massive media-echo on our check of compromised accounts serversniff is currently almost non-avaiable. slashdotted. twittered. heised. media-ddos. bear with us, times will get better and serversniff will be respond again when the massive load (traffic is currently >100 times over average) will decrease.

tom

Check for compromised account

I hacked a quick check together to check a mailaccount if it is compromised. All you have to enter is the first part of the mailadress - no password, no complete mailadress.

http://beta.serversniff.de/mailaccounts

tom

Is your mailaccount compromised?

I got quite a few questions to look up peoples mailaccounts in the list of compromised accounts.

I created a lookup-interface for anybody to look up if a mailaccount belongs to the compromised accounts, i'll set this live on serversniff in a few hours.

cheers,

tom

How security-teams deal with leaking passwords

Finally: I have "The List" - I even posted where it is to find, for what I read was, that the security-teams of the major providers affected did their work properly deactivating all the affected accounts.

http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry?wa=wsignin1.0&sa=363915619

http://news.bbc.co.uk/2/hi/technology/8292928.stm

This is currently, three days after (early October 9th) NOT true. I removed the links from the previous posting, even if it is not so hard to find the lists using your favorite searchengine.

First of all, a bit of statistics:

The one BIG list is around 24.530 lines long, hosting a few double accounts. A quick check reveals (amongst many others):

• 592 gmail.com-accounts with password
• 22 googlemail.com-accounts with password
• 13.098 hotmail.com-accounts with password
• ~800 other hotmail-tld-accounts with password
• 477 msn-com-accounts with password
• 3.717 yahoo.com-accounts with password
• 971 aol.com-accounts with password
• 347 comcast.net-accounts with password
• 41 facebook-accounts with password
• 2 amazon-com accounts with password
• 6 ebay-accopunts with password

A phishing-scam is likely to be the source, lines like

Not Telling! michelle!

indicate that at least a few victims were clever enough not to enter their real mailadress.

The bad guys obviously checked the at least some of the victims inboxes and extracted facebook, amazon, ebay and bulletinboard-stuff manually to put it on the list. This is very incomplete and only done for a handful of the listed accouts.

Tonight I took some time to dig deeper, i couldn't resist to check a few accounts. I found the results quite interesting:

Google did a fine work. None of the gmail-accounts checked did work. And i checked quite a few.

Surprisingly Ebay did a fine work too. All checked ebay-accounts had either the password changed or the account locked. This looks like this:

I checked further. Major media told that microsoft did suspend or otherwise protect the affected hotmail-accounts.

This is obviously not completely true, for i found a few of the hotmail-accounts still working, funny enough many of them swedish!

Hence whats to be found in the inbox of the poor guys:

A security-warning with account-suspension from facebook.com. Good guys, too. But ugly, if the warning is sent to a Mailaccount that is also compromised.

I got really disturbed when i checked the yahoo-accounts: A huge load of them is working.

Many of these InBoxes are stuffed with password-resets, security-hints or abuse-reports from other sites: Onlineshops, Bulletin-Boards, Web20-stuff. This leads to the conclusion that the accounts are circulating and actively exploited: Not only the mails, but also all other accounts depending on these inboxes. Password-Reset-Mails get sent there...

Yahoooooo. Wakeup-Call. Any security or customer service-stuff left at your offices?

I censored the links in my earlier blogposting, for i realized that so many accounts still work.

To sum it up:

Some, even if not really affected, acted fast and complete: Ebay suspended the accounts. Facebook sent warnings. Google seems to have fixed all accounts listed.

Security-guys over at Microsoft did a rather incomplete work, while the company pretends to have blocked all of the accounts listed.

Yahoo seems to have done nothing. (Did anybody at yahoo do anything in the last 2 years??)

Compliments go to google, facebook and ebay: I admit that i don't like the whole trio, but they silently did a fine job where others failed.

Note: This data is only gathered by examining ONE of the two lists mentioned by the bbc-article.

The second list has 10.030 lines and is also still publicly available. It hosts accountnames in alphanumeric order starting with A and B (ending with blan____13@hotmail.com:an_____ey) - this leads to the suggestion that there must be more HUGE lists containg accounts with C to Z.

Tom

List of passwords for Gmail, Hotmail & co

As told in the previous posting: the passwordlists start to leak ...

~25.000 hotmail/gmail & others here: self-censored

Others here: self-censored

More locations to be found up to your imagination.

This list mentioned here will disappear at the mentioned location and pop up elsewhere. Dissapear there and pop up somewhere else. The internet won't ever forget. Welcome, you arrived in modern times.

cheers,

tom

Passwords on the Web

Somebody tried to post some 10.000 mailaccounts with passwords to pastebin.com. Bad idea, the post was truncated after ~ 10.000 lines, making the alphanumerically sorted list ending with B***.

Paul Dixon, aka Lordelph, the owner of pastebin.com (great idea for a website, btw) posted a blogentry about this here: http://blog.dixo.net/2009/10/07/pastebin-com-and-password-lists, you might get the rest of the story out of major media coverage.

While i really like the pastebin-concept i also like making fun of users contents: Doing a google-search for mailaccounts or password does reveal quite a few posts hosting passwords of different origins: There is are bulletin-boards complete userdatabase-dump, published by hacker-kids dissing other hacker-kids. There are gmail-accounts with passwords stored in scripts using the account for automatically sending emails or attachments.

I found a working facebook-account in another script.

And finally i found that google is not only indexing, but also caching the pastebin-entrys. So if you tag your pastebin-text with a lifetime of one day, or if you delete your pastebin-entry it is rather likely that searchengines have already indexed and cached your entry, thus totally subverting the TTL-concept of pastebin.

Seems like pastebin.com and its sisterprojects in other tlds (Thanks Paul for making the source available!) would be a nice place to spend the next procrastrinated afternoon.

Back to work now.

tom

Perltweak: fast and easy matching text with index()

The best tool in Perl for finding exact strings in another string (scalar) is not the match operator m//, but the much faster index() function. Use it whenever the text you are looking for is straight text. Whenever you don't need additional metanotation like "at the beginning of the string" or "any character," use index():

$index = index($T, $P); # T is the text, P is the pattern.

The returned $index is the index of the start of the first occurrence of $p in the $T. The first character of $T is at index 0. If the $P cannot be found, -1 is returned.

If you want to skip early occurrences of $P and start later in $T, use the three-argument version:

$index = index($T, $P, $start_index);

If you need to find the last occurrence of the $p, use rindex(), which begins at the end of the string and proceeds leftward.

If you do need to specify information beyond the text itself, use regular expressions.

Why do I tell you this?

Large parts of Serversniff use perl for its backend - be it the site-analyzer or the domain-database. Like most of us I never really learned perl - i was thrown right into a project using eperl and and a bulletin-board-system based on perl and had to maintain and evolve the projects code out nothing. While have used I use perl since then for more than 10 years now I still do find simple tweaks making my perl-life easier almost every week.

Thanks to O'Reilly's "Mastering Algorithms with Perl" for this one.

tom

Extracting Files from a tcpdump

I'm working as consultant, pentester and sometimes still as second-level-security guy for a rather huge company.

Occasionally I have to analyze tcp-streams, and occasionally I came to a point where i had to extract files out of huge dumps. What I found during my last research about a year ago was not really usable - i hacked together a few lines of perl to extract exactly what i wanted - this didn't deliver exact files, but was enough to help me solve a problem.

Jim Clausing, one of the more practical guys over at ISC described the same problem recently and asked the readers of the ISC-Blog for software that is able to extract files from pcap-dump. People came out with a load of promising solutions:

* NetworkMiner http://networkminer.sourceforge.ne/

* tcpxtract http://tcpxtract.sourceforge.net/)

* bro http://www.bro-ids.org/

* tcpflow http://www.circlemud.org/~jelson/software/tcpflow/

* foremost http://foremost.sourceforge.net/

* dsniff http://www.monkey.org/~dugsong/dsniff/

* Chaosreader http://chaosreader.sourceforge.net/

* pyflag http://www.pyflag.net/cgi-bin/moin.cgi

* tcptrace http://www.tcptrace.org/

* tcpick http://tcpick.sourceforge.net/

* xtract.py http://www.malforge.com/npeid/xtract.py

Not all of them might do exactly what you want - but this is defintely the best overview on pcap-file-extractors I ever came across.

Tom

Network-Cheatsheets

I'm on my way to become a friend of cheatsheets. A nice suite of network-related sheets is here: http://packetlife.net/cheatsheets/

Tom

How to find Elite-Security-People

Ever wondered where to find those real elite-security-people?

Maybe look for those who did their cissp-certification years ago: http://attrition.org/misc/ee/20050426-cissp.txt

~4.700 Names, employers, functions, addresses etc pp. of all those early CISSPs.

Real elite? - look for those who have an account at osvdb.org - especially check their id - the smaller the ID, the more 4337 they are. Get the (huge!) db here: https://www.metricscenter.net/amCharts/osvdb-metrics/raw/osvdb-csv.latest

Around 5.000 names here - but it reads like a who's who of those it-security-swamp. Also look here if you look for a human security-contact at some soft- or hardware-company - you find quite a few in those database.

Ever wondered how to find elite-security-guys, the leading edge security professionals?

You know other security-pro-listings? - Write a comment.

"The reason people search for themselves is that they're curious about what other people see when they search for their name," says Joe Kraus, Google's director of product management. (here)

Funny, those public databases.

tom

How to check a site for E-Mail authentication

Working as a pentester, i often check webshops and well-established brands. I expect them to have some kind of E-Mail-Authentication in place - be it Domain-Keys or an SPF-Record.

Not because I want to make the world a spam-free-place - I believe mail-authentication a worthwile measure against phishing-scams abusing a company-brand. I a company has mail-authentication like SPF in place, almost all spam-filters are able to and will separate legitimate company-mail and newsletters from phishing-scams, that are usually sent via untrusted ip's or without proper DKIM.

I was recently asked how to check this in a realworld-scenario. SPF is fairly easy - just get TXT and SPF-record for the domain in question. DIG is your friend, or just use serversniff's dns-report.

DKIM is more complicated: You need a realworld mail from the customer - be it a newsletter or an errormessage or anything else.

But how to verify SPF-Records and Domain-Key-Sigs?

I found it the easiest to use googlemail for this task - open an email in question, press the small arrow up right (next to the upper "reply") and select "Show Original". GMail will show you the complete Mail-Headers then, including validated SPF- and DKIM-Records. These might look like this:

SPF pass: Google verified an SPF-Record for this mail.

SPF neutral: Google can't verify an SPF-Record for this mail.

SPF pass by "best guess": There is no SPF-Record, but google was able to verify that the originating machine belongs to the originating domain.

And now for different DKIM-Headers:

I'm still not sure what google's spamfilter means with these headers, but it seems to be fairly accurate with even detecting a domain in "test-mode".

I'd be happy to hear from any other solution for verifying Mail-Authentication - write a comment or drop me a mail to tom@serversniff.net.

tom

DNS-Redirects

Nobody likes DNS-Redirects. Even IETF said recently (http://www.icann.org/en/committees/security/sac041.pdf):

The redirection and synthesizing of DNS responses by TLDs poses a clear and significant
danger to the security and stability of the domain name system. The consequences of
synthesized DNS responses range from erosion of trust relationships to the creation of
new opportunities for malicious attacks, without the ability of the affected party(ies) to mitigate these problems.

Serversniff stumbles over this shit, too. Currently the TLDs .mobi, .jobs and .asia use this - they answer every dns-request with an ip, even if a domain won't exist.

They don't dare to present a http-landing-page (like e.g. t-online.de does) - but in fact they resolve every query to an IP, misleading quite a few of serversniff's scripts. We're workin to fix this - but this takes time, for we need to fix every ip-lookup-routine.

totally useless shit.

tom

to be unique or not

Way back in 2004 I created serversniff
* to help myself managing and doing my pentests
* to help others checking their sites
* to help myself understanding stuff. cryptology, protocols etc
* to help others understanding stuff. cryptology, protocols etc

and finally, to create something unique and new.

Why should i reinvent the wheel, why invest time to offer services that others already offer for free?

I'm a bit puzzled about the occasional inquirys to "donate" sourcecode for somebody's public site. People are not ashamed to ask for ready-to-run code to implement serversniff's functions on their sites. And no, it's not just one or to mails coming in with such requests. Anyway, i still see serversniff as more or less academic, and primary educational stuff. I give out advice, concepts and snippets of code as long as the request is friendly and nice.

But still: It wouldn't come to my mind to ask anybody to donate code of his website so that i can implement it in any of my sites. I'm still eager to learn necessary stuff before i start coding php-scripts, i'm still committed to create unique services that aren't to be found anywhere else in this flavour or quality.

While serversniff's script use crappy php-code and the server itself is unstable like a one-legged stool i'd never try to release a service unless i'm convinced that it has something unique or does its job better than all other sites.

Maybe there's just somehting wrong with my mind.

tom

Serversniff on Twitter

We're implementing and fixing quite a lot on what we call "Serversniff 2.0", currently hosted on http://webwiki.de. Since it's plain to much to blog it all in detail, we decided to put the updates and fixes on a twitter-feed hosted at http://twitter.com/serversniff.

Follow there if you want to stay tuned about news and fixes concerning serversniff.

tom

Site-Analyzer: Added Page-Rank detection - http://webwiki.de/taglists/pagerank-8

Added a page-rank-detection for sites.
If a site has a page-rank, it is displayed at site-analyzer.
Page-Ranks of 5 and higher get tagged, so we'll build up a list of
sites with high-pageranks. Since the feature is brand new, there is
not really much in there right now - but you might try to list all
sites having a Google-Page-Rank of 8 here:
http://webwiki.de/taglists/pagerank-8
 
tom

New links in Site-Analyzer

I just implemented links to Symantec/Norton's SafeWeb-Analyzer
(https://safeweb.norton.com/), McAfee's SiteAdvisor
(https://www.siteadvisor.com/) and Googles SafeBrowsing
(http://google.com/safebrowsing/diagnostic?site=www.bayern.de).
 
If you're in doubt wether to trust a site you might check it first on
these sites.
 
Do you know any other relevant malware-checks?
 
Comment here or drop me a mail:
 
tom@serversniff.net

experiment: switched from http://thumbshots.com to http://shrinktheweb.com

we switched the site-image-hosting from thumbshots.com to
http://shrinktheweb.com
pictures are bigger and it seems faster. shrinktheweb.com has tighter
limits for the free version - we'll see if this is enough.
 
tom

added wp-post-ratings and wp-quotes-collection

Added support for random Wordpress-Plugins.

bugfix: fixed site-analyzer-api-output with multiple site-analyzers

i can't imagine why anybody wants to use more than one tracking-pixel....
anyway, i fixed the api-output as well.

implemented statcount.com-tracker. poc: http://webwiki.de/i/ik/ikb/www.ikbenanders.nl/htmlreport

Implemented the http://statcount.com tracking-script.
Example here: http://webwiki.de/i/ik/ikb/www.ikbenanders.nl/htmlreport
 
tom

fixed site-analyzer-bug (mutliple site-statistics)

Identified and fixed a site-analyzer bug that prevented multiple
site-statistics to be parsed when google-analytics was involved.
Multiple-Stats are working now. Example (google-analytics AND
statcount.com) here: http://webwiki.de/analyze/www.simonwakeman.com
 
Cheers,
 
tom

todo: add statcounter at site-analyzer - http://www.statcounter.com

example-site using statcounter (www.statcounter.com, my.statcounter.com):
http://www.ikbenanders.nl

Nice tools: http://www.gwebtools.com/

Nice Tools on gwebtools.com. Not really much unique stuff, and not
really "Amazing tools to increase your Network and Website
performance", but still fast and with some nice ideas.
Personally i don't like totally anonymous sites like gwebtools without
any name on it - but the author might have his/her reasons.
 
http://webwiki.de/g/gw/gwe/www.gwebtools.com/htmlreport
http://webwiki.de/b/bl/blo/blog.gwebtools.com/htmlreport
 
Be sure to check out the hosts-on-ns-function. It supports only
.com/.net, but it's using the .com/.net-zonefiles and is therefore
much more complete than Serversniffs NS-Catalog at
http://serversniff.net/nscatalog when it comes to these two tlds.
 
tom

We're getting faster

We are into tuning and speeding up Serversniff 2.0.
* The SiteReport got a new section: Other Hosts on this ip
* The DomainReport is half-optimized and now much faster
* We changed the directory-structure to waste less space and make it easier for you to see what information is already there about a host.

tom

Crypt-Functions are back

Some might have noticed: The Crypto-Functions didn't work for some time.
I'm happy to announce that most hashes and checksums are back online at our new beta-site:

 

Some checksums are still missing - bear with us, we will expand functionality there soon. Both checksums and hashes are faster, for we switched the implementation from jonelos great java-application jacksum to a binary implementation eating far less ram and cpu-power.

Currently the NIST-Competition for a new SHA3-Algorithm is in a hot phase, there are several candidates pending. We implemented two of them, SKEIN and MD6 (in fact: just one, for md6 is already withdrawn from the competition) in Serversniff's Hash Calculator and will implement the other candiates soon.

If you want to check out what an MD6 Hash looks like, check our Online Hash Calculator.

tom

Serversniff 2.0

After serveral tries: Serversniff 2.0 is on its way. As we believe it is better than Serversniff.net as we know it, we put the beta online: We will add functionality as we build it. Check it out: http://dw.serversniff.de/start