Filtering password lists due to policies

passwordsSometimes if you’re performing a password bruteforce attack, either against local hashes or remotely against a service, you could use password lists rather than a pure bruteforce (incremental) one. People are most likely to use dictionary words, names, keyboard combinations or anything related to it. These passwords lists can be found anywhere online.

The problem sometimes happens that when you *know* the password policy, but your password list holds a lot of combinations that you know won’t work; simply passwords that are too short or don’t have a number in them or so.
For example, a service requires at least 6 characters, and have one of them being a digit; so you know that entries such as “jesus”, “satan” and “password” won’t work. Still, they are being tried.

For an audit on a company, I ran into that problem – so I wrote a quick and dirty perl script to take a large password list, and only output passwords that adhere to a certain policy. These include minimum and maximum length, as well as password complexity (has to have a digit, uppercase, …)

You can find it on my GitHub.



KeyWalking: pattern based passwords

keywalkingTL,DR; download the script here.

In security audits, when we get a password file we -even though we may have admin or root access on the target already- usually grab the password file for offline cracking, just to see if there’s any passwords that users re-use, which would give us more access to other systems.

Doing so, we sometimes find passwords such as “cft6&YGVbhu8“, which by the looks of it seem secure; they have uppercase characters, special characters and numbers. When typing them, you’ll notice that they are keyboard patterns.

For this, I was wondering if it was possible to generate a list of all/many keyboard pattern based passwords, a technique referred to as “key walking“. Some tools exist already, but are often based on predefined patterns (“qwe”, “asdf”, “1qaz”, …). I wanted to make something based on a keyboard layout, so it could be extended. This is KeyWalker; a ruby script that generates keyboard pattern based passwords.
read more »


MS15-034 online checking tool

lockA friend and colleague of mine, Bhadresh, made a quick page to check whether your IIS site is vulnerable to the MS15-034 (CVE-2015-1635), the HTTP.sys remote code execution vulnerability. Check now, and make sure you don’t fall into the hands of blackhats.

You can test it at: http://sys.flurk.org/ms15-034/


The need for emergency access codes

dauod“I have nothing to hide.” is one of the more recent empty responses when conversing about privacy. We’re not all criminals, but we all have something to hide.

Whether it’s a snoopy spouse, an unfair employer or a threatening government cellphones are now -more than ever- secure from physical access. Having a pin code on your old nokia phone little over a decade ago labeled you as “paranoid”. Since smartphones are the equivalent of our parallel lives, they have more access to our information and thus are a much more sought after target to untangle ones “secrets”.

Recently, Time magazine published an article how iPhone’s fingerprint reader does not protect you against the 5th amendment, the protection against self incrimination. Key codes, luckily, do.

This would bare the question to allow multiple keycodes; one to unlock your data. One to censor it, and optionally to remove it. Say you have a smarthphone, and it’s code is 1111. You use it every day to access your contacts, emails and other data. You should be able to set up a 2nd passcode, say 1234 that would purge a certain set of data. In a riot, if the police asks for you to unlock your phone, you type 1234, and it shows a clean phone, filters out some of the questionable text and phone records you have.

code security

Brocade brute forcer

During a pentest, I needed to test a Brocade SAN Switch. Since the Java webstart was quite slow, and I couldn’t find another script – I quickly coded this together to brute force passwords:


internet security

Install Burp CA certificate on Android Emulator

Android SecuritySome people ask me how they can “hijack” HTTPS API calls from an Android app. One of the best ways is to use PortSwiggers free Burp Suite, and hijack all traffic between your app and the server. One of the problems is, how do you add burp’s CA certificate to your android (emulator)? Burp’s help page simply says to look it up on google. Well, I hope this is one of the results showing up.

Note: This does not require any ADB pushes or so, and can be done in a few minutes. This was done under Ubuntu, using Android Emulator version 22.6.4. I’m uploading it into a Android 4.4.2 image running on a virtual Nexus 4.

Adding a CA certificate can be done in just a few steps, and will take a few minutes… read more »


XKCD: hack the stars

This is pretty awesome, from the XKCD cartoons


So true: code quality

From Lifehacker


Quis hackiet ipsos hackes?

acunetix Yesterday, Israeli security researched Danor Cohen reported that Acunetix’s web application security scanner has an exploitable vulnerability. Although the blog post is titled “Pwn the n00bs”, I’ve seen several origanizations use Acunetix to perform scans on (their own?) web applications.

Security bugs appear in all pieces of software; including security scanners and hacking tools. These tools often require to run as root (to perform privileged actions, such as putting a network interface into promiscious mode, etc). LiveUSB security distributions often run all commands as root and could pose a problem. Even though you are running a liveUSB environment, users often mount their HDD or external media to save files. Open source tools can often be fixed easily, but commercial software a la Acunetix usually relies on vendor update channels.

Be careful when running all software, even your security software/hacking tools can be vulnerable.


HeartBleed: we’re sslcrewed

heartbleedThe year 2014 is only a hundred days old, and this is probably the security bug of the year. In case you haven’t heard it, and shame on you if you didnt. HeartBleed is an exploit on a OpenSSL’s TLS Heartbeat extensions. It goes well undetected, and nearly half a billion (yes, B) of websites are vulnerable. We’re not even talking about most other SSL services, embedded systems and so on. It allows an attacker to read chunks of memory (per 64 Kilobytes) which may contain SSL secret keys, passwords, messages, etc.

More technical information can be seen on heartbleed.com, and you can check your site using this site.

You can be sure that most blackhat parties, including several intelligence services have tried already to extract information from your SSL enabled websites. If not, you’ll see an increase in HTTPS connections this weekend. Patch your servers, chnge your certificates, change your passwords; all of them. If somebody was storing all your SSL data in the past, they will have a way to find the key to decrypt all of it now, it’s that bad.