August 13th, 2010 by webstersprodigy
The following is also source used in the grad project. I’ll post the actual paper at some point. But here is the linkedin crawler portion with the applicable source. By its nature, this code is breakable, and may not work even at the time of posting. But it did work long enough for me to [...]
Tags: gradproject, python
Posted in Network, Programming | No Comments »
August 13th, 2010 by webstersprodigy
This was a small part of a project that was itself about 1/3 of my graduate project. I used it to collect certain information. Here is the excerpt from the paper. Website Email Spider Program In order to automatically process publicly available email addresses, a simple tool was developed, with source code available in Appendix [...]
Tags: gradproject, python
Posted in Network, Programming | No Comments »
July 25th, 2010 by webstersprodigy
SPOILER. These games are awesome. Find them at http://www.overthewire.org. #!/usr/bin/python #edited so it doesn't quite work... import socket import struct HOST='host' PORT=1111 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST,PORT)) blob = "" #no idea why 2 packets... but seems to be consistent for i in range (0,2): data = s.recv(2048) blob = blob + data print "DATA: [...]
Tags: python, socket
Posted in Network | No Comments »
July 18th, 2010 by webstersprodigy
I was recently using this to have total control over a redirect response without having to muck around with real servers. I figure I may reuse this at some point as stupid as it is. #!/bin/python #python response.py | ncat -l 80 import sys import time REDIRECT_SITE= "http://webstersprodigy.net" gm_time = time.gmtime() content_response = ( """<!DOCTYPE [...]
Tags: http, ncat, python
Posted in Network | No Comments »
July 8th, 2010 by webstersprodigy
This is an update to http://webstersprodigy.net/2010/07/07/pydbg-reverseme-solution/. I change a register now to circumvent the isdebuggerpresent call. import sys import ctypes from pydbg import * from pydbg.defines import * print "This is a very stupid keygen that uses a debug method and grabs the key from memory" print "prints out the valid key, and writes it [...]
Tags: pydbg, python, reverseme
Posted in GrayHat, Programming | No Comments »
July 7th, 2010 by webstersprodigy
Last week I wrote a keygen here: http://webstersprodigy.net/2010/06/22/reverseme-windows-keygen/. This is an almost identical problem, but the binary has been patched to allow debugging (I may do this programmatically as well, but not yet). I wanted to solve this with programmatic debugging. Here is the exe: Ice9pch3. The code simply sets a breakpoint and prints the [...]
Tags: crackme, debugging, pydbg, python
Posted in GrayHat, Programming, windoze | 1 Comment »
June 22nd, 2010 by webstersprodigy
This one was challenging for me, and took me several hours, but was fun. I got caught up on certain parts that may not have been too difficult, but, yeah… http://crackmes.de/users/tripletordo/ice9/ You can download the executable here Ice9.zip. The first thing I noticed is probably the ‘trick’ which was simply a call to isdebuggerpresent. I [...]
Tags: crackmes, IDA, keygen, ollydbg
Posted in Bits and Bytes, GrayHat | No Comments »
June 13th, 2010 by webstersprodigy
This relies on HD’s keys, found at http://digitaloffense.net/tools/debian-openssl/ description = [[ Debian OpenSSH/OpenSSL Package Random Number Generator Weakness ]] -- -- @output -- 22/ssh open ssh -- |_ ssh_debian_weak: The following keys are vulnerable: 2048 RSA 1024 RSA -- SSH Weak Debian Key Script -- rev 1.0 (2010-02-07) -- roughly based on ssh_debian_weak.nasl by Tenable -- [...]
Tags: lua, nmap, nse
Posted in Uncategorized | No Comments »
June 13th, 2010 by webstersprodigy
This guy is here: http://crackmes.de/users/moofy/moofys_namegenme/ namegenme.zip I had a fairly hard time with this one for some reason, although the solution was right in front of my face… Most of the logic for calculating the generation is in the function 00401852. The Serial is stored in a global variable, and the name is generated by taking [...]
Tags: C, IDA, reverseme
Posted in Uncategorized | No Comments »
June 11th, 2010 by webstersprodigy
I thought this was totally interesting. http://www.bindshell.net/tools/beef/ It’s a client browser exploitation framework. It integrates a bunch of existing tools like metasploit’s autopwn and includes a lot of modules like a malicious java module, port scanning with javascript, steals history using that css colored trick, logs keys, hijacks clipboard etc. It makes demos of xss [...]
Posted in Security Tools | No Comments »
June 10th, 2010 by webstersprodigy
http://crackmes.de/users/d0min4ted/keygenme_by_d0min4ted/ In case the link goes away, here is a zip of the executable. crackme I cheated on this one and used reflector. This was an excuse for me to try reflector out… so I started with that in mind. The checking code ends up being in crackme->WindowsFormsApplication4->Form1. You can deduce what most of the buttons do. [...]
Tags: C sharp, reflector, reversing
Posted in Computers, GrayHat | No Comments »
June 8th, 2010 by webstersprodigy
To get back into the groove, I decided to try a crackme. After searching far and wide, I can’t seem to find where I got this from, other than crackmes.de. One of my favorite sites. Crackme.zip <– here it is in case it’s deleted. And the solution is, with no analysis: #include <iostream> #include <string> using [...]
Posted in Bits and Bytes, Computers, GrayHat | 1 Comment »
April 7th, 2010 by webstersprodigy
The title sort of explains it. description = [[ Attempts to check if a login page exists on the port. ]] -- -- @output -- 80/tcp open http -- |_ http-login-form: HTTP login detected -- HTTP authentication information gathering script -- rev 1.0 (2010-02-06) author = "Rich Lundeen <mopey@webstersprodigy.net>" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" [...]
Tags: lua, nmap
Posted in GrayHat, Network, Programming | No Comments »
February 20th, 2010 by webstersprodigy
Traditionally I’ve done this with nc. However, there is in fact a curl flag to do this. Demonstrating once again how awesome curl is (but I still use the inferior wget because I can never remember curl syntax). curl -X CONNECT example.com
Tags: curl
Posted in Linux | No Comments »
February 7th, 2010 by webstersprodigy
This program takes a regular expression for a problem and returns the affected hosts. It iterates through all reports saved in a .nessus file, making no attempt at uniqueness (e.g. if you scanned a host more than once), searching through titles, data, ports, and IDs for matches.
Tags: grep, nessus, python
Posted in Programming | No Comments »
February 3rd, 2010 by webstersprodigy
POCs for XSRFs that only allow POST are not as straightforward as the GET case. I use something like the following for situations like that. <html> <head></head> <body> <script> function poststuff() { var site = document.getElementById("posturl").value; var post_data = document.getElementById("postparam").value; alert("site: " + site); alert("pdata: " + post_data); var xmlhttp=new XMLHttpRequest(); xmlhttp.open("POST", site, true); xmlhttp.onreadystatechange = function [...]
Tags: xsrf
Posted in GrayHat | No Comments »
January 21st, 2010 by webstersprodigy
cdecl, stdcall, fastcall, c++
Posted in Bits and Bytes | No Comments »
January 16th, 2010 by webstersprodigy
In my line of work, I come across SNMP default community strings quite a bit. I always seem to be searching for a reference on how to query various things, and also what I might change.
Tags: snmp
Posted in Network | No Comments »
January 3rd, 2010 by webstersprodigy
The code is pretty self explanatory. It searches through a .nessus file and spits out matching hosts.
Tags: nessus, python
Posted in GrayHat, Programming | No Comments »
December 30th, 2009 by webstersprodigy
Kind of an annoying problem, but sometimes nikto runs out of control. This is made worse by nessus, which can have a lot of nikto instances running at once.
Tags: nikto, python
Posted in GrayHat, Programming | No Comments »