You are in the archives of the category hacking.
12.3.2012 by matti.
Hello folks,
Came across a nice tool for uploading to a compromised system:
http://blog.gentilkiwi.com/mimikatz/inject
There is a nice method of getting the local password, without cracking any hashes or passing on hashes.
All to do with the SSO implementation in Windows. Really nice and works in seconds.
Also cool to inject DLLs into all processes and get it to communicate with the process.
So no reason not to put it into one's arsenal…
Cheers,
Matti
31.1.2012 by matti.
Hello again,
It might be worth testing your applications for SQL Injection.
Here is a list of tools:
Sqlninja ( http://sqlninja.sourceforge.net/ )
sqlmap ( http://sqlmap.sourceforge.net/ )
Pangolin 3.2.3 free edition ( http://down3.nosec.org/pangolin_free_edition_3.2.3.1105.zip )
Havij v1.14 Advanced SQL Injection – free version ( http://www.itsecteam.com/files/havij/Havij1.14Free.rar )
SQL Power Injector ( http://www.sqlpowerinjector.com/ )
Marathon Tool ( http://www.codeplex.com/marathontool )
Absinthe ( http://www.0x90.org/…inthe/index.php )
pysqlin ( http://code.google.c…source/checkout )
BSQL Hacker ( http://labs.portcull…on/bsql-hacker/ )
SQL Injection digger (SQLID) ( http://sqid.rubyforge.org/#download)
WITOOL ( http://witool.sourceforge.net/ ) SQL, Oracle, Microsoft SQL Server and Microsoft Access.
sqlsus ( http://sqlsus.sourceforge.net/ )
DarkMySQLi16.py ( http://vmw4r3.blogspot.com/ )
mySQLenum ( http://sourceforge.n…ects/mysqlenum/ )
PRIAMOS ( http://www.priamos-project.com/ )
FJ-Injector Framework ( http://sourceforge.net/projects/injection-fwk/files/)
Bobcat SQL Injection Tool ( http://www.northern-…pub/bobcat.html )
SQLIer 0.8.2b ( http://bcable.net/releases.php?sqlier )
bsqlbf-v2 ( http://code.google.com/p/bsqlbf-v2/ )
Safe3 Sql Injector ( http://sourceforge.net/projects/safe3si/)
ExploitMyUnion ( http://sourceforge.n…exploitmyunion/ )
Laudanum ( http://sourceforge.n…jects/laudanum/ )
WebRaider ( http://code.google.com/p/webraider/ )
Toolza 1.0 ( http://bug-track.ru/prog/toolza1.0.rar )
SCRT Mini-MySqlat0r (http://www.scrt.ch/attaque/telechargements/mini-mysqlat0r)
SFX-SQLi ( http://www.kachakil.com/ )
DarkMySQL ( http://vmw4r3.blogspot.com/ )
ProMSiD Premium ( http://forum.web-def…02&postcount=15 )
yInjector ( http://y-osirys.com/…-softwares/id10 )
Hexjector ( http://sourceforge.n…ects/hexjector/ )
Happy hacking…
Cheers,
Matti
28.1.2012 by matti.
I am sometimes quite surprised at how many web security tools start with a single guy coding something up.
Here is such an example of a really cool tool written by a guy from London Royal Holloway University, Anastasios Laskos:
Really impressed by the high rate and accuracy of issues it discovers…
So thanks for that tool
Cheers,
Matti
28.1.2012 by matti.
I was having a look at certain sites and tools that are good for finding things out about other people on the Internet.
Not for stalking
but for Social Engineering.
Here are some of which I thought were quite useful…
Social Network Search Sites:
http://www.neoformix.com/Projects/TwitterStreamGraphs/view.php
http://twendz.waggeneredstrom.com/
http://twittermap.appspot.com/
Those might be good as well:
http://twittercounter.com/ (needs twitter account)
http://www.ubervu.com/ (demo must be requested)
http://www.alterian.com/socialmedia/products/sm2/ (demo must be requested)
People Search Sites:
People Search Tools
http://ilektrojohn.github.com/creepy/
http://code.google.com/p/fbpwn/
Exploiting
http://www.sptoolkit.com/documentation/001-the-spt-framework/
Cheers,
Matti
17.8.2010 by matti.
A lot of the testing nowadays goes back to do some account hacking.
The hope of a password being in a dictionary is long gone.
Too many security policies hindering people from choosing weak passwords.
But users still have to be able to remember passwords.
So we do mutations and other things:
http://www.randomstorm.com/rsmangler-security-tool.php
http://www.remote-exploit.org/Wyd/
So if you want to check your own password:
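An added example, not part of the original post or of the tools it links: a self-check that tells you whether a password is only a simple mutation of a dictionary word, by undoing the kinds of changes mangling tools apply. The wordlist and the substitution table are small constructed samples and the function names are hypothetical.

```python
# Added example: is a password just a mangled dictionary word?
# WORDLIST is a constructed sample; a real check would load a full dictionary.
WORDLIST = {"password", "summer", "dragon", "london", "welcome"}

# Character substitutions commonly applied by mangling tools, reversed here.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def demangle(password, max_affix=6, min_len=4):
    """Return candidate base words obtained by undoing common mutations:
    case changes, reversal, leet substitutions, and up to max_affix
    characters prepended or appended (years, digits, punctuation)."""
    lowered = password.lower()
    found = set()
    for variant in (lowered, lowered[::-1]):
        for i in range(max_affix + 1):
            for j in range(max_affix + 1):
                core = variant[i:len(variant) - j]
                if len(core) >= min_len:
                    found.add(core)
                    found.add(core.translate(UNLEET))
    return found


def mutation_of(password, wordlist=WORDLIST):
    """Return the longest dictionary word the password is derived from,
    or None if no simple mutation of a listed word produces it."""
    hits = demangle(password) & set(wordlist)
    return max(sorted(hits), key=len) if hits else None


if __name__ == "__main__":
    for pw in ("P@ssw0rd2012!", "nodnoL1", "welcom3!", "kV9#tq2LmXz8"):
        print(pw, "->", mutation_of(pw))
```

A password that passes a complexity policy but returns a word here is still inside the search space of a mutation-based guessing run.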
13.8.2010 by matti.
http://www.hackfromacave.com/katana.html
During Blackhat there has been an update to version two
Fun to have everything along….
Cheers,
Matti
27.4.2010 by matti.
Just a quick one…
There is a nice service for testing flash and javascripts of websites:
http://wepawet.cs.ucsb.edu/index.php
If you feel brave enough to test for yourself or want to get to the source of some javascript stuff:
http://malzilla.sourceforge.net/
Cheers,
M
18.3.2010 by matti.
I had a network test lately and was using some newer tools….
Ncrack:
http://nmap.org/ncrack/man.html
Medusa (after two years a new version):
http://www.foofus.net/jmk/medusa/medusa.html
Nsploit (nmap with metasploit)
http://trac.happypacket.net/
Happy hacking everyone…
18.3.2010 by matti.
I have kind of developed a 13 step program to an ISMS….
ISMS - An information security management system
13 Steps Program:
1. Purchase a copy of the ISO/IEC standards
2. Obtain Management Support
3. Determine the Scope of the ISMS
4. Identify Applicable Legislation
5. Define a Method of Risk Assessment
6. Create an Inventory of Information Assets to Protect
7. Identify Risks
8. Assess the Risks
9. Identify Applicable Objectives and Controls
10. Set up Policy and Procedures to Control Risks
11. Allocate Resources and train the Staff
12. Monitor the Implementation of the ISMS
13. Prepare for Certification Audit
5.1.2010 by tugrik.
Just in case you don’t read slashdot… as revealed on http://seattlewireless.net/~casey/?p=13 , the Kodak EasyShare Wireless Digital Picture Frames contain a lovely security issue.
As well as displaying pictures from an SD card, you can point the device at any RSS feed and have it display the contents. You just set up a FrameChannel account using the secret code that comes with the frame, and configure the feeds accordingly. However in the Advanced Settings of this interface there’s a URL that shows a feed of everything being displayed on your frame. This is a very predictable URL, based on the device’s MAC address, so you can see what other Frame owners are downloading to their device…
…and if you look through the comments at that URL, you’ll see that a lot of “informal assessment” of the service has taken place; it’s possible to reset the activation code for frames, determine the RSS feeds used by devices that have yet to be sold… and there’s some code in the comments to do that for you too.
As “Mike” aptly put it: “So Kodak has essentially built a system for letting complete strangers (a) browse your family photos, and (b) beam shock porn directly into your living-room?”
See also http://yro.slashdot.org/story/10/01/05/0413228/Kodak-Wireless-Picture-Frames-Open-To-Public
( on a side-note I was considering another posting, refuting the comments on http://www.altaware.com/articles/pentest.html, which I stumbled across recently. In the end I decided that was best left as an exercise for the reader, as the only retort I have that won’t take me an evening to write is “you’re not very familiar with pentesting are you?” )
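An added example, not code from the post, from its comments or from Kodak/FrameChannel: the design flaw described above (a feed address that is a pure function of the MAC address) next to a per-frame random token that can be rotated. The `/feed/` path shape, the sample MAC and all names are hypothetical, since the page does not give the real URL format.

```python
import hashlib
import secrets


def mac_feed_path(mac):
    """Weak scheme: the feed path is a pure function of the MAC address.
    The /feed/ path shape is hypothetical; the page does not give the real one."""
    return "/feed/" + mac.replace(":", "").replace("-", "").lower()


def mac_guess_space(vendor_prefix_known=True):
    """Number of candidate paths: the first 24 bits of a MAC identify the
    vendor (OUI), so only the remaining 24 bits vary per device."""
    return 2 ** (24 if vendor_prefix_known else 48)


class FeedRegistry:
    """Hardened scheme: each frame gets a random token that can be rotated.
    Only a SHA-256 digest of the token is stored on the server."""

    def __init__(self):
        self._frame_by_digest = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, frame_id):
        """Create (or rotate) the token for a frame; the old one stops working."""
        self._frame_by_digest = {d: f for d, f in self._frame_by_digest.items()
                                 if f != frame_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._frame_by_digest[self._digest(token)] = frame_id
        return token

    def resolve(self, token):
        """Return the frame a token belongs to, or None for unknown tokens."""
        return self._frame_by_digest.get(self._digest(token))
```

A device identifier such as a MAC address is visible on the local network and usually printed on the device, so it should name the frame but never authorise access to its feed.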