January 13th, 2010
Posted in Hacking | No Comments »
June 13th, 2008
It’s been a while since I did some sharing, so here you go…I’ve started using this web application fuzzing tool recently called wfuzz:
http://www.edge-security.com/wfuzz.php
It is a cool application for fuzzing parameters in web applications, including login forms. An example of wfuzz syntax attempting to brute force a web application login form (in this case a Cisco VPN admin page (wishful thinking : P)):
wfuzz -c -z file -f /wordlists/big.txt --hc 404 --html -d "login=admin&password=FUZZ&ok=Login" https://10.10.10.10/admin.html 2> cisco_vpn_admin.txt
You enter FUZZ in the parameter you wish to fuzz. Pretty simple once you get the hang of it…
Posted in Hacking | No Comments »
February 7th, 2008
It’s been a while since my last update. I don’t really have an excuse, but my current job is keeping me very busy and I’m also studying for the CISSP exam. I just thought I would post a lame blog entry with some site stats for the past two years… So here goes:
- 62,000 Unique Visitors
- 800,000 Hits
- 145 GB Bandwidth
- 100,000 Unique Visitors
- 1,125,000 Hits
- 220 GB Bandwidth
Thank you to all those who donated via PayPal. As you can see the site is quite bandwidth hungry, so even the small donations are greatly appreciated.
All the best for 2008!
Posted in General Shite | No Comments »
November 1st, 2007
Movember is an annual, month-long November charity event involving the growing of moustaches. It is held primarily in Australia and New Zealand, and is being launched this year in the United Kingdom, United States, Spain and Canada.
I am taking part…

Posted in General Shite | No Comments »
October 10th, 2007
It looks like the Liberal Party’s official website has been hacked to make it look like Prime Minister John Howard enjoys “smoking the bone”. In the image below it reads, “The Liberal Party of Australia, John Howard Says ‘I like to suck dick!’”. This has been achieved through the use of XSS.
A spokesman for the Liberal Party’s federal secretariat said that officials were investigating the matter. “It appears to be a hoax, but we’re checking it out,” the spokesman said.

Has the truth finally come out??? ; )
Posted in Hacking | No Comments »
October 10th, 2007
It’s been all over the news, but I guess it can’t hurt posting the article here too. INTERPOL is seeking the help of the public to try to identify the man in the photos below. He has appeared in photographs sexually abusing children in a series of images posted on the Internet.
According to INTERPOL, the photos shown below are from a series of around 200 pictures involving 12 different young boys, believed to have been taken in Vietnam and Cambodia in 2002 or 2003.
These pictures have been produced by specialists from Germany’s federal police force, the Bundeskriminalamt, working from originals found on the Internet, which had been digitally altered to disguise the man’s face.
The images were recovered from pictures taken off the Internet in which the man’s face had been blurred using something like Photoshop’s Filter > Distort > Twirl tool.
If you know this piece of shit, you should contact your local police or INTERPOL’s Trafficking in Human Beings Unit via email.
Posted in General Shite | No Comments »
October 8th, 2007
Microsoft has officially released a build of Windows XP SP3. It is reported to have 1073 patches/hotfixes and several new features. Windows XP SP3 does ship with a few new features, the majority of which have been backported from Windows Vista.
Posted in Hacking | No Comments »
June 1st, 2007
We all know how much time and effort is invested into keeping an organisation’s network secure. Then someone brings a USB device into the organisation with a virus or some illegal software and it is the organisation that pays (and sometimes the end user ; ) ).
GFI EndPointSecurity allows administrators to actively manage user access and log the activity of these portable USB devices. It’s well worth a look.
Posted in General Shite | No Comments »
February 11th, 2007
Oh dear! The Solaris 10/11 telnet daemon has been exploited. Kcope posted the exploit to Full-Disclosure (local mirror) this morning, and the worst part about it is that it doesn’t require any skill. If you can execute a command on the command line, you can exploit this vulnerability, which also means that it can easily be scripted. All you need to do is pass ‘-fusername’ as an argument to the -l option and you get full access to the OS as the user specified, except ‘root’. Here is a command line example:
telnet -l "-fbin" target_address
In my experience, I have seen the telnet daemon enabled on a lot of hosts that I have reviewed even if ssh is used.
I hear the sound of system administrators frantically disabling the telnet daemons throughout their Solaris environments. : )
Posted in Hacking | No Comments »
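A network-side check for the request described in the Solaris telnet post above, as an added example (not code from the original post or from the posted exploit): a telnet client sends the -l value to the server as the USER variable in an ENVIRON subnegotiation, so a monitor can decode that field and flag values beginning with "-". The function names and the sample bytes are constructed for illustration, and the RFC 1572 field numbering is assumed for both option codes.

```python
import re

IAC, SB, SE, WILL = 255, 250, 240, 251
OLD_ENVIRON, NEW_ENVIRON = 36, 39        # option codes (RFC 1408 / RFC 1572)
IS, INFO = 0, 2                          # subnegotiation commands that carry values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3    # field markers, RFC numbering assumed
SUBNEG = re.compile(rb"\xff\xfa(.)((?:[^\xff]|\xff\xff)*)\xff\xf0", re.S)

def subnegotiations(stream):
    """Yield (option, payload) for each IAC SB <option> ... IAC SE block."""
    for m in SUBNEG.finditer(stream):
        yield m[1][0], m[2].replace(b"\xff\xff", b"\xff")   # undo IAC IAC escaping

def environ_vars(payload):
    """Decode an IS/INFO environment payload into {name: value} (bytes)."""
    env, fields = {}, []
    if not payload or payload[0] not in (IS, INFO):
        return env
    it = iter(payload[1:])
    for b in it:
        if b in (VAR, VALUE, USERVAR):
            fields.append([b, bytearray()])          # marker starts a new field
        elif fields:
            fields[-1][1].append(next(it, b) if b == ESC else b)
    name = None
    for kind, data in fields:
        if kind != VALUE:
            name = bytes(data)
            env.setdefault(name, b"")
        elif name is not None:
            env[name] = bytes(data)
    return env

def flagged_users(stream):
    """Return USER values that start with '-' and so look like login options."""
    hits = []
    for option, payload in subnegotiations(stream):
        if option not in (OLD_ENVIRON, NEW_ENVIRON):
            continue
        user = environ_vars(payload).get(b"USER", b"")
        if user.startswith(b"-"):
            hits.append(user.decode("latin-1"))
    return hits

def sample(user):
    """Constructed client-to-server bytes: WILL NEW-ENVIRON, then IS USER=<user>."""
    return (bytes([IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, IS, VAR])
            + b"USER" + bytes([VALUE]) + user + bytes([IAC, SE]))
```

Feed it the reassembled client-to-server half of a port 23 session; a non-empty result is worth an alert on any host where telnet is still enabled.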
January 10th, 2007
At Macworld this year, Apple has released the iPhone. There has been a lot of hype around this release, but it seems that reality has outdone the hype for a change.
A couple of the highlights are:
- The device runs on OS X.
- No stylus is used. The iPhone is designed for the user to use their finger as a pointer.
- One button (the Home button); all the rest of the functions are controlled via the touch screen.
- iPod built in.
- Internet capable (with Safari Browser).
- Last but not least, there is a phone in there somewhere too!
Check out the full write up on ZDNet.
As I thought, Apple has joined Google and Microsoft in the race for world domination…
Posted in General Shite, Mac OS X | No Comments »