loftrat

Active Members
  • Posts: 99

Posts posted by loftrat

  1. Evening All :)

    I'm soon to be doing a bit of web app testing on one of our internal sites. It's only very small, and there's not a lot of dynamic content, so I'm not expecting there to be very many 'interesting' issues ;)

    One thing that I'm almost positive that I'm going to see is either 1) basic auth, or 2) a brute-forceable login page (with no lockouts, and no tarpitting). I'd like to really go to town on the authentication, because I think that's going to be the only place that there's really going to be a problem.

    For this though I'm going to need a seriously comprehensive password list to run through Burp (or similar). Ideally I'd be looking for something that contains masses of dictionary words, or (probably better still) a list of all the possible combinations of letters and numbers up to a reasonable length password (say 14 characters). This would then automatically include a whole host of 'real' words, but would cover other bases as well.

    Anybody know of, or have, such a list - or (if necessary) have a tool that would allow me to create one?

    I don't need any hashes or anything, just plain text passwords.

    Cheers all :)

  2. All the passwords are available on the Interwebs for everybody to see now.....it was only a matter of time - mine's on there as well, I guess I must have been having finger trouble when I logged in though because there's about 4 different versions of it :D

  3. Mine was ultra secure. I used upper case, lower case, and numbers, and I made sure I obfuscated letters so that it wasn't an obvious dictionary word. I know what you hax0rs are like.

    As it can't do any harm I'll post it here so you losers can see what a real password looks like.....ready?

    Here it is:

    Pa55w0rd

    :D

  4. Must've had a bad password since the only way I know of breaking TC is by bruteforcing the password.

    +1

    Would be interested in finding out magic ways of breaking/decrypting AES (TrueCrypt) vaults without bruteforcing the password.....I expect to be disappointed though.....

  5. Oh, sorry, missed a bit of your question :S

    Nope, no performance hits that I can notice - everything's running just fine. I've not managed to break it yet, but that's more because it just seems to work quite nicely than because of any particular lack of effort on my part.

  6. loftrat, how is it going? Notice any performance hits since you installed it? Accidentally trashed it yet by trying to tweak it?

    Did you get any forensics info out of it?

    Ubuntu 9.04, installed using the alternate CD, and it's as stable as you like.

    Have it running on one of the dev machines at work, trying to use it as often as I can for as wide a range of tasks as I can, haven't had a chance to throw EnCase at it yet - I'll probably aim to do that next week.

    Looking at the mechanics of it I'm thinking that might be a waste of time though, the main reason I'm doing it is to make sure that Ubuntu's not caching anything anywhere unusual - although I can't see that being the case.

  7. Thanks for the continued thoughts guys, much appreciated.

    I've installed Ubuntu 9.04 using the alternate CD and set up the encryption that way (must really learn how to do it manually.....maybe one day ;) ).

    Going to play with that for a while and then pull the drive and run it through a forensic analysis and see if I can pull anything back, in theory I shouldn't be able to but it never hurts to check :)

  8. Linux supports full disk encryption. Look for LUKS with a LVM.

    I'll take a look at that, thanks.

    I don't think hardware encryption on disk drives is that great and you normally end up paying way too much of a premium because they are aimed for business use.

    Yeah, the ones I managed to find were a) very expensive, and b) normally only being sold to laptop vendors. It's the only solution that I can think of that will allow proper dual booting though.

    I've used LUKS with LVM on Ubuntu and Fedora now and they work well, I'm moving away from encryption on my mobile devices now as it causes problems with certain aspects of the law. It's easier and more secure in my opinion to remote into a machine and do any sensitive work from there. Works especially well if the machine is located somewhere outside the law's jurisdiction.

    That's fine if you a) have a machine to remote into, or b) have a route to the machine that you want to remote into. Sensitive work sometimes has to be carried out locally unfortunately, and the information on the laptop therefore needs to be secured accordingly. I'd looked at running a VM within a host and then just storing the VM in an encrypted container. It's not an ideal solution as you still get some paging outside of the container, and obviously you get a performance hit - unfortunately that's not even a goer as one of the machines I want to run on is a netbook.....and it doesn't like VMs :D

    I'll take a look at LUKS/LVM and see what that gives me.

    Thanks.

  9. Anybody got any good solutions for providing whole disk encryption on a linux system (laptop)?

    I would like to fully encrypt my netbook, and at least one other laptop in the house, but can't find any way of doing this.

    I'm running Windows at the moment, because I've happily been able to fully encrypt the drive using TrueCrypt - the same approach doesn't work under Linux though.

    Ideally I think I need some sort of hardware based encryption (a nice, self encrypting, HDD would be nice - then I could probably have a dual-boot system as well ;) ) - unfortunately I can't seem to find a vendor willing/able to sell me one.

    What are you guys using, if anything?

  10. That actually looks more like a scene from the Transformers series that was aired on TV.

    The only feature length movie that I'm aware of that was made in that era is "Transformers: The Movie" (aside from the more recent offerings of course).

  11. Be careful with your demos though. Don't just go grabbing/sniffing private content and passwords without permission. The kids won't like it and you'll alienate them, the parents won't like it and you're likely to end up in hot water.

    Number one rule of all InfoSec engagements....C Y A

    Cover Your Ass ;)

  12. That's up to you to decide for, if you do decide to partake in the exercise. Giving away too much information would defeat the point of the test. As an attacker coming across data, there's a slim to none chance that you'd know what algorithms are being used and precisely what format the data takes.

    If I come across encrypted data on a system the first thing I'm gonna do is work out what available encryption/decryption methods that system has. Little point in having it there if it can't be decrypted by the users.

    Work out what's on the machine, then use that to decrypt the data.
