Everything posted by kickarse

  1. I'm happy your cynicism hasn't changed at all Digip ;) lol... you picked that one right apart huh? It's just a proof of concept idea from what I gather. That's really all it's useful for. It might work on someone who doesn't know jack about PCs (most home users); I mean they end up "scanning" their PC for viruses with software they never paid for or installed. And yes, Konboot would be better. As for your other "questions" you might want to ask him what he planned on doing with it. I'm just a messenger.
  2. Pretty neat concept and code (link and desc below) https://github.com/AlexWebr/evilmaid_chkdsk Evil Maid CHKDSK This is a simple 512-byte MBR program that pretends to be Windows CHKDSK. It asks the user for a password, writes that password back to the media it booted from, renders that media unbootable, and reboots. Terminal capture of using it with QEMU: http://ascii.io/a/1201 Video demonstration on a Windows laptop:
  3. I wrote an AutoIT script to scan each workstation for local user accounts (admin or otherwise). I can then set the user bit like disabled, user can change pass, etc. Or I can remove each administrator account that doesn't belong. I've set it up so that I can perform this on every workstation it finds in a specific Domain OU. Perhaps you could leverage something like that?
  4. I wonder if there's a way to do some sort of passive pass-through tap... so information goes in but nothing goes out using some one-way gate, but still goes across the bridge without affecting the information. Sort of piggyback on the signal, but then you need something to capture it like Usbalyzer or Usbsnoop. This way you get around the HID having to install. USB pinout - http://pinouts.ru/SerialPortsCables/usb_cable_pinout.shtml
     P1 - VCC - Power
     P2 - USB Data -
     P3 - USB Data +
     P4 - Ground
     It should be possible to tap with a diode at 5v, that way we don't overdrive it, or not even hook it up at all. I guess in a way this is a USB splitter. Found this -- http://vusb.wikidot.com/usb-device-classes http://www.workinprogress.ca/v-usb-tutoria...-for-mega-tiny/
  5. What exactly are you looking to understand? The inner workings of ESX/ESXi (hypervisor)? How to setup a cluster (VM or MS?)? How the hosts talk to a SAN? It's kind of a broad subject, if you could hone in on a topic or a couple topics I'd be happy to answer some questions. And not anything against you, believe me, but I hope they aren't going to just go "here's a SAN and VMware manage it!".
  6. I've demo'd Languard (great price) but use PatchLink (very expensive) and WSUS. I find that Patchlink is very thorough but the agents sometimes go corrupt. WSUS works fine but only for MS patches (although Eminentware has software that will add on to it so you can install third party software).
  7. Careful with your payload. These types of software usually send information regarding software that's been started, and if you name your executable "pwnsk00l.exe" it'll be sent and flagged. Something like notepad.exe would most likely be better. Just sayin'. I haven't had any experience with LanSchool and I don't know what data it sends. But these types of software usually do this.
  8. That's cool! Just write a program to insert 50,000 characters into a txt file and you're good!
  9. Good software would read the file encoding and block based on that. So renaming to a txt file would do no good.
  10. It's a hard suit because while they were typing the information on a company workstation the data now resides on an off site server. This information was at one time, although not saved, on the corporate network, which in turn you own. Like Sparda said if you have some NDA policy that they signed then you can probably get a court order from the ISP.
  11. kickarse - Pandora Hack

     The Lala.com hack is a simple one. You need to start your capture to catch/filter this (could be any number; all I've found are below): tcp.stream eq 4 or tcp.stream eq 6
     The stream you want to reassemble is (Info column) [TCP segment of a reassembled PDU]. You must wait until the song finishes to reassemble. After the song is finished, right click on the packet and click Follow TCP Stream; make sure it's Raw. Save as an mp3.
  12. Their reasoning is that they deploy services and functionality that use these ports and various IP addresses. I disagree and call bullshit. I asked them to supply a list of a few ports and IP addresses to connect to and they said they can't. I called bullshit. I asked them to supply technical references for other companies and they told me they can't and that all companies either open the ports or T1 to them. I called bullshit. There's a third option that uses port 80/443 for a connection to a Citrix presented application. The install rep tells me that it doesn't have the same functionality as the locally installed client. I ask if he can provide a list of functionality that it does not provide. He tells me that it's too long to list. So I request the "list". I call bullshit, again, and quote the install doc telling me that the Citrix presented application is the EXACT same application installed locally. He then tells me to talk to our sales rep and leads me to believe that he's obviously trying to pull something. This is bloomberg.com btw and their wonderful Bloomberg service. ----------- Believe me I know the issues with the ephemeral ports. He wants us to open the ports, including various other ports, on our firewall to the WAN. From internal sources to external sources and vice versa. We actually have a firewall vendor which is a great company. It's a Squid proxy firewall, btw. They've stated that they block that port range. It's one of the reasons why we don't use regular FTP sessions.
  13. So we have a vendor who wants us to basically open up all ephemeral ports to about 1,300+ IP addresses on 6 subnets. How would you guys feel about that? I know that I feel pissed off that they want us to do this or buy a dedicated T1 to them to bypass this hole. They keep giving the run around that we somehow need all of this. Please chime in with your thoughts. I'd love to get the security/hacking community's view on this.
  14. I like the mask so nobody can see his face on the internet. Go figure it'd be a picture Discovery would use. lol
  15. lol Of course. I didn't know if you guys were using "corporate" pay for type apps/netappl. I had to buy a freakin' feed license for Nessus for Professional. No more freebies for corporate :( Have you guys tried mirroring a port on your switch and run Wireshark on prom.?
  16. I seem to have dyslexia, although not proven scientifically. I sometimes go along and type things completely incorrectly, like Test = Twat, Rainbow = Rainbox, Command = Cinnabon. What about you guys?
  17. You guys should check out ImDisk if you haven't already ( can't actually get to the 911cd.net forums from work for some reason so here's a google search for you ) http://www.google.com/search?q=imdisk&...lient=firefox-a
  18. Of course. I'd never advise doing this IRL without some sort of encryption tunnel. But it just goes to show what you can do with some ingenuity. A proof of concept nonetheless.
  19. So at work we don't currently have anything set up like GoToMyPC, so when we get a call on the dept. cell phone and someone needs to be unlocked, someone, anyone, has to come in to unlock/reset a user. Today I combined two different scripts to create a quick and dirty remote domain user unlocker via an email into Outlook. Basically it's comprised of:

     1. A rule in Outlook to check for messages that
        A) have a certain subject (whatever you want it to be; the longer the pass phrase the better)
        B) have been sent by a certain address
        C) have an attachment
        D) have been sent to only one address
        E) Runs a script (script is described next, called SaveAttachments) against any new email, saving the attachments to a certain location

     2. OTM script in Outlook. If you press Alt-F11 in Outlook you will see Outlook's VBA editor. On the left hand side you will see all the defaults and on the right side an area to post the script. The VBA script is shown below; change the Root variable to a location of your choosing and save the script (Ctrl-S). Change your rule to run this script called SaveAttachments. Make sure you have macro security set to None/Off (I know, I know, I don't know a way around it yet).

        Sub SaveAttachments(ByRef item As Outlook.MailItem)
            Const Root = "C:\UnlockDomainUsers" ' Root folder. Change it according to your needs
            Dim FName As String        ' To store the whole name of each attached file
            Dim fs                     ' To manage files
            Dim CountAttach As Integer ' Total number of attached files
            Dim I As Integer           ' Typical counter index

            CountAttach = item.Attachments.Count ' Retrieve the number of attachments
            If CountAttach > 0 Then ' Only do something when the email has files attached
                ' Check for the folder structure and create it if something is missing
                Set fs = CreateObject("Scripting.FileSystemObject")
                If Not fs.FolderExists(Root) Then fs.CreateFolder Root
                For I = CountAttach To 1 Step -1 ' From the end to the beginning to avoid problems
                    ' Creating the whole name of the file
                    FName = Root & "\" & item.Attachments.Item(I).FileName
                    ' Saving the file
                    item.Attachments.Item(I).SaveAsFile FName
                    ' Check if the file was saved and remove it from the email
                    If fs.FileExists(FName) Then
                        item.Attachments.Item(I).Delete
                    End If
                Next I
                item.Save
            End If
        End Sub

     3. Next you'll need an AutoIT script. You can download the script editor and compiler from www.autoitscript.com . You will need to change two variables, the ProcessFileLocation (to the location you specified in the Outlook VBA script) and Domain (your domain, duh). Once compiled you keep this script running and it will check the folder you specified for a user.loc file. It will read the user.loc file for a username, unlock the user and log it to a log file.

        #include <File.au3>

        Global $strInfo
        $ProcessFileLocation = "C:\UnlockDomainUsers\user.loc" ; Location path of file to read from user
        $Domain = "YourDomain" ; Your domain
        $LogFileLocation = @ScriptDir & "\unlockusers.log" ; Location path of file to write log to
        $x = 0 ; just set a variable that'll never be attained

        Do
            Do
                Sleep(10000)
            Until FileExists($ProcessFileLocation) ; Sleep every 10 seconds until you come across the .loc file
            ToolTip("A user is going to be unlocked", 20, 20, "Email Domain User Unlocker") ; Let logged in user know what's going on
            $UnlockUser = FileReadLine($ProcessFileLocation, 1) ; Read unlock information from file
            ToolTip("User: " & $Domain & "\" & $UnlockUser & " will be unlocked shortly", 20, 20, "Email Domain User Unlocker")
            _UnlockDomainUsers($UnlockUser, $Domain) ; Unlock user named in the file
            ToolTip($Domain & "\" & $UnlockUser & " " & $strInfo, 20, 20, "Email Domain User Unlocker")
            _FileWriteLog($LogFileLocation, $Domain & "\" & $UnlockUser & " " & $strInfo) ; Write log information
            Sleep(2000) ; sleep before deleting file
            ToolTip("Deleting file " & $ProcessFileLocation, 20, 20, "Email Domain User Unlocker")
            FileDelete($ProcessFileLocation) ; delete file for next incoming email
        Until $x = 1 ; forever!

        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
        Func _UnlockDomainUsers($strUser, $strDomain)
            $GetUserInfo = ObjGet("WinNT://" & $strDomain & "/" & $strUser) ; Get user information
            If @error Or Not IsObj($GetUserInfo) Then ; Bail out instead of crashing when the account does not exist
                $strInfo = "-- User could not be found"
                Return
            EndIf
            If $GetUserInfo.IsAccountLocked = 0 Then ; If the value is 0 the user is not locked out
                $strInfo = "-- User is not locked out" ; return the information
            ElseIf $GetUserInfo.IsAccountLocked = -1 Then ; if the value is -1 the user is locked out
                $GetUserInfo.IsAccountLocked = 0 ; set value to unlock
                $GetUserInfo.SetInfo ; update the domain
                $strInfo = "-- User has been unlocked" ; return the information
            EndIf
        EndFunc

     4. When you send an email to your work email it will need to run against the rules you set in place. The attachment is just a txt file (except with the extension .loc) with the first line being the username you want to unlock. This is what you will send yourself:

        User.loc:
            MyIdiotUser

     That's pretty much it! Remember it runs in the user context. You could actually delegate a domain user account to only do unlocking of accounts if you wanted to http://support.microsoft.com/kb/279723
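An added PowerShell equivalent of step 3 (not kickarse's script) that also consumes the user.loc format from step 4. The username in that file arrives as an email attachment, so it is treated as untrusted: it is checked against a strict account-name pattern before any directory lookup, and the unlock happens only when the account is actually locked out. It assumes the RSAT ActiveDirectory module and the same C:\UnlockDomainUsers\user.loc path.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
# Watches the folder from step 1 for user.loc, validates the name, unlocks, logs.
Import-Module ActiveDirectory

$ProcessFile = 'C:\UnlockDomainUsers\user.loc'   # same path as the VBA Root folder
$LogFile     = Join-Path $PSScriptRoot 'unlockusers.log'

function Test-UnlockName {
    param([string]$Name)
    # sAMAccountName-style only: letters, digits, dot, dash, underscore, 1-20 chars.
    # Paths, wildcards, filter syntax and DOMAIN\ prefixes are all rejected here.
    return ($Name -match '^[A-Za-z0-9._-]{1,20}$')
}

function Invoke-UnlockFromFile {
    param([string]$Path)
    # First line of user.loc is the username (an empty file yields an empty string).
    $name = ([string](Get-Content -Path $Path -TotalCount 1)).Trim()
    if (-not (Test-UnlockName $name)) {
        return "-- Rejected malformed username '$name'"
    }
    # Name is validated above, so it is safe to place inside the filter string.
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties LockedOut
    if (-not $user)           { return "-- User $name not found" }
    if (-not $user.LockedOut) { return "-- User $name is not locked out" }
    Unlock-ADAccount -Identity $user
    return "-- User $name has been unlocked"
}

while ($true) {
    # Poll every 10 seconds until the Outlook rule drops a user.loc in the folder.
    while (-not (Test-Path $ProcessFile)) { Start-Sleep -Seconds 10 }
    $result = Invoke-UnlockFromFile -Path $ProcessFile
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $result)
    Remove-Item -Path $ProcessFile -Force   # clear the way for the next email
}
```

Run it under the delegated account from the KB article linked above so a compromised mailbox gains unlock rights only, nothing more.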
  20. Razor, I still don't think you understand. We're verifying our domain users over the phone. We don't have access to their personal account information. We'd like to not have to even know their employee number or last four of their SSN (because honestly if you know where they were born you can gather the rest of the numbers). We're just trying to come up with a more secure way to go "Ok you are who you say you are, I'll unlock your account/reset your password to the domain/program/web site/etc". Instead of the "Hi this is Mark Smith" and me thinking "hmm... sounds like Mark, I guess it's him". We're probably going to be going with a solution like the password reset self service solution from SpecOps http://www.specopssoft.com/products/passwo...self%20service/ But we still need something in place for those times when we can't just do a domain unlock. However, we do have an intranet based ticket system in place. This could provide the solution for that since it's based on domain rights to get to the page, then they can request securely for things other than network access. Also, I'm not too worried about people tapping our phones externally. If it was a wireless phone maybe.
  21. It's not going to be for users to create their own accounts. It's to verify already existing accounts Razor. I thought I mentioned that it was for user verification over the phone.
  22. Think they'll go for me putting a RFID under their skin? lolz... I think the best thing is definitely a random set of questions. Nobody remembers their employee number.