the.red

Members
  • Posts: 31
  • Joined
  • Last visited
  • Days Won: 1

Everything posted by the.red

  1. Looks like someone figured out how to game the Reddit system. This probably has been done before, but as far as we know nobody’s actually shared the methods in detail. [Esrun] wrote some scripts that allow him to register multiple accounts and use them to up-vote stories. The hack goes something like this. A script registers a group of accounts. Each uses a different IP and the only part that requires intervention is typing in the Captcha. This doesn’t take long. You can see the script interface above as well as a demonstration video after the break. Once the accounts have been acquired a story is submitted and the new accounts vote on it. They’re not all up-votes though, as having both up and down votes puts the article into the controversial section of Reddit (which is desirable), and doesn’t rouse as much suspicion from the moderators. He ran a few tests that he shares and it seems that as long as the article is interesting, this can be quite successful. Great, more spam with our social media please.

     Reddit hacking for votes and profit - Hack a Day
  2. I just released a new tool called Windows Credentials Editor 1.0 (WCE). It allows you to perform pass-the-hash and other things related to Windows logon sessions, and supports XP, 2003, 7, 2008 and Vista. You can find it here: http://www.ampliasecurity.com/research/wce_v1.0.tgz

     HEXALE (security & reverse engineering): Windows Credentials Editor v1.0 (WCE)
  3. Who doesn't love a good googledork? Francis Brown and Rob Ragan over at Stach & Liu sure do. They have given us a few reasons to fall in love with Google hacking all over again. If you haven't seen their excellent presentation called "Lord of the Bing" at Defcon, Blackhat, B-Sides, etc., here is what you've missed.

     Google considers all search results to be their intellectual property. To prevent automated scraping of their results they implemented controls that block tools that do hundreds of Google searches to collect the results. That makes automatically launching hundreds or thousands of Google searches to find sensitive data, configuration files and other interesting things a time-consuming process. Francis and Rob have figured out a few ways to make that process simple.

     First, BING doesn't have any of the restrictions that Google does. But BING's syntax is a little different than Google's, so you can't just plug your GoogleDorks into BING. So they converted the entire GHDB to BING searches and have made that publicly available on their website. That is pretty awesome by itself. But there is more.

     Second, Google doesn't blacklist or apply restrictions to searches conducted from Google services (imagine that). They took the entire Google Hacking Database, Foundstone Hacking Database and their new BING Hacking Database and turned them into Google Reader RSS feeds. As soon as Google or BING indexes a new site that matches your "intitle:Index Of passwords" criteria, Google Reader adds it to your RSS feed. (Your Google Reader is able to get BING results by leveraging BING's &format=rss parameter.) As a result, Google and BING are constantly searching for all the Googledorks in the database and maintaining a realtime database of the results! Then Rob and Francis exported their RSS feeds to OPML format so you can just import them into your own Google Reader account. That is REALLY cool! (Note: importing that huge XML file takes some time. Be patient.)

     But there is more! If you order today they will send you the GHDB converted to the BHDB and the entire GHDB, FHDB and BHDB in Google Reader format, but they don't stop there. There is a suite of command-line and GUI-based tools to make it easier to search your sites for sensitive data using Googledorks.

     How do we defend ourselves against search engine data leakage? We use the "SITE:mysite.com" and the google dork to see what data we are leaking. Without automation it is very time-consuming to try hundreds of Googledorks against one site. So what if you have 1000 or more sites? You probably just ignore the threat and hope for the best. Their SearchDiggity project comes to the rescue. With their tool you can plug in multiple domains and easily use the unfiltered BING results to keep tabs on the sensitive data search engines are finding on your sites.

     All of the tools and the Google Reader OPML are available for download here: http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/

     http://pauldotcom.com/2010/10/real-time-google-hacking.html
  4. the.red

    Hi. I'm a guy who puts offensive thinking first. Currently a student. Programming: c/c++/vb 6.0/vb.net 2010. I broadly know php / mysql / mssql for sqli / xss / lfi / etc. I pick things up quickly. Hobbies: swimming, gym, cycling, gymnastics, physics (mechanics and optics at the international level). I joined the forum to ask for some help. But 10 posts are required. So I'm "waiting".