Insecure Defaults Lead to Mass Open Proxies in China | InfoSec Resources.
Oh this is handy..
Burlington's Community HackerSpace
A little trick to extract stored FTP details – DigiNinja.
You are on a test and pop a box which has an FTP client on it. On investigation you find it has credentials stored but the boxes they are for aren’t in scope. Knowing the passwords could be reused on other boxes that are in scope you really want to collect them.
You could try grabbing the credentials file and trying to crack it but this might be an easier way…
Set up an FTP server on your machine then modify the hosts file on your popped box to point all the hosts with credentials to your machine. Then start a TCP sniffer on your machine and ask the client to connect.
The client will find the server and send the credentials which you can simply pull out of the packet capture.
This will also work with other plain text protocols such as HTTP basic auth and POP3 as long as you can get your own “fake” server to respond with enough initial info to trigger the details to be sent.
That is a cute little trick isn’t it!
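The trick quoted above depends on a hosts-file entry overriding where a saved site resolves. As an added example (not from DigiNinja's post or this blog), this defender-side check flags hosts entries that pin a hostname the FTP client has stored credentials for; the sample hosts content and the `SAVED_SITES` list are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file content (not from the original post).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
10.20.30.40     ftp.example.internal backup.example.internal   # added entry
192.0.2.15      Intranet.Example.Internal
not-an-ip       files.example.internal
"""

# Hypothetical list of hosts the FTP client has saved credentials for.
SAVED_SITES = ["ftp.example.internal", "files.example.internal",
               "BACKUP.example.internal"]


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        # Hostnames compare case-insensitively; ignore a trailing root dot.
        yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]


def find_overrides(hosts_text, saved_sites):
    """Return (line_no, hostname, ip) for every saved site pinned in hosts."""
    watched = {s.lower().rstrip(".") for s in saved_sites}
    findings = []
    for line_no, ip, names in parse_hosts(hosts_text):
        for name in names:
            if name in watched:
                findings.append((line_no, name, str(ip)))
    return findings


if __name__ == "__main__":
    for line_no, name, ip in find_overrides(SAMPLE_HOSTS, SAVED_SITES):
        print(f"hosts line {line_no}: {name} pinned to {ip}; verify before connecting")
```

Any hit deserves a look, because a plain text client will send its stored credentials to whatever address the name resolves to.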
I want Lab B to be like this but with computers and stuff!
Asus motherboard box doubles as a PC case | ITworld.
With a little epoxy this could be made permanent!
iPhone-based universal IR remote – Hack a Day.
I totally had the same idea three weeks ago!
Always wondered what the big boys of InfoSec sound like when they are talking to each other and in the office? Now’s your chance: visit the HBGary pages of Cryptome.
All About Patents is a short blog post to get you started on what’s up with patents, etc.
RSA 2011: HBGary Goes AWOL | Liquidmatrix Security Digest.
I understand why they did this but on the other hand it’s hard to sell your protection services when you can’t even protect yourself… AND you’re afraid to show your face in public.
Haven’t actually used this yet but thought it was pretty cool: