Thursday, July 30, 2009

Presentation: Botnets

Delivered the session today. It was an interesting discussion and after some initial hiccups in the bot demo, it went fine.

Attaching the presentation in here.

Hope it will be helpful.

Best Regards.

Friday, July 24, 2009

RainbowCrack 1.4

RainbowCrack 1.4 is released.

This version focuses on a more effective rainbow table file format. New features:

- New compact rainbow table file format (.rtc) reduces rainbow table size by 50% to 56.25%

- New rt2rtc utility converts rainbow tables from the raw file format (.rt) to the compact file format (.rtc)

- New rtc2rt utility converts rainbow tables from the compact file format (.rtc) to the raw file format (.rt)

- The rcrack/rcrack_cuda programs support both the .rt and .rtc rainbow table file formats

- Conversion from non-perfect to perfect rainbow tables is supported by the rt2rtc utility

Smaller rainbow tables significantly improve table lookup performance!

Best Regards..

Hacking CSRF Tokens using CSS History Hack

Detailed write-up on the new CSRF token hack using CSS history:

Proof of Concept here:

Best Regards.

Anatomy of a Twitter Attack.

A good write-up on the recent Twitter attack:

Best Regards.

Monday, July 13, 2009

Quick update: Botnet lab test

It took quite some time to get this src up and kickin', and finally it seems to be working just fine, if not great. I had been planning to take up the botnet session, on which I posted earlier here: Botnet: The Silent Threat I and Botnet: The Silent Threat II. As most of us are already aware of the theory, it made little sense to me to just go ahead with plain words and pics.

So I started setting up a test lab. And little did I know this was going to be interesting; I spent several nights up, surrounded by dozens of bot sources. I checked out every source one by one. Public sources are usually broken, with modules missing, and need to be checked carefully. Well, most of the src will compile smoothly; but either they didn't connect back to the ircd, or started behaving in undefined ways and, in some cases, reached out to their respective mother ship.

As of now, I've been able to fix the rx src; the ago src runs fine but is backdoored. Some variants of rx, ago, phat etc. and other private src absurdly start up a port scan of the ircd!!

I know rx is quite old, but I believe it is good enough for the lab test and video tutorial (rx variants are still out even today).

Anyways, this is what I have been able to test on rx 7.6 src:

1. DDoS - icmpflood, synflood, tcpflood, udpflood etc.
2. Spreader - dcom135 hitting a Windows 2k box
3. Misc functions - keylogging, screen/webcam capture, remote shell etc.

I am using unrealircd for the IRC server, wireshark/tcpview on the hosts for watching connections as they open, and the xchat client for the attacker. I am hoping to add some new exploits to the rx src if I can get some time this week.

There are a few other src here which I will focus on now that rx is up. These src have AIM/MSN and several other spreader functions besides common Windows sploits. Hope to get these up before the weekend.

OK, I guess I'll take a break for a few hours now. The morning sun is about to rise and shine.

Best Regards.

Saturday, July 11, 2009


I know I haven't posted much lately. Been out on a few projects and just couldn't find the time to blog.. :dunno:
Only got back today.. so I can now start working on the preso in progress..

Will be sharing some' soon.

Stay connected.

Best Regards.

Wednesday, July 1, 2009

SPAM Template...

Variables, links...fill in the blanks, anyone?

Ain't it interesting :)
From: Dwayne Mendoza []
Sent: Tuesday, June 30, 2009 3:48 PM
Subject: %SI_subj
Importance: High

%SI_rnd10 the most %SI_rnd11 %SI_rnd12 of all men?

Does your %SI_rnd13 make it %SI_rnd14 for you to %SI_rnd15 yourself in %SI_rnd16?

%SI_rnd17 the %SI_rnd18 inside %SI_rnd19! Give your %SI_rnd20 the unlimited charge of %SI_rnd21 and desire!
You can %SI_rnd22 it simply by %SI_rnd23 one pilule %SI_rnd24! The perfect %SI_rnd25 of deisire-improving %SI_rnd26 with %SI_rnd27 of real life tests and thousands of testimonials!

Your %SI_rnd28 being a %SI_rnd29!


The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.