More password dictionaries

Last month, I posted about some password dictionaries I’ve collected. Well, thanks to a hacker who compromised PHPBB’s site, I added another. There’s a big caveat to this one, though – these passwords are apparently based on ones that were cracked by the hacker, so they’re only an accurate representation of weak passwords.

Continue reading

Password dictionaries

Greetings from 2009!

I have a real post planned for the near future, but for now you’re stuck with something short (and probably more useful, ultimately). I just wanted to draw attention to a few password databases I put on my wiki. You can find them here.

Continue reading

How NOT to do CAPTCHAs

Yes, this is a real CAPTCHA that I ran across.

Continue reading


Hi everybody,

I spent most of last Saturday exploring how SysInternals’ PsList program works, and how I could re-implement it as an Nmap script. I quickly discovered that the HKEY_PERFORMANCE_DATA (HKPD) registry hive was opened, then it got complicated. So I went digging for documentation and discovered a couple journals posts written by Microsoft’s Matt Pietrek wrote back in 1996. Those led me to the WinPerf.h header file. The three of those together were enough to get this working.

Continue reading

ms08-068 — Preventing SMBRelay Attacks

Microsoft released ms08-068 this week, which fixes a vulnerability that’s been present and documented since 2001. I’m going to write a quick overview of it here, although you’ll probably get a better one by reading The Metasploit Blog.

Continue reading

Calling RPC functions over SMB

Hi everybody!

This is going to be a fairly high level discussion on the sequence of calls and packets required to make MSRPC calls over the SMB protocol. I’ve learned this from a combination of reading the book Implementing CIFS, watching other tools do their stuff with Wireshark, and plain ol’ guessing/checking.

Continue reading

Matching passwords

Sometimes, I can’t help but laugh…

Continue reading

What does Windows tell its guests?

Hello everybody!

Lately I’ve been putting a lot of work into Nmap scripts that’ll probe Windows deeply for information. I’m testing this with both authenticated and unauthenticated users, mostly to determine how well error conditions are handled. Every once in awhile, however, I notice something that the anonymous account or guest account can access that seems odd. And today, I felt like I ought to post a blog, so you get to hear about it!

Continue reading

What time IS it?

How synced up are the clocks on your servers? Ignoring your system times may give an important clue to attackers. Read on to find out more!

Continue reading

My Scripting Experience with Nmap

As you can see from my past few posts, I’ve been working on implementing an SMB client in C. Once I got that into a stable state, I decided to pursue the second part of my goal for a bit – porting that code over to an Nmap script. Never having used Lua before, this was a little intimidating. So, to get my feet wet, I modified an existing script – netbios-smb-os-discovery.nse – to have a little bit of extra functionality:

Continue reading

NTLMv2, as promised, plus some random SMB stuff!

Last post, I promised I’d post about NTLMv2 once I got it implemented. And, here we are.

The LMv2 and NTLMv2 responses are a little bit trickier than the first versions, although most of my trouble was trying to figure out how to use HMAC-MD5 in OpenSSL. The good news is that LMv2 and NTLMv2 are almost identical to each other, with only one minor difference.

Continue reading

LANMAN and NTLM: Not as complex as you think!

As I’m sure you’ve noticed with my first two posts, my NetBIOS/SMB project is taking up most of my time. I hit a bump this weekend, and almost got to the point where the only valid answer was throwing things; luckily, however, I figured it out. I did make a new enemy, though: signed data types! The devil’s datatype.

Continue reading

ANDX… and what?

My current project, as you can see by my last post, is to learn how to work in Microsoft’s networking protocols (NetBIOS, SMB, CIFS, etc). This is obviously difficult due to the lack of standards and documentation, but there are two things that are seriously making my life difficult:

Continue reading

nbtool 0.02 released! (also, a primer on NetBIOS)

All right, maybe 0.02 doesn’t sound so impressive, but I’ve put a lot of work into it so eh?

Anyway, I just finished putting together nbtool 0.02. It is partly a test program for myself, and partly a handy tool for probing NetBIOS networks. Here is a link to the tool itself (I’ve tested this on Linux, OS X (ppc + intel), iPhones, and Windows (cygwin)):

Continue reading