illmob.org

Hacking Crappy Password Resets

March 15th, 2011 by admin in cracking, Password Info

Ron over at SkullSecurity had a great two-part series on poorly coded password reset snippets found on popular code sites. He goes into depth about how the password reset works, the different methods of resets, and how to use the reversed code to crack itself.
Check it out, it’s a great read:
Hacking Crappy Password Resets – Part 1
Hacking Crappy Password Resets – Part 2

Naked Password

March 2nd, 2011 by admin in News, Password Info


Naked Password is a jQuery plugin that encourages your users to enter stronger passwords. Pixelated model Sally tastefully removes items of clothing as the password grows stronger.

http://www.nakedpassword.com

The new threat

February 12th, 2011 by admin in Apple, cracking, Linux, Privilege Escalation, Uncategorized, windows

Programmable embedded devices can be detected as a HID device, just like a keyboard or mouse. So if you have physical access and a minute alone, you can compromise a system with something the size of your thumb. The possibilities are endless: HTTP/FTP download, injecting binaries into debug or PowerShell, etc. The device is also cross-platform, which means Windows, Linux, UNIX and Apple are all vulnerable.

Here’s an example project we made for a Windows 7 box that adds a new Admin user to the system and hides that user from the logon screen. The whole process takes about 16 seconds, with most of the time taken by the device being detected as a keyboard and the driver being installed. The device costs about $20 and can be found here

Plain-text iPhone passwords

February 10th, 2011 by admin in Apple, cracking

Lost your iPhone passwords? Just jailbreak it and recover all of them; they’re all in plain-text 🙂

Password recovery timing

February 10th, 2011 by admin in cracking

Time it takes a hacker’s computer to randomly guess your password:

Of course, unless they’re using a nice setup with GPU power 😀

MAPDAV

February 5th, 2011 by admin in cracking, Linux

MAPDAV is designed to use what is known about a user or users (e.g. username, first name, middle name, last name, etc.) on a Unix/Linux system from an /etc/passwd file and tries to come up with probable combinations that could be the user’s password. An administrator could run the output through a cracker and see if their users’ passwords are anything easy to guess.

For example, if we had a passwd file entry such as:
chrisa:x:107:102:Chris Anderson:/home/chrisa:/usr/bin/bash

We could have MAPDAV derive some possible passwords, such as chrisa, chrisanderson, andersonchris, canderson, ChrisAnderson, Anderson Chris, CHRIS, plus any other combinations you entered. It has quite a few other features you can use to modify the output to have arbitrary characters, be in reverse, and other useful things.

Out of a sample of 30192 users, MAPDAV 1.0p8 cracked 4.7% of the passwords on the default settings, 1.2% of which were NOT the same user/pass. This combined with a good conventional wordlist could give good crack results.
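The same derivations are useful at password-change time. The following is an added example (not MAPDAV's code and not from the original post) that parses a passwd entry, builds the combinations listed above, and flags a proposed password that is just one of them. The function names and the rule that strips spaces and trailing digits are assumptions made for illustration.

```python
import itertools

# Constructed sample: the passwd entry quoted in the post.
SAMPLE_ENTRY = "chrisa:x:107:102:Chris Anderson:/home/chrisa:/usr/bin/bash"


def parse_passwd_line(line):
    """Return (username, [name parts]) from one /etc/passwd line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    # GECOS may carry comma-separated extras (room, phone); the name comes first.
    full_name = fields[4].split(",")[0]
    return fields[0], full_name.split()


def derived_candidates(line):
    """Lower-cased strings derivable from the account's own passwd fields."""
    username, parts = parse_passwd_line(line)
    names = [p.lower() for p in parts]
    out = {username.lower(), *names}
    for a, b in itertools.permutations(names, 2):
        out.add(a + b)      # chrisanderson, andersonchris
        out.add(a[0] + b)   # canderson
        out.add(a + b[0])   # chrisa
    out |= {c[::-1] for c in out}  # reversed forms
    return out


def is_derivable(password, line):
    """True if the password is a case, space or digit-suffix variant
    of something derivable from the passwd entry (assumed policy rule)."""
    core = password.lower().replace(" ", "").rstrip("0123456789")
    return core in derived_candidates(line)


if __name__ == "__main__":
    for pw in ("ChrisAnderson", "Anderson Chris", "chrisa2011", "v9!kTq#rLm2"):
        verdict = "reject" if is_derivable(pw, SAMPLE_ENTRY) else "ok"
        print(f"{pw!r}: {verdict}")
```
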


More info: http://mapdav.sourceforge.net

PlayStation 3 code signing cracked

December 30th, 2010 by admin in Gaming

The hackers uncovered the hack in order to run Linux on PS3 consoles, irrespective of the version of firmware the games console was running. They found it was possible to calculate the public private keys, giving users the ability to sign their own software and load it into the PS3. By knowing the private key used by Sony the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on a games console were firmware specific and involved messing around with USB sticks.

Read more: http://www.theinquirer.net/inquirer/news/1934470/hackers-mock-sony-ps3#ixzz19cCnto6t

http://fail0verflow.com/

Unix crypt(3) Rainbow Tables

December 22nd, 2010 by admin in cracking, Linux

Darth Null had a nice writeup on how to make crypt(3) rainbow tables. He had been told that the salt made it impossible to generate rainbow tables unless you went to the trouble of creating 4096 different tables (one for each salt); the reason cited was the presence of the two-character salt at the beginning of the hash. A couple of nights later he devised a solution that was able to read, write, and process crypt(3) hashes in their native form (as opposed to a flat hexadecimal dump of the hash). He wanted to submit it for ShmooCon but didn’t get accepted, so rather than sit on the information, he decided to release it on his blog.

  1. Instead of generating 4096 tables of 1-8 character passwords, just create 1 table of 3-10 character passwords, and use the 1st two characters of the plaintext passwords as the salt. (That part will make more sense if you read the paper.)
  2. It’s still kind of slow: 9x slower than LM hashes, for example. But CPUs are much faster than they were in 2003, when people first started building tables for LM hashes.
  3. It also takes a lot of storage. But storage, likewise, is much cheaper than it was seven years ago.

The whitepaper can be found here:

The Top 50 Gawker Media Passwords

December 14th, 2010 by admin in News

Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: “123456.” So is the runner-up: “password.”

On Sunday night, hackers posted online a trove of data from Gawker Media’s servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords.

At least two popular passwords are science-fiction references: “trustno1” was Special Agent Mulder’s password on “The X-Files,” and “thx1138” is a George Lucas film that envisioned a dystopian future. Other popular passwords are just plain-old geeky: “dragon,” “superman,” “princess,” “starwars” and “nintendo.”

Gawker Media Hacked

December 12th, 2010 by admin in News, Uncategorized

Outputted into a 500MB torrent file, currently residing on the popular torrent tracker ThePirateBay is a database dump of about a million or so commenters and staff passwords.

Inside the torrent file lies a file entitled Readme.txt. This file is potentially the most sensitive of them all, for it holds the usernames and passwords used by the entire Gawker staff, focusing particularly on Gawker’s founder Nick Denton.

The usernames and passwords to Denton’s Google Apps, Twitter, Campfire accounts are all listed; Denton uses the same password for them all.

Also, some gaming sites’ FTP passwords were stolen too.
gawker gaming

Though all of the passwords were encrypted, simple ones may be vulnerable to a brute-force attack. You should change your Gawker password, and your password on any other sites on which you’ve used the same one.
