Last month, 4iQ found a massive password list containing 1.4 billion usernames and passwords from previous breaches. The data is broken up into directories and files according to the first few letters of the username to allow for quicker searching using the included query.sh script. While this makes searching for specific users very easy, it is difficult to search the 41GB data dump by domain name for users from an entire organization.

Read More

What’s the problem? The Internet is a cesspool of script kiddies and automated bots, so I always recommend reducing the attack footprint on web servers as much as possible. Some day I’ll get into some additional defenses, but for today, here is something that will get rid of a huge amount of unwanted traffic. If someone is going to attack my servers, I at least want them to have to be targeting me and my domain names instead of just blindly stumbling upon my server by its IP address.

Read More

Continued from Security Camera Hacking … Overview and Goals The goal of this phase of my analysis is to learn more about the camera and any vulnerabilities it might have. I will use a traditional dynamic analysis approach, including: Recon\Intelligence Gathering Threat Modeling Vulnerability Analysis & Exploitation For reference, my standard setup can be found here. Phase 1 - Recon and Intelligence Gathering Before I start doing any recon though, I establish a screen session on my attack box in case I get disconnected.

Read More