Credential Dump Analysis
As time goes on, there are more and more credential dumps appearing online. There are databases from LinkedIn, Adobe, MySpace, Snapchat, Tumblr, Twitter, and many others. In an effort to understand people's password habits, I am importing them into my own database. From there, I can answer questions like the following:
- What are the most common passwords?
- How much password reuse occurs?
- Can a good password list be generated from these databases?
- Can I generate hashes from these databases to test for weak passwords?
To do this, I have a Dell PowerEdge 2950 with 4 physical cores and hyperthreading to achieve 8 logical cores. It also has 64 GB RAM, running CentOS 7 and MariaDB. Because of the huge number of records and limited resources, this database has to be optimized quite a bit. As I make further progress, I will make blog posts under the category of “Credential Research.”
This project is on github: https://github.com/4ndronicus/credential-research
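As an added illustration of the questions above (not code from the credential-research repository), here is a small Python sketch of the table and the aggregate queries behind "most common passwords", "password reuse" and "hashes for weak-password testing". It uses an in-memory SQLite table as a stand-in for the MariaDB database, constructed sample rows, and SHA-1 as the example hash.

```python
import hashlib
import sqlite3

# Constructed sample rows (source, email, password); not real dump data.
SAMPLE_ROWS = [
    ("linkedin", "alice@example.com", "123456"),
    ("linkedin", "bob@example.com", "password"),
    ("linkedin", "carol@example.com", "123456"),
    ("adobe", "alice@example.com", "123456"),
    ("adobe", "bob@example.com", "letmein"),
    ("myspace", "alice@example.com", "123456"),
    ("myspace", "dave@example.com", "password"),
]

def load_db(rows):
    """Build an in-memory SQLite table standing in for the MariaDB table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE creds (source TEXT, email TEXT, password TEXT)")
    # Indexes on the grouped columns keep the aggregates from full-scanning.
    conn.execute("CREATE INDEX ix_pw ON creds(password)")
    conn.execute("CREATE INDEX ix_email ON creds(email)")
    conn.executemany("INSERT INTO creds VALUES (?, ?, ?)", rows)
    return conn

def top_passwords(conn, n=10):
    """Most common passwords across all imported dumps, as (password, count)."""
    sql = ("SELECT password, COUNT(*) AS c FROM creds "
           "GROUP BY password ORDER BY c DESC, password LIMIT ?")
    return conn.execute(sql, (n,)).fetchall()

def reuse_rate(conn):
    """Share of accounts seen in 2+ dumps that reused a password between dumps."""
    sql = ("SELECT COUNT(DISTINCT source) AS s, COUNT(DISTINCT password) AS p "
           "FROM creds GROUP BY email HAVING s >= 2")
    rows = conn.execute(sql).fetchall()
    if not rows:
        return 0.0
    reused = sum(1 for s, p in rows if p < s)  # fewer passwords than dumps => reuse
    return reused / len(rows)

def weak_hashes(conn, algo="sha1"):
    """Map each distinct leaked password to its unsalted hash, for matching
    against a password store you are auditing (SHA-1 is the example algorithm)."""
    pws = [r[0] for r in conn.execute("SELECT DISTINCT password FROM creds")]
    return {pw: hashlib.new(algo, pw.encode()).hexdigest() for pw in pws}
```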
Keystroke Logger
What goes into capturing and exfiltrating data related to the use of a workstation? Is it memory-resident? Does it send via UDP to a DNS port? What types of things are done to establish persistence? These questions and others are of interest to me. So yes, there are lots of keystroke loggers out there. My interest lies not in using a keystroke logger, but in understanding on a deeper level exactly what can be and is being done to steal valuable data. At the OS and network levels, what could we be looking for? Rather than finding one every time I wanted a particular behavior, I have written my own keystroke logger in C++. I can modify the behavior as necessary. Compiled as a statically-linked binary, it has no OS-level dependencies. Everything it needs is compiled right in, making it easily portable.
This project is on github: https://github.com/4ndronicus/keylogger
Remote Access Tool
Very similarly to the project involving the keystroke logger, I want to know how these things work. What is necessary at the network level to detect them? How could I connect to one remotely, even outside the target network? Which ones currently exist, and how do they work? Again, rather than finding one every time I wanted to see specific functionality, I put my own together in C++.
This project is on github: https://github.com/4ndronicus/remote-access-tool
Inventory
The first controls of the CIS 20 Security Controls involve making an inventory. To this end, I put together a simple inventorying system. It grabs basic information about each system in the network, whether Windows or Linux. It then posts that information to an API, which puts it all into a MySQL database. You can then browse through and see what you have running on the network. It is written in PHP, Bash, and VBScript.
This project is on github: https://github.com/4ndronicus/inventory
Steganography
About 15 years ago, I was interested in steganography. Being the budding developer that I was, I decided to write a steganography program in Visual Basic 6.0 (I know, right). Back then, this program was used in an encryption course in a Master's Degree program at Ft. Leavenworth, Kansas. If you can find all the OCXs it needs, it will still fire up and you can play with it.
This project is on github: https://github.com/4ndronicus/steganography