"Inveniam viam aut faciam" : I will either find a way, or I shall make one

Adeptus-Mechanicus - BlogMe


Electronic “architecture” promises

In real life, big companies and organizations build impressive buildings to demonstrate to visitors and clients how worthy and valuable they are. Banks have done this for decades, as have governments. The not-too-subtle idea is that only very wealthy and powerful organizations can afford to do this, so we can trust them. And that worked. The problem is that we still have the same instinct on the internet. We see a great-looking website with a slick layout and we think that we should trust the company, because surely only a professional company could build that… right? Not so much.

Take a look at Brian Krebs’ recent article:

Infamous Hacker Heading Chinese Antivirus Firm?
Address : <https://krebsonsecurity.com/2012/11/infamous-hacker-heading-chinese-antivirus-firm/>

As always it is a good read, but take a look at the address used for this “Canadian” business: 5334 Yonge Street, Toronto..

..not exactly trust inspiring. So remember, fancy electronic “architecture” is just a cheap psych trick playing on our real-world architectural biases – always do a bit more investigation… or read Brian’s blog :).

Published by erich, on November 14th, 2012 at 3:55 pm. Filed under: General | No Comments

Metasploit – Getting Keystrokes

Metasploit is a great tool: it lets you not only do some cool things, but do them in a useful way. A good example is when I was looking at dumping the keystrokes from a bunch of compromised machines; there are three possible options.

Address : <http://www.adeptus-mechanicus.com/codex/metakey/metakey.php>

Published by erich, on October 23rd, 2012 at 1:00 am. Filed under: General | No Comments

The…. Hyundai of the Beast

Published by erich, on October 22nd, 2012 at 5:27 pm. Filed under: General | No Comments

Update – LinkedIn Hashdump and Passwords

Update – 20 September 2012
Ok, I have gotten past 80% cracked, so here is the latest dictionary and dictionary analysis. The exact figures are:
masked (150) = 3274239 of 3521180 / 92% done (246941 left)
unmasked (100) = 2022350 of 2936840 / 68% done (914490 left)
total = 5296589 of 6548020 / 82% done

Now before I get into the analysis of the passwords, I browsed through them for interest’s sake. We often say that bad passwords are chosen by users who do not know about good passwords, but is that always true? Hmmmm…
# grep -iE "cissp" ./linked.dic
1amcissp!
Cisa+cissp
cisacissp
cissp02
Cissp1
Cissp@1
Cissp10kn
cissp@123
Cissp1804
cissp@2001
cissp2004
cissp2007
Cissp2008!
cissp2008
Cissp@2009
cissp2c4
cissp324324
cissp53176
cisspg1ac
cisspgiac
Cisspin2010
cissplinkedin
cisspnitro
cisspwmn
iwbacissp2

Address : <http://adeptus-mechanicus.com/codex/linkhap/linkhap.php>

Published by erich, on September 21st, 2012 at 1:57 am. Filed under: General | No Comments

EHarmony – Plaintext and Hashdump

Well, I have cracked more than 80% of the EHarmony hashdump, so it is time for me to report on the passwords and release the plaintexts. I will update this page as I get to 90% and so on. I used cracking this hashdump to test my LinkedIn plaintexts and to explain some hashcat basics (see here).

  • the hashes are MD5, but there seem to be a few non-MD5 entries that hashcat will complain about
  • the hacker who released them removed all duplicates
  • EHarmony converted all lowercase to uppercase, greatly reducing the keyspace for cracking
  • I am guessing that these passwords represent a password rules change: there are some passwords that look like they were cut off at 14 characters, but also a very few with more than 14 characters. Also there are almost no passwords with special characters in them. I would guess that at some time EHarmony changed the password rules and this hashdump represents passwords from before and after that change.
  • Here is the hashdump
  • Here are the plaintexts (currently 1258045 of 1513805 or 83% done)
  • Here are some rules which were generated by hashcat when using the “g” option

Address : <http://www.adeptus-mechanicus.com/codex/ehdic/ehdic.php>

Published by erich, on September 15th, 2012 at 7:09 pm. Filed under: General | 1 Comment

Hashcat – Cracking EHarmony hashes easily

I have recently been using hashcat to crack through the LinkedIn hashdump (see here). So I figured that if I wanted to show some easy steps for using hashcat, let’s start by using what I have found for LinkedIn against the EHarmony hashdump. This will be a way to see how “valuable” the LinkedIn dictionary is and how to use hashcat.
Address : <http://www.adeptus-mechanicus.com/codex/hcateasy/hcateasy.php>
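The three posts above all come down to the same kind of list analysis: grepping a cracked list for a token (the CISSP search), spotting the artefacts the EHarmony post describes (case folding to uppercase, a length cut-off at 14, almost no special characters) and measuring how much of one dump a dictionary built from another covers, which is what "how valuable is the LinkedIn dictionary" asks. Below is an added example, not the blog's own tooling, that does each of these in Python over a small constructed sample. The sample plaintexts and the sample dictionary are made up here and are not from the LinkedIn or EHarmony data, and the 62-to-36 character-set sizes in bits_lost_by_case_folding are an assumption about the alphabet in use.

```python
"""Password-list statistics (added example, not the blog's own tooling).

Runs over a small constructed list of plaintexts standing in for the cracked
LinkedIn / EHarmony plaintexts the posts describe. Nothing here is real data.
"""
import math
import re
from collections import Counter

# Constructed sample plaintexts (not from any real dump).
SAMPLE_PLAINTEXTS = [
    "1amcissp!", "Cisa+cissp", "cissp2008", "Cissp@2009", "cissplinkedin",
    "PASSWORD", "SUMMER2010", "LETMEIN", "ILOVEMYDOGMAX1", "TROUBLEMAKER99",
    "UNBELIEVABLE123456", "qwerty123",
]

# Constructed stand-in for a dictionary built from a different leak.
SAMPLE_DICTIONARY = {"password", "summer2010", "qwerty123", "letmein", "dragon"}


def search(words, pattern):
    """Case-insensitive regex match over the list, like `grep -iE pattern`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [w for w in words if rx.search(w)]


def length_histogram(words):
    """Length -> count. A sharp spike at one length hints at truncation."""
    return Counter(len(w) for w in words)


def truncation_suspects(words, limit=14):
    """(count exactly at limit, count above limit). Many at the limit and
    almost none above it is the before/after-rules-change pattern."""
    hist = length_histogram(words)
    at_limit = hist.get(limit, 0)
    over_limit = sum(c for n, c in hist.items() if n > limit)
    return at_limit, over_limit


def case_profile(words):
    """Count letter-case classes ('upper', 'lower', 'mixed', judged on the
    letters only) plus how many entries contain a non-alphanumeric character."""
    profile = Counter()
    for w in words:
        letters = [c for c in w if c.isalpha()]
        if letters and all(c.isupper() for c in letters):
            profile["upper"] += 1
        elif letters and all(c.islower() for c in letters):
            profile["lower"] += 1
        else:
            profile["mixed"] += 1
        if any(not c.isalnum() for c in w):
            profile["has_special"] += 1
    return profile


def year_suffixes(words):
    """Trailing 19xx/20xx years: the common 'word + year' construction."""
    counts = Counter()
    for w in words:
        m = re.search(r"(19|20)\d\d$", w)
        if m:
            counts[m.group(0)] += 1
    return counts


def bits_lost_by_case_folding(length, full_alphabet=62, folded_alphabet=36):
    """Entropy (bits) removed when mixed-case alphanumerics are folded to one
    case before hashing: log2(full^length / folded^length). The alphabet
    sizes (62 mixed-case alphanumerics vs 36 single-case) are an assumption."""
    return length * math.log2(full_alphabet / folded_alphabet)


def reuse_rate(dictionary, plaintexts):
    """Fraction of plaintexts present in the dictionary. Both sides are folded
    to upper case so a mixed-case dictionary can be scored against an
    uppercase-only dump."""
    folded = {d.upper() for d in dictionary}
    hits = sum(1 for p in plaintexts if p.upper() in folded)
    return hits / len(plaintexts) if plaintexts else 0.0


if __name__ == "__main__":
    print(search(SAMPLE_PLAINTEXTS, "cissp"))
    print(truncation_suspects(SAMPLE_PLAINTEXTS))
    print(case_profile(SAMPLE_PLAINTEXTS))
    print(year_suffixes(SAMPLE_PLAINTEXTS))
    print(f"{bits_lost_by_case_folding(8):.2f} bits lost at length 8")
    print(f"{reuse_rate(SAMPLE_DICTIONARY, SAMPLE_PLAINTEXTS):.1%} of plaintexts covered")
```

On the sample, `truncation_suspects` reports two entries sitting exactly at 14 characters and one above it, the same shape the EHarmony post describes; `reuse_rate` folds both sides to upper case before comparing, which is what is needed to test a mixed-case LinkedIn dictionary against an uppercase-only dump; and the entropy figure says folding an 8-character alphanumeric password to one case costs a little over 6 bits, roughly 77 times fewer candidates to try.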

Published by erich, on September 10th, 2012 at 2:01 pm. Filed under: General | No Comments

Updated – LinkedIn hashdump and passwords

masked (150) = 3108522 of 3521180 / 88% done (412658 left)
unmasked (100) = 1647836 of 2936840 / 56% done (1289004 left)
total = 4756358 of 6458020 / 73% done

The updated dictionary is here, and the specific non-standard rules that have worked for me are here.
Address : <http://www.adeptus-mechanicus.com/codex/linkhap/linkhap.php>

Published by erich, on September 9th, 2012 at 1:59 pm. Filed under: General | No Comments

LinkedIn hashdump and passwords

Unless you have been living under a rock (not judging, just that you may not get wireless there) you should have heard about the 2012 LinkedIn data leak. The hacker has released about 6.5 million hashes.

Now none of this is that new, but I think this list is very important, since it is an actual verified list of user passwords: not a dictionary of “could be” but a list of “has been”. This means that from a reuse point of view it is very useful. For that reason I am putting up the list of hashes I have already cracked. I do not have a dedicated cracking rig or GPUs or Amazon or such; this is just little old me plugging away at the list. Get it here.
Address : <http://www.adeptus-mechanicus.com/codex/linkhap/linkhap.php>

Published by erich, on September 3rd, 2012 at 1:55 pm. Filed under: General | No Comments

Trouble with assumption

The ISG Whitehat user group in SA did me the honour of asking me to do a talk, and I did one titled ‘The trouble with assumptions’. The basic premise is that our understanding of risk depends on how probable we think any specific occurrence is: if we think it is remote, the risk is lowered; if it is highly possible, the risk is increased. I wanted to apply this principle to how much trust we place in the source IP of network transactions.
Address : <http://www.adeptus-mechanicus.com/codex/twassume/twassume.php>

Published by erich, on March 29th, 2012 at 1:48 pm. Filed under: General | No Comments

Linux + Wine + World of Warcraft + Intel

I have recently moved from OSX to a Linux laptop, and yes, I am happy with it. But I wanted to play “World of Warcraft”, just a strange impulse I have now and again. Anyway, I figured “no biggie”: set up VirtualBox, install Windows, then install WoW and away we go.

Not so much. I installed VirtualBox, Windows and WoW. I spent a long time downloading patches. But the damn game would not play. Turns out that VirtualBox and DirectX are not good friends. So I installed the extensions and enabled DirectX. No go. Ok, bruised but not defeated. I would use Wine, the Windows virtualization layer, to install WoW; there are lots of posts about it on the web. So I figured “no biggie”: set up Wine, install WoW and away we go.

Not so much. Wine worked. The install worked. But Launcher.exe did not. I could fire up the wow.exe binary, but could not log in as the latest patches were not there. Ok, more reading showed that you could manually install the patches. So I downloaded and installed them, but it did not work quite as advertised. Now it’s personal.

I spent a long time reading posts and fiddling with Wine settings, winetricks, upgrading Wine, different kernels, until I said screw it. I started up VirtualBox, fired up the Windows instance, and let WoW update fully. Then I created a shared folder and copied my entire ‘World of Warcraft’ folder to my Linux box. Then in Linux I started up wow.exe, and all was well: latest patches, I could log in, create a character, and all was well with the world.

Not so much. I logged onto the game with my new character and it bombed. Needless to say I was … not silent at this point. Browsing the interwebs told me that having an Intel graphics card was a dead end. The advice was to get another PC. Not so useful. But then I saw a post that mentioned installing ‘driconf’ to make a change, and it worked!!

So, if you are on Linux, want to play World of Warcraft and have an Intel graphics card, here is how you do it in a failsafe manner:

  1. Install VirtualBox
  2. Using VirtualBox, set up a Windows guest
  3. Set up a shared folder between guest and host
  4. Download the WoW client for Windows
  5. Install WoW on your Windows machine
  6. Start up WoW and let it download all patches
  7. Once patching is done, copy your entire game folder to the shared folder
  8. On your Linux host, copy the shared folder files to your Wine folder
  9. Change permissions as needed to make sure you own the files
  10. Make sure Wow.exe starts when you launch it with wine
  11. If you see the login screen with the latest patch, that’s enough for now; quit WoW
  12. Install ‘driconf’
  13. Run ‘driconf’ and a GUI window will show up. Go to the ‘Image Quality’ tab
  14. On this tab set ‘Enable S3TC texture Compression’ to ‘Yes’
  15. Close that window
  16. From a terminal window type ‘regedit’. This will start up a registry editor for the Wine environment
  17. Find this key: HKEY_CURRENT_USER\Software\Wine\
  18. Highlight the Wine folder in the left-hand pane by left-clicking on it. The icon should change to an open folder
  19. Right-click on the Wine folder and select [NEW] then [KEY]
  20. Replace the text New Key #1 with OpenGL
  21. Right-click in the right-hand pane and select [NEW] then [String Value]
  22. Replace New Value #1 with DisabledExtensions (notice it’s case sensitive!)
  23. Then double-click anywhere on the line; a dialog box will open.
  24. In the value field type GL_ARB_vertex_buffer_object
  25. Now you can run wow.exe through wine, log in and actually play
So yes, it is possible to play WoW on Linux with an Intel graphics card. You may have better luck running Launcher.exe under Wine, in which case you will not need the VirtualBox steps. But for me, the above list is foolproof.


Published by erich, on November 16th, 2011 at 3:39 am. Filed under: linux | No Comments