phr34kc0der

  1. And a million software engineers died, shouting "descriptive variable names!"
  2. Was this on a home router or something? Did you try pulling off the firmware or trying to access the filesystem/config some other way? I'm thinking looking for UART/JTAG ports on the board. This excites me. I wonder whether it's disabled, or just removed from the web interface.
  3. Are you trying to find the addresses of other players? I've not used Cain and Abel for many, many years but from what I remember, it does ARP poisoning to perform Man in the Middle attacks. It probably performs ARP sweeps to find hosts and this will only work on your LAN. Unless I'm misunderstanding Xbox Live (could happen, I don't own an Xbox, or really even play games), your Xbox will be connecting to a server somewhere and so will have no knowledge of the IP addresses of other players. As these hosts are not part of your local network, an ARP sweep will not disclose those addresses either. Note: everything I said could be wrong. Cain and Abel could have changed since I last used it, and my assumptions about XBL could be incorrect.
  4. Need more reasons to ditch RC4 in TLS? 52 hours to recover encrypted cookies. Not a super practical attack but kind of interesting. http://www.rc4nomore.com/
  5. Ah, I see. Burp can be used as a client (the repeater tab), although it's not well suited to it. It's best if you have a client that already generates requests and use Burp to proxy then modify requests. It does have the advantage that it will let you perform a multitude of security testing against the web service. You could try soapui. I've used it a little on Linux and despite its name, it supports REST web services. It may be a little less slick than paw though (just judging from the screenshots).
  6. The question is a little confusing. Are you saying you want to create multiple accounts in a web app that doesn't allow multiple accounts? Is this an external web application? If so, changing your MAC probably won't help much. Once traffic leaves your network, nothing will see the MAC address you use on your internal network adapter. As a side note, you can change MAC address without using a VM. If the application is using your IP address to identify you, you should be able to jump through a proxy. If they store a token or something in a cookie (or other client-side storage), you should be able to delete it (or open a private window/new browser/new browser session etc) to bypass it. You could even script something with a little *nix or PowerShell knowledge. I guess it boils down to this: try a few things. Figure out how they detect you, and find a way to bypass it. I personally can't think of any way they could detect you that couldn't be bypassed. Some would slow me down (e.g. requiring a phone number for registration) but you first need to know what they check.
  7. Are you looking for something like burpsuite or mitmproxy? Portswigger offers a free version of Burp, but it has some limitations. It's extensible via plugins. Alternatively, curl can work in a pinch and is obviously great for scripting.
  8. It's a mindset. You hack to learn, you don't learn to hack.
  9. Ethereal? Development stopped on that years ago. It's now Wireshark. I'm not sure on the current state of things, but a few years ago there were some tricks available to do this. The basic idea was to get the user to navigate to a page you controlled. This page would contain links to webpages and some CSS to somehow highlight which links have already been viewed. JavaScript could then be used to query for these links. I would imagine that this has been fixed in recent browsers, but it might give you something to work with.
  10. So what are the other values? Random values on the stack or something?
  11. Pretty interesting. I checked it out and I'm getting the same result. Could srand() be a wrapper for something? If anyone knows I'd be interested in the answer.
  12. Not had any experience with this but you mentioned chmod, so did you try this in Linux? If it's creating a virtual CD-ROM drive then I guess it'll be read only so maybe try copying the data locally, formatting the drive and copying the data back. Also I'm pretty sure that Windows will stop autorun if you hold shift when you first insert the disk (or drive in your case).
  13. What were you doing at an all girls catholic school?
  14. If that means what I think it means, you are an idiot.
  15. "A week" I said. HAH!