2014/10/13

list.exploitsearch.net

list.exploitsearch.net is my attempt at creating an online searchable repository of security-related lists. What kind of lists? Well, pretty much any list that can be stored in a manner similar to "[type], [value]". So for example, it is fairly easy to store a list of common passwords... "[passwords], [123456]" or a list of common Unix usernames... "[usernames], [root]". The site can also store lists of other items such as common browser user agent strings, reverse shells which can be written on one line, one line back doors, known malicious IPs, and so on. There really is no limit to the types of data that list.exploitsearch.net can store and serve as needed.

The only site-imposed limitation is that all the data be actual/live data. That is to say, all the data that is to be stored should have been actually seen "in the wild". So, what does this limit? The easiest place to see this limitation is in the password list. This site will only store passwords that are known to have been used by actual people. So, it will not be storing all possible 8-character passwords. If you want that list, you can easily create it yourself via some other mechanism.

Also, all/most of the data contained in the site has a fixed life span. Depending on the nature of the data, the life span can vary. For example, the life span of passwords may be 1 year, whereas the life span of malicious IPs may just be a few weeks. After the life span of a piece of data has been reached, it will be removed from the standard list generation process, thus helping to ensure that the lists that are generated contain only up-to-date information. There may be an API parameter that will allow the generated lists to contain old data at some point, but currently this is not possible.
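To make the "[type], [value]" format and the life span rule concrete, here is an added sketch (not the site's actual code) of list generation with expiry. The `last_seen` date per entry, the `malicious_ips` type name, and the 365-day and 21-day life spans are assumptions for illustration; the sample records are constructed.

```python
import re
from datetime import date, timedelta

# Assumed life spans: the post only says passwords "may be 1 year" and
# malicious IPs "a few weeks", so 365 and 21 days are illustrative values.
LIFESPAN_DAYS = {"passwords": 365, "usernames": 365, "malicious_ips": 21}

# The value group is greedy so values that themselves contain ']' survive.
ENTRY_RE = re.compile(r"^\[([^\]]+)\],\s*\[(.*)\]$")

def parse_entry(line):
    """Split one '[type], [value]' line into (type, value)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a '[type], [value]' entry: {line!r}")
    return m.group(1), m.group(2)

def generate_list(records, list_type, today):
    """Return the values of list_type last seen within that type's life span.

    records: iterable of (line, last_seen) pairs. last_seen is a hypothetical
    per-entry field; expiry needs it, but the post does not describe it.
    """
    max_age = timedelta(days=LIFESPAN_DAYS[list_type])
    out = []
    for line, last_seen in records:
        try:
            entry_type, value = parse_entry(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the whole list
        fresh = today - last_seen <= max_age
        if entry_type == list_type and fresh and value not in out:
            out.append(value)
    return out

# Constructed sample data (203.0.113.0/24 is a documentation-only range).
SAMPLE = [
    ("[passwords], [123456]", date(2014, 9, 1)),
    ("[passwords], [letmein]", date(2013, 1, 15)),          # older than 1 year
    ("[usernames], [root]", date(2014, 10, 1)),
    ("[malicious_ips], [203.0.113.7]", date(2014, 10, 5)),
    ("[malicious_ips], [203.0.113.9]", date(2014, 8, 1)),   # older than 3 weeks
    ("passwords: qwerty", date(2014, 10, 1)),               # malformed line
]

if __name__ == "__main__":
    for list_type in LIFESPAN_DAYS:
        print(list_type, generate_list(SAMPLE, list_type, date(2014, 10, 13)))
```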

The goal of this site is to give security researchers, consultants, pentesters, etc... a place from which they can pull a list, tailored to their specifications, of common passwords, usernames, database columns, browser user agent strings, one line reverse shells, etc...

If you have data you would like to have added to one of the current types of lists or if you have an entirely new type of list you would like to have stored here, feel free to let me know.

The site is still in Beta, but should be usable. Over the next few days/weeks, the site will become more fully featured and the types and amount of data will increase.

Let me know what you think. What types of data/lists can I add that would make this useful to you?

Phishing with www.SafeLogin.co

As a security consultant and penetration tester, one of the various activities I would have to perform was a phishing exercise.
“Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites. Up to 5% of users seem to be lured into these attacks, so it can be quite profitable for scammers, many of whom send millions of scam e-mails a day.” — as quoted from OWASP
A few days ago, a colleague pointed me to www.webscript.io and to a simple phishing site he created on it. I took a look and was very impressed by the simplicity of it and how easy it was to set up the phishing site. For a complete writeup on his “Phishing with WebScript.io” experience, check out his site: http://averagesecurityguy.info

This got me thinking: while webscript.io is an amazing site, it is overkill for a simple phishing site. I thought I could create a simple site (just a few back-end scripts, Apache, etc…) that could act as a “Proof of Concept” phishing site generator.

…and thus was born: http://www.safelogin.co

www.SafeLogin.co is a bare-bones web site which allows a visitor to set up a phishing site of their very own (only for sites they are legally allowed to, as per the Terms of Use). All they need to provide is a target URL (the site to be cloned) and a unique phishing site name (.safelogin.co). All sites are kept alive for 7 days, at which time all data is erased.

www.SafeLogin.co does not (at this time) provide capabilities for sending the phishing emails; that must be handled by the user.

Please take a look and if you experience any issues or have any suggestions, please feel free to let me know.