@cmlh Christian Heinrich

May 24
A Maltego Graph leveraging the “Just T[he]IP” Local Transform against gamearena.com.au is available from GitHub and CodePlex.
According to http://www.telstra.com.au/abouttelstra/media-centre/announcements/bigpond-games-site-security-incident.xml, 203.46.104.10 is “operated by a third party company”. However, this is disputed, since the last identified hop of the route to 203.46.104.10 is 165.228.157.30, which resolves to telstr516.lnk.telstra.net (the complete list of route hops is available from visualroute.visualware.com).

Apr 29

Apr 21

Apr 17

Facebook - Maltego Local Transforms

I have released a number of Maltego Local Transforms for the Facebook Graph API which list who was invited to a Facebook event, such as “BlackHat”, or the members of a Facebook Group, such as “RUXCON”. A complete list of these Maltego Local Transforms is available on GitHub.

These Maltego Local Transforms are available to download from Google Code.

Apr 12

Metadata of @AnonW0rmer from #CabinCr3w

Updated on 27 April 2012: The image with the metadata that was hosted on TinyURL has been removed and both Facebook Users have been marked as “unavailable”.

I have produced a Maltego Graph, hosted on GitHub, using the GPS EXIF Image Forensics Local Transforms from Recx Ltd against the image from the PasteHTML page referenced in the statement of Scott Jensen:

Maltego Graph

The following were also noted during this OSINT exercise:

  • imgur strips the EXIF (including GPS) data from each uploaded image, as observed in exhibits #1, #2, #3 and #4. However, the articles of clothing (or lack thereof) are similar to those in the image hosted on TinyURL.
  • The latitude and longitude recorded in the image are -37.857, 145.2503.
  • The relationship with Kylie Gardner (the woman in the image) was correlated to Higinio Ochoa’s Facebook profile.
  • Searching for the UserID “higochoa” (e.g. on deviantART or Twitter) and also “HiginioOchoa” (e.g. on Ning) might reveal membership of other social networks. Further correlation could be achieved by exploring the relationship to @OzGirl (i.e. Kylie Gardner), such as this example.
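The coordinates above are read from the GPS tags in the image’s EXIF data, which is exactly what imgur strips on upload. The following Python script is an added example (not the Recx transforms or any code from this post): it locates the APP1 “Exif” segment in a JPEG, walks the TIFF directories to the GPS IFD and converts the degree/minute/second rationals into signed decimal degrees. The JPEG it parses is constructed inline with no image data, and its tags were chosen to reproduce the latitude and longitude quoted above; they are not the original file’s tags.

```python
"""Minimal EXIF GPS reader: find the APP1 'Exif' segment in a JPEG, walk the
TIFF directories to the GPS IFD and turn the degree/minute/second rationals
into signed decimal degrees.

Added example, not the Recx transforms or code from the post.  The JPEG built
by build_sample_jpeg() is constructed (SOI + APP1 + EOI, no image data) with
coordinates chosen to reproduce the post's figures; it is not the original file.
"""
import struct

GPSINFO_TAG = 0x8825                          # IFD0 entry pointing at the GPS IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
GPS_TAGS = {1: "LatitudeRef", 2: "Latitude", 3: "LongitudeRef", 4: "Longitude"}


def _read_ifd(tiff: bytes, off: int, bo: str) -> dict:
    """Parse one IFD into {tag: (type, count, raw 4-byte value/offset field)}."""
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    entries = {}
    for i in range(n):
        tag, typ, cnt, field = struct.unpack_from(bo + "HHI4s", tiff, off + 2 + 12 * i)
        entries[tag] = (typ, cnt, field)
    return entries


def _value(tiff: bytes, bo: str, typ: int, cnt: int, field: bytes):
    """Decode an entry: values of <= 4 bytes sit inline, longer ones live at an offset."""
    size = TYPE_SIZES[typ] * cnt
    data = field[:size] if size <= 4 else tiff[struct.unpack(bo + "I", field)[0]:][:size]
    if typ == 2:                                  # ASCII, NUL-terminated
        return data.split(b"\0", 1)[0].decode("ascii")
    if typ == 5:                                  # RATIONAL: (numerator, denominator) pairs
        nums = struct.unpack(bo + "I" * (2 * cnt), data)
        return [(nums[i], nums[i + 1]) for i in range(0, len(nums), 2)]
    if typ in (3, 4):
        return list(struct.unpack(bo + ("H" if typ == 3 else "I") * cnt, data))
    return data


def exif_tiff_from_jpeg(jpeg: bytes) -> bytes:
    """Return the TIFF blob carried by the first APP1 'Exif' segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI or start of scan: no more headers
            break
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
        pos += 2 + seglen
    raise ValueError("no EXIF APP1 segment")


def gps_dms(tiff: bytes) -> dict:
    """Raw GPS fields: hemisphere refs as str, coordinates as three (num, den) pairs."""
    bo = {b"MM": ">", b"II": "<"}[tiff[:2]]
    (ifd0_off,) = struct.unpack_from(bo + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_off, bo)
    if GPSINFO_TAG not in ifd0:
        raise ValueError("no GPS IFD")
    (gps_off,) = struct.unpack(bo + "I", ifd0[GPSINFO_TAG][2])
    gps = _read_ifd(tiff, gps_off, bo)
    return {name: _value(tiff, bo, *gps[tag]) for tag, name in GPS_TAGS.items() if tag in gps}


def dms_to_decimal(dms, ref: str) -> float:
    """Degrees/minutes/seconds rationals to decimal degrees; south and west are negative."""
    deg, minute, sec = (n / d for n, d in dms)
    value = deg + minute / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def gps_decimal(jpeg: bytes) -> tuple:
    g = gps_dms(exif_tiff_from_jpeg(jpeg))
    return (dms_to_decimal(g["Latitude"], g["LatitudeRef"]),
            dms_to_decimal(g["Longitude"], g["LongitudeRef"]))


def build_sample_jpeg() -> bytes:
    """Constructed input: EXIF-only JPEG tagged 37d51m25.2s S, 145d15m1.08s E (big-endian TIFF)."""
    bo = ">"
    lat = [(37, 1), (51, 1), (252, 10)]
    lon = [(145, 1), (15, 1), (108, 100)]
    gps_off, lat_off, lon_off = 26, 80, 104       # header 8 | IFD0 18 | GPS IFD 54 | data
    ifd0 = (struct.pack(bo + "H", 1)
            + struct.pack(bo + "HHII", GPSINFO_TAG, 4, 1, gps_off)
            + struct.pack(bo + "I", 0))
    gps = (struct.pack(bo + "H", 4)
           + struct.pack(bo + "HHI4s", 1, 2, 2, b"S\0\0\0")
           + struct.pack(bo + "HHII", 2, 5, 3, lat_off)
           + struct.pack(bo + "HHI4s", 3, 2, 2, b"E\0\0\0")
           + struct.pack(bo + "HHII", 4, 5, 3, lon_off)
           + struct.pack(bo + "I", 0))
    rationals = b"".join(struct.pack(bo + "II", n, d) for n, d in lat + lon)
    tiff = b"MM\x00\x2a" + struct.pack(bo + "I", 8) + ifd0 + gps + rationals
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(gps_decimal(build_sample_jpeg()))   # (-37.857, 145.2503) up to float rounding
```

Pass a real camera JPEG to gps_decimal() and it will raise ValueError where a service such as imgur has removed the APP1 segment, which is the observation the first bullet above records.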
Mar 20

RDP Vulnerability on Microsoft Small Business Server

I estimate that there are approximately 292 web servers for Microsoft Small Business Server (SBS) with RDP (possibly) enabled, based on the Maltego Graph hosted at GitHub, which uses the SHODAN and BuiltWith Transforms.

Mar 16

Feb 28

Gravatar - Image - Maltego Local Transform

I developed three (3) Maltego Local Transforms that return the Gravatar image and the MD5 hash of an e-mail address, as shown in the Maltego Graph below:

Maltego Graph

The Alpha v0.0.2 release is available for download from Google Code and the repository is hosted on GitHub, including the Roadmap, etc.

I would like to thank Andrew MacPherson from Paterva for his review of the Alpha v0.0.1 release. 
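As an added example (not the transforms released on Google Code), here is the core of such a transform in Python. Gravatar identifies an account by the MD5 of the trimmed, lower-cased e-mail address, so the transform only has to hash the entity value it receives as its first argument, build the avatar URL and write the Maltego transform response XML to stdout. The entity type, field names and addresses are my own illustrative choices. The reverse_lookup function shows why the hash is worth keeping as an OSINT artifact: it can be matched against any candidate list of addresses.

```python
"""Gravatar lookup the way a Maltego Local Transform does it.

Added example, not the transforms released on Google Code.  Maltego passes a
local transform the selected entity's value as argv[1] and reads the XML
response from stdout.  The entity type, field names and addresses here are
illustrative choices, not those of the released transforms.
"""
import hashlib
import sys
from xml.sax.saxutils import escape


def gravatar_hash(email: str) -> str:
    """Gravatar's identifier: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    """Avatar URL.  d=404 makes Gravatar answer 404 instead of a stock image when
    the address has no avatar, so a fetch doubles as an 'is it registered?' probe."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=404"


def maltego_response(email: str) -> str:
    """Transform response for an e-mail entity: one image entity with the hash attached."""
    h, url = gravatar_hash(email), gravatar_url(email)
    return (
        "<MaltegoMessage><MaltegoTransformResponseMessage><Entities>"
        f'<Entity Type="maltego.Image"><Value>{escape(url)}</Value>'
        "<AdditionalFields>"
        f'<Field Name="gravatar.hash" DisplayName="Gravatar MD5">{h}</Field>'
        f'<Field Name="email" DisplayName="E-mail Address">{escape(email)}</Field>'
        "</AdditionalFields></Entity>"
        "</Entities></MaltegoTransformResponseMessage></MaltegoMessage>"
    )


def reverse_lookup(md5_hex: str, candidates):
    """The hash is not a privacy boundary: any candidate list can be hashed and
    compared.  Returns the first matching address (normalised) or None."""
    target = md5_hex.strip().lower()
    for c in candidates:
        if gravatar_hash(c) == target:
            return c.strip().lower()
    return None


if __name__ == "__main__":
    # Usage as a local transform: python gravatar_transform.py <e-mail address>
    print(maltego_response(sys.argv[1] if len(sys.argv) > 1 else "user@example.com"))
```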

Feb 21

OpenSSH - Fingerprint

This is a preview of my first article that will be published in the second printed issue of Secure Computing Magazine (Australia).

This series of articles will be based on the slides that I presented at SAGE-AU in November 2011.

The article is reproduced here in its entirety, as it will be shortened for print due to pagination.

A “fingerprint” is a short hash of the public key, more readable than the key itself, that reduces the rate of error when an end user or system administrator correlates an OpenSSH private key with its public key (or vice versa).

When generating a new OpenSSH public/private keypair with ssh-keygen (default values, apart from the comment), the fingerprint and the associated ASCII “randomart image” [1] are displayed automatically:


The key fingerprint is:
be:7c:7e:07:9a:4a:db:a6:02:1e:c7:90:a2:b0:e2:94 christian.heinrich@cmlh.id.au
The key’s randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|     .           |
|. . o            |
|.o.. o  S        |
|+E  o o.    .    |
|+  . +  o  o .   |
| .  . .o += . .  |
|       .**o. .   |
+-----------------+

Screenshot of ssh-keygen -C “christian.heinrich@cmlh.id.au” execution on OS X
The above fingerprint and randomart image can be reproduced at a later date with ssh-keygen -lv -f ~/.ssh/id_rsa.pub. The same fingerprint is displayed for the OpenSSH private key, i.e. ssh-keygen -lv -f ~/.ssh/id_rsa (without the .pub extension), which identifies the related public key transmitted to the remote host: the fingerprint is a digest of the public key material only, and the private key file carries that material as well.

OpenSSH can also display a fingerprint in “BubbleBabble” [2] encoding, i.e. a series of pseudowords, with the -B command line option, to further improve readability over hexadecimal, e.g. on OpenBSD 5.0. Note that this is not a re-encoding of the hexadecimal value above: ssh-keygen -B encodes a SHA-1 digest of the key, whereas the hexadecimal form of this era is an MD5 digest, so the two cannot be converted into each other without the key.

cmlh@openbsd$ ssh-keygen -B -f ~/.ssh/id_rsa.pub
2048 xobar-defab-pitom-byrok-zokos-geden-zopov-nedog-segeg-rykoz-noxax /home/cmlh/.ssh/id_rsa.pub (RSA)

In addition, the associated ASCII “randomart image” can be displayed alongside the “BubbleBabble” [2] encoding with the -Bv command line option, e.g. on OpenBSD 5.0:

cmlh@openbsd$ ssh-keygen -Bv -f ~/.ssh/id_rsa.pub
2048 xobar-defab-pitom-byrok-zokos-geden-zopov-nedog-segeg-rykoz-noxax /home/cmlh/.ssh/id_rsa.pub
The key’s randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|     .           |
|. . o            |
|.o.. o  S        |
|+E  o o.    .    |
|+  . +  o  o .   |
| .  . .o += . .  |
|       .**o. .   |
+-----------------+
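To show what each of these forms actually is, the following Python script is an added example (not from the article or from OpenSSH). It builds a public key line in the id_rsa.pub format from a filler modulus (random-looking bytes, not a usable RSA key, and labelled as such in the code) and derives the hexadecimal MD5 fingerprint, the SHA256 fingerprint that later OpenSSH releases print by default, and the Bubble Babble form, which ssh-keygen -B computes over a SHA-1 digest of the key. All three are digests of the base64 key blob alone, which is why the comment does not change them and why ssh-keygen -l reports the same value for the private key file.

```python
"""Reproduce the fingerprint forms that ssh-keygen prints for a public key.

Added example, not code from the article or from OpenSSH.  Every form is a
digest of the raw key blob (the base64 field of the public key line), so the
comment never affects it and the private key yields the same value.  The
modulus used below is filler derived from SHA-512 output, NOT a usable RSA
key: only the fingerprint arithmetic is demonstrated.
"""
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 32-bit big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if the top bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Make an 'ssh-rsa <base64 blob> <comment>' line as found in id_rsa.pub."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def pubkey_blob(line: str) -> bytes:
    """Return the raw blob a fingerprint is taken over; the comment is ignored."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1])
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != fields[0].encode():    # the blob repeats the key type
        raise ValueError("key type does not match blob")
    return blob


def rsa_bits(blob: bytes) -> int:
    """Modulus size in bits, read from the third wire string of the blob (n)."""
    off, parts = 0, []
    for _ in range(3):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    return int.from_bytes(parts[2], "big").bit_length()


def fingerprint_md5(blob: bytes) -> str:
    """Legacy hex form ('be:7c:7e:...'), the default before OpenSSH 6.8."""
    d = hashlib.md5(blob).hexdigest()
    return ":".join(d[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current form: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def bubblebabble(data: bytes) -> str:
    """Bubble Babble encoding (Huima draft): 'x' + five-letter pseudowords + 'x'."""
    vowels, consonants = "aeiouy", "bcdfghklmnprstvzx"
    seed, out = 1, ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b1 = data[2 * i]
            out += [vowels[(((b1 >> 6) & 3) + seed) % 6],
                    consonants[(b1 >> 2) & 15],
                    vowels[((b1 & 3) + seed // 6) % 6]]
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out += [consonants[(b2 >> 4) & 15], "-", consonants[b2 & 15]]
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # even length: the closing syllable comes from the seed alone
            out += [vowels[seed % 6], "x", vowels[seed // 6]]
    return "".join(out) + "x"


def fingerprint_bubblebabble(blob: bytes) -> str:
    """What 'ssh-keygen -B' prints: Bubble Babble over the SHA-1 of the blob."""
    return bubblebabble(hashlib.sha1(blob).digest())


def all_fingerprints(line: str) -> dict:
    blob = pubkey_blob(line)
    return {"bits": rsa_bits(blob), "md5": fingerprint_md5(blob),
            "sha256": fingerprint_sha256(blob), "bubblebabble": fingerprint_bubblebabble(blob)}


# Constructed key: a 2048-bit filler modulus (top bit forced on), not a real key.
FILLER_N = (1 << 2047) | int.from_bytes(hashlib.sha512(b"not a real modulus").digest() * 4, "big")
EXAMPLE_LINE = build_rsa_pubkey_line(65537, FILLER_N, "user@example.invalid")

if __name__ == "__main__":
    for name, value in all_fingerprints(EXAMPLE_LINE).items():
        print(f"{name}: {value}")
```

Run against a real ~/.ssh/id_rsa.pub line, all_fingerprints() matches ssh-keygen -l -E md5, ssh-keygen -l (SHA256) and ssh-keygen -B respectively; the Bubble Babble test vectors (“xexax” for empty input, “xesef-disof-gytuf-katof-movif-baxux” for 1234567890) are the ones given in the Bubble Babble specification [2].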

REFERENCES
[1] http://marc.info/?l=openbsd-cvs&m=121321826818823&w=2
[2] “The Bubble Babble Binary Data Encoding” ftp://ftp.ietf.org/ietf-mail-archive/secsh/2001-08.mail
Feb 13
Another approach would have been to contact a single journalist and shown him/her the vulnerability in action. This would have protected the site’s customers much better and alerted us all once again to the vulnerabilities that exist on the web.