[Bookmarked] Internet Archive has Games!

Sometimes I find funny things in Twitter (https://twitter.com/lucyamorris/status/687731006187540480). I’m going to write some blog posts with these items so that I can remember where I found them and share them with others.

Internet Archive has Games

cthulhucy tweeted out about the Internet Archive web site having old computer games available to play via a web browser. A great time killer!


[Bookmarked] Social Media Explained

Sometimes I find funny things in Twitter (https://twitter.com/monadarling/status/494932964669538304). I’m going to write some blog posts with these items so that I can remember where I found them and share them with others.

Social Media Explained

Social media, in all its varieties, can be daunting to understand, much less participate in. This pic from (((DawntJalluss)) on Twitter (and found many other places on the Internet) explains it simply.



[Bookmarked] Pizza As A Service

Sometimes I find funny things in Twitter (https://twitter.com/RichGx/status/494572357898756096). I’m going to write some blog posts with these items so that I can remember where I found them and share them with others.

Pizza As A Service

Seems like more and more services are being offered as a service in the cloud. Sometimes people have trouble understanding the options. The graphic below, pulled from the https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service post by Albert Barron (https://www.linkedin.com/in/albertbarron) in 2014 helps explain things in a manner that really hit home for me.


Mutillidae Session Hijacking Lab


This is a list of steps to perform a web application session hijacking attack against a logged-in user of a web app. It uses the wonderful Mutillidae (https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project) vulnerable web application for the victim server, Burp Suite (free or pro, https://portswigger.net/burp/download.html) and a web browser (in this case, I’ve chosen Firefox).


This post presupposes that you already have Mutillidae, Burp and Firefox installed and running. If not, please refer to those sites for details on how to accomplish those goals.

  1. Set up Firefox to use Burp
    • Here you can edit the Network settings inside the Advanced section of Firefox’s settings area to add the Burp local proxy. Burp defaults to run on TCP port 8080. So you’ll need to use localhost for the host/IP and 8080 for the port.
  2. Launch Burp and confirm that you can get traffic from the browser. If not, troubleshoot that then move on.
  3. In the Mutillidae application, visit the http://YourIPHere/index.php?page=login.php page.
    1. Click the Please register here link at the bottom of the page to create 2 new users.
    2. Create 2 different users in this section.
  4. Go to the login.php page (http://YourIPHere/index.php?page=login.php) in your browser and log in to the application using one of the user accounts.
  5. Go to Burp and look for the response from the server for the successful log in. It should have 2 new cookies that were set in your browser.
  6. Go to the Mutillidae app in the browser and browse to another page.
  7. Send that new request from the Burp Proxy to the Burp Repeater and ensure that both application cookies were sent in the header of the packet.
  8. Press the GO button in the Repeater function to send an unmodified request to the server.
  9. In the response frame, you should see that that user is logged in (in the header of the response as well as in the HTML).
  10. Now, in Burp Repeater, alter each of the cookies that the application set and resubmit the request. See if the username in the response packet changes.

Next Steps could be…

  1. Extract the cookies from Burp and insert them into the browser to become the other user and browse around the application
  2. Use Burp Intruder to fuzz the cookie value and find other users that you could become. (Keep in mind who the first user of the application could be).
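
The last step of the lab works when an application lets a value sent by the browser decide who the user is. As an added example (not Mutillidae's code; the cookie names `uid` and `session` and the sample accounts are assumptions), this Python code puts that weak pattern beside a server-side session store in which an altered cookie simply matches no session:

```python
import secrets
import time

USERS = {1: "admin", 2: "alice", 3: "bob"}  # constructed sample accounts


def whoami_weak(cookies):
    """Weak: identity is whatever numeric id the browser sends back."""
    try:
        return USERS.get(int(cookies.get("uid", "")))
    except ValueError:
        return None


class SessionStore:
    """Hardened: the cookie holds only an unguessable token; identity stays server-side."""

    def __init__(self, ttl_seconds=900):
        self._sessions = {}  # token -> (user_id, expiry timestamp)
        self._ttl = ttl_seconds

    def login(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (user_id, now + self._ttl)
        return {"session": token}  # the only cookie the app needs to set

    def whoami(self, cookies, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(cookies.get("session", ""))
        if entry is None:
            return None  # unknown or altered token: treated as logged out
        user_id, expiry = entry
        if now >= expiry:
            del self._sessions[cookies["session"]]  # expired: drop it
            return None
        return USERS.get(user_id)  # any client-supplied "uid" is ignored

    def logout(self, cookies):
        self._sessions.pop(cookies.get("session", ""), None)
```

When you repeat the Repeater test against an application built the second way, changing the cookie should return the logged-out page rather than another user's name.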

Ghostery: A Browser Extension You Need

What if you were driving down the highway in your car and had to slow down every mile to read an advertisement? And what if those advertisers knew where you had been and who had gone with you? That would annoy and cause concern for many people but we tolerate this on our computers and mobile devices all the time. Our web browsing behaviors (sites we visit, what we search for on those sites, what we do on those sites) are being used against us every day. But this does not have to happen and I’m going to show you how to stop it.

There is a free extension that you can add to your favorite browser of choice to stop advertisers and others from tracking your browsing behaviors: Ghostery (https://www.ghostery.com/).


Extensions and add-ons are pieces of software that someone else has written. They, themselves, have the ability to track and alter the information you send and receive from web pages. I tell you this so that you don’t go wild and start installing untrusted add-ons in your browsers. There are malicious extensions out there. These two extensions, right now, as of the moment of this writing, are solid pieces of software that you can trust.


Extensions in Google Chrome

Here is how you get to the “Extensions” area of the Google Chrome web browser. Press the settings button (pancake-like three lines in the upper right) of the Google Chrome browser.


From there, choose More tools and then Extensions.


Observant readers will note that the URL chrome://extensions/ will get you to this same place.

Now, you may not have any extensions loaded in your browser. If that is the case, your next screen should appear similar to the one below. You will want to press on the browse the Chrome Web Store link to go to the place where we will find the extensions.


If you do have one or more extensions loaded, then you will need to scroll to the bottom of your browser window where you should see a link such as the one below to Get more extensions. That link should take you to https://chrome.google.com/webstore/category/extensions?hl=en-US (or the correct one for your area of the world).


Just hang on while I get the Firefox users to the right place.

Firefox Add-ons

Firefox users should also click on the pancake-like settings menu in the upper right of their browser and then select Add-ons.


Again, you may or may not already have some add-ons installed in your browser. In either case, select the Get Add-ons option on the left side of your new window. Observant Firefox readers will note that the page that you are on is about:addons which is a fast method of getting to this page.


Safari (OSX/Mac)

Safari can load Ghostery too! So, launch the Safari web browser and go to the upper left menu item named Safari. Click it and you will see Safari Extensions… which you should click.

Why, Micah? Why?

Why am I showing you how to navigate to these areas of the applications you probably use every day? Sure I could just say “Click here and install the extensions” (which I will below). Just as it is important for you to understand how your car works, it is also important for you to understand how to modify your web browser settings.

How To Add an Extension/Add-on

If you have followed me to this point, adding the correct extension is simple. Firefox, Chrome and Safari all have search areas within their extension/add-on areas. Type in Ghostery and press the search button (or hit Enter).

For Ghostery, you can also just visit https://www.ghostery.com/try-us/download-browser-extension/ in your browser and press the appropriate button for your web browser. The links will take you to the correct add-on web page.

You are looking for a little, blue PacMan ghost like the one below.


You will want to add this to your browser or install it (each browser has a different name for it). Once installed, it may take you to a tutorial to help you understand the options. Go through it and set it up how you like. You will also notice a little ghost in the browser now (usually up top). This is the way you can quickly get back to Ghostery to change options.

The important piece for Ghostery is on the Blocking page. You will want to ensure you SELECT ALL to shut off all ads and trackers. See below for how it should work.


I will warn you. This will block things that may cause web sites to not work. That is OK because you can always unblock certain sites or choose specific parts of a site to be unblocked.


Oh No! My Site Doesn’t Work!

Ghostery sometimes will cause web sites to not work properly since it prevents your browser from loading all of the widgets and trackers the web site wants you to. In these cases, you have a couple of options: Pause Blocking and Whitelist Site.


Pause Blocking

If you just want to stop Ghostery from blocking anything for all the web sites you are visiting, choose the Pause Blocking option and reload the page. You will need to Resume Blocking to take advantage of Ghostery’s features again.

Whitelist Site

There are some web sites that you may trust and it may be fine for them to track you or provide you ads. In those cases choose the Whitelist Site option to essentially turn off Ghostery for just this site. Next time you visit this whitelisted site, Ghostery will not block content.

A Third Choice

There is a third choice in what to do when Ghostery is blocking a feature of a web site. That is to selectively turn on, one by one, the features that Ghostery is blocking. Turn one back on and reload the page. Did that fix the issue? No? Do it with another one and reload the page.

A Final Choice

The way that I browse the internet may be similar to the method you use. I have my favorite browser and, whenever I need to go to the internet, I launch it and go. This browser definitely has Ghostery installed. If all of the above 3 methods for getting a site to work fail, I open a “less secure” browser that does not have Ghostery installed (for example, Internet Explorer) and visit the site there. This can help you. Protect your main browser and have a fall-back one that is less secure to use when sites look weird in your main browser.

Mobile Anyone?

Did you know that you can install Firefox onto many mobile phones and tablets? Google Chrome too. When you install it, make sure that you install the Ghostery extension to protect your mobile web traffic.


Mind over body

This 5 minute clip from the 2006 movie “Facing the Giants” (http://www.imdb.com/title/tt0805526/) recently made me think about my dedication and drive. It is “The Death Crawl Scene” where an unmotivated person shows himself and his team that if you cannot see the “finish line” you can push your body harder and farther than you thought you could.
Many times our minds quit WAY before our bodies. In this time of instant information and feedback (how many steps you took, how far you have walked|biked|run, how fast you went…), we sometimes prevent ourselves from just going and doing.
This past weekend I left my GPS at home when I went backpacking. I was going with 8 highly-skilled people and, on the Appalachian Trail, you really just follow the white paint marks (blazes) until you reach your destination. With this crew and the well-marked trail, I wasn’t afraid of getting lost.
I’ve not really hiked/backpacked for about a year due to work and injury and, because of this, I wanted a short backpack hike. I knew I couldn’t do more than 5-7 miles. We picked a simple 5.5 mile hike to a camp site and then a 1.2 mile day hike (without stuff in our backpacks) to Chimney Rock overlook. I focused on not twisting my ankle, talking to my friends, and enjoying the hike. I knew we were only going 7ish miles and I could do that.
We got to our camp site, set up camp, relaxed, and then went on the extra hike to a gorgeous overlook. Took our time there and then came back. I knew my legs would only take me 7ish miles. Mentally, that was my limit but because I hadn’t brought my GPS or my smart watch with me to monitor the distance and my steps, I didn’t know how far we’d gone. When some of the others in the group checked their GPSs and found we’d gone over 11 miles I was stunned and thrilled that I hadn’t let my mind stop my body from enjoying a beautiful trip and a great trip.

Harvesting Whois Data for OSINT

At work I was given the task of figuring out at least one method to find some of the domains that were registered by my company’s employees but that we may not have known that they registered. Anyone can visit GoDaddy or PSI or 1and1 and register a domain. We wanted to find anyone that registered a domain with an “@MYCOMPANY.com” email in the domain registry. Once I figured out how to do this, I found some really interesting things!

Registering a Domain

In case you don’t know this, when someone registers a domain name like “webbreacher.com” or “osint.ninja” they use a registrar such as Go Daddy or Network Solutions who then does the work of reserving the domain and tagging it as owned by a certain person/organization. There is some personal or business information that you must provide to the registrar for them to make the registration of the domain you want. Most will want your credit card info first 🙂 and also personal information such as your name, home/business address, phone, and email(s).

Personal v. Private Registrations

When you register a domain, many times you have the choice to have the registrar “mask” your personal information that you use to purchase the domain. This is helpful to keep your personal information, well, personal. Instead of using your personal data, the registrar uses their data and then keeps track, internally, who is the actual owner of the domain. For my purposes of finding out what employees are registering domains using our company email address, this masking of their info presents a problem.


One of the main tools that people use on Unix, Linux and Mac systems to look up the registration information about a domain is called whois. From a command line or terminal window, a user can type whois example.com and the registration information for that domain will be returned. This should include names, emails, phone numbers and more…unless the registrant is using the whois masking feature of their registrar.

Some caveats here are that whois data is many times stale, old, or just very wrong. Many registrars never check the information that is self-submitted when registering a domain. If I wanted to register insertmydomainhere.info as Barack Obama at 1600 Penn Ave, Washington, DC, there are some registrars that would be happy to take my money. Take whatever responses from whois as suspect data until verified or corroborated with other information.

Using whois is great if you want to retrieve the information about a single domain. In my case, I wanted to search ALL domains for any registration information with my company’s email address domain. Using whois for my task, I’d need to request every single domain name with whois and then scrape the results for “@example.com” to complete my task. Laborious if not impossible.


The best place I found that had a reverse whois lookup that would allow the searching of whois data using registrant information AND wildcards (such as *) was the viewdns.info site. Let’s show an example using the dhs.gov domain. Using the ViewDNS web page at http://viewdns.info/reversewhois/?q=%40dhs.gov you can retrieve the first 500 hits on domains having the @dhs.gov string in them somewhere. Below are some of the results.

@dhs.gov entries found in Whois records


This was a huge time saver for me. ViewDNS also has a great API to pull these records down in XML and JSON formats which are easily used in scripts and other programs.

So…I was happy and yet confused. I thought that there may be something wrong with the site. Looking at the bottom of the above picture, you can see that fema.net is a domain that has the @dhs.gov string in the registration somewhere. This makes sense since fema.gov is a DHS entity and fema.net is something DHS might register to prevent someone else from registering it and tricking users. But, did you see the farrellswebservice.com and celticwarriorsmc.com domains? Those do not look like DHS domains. Let’s take the farrellswebservice.com domain and do a command line whois on it.

farrellswebservice.com whois data

Well that solves it. There was no problem with the web site. Under the red arrow is the @dhs.gov email account that the viewdns.info site found: keith.farrell@dhs.gov.

Moving into OSINT

I hear some of you saying “So what?” Well, in the world of OSINT we try to tie pieces of data together. Getting email addresses, phone numbers and addresses for people is key to furthering investigations. We can use this data as pivot points (additional search terms to use to find even more information about a target) to augment your OSINT data. In the above pic for the whois output of the farrellswebservice.com domain, we have all of these pieces. Keith Farrell’s name, home address, phone number, personal and business email addresses are out there in the public for anyone to harvest.

So what happened here? It seems like some people use their work emails for personal registrations. While I only use my work email for work purposes, I do know people that use their work email for non-work purposes.

Applying this Information

OK. So we can easily pull up all the domains registered with a certain email domain. Again, so what? Well, what if those domains showed interests of the employees of that company? What if they showed personal information or pictures of a person’s family? In fact, if you visit some of those domains from our results above in a web browser, that is exactly what you get. Check out http://farrellswebservice.com/ and http://bostonjrhuskies.com/.

So now we have:

  • First and last name
  • Home address
  • Phone number(s) which may be work and or personal
  • Email(s) which are work and may also be personal
  • Personal interests
  • Pictures of family
  • In some cases we have much MUCH more (check out http://dancommiato.com/)

Attackers could use this information:

  • For reconnaissance prior to a cyber or physical attack to gather information
  • Phishing or pretexting data to better-craft emails or scripts that victims may fall for
  • Social engineering
  • Espionage….and so on

We can also take this data, export it to a CSV (Comma Separated Value) file and import it into a spreadsheet program or visualization app like Paterva’s Casefile (free – http://paterva.com/web7/buy/maltego-clients/casefile.php). Doing that, we can see connections in the data such as all domains registered on a certain date or by a specific registrar. This data can help you determine if a specific domain was registered by the organization and is most likely a work domain or if someone else may have registered it.
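
For an organization reviewing hits on its own email domain, the grouping described above can be done in a few lines of Python. This is an added example, not the author's script: the CSV column names, every sample row and the two thresholds are assumptions, and the "majority registrar" rule is only a heuristic for deciding which domains need a closer look.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export; column names and all values are assumptions.
SAMPLE_CSV = """domain,created,registrar
example-corp.net,2009-03-02,CORPORATE REGISTRAR INC
example-corp.org,2009-03-02,CORPORATE REGISTRAR INC
example-corp.info,2009-03-02,CORPORATE REGISTRAR INC
examplecorp-careers.com,2012-07-19,CORPORATE REGISTRAR INC
smithfamilyphotos.example,2011-05-14,BUDGET DOMAINS LLC
jrhockeyleague.example,2013-10-01,OTHER REGISTRAR LTD
"""


def triage(csv_text, corp_share=0.5, batch_size=3):
    """Split reverse-whois hits into likely work domains and ones to review."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_registrar = Counter(r["registrar"] for r in rows)
    by_date = defaultdict(list)
    for r in rows:
        by_date[r["created"]].append(r["domain"])

    # Heuristic (assumption): a registrar holding more than corp_share of
    # all hits is the one the organization itself registers through.
    corp_registrars = {
        reg for reg, n in by_registrar.items() if n / len(rows) > corp_share
    }
    # Several domains created on one day suggest a bulk, organizational purchase.
    batches = {d: sorted(v) for d, v in by_date.items() if len(v) >= batch_size}

    likely_work, review = [], []
    for r in rows:
        bucket = likely_work if r["registrar"] in corp_registrars else review
        bucket.append(r["domain"])
    return {
        "likely_work": sorted(likely_work),
        "review": sorted(review),
        "batches": batches,
    }
```

The `review` list is where employee-registered personal domains tend to land; each entry still needs a whois lookup to confirm who registered it.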


How do you prevent this? Most domain registrars allow you to make your domain registrations “private” or “masked” so that, instead of your personal (or work) information being displayed when someone looks up the domain registration, it is the information of the registrar that is shown. For example, let’s look at what the whois data for the osint.ninja domain are:

whois osint.ninja

When I registered that domain, I selected to pay a little additional and have GoDaddy replace my personal information with some generic information pointing to their systems. Anyone having an issue with the domain (or network traffic coming from it) could contact GoDaddy and then they would know to contact me.

Additionally, try to limit the places where you use work information for personal purposes especially if that data is or could become public.

For all you OSINT people out there, I bought the $20/month API access to viewdns.info’s data and have scripted this process (and doing subsequent lookups). It does require an API key from the site. If this is something you do regularly, I highly recommend purchasing the API key. Oh, if you are thinking of just scraping the data from the web site…don’t. Viewdns.info actively blocks IP addresses that do this. Trust me. I still cannot get to this site from home.😦

Like this post? Tweet to me @OsintNinja or @Webbreacher.