TwitPic – Scraping Exif Data

A couple of days ago Dr. Johannes Ullrich did a really interesting post on scraping GPS data from photos that Twitter users post to TwitPic. You can read the original post, with graphs, over at the Internet Storm Center blog. He wrote a couple of Perl scripts for use with the exiftags tool.

So I was inspired to do a similar trick without the Perl script, using my favorite tool, Exiftool by Phil Harvey. So here comes yet another one of my Automators for OSX. You can download it in the zip below. Just copy imagecsv.txt to the root of your user home folder, then run the Automator app. You can of course edit the app in Automator to see how it works. It will prompt you for the Twitter user name of your target. Then it goes to TwitPic, scrapes their RSS feed of all full-sized images and runs exiftool on them. It puts all the output in a folder on your desktop named after the Twitter user name. You may alter which fields exiftool writes to the exifdump.txt file by editing imagecsv.txt. It is just an exiftool print format file, set up to be tab delimited.

Just make sure you have exiftool installed or you won't get the tag dump. You will end up with just the pictures scraped from the user's RSS feed.

OSX Automator – TwitPic – ExifScrape


crowbarPGP – Version 1.0.1

I have finally released my crowbarPGP Cocoa application.  Included in the Install DMG you can download below is a folder called Extras.  I put several OSX Automators in it that I have found useful or mentioned in other blog posts.  You can edit them in Automator to see how they work.

I also added a new preference that lets you choose not to show the found password in the Growl notification while still getting a notification. Soon I will add that to the other crowbar apps. I also finally fixed the code to automatically ignore the carriage return character that comes from dictionary files originating on Windows. This too I will shortly add to the other crowbar apps and release through the auto-update mechanism.

crowbarPGP is a dictionary attack tool for cracking PGP Whole Disk Encryption and PGD virtual PGP Disk files. It requires OSX 10.5 or 10.6. One key thing: I included the PGD attack feature, but I found a memory leak in the pgpdisk command last year. I informed PGP of it and provided them the backup material. Unfortunately my contact is no longer with PGP and the memory leak is still there in the recent v10.0 PGP for Mac OSX. So I strongly suggest you do not use that feature until they patch it. When they do, I will post a blog update and likely do a small version increment to the program through the automatic updates feature.

Thanks again to Paul Figgiani for his patience in making GUI layout and improvement suggestions.

Thanks as well to the following code and frameworks:

crowbarPGP - Download

Rough Draft OSX Automator – Password Extraction

I have had various discussions with other forensics folks about password dictionaries and their use with my crowbar tools. So I am doing some experimentation using Automator plus shell and Perl scripts. I really think a lot of forensics folks who use Mac OSX forget or underestimate Automator. In my case I am using it to draft some password extraction tests.

You can download the Automator app with a sample text file to run it on. You can get it from here: PasswordExtractor Automator

Of course it is easy for you to edit the Automator app in Automator and see or edit my scripts. Here is a summary of what it does; it becomes clearer if you run it on the included text file.

It has you select a file and runs it through strings. It sorts the output and drops duplicate strings. Then it runs that base dictionary file through a Perl script several times, each time with a slightly different variant. The script looks for certain flag strings, then grabs all the remaining text on the line after the flag text and turns it into a stack of passwords.

It looks for all case-insensitive occurrences of pw, pwd, pass and password, followed by any of the three symbols =, – or :

It then takes the text following those flag strings, starts at the first letter, dumps that to a line as a password, and extends it one letter at a time until it hits the full length.

So in essence, if the password you really need is embedded in, say, a URL with pass=supersecretpassword, then you will actually get a file where ONLY supersecretpassword occurs on a line in a dictionary. Perfect for your dictionary attack tools.
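The extraction steps described above, as an added Python sketch for examiners who want to reproduce the idea outside Automator. It is not the Automator app's own shell or Perl code; the function names and the sample bytes are constructed for illustration, and it assumes the dash separator may appear as either a hyphen or an en dash.

```python
import re

# Flag words from the post, longest first so "password" is tried before "pass".
# Separators: '=', ':' and a dash. Accepting both '-' and the en dash is an
# assumption, since the post's dash may have been typographically converted.
FLAG_RE = re.compile(r"(?:password|pass|pwd|pw)[=:\-\u2013]", re.IGNORECASE)

def printable_strings(data: bytes, min_len: int = 4):
    """Rough stand-in for strings(1): runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def candidates(lines):
    """Sorted, de-duplicated prefix candidates for every flagged value."""
    out = set()
    for line in sorted(set(lines)):          # sort + drop duplicate strings
        for m in FLAG_RE.finditer(line):
            # Everything after the flag; strip() also drops a stray
            # carriage return from Windows-origin text.
            tail = line[m.end():].strip()
            # Grow one character at a time up to the full length, so the
            # real password appears even when other text follows it.
            for n in range(1, len(tail) + 1):
                out.add(tail[:n])
    return sorted(out)

# Constructed sample: binary noise around two flagged values, one duplicated.
SAMPLE = (
    b"\x00\x01GET /login?user=bob&pass=supersecretpassword\x00\xff"
    b"junk\x00PWD: hunter2 expires=never\r\n\x00"
    b"GET /login?user=bob&pass=supersecretpassword\x00"
)

if __name__ == "__main__":
    for word in candidates(printable_strings(SAMPLE)):
        print(word)
```

The second sample line shows why the one-letter-at-a-time expansion matters: the value is followed by unrelated text, yet `hunter2` still lands on a line of its own.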


Scripting Acrobat Reader Updates – nmap and psexec

The latest round of Adobe patches is a pain for IT staff to implement. If you allow automatic updates, then many machines pulling the full Reader installer from Adobe at once is likely to knock out your WAN or Internet links. Too much traffic.

Manually running around and installing the update is also a pain for IT and consumes a lot of man-hours. So I love to make script packs for them to automate things.

To use these scripts you need to do several prep steps.

  1. Download the nmap binaries for Windows and put them in the folder you will run the scripts from.
  2. Install the WinPcap driver, which the nmap scans need in order to work.
  3. Download psexec from the Microsoft Sysinternals site and put it in the script folder too.
  4. Download the Adobe Reader installer and put it on a network share.
  5. Create a throwaway domain user account that can simply map the network share holding the Acrobat installer. I put the installer in a subfolder of that share called acro93, for the version I am installing. The account is needed because, if you have your domain set up reasonably well, you want only authenticated users to connect to shares. You will delete this account once done.

Next come the scripts. We have the master script, which we call acrobat.bat. This script pushes a second bat file onto each target host. You need to put your target hosts into a text file in a format that nmap accepts: a subnet, individual IPs, or hostnames your PC can resolve.



More Brainnnzz

I admit it: I love zombie stuff, from video games to movies to books and audio books. Right now I am enjoying a couple of zombie-related podcast novels. And of course we can’t forget the awesome zombie song by Jonathan Coulton: “re: Your Brains”

Escape: The Zombie Chronicles by James Melzer

Dead Mech by Jake Bible


Video – Podcasting Mix Minus Setup for Multi Track Recording and Skype

I walk through how I have mix minus set up on my Mackie 802-vlz3 board for multi-track podcast recording. This goes along with my other video on using Audio Hijack Pro for multitrack recording. I do realize you can pan one channel left and another right (such as the recording host and the music-fx), then record that coming out of the master mix. I don’t do this because it creates extra work in post-processing, having to break them apart into mono tracks. Plus, doing individual hijacks in AHP lets me apply different audio processing stacks to the capture live as it is recorded. This setup works well when you want to record all three tracks on one end when using Skype. You might want to do this for interviews or when your cohost is traveling.