Python directory finder (dirb)

If for some reason you find yourself on a machine that you cannot get dirb or DirBuster onto, here is some quick code to achieve similar results using Python 3.

It reads a word list from your common.txt file (change the name in the code if needed), requests the URL you have given it plus each line in the .txt file, and reports a positive result if the full URL path gives back a response.

The code doesn’t have any sort of rate limiting, so if your target has systems in place to block DoS attacks you may start getting false negatives.


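#!/usr/bin/env python3
# Scans for web directories from a word list
# Replace common.txt with your wordlist
# For Python 3

import requests

def request(url):
    # Return the response, or None if the connection fails
    try:
        return requests.get("http://" + url)
    except requests.exceptions.ConnectionError:
        return None

# Enter the host without a scheme; "http://" is prepended in request()
target_url = input("Enter Target URL: ")

with open("common.txt", "r") as wordlist:
    for line in wordlist:
        word = line.strip()
        if not word:
            continue  # skip blank lines in the word list
        full_url = target_url + "/" + word
        response = request(full_url)
        # A Response object is truthy only when its status code is below 400
        if response:
            print("Discovered directory at this link: " + full_url)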

The code comes courtesy of a course on Udemy taught by the very eloquent Eduardo Rosas.
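
From the defender's side, a scan like the one above shows up in the web server's access log as a burst of 404 responses for many different paths from a single client. The following is an added example, not part of the original post or the course it came from, that flags this pattern in combined-format log lines; the function names, thresholds and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client ip, [timestamp], "request line", status
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_dir_scanners(lines, window_s=10, min_misses=8):
    """Return {ip: peak number of distinct 404 paths within one sliding window}."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> (time, path) of its recent 404s
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparseable line, or not a miss
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append((ts, m["path"]))
        while ts - hits[0][0] > window:  # drop misses older than the window
            hits.popleft()
        distinct = len({path for _, path in hits})
        if distinct >= min_misses:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = ('{ip} - - [12/Mar/2024:10:00:{s:02d} +0000] '
           '"GET /{p} HTTP/1.1" {st} 153 "-" "{ua}"')
    words = ["admin", "backup", "cgi-bin", "config", "db", "images",
             "login", "old", "phpmyadmin", "test", "tmp", "uploads"]
    # One client walking a word list, one request per second; two paths exist
    lines = [fmt.format(ip="203.0.113.7", s=i, p=w, ua="python-requests/2.31.0",
                        st=200 if w in ("images", "login") else 404)
             for i, w in enumerate(words)]
    # An ordinary visitor with a single stray 404
    visits = [(2, "", 200), (5, "images", 200), (9, "favicon.ico", 404)]
    lines += [fmt.format(ip="198.51.100.20", s=s, p=p, st=st, ua="Mozilla/5.0")
              for s, p, st in visits]
    return lines

if __name__ == "__main__":
    print(find_dir_scanners(sample_log()))
```

A slower, rate-limited scan spreads its misses over time, so catching it needs a longer window_s or a per-hour count rather than a ten-second burst.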

Interview with Burp Suite creator Dafydd Stuttard

Here’s an old video from 2015 showing an interview with the creator of Burp Suite, answering a few questions about how it started and why he initially started developing the tool. Like a lot of security applications, it seems to have started its life as a hobby project which kept growing with new features until enough people found it useful for it to become mainstream.

Here are some useful timestamps:

6:30 – interview starts
13:10 – how burp got its name
29:30 – Burp spider
32:45 – Server side template engines
40:00 – pricing
45:00 – the wider security community
46:30 – Recommendations for vulnerable test applications

It’s interesting to note the difference in presentation between Dafydd, who most likely spends his days presenting security ideas to IT managers at corporate jobs, and the two podcast hosts, who seem to be trying to create some sort of cross between the stereotypical hoodied hacker and Joe Rogan. As the security industry matures, I’m expecting we’ll come across more of the former.

Hints and Tips for PythonChallenge level 8

This is a page of hints for the Pythonchallenge.com level 8 challenge.

It does not contain the answer, so you can use as many hints as you want but still have to put everything together yourself to complete it.

Note: A lot of these challenges have multiple different ways of solving them, so the hints here might not match what you have found already.

Hint 1: Think of the noise small insects make when they fly around.

Hint 2: Have you found the username and password text in the source?

Hint 3: The start of the text may give you a clue as to how it is encoded/compressed.

Hint 4: This compression needs to use bytes instead of strings.

Hint 5: If you know the compression library but can’t get the decompression working, try compressing some sample text to give you a better idea of what it should look like.

Hints and Tips for PythonChallenge level 7

This is a page of hints for the Pythonchallenge.com level 7 challenge.

It does not contain the answer, so you can use as many hints as you want but still have to put everything together yourself to complete it.

Note: A lot of these challenges have multiple different ways of solving them, so the hints here might not match what you have found already.

Hint 1: Concentrate on the image.

Hint 2: The code is in the grey pixels in the image; ignore the coloured bits.

Hint 3: What ways are there to store data in colour values?

Hint 4: Have a look at the PIL Python library.

Hint 5: Can you automatically extract the colour values of each block?

Hint 6: If the values are all within a certain range, could that be converted using a character map?

Hints and Tips for PythonChallenge level 6

This is a page of hints for the Pythonchallenge.com level 6 challenge.

It does not contain the answer, so you can use as many hints as you want but still have to put everything together yourself to complete it.

Note: A lot of these challenges have multiple different ways of solving them, so the hints here might not match what you have found already.

Hint 1: The picture is a clue to a filetype which contains the challenge.

Hint 2: The PayPal link isn’t a trick; it has nothing to do with the challenge.

Hint 3: Can you use code from a similar challenge to automatically navigate these?

Hint 4: Check out the comments in each of the files.

Hint 5: Can you collect the data from the comments in the correct order and map it?

Hint 6: All the comments in the correct order should show a word.

Hints and Tips for PythonChallenge level 5

This is a page of hints for the Pythonchallenge.com level 5 challenge.

It does not contain the answer, so you can use as many hints as you want but still have to put everything together yourself to complete it.

Note: A lot of these challenges have multiple different ways of solving them, so the hints here might not match what you have found already.

Hint 1: Browse the source code for files you can download.

Hint 2: Say the challenge name out loud. Does it sound like any Python libraries?

Hint 3: Think of small preserved cucumbers.

Hint 4: The 2nd part involves organising the text.

Hint 5: The organised text should spell out a word.

Spotting mobile passcodes/patterns from a distance

A quick warning to anyone who has a very simple passcode on their phone: you never know when you’re being recorded on camera or being watched from across the room. If entering your passcode doesn’t involve your hand moving around to different keys much, it’s likely very simple for someone to guess your code. Someone entering the code 123456789 will be obvious to spot by the hand movement, as will someone using a passcode with only 1 digit repeated.

As seen here with Lance Gooden unlocking his phone whilst being recorded. Even though we can’t see the mobile phone screen, it’s fairly obvious what the passcode is.

The same applies to unlock patterns that are a simple L or backwards L shape.

In Lance’s defence, this could be a burner phone which only has a WhatsApp chat with the family, or he’s actually far smarter than he appears and has temporarily changed his code for the day if he knew he was going to be recorded. But it does highlight that if you are using a passcode/pattern as your only method of authentication to get into your phone, you should try to use different characters as much as possible.