Archive for the ‘Tutorial’ Category

Remove the facebook annoying seen label

June 12, 2012

Do you like the new facebook “feature” that tells you when someone sees your messages?!

I think I can assume that only stalkers like this new feature… 🙂 I don’t like to put any pressure to reply my messages, and I don’t like when someone asks why I’m not replying.

TLDR – here

If you want to know how this is done, it’s very simple!

So every time you see a message your browser sends a request to a facebook page saying that you saw that message.

How do I find these things?!

Simply open chrome in debug mode and switch to Network, next use an account to send a message to you and see what shows when the seen message pops up on the other side. You’ll find something like this…

And this is it… All we have to do is to block this request and it’s done. 🙂

So how do I block this?!

It’s very simple if you are talking about chrome, can’t say about others because I’m not familiar with their extensions, on chrome you just need to filter the request using…


If you check the documentation you have an example that is almost exactly what you need.

   chrome.webRequest.onBeforeRequest.addListener(
     function(details) { return {cancel: true}; },
     {urls: ["*://*"]},
     ["blocking"]);

This simple code blocks any request going to , so you need to change this piece of code to match the facebook url found earlier.

Something like this: “*://**” and it’s done!

So make your own plugin or download this one available on Chrome web store

Make Chrome your default browser on Debian testing

June 8, 2012

I was having a few problems setting chrome to be the default browser. I don’t know why, but the browser can’t set itself as the default browser. There’s no error; this function simply has no effect.

So how do you do it?! It’s very easy and simple…

First you need to set chrome as your default alternative.

sudo update-alternatives --config x-www-browser (Select chrome as default)

If you are using gnome…

At first I thought that this was enough… Well it wasn’t and after one or two reboots I wasn’t able to open links from pidgin, for example.

Here comes the second part…

sudo cp /opt/google/chrome/google-chrome.desktop /usr/share/applications/.

sudo update-menus

And you should be ready to go… 🙂

PasteMiner – a pastebin monitor

Pasteminer is a monitoring tool for pastebin, with the following features:

  • Multi-threaded (But it’s python, these two don’t mix very well)
  • Proxies can be used to collect information
  • Filters data using White List or Black List
  • Filters can be a simple keyword, a Word List or a regular expression

TLDR -> pasteminer 🙂

Well this was something I coded a while back, I was doing some experiments with pastebin and used this to collect information about what was being uploaded.

I was doing this experiment for multiple reasons, but mainly to test a few theories. Well, first it’s a good way to keep up-to-date about the trending subjects that pull more users to open or view spam messages or to run viruses. The usual and more common subjects are iPhone jailbreak, movies, music, stolen and premium accounts etc. These guys don’t waste time; they are up-to-date on what the users want!

As an example, lately pastebin has been flooded with diablo3 “hacks/cracks”, nothing more than scam/hacking attempts. So we can say that pastebin is a good source to get the latest malicious software samples about these subjects, to be dismantled and disabled, stopping the operators before they manage to hit someone.

Continuing with the diablo3 example, blizzard could gain some insight on how these pirates are working by simply keeping an eye on pastebin and other similar sources, creating patterns and applying them in the “wild web” to detect these scam attempts on their products.

Pastebin is also used by hacking groups to post some of their achievements; usually this is done by posting private information about their targets. If a company is monitoring pastebin and some group posts sensitive information, an alert can be generated and sent in a matter of seconds, and in these subjects a quick response is everything.

This is the obvious and direct advantage of monitoring these sources, but this is just one among many. For example, we can go further by “keeping an eye” on this leaked user data and checking if an employee of our company was a victim. This situation can be a huge security problem, because normally we use the same passwords for different services. When a situation like this is detected, the compromised accounts can be disabled and a warning issued to the employee requesting to fix this problem.
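The filtering and leak-check ideas above, as an added Python 3 example that is not PasteMiner's code: a paste is dropped by a black list, kept by a white list (keyword, word list or regular expression), and then scanned for addresses in an assumed company domain, example.com. The rule format, function names and sample pastes are constructed for illustration.

```python
import re

# Hypothetical rule set (not PasteMiner's own format): each rule is a keyword,
# a word list or a regular expression, as in the feature list above.
BLACK_LIST = [
    ("wordlist", ["diablo3 crack", "iphone jailbreak", "premium accounts"]),
]
WHITE_LIST = [
    ("keyword", "example.com"),                        # assumed company domain
    ("regex", r"(?i)\b(password|passwd|pwd)\s*[:=]"),
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def rule_matches(rule, text):
    kind, value = rule
    lowered = text.lower()
    if kind == "keyword":
        return value.lower() in lowered
    if kind == "wordlist":
        return any(word.lower() in lowered for word in value)
    if kind == "regex":
        return re.search(value, text) is not None
    raise ValueError("unknown rule kind: %r" % kind)


def triage(paste, company_domain="example.com"):
    """Return (verdict, employee_addresses) for one paste body."""
    if any(rule_matches(r, paste) for r in BLACK_LIST):
        return "ignore", []
    if not any(rule_matches(r, paste) for r in WHITE_LIST):
        return "ignore", []
    # Compare the whole address so x@example.com.evil.invalid is not a hit.
    suffix = "@" + company_domain.lower()
    hits = sorted({m.lower() for m in EMAIL_RE.findall(paste)
                   if m.lower().endswith(suffix)})
    return ("alert" if hits else "review"), hits


# Constructed sample pastes, not real data.
SAMPLES = {
    "spam": "FREE Diablo3 crack download premium accounts http://spam.invalid/x",
    "leak": "dump by grp\nalice@example.com:hunter2\nbob@other.invalid:qwerty\n"
            "password: see above",
    "noise": "def main():\n    print('hello')",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

An "alert" verdict is the case described above where an employee account should be disabled and the owner warned; "review" means the paste matched the white list but named no company address.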

While I was testing pasteminer there was an *individual* work submission of a class in my university, and just for fun I tried to see if anyone shared some code from the submission, to be clear I wasn’t attending that class :). Just in a few hours I was successful in this search since it was very easy to search for a couple of keywords.

There are a lot more uses for a piece of software like this; these are just some of the most simple.

The code is very simple and may have/has some bugs, it’s not a piece of art but does its job as a POC very well. 🙂 served its purpose well. I wasn’t planning on releasing it but changed my mind and decided to post this and I ended up writing a lot more than I expected 🙂

Thank you for reading this even if it doesn’t have a single line of code!


Categories: Tools, Tutorial

python/sqlite Date

April 10, 2012

I was doing some work with sqlite3 databases in python and got a few problems with dates.

First problem was with datetime.strptime. I was coding a multi-threaded algorithm and found the hard way that this function isn’t thread safe! And python returned an exception complaining about failing to obtain a lock (mutex).

Fix: Simply execute some command using datetime.strptime *before creating* any thread.

datetime.strptime("2012-04-10 22:22:22","%Y-%m-%d %H:%M:%S")

Second problem, after fixing the threads issue now python was returning a “ValueError: unconverted data remains:”. This is a simple fix, there was some part of the date string that was being ignored.

Fix: Use this as a format "%Y-%m-%d %H:%M:%S.%f"

Lastly, my sqlite3 was now using a different time from my machine. After a small search I found that if you are receiving dates from an external source to the sqlite3 engine you should add the "localtime" to the call.


  • strftime('%s','now','localtime') – This returned GMT (my system time)
  • strftime('%s','now') – This returned GMT -1 (maybe a default)
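The three fixes above combined in one added Python 3 example (not code from the original post): a warm-up strptime call before any thread starts, a parser that accepts timestamps with or without fractional seconds, and a query that measures what the 'localtime' modifier changes. The function names are chosen here for illustration.

```python
import sqlite3
import threading
from datetime import datetime

FORMATS = ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S")

# Warm-up call in the main thread, before any worker exists (the first fix):
# it forces the lazy import that strptime performs on first use.
datetime.strptime("2012-04-10 22:22:22", "%Y-%m-%d %H:%M:%S")


def parse_ts(text):
    """Parse a timestamp with or without fractional seconds."""
    for fmt in FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unsupported timestamp: %r" % text)


def parse_in_threads(values, workers=4):
    """Parse every value from several threads; results keep input order."""
    results = [None] * len(values)

    def work(start):
        for i in range(start, len(values), workers):
            results[i] = parse_ts(values[i])

    threads = [threading.Thread(target=work, args=(n,)) for n in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def localtime_shift(stamp="2012-04-10 22:22:22"):
    """Seconds that the 'localtime' modifier adds to strftime('%s', ...)."""
    con = sqlite3.connect(":memory:")
    plain, local = con.execute(
        "SELECT strftime('%s', ?), strftime('%s', ?, 'localtime')",
        (stamp, stamp)).fetchone()
    con.close()
    return int(local) - int(plain)
```

localtime_shift() returns the machine's UTC offset at that instant, in seconds, so it is 0 on a host whose clock is set to UTC.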

I hope this helps someone with the same problem 🙂

Obfuscating messages in

March 11, 2012

A couple of days ago I was playing with pastebin, and started to “crawl” around in their website. At the same time I was reading some news about botnets and decided to go deep into this subject, specifically their C&C: how they normally control the botnet using IRC channels, among others. There are a few nice references about this subject on the wiki page.

Then I was viewing some bots “pasting”. Some are clever, this is me guessing :), they even change their message structure or text to avoid hashing and add a very long list of TAGS at the end to make sure they pop up on the results of any crawler. Others just send a very long list of links to download services.

So if you are monitoring the posts, how do you prevent your crawler from indexing these messages? My solution was to look for common points, like blog links or some other characteristics. After analyzing some of these posts a thought crossed my mind and I mixed both subjects…

I thought that I could easily pass messages around pastebin that will be “ignored as spam” in most cases, using these spam messages to obfuscate the real content of the post. When I get something like this in my mind I won’t rest until I get some results, positive or negative…

So I decided to look even closer to the messages, and found two possibilities of doing this. Here’s a link to some spam messages that I found.

  1. On the first message we can use the TAG list as dictionary and hide the messages there.
  2. On the second we can use the link codes to hide the message, this means that a simple solution will not be able to give valid links to files, but it’s not impossible.

As I didn’t want to spend a lot of time on this subject I followed the first option.

First I got all the TAGs from the message and created a list. To make this work I needed to be able to encode a TAG into a 0 to 255 value, so I started testing and ended up with this simple function:

# last - last key used, keyword - TAG
def makeKey(self,last,keyWord):
	# make a hash from the keyword
	key = hashlib.md5(keyWord+self.salt).hexdigest()
	# some operations that use the last value
	# to generate an index to a byte in key
	# get that byte
	val=int("0x"+byte, 0)
	return val

Given the last calculated code and a keyword, it will generate the next code. I tested this function with the dictionary, adjusted a few things in the dictionary and created a few helper functions and was able to use the TAGs to pass messages YEY!

In order to make the message pass as a normal spam message I still needed to add some more random TAGs and add the normal spam text before the TAGs.

At this point I was able to hide a message in an apparently “normal” spam message, and even pass multiple messages with different encodings or from the socket point of view, different ports.

But you only need to send a message if there is someone waiting for it 🙂 so I needed a way to distinguish these “special” messages from a “normal” message. I was already spending too much time in this subject, so I came up with a simple solution and made a checksum using the dictionary and inserted it in the first line of the message.

Please keep in mind that this was a code made in a few hours after work, and a proof of concept, so it may not be the best or the most pretty… 🙂

def checkHeader(self,control,header):
	spl=header.split(" ")
	except ValueError:
	for i in xrange(len(control)/2):
		seq = control[x:y]
			key = hashlib.md5(h).hexdigest()
			if(seq in key):
	if(sum==l and base==len(spl)):
		return True
		return False

def makeHeader(self,control,limit=50):
		for i in xrange(len(control)/2):
			while True:
				header+=random.choice(self.keylist)+" "
				key = hashlib.md5(header).hexdigest()
				if(control[i*2:(i*2)+2] in key):
			return header

Now I was able to identify a message addressed for me from other messages. At this point I thought, well I did it, it’s possible, time to stop now! And I did stop, but I was talking to one of my friends and he convinced me to share this, I normally don’t do this I simply get over it and start thinking on something else…

But since he convinced me into sharing this, I decided to make the code more fun and made a simple shoutbox over pastebin. It’s not very easy to use because you’ll have to open a link and fill the captcha every time you send a message, it was not my objective to try to bypass pastebin spam control system.

Keep in mind that this is a proof of concept code, probably has many bugs in the obfuscating algorithms or they aren’t secure or fail in some cases. And I know that this isn’t a viable way of chatting or making a shoutbox due to many constraints.

BUT remember that I was doing this to try and pass hidden messages in normal spam messages, creating a system capable of sharing messages anonymously, under the subject of botnet C&C. By doing this little research I can conclude that ignoring spam may not be a solution in some forms of investigations. And I think that probably this was already thought and done or being used by someone else.

Without delay here you can find this simple code and some screen shots of it working.

shARPWatcher Protect your android phone from faceniff and droidsheep

February 19, 2012

shARPWatcher is an application to protect your android phone against arp spoof attacks, used by software like faceniff and droidsheep. 

This application has two modes:

  1. Rooted phone – Preemptive mode: As soon as your device connects to a network it prevents all spoof attacks, rendering them useless (Low battery consumption and 100% bullet proof).
  2. UnRooted phone – Best Effort mode: It keeps monitoring your phone, from time to time, searching for attacks. If it detects one and the disconnect on attack option is on, it deactivates your wifi; otherwise it sends an alert.

To be completely protected against these attacks you need to have a rooted phone, otherwise there’s always the chance the attacker gets what he wants.
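The page does not show how shARPWatcher detects an attack. As an added Python 3 example (not the app's code), here is one common check a periodic monitor like the Best Effort mode could run: read the kernel ARP table and compare the gateway entry with the MAC recorded when the network was joined. The function names, addresses and both table snapshots are constructed for illustration.

```python
# Constructed /proc/net/arp snapshots (Linux/Android format), not captured data.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.23     0x1         0x2         a0:b1:c2:d3:e4:f5     *        wlan0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         a0:b1:c2:d3:e4:f5     *        wlan0
192.168.1.23     0x1         0x2         a0:b1:c2:d3:e4:f5     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def parse_arp(table):
    """Return {ip: mac} for the resolved entries of a /proc/net/arp dump."""
    entries = {}
    for line in table.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2 and mac != "00:00:00:00:00:00":   # 0x2 = ATF_COM
            entries[ip] = mac
    return entries


def check(table, gateway_ip, trusted_gateway_mac):
    """Return a list of findings; an empty list means nothing suspicious."""
    entries = parse_arp(table)
    trusted = trusted_gateway_mac.lower()
    findings = []
    seen = entries.get(gateway_ip)
    if seen and seen != trusted:
        findings.append("gateway %s moved from %s to %s"
                        % (gateway_ip, trusted, seen))
    # A second host sharing the gateway's MAC is the usual spoofing signature.
    owners = {}
    for ip, mac in entries.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if gateway_ip in ips and len(ips) > 1:
            others = sorted(i for i in ips if i != gateway_ip)
            findings.append("%s answers for the gateway and %s"
                            % (mac, ", ".join(others)))
    return findings
```

Any non-empty result maps to the two reactions described above: disable WiFi when the disconnect option is on, otherwise raise a notification.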

[How to install]

Simply go to android market and search for “sharpwatcher”, follow this market link or read the qrcode. 🙂

[How to use]

It’s very simple to use and you almost don’t need to configure anything.

  1. Tap the shield image to turn on or off (Green WiFi symbol On, Red WiFi symbol off)
  2. You need to turn on or off with your WiFi disabled, turning on with an already connected WiFi may not protect you.

Rooted phone (Preemptive mode) it’s all you need to know… 🙂

For UnRooted devices (Best Effort) you still have one more option!

  • Disconnect under attack check box

If you have this option checked, when an attack is detected shARPWatcher will disable your WiFi, preventing any further damage. If this option is off then it will send a notification warning you that it detected an attack.

IMPORTANT: If sometimes on preemptive mode your connection seems to stop working for a while, it’s not shARPWatcher’s fault. It means that you are under attack and it’s not working for the attacker 🙂

shARPWatcher UI


sslstrip mod to support plugins

December 4, 2011

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of

This is my modification of sslstrip to support plugins. was removed so you can’t install this version directly,
use it only from the folder

I created this to help me on some tests I did, it got a lot easier. This code isn’t perfect, far from it…
For someone that hasn’t much experience in python this was made in record time… don’t be too hard on the errors
it might have.

Screen shots:

Starting sslstrip example

Some actions printed

Some more


  • Do it as if you were installing sslstrip normally
  • Don’t use won’t work. This is an experimental version.


  • To activate plugins add the -x or --s1plugin option in the command line

####### Plugin Info #########

File structure:
|____ plugins (All plugins are here)
|                 |____    _OSFinder (Plugin folders, each plugin has its own folder)
|____ * (All the other files, you don’t need to change anything)
It’s easy, so if you know what you are doing you shouldn’t have a problem understanding
if you can’t then don’t change anything 🙂

About plugins folder:

  • A plugin is only loaded if its folder HAS the file
  • Deactivating a plugin: rename or remove “”
  • To be loaded, a plugin must have a file named with a class named S1Plugin respecting the rules

Plugin class:

  • EventSender is an empty plugin; if you want to create a new one, use that and remove what you don’t need
  • What can you do and listen: (I think I don’t need to explain)
      1. onResolveHost(self,client,host,result)
      2. onHostResolvedSuccess(self,client,address)
      3. onHostResolvedError(self,client,error)
      4. onCleanHeaders(self,client,headers,result)
      5. onClientConnection(self,host,headers,client,path,postData,url)
      6. onSendSpoofedFaviconResponse(self,client,icon_path)
      7. onProxy(self,client,host, method, path, postData, headers, port, ssl)
      8. hijackConnection(self,client,url,clientConnection)
      9. onVisitUrl(self,client,url,postData)
      10. injectContent(self,client,contentType,data)
  • Store and read values on disk (settings.db) -> sqlite3
      1. storeValue("key1","ohhyeah")
      2. readValue("key1")
  • Communicate between plugins
      1. View _OSFinder and UrlLogger plugins for reference

Modifications on

Find this:
print "\nsslstrip " + gVersion + " by Moxie Marlinspike running..."
# ------ SizeOne Mod ------
# import the event manager class if detected
from s1plugin.S1StrippingProxy import S1StrippingProxy
# create/replace normal classes
strippingFactory.protocol = S1StrippingProxy
# -------------------------

I think it’s all I have to say for now

More Info: