Sparc Flow > Quotes

“Unfortunately, Drupal’s hashes are salted (a random string is prepended to the password), making them time-consuming to crack. Even hours after launching John, we cannot get a positive result. It looks like the passwords are pretty strong. Our only other option is to plant an SSH key.”
― Sparc Flow, How To Hack Like a Pornstar: A Step By Step Process For Breaking Into A Bank

“However, if we replace 13 with ‘14-1’, for instance, we get back the product 13. Interesting. This could mean that our arithmetic operation was actually executed by the back-end system. To be sure we try again with ‘product/13+1’37 as well as with ‘product/(select 14)’.”
― Sparc Flow, How To Hack Like a Pornstar: A Step By Step Process For Breaking Into A Bank

“The interesting part though, is that – by default – MongoDB does not require any authentication whatsoever. If someone has the (great) idea of exposing it on the internet without minimal security optimization, anybody can access its content. A quick search on Shodan48, a global internet search engine, gives an idea of just how many (unrestricted) MongoDBs there are in the wild”
― Sparc Flow, How To Hack Like a Pornstar: A Step By Step Process For Breaking Into A Bank

“Now to discover which applications are present on a system, we simply send a hello request (SYN packet) to every port available and see which ones respond. That’s the main idea behind a port scanner. If we receive a ‘hello back’ (ACK packet) we know a service is listening on that port. The tool may then send additional requests to get more information: product name, version, etc.”
― Sparc Flow, How To Hack Like a Pornstar: A Step By Step Process For Breaking Into A Bank