Ideas and preliminary findings:
  • Reddit seems to have implemented some hidden SSL encryption for the login process. I'm seeing an SSL handshake happening even though the entire page is not HTTPS.
  • Reddit's session cookies are passed along unencrypted... this opens the door to session hijacking, which might be a whole lot of fun.
  • Reddit's private messages are hard-coded into the HTML; no JavaScript trickery there.


Using Justniffer's HTTP traffic reconstructor, a full webpage of the messages was captured. Oddly enough, this did not show up until after a few clicks into the web page... there must be some delay in the processing somewhere.

Redid a packet capture with Wireshark and managed to find the exact packet containing the private message. All that's left is defining a rule to catch it in the future.
Packet saved in the "ripped information" folder.

All work done on clean installs of virtual machines using VirtualBox.

1x BackTrack 5 x32 install using 1400MB of memory and 65MB of video memory
1x Virgin XP install using 1024MB of memory and 20MB of video memory
(XP install to be cloned as needed for simulated social activity)

Procedure for imaging XP clones:
1) Simulate activity to be analyzed later
2) Shut down the XP machine
3) Insert the BT5 ISO as a virtual CD
4) Boot into BT5 Forensics mode
5) Attach external media through VirtualBox (we will use this to save the image)
6) Manually mount the external media using mount -rw (Forensics mode mounts read-only by default)
7) Use AIR to make an image of the main hard drive where Windows is installed
8) Verify that the hashes match and that the copy completed successfully
9) Power off the VM
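Steps 6 to 8 of that procedure as a shell script. This is an added example, not part of the original notes: it uses plain dd and sha256sum in place of the AIR front-end, and the device paths in the comments are assumptions to be replaced with the lab's own.

```sh
#!/bin/sh
# Added example, not from the original notes: steps 6-8 of the imaging
# procedure done with plain dd and sha256sum instead of the AIR front-end.
# Device paths are assumptions; substitute the lab's own.

# Step 6: Forensics mode leaves media read-only, so mount the external
# target explicitly with rw. $1 = device (e.g. /dev/sdb1), $2 = mount point.
mount_rw() {
    mount -o rw "$1" "$2"
}

# Step 7: block-level copy of the source device into an image file.
# No conv=sync here: it would pad the final partial block with zeros and
# the image hash would then no longer match the source.
make_image() {
    dd if="$1" of="$2" bs=64k
}

# Step 8: hash the source and the image and compare them. Both hashes are
# written next to the image so the verification is preserved with it;
# returns 0 only when they are identical.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$2.sha256.log"
    [ "$src_hash" = "$img_hash" ]
}

# Steps 7 and 8 together; stops at the first failure.
image_and_verify() {
    make_image "$1" "$2" && verify_image "$1" "$2"
}
```

Run as image_and_verify /dev/sda /mnt/external/xp-clone.dd once the media is mounted; a non-zero exit means the image must not be trusted.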

Method-1.html(2.25 KB) meghancaiazzo, Aug 6 2013, 9:34 AM
Method-2.html(788 bytes) meghancaiazzo, Aug 6 2013, 9:35 AM
Method-3.html(2.24 KB) meghancaiazzo, Aug 6 2013, 9:35 AM
methodsUsed.html(395 bytes) meghancaiazzo, Aug 6 2013, 9:33 AM
redditSetup.html(705 bytes) meghancaiazzo, Aug 6 2013, 9:27 AM
resourcesIncluded.html(1023 bytes) meghancaiazzo, Aug 6 2013, 9:30 AM

M1-grepdhtml.txt(879 bytes) meghancaiazzo, Aug 6 2013, 9:37 AM
M1-outputhtmlcapture.txt(6.01 MB) meghancaiazzo, Aug 6 2013, 9:36 AM
M1-rawcapture.cap(581.89 KB) meghancaiazzo, Aug 6 2013, 9:36 AM
M2-inbox(25.61 KB) meghancaiazzo, Aug 6 2013, 9:37 AM
M3-grepdhtml2.txt(115 bytes) meghancaiazzo, Aug 6 2013, 9:38 AM
M3-messagesandposts.html(138.17 KB) meghancaiazzo, Aug 6 2013, 9:39 AM
M3-rawcapture2.cap(3.01 MB) meghancaiazzo, Aug 6 2013, 9:39 AM
M3-searchme.html(387.09 KB) meghancaiazzo, Aug 6 2013, 9:40 AM
justniffer output(4.00 KB) meghancaiazzo, Aug 7 2013, 10:07 AM
justniffer_output.zip(1.49 MB) meghancaiazzo, Aug 7 2013, 10:07 AM
