Lazy hacking - Stealing password with no effort

What's worse than a lazy hacker?

A lazy sysadmin.

Nowadays any sysadmin can rely on thousands of online tools and services: files scanners, converters, editors, for any needs you might find an online service that helps you in the daily IT routine.

I've been (and sometimes still am) lazy too, and often used one of those free sites for a “one time task” like converting or editing a file for which I didn't have any proper tool installed, or didn't want to install nor pay for crappy tools; but what you'll read below has somehow changed my perspective and made more cautious about this habit.

Have you ever heard the way of saying “if you're not paying for it, you are the product”? Well, this sentence fits in a scary way to this site:

https://apackets.com/

Apackets.com allows you to view online different format of packet capture files; the site is great, has a very nice interface, it's easy to use  and, up to a certain extent, it's free.

Most of the limitation of the free usage are well explaind in its FAQ, for example: you can't upload files bigger than 25MB and... the last 100 files (freely) uploaded are kept on a public page/feed:


As you can see the layout is great and for every file/capture the site automatically shows the protocols involved; so, if the lazy sysadmin has uploaded a file containing plain text credentials, they'll be exposed for everyone's benefit.

Let's bel clear: the site is perfectly legitimate and everyithig I'm writing here is well explained on the site itself, but do you always read the terms of use don't you?

While only a few of all caputers might contain credentials, and usually most of them are only internal/private systems, if have patience you can get fully working credentials just by staring at the screen and refreshing every once in while.

Here are some examples:

Be careful and thank me later.