Wibla
Feb 16, 2011

RFC2324 posted:

It's a home lab for my partner and me; between my system overengineering and her network overengineering, it's pretty rare for us not to have something broken.

That's why you have a separate uSFF box for the stuff that you actually need online :colbert:


Combat Pretzel
Jun 23, 2004

BlankSystemDaemon posted:

The one thing Edge got right, is that it implements a sandbox that's enforced from a higher privilege (ie. by using VMENTER/VMEXIT for hardware-assisted virtualization).
Hmmm? You mean the Application Guard session? That's really just spinning up a virtual machine in Hyper-V and doing RemoteApp kind of business.

--edit: TBH, I'm surprised that Microsoft doesn't enable the AppGuard stuff for more or third party applications.

Combat Pretzel fucked around with this message at 17:11 on Apr 9, 2023

BlankSystemDaemon
Mar 13, 2009

Combat Pretzel posted:

Hmmm? You mean the Application Guard session? That's really just spinning up a virtual machine in Hyper-V and doing RemoteApp kind of business.

--edit: TBH, I'm surprised that Microsoft doesn't enable the AppGuard stuff for more or third party applications.
It's not like Microsoft hasn't already taken stuff from FreeBSD (their dtrace implementation is a fork of the one found in FreeBSD, and WSL1 is a syscall translation layer like Linuxulator), so they could've taken Capsicum too, and that would've been a much better way to do it.

Subjunctive
Sep 12, 2006

Capsicum is great and I also want pledge. BSD’s jails were the state of the art for a long time too. Fertile ground for security innovation.

The Fool
Oct 16, 2003


crossposting since thread audiences seem different enough

Diva Cupcake
Aug 15, 2005

The Fool posted:

crossposting since thread audiences seem different enough
Ooooh. Now with cool features like not storing passwords in the clear. And automatic password rotation on use.

evil_bunnY
Apr 2, 2003

The Fool posted:

crossposting since thread audiences seem different enough
LAPS is really useful, that's great.

RFC2324
Jun 7, 2012

Arivia posted:

that means rfc's partner is breaking her employer's homelab

Kinda slow on this but are you implying I am a man?

:P

And yeah, I think trying to get the home services somewhere stable is gonna remain a goal for a long time 💖

Arivia
Mar 17, 2011

RFC2324 posted:

Kinda slow on this but are you implying I am a man?

:P

And yeah, I think trying to get the home services somewhere stable is gonna remain a goal for a long time 💖

Ack, sorry for any offense.

Shumagorath
Jun 6, 2001
Ars had that writeup of AI-generated password candidates today and it mentions RockYou being (obviously) outmoded. What publicly-accessible password corpus is the gold standard today? Surely red teams aren’t expected to go darknet shopping…?

sterster
Jun 19, 2006
Is this where I could be an annoying brat and ask a bunch of question regarding offensive testing?

I was recently given the opportunity to sink or swim. The most I've ever done was hook up Burp Suite to some automated UI testing to have Burp do its thing, along with some 'manual' SQL or XSS stuff using a local known-vuln PHP site. I'm familiar with most of the exploits from an academic perspective, but doing this IRL from the outside seems different.

I guess this is a question of where to begin if I've already got a scope for domains and permission to start, and have access to do black/grey box testing if need be.

spankmeister
Jun 15, 2008

Shumagorath posted:

Ars had that writeup of AI-generated password candidates today and it mentions RockYou being (obviously) outmoded.

Link the article please.

sterster posted:

Is this where I could be an annoying brat and ask a bunch of question regarding offensive testing?

I was recently given the opportunity to sink or swim. The most I've ever done was hook up Burp Suite to some automated UI testing to have Burp do its thing, along with some 'manual' SQL or XSS stuff using a local known-vuln PHP site. I'm familiar with most of the exploits from an academic perspective, but doing this IRL from the outside seems different.

I guess this is a question of where to begin if I've already got a scope for domains and permission to start, and have access to do black/grey box testing if need be.

Try HTB Academy or TryHackMe or a similar guided pentesting course. Focus on the web stuff. It's too big a topic to explain in a forum post; you need to practice.

Defenestrategy
Oct 24, 2010

sterster posted:

I guess this is a question of where to begin if I've already got a scope for domains and permission to start, and have access to do black/grey box testing if need be.

If you already have scope that's like 50% of the battle for doing infrastructure pentesting.

Now you have to think like one of those scary Eastern Europeans wearing a hoodie with a Matrix screensaver: you have a target, now you need to scan your target. If you're not worried about setting off alarms, taking a hot minute, or breaking stuff, don't be afraid to run through every applicable scan tool you can think of. At the very least nmap for everything, nikto for web servers. Once you've run your scans and you have a bunch of services and stuff you could potentially poke at, that's when you can start looking at vulns for all the services that you found, and then you test, carefully, whether those vulns work. Then you do a lot of boring paperwork.

Shumagorath posted:

Ars had that writeup of AI-generated password candidates today and it mentions RockYou being (obviously) outmoded. What publicly-accessible password corpus is the gold standard today? Surely red teams aren’t expected to go darknet shopping…?

RockYou might be outdated, but people are still using those passwords. I've seen some infrastructure creds in the wild that could be nailed by rockyou.


edit: thinking about it, with the advent of infrastructure as code, will that mean I no longer have to pentest in prod and can instead have a devops nerd boot me up a sandbox that I can freely destroy or is this not feasible except at giant companies?

Defenestrategy fucked around with this message at 22:27 on Apr 13, 2023

FungiCap
Jul 23, 2007

https://weakpass.com/ for all your dictionary needs.

You need to also add in keyboard walks, understand masks and character substitution, & user patterns if you want higher crack rates.

quote:

Surely red teams aren’t expected to go darknet shopping…?

No, of course not! Never! Perish the thought.
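The post above lists what a cracker's rule set adds on top of a plain dictionary (character substitutions, keyboard walks, masks and user patterns). The same knowledge is what a defender needs to reject those passwords at enrollment, which is what this added example does. It is not code from the thread or from weakpass.com; the wordlist is a constructed stand-in for a real leaked-password corpus, and the keyboard layout is US QWERTY rows only (vertical walks such as "1qaz" are deliberately out of scope).

```python
"""Checks for the weak-password patterns discussed above (character
substitutions over dictionary words, keyboard walks, and predictable masks),
written from the defender's side: reject such passwords at enrollment.

Added example, not code from the thread or from weakpass.com. The wordlist
is a constructed stand-in for a real leaked-password corpus."""
import re

# Constructed stand-in for a leaked-password corpus (load a real list in practice).
LEAKED_WORDS = {"password", "letmein", "summer", "welcome", "dragon", "monkey"}

# Substitutions that cracking rules apply ("p@ssw0rd"); the checker undoes them
# before the dictionary lookup so the substitution buys the user nothing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Rows of a US QWERTY keyboard; a walk is a run of neighbouring keys on one row.
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

# hashcat-style mask of the very common "Word1234!" shape:
# optional capital, lowercase run, one to four digits, optional symbol.
COMMON_SHAPE = re.compile(r"^(\?u)?(\?l)+(\?d){1,4}(\?s)?$")


def normalize(pw: str) -> str:
    """Lower-case, strip the trailing digits/symbols of the 'Summer2023!' pattern,
    then undo leet substitutions, leaving the core word for lookup."""
    core = pw.lower().rstrip("0123456789!?.*#")
    return core.translate(LEET)


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest substring that moves one key at a time along a
    keyboard row in either direction ('qwerty', '0987', 'lkjh')."""
    s = pw.lower()
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        adjacent = any(a in row and b in row and abs(row.index(a) - row.index(b)) == 1
                       for row in KEYBOARD_ROWS)
        run = run + 1 if adjacent else 1
        best = max(best, run)
    return best


def mask_of(pw: str) -> str:
    """hashcat-style mask: ?u upper, ?l lower, ?d digit, ?s anything else."""
    return "".join("?u" if c.isupper() else "?l" if c.islower()
                   else "?d" if c.isdigit() else "?s" for c in pw)


def check_password(pw: str) -> list[str]:
    """Return the reasons a password would fall to a rules/mask attack; an empty
    list means none of these checks fired (it is not a proof of strength)."""
    findings = []
    core = normalize(pw)
    if core in LEAKED_WORDS:
        findings.append(f"dictionary word {core!r} after undoing substitutions")
    walk = longest_keyboard_walk(pw)
    if walk >= 4:
        findings.append(f"keyboard walk of {walk} keys")
    mask = mask_of(pw)
    if COMMON_SHAPE.match(mask):
        findings.append(f"common mask {mask}")
    return findings


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "Qwerty1234!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "no pattern flagged")
```

The order in `normalize` matters: trailing digits are stripped before the leet table is applied, otherwise "123" would be rewritten as "ize" and the dictionary lookup would miss. The mask check is the cheap way to catch the "capital word, year, exclamation mark" shape that passes most length-and-complexity policies.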

Subjunctive
Sep 12, 2006

Defenestrategy posted:

edit: thinking about it, with the advent of infrastructure as code, will that mean I no longer have to pentest in prod and can instead have a devops nerd boot me up a sandbox that I can freely destroy or is this not feasible except at giant companies?

IME it's not feasible at giant companies because they can't really replicate prod in a useful way. They can change it, but too many things will expect to be the only instance of something running, or have a hard-coded rendezvous point, or similar. DNS is often something that gets hosed up badly if you try to just copy the terraform and run it again, with things colliding in CDN and LB configuration or other things. Maybe someone at Google could spin up their own gmail, but I doubt it comes with its own copy of spanner and suchlike.

sterster
Jun 19, 2006

spankmeister posted:

Link the article please.

Try HTB Academy or TryHackMe or a similar guided pentesting course. Focus on the web stuff. It's too big a topic to explain in a forum post; you need to practice.

Thanks, I know that I need to practice being able to track down what is and isn't a priority. I suppose I was looking for more of a process for evaluating a target and where to begin. Thanks for the suggestions; I'll start looking into them. Think I've got HTB creds somewhere too.

Defenestrategy posted:

If you already have scope that's like 50% of the battle for doing infrastructure pentesting.

Now you have to think like one of those scary Eastern Europeans wearing a hoodie with a Matrix screensaver: you have a target, now you need to scan your target. If you're not worried about setting off alarms, taking a hot minute, or breaking stuff, don't be afraid to run through every applicable scan tool you can think of. At the very least nmap for everything, nikto for web servers. Once you've run your scans and you have a bunch of services and stuff you could potentially poke at, that's when you can start looking at vulns for all the services that you found, and then you test, carefully, whether those vulns work. Then you do a lot of boring paperwork.

RockYou might be outdated, but people are still using those passwords. I've seen some infrastructure creds in the wild that could be nailed by rockyou.


edit: thinking about it, with the advent of infrastructure as code, will that mean I no longer have to pentest in prod and can instead have a devops nerd boot me up a sandbox that I can freely destroy or is this not feasible except at giant companies?

Thanks for the info. This will be web application stuff mostly, and I luckily have a test env to play around with too! I'm already feeling out of my element, but this makes sense and gives me a starting point.

Shumagorath
Jun 6, 2001

spankmeister posted:

Link the article please.

https://arstechnica.com/information-technology/2023/04/the-passgan-ai-password-cracker-what-it-is-and-why-its-mostly-hype/

The point of the article is to poo poo on PassGAN hucksterism, but the comment about there being much better lists in addition to good masks / rules was what interested me. I also didn’t know Markov models were in play now; it’s been a while.

New Zealand can eat me
Aug 29, 2008


This paper from Florida State U used Markov models in 2010. I think they hit peak popularity in 2014 or so when everyone started maxing out their DDR3 systems with RAM and finally had the 32GB they needed to really make useful chains with rockyou+known previous.
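The Markov models mentioned above are simple to build, and the same model that orders a cracker's guesses can be turned around for defence: a password the model assigns a high probability is one a Markov-driven cracker would reach early, so a policy can reject it. This added example (not from the thread or the paper it refers to) trains an order-2 character model on a constructed leaked-password sample and scores candidates by their surprisal in bits; the rejection threshold is a tunable constant of the example, not a derived value.

```python
"""Character-level Markov model of the kind referred to above, trained on a
leaked-password sample and used defensively: low surprisal under the model
means a cracker ordering guesses by the same model reaches the password early.

Added example, not from the thread or the paper it mentions. The training
sample below is constructed; in practice you would train on a real corpus."""
import math
import string
from collections import defaultdict

START, END = "\x02", "\x03"                      # boundary symbols, not printable
ALPHABET = set(string.printable.strip()) | {END}  # symbols a candidate may contain

# Constructed training sample standing in for a leaked corpus.
SAMPLE_LEAK = ["password", "password1", "password123", "123456", "qwerty",
               "letmein", "iloveyou", "summer2023", "dragon", "monkey",
               "baseball", "welcome1"]


class CharMarkov:
    """Order-k model: P(next char | previous k chars), add-one smoothed."""

    def __init__(self, order: int = 2):
        self.order = order
        self.counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))

    def train(self, passwords) -> None:
        for pw in passwords:
            seq = START * self.order + pw + END
            for i in range(self.order, len(seq)):
                self.counts[seq[i - self.order:i]][seq[i]] += 1

    def prob(self, ctx: str, ch: str) -> float:
        # Laplace smoothing: unseen transitions keep a small nonzero probability
        # instead of making the whole password "impossible" under the model.
        row = self.counts.get(ctx, {})
        return (row.get(ch, 0) + 1) / (sum(row.values()) + len(ALPHABET))

    def surprisal_bits(self, pw: str) -> float:
        """-log2 P(password): lower means more guessable under this model."""
        seq = START * self.order + pw + END
        return sum(-math.log2(self.prob(seq[i - self.order:i], seq[i]))
                   for i in range(self.order, len(seq)))

    def ranked(self, candidates):
        """Candidates sorted most-guessable first, i.e. a cracker's guess order."""
        return sorted(candidates, key=self.surprisal_bits)


def too_guessable(model: CharMarkov, pw: str, min_bits: float = 50.0) -> bool:
    """Policy check: reject if the model finds the password more likely than
    2**-min_bits. The threshold is a tunable constant of this example."""
    return model.surprisal_bits(pw) < min_bits


if __name__ == "__main__":
    m = CharMarkov(order=2)
    m.train(SAMPLE_LEAK)
    for pw in ["password", "passw0rd", "Tq9#vLx2"]:
        print(f"{pw:10s} {m.surprisal_bits(pw):6.1f} bits  reject={too_guessable(m, pw)}")
```

With a dozen training passwords the add-one smoothing flattens the distribution, so the gap between a leaked word and a random string is only tens of bits; trained on a real multi-million-entry corpus the gap becomes large, which is the point the post makes about needing RAM for useful chains. A higher order captures longer fragments but needs correspondingly more data before its counts mean anything.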

Rescue Toaster
Mar 13, 2003
Speaking of password cracking, bitwarden now supports Argon2id for password hashing. Though it's not very helpful on the performance tuning side. I wish the apps had a quick perf test so you could check out how it performed. Also apparently on some platforms going above 256MB size can cause out of memory problems due to limitations.
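A quick perf test of the kind the post wishes the apps had is a short loop: double the memory cost until a single derivation exceeds the latency you are willing to pay, and never exceed the platform's memory ceiling. This added example is not Bitwarden's code; it uses scrypt from the Python standard library rather than Argon2id so that it runs without extra packages, and the `max_mem_mib` cap models the limit mentioned above. The loop is the same one you would run over Argon2id's memory cost.

```python
"""Cost-tuning benchmark for a memory-hard KDF. Added example, not Bitwarden's
code. Uses hashlib.scrypt (standard library) in place of Argon2id; the tuning
loop is the same one you would run over Argon2id's memory_cost."""
import hashlib
import time

R, P = 8, 1            # scrypt block size and parallelism, held fixed here
MIN_N = 1 << 12        # 4 MiB with r=8: the floor the tuner never goes below


def mem_mib(n: int, r: int = R) -> float:
    """scrypt's working memory is 128 * r * N bytes."""
    return 128 * r * n / (1024 * 1024)


def time_kdf(n: int, r: int = R, p: int = P) -> float:
    """Seconds for one derivation at cost N (constructed fixed inputs; timing only)."""
    t0 = time.perf_counter()
    hashlib.scrypt(b"benchmark-only-password", salt=b"\x00" * 16, n=n, r=r, p=p,
                   dklen=32, maxmem=2 * 128 * r * n + (1 << 20))
    return time.perf_counter() - t0


def tune_memory_cost(target_seconds: float = 0.25, max_mem_mib: float = 64.0,
                     r: int = R, p: int = P) -> dict:
    """Largest power-of-two N whose memory stays within max_mem_mib and whose
    single derivation stays under target_seconds on this machine. Returns the
    chosen parameters and the measured time; N never drops below MIN_N."""
    n = MIN_N
    seconds = time_kdf(n, r, p)
    while mem_mib(n << 1, r) <= max_mem_mib:
        nxt = time_kdf(n << 1, r, p)
        if nxt > target_seconds:
            break
        n, seconds = n << 1, nxt
    return {"n": n, "r": r, "p": p, "mem_mib": mem_mib(n, r), "seconds": seconds}


if __name__ == "__main__":
    result = tune_memory_cost()
    print(f"N=2^{result['n'].bit_length() - 1} r={result['r']} p={result['p']} "
          f"-> {result['mem_mib']:.0f} MiB, {result['seconds'] * 1000:.0f} ms per derivation")
```

Run it on the slowest device that has to unlock the vault, not on a workstation: the measured time is what decides the parameter, and the memory cap is what keeps a mobile client from being killed by the OS. For Argon2id the same loop would step the memory cost (in KiB) with `argon2.low_level.hash_secret_raw` from the argon2-cffi package and leave the time cost at the library default.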

cr0y
Mar 24, 2005

If anyone wants a new gizmo to play with, flipper zeros and accessories got restocked today.

https://flipperzero.one/

Wizard of the Deep
Sep 25, 2005

I've got a Flipper Zero, and it's a fun little tool/toy. I haven't found anything productive to do with it yet, but I'm glad it's in my toolbag.

The silicon case is worth it, too.

Defenestrategy
Oct 24, 2010

Wizard of the Deep posted:

I've got a Flipper Zero, and it's a fun little tool/toy. I haven't found anything productive to do with it yet, but I'm glad it's in my toolbag.

The silicon case is worth it, too.

Mine's been sitting on my desk after I cloned an elevator key fob and a garage clicker thing. Haven't used it since.

CLAM DOWN
Feb 13, 2007

Looks like fun but they're $300 CAD plus shipping/tax, which is absurd

cr0y
Mar 24, 2005

Yea it's just a toy for sure but seems to have a decent community around it and I have never let it go that I didn't get a tamagotchi when they were all the rage. THANKS MOM.

CommieGIR
Aug 22, 2006

I love mine but yeah it's a toy compared to my more expensive RFID/Badge cloner.

Still worth it.

Achmed Jones
Oct 16, 2004

hell it's a toy compared to a cheapo proxmark clone too

but it's getting on towards time to dig it out, update firmware, realize it's still kinda useless, and put it away again

cr0y
Mar 24, 2005

Took me a second to figure out that it wasn't just me

rafikki
Mar 8, 2008

I thought they did something stupid to the mobile search at first

i am a moron
Nov 12, 2020

It’s working fine for me except


rafikki posted:

I thought they did something stupid to the mobile search at first

My search page is now serving articles under the search bar what the gently caress

cr0y
Mar 24, 2005

i am a moron posted:

It’s working fine for me except

My search page is now serving articles under the search bar what the gently caress

Same, it was breaking in a veryyyy weird way. Like only returning sponsored results and news articles and video links.

bonus outage graph vs promoted tweet

spankmeister
Jun 15, 2008

Hey is the network down? The internet isn't loading!

cr0y
Mar 24, 2005

spankmeister posted:

Hey is the network down? The internet isn't loading!

Well I noticed it right when I was in the middle of rewiring my home network/server closet as well as tinkering with my network wide ad filtering and a ton of other stuff so my first thought definitely wasn't "Google is broken"

Famethrowa
Oct 5, 2012

most of the really fun flipper stuff seems to require a board attachment which is a small bummer.

namlosh
Feb 11, 2014

Famethrowa posted:

most of the really fun flipper stuff seems to require a board attachment which is a small bummer.

Can’t look right now, but like what? Curious what the more fun uses of this device are

Famethrowa
Oct 5, 2012

namlosh posted:

Can’t look right now, but like what? Curious what the more fun uses of this device are

you can do some wifi/Bluetooth fuckery with an ESP32 board: deauth attacks, packet capturing, password cracking.

obviously there are better purpose-built professional tools but it's not bad for teaching yourself a whole suite of fun tricks.

e. should mention it's a custom firmware as well. I think they try to keep plausible deniability with wifi especially.

Famethrowa fucked around with this message at 22:48 on Apr 19, 2023

ghostinmyshell
Sep 17, 2004

Anyone use Keeper before? It showed up in someone's list and we're doing a demo on it.

App13
Dec 31, 2011

I used it at my last gig. Not going to lie, I did not care for the ownership/sharing options. Fine for individual use

ghostinmyshell
Sep 17, 2004

Yeah, I'm getting nervous about this already when they said if X leaves the company just transfer it!

Sickening
Jul 16, 2007

God drat AWS, it's 2023, can we get some basic "export to CSV" for all of your security services' findings? The fact that you still expect your customers to set up these god-awful workflows of SNS and Lambda to export findings to a CSV is loving pathetic.
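The export itself is a few lines once the findings are in hand, which is the frustration above: the hard part is the pipeline, not the CSV. This added example (not AWS code) flattens findings in the JSON shape that the Security Hub `get_findings` API returns, `{"Findings": [...]}` in the AWS Security Finding Format, into CSV locally. The two findings are constructed placeholders, and the column list is this example's own choice.

```python
"""Flatten Security Hub findings (ASFF JSON as returned by get_findings) to CSV
locally. Added example, not AWS code; the findings below are constructed
placeholders and the column selection is this example's own."""
import csv
import io

# Constructed findings in ASFF shape (account id and resources are placeholders).
SAMPLE_RESPONSE = {"Findings": [
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:finding/example-1",
     "AwsAccountId": "111122223333", "Region": "us-east-1",
     "Title": "S3 buckets should block public access",
     "Severity": {"Label": "HIGH", "Normalized": 70},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
     "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
     "RecordState": "ACTIVE", "UpdatedAt": "2023-04-20T10:00:00Z"},
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:finding/example-2",
     "AwsAccountId": "111122223333", "Region": "us-east-1",
     "Title": "IAM root user access key should not exist",
     "Severity": {"Label": "CRITICAL", "Normalized": 90},
     "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
     "Compliance": {"Status": "PASSED"}, "Workflow": {"Status": "RESOLVED"},
     "RecordState": "ARCHIVED", "UpdatedAt": "2023-04-19T09:00:00Z"},
]}

# Dotted paths into a finding; "Resources" is a list and is joined specially.
COLUMNS = ["Id", "AwsAccountId", "Region", "Title", "Severity.Label",
           "Compliance.Status", "Workflow.Status", "RecordState", "Resources",
           "UpdatedAt"]


def get_path(obj, path: str):
    """Follow a dotted path through nested dicts; missing keys become ''."""
    for part in path.split("."):
        if not isinstance(obj, dict):
            return ""
        obj = obj.get(part, "")
    return obj


def flatten(finding: dict) -> dict:
    """One CSV row per finding; resource ids are joined with ';' in one cell."""
    row = {col: get_path(finding, col) for col in COLUMNS if col != "Resources"}
    row["Resources"] = ";".join(r.get("Id", "") for r in finding.get("Resources", []))
    return row


def findings_to_csv(response: dict, active_only: bool = True) -> str:
    """CSV text of the findings; by default only ACTIVE, unresolved ones."""
    rows = []
    for f in response.get("Findings", []):
        if active_only and (f.get("RecordState") != "ACTIVE"
                            or get_path(f, "Workflow.Status") == "RESOLVED"):
            continue
        rows.append(flatten(f))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(findings_to_csv(SAMPLE_RESPONSE))
```

With boto3 you would collect the pages of `securityhub.get_findings(...)` (following `NextToken`) into one `{"Findings": [...]}` dict and pass it to `findings_to_csv`; no SNS topic or Lambda is involved. Keeping the filter in the exporter rather than in the query means an auditor can re-run it with `active_only=False` to see the archived history from the same pull.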


wargames
Mar 16, 2008

Sickening posted:

God drat AWS, it's 2023, can we get some basic "export to CSV" for all of your security services' findings? The fact that you still expect your customers to set up these god-awful workflows of SNS and Lambda to export findings to a CSV is loving pathetic.

are you forgetting aboot AWS Athena, or Kinesis Firehose, or one of the 30 other products?
