Cybersecurity & Hacking Thread

The origins of the hacker community:
lospadres.info/thorg/lbb.html

Linux:
Intro to Linux tldp.org/LDP/intro-linux/html/index.html

Linux/Bash:
Bash Beginners Guide tldp.org/LDP/Bash-Beginners-Guide/html/index.html
Advanced Bash Scripting tldp.org/LDP/abs/html/index.html

Linux/Kernel:
The Linux Kernel tldp.org/LDP/tlk/tlk.html
Linux Kernel 2.4 Internals tldp.org/LDP/lki/index.html

Pentesting:
HTB tutorials youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Hack The Box hackthebox.eu
Vulnerable By Design vulnhub.com

Reverse Engineering:
Reverse Engineering for Beginners beginners.re
Reverse Engineering Challenges challenges.re

Cryptography:
Matasano Cryptanalysis Challenges cryptopals.com

Misc:
OverTheWire overthewire.org/wargames/

Is this the new /hmg/?

Probably, shame all of Jow Forums are just larpers who can't into security.
At best we have the programmers' thread, but there is almost fucking no one who dabs in security.

Is there a better community you would rec? I fuck with HN but it's a bit less inviting/conversation based.

Unfortunately no, I am just beginning to dab into security as well.

>do computer science really well
>also do reverse engineering really well
>I know next to no other reverse engineers
>everyone that learns that I'm very good at reverse engineering for malware analysis and game modding and protocol mapping always approaches me with "WHERE DO I START" shit

are reverse engineers just fucking unicorns or something

it feels like any reverse engineer can approach a popular game and chances are they are literally the only one doing it

I'd love to get into a CS/Programming/InfoSec IRC channel

how to hack US government?

>reverse engineering
I know that you are complaining about it, but...
Any tips on starting it?
I've always had an interest in RE and pentesting.
Me too, there probably are other good forums for sec, but like the other user said, they aren't as conversation based as Jow Forums. Shame that security is so unpopular on Jow Forums.

ugh fine

just go here


0x00sec.org/

that goes for all of you, this is a community just for reverse engineering and cyber sec and shit

>connection not safe
I will access from my secure VM just to make sure.
Thanks for the tips user, the site seems real interesting.

hey interesting, thanks for sharing.

oh cool a new /hmg/ that's just as dead as the old one

Unfortunately Jow Forums is made of larpers.

Jow Forums is full of basic-ass consumerism during the day.
Maybe at night you'll have better luck, but also because these topics require some actual technical knowledge.

you're better off just joining

I was wondering, is "cracking" programs considered reverse engineering?
What are some practical uses of Reverse engineering aside from cracking programs?

I'm supposed to hack into a certain website using a bot to brute force it, log in and log out 50 times.

I found the password, but now whenever I try to log in I'll get spotted as a bot after the 10th successful login. The thing is, even when I type this shit manually they flag me as a bot. At first I thought they stored cookie data or something, but it's the same when I switch browsers, switch operating systems, switch OS and use a VPN, change IP address, and change IP address and use a different machine.

So I'm guessing they actually block you from logging in ten times with the same signature, and I have no idea how to bypass that.

Here's the link btw : challenge.flinks.io
username and password are both "2222"

Is SHA-256 still secure if I don't use salts? From what I have heard and read there haven't been any collisions.

Maybe there is a timer?
Like, 10 logins under 30 mins will get you blocked.

It's possible, but I'm pretty sure if you stay idle for too long your ID is cleared out.

AMD reverse engineers games based on Nvidia GameWorks to optimise driver performance with them, because they don't have access to the source code.

>amd
Now that you talked about it, would it even be possible to reverse engineer a piece of NVIDIA hardware and make my own video card?

No.

Did you try random user agents?

get a twitter account

How do I know I fully understand Metasploit?
I did all the exploits in the Metasploitable exploit guide.

Obscure your browser fingerprint and useragent user

>Obscure your browser fingerprint and useragent user
How?

>browser fingerprint
>Browser fingerprinting is a powerful method that websites use to collect information about your browser type and version, as well as your operating system, active plugins, timezone, language, screen resolution and various other active settings.
What the fuck, how did I not know that? Where did I sign to allow this bullshit?

By sending a custom useragent and using settings that aren't unique.

>sec thread
Are tempmails worth using?
What are their utility aside from avoiding spams?

do you mean using it, or the software's internals?

>hackthebox writeups
>"penetration tests with nessus"
>merch begging
>vip status
>desktop/battlestation threads

If you think Jow Forums is full of LARPers, public infosec/hacking communities are absolutely overrun. Pretty much every large public security community has been totally overrun with n00bs, n00bs pretending to know shit, and zoomer types who just want to socialize. Many Hats Club? Thug Crowd? Yes, 0x00sec too. Pretty much all of them are shit larping social clubs.

If you have an M.S. in computer engineering, sure.

the LARP never stops, the LARPers just get more serious

>All the world's a LARP, And all the men and women merely LARPers; They have their exits and their entrances, And one man in his time plays many parts, His acts being seven ages.

I don't want to be just a script kiddie, I want to understand pentesting, though I think just doing the exploits listed in the guide doesn't even qualify me as a script kiddie.

Anons, please keep the thread alive, I am gonna sleep but as soon as I get up I will study all that shit.

Always, always use salts. Collisions are not the concern. Salting means hackers can't brute force commonly used passwords against your hashes without actually hashing, meaning they can compare hundreds of thousands of password hashes in seconds to find a match.
Further than this, though, don't roll your own crypto shit in general. People have already spent countless hours creating libraries of secure crypto implementations; use those for all purposes outside of pure education.
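An added illustration of the salting point above (not code from the thread; the users, passwords and candidate list are constructed): one precomputed table of SHA-256(candidate) matches every unsalted user at once, while a per-user salt makes that table useless and forces one hash per user per candidate. Plain SHA-256 is used only to show the salt's role; real password storage uses a library KDF over the salt.

```python
"""
Unsalted vs salted password hashes: why one precomputed table cracks every
unsalted account in a single pass, and why a per-user salt stops that.
All users, passwords and the candidate list below are constructed for the demo.
Plain SHA-256 stands in for the hash; production code uses a library KDF
(hashlib.pbkdf2_hmac, scrypt, argon2) with a salt and a work factor.
"""
import hashlib
import os

# Constructed user database: two users share a weak password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse", "dave": "letmein"}
# Constructed list of commonly used passwords the attacker hashes once, up front.
COMMON = ["123456", "password", "hunter2", "letmein", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_unsalted(users):
    """hash = SHA-256(password): identical passwords produce identical hashes."""
    return {u: sha256_hex(pw.encode()) for u, pw in users.items()}


def store_salted(users, salt_bytes=16):
    """hash = SHA-256(salt || password) with a fresh random salt per user, stored next to it."""
    out = {}
    for u, pw in users.items():
        salt = os.urandom(salt_bytes)
        out[u] = (salt, sha256_hex(salt + pw.encode()))
    return out


def precomputed_attack(unsalted_db, candidates):
    """Build hash(candidate) -> candidate once, then do one dictionary lookup per user.
    Cost: len(candidates) hashes in total, no matter how many users there are."""
    table = {sha256_hex(c.encode()): c for c in candidates}
    return {u: table[h] for u, h in unsalted_db.items() if h in table}


def precomputed_attack_vs_salted(salted_db, candidates):
    """The same precomputed table against salted hashes: nothing matches, because the
    table was built without each user's salt."""
    table = {sha256_hex(c.encode()): c for c in candidates}
    return {u: table[h] for u, (_salt, h) in salted_db.items() if h in table}


def per_user_attack(salted_db, candidates):
    """With salts the attacker must recompute hash(salt || candidate) per user: the cost
    becomes len(users) * len(candidates) hashes, and a slow KDF multiplies it further."""
    cracked = {}
    for u, (salt, h) in salted_db.items():
        for c in candidates:
            if sha256_hex(salt + c.encode()) == h:
                cracked[u] = c
                break
    return cracked


if __name__ == "__main__":
    print("unsalted, precomputed table:", precomputed_attack(store_unsalted(USERS), COMMON))
    salted = store_salted(USERS)
    print("salted, precomputed table  :", precomputed_attack_vs_salted(salted, COMMON))
    print("salted, per-user hashing   :", per_user_attack(salted, COMMON))
```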

Hacking a cute gf~

Say I have a simple cipher using the following scheme:

C = k1 ^ Enc( k2, P )

In other words, a plaintext block is encrypted with key k2 and the result is XOR'd over key k1. k1 and k2 are not necessarily the same length. Say k1 is m-bits and k2 is n-bits.

Two plaintext/ciphertext block pairs are known and the encryption function is known. Find k1 and k2.

What does a meet-in-the-middle approach on this scheme look like? Does it even store anything? Are both PT/CT pairs necessary? I believe I have a solution that's worst case O(2^(m+1)) time with constant space, but that wouldn't be a MITM, would it?
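An added worked example for the two-key scheme above (not code from the thread), using toy 16-bit k1 and k2 and a constructed SHA-256-based stand-in for Enc: the classic meet-in-the-middle with a table over k1 is shown beside the form it collapses to for this scheme, since the XOR layer makes the k1 side a bijection, so the first pair fixes k1 for each k2 guess and the second pair does the filtering.

```python
"""
Meet-in-the-middle key recovery for C = k1 ^ Enc(k2, P), with toy sizes so it runs
in seconds: k1 and the block are M_BITS wide, k2 is N_BITS wide.
Enc is a constructed placeholder keyed function; any block cipher with a known
algorithm plays the same role, because the attack only ever runs Enc forward.
"""
import hashlib

M_BITS = 16   # width of k1 and of one block (m in the thread's notation)
N_BITS = 16   # width of k2 (n in the thread's notation)


def toy_enc(k2: int, p: int) -> int:
    """Placeholder for Enc(k2, P): deterministic, key-dependent, M_BITS-wide output."""
    data = k2.to_bytes(N_BITS // 8, "big") + p.to_bytes(M_BITS // 8, "big")
    return int.from_bytes(hashlib.sha256(b"toy-enc:" + data).digest()[: M_BITS // 8], "big")


def encrypt(k1: int, k2: int, p: int) -> int:
    """The scheme under study: encrypt the block with k2, then XOR the result with k1."""
    return k1 ^ toy_enc(k2, p)


def mitm_table(pairs):
    """Textbook MITM shape: enumerate k1 into a table, then enumerate k2 and look up.
    Time O(2^m + 2^n), space O(2^m)."""
    (p1, c1), rest = pairs[0], pairs[1:]
    # Table: the value Enc(k2, p1) must take for a given k1  ->  that k1.
    # Because k1 ranges over the whole block space, every 16-bit value is a key of this
    # dict, so every k2 guess "meets" some k1 and the remaining pairs do all the filtering.
    middle = {c1 ^ k1: k1 for k1 in range(1 << M_BITS)}
    found = []
    for k2 in range(1 << N_BITS):
        k1 = middle[toy_enc(k2, p1)]
        if all(encrypt(k1, k2, p) == c for p, c in rest):
            found.append((k1, k2))
    return found


def mitm_direct(pairs):
    """The same attack without the table: XOR with c1 is a bijection, so the table above
    is just the identity map k1 = c1 ^ x. Time O(2^n), space O(1): the store side vanishes."""
    (p1, c1), rest = pairs[0], pairs[1:]
    found = []
    for k2 in range(1 << N_BITS):
        k1 = c1 ^ toy_enc(k2, p1)                          # first pair pins k1 for this k2
        if all(encrypt(k1, k2, p) == c for p, c in rest):  # second pair rejects false matches
            found.append((k1, k2))
    return found


# Constructed demo keys and plaintexts (not from any real system).
TRUE_K1, TRUE_K2 = 0xBEEF, 0x1234
PLAINTEXTS = [0x4142, 0x4344]
PAIRS = [(p, encrypt(TRUE_K1, TRUE_K2, p)) for p in PLAINTEXTS]

if __name__ == "__main__":
    # With m = n = 16 a second pair leaves about one false candidate on average
    # (2^n wrong k2 values, each surviving with probability 2^-m); a third pair removes it.
    print("table form :", [(hex(a), hex(b)) for a, b in mitm_table(PAIRS)])
    print("direct form:", [(hex(a), hex(b)) for a, b in mitm_direct(PAIRS)])
```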

plug dick into usb port
begin hax0ring it

>tfw no hacker gf
JUST

great if you need to register for a website and you don't want to give the site your actual email. helps with downloads and other things as well as temp forum accounts. probably used to create social media bots. lots of temp email services allow you to create your own email address so in theory you could use the same email for actual long term website accounts and just type the email address in every time. that's not very secure though.

exploits aren't hacking. you need to practice the stuff listed in OSCP so you can break into systems without using exploits. hacking is complex and requires a lot of knowledge.

What are timezones?

This never works because time spent talking is time not spent learning.

go aircrack some wifi networks and try to penetrate machines

only your own wifi networks and your own machines of course

How to get into cybersecurity in the UK?

>How to get into cybersecurity in the UK?
the same way as in any country

Go RE WOW's current x64 client, dump it and fix the IAT +obfuscation fuckery and release it.

Yes.

The /Sec/ FAQ has info specifically on the UK.

Thank you

God, I wish I knew cryptography so I could help you.
Does anyone know a good book about cryptography?

>so you can break into systems without using exploits
Wait, is that a thing?
I thought you could only invade systems by exploiting the vulnerabilities of said system?

Most of the "breaking into" work is just social engineering now.

>social engineering
Fuck, I have social anxiety, I will have trouble with that shit.

Well, you can still become the pentester that does the OWASP checklists and asks for the money. But as far as I know the biggest "hacks" in history started with some phishing; the last big robbery of my country's bank started with a well-planned email, and only once they were inside could they do like 6 months of pivoting to get the cash.

How do people fall for it?
I thought companies were stepping up the security awareness of their employees.

>How do people fall for it?
No idea, the target was probably some stubborn old lady that won a prize or something like that.
Which reminds me that I wanted to try some phishing emails to see if I could get some easy cash.

OSCP is pentesting, ie identifying exploits and using them. it's not exploit generation except for 1 buffer overflow problem on the final test

The Discords I've seen are just basically drama fests. If you show your power level at all then you are overwhelmed with "gib hint for HTB" or spend your time calling out people who can't tell you what ctrl/alt/del does.

Adding to this, when someone does ask an actual question they are bullied. When Jow Forums is a more welcoming and understanding community, you know the Discords are shit.

It's sad.

He's an idiot. He's saying you want to be able to do it without using public exploits (i.e. Making your own) but huge chunks of the OSCP is about finding, modifying, and using public exploits.

I'd hazard that most people who post here have been here a while, or emulate the manners of those who have, so basically we're mellowed out compared to the vocal teenagers who frequent discord, since discord is the new cool place

There's a new generation of channer and a bit of a culture clash between them and the people who have been here. The zoomers here behave as they do on every other site on the internet. They make 1-3 word replies with memes and never say much else. They act like if anyone types out more than that they wrote a fucking novel. Since they're all phone posters they assume it's hard to create or consume text based content. Despite this they think they're experts on anything and everything they watched a youtube video about.

OP, that twitter screencap is comedy gold, thanks for the laughs

My fucking manager, the "IT director", owns his own IT business and makes bank, but has to watch a YouTube tutorial every time he sets up a VPN... don't get me wrong, I do as well, but I don't demand a 6 figure salary.

>jealous of what someone older and with more experience

Then do something about it instead of bitching. If you think you are so fucking "deserving" then ask for it.

I think you'll be surprised at how little entitled little shits like you are really worth.

test

Wanted to get into pentesting. Been a Linux user for about a year, don't know anything past that. Where should I start as a beginner, lads?

>Does anyone know a good book about cryptography?
The AEL has a collection but be prepared to download a total of 501 GB of stuff.

OP pic related goes for any degree. You can learn that shit online for free, but without a degree nobody is going to take you seriously in high end fields. They want the person that spent 4 years getting a degree, got nearly straight As, took internships and apprenticeships, and has experience.

It's the same as being able to learn law online, but not being able to be a licensed attorney by just passing the bar. Or learning medicine online but not being able to be a pharmacist. There's no proof of what you know, there's no guarantee. Even with work experience you could be coasting on bullshit, which wouldn't fly in other professions.

Person could just be having a shitty day and make a mistake

It could be a really good phish: clean reproduction of some form w/ no spelling mistakes, relevant to something recent the company/person did, url is not obviously suspicious, from a trusted/look-a-like account somewhere else

Honestly it's an art and companies will never be ahead of the state-of-the-art

OSCP, HTB, vulnhub, abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob

>501 GB
>of books
What the fuck, how many books are there, one million?

I don't know, I haven't downloaded it. I heard the index file in plain text alone is 2 MB in size. This is gargantuan.

How do I make sure I am not being scanned every time I access a website?
Ever since I discovered HTML5 canvas and fingerprinting I got paranoid.

Bros, I am studying Metasploit RIGHT NOW.
I am following the guide on invading Metasploitable.
But what do I do after I learn all these exploits?
What is the next step?

check out amiunique.org/ and find that you're absolutely screwed no matter what you do...
The only way to prevent most of it is to use NoScript, but that breaks most websites and makes you even more unique, so yeah... that's a huge issue currently no one really has an answer to.

Seems like laptop and using public/stolen wifis is the way to go then?
Would that even work?

>user complains about fingerprints
>user tells him to go to a website which is made solely to get your fingerprint

>don't roll your own crypto
anyone remotely interested in cryptography, numero fuckin uno right here.
>don't roll your own crypto
>don't roll your own crypto
seriously

I don't think you understand how browser fingerprinting works
the solution you're proposing is effective if you're trying to hide from IP profiling only, which isn't an issue since 1. no one uses this technique anymore (because) 2. most people have dynamic IPs anyway (think mobile devices), so IPs are not reliable for the companies/actors you're trying to hide from. (IPv4 only)
the issue with browser fingerprinting is that you can be tracked even when you change your IP frequently since it's checking canvas size, WebGL renderer, readable cookies, etc... these together create the fingerprint that identifies you.

everyone's being tracked everywhere anyway, at least they're showing you exactly what they track

>>don't roll your own crypto
Why?
Wouldn't your own crypto, whose inner workings no one knows, be the best?

So not even running everything inside a VM can save me?
I-I guess we're finally cyberpunk now

this only makes sense at first thought...
resources.infosecinstitute.com/the-dangers-of-rolling-your-own-encryption/

well yeah basically
The only thing we can do now is to do our best to not be unique in our fingerprints but that is harder than it seems actually..
I'm just waiting for someone to create a browser extension that automatically feeds websites the currently most used identifiers.
that, right now, would be the only way in my opinion

surprised I haven't and glad I don't run into those people. 4chin has its share of issues, but it's irrefutable that its name alone is a decent deterrent (heard its mention on campus in person, "dude stay away from there, Jow Forums's a cult!"). Couple that with its increasingly archaic presentation and barrier-of-entry mannerisms and you've got places like HN and here being the best places to start with topics like these despite the low popularity, if only for the sake of lower concentrations of larpers and flakies.

For sure. It's a scrap of paper, but it's a ticket for admission. Stay in school guys, self-taught devs can get jobs but that's not in the security sector and similar areas.

Well I mean, it ultimately boils down to getting someone to click a link. Hell, you could forgo the interaction entirely and go full dispersal; leave a shitton of usbs of whatever you want to inject everywhere. Statistically, there will be people curious/stupid enough to straight up plug them in without complaint. And if we want to get into just how easy social engineering can theoretically be, give your coworkers/project partners storage media containing "contributions" on the current assignment or straight-up "oh you're going to the bathroom? Here let me type in a cool idea I got on your computer".
Not the brightest ideas, mind, but we're just talking about how the slightest bit of effort can constitute gaining access.

try changing your mac addr and ip as well between attempts - if you can't change the ip at least change the mac addr

unless you're a prodigy, the chances of you rolling something legitimately amazing are close to nil.
>related anecdote: thought what I wrote was hot fucking shit, turns out I was the ten millionth person to invent ROT13
when coming up with potential forms of encryption, it's very easy to think that what you have is uncrackable when the existing knowledge at work is superficial.
it's practically on the same plane as basic programming: have you ever written a program that hasn't been crashed or bugged by another person's usage? Now times that by multitudes as you release it into the wild, except with the additional layer that people who do break through aren't exactly enthused about telling you your encryption is weak.
if you're talking about hiding your plaintext personal diary or something that's only stored locally, sure, use what you personally wrote. Industry and mission critical use? Use Einstein's proven works instead of something you wrote on a napkin.

Since the nsa broke aes 256 which cryptography should use now?

I'm not a professional, but pretty sure there's only a handful of algorithms cleared for legal use by the NSA (obvious reasons). csec is all about limiting the attack surface of your own materials while trying to find chinks in others' armor, nothing is impenetrable, as the three letter agencies have proven many times.
to answer your question with my limited knowledge, AES is still functionally viable. It's unlikely that what you're encrypting will be broken and those with the capacity to do so, would do so regardless if they so decided.
and if your secrets are so pivotal that the NSA finding out would ruin you, y u posting on the chans

mac address is layer 2 and doesn't get sent to websites. typical filters are: time based for username, ip address, user agent, cookie, session token. some sites use more complex fingerprinting things that require javascript.

As a teen I used to 'hack'. I can't imagine being in that space professionally. It's all scammers. You cannot solve a human problem with technical solutions.

>They want the person that spent 4 years getting a degree, got nearly straight As, took internships and apprenticeships, and has experience.


My classmate got a 2.9 after five years and managed to get into grad school and got a job at Okta with a six figure salary. I got through interviews fairly easily before even graduating.

I think Jow Forums likes to make excuses.

In parts there is probably some influx of Gen Z people, who are said to be a rather different kettle of fish from Gen Y. In this specific case, I guess many in this thread are regular /cyb/ posters, which is probably the most comfy general on Jow Forums.

>surprised I haven't and glad I don't run into those people.
Like any city Jow Forums has good and bad parts. Generally both Jow Forums and /sci/ have knowledgeable people around.

>4chin has its share of issues, but it's irrefutable that its name alone is a decent deterrent (heard its mention on campus in person, "dude stay away from there, Jow Forums's a cult!").
That probably misses the target. The Jow Forums cliche is that the majority has Asperger's, while Reddit is home for the ADHD crowd. The cultures are very different.

>Couple that with its increasingly archaic presentation and barrier-of-entry mannerisms and you've got places with HN and here being the best places to start with topics like these despite the low popularity if only for the sake of lower concentrations of larpers and flakies.
If archaic interfaces were the sole key I guess Usenet News would win, hands down. These days it is pretty quiet.

Also depends on what colleges.
>tfw trying to get into UC
mm, could have sworn I had more hair.

lonely is the night

Newbie here, does HN stand for Hacker News or is there any other HN I am missing out on?

I actually like how slow sec threads are, at least we don't have retards here with their ironic shitposts

>interest in sec and in pentest
>in reverse engineering
>in coding
>but also love my games and animes
Bros, I don't have enough lives for all my interests, FUCK