/cyb/ + /sec/ - Cyberpunk/Cybersecurity General

/cyb/ + /sec/ - CYBERPUNK/CYBERSECURITY GENERAL
Previous threads: [ archive.rebeccablacktech.com/g/search/text//cyb/ /sec//type/op/ ]
THE CYPHERPUNK MANIFESTO: [ activism.net/cypherpunk/manifesto.html ]

- - - - - -

/cyb/erpunk [6 April 2019]
The Cyberpunk Manifesto: [ project.cyberpunk.ru/idb/cyberpunk_manifesto.html ]

The alt.cyberpunk FAQ (V5.24) [ ftp://collectivecomputers.org:21212/Books/Cyberpunk/Alt_Cyberpunk_FAQ_V5_preview24.htm ]
What is cyberpunk?: [ pastebin.com/pmn9vzWZ ]

Cyberpunk directory (Communities/IRC and other resources): [ pastebin.com/AJYry5NH ]
Cyberpunk media (Recommended cyberpunk fiction): [ pastebin.com/Dqfa6uXx ]

The cyberdeck: [ pastebin.com/7fE4BVBg ]

- - - - - -

/sec/urity [XX XXXXXXXXX 20XX]
The Crypto Anarchist Manifesto: [ activism.net/cypherpunk/crypto-anarchy.html ]
The Hacker Manifesto: [ phrack.org/issues/7/3.html ]
The Guerilla Open Access Manifesto: [ archive.org/stream/GuerillaOpenAccessManifesto/Goamjuly2008_djvu.txt ]

The /sec/ Career FAQ (V1.9) [ ftp://collectivecomputers.org:21212/Books/Cyberpunk/Security/sec_FAQ_V1_Preview9.htm ]

Why Privacy Matters: [ youtube.com/watch?v=pcSlowAhvUk ]
"Shit just got real": [ pastebin.com/rqrLK6X0 ]

Cybersecurity basics and armory: [ pastebin.com/rMw4WbhX ]
Endware: [ endchan.xyz/os/res/32.html ]
BBS archives: [ textfiles.com/index.html ]

Reference books (PW: ABD52oM8T1fghmY0): [ mega.nz/#F!YigVhZCZ!RznVxTiA0iN-N6Ps01pEJw ]
Additional reading: [ ftp://collectivecomputers.org:21212/Books/Cyberpunk/ ]

- - - - - -

OP Post: [ pastebin.com/8Hk5Ks7h ]



/cri/ + /nge/ - Cringe General


california english

ded

Yesss! I missed you guys!

Remember the backup archive at ftp://50.31.112.231/pub


No idea if rebeccablacktech has an api (would be nice to know if they did), so for now I scraped the /cyb/ archives and created Jow Forums-style json files compatible with my wip terminal client. if anyone is interested in them:

mega.nz/#F!Xa5RFaQD!WpUnSypj8QDkYp6_iousPg

Attached: eyeconnect_sample2.png (564x514, 20K)

Pretty cool. Can you process them with a regular or text browser, like w3m?

I got a free subscription to lynda from my college. They have some good videos on there. Unfortunately most need to pay to see them. That's lame. I downloaded one of their beginner courses on networking. If people are interested I can grab more. Could add them to the pastebin or something.

mega.nz/#!dNtQWSRK!XeJEOgMQqWkb1U1IC1u-ZIei4LlqjHJaEIWPAiBmENE

BASED OP, ALWAYS POST THIS

definitely interested, would be much appreciated m8

What is the difference between command shell payloads and meterpreter payloads?
They both use CLIs, I get it that meterpreter is fileless and has more features, but aside from that what is the difference? Also, why do command shell exploits exist when meterpreter exists?

I second God bless your soul

How do I XSS a react textbox form?

We really are ded uh...?

by figuring out how to bypass their filters?

Also remember AEL:

Do you mean to ask what's the difference between a msfconsole shell and a msfconsole meterpreter? A msfconsole shell is just a network tunnel that connects directly to the system shell. A meterpreter handles a lot more things, such as the "sysinfo" command, which will output info on the system despite what OS you are running, or the "download" and "upload" commands for example. I think the direct shell option exists just because it would be less likely to set off alarm bells to the AV, but I could be wrong (even though everything in msf sets off the AV).

I am currently writing a web based framework for pentesting collaborations.
It currently has (or will have) these features:
- chatting
- graph to display cve's and their severity
- nmap scan + results
- dir scan for websites
- nikto scan
- exploit search
- shellcode search

Does anyone have any ideas on what else I should add to it? Would people use it?

pic related is it so far (css is a work in progress)

Attached: pentest_framework.png (1906x933, 83K)

=== /sec/ News:
>New Release: Tor Browser 8.5
blog.torproject.org/new-release-tor-browser-85
Note:
>There are bug reports about WebGL related fingerprinting which we are investigating. We are currently testing a fix for the most problematic issue and will ship that in the next point release.

Sounds completely useless. You're just making a crappy C2 server except without the control part.

SFTP please

Not really, it provides a good way for pentesters to collaborate on a project, and share findings. It has no relation to C&C's.

Yes please. Do you have a server you can volunteer?

>even though everything in msf sets off the av
So is metasploit useless? I thought you could evade the AV with encoding techniques.

AV works on comparing hashes of software on the machine to previously found malware. All of the msf payloads hashes have already been stored by good AV's, including the payloads after encoding.
MSF is alright for automating the exploitation phase itself, but it's not good for actually generating reverse shell payloads. You should just use small reverse shells, and connect to them with nc. pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

That being said, msf is fine if you are just doing a ctf or something (but you still may as well learn how to do it without any tools)

I see, I guess that's why OSCP needs you to learn to do pentesting without metasploit.
But does this apply to dynamic payloads as well?

=== /sec/ News:
>Huawei Executive Accused of Helping Steal Trade Secrets (theverge.com)
yro.slashdot.org/story/19/05/22/2212232/huawei-executive-accused-of-helping-steal-trade-secrets
>The Journal quotes a newly released hearing transcript that offers some details in a largely locked-down trial. According to its write-up, CNEX claims that Xu -- one of Huawei's rotating chairmen -- "directed a Huawei engineer to analyze Cnex's technical information." The engineer then allegedly posed as a potential CNEX customer to obtain details about its operations. CNEX also says that Xu was briefed on a plot to surreptitiously gather information from Xiamen University, which had obtained a computer memory board from CNEX. According to the Journal, Huawei lawyers admitted that Xu had been "in the chain of command that had requested" information about CNEX, but they denied that any trade secrets had been stolen.

Everything leaks - and ends up in China.

What do you mean by dynamic payloads?

/cyb/ Movies:
>The Machine (2013)
>Johnny Mnemonic (1995)
>The Matrix (1999)
>Chappie (2015)
>Elysium (2013)
>Virtuosity (1995)
>The Lawnmower Man (1992)
>Lawnmower Man 2: Beyond Cyberspace (1996)
>The Terminator (1984)
>Blade Runner (1982)
>TRON (1982)
>TRON: Legacy (2010)
>Escape from New York (1981)
>Escape from L.A. (1996)
>Rollerball (1975)
>RoboCop (1987)
>Nirvana (1997)
>Transcendence (2014)

/sec/ Movies:
>Sneakers (1992)
>The Net (1995)
>Takedown (2000)
>The Fifth Estate (2013)
>Blackhat (2015)
>Enemy of the State (1998)
>Hackers (1995)
>WarGames (1983)
>WarGames: The Dead Code (2008)
>Swordfish (2001)

Jow Forums Movies:
>Disconnect (2012)
>Antitrust (2001)
>Pirates of Silicon Valley (1999)
>Office Space (1999)
>Her (2013)

/cyb/ Documentaries:
>The Cyberpunk Educator archive.org/details/cyberpunkeducator
>The Internet's Own Boy: The Story of Aaron Swartz (2014)
>RiP: A Remix Manifesto (2009)
>TPB AFK: The Pirate Bay Away from Keyboard (2013)
>The Net - The Unabomber, LSD and the Internet (2003)

/sec/ Documentaries:
>Hackers: Wizards of the Electronic Age (1984)
>Hackers Wanted aka Can You Hack It (2009)
>New York City Hackers (2000)
>We Steal Secrets: The Story of WikiLeaks (2013)
>Citizenfour (2014)
>Terms and Conditions May Apply (2013)
>All Watched Over by Machines of Loving Grace (2011)
>Snowden (2016) [Biopic?]
>Zero Days (2016)

Jow Forums Documentaries:
>The Code (2001)
>Revolution OS (2001)
>BBS: The Documentary (2005)
>Get Lamp (2010)
>From Bedrooms to Billions (2014)

Series:
>Dark Angel (2000)
>Person of Interest (2011)
>The Expanse (2015)
>Mr. Robot (2015)
>Altered Carbon (2018)

information.rapid7.com/dynamic-payloads-for-av-evasion.html

>exploits use open ports to execute code to give access to the target machine
>payloads give you a shell session
But don't you need a shell session to run commands? How do the exploits (which come before payloads) do this then?

wrong link my bad

ok i am a retard i forgot to post the right link youtube.com/watch?v=1LZCb4HJlkI

>But dont you need a shell session to run commands?
usually, yes. But let's say a webserver is running some script that doesn't sanitize user input, an attacker might be able to subvert its flow and inject shell commands.
Also look into shellshock exploit.
Another scenario is where you buffer overflow some service and get to run a shellcode that might give you direct shell, reverse connect, adduser, download n execute, or any other kind of useful evil command.

>How do the exploits(which come before payloads) do this then?
Aleph One - "Smashing the Stack for Fun and Profit" is a good start. Things evolved since then but you get an idea of what's going on. Then there's plenty of similar, like heap overflow, off by one, null pointers
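
The unsanitized-input case described in the post above, shown from the defender's side as an added example (not part of the original thread). `echo` stands in for whatever system tool the web script would call, and the function names and sample input are constructed for illustration.

```python
import re
import subprocess

# Constructed scenario: a web handler passes a user-supplied hostname to a
# system command. `echo` replaces the real tool so this runs offline.


def lookup_vulnerable(host: str) -> str:
    """The bug: user input is concatenated into a shell command line."""
    result = subprocess.run("echo lookup " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_argv_only(host: str) -> str:
    """No shell: the value is one argv element, so ';' is just a character."""
    result = subprocess.run(["echo", "lookup", host], shell=False,
                            capture_output=True, text=True)
    return result.stdout


# Allow-list: only characters valid in a DNS name, starting and ending with
# a letter or digit (so the value can never look like a command option).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def lookup_hardened(host: str) -> str:
    """Validate against the allow-list first, then run without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected hostname: %r" % host)
    return lookup_argv_only(host)


if __name__ == "__main__":
    sample = "example.com; echo INJECTED"   # constructed input
    print("vulnerable:", repr(lookup_vulnerable(sample)))
    print("argv only :", repr(lookup_argv_only(sample)))
    try:
        lookup_hardened(sample)
    except ValueError as exc:
        print("hardened  :", exc)
    print("hardened  :", repr(lookup_hardened("example.com")))
```

The vulnerable version returns two lines of output because the shell ran a second command; the argv-only version returns the input as one literal string, and the hardened version rejects it before anything is executed.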

hello retarded larpers
does mommy know this is what you're using your computer for?

People who frequent these threads are pentesters (or people who want to be), not muh haxx0rs

OSCP exam next Saturday.

faggot larp general

whatever you say kid

>page 9
bump


Any news from KMS (knowledge management system) user?

Ok, I am really starting now, having my fun on metasploit with metasploitable (though I know my journey will get way harder, I don't even know assembly yet), but is there any way to specify which payloads/exploits/nops/auxiliaries I wish "show" to show me?
I mean I type show exploit and it shows EVERYTHING when I am only interested in linux exploits

Still sore hmg tanked hard, again?

Hi, a question, I just tested a meterpreter here and I got meterpreter, I could get hashdumps for the password, but is there any reason to do it when I have meterpreter access?

ur better off using unicorn to bypass antivirus it shows up as a text file but is an executable file could be sent in an email as a not or something

or for macOS u can hide a payload in metadata

If a guy knows my IP can he nmap me over the internet or does he have to be in an internal network with me?

he can do it over the internet but if he only knows ur local ip it doesnt really matter

fuck off faggot I hardly ever come onto these threads but why do you have to piss in other people's cheerios

Pentest student, here.
How would the sending of an exploit through open ports go without metasploit, is there a way to do this without metasploit?

Let's be honest. You can phish a macos user without a redirect or anything fancy.

>the dnc

how do you hack websites

Learn networking before trying to exploit things.

Most (remote) exploits are just scripts that send specific data to a port to make the software, kernel etc handling that information behave in a way it is not intended. This means that you can send an exploit through any program or script that communicates with another system, an example of such a program would be sockets in python or netcat.

desk?

I see, do you know of any good book that covers the networking basics?

As long as you have remote access on the router disabled, no ports forwarded and your firewall properly set up then your network is pretty much resistant to most attackers from outside the LAN

You do know that it's possible to bypass windows firewall, right?

I was talking about the router level firewall. While yes the windows firewall could be bypassed, it would certainly make it harder for an outside attacker

In no particular order, for learning the concepts:
1) Computer Networking - Top Down Approach -- Kurose, Ross
2) Computer Networks -- Tanenbaum
3) TCP/IP illustrated -- Richard Stevens

For programming:
Unix Network Programming Vol 1-2 - Richard Stevens
This will cover unix networking in C. I would strongly suggest anyone to learn Network programming in unix using C over learning in languages like python.

>python
I am actually leaning toward lower level languages like assembly since I don't want to be a script kiddie, I actually dig pentesting and exploit development.
Thanks!

Why over Python? Python is more accessible and "easier to understand"

Although it's similar to exploit dev, you should look at reverse engineering too

>download metasploit 3
>it takes 2+ hours to build
>thought it had finished (it was already on desktop built, I thought it had finished)
>shut it down
>it hadn't finished
>when I shut down the VM self-deleted since it wasn't finished
T-thanks

just a random pic from a /bst/ thread.
A bump in need is bump indeed
a bump with pic is better.

Attached: pure.gif (400x292, 366K)

we are a security thread right?
Why don't you guys make a script to bump the thread whenever it's on page 8? I don't because I am a shitter

Also remember the MEGA archive: mega.nz/#F!LX5kWAqK!uAuIctwzTqatFFe5NXfoKA

How about you first learn how fucking English works, then ask your question again

>hashdumps for the password,
>but is there any reason to do it when i have meterpreter access?

So you can get their passwords. Next time maybe you want to RDP in as a user instead of just dropping a nuke through their front door. Perhaps there is a user on a different box that’s the same as this one you just popped, trying a password you already have is a good idea

A few more issues of cyberpunkcomics since last thread:
thelightstreamchronicles.com/webcomic.html


>page 10
bump

What DNS server should I use?
I am thinking a random Chinese owned one since IDGAF if the chinks look.


OpenDNS

If you don’t care if the Chinese look, why do you care if the West looks?

Because I don't live in china

how do i become hackerman if i can't install kali linux because my dad won't let me remove windows 95 from his computer

Buy new computor

Thanks.

Keep in mind that a lot of VPN providers are Chinese owned.

There is always only one real way: hard work.

Is the CollectiveComputers ftp down for anyone? Can't seem to get on.

Only reason I want in is to download some C# programming books... Anyone have any links if CC is down again?

Reminder that certs are for retards and vulnerability research is the only true computer security field

I too have tried for several days to get in but I cannot. Thankfully we have a spare site:

poorfag cope

Yea, unfortunately I cannot find any of the books on programming in there, must have gone through it several times! We need the admins of the FTPs to actually update both with each other's content

Enjoy your security+ running ms08-067 from metasploit for 50k a year skid, I'll sell one bug and make more than you make in a decade

>my low impact submission on hackerone will make me heaps more than uuuu

>Enjoy running ms08-067 from metasploit for 50k a year skid

That sounds excellent

>too stupid to even know what selling a bug is
Yeah keep thinking that hackerone is where real bugs are sold and they're all worth 10k retard

If you need books I guess the 501 GB AEL will do:
The AEL-user is a regular also here.

10k hypothetical dollars. post proof you are smart enough to find anything worth remotely that much money

I don't have anything to prove to some certhaving ITT tech retard on Jow Forums
You already proved you don't know what real bugs are when you brought up hackerone

nice backpedaling poorfag cope more

My ida license cost more than your car does
how many times have you installed kali this week? i bet your neighbors are super impressed at you running aircrack after paying 60k to learn how to use it at itt tech

>paying more of your mother's money than my car is worth to LARP this hard

Maybe you'll find a real bug one day lil fella, you're going to have to put down the burp suite and metasploit though and actually learn how to reverse engineer, I know they didn't teach you that in your for profit school but that's how those bugs that other people wrote for you work :)

i don't need to, i get paid regardless. keep LARPing though, one day when your parents die it can be YOUR basement

Paid pennies at some shithole nobody company to set up firewalls? Nice dude that's epic
Sorry you weren't smart enough to make actual money and decided to go blue team :)

pennies are worth more than your hypothetical money. maybe if i stare at IDA all day like you i can make big bucks like you!.

Keep coping lil fella, it's okay to be jealous, it doesn't change the fact that I made more last month than you did last year

i made more than you made by like times infinity dude lmaoing at your cope

Stay mad poorfag

keep LARPing poorfag