Which version of TLS is being used here?
Which version of TLS is being used here?
With the growing need for privacy I had diverted some of my research towards the importance of secure communication. Based on my research I have found two of the most primitive applications for communication are Signal and Threema. Arguably, voice/ video ...
Are the devices that use the wifi at risk? In a situation where the attacker has your router admin password they pretty much control your router. So if they control your router can malware be sent to the devices you use? Can the malware be sent directly t ...
The file user_pass.txt, generated from smb_enumusers, is not a "Escritorio".
W
here is it?
the file user_pass.txt, generate from smb_enumusers, is not a "Escritorio".
w
hat is her location?
Thanks
I bought a USB Bluetooth adapter and my PC now has Bluetooth available, but while it's connected it is makes a "HID Keyboard" show up in my "Mouse, keyboard & pen" setting in Windows (which I can remove until I re-plug it again). Does it mean the device i ...
I recently came across a vulnerability which was caused by unsafe deserialization (Java) and the user of the Apache Commons library commons-beanutils. The ysoserial project references commons-beanutils 1.9.2, so I thought that there might be a later versi ...
i hope someone could help on this. i have a Moxa 810 managed switch and i am trying to configure the access via HTTPS. In the swtich i have already allowed https with ./certstrap i created a CA and generated (signed) a ssl certificate that i deployed in t ...
In most common web applications that support multi-factor authentication the user is first prompted for their username and password, and only after a successful first authentication the user is prompted for their TOTP token. Why is that? Are there any sec ...
In most common web applications that support multi-factor authentication the user is first prompted for their username and password, and only after a successful first authentication the user is prompted for their TOTP token. Q: Why is that? Are there any ...
If I wanted to open these methods in my REST APIs securely, how can I do that? What validations should I apply?
I have a certificate signed by https://www.noip.com which I'm using in my website (https://angola.sytes.net
), but the certificate is only recognized by some browsers in some places.
If you take a look at my website you'll see that the certificate was issu ...
I have a certificate signed by https://www.noip.com which I'm using in my website (https://angola.sytes.net
), but the certificate is only recognized by some browsers in some places.
Is that related to the certificate signer? Where can I get a free certifi ...
Over the years I've noticed that more and more login pages implement an eye icon next to the password field, that on click toggles between hidden and plaintext view of the password typed in that field. Why is this feature becoming more widespread? Why wou ...
During working with anydesk i repeatedly receive an error like : The Connection Reset By The Other Desk Sometimes with this error my wi-fi connection disconnects. What is this error? Nowhere on the internet there is such an error. Is my wi-fi provider a ...
I have been using Windows Product Key Viewer for ages to read current Windows' serial number. I had never any hack- or virus-related issue about this application. A few days ago I have installed Bitdefender and one my OneDrive started to download a number ...
So I had linux mint with fde, had sensitive files on it, shut down my pc, and reinstalled a new linux mint OS with fde. What are the chances of data recovery from the first OS?
I noticed an error in my event viewer logs about certificate with specific thumbprint unable to be renewed. After I dug some more, I found that the certificate in question was accompanied by two other certificates located in Trusted Root Certification Aut ...
I noticed an error in my event viewer logs about certificate with specific thumbprint unable to be renewed. After I dug some more, I found that the certificate in question was accompanied by two other certificates located in Trusted Root Certification Aut ...
I am trying to connect to a supplier API but they have a whitelist of the IPs which can consume their API. I gave them my server IP so that they could add it to the whitelist but it is still not working. I suspect this is coming from my company proxy whic ...
I am trying to connect to a supplier API but they have a whitelist of the IPs which can consume their API. I gave them my server IP so that they could add it to the whitelist but it is still not working. I suspect this is coming from my company proxy whic ...
I found a project that uses T-SQL's newsequentialid() for one of their external ID columns which is used for public APIs. When that column is added to an existing table, each row gets an incremented GUID. Is this bad? A malicious user could quickly work o ...
passwd.txt
root:x:0:0:roo
t:/root:/bin/bash
shadow.
txt
root:$y$j9T$q/teA6wUZ
R80tSBEoiAmN/$lUdns2DwxLS
sdR2N9MgN71OSRW/atRkjyi.F
/1fmq29:19135:0:99999:7::
:
error
sudo john cracked1.txt
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
Scenario The following bash commands create an empty file test.txt, encrypt it using a default algorithm to test1.gpg, then append the line new line to the original file and encrypt it again to test2.gpg. Each of the gpg commands prompts the user to enter ...
I am building a web form in PHP, is just for the user to request information about my services or send comments, so I don‘t need the user to be logged with a username and a password, no databse. I have the validation and sanitation scripts already for t ...
At my local medical center in New Hampshire, USA, every new encounter with a patient – office visits, booking appointments by phone, etc. – begins with the patient providing their name and date of birth. This is fine if I initiate the phone call or if ...
At my local medical center in New Hampshire, USA, every new encounter with a patient – office visits, booking appointments by phone, etc. – begins with the patient providing their name and date of birth. This is fine if I initiate the phone call or if ...
For my memoir, I need to find documentations about TLS applications such as mail server protection and security of electronic transactions. Waiting for yours suggests
As I read here and there, it seems like SMS isn't encrypted. Let's say I live in an appartment building. If someone uses a cellular modem to intercept my SMS messages, can they determine my name from the phone number and the personnal information within t ...
As I read here and there, it seems like SMS isn't encrypted. Let's say I live in an appartment building. If someone uses a cellular modem to intercept my SMS messages, can they determine my name from the phone number and the personnal information within t ...
I’m writing a script to get the encryption status of Time Machine disks.
I run defaults read /Library/Preferences/com.
apple.TimeMachine.plist and grep for LastKnownEncryptionState. This works fine for different sorts of USB disks, but remote NAS disks a ...
Imagin I have a company. For the public website, I create key pair and ask a trustworthy CA to sign my public key. Now I have a valid Signed Certificate. So, for my private applications which are running on different machines in LAN network of the company ...
Cryptography is a core security service, and is generally considered a specialty that is difficult to get right unless one knows what they are doing. Furthermore, cryptography API misuse is rampant and the cause of many security vulnerabilities. This ques ...
How can I trace network attacks where a stalker observes my traffic and other malware (including implanting malware/reconnaissance)
W
hich services or methods should be able to identify the activity?
How can I trace tricky APT (Advanced Persistent Threat) network attacks where a stalker observes me? Which services or methods should be able to identify the suspect? APTs (Advanced Persistent Threat) and other malware (including implanting malware/APT re ...
I have been a victim of cyber attacks for more than a year now. No matter how many times I'd change my accounts, password, devices, network; these people and their stalker would identify me and have access to my devices. They're doing things like deleting ...
I have been a victim of cyber attacks (more like cyber terrorism) for more than a year now. The perpetrators got me because I converted to Judaism recently. No matter how many times I'd change my accounts, password, devices, network; these people and thei ...
When I want to install Ultrasurf extension it gives me this message: So I do not understand what this "Change your search setting to: smartwebfinder.com" wants to do. When I go to this website : smartwebfinder.com it redirects me to google.com Why does i ...
I was just watching premium content on a tech learning web application , Just noticed that when I opened snipping tool the video gone hide. I then searched for it and ended up at MULTI DRM protection which is simply mechanism to protect such type of conte ...
I am new to IT certificate world, I have 3 questions that have not found on google yet or not sure: I am a Software Developer in a NGFW Router company that works on cybersecurity related work(Certificate, TLS, FIPS-CC). I think I am working on 2 of 8 dom ...
I see connections to Amazon AWS servers, and since everyone can register servers on Amazon, how do I know if my PC communicating with a safe Amazon server, or with a server which a hacker registered? If I search for the IP, all I can see is that it belong ...
I'm addicted to this game, and while I don't want to delete it, I want to be able to encrypt/lock it in a way where the decrypting/unlocking takes a day, and ideally during that day I can cancel the decryption process (hopefully by that time my urges stop ...
I just pulled down the repository for an elite penetration testing tool call sn1per I want to use this tool to scan a list of websites. My goal is to automate the steps of a manual penetration test. Any help with this would be greatly appreciated. The ste ...
This is my sources.list:
deb https://http.kali.org/kal
i kali-rolling main non-free contrib deb
http://security.kali.
org/kali-security kali/updates main contrib
non-free
But when I do an update it see repositories I have removed like this:
Ignorato:1 ht ...
I keep getting a discord rate limit for one of my bots but I'm not sure where my code is sending multiple requests to the server. Does anyone know where in my code I might be sending an exceeding amount of requests? If so how could I change my code? # Imp ...
I’ve seen many HN comments bashing on SMS being insecure. But WhatsApp and signal both use it as their primary authentication method so it can’t be that bad? Why is it bad? What attacks are it susceptible to?
I need to transfer a file from my work macbook pro to my personal windows laptop via a USB stick. My work laptop only allows USB encrypted with easylock endpoint protector client to be writable. So i set a generic password like 123456 and let the easylock ...
Hello I'm using Metasploit versus Metasploitable2 VM.
I'm trying the following exploit:
multi/http/php_c
gi_arg_injection
That should works for the php version in use.
The exploits seems to works but I don't get any reverse meterpreter tcp shell
[*] Start ...
I am still new in cyber security and social engineering based hacking. If someone can access your Facebook account without you getting any notifications and send false messages Impersonating your Facebook friends, what kind of hacking is that?
I was able to log into my Facebook with the incorrect spelling of my email address. I think this might mean my Wi-Fi is hacked or is this a random Facebook issue?
I was able to log into my Facebook with the incorrect spelling of my email address. I think this might mean my Wi-Fi is hacked or is this a random Facebook issue?
I'm sharing my hacked phone's Wifi connection with tethering, so my data travels trough it from my PC. I'm using VPN both on PC, and phone. My phone(facebook account, camera) got hacked, but I made a factory reset, and changed my passwords. I'm using fire ...
I am tring it get GnuPG to work with my SmartCard-HSM 4K on Windows, using the GP4Win bundle. Kleopatra doesn't recognise the SC-HSM 4K at all, even though, it DOES recognise the YubiKey 5 NFC in BOTH PIV and Openpgp Card apps. When trying to use the GPA. ...
Having issues in finding cross site scripting. I need some best resource for learning cross site scripting (xss)
This OWASP recommendation says:
it is highly recommended to use the Cache-Control: no-cache="Set-Cookie
, Set-Cookie2" directive, to allow web clients to cache everything except the session ID
But the mozilla docs say
The no-cache response directive ind ...
Hello I have BeeBox running on a VirtualBox Machine, but when I try to connect to the IP of the machine from the browser of my host computer I cannot connect to it. How can I solve it? So how can I setup bee-box so I can see the bee-box server? Thank you!
TLDR: With PIE and ASLR enabled, am i able to calculate the base address of other parts of an x64 elf binary (e.g data segment, stack) if i know the base address of libc? ------- Hi, I'm looking at an x64 elf binary with ASLR, PIE, and NX constraints. I h ...
I am currently trying to implement my own cryptographic IBE scheme within GPG. I understand that rolling one's own crypto is frowned upon, yet, this is for research purposes only. Is there an easy method of implementation within GPG to add my custom encry ...
I was doing a VAPT assessment in which I see some JSON body in the request which has orgid deviceid So there any possibility to get XSS in json body?
We need to send a plain text email with user-specified input. For example, if a user is an attacker a plain text email can contain alert(1) It looks like mail clients should treat it just as plain text and it shouldn't pose any threat to end recipients. ...
Assuming I want to use different mail addresses for different purposes and using either a catch-all configuration (*@example.com) or mail extensions (e.g. me+*@example.com) (where * can be replaced with anything). But for simplicity and because of using a ...
I want to keep my macbook from going online. I know how to disable wifi. Can I prevent my macbook from connecting to the internet if a LAN cable is plugged into it?
When I'm trying to anaylze CVEs to detect which jars are affected by the CVE, I getg confused. let's take as an exmaple this CVE: CVE-2022-22978 in the description: "In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestM ...
I tried to get aircrack-ng running but to no avail on a native ubuntu machine. There are no problems with wifi in normal usage. I used these steps: sudo apt-get update sudo apt-get install -y aircrack-ng sudo airmon-ng check kill multiple times until no ...
Is there any techniques that I can follow in order to make a strong password that I can´t forget? And is there some secure places where I can keep these passwords?
I am looking for some examples of private key leakage or compromised keypair (via insider attack, configuration mistake, etc.) that lead to certificate revocation. I am particularly looking for cases when CA was compromised but can also use info on leaf c ...
I have a need to whitelist two sets of 0/23 IPs (which could amount to approx 1200 IPs) along with 10,000-20,000 ports (UDP). We have historically never done it and feel very uncomfortable doing so. Is there anything we can do to feel secure from a risk a ...
I have a need to whitelist two sets of 0/23 IPs (which could amount to approx 1200 IPs) along with 10,000-20,000 ports (UDP). We have historically never done it and feel very uncomfortable doing so. Is there anything we can do to feel secure from a risk a ...
So, we recently launched our website, and things are going great so far. But since last night we have seen that some end-users browsers are making calls to strange URLs. We don't know how or why the browser makes those calls. Our guess is that the user's ...
I have a vulnerability scanner than detected a security vulnerability in a particular package. Let's call it package "[email protected]". [email protected] is used by other dependencies, such as this: [email protected] > [email protected] > [email protected] > [email protected] Typically there's a recommended version upgrade ...
I'm trying to implement a mechanism that allows me to maintain a list of SSL server certificate public keys that have been verified as trusted during an application run time. For example: Application makes an HTTP request to a server SSL handshake takes ...
I want to cross-sign a third-party certificate (third-party-client.crt) with my own root ca (r1).
To do this, I use
openssl x509 -in third-party-client.crt -CA /etc/pki/r1/ca.crt -CAkey /etc/pki/r1/private/ca.ke
y -out third-party-client-cross-
signed.crt - ...
im not so tech savvy so i'll try and explain my situation. when i always open my laptop it has this wierd opening popup of a couple cmds and dissapears rather quickly, i never thought about it since i didnt know what it did. now after a while i was gone f ...
I have a stalker, and six months ago, he got my someone to evil maid my devices with a USB stick that person had borrowed (which then took me three months to discover). This attack appeared to have rootkit'ed my devices with a VM level rootkit. Currently, ...
I'm new to SpiderFoot tool and I have Kali Linux on my system and want to use SpiderFoot that has installed by default, for the first time. But I get an error: Warning: passwd file contains no passwords. Authentication disabled. Please consider adding aut ...
For testing purposes, I need a PGP key for a specific uid that has already expired. Using gpg --full-generate-key only gives me the following options: Please specify how long the key should be valid. 0 = key does not expire = key expires ...
As outlined in Security Bulletin MS14-025, Microsoft acknowledges the way credentials had been stored in the group policy field "CPassword" is insecure and is not to be trusted any more. However according to their own Developer Documentation, they themsel ...
Let's analyze the following scenario:
User authenticates with session cookie
I have CORS enabled (like Access-Control-Allow-Orig
in: * - header)
I use CSRF Token to prevent CSRF attacks and I include it in HTML document's body
Is it possible to perform C ...
Is whois, nslookup, recon-ng a form of Active reconnaissance or Passive reconnaissance?
This was a fresh VM with msedge and winscp,why is msedge making a readoperation on winscp
Say an attacker sends a malicious request to the following path in order to execute remote code as part of OGNL injection attack:
/${Class.forName(
"").getMethod(&
quot;getResponse",nu
ll).invoke(null,null).set
Header("X-COD",
Class.forName("javax
.script.ScriptEngi ...
I have been working on an app that uses a combination of different encryption methods; some of them are libraries, and the most important ones are my own implementations. The app is cross-platform that are compiled natively on desktop (Linux, Windows, Mac ...
I was given a standard non-admin user and a workstation to perform internal pentest assessment. To my surprise, I was able to open cmd prompt as administrator, use psexec and gain a SYSTEM shell giving me local admin access. Is it normal to let standard u ...
Have there ever been reported cases of duplicate IMEI numbers, whether un-intentional or deliberate? Link to the Wikipedia description of the IMEI number or International Mobile Equipment Identity number
Question to all Incident Response Practitioners, I am trying to show a series of events from different platforms in a timeline graph to establish the activity of an object (login events, alerts etc.) across various security tools. Say I was looking back ...
I have an USB Token (brand 3SKey) containing a certificate "C" with its private key stuck on a machine "A". The certificate is obviously not exportable and I'm not interest into using 3rd party tools to try to extract it. This certificate is used exclusiv ...
The (anti) CSRF Token should protect user from executing a action on the website by clicking a link or a form that is created by an attacker. In the application that I want to secure I can't use an existing framework and I can't use html forms everywhere ...
I am looking for a "best practises" approach for creating SPAs protected using OIDC + PKCE. Most of our applications are hosted on two independent web servers with a load balancer routing requests to them in a round-robin configuration. Our SPAs are almos ...
I was signing up for an app for a credit card I have and I encountered an SMS 2FA format I had never seen before. The code was 47φ[3/5] - that is two digits then capital Phi then the fraction three-fifths. To input there were on-screen buttons, 0 to 9 th ...
I was signing up for an app for a credit card I have and I encountered an SMS 2FA format I had never seen before. The code was 47φ[3/5] - that is two digits then capital Phi then the fraction three-fifths. To input there were on-screen buttons, 0 to 9 th ...
I was signing up for an app for a credit card I have and I encountered an SMS TFA format I had never seen before. The code was 47φ[3/5] - that is two digits then capital Phi then the fraction three-fifths. To input there were on-screen buttons, 0 to 9 th ...
Question#1
whitewinterw
olf answer says
the circuit level gateway CHANGES the source ip address of outgoing
packet(from the internal network point of view).
Two different TCP connection are formed, inbound and outbound.
Question#2
I didn't get what A ...
I'm trying to understand the logical flow of SSL certificate. Suppose I have a website running on a machine. I generate a CSR file that contains information (e.g. common name, organization, country, ...) and my public key, so I sign those with my Private ...
I don't know much about AD or Windows security. As in this question, I understand that pwd change notification can be useful for both users and for system administrators. As an AD administrator on Windows Server 2012 R2, can I configure the system to noti ...
Hi guys I'm doing a CTF on vulnhub and I need to brute force SSH, I've got 6 usernames and 15.000.000 passwords to try so I'm brute forcing with hydra by running hydra -L users.txt -P $LIST/rockyou.txt -t 64 -o hydra_bruteforce.txt ssh://grotesque2 but i ...
N m K m j T triumph guy will e💚🗡🧬🏰🏈🥣
🛴🏍k CC B get Ty V bb
I'm running into a challenge where I have control over the return address and the base pointer through my input, however the program null byte terminates and the addressing scheme only takes up 6 bytes. I'm using leave gadget to control the stack pointer ...
I'm trying to build a simple, public facing, mock/placeholder API service. As in the user can create a mock API response for a given URL on my site, mysite.com/abc123, and then they can make HTTP requests to that URL and receive their supplied response fo ...
If oauth2 is used with the state parameter (I know it's not required by the standard), wouldn't this ensure freshness, i.e. that authentication just happeneded ? What additional security can OIDC bring ?