hi guys! since nobody has posted @here, I figured I'd start! I've been in the industry for about a decade now and am happy to answer any questions anybody has about pentesting, vulnerability research and exploit development. I am a senior pentester and I do tool development for a different company as well so if anyone wants to ask any questions feel free to post in here or DM me! 🙂
#cybersecurity-questions
Hi @split dagger - I would like to upskill my career in the Security space. I have been working in End user technology services managing Mac devices. Can you share some guidance on where to start? It's really puzzling for me while searching on the internet, red, blue teams.. please please suggest
Hey man! I completely understand where you’re coming from. Security is a vast arena with so many different options and career paths to pick from. Even if you know what interests you, it can be very intimidating! Where do I begin? What skills do I need? Can I even do it? How do I know I’m making progress? We’ve all been there.
The good news is that the security community is amazing and is always going to be there to help push you forward on your journey! I wouldn't be where I am today without my peers.
Would you like to DM me so we can chat more about this? I’d be happy to point you in the right direction and guide you where possible!
Sure, thank you.
who can help me get an ip address?
quit asking sketchy questions in the channel man
Federal Bureau of Investigation
Bro -_-
you don't gotta be mean about it, just leave it at that
I am a beginner and I would like to learn :(((
we all know, he knows, we gotta be respectful
I beg to differ, but I'll leave it at that
ping website.com
there ya go
There's a guy on Discord who insults me and everything and I'd like to have his IP
and yep there it is lol
you can help me or not
.
Bro :/
Move on with your life. You won't be getting help with illegal activity here.
There's a block button on Discord. Use it instead of trying to break the law
Hi! I have a few questions. For context, I’ve been a penetration tester for about 11 months, and I’ve recently been assigned to a cloud VAPT (Vulnerability Assessment and Penetration Testing). I can't reveal much information, but I have no one to turn to for help, and I lack experience in this area. To build a foundation, I took the ARTE course.
Since it’s a white-box test, I’ve been running various tools, but I don’t have the confidence to fully support some of my findings. I want to be accurate and relevant to the client by genuinely understanding whether the issues flagged by open-source scanners (like Prowler and ScoutSuite) are real concerns or not. I would really appreciate some advice from all the wonderful people here.
Hi my man
If you want to go over the details of the findings with me (redacted) and give some context, I can help tell you what I would do in those situations
It can be difficult in the beginning making executive decisions about your clients, but you've been trained and are the expert in this situation, so if you don't want to share, I would say trust your gut. If you are really unsure, confer with your client to determine whether or not certain things which were identified are intended to be exposed or not. You do have to know when to draw a line though which is the hardest part imo
Some clients will ask you to downgrade findings severity, but you may feel that they are very critical, and you have to either find a balance with your client through discussions with them, or stick with your initial judgment.
I'm sure you can remember at the beginning, wondering whether to report an XSS as a high, medium, low, critical, whatever. You're just repeating the same process.
Thank you so much for offering to help! I will be really happy to receive your perspective on some of the specific findings. I'll PM you shortly with some redacted details of the findings. Your guidance will be invaluable to me, thank you so much again for being willing to assist! 🥲
Of course man!
I may be hopping off soon, but if you send over your questions I can answer as best as I can real quick! If not tonight, tomorrow morning for sure
Thanks for offering to help! I’ll send over the details later. Feel free to review them whenever you’re available, whether tonight or tomorrow morning, no rush. I really appreciate your time and assistance!
🥹
Hi everyone,
I'm a beginner in IT security, especially in pentesting.
I'm writing to ask some questions about pentesting.
I have a job interview next Tuesday and I'd like to have your perspective as a pentester.
According to this: https://www.wizbii.com/company/sysdream/job/stage-securite-pentester-h-f could you tell me what kind of questions you would ask at the job interview?
What do I need to know about pentesting?
During interviews for a Penetration Testing role, I've commonly encountered the following questions:
- Web/Network Methodology: What are your methodologies for web and network penetration testing?
- OWASP Top 10 Question: What do you understand about the OWASP Top 10, for example what is broken access control?
- Vulnerability Questions: Specific questions about vulnerabilities like SQL Injection, where I was asked to describe the vulnerability, provide a proof of concept, discuss its impact, and suggest remediation methods.
- Scenario-Based Questions: For example, handling a situation where a client refuses or rejects the findings. These questions assess how I communicate and manage client relationships, especially when there's disagreement.
I'm not sure if this will be useful for you... As your job role and mine are somewhat different. So I hope it will help 🙂
Hi,
I am a software developer trying to change the career into cyber security. I like Pen Testing and I am following TryHackMe rooms and learning paths at the moment.
I have some questions related to Cyber Security. Greatly appreciate it if you can point me in the right direction.
- Do I have to have any cyber security certs? If so, which one is the easiest so I can start small?
- Are TryHackMe and HackTheBox enough to learn things and become hireable in the Cyber Security field?
- I like CTFs, but I saw some CTF competitions require a team. How do I get into a team and how do you decide what each member does?
- HR will typically screen you out without a cert. Unfortunately that's been my experience in the past. You'll probably want OSCP or CEH (which sucks but is common for HR people).
- It's enough to learn things yeah, but nothing will beat true experience.
- You can join the team I play on as long as you participate! That's our fearless leader's only rule really. 😅
Though I will say that CTFs, while fun, are not practical in the sense that you're gonna be seeing that in a real engagement. You might, but it's unlikely.
For example, this was a solve description for a recent CTF we played, "zlib oracle with xs leak, flask max redirect length"
Like there is like a .00001% chance of that occurring in the wild haha
I agree with @split dagger on all points.
I'd like to add more on THM/HTB: sure it is a way to learn, but most of the boxes are unrealistic. Sometimes because they're too easy, most of the time because they're too crazy.
I'll link three posts from my blog which could be useful for you:
- https://grig.ooo/posts/failed/.
- https://grig.ooo/posts/oscp/ (In the case you’ll go for the OSCP).
- https://grig.ooo/posts/jobhunting/.
Other than that, I would suggest you get into bug bounty to learn web skills and soft skills (reporting and communicating with triagers). In case you go for it, do not chase money, work to learn, period. Study on PortSwigger Academy and enrich your knowledge by reading published bug bounty reports (HackerOne has plenty of them).
To learn skills related to infrastructure/network, go to Vulnlab which is great for that kind of stuff. Then, it would be so beneficial to set up your own vulnerable AD lab; to do so, check out GOAD by Orange.
Hope you’ll find this useful @gray compass 
awesome..thank you @azure sandal
Welcome 
What?
Why?
it needs at least one parameter like python sqlmap.py -h to show the help menu
Anyone have any interview tips? I have a red team engineer interview next week.
I guess be yourself is always the way to go
you don't want to end up in a place where you are not comfortable or they are not comfortable with you, so just show them what you know, and most importantly, don't try faking what you don't.
And show interest in the position of course
Thanks, sort of an interesting position. I already work at the company and have worked with the pentest teams before, and this new red team engineer position is an internal listing they asked me to apply for. So it's not as much of a shot in the dark.
Hello! I'm new here! I need some support for my Mac OS and iOS iPhone..
Is there anyone who speaks Portuguese?
Obviously I'll pay for the support
???
anyone do any work with istio or service meshes lately?
Do you know if Microsoft introduced some security feature to Edge? I'm trying to steal an NTLM hash via XSS (POC), I got a request on Responder: "sensing ntlm authentication request" but no response from the client appears
Are you on internal or external network?
Many internal networks don't allow NTLM to go past the internal network space
external perspective, host without VPN, just a standard Edge browser login and Responder set up on an external VPS. The application runs in Docker inside an Azure VM
I would not expect that to work ever. Most VPNs and internal networks don't allow NTLM to be exchanged over public IP ranges.
When you see writeups about NTLM phishing and stuff, those people usually already have a foothold internally and are just using a private IP when writing out the <img> tags.
NTLM can be used over the network, but it requires a client-side application to craft an HTTP request with Authentication: Digest ... inside the request.
So you'll rarely get a situation where NTLM phishing is the way. I'd suggest giving OAuth Illicit Consent phishing a try. No creds have to be entered, but instead the user "consents" to the application, and then you can gain limited access to their account via the MS Graph API.
Thanks for Explanation!
More specifically I should've said, "Most VPNs and internal networks don't allow SMB connections to be established over a public IP."
So I'm facing a situation where the current configuration prevents HTML injection. Somewhat frustrating, because in the form I'm facing a blacklist and could not find a possible XSS payload apart from IE browser support or tags for NTLM dropping xd
Try this ^^
It's worked for me more than standard phishing, because the user gets redirected to Microsoft.com to perform the consent. They then think, because they're on microsoft.com, that it must be legit!
hmm do you have some writeup for this, never tried it before
hello.
I want to know how to use the file encoded by shikata_ga_nai.
How do I do that?
Invoke the encoded shell from the rwx area of memory?
Seems like you already know the answer to your question.
You can change the output format to elf/exe with -f elf so it's already in binary format
Read the docs or google before asking in the future though, all of this is very well documented.
thank you. I'll read it.
Hi guys, for internal attacks, what are the most suggested? I am talking pth and others....
Carlos, are you familiar with the current AD Apple exploit? I'm searching for a cyber security professional that can assist me in regaining control of my devices, both Mac OS and iOS, as they are all under the control of a network domain admin. There are, just at first glance, thousands of Apple users that have been hijacked through the Open Directory or directory services fork of the Mac OS. It's very serious, and while I'm not a researcher I'm well versed in IT, and without doubt it is the worst malware/hijacking I've ever seen or could conceive, truly. With limited Microsoft Windows experience, I've been told that all the attackers need is an Apple user's phone number and a reply from a text message, and all devices contained in the Apple ID are under the control of the AD admin. Please excuse me if parts of my terminology aren't adequate, but in closing I should mention that all my devices are hijacked, and after using NSA-level BitRaser erasure my hard drives still contain a hidden HFS+ partition, and in the recovery environment one of the first sequences is contacting the AD node, and before Mac OS is even reinstalled the attack has begun. As I mentioned, going out on a bit of a limb, I'm suspecting this could be happening to an enormous amount of users, and I have also been told Apple is aware of this, which is discouraging to say the least, but I'm reaching out to you to get your take and see if you're interested in having a look. I'd be happy to compensate you for your time. Your thoughts, Jeff
Does anyone have a similar issue with aws_iam_review?
got a syntax error and started thinking whether this should be run on a lower version of python
actually you need to run it in a higher python version
I don't have info about this. Any links or something I could read to take a look?
Put this in docker with python 3.9:
inz@inz-VirtualBox:~/Desktop/Tool/aws_iam_review$ sudo docker run aws-iam-review
File "/app/aws_iam_review.py", line 112
print(f" - {colored('Privilege escalation', 'green')}: {', '.join(f"{p}" for p in ppal_permissions['known_privesc_perms'][:MAX_PERMS_TO_PRINT])}{more_than_str}")
^
SyntaxError: f-string: unmatched '('
could you give the version of python on which you tested it? :d
python 3.13 should work
Yep it's working 😄 one more question, if the output looks like this:
inz@inz-VirtualBox:~/Desktop/Tool/aws_iam_review$ python3.13 aws_iam_review.py default
[-] No OpenAI API key specified.
[-] No analyzer found
does it mean that the provided account was not loaded correctly? (in credentials I've got 3 parameters:
aws_access_key_id
aws_secret_access_key
aws_session_token)
The tool is using an AWS access iam analyzer. If it cannot find one or create one, basically the tool cannot work. Take a look in the readme about the needed permissions
okay, so additional access should make it work, I'm just thinking whether in the case of federation it will also deal with such an approach (strange thing: if I go to the console in our AWS I just see roles but 0 users)
fortunately that's not that strange anymore. Mature companies using identity providers properly won't have users in AWS and I'm seeing this more and more frequently
In any case, even with federation you should be able to get temporary AWS tokens, for example Okta allows you to get AWS tokens even if you are logging in through Okta to the AWS web console
So I need to ask our admins to add an additional policy to my current test account: arn:aws:iam::aws:policy/AWSAccessAnalyzerReadOnlyAccess and I will be able to check whether in the company we use potentially dangerous policy sets? 😄
Yep, you need more perms to use that "new" AWS API
Ok I will try and let you know, thanks Carlos!
Hello! I am looking for a personal firewall and network monitor for Windows, something like GlassWire, any recommendations?
Wazuh is free
Which tools do you recommend for security assessment of k8s? (I typically use ScoutSuite and kube-bench)
Anyone know why I have these
What's your best made payload in msfvenom?
Has anyone passed this course and could share some feedback about it: https://smartcontractshacking.com
Or give some better alternatives 😁
hi @gusty laurel
This course is good, I took it last year
I published an article on Medium titled "A Comprehensive Summary of RCE Exploitation Techniques" (https://medium.com/@ZAC_SEC/a-comprehensive-summary-of-rce-exploitation-techniques-6f55c904a7cb), covering almost all common RCE methods. I was wondering if you experts could help review it and let me know if there are any missing techniques or suggestions for improvements. Thank you so much in advance! 🙏
Very good!
Is the HACKTRICKS (AZRTE) AZURE RED TEAM EXPERT good with zero Azure knowledge?
Yes! It starts from the basics, explaining how Azure and Entra ID work, how permissions work...
@radiant sparrow Hey Carlos! Hopefully you don't mind me pinging you just to ask about a PR I submitted to linpeas that failed, but failed for a reason unrelated to my PR (the AWS module seems to have something going on). Should I make another PR, or once the AWS module is fixed can my PR be processed again? Sorry to ask ahhaha, I'd never submitted a PR before
yes, no worries! I just merged the PR!
Thanks a ton : ) That was my first ever PR so I spent half the time fixing the code and the other half figuring out how to make a PR ahaha
Prowler update booooyys
How to install kali linux from a to z
does anyone know if the hacktricks-feed is an RSS feed somewhere so i can feed it into my collection? or what the bot works against?
Hi, it's not an RSS feed, it finds the news in several ways and generates the reports you see there. Currently it just sends the info here and to Telegram. I don't know if I will update that, but what would you suggest?
Honestly, I was just thinking about grabbing the info to put into a Notion library of sorts; then if you query Notion AI, since it'll have it all there, it could answer potential questions while having all the latest research and whatnot available to it
You could use the Discord or Telegram API to monitor those channels and get the posts wherever you want, I guess.
The idea is to later use more AI to automatically update hacktricks from these posts as well
I’m currently building a network scanning tool that wraps around existing tools like arp-scan, masscan, and nmap. The idea is to scan large subnets (e.g. a /16) in parallel for better performance.
However, I ran into a problem: if my host is assigned to a VLAN with a /24 subnet mask, how can I scan hosts in other VLANs within the larger /16 range?
You should be capable of scanning any network if you can reach it
Check your routing table
You might be restricted to your vlan
Hey everyone, so, I have a question not related to technical skills exactly.
I’m doing pentests and frequently the sheer volume and breadth of data is just massive. Thousands of servers, users, etc.
One of my biggest challenges is organizing this information into notes and querying it. By the end of the engagement I often have a more complete listing of the org’s assets than they do! Prioritizing all of this is hard too - there’s credentials and what services you have tried them against, there’s exploits and their results, etc.
Right now, I'm using Obsidian for taking notes alongside various data files for tracking all of it. I often have an Excel spreadsheet for tracking my most promising data. I'm kind of envisioning a database scheme for tracking this information, and I bet there's some good stuff on GitHub, but so far I am not aware of anything pre-made that's portable, can be shared easily across my team and is super promising.
I’m just wondering what other red teamers and pentesters are using to organize their engagement data and if you have resources, blogs, templates etc. you’ve found helpful. Thank you
https://github.com/GhostManager/Ghostwriter
Have not used this myself but heard good things
That looks nice! I haven’t heard of it. Thanks for letting me know about it. Maybe I’ll try to stand up a demo this weekend and try it out
Sirius — 20:12
Hii guys
I need some help
I have received this task:
Please work on the below activities
- Definition of a secure configuration document for Windows 11
- Script for checking compliance with the above security standards
You first identify the parameters which you will include in the Windows 11 SCD, then work on the assessment script
can anyone help me out with this task?
Hey,
Does anybody have any guidelines on how to do a review of 'Amazon Q'? I don't think tools such as e.g. ScoutSuite even cover this 🙁
Is UAC Bypass – Activation Context Cache Poisoning (ctfmon.exe, CVE-2024-6769) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.html#uac-bypass--activation-context-cache-poisoning-ctfmonexe-cve-2024-6769 still working on current Windows 11 builds?
Setting Up Splunk Universal Forwarder https://medium.com/@ghdghiggjjh/setting-up-splunk-universal-forwarder-on-windows-and-linux-for-your-home-lab-7cf6e4dab55b
I think they got fixed