Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "metasploit"
-
Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P39 -
Managed to get a fucking meterpreter shell without human help for the first time today!
It was a VulnHub challenge, for the record, but damn that felt good!
For those who don't know; this is a remote command execution thing ran on compromised systems by (malicious) attackers using the Metasploit framework.
I have done tons of pentesting but not on system level so this is quite an accomplishment for me 😊4 -
Well, I was Always into Computers and Games and stuff and at some point, I started wondering: "why does Computer Go brrr when I Hit this Button?".
It was WinAPI C++ and I was amazed by the tons of work the programmers must have put into all this.
13 year old me was Like: "I can make a Game, cant be too hard."
It was hard.
Turns out I grabbed a Unity Version and tried Things, followed a tutorial and Made a funny jet Fighter Game (which I sadly lost).
Then an article got me into checking out Linux based systems and pentesting.
*Promptly Burns persistent Kali Live to USB Stick"
"Wow zhis koohl".
Had Lots of fun with Metasploit.
Years pass and I wrap my head around Javascript, Node, HTML and CSS, I tried making a Website, worked Out to some extent.
More years pass, we annoy our teacher so long until he opens up an arduino course at school.
He does.
We built weather stations with an ESP32 and C++ via Arduino Software, literally build 3 quadrocopter drones with remote Control and RGB lighting.
Then, Cherry on the top of everything, we win the drone flying Contest everyone gets some nice stuff.
A couple weeks later my class teacher requests me and two of my friends to come along on one of their annual teacher meetings where there are a bunch of teachers from other schools and where they discuss new technology and stuff.
We are allowed to present 3D printing, some of our past programming and some of the tech we've built.
Teachers were amazed, I had huge amounts of fun answering their questions and explaining stuff to them.
Finally done with Realschulabschluss (Middle-grade-graduation) and High school Starts.
It's great, we finally have actual CS lessons, we lesen Java now.
It's fuckton of fun and I ace all of it.
Probably the best grades I ever had in any class.
Then, in my free time, I started writing some simple programs, firstvI extended our crappy Greenfoot Marsrover Project and gave it procedural Landscape Generation (sort of), added a Power system, reactors, Iron and uranium or, refineries, all kinds of cool stuff.
After teaching myself more Java, I start making some actual projects such as "Ranchu's bag of useful and not so useful stuff", namely my OnyxLib library on my GitHub.
More time passes, more Projects are finished, I get addicted to coding, literally.
My days were literally Eat, Code, sleep, repeat.
After breaking that unhealthy cycle I fixed it with Long Breaks and Others activities in between.
In conclusion I Always wanted to know what goes on beneath the beautiful front end of the computer, found out, and it was the most amazing thing ever.
I always had constant fun while coding (except for when you don't have fun) and really enjoyed it at most times.
I Just really love it.
About a year back now I noticed that I was really quite good at what I was doing and I wanted to continue learning and using my programming.
That's when I knew that shit was made for me.
...fuck that's a long read.5 -
!rant but help?
I currently have Kali (for labs I'm working on to teach myself the things I didn't learn in school), Ubuntu (downloaded for school), and Fedora (downloaded for my database class)... other than Kali already having Metasploit in it, I don't see a difference between these and I know there are more versions of Linux.
What would be a good starting place for every day use, that'll support Citrix receiver (required for work no idea what its requirements are but I can find out, if i can't use it in Linux, I'll dual boot) and virtual box (or other virtual software, don't mind learning new systems), and that i can also have room to grow for security learning?18 -
i wrote a website, a server in go, a small os in c, a game in js, a game and server and web scraper and other desktop apps in java, mobile apps with flutter, a website with php also, implemented aes in go, wrote a parser in java. done sysadmin stuff on my vps and pihole/openvpn/nextcloud on my rpi. learn about c vulnerabilities and used metasploit. attempted to write an interpreted language. did some led displays with arduino. currently learning tensorflow.
i have never...
- written a driver
- made a game with a game engine
- created a file encoding
- implemented an oauth2 server
- made an api
- worked with vr
what am i missing? i want to be a very well rounded dev.13 -
Have defective supermicro server, but the ipmi is working and could tell me what's going on.
Only problem is, I don't have access to it since the last owner didn't provide it to me.
So I thought let's try metasploit.
Setup local network with a second server, connect to local* address.
"Welcome to intel integrated BMC web console"
What? Its a Supermicro, did the owner reflash the ipmi? What the heck.
Msf: scan adress ....
ipmi found bla bla bla.
Msf: zero cipher scan.
... Voulnerable to zero cipher.
Was pretty happy but the doubt kept creeping in.
On my WS that isn't connected to the ipmi of my server, I go to that ip address.
Bam
"Welcome to intel BMC ......"
MOTHERFUCKER.
What are the odds that some fucker has his ipmi open to the public on that exact same address that my board was configured to.
Well, actually pretty high I guess.
Fuck. Shit.
That didn't go as planned. -
I planned to make some tutorial videos on NMAP, Metasploit or similar tools.
Which platform should I prefer? YouTube or udemy?
Note: I am not planning for monetize5 -
Hi!
I want to know if there is possibility to find a vulnerability on a .jar file.
I tried to install Kali on VM (for now) and tried to use metasploit but I found that it attacks the inter system on a indicated ip address.
There are many application or video (and so on) for my problem?
This .jar file is an application and I want to do pentesting...
Sorry for my poor english but it isn't my native language.
I'm new in pentesting wolrd 🤣8 -
Probably !dev
How should I inform a government website that one of their user password combinations is in a short metasploit password list. The list name is tomcat_mgr_default_userpass
The top exploit db vulnerabilities for tomcat verison did not work so kudos to them on that. I am just a script kiddie
Edit :- Forgot to mention I am an Indian citiizen9