My girlfriend doesn't talk to me anymore after I said I helped the new girl to do some penetration testing.

Bruteforce IRL

So I recently bought my first house (yay!).

Whilst doing the initial viewings I saw the below on the backyard and thought "hey that's neat, I can leave a key in there for when I come in late and my fiancée is asleep.

Fast forward to moving in day and the previous owners hand me the keys so I ask "oh yeah, what's the code for the keysafe" and he just looks at me completely blank, so I'm just like "the box on the wall out back" and he's just like "oh! So that's what that is. No we've never had the code for that, bye."

Being a pen tester I'm just stood there dumbfounded thinking "How the hell can you have a locked box attached to your house and not want to know what is inside!"

Anyway, that brings us to now where I'm stood outside in December on a Sunday morning brute forcing my way into my own keysafe.

I wish this didn't run so many parallels with my work life 😂

So back story... I opened up my own company a while back. I provide not only general IT and phone repair etc but I also do ethical penetration testing and patch the holes.

Before opening my own business me and some buddy's went out to a bowling ally and bar to have a few drinks. I wanted to see what their network was like... I hacked into their entire network in less than two minutes. From my iPhone. I was in their switches, I was configuring their printers and fax machines. Lord knows what I could have done if I had my laptop.

Anyways, back to the rant... I got this text today. 😂😩🔫

!Story

The day I became the 400 pound Chinese hacker 4chan.

I built this front-end solution for a client (but behind a back end login), and we get on the line with some fancy European team who will handle penetration testing for the client as we are nearing dev completion.

They seem... pretty confident in themselves, and pretty disrespectful to the LAMP environment, and make the client worry even though it's behind a login the project is still vulnerable. No idea why the client hired an uppity .NET house to test a LAMP app. I don't even bother asking these questions anymore...

And worse, they insist we allow them to scrape for vulnerabilities BEHIND the server side login. As though a user was already compromised.

So, I know I want to fuck with them. and I sit around and smoke some weed and just let this issue marinate around in my crazy ass brain for a bit. Trying to think of a way I can obfuscate all this localStorage and what it's doing... And then, inspiration strikes.

I know this library for compressing JSON. I only use it when localStorage space gets tight, and this project was only storing a few k to localStorage... so compression was unnecessary, but what the hell. Problem: it would be obvious from exposed source that it was being called.

After a little more thought, I decide to override the addslashes and stripslashes functions and to do the compression/decompression from within those overrides.

I then minify the whole thing and stash it in the minified jquery file.

So, what LOOKS from exposed client side code to be a simple addslashes ends up compressing the JSON before putting it in localStorage. And what LOOKS like a stripslashes decompresses.

Now, the compression does some bit math that frankly is over my head, but the practical result is if you output the data compressed, it looks like mandarin and random characters. As a result, everything that can be seen in dev tools looks like the image.

So we GIVE the penetration team login credentials... they log in and start trying to crack it.

I sit and wait. Grinning as fuck.

Not even an hour goes by and they call an emergency meeting. I can barely contain laughter.

We get my PM and me and then several guys from their team on the line. They share screen and show the dev tools.

"We think you may have been compromised by a Chinese hacker!"

I mute and then die my ass off. Holy shit this is maybe the best thing I've ever done.

My PM, who has seen me use the JSON compression technique before and knows exactly whats up starts telling them about it so they don't freak out. And finally I unmute and manage a, "Guys... I'm standing right here." between gasped laughter.

If only it was more common to use video in these calls because I WISH I could have seen their faces.

Anyway, they calmed their attitude down, we told them how to decompress the localStorage, and then they still didn't find jack shit because i'm a fucking badass and even after we gave them keys to the login and gave them keys to my secret localStorage it only led to AWS Cognito protected async calls.

Anyway, that's the story of how I became a "Chinese hacker" and made a room full of penetration testers look like morons with a (reasonably) simple JS trick.

Everytime I tell someone I write scripts and test security of new hardware/software, I get
"oh that's so cool, what's that called?"

"penetration testing"

*Room goes silent and wide-eyed*

Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.
Vulnerability scanning is not penetration testing.

Watch out for these fucking bug bounty idiots.

Some time back I got an email from one shortly after making a website live. Didn't find anything major and just ran a simple tool that can suggest security improvements simply loading the landing page for the site.

Might be useful for some people but not so much for me.

It's the same kind of security tool you can search for, run it and it mostly just checks things like HTTP headers. A harmless surface test. Was nice, polite and didn't demand anything but linked to their profile where you can give them some rep on a system that gamifies security bug hunting.

It's rendering services without being asked like when someone washes your windscreen while stopped at traffic but no demands and no real harm done. Spammed.

I had another one recently though that was a total disgrace.

"I'm a web security Analyst. My Job is to do penetration testing in websites to make them secure."
"While testing your site I found some critical vulnerabilities (bugs) in your site which need to be mitigated."
"If you have a bug bounty program, kindly let me know where I should report those issues."
"Waiting for response."

It immediately stands out that this person is asking for pay before disclosing vulnerabilities but this ends up being stupid on so many other levels.

The second thing that stands out is that he says he's doing a penetration test. This is illegal in most major countries. Even attempting to penetrate a system without consent is illegal.

In many cases if it's trivial or safe no harm no foul but in this case I take a look at what he's sending and he's really trying to hack the site. Sending all kinds of junk data and sending things to try to inject that if they did get through could cause damage or provide sensitive data such as trying SQL injects to get user data.

It doesn't matter the intent it's breaking criminal law and when there's the potential for damages that's serious.

It cannot be understated how unprofessional this is. Irrespective of intent, being a self proclaimed "whitehat" or "ethical hacker" if they test this on a site and some of the commands they sent my way had worked then that would have been a data breach.

These weren't commands to see if something was possible, they were commands to extract data. If some random person from Pakistan extracts sensitive data then that's a breach that has to be reported and disclosed to users with the potential for fines and other consequences.

The sad thing is looking at the logs he's doing it all manually. Copying and pasting extremely specific snippets into all the input boxes of hacked with nothing to do with the stack in use. He can't get that many hits that way.

Valve employees trying hard.

Me: I'm a computer major along with an added specialisation in Information Security. So besides learning code and software development, we also do a variety of security related stuff like penetration testing and so on.

Others: Oh great that means you must know how to hack Facebook.

*makes me flip every time*

So one of the apps I develop and maintain is going to get penetration tested.

I recieved an email if I could whitelist all their ips so they could get acces to the system. Without any further details.

Like wtf? Arent you supposed to be testing if you can get acces xD

Next thing they will be asking passwords and keys xD and if I could build in a backdoor.

Tonight was the regionals of CPTC, a relatively new competition about penetration testing. Here's our master plan, dont tell anyone ;)

!rant but seeking für help

Hi!
So my boss came to me yesterday and asked me if I could do some penetration / security testing for a web application our company made.
Interested in learning it and being familiar with HTML, PHP, JavaScript and MySQL I said yes.
Though I have some really basic knock edge of the subject (E.g SQLInjection) I was wondering if you know any good website / udemy course or whatever that can get me started.
I don't mind if there will be a certificate at the end but it is not necessary.

Thank!

We had 1 Android app to be developed for charity org for data collection for ground water level increase competition among villages.

Initial scope was very small & feasible. Around 10 forms with 3-4 fields in each to be developed in 2 months (1 for dev, 1 for testing). There was a prod version which had similar forms with no validations etc.

We had received prod source, which was total junk. No KT was given.

In existing source, spelling mistakes were there in the era of spell/grammar checking tools.

There were rural names of classes, variables in regional language in English letters & that regional language is somewhat known to some developers but even they don't know those rural names' meanings. This costed us at great length in visualizing data flow between entities. Even Google translate wasn't reliable for this language due to low Internet penetration in that language region.

OOP wasn't followed, so at 10 places exact same code exists. If error or bug needed to be fixed it had to be fixed at all those 10 places.

No foreign key relationships was there in database while actually there were logical relations among different entites.

No created, updated timestamps in records at app side to have audit trail.

Small part of that existing source was quite good with Fragments, MVP etc. while other part was ancient Activities with business logic.

We have to support Android 4.0 to 9.0 of many screen sizes & resolutions without any target devices issued to us by the client.

Then Corona lockdown happened & during that suddenly client side professionals became over efficient.

Client started adding requirements like very complex validation which has inter-entity dependencies. Then they started filing bugs from prod version on us.

Let's come to the developers' expertise,
2 developers with 8+ years of experience & they're not knowing how to resolve conflicts in git merge which were created by them only due to not following git best practice for coding like only appending new implementation in existing classes for easy auto merge etc.

They are thinking like handling click events is called development.

They don't want to think about OOP, well structured code. They don't want to re-use code mostly & when they copy paste, they think it's called re-use.

They wanted to follow old school Java development in memory scarce Android app life cycle in end user phone. They don't understand memory leaks, even though it's pin pointed by memory leak detection tools (Leak canary etc.).

Now 3.5 months are over, that competition was called off for this year due to Corona & development is still ongoing.

We are nowhere close to completion even for initial internal QA round.

On top of this, nothing is billable so it's like financial suicide.

Remember whatever said here is only 10% of what is faced.

- An Engineering lead in a half billion dollar company.

Do you think a dual core laptop with 2gb RAM on it can run Ubuntu and Kali Linux? The solely purpose is for programming (ubuntu) and ethical hacking / penetration testing (linux) ?

tbh, I’m learning linux because I want to try a new OS. Any tips so that I can easily adapt to this OS?

PS. I know this is a googleable question but I just want a perspective from this community.

Penetration tester tools, any comment? Reddit has an opinion

I've deployed an instance of OWASP Juice Shop on Heroku, if anyone wants to practice and/or learn pen testing or just web based vulnerabilities in general it's an amazing application to learn from and practice on.

Your progress is dependant on the cookie, so it won't affect one another.

owaspshop.herokuapp.com

It's free, so if you want to deploy your own instance you can.

Has hacking become a hobby for script-kiddies?

I have been thinking about this for a while know, I went to a class at Stanford last summer to learn penetration-testing. Keep in mind that the class was supposed to be advanced as we all knew the basics already. When I got there I was aggravated by the course as the whole course was using kali linux and the applications that come with it.

After the course was done and I washed off the gross feeling of using other peoples tools, I went online to try to learn some tricks about pen-testing outside of kali-linux tools. To my chagrin, I found that almost 90% of documentation from senior pen-testers were discussing tools like "aircrack-ng" or "burp-suite".

Now I know that the really good pen-testers use their own code and tools but my question is has hacking become a script kiddie hobby or am I thinking about the tools the wrong way?

It sounds very interesting to learn https and network exploits but it takes the fun out of it if the only documentation tells me to use tools.

A long way to go from Windows to Linux...
from GUI to CLI
from Wifi to WifiCracking
from Website to WebPenetration
from Windows file system to Penetration testing
from Windows to Gnome
from dir to ls
from ipconig to ifconfig
from google to information gathering

Anyone have much success with Kali/WiFi penetration testing?

I've been tasked with trying to break WPA security within a couple of hours without a dictionary attack - is that even possible?

I have an Alfa AWUS036NHA capable of monitoring mode if that makes any difference. It's my first time trying anything like this.

When your job description says you are a mobile developer, but when you started working, you have started handling teams and doing web penetration testing. Then after 2 yrs of that still no salary raise. =.=

Hey guys, I'll be starting my oscp/pwk course soon, any suggestions as to what should I study beforehand or types of attacks I should practice?
Thanks

Has anyone used Parrot OS ? I'm preferring this over Kali linux for penetration testing.

Pure development...no sysadmin, penetration testing task...

Made a new friend with my lame social skills lmao. So I was walking around in Uni Library, looking for prescribed books for my courses, ran into some senior looking for some Penetration testing guide, since there weren't any so I just passed him some of the stuff I always carry with me, DRM-free content and all lmao.

!rant

Coworker: *Watching a DefCon talk*

Me: *walks over and notices an image on the slide of a woman sticking a cotton swab in her mouth with text saying "get paternity testing"*

Me: Paternity testing? But that's a woman!

Coworker: *silent for a second* What? Oh! *gets closer to screen, chuckles*

Coworker: It actually took me a second to catch that because I wasn't looking at the video, I was looking at the side "related videos" or the ad and I was like "no... did you mean Penetration Testing?" But even then, this is DefCon, so there aren't any women--or at least less than 3. And then I saw it in the corner and was like "Oh, I see it. But yeah, Paternity.... Oh wait..."

Me: Jeez, it really did take you a while...

Coworker: Yeah. All the while I was thinking "What the heck are you on," and then there was the "Oh, I get it" moment

Me: At least you got there

!rant
Cheap laptops for running Kali/Arch? Will be used for learning penetration testing.

Was thinking an older Lenovo Thinkpad or something like that?

Can anyone help me with Penetration tools on kali linux

In Website Penetration Testing , It's actually a war between Who knows best about the services and practices the other person has implemented.

Building Fortresses, not Firewalls: Ethical Hacking Meets Software Development

In the digital age, security is no longer an afterthought; it's the bedrock upon which our online world rests. Yet, traditional security measures often resemble fortresses – imposing, but vulnerable to unseen cracks and tunnels. To truly safeguard our systems, we need to think like the enemy, like the nimble figures scaling those walls: ethical hackers.

Enter the exciting realm of DevSecOps, where ethical hacking practices are woven into the very fabric of the software development lifecycle (SDLC). This proactive approach is akin to building castles with security in mind, each brick meticulously laid to withstand even the most cunning siege.

Why Ethical Hacking in SDLC?

Imagine developing a critical piece of software, only to discover a gaping security hole after launch. The damage could be catastrophic, exposing sensitive data and eroding trust. Ethical hacking flips this script. By integrating penetration testing, vulnerability assessments, and threat modeling throughout the SDLC, we proactively hunt for weaknesses before they can be exploited.

Think of it as a friendly sparring match, where the ethical hacker throws their best punches to expose vulnerabilities, allowing the development team to fortify the software's defenses. This constant testing and refining leads to robust, secure systems that can withstand real-world attacks.

Benefits of DevSecOps:
1. Reduced Costs and Risks: Early detection and patching of vulnerabilities are far cheaper than dealing with a full-blown data breach.
2. Improved Software Quality: Security becomes an inherent part of the development process, leading to more reliable and trustworthy software.
3. Enhanced Brand Reputation: Demonstrating a proactive approach to security builds trust with customers and stakeholders.

Putting it into Practice:
Integrating ethical hacking into the SDLC requires a cultural shift. Developers, security professionals, and testers need to work together seamlessly, sharing knowledge and fostering a collaborative environment. Here are some key practices:
1. Threat Modeling: Identify potential threats and attack vectors early in the development process.
2. Static and Dynamic Code Analysis: Use automated tools to detect vulnerabilities in code.
3. Penetration Testing: Simulate real-world attacks to uncover hidden weaknesses.
4. Security Awareness Training: Educate developers and other stakeholders about security best practices.

Tools of the Trade:
A plethora of tools empowers ethical hackers and security professionals in their quest for a more secure digital world. Some popular options include:

1. Kali Linux: A distribution packed with security tools for penetration testing.
2. Burp Suite: A web application security testing platform.
3. Metasploit: A framework for developing and executing exploit code.
4. Wireshark: A network traffic analyzer for identifying suspicious activity.

The Future of Security:
As technology evolves, so too must our security practices. DevSecOps, with its embrace of ethical hacking, is at the forefront of this evolution. By building security into the very fabric of software development, we can create a safer, more resilient digital world for everyone.

Remember, in the ongoing battle against cyber threats, ethical hackers are not the enemy; they are our allies, the architects of digital fortresses that stand strong against the shadows. So, let's embrace DevSecOps, sharpen our ethical hacking skills, and build a future where security is not just an afterthought, but a fundamental principle.

I encourage you to explore the world of DevSecOps and ethical hacking. Whether you're a seasoned developer or just starting your journey, there's always more to learn and contribute. Together, we can build a more secure digital future, one line of code and one vulnerability patch at a time.

Do you have any questions about DevSecOps or ethical hacking? Share your thoughts and experiences in the comments below!