1. 2

    Working with motion and some cheap Chinese cams.

    1. 1

      I can’t host much stuff at home because I live in a remote-ish place with no landline Internet. I only self-host a few services on an RPi and a (discontinued) Chip board to stream music, and “daily” jobs about the weather, work, or local news.

      Email (postfix, dovecot, …), plus a bunch of other services (nextcloud, znc, some ruby/go things) run on an old Kimsufi server (1 core, 2 GB RAM, 1 TB disk); a.k.a. SoYouStart in the new world.

      1. 2

        a (discontinued) Chip board

        I have a cluster of 7 (+3 on the way) CHIP running Docker Swarm. I hosted my DNS infrastructure (DoH proxy + unbound + ELK + custom scripts that I am going to migrate to DoH proxy + Knot Resolver + Prometheus + custom scripts), motion to control webcams, Home Assistant, an Instagram bot, a Wiki and a Mercurial repository for my scripts. Next step is adding public blogging, ELKflow and an RSS reader (probably Miniflux).

        1. 1

          Which firmware are you using these days on the Chip?

          1. 1

            I am using this: http://www.chip-community.org/index.php/Flash_from_command_line

            The main problem that I have is that several repositories are not available anymore. Anyway I found some mirrors that are working fine. If you want I can share my first setup.

            1. 1

              Thanks, but I found the same resources. I was wondering if there were more advanced community projects around that little board.

      1. 4

        Attending one of the biggest security conferences in Italy: https://www.hackinbo.it/

        1. 6

          Is this for only HTTP, or are they abusing their certs to MITM HTTPS for injecting javascript too?

          1. 3

            Do they have a trusted CA to use for a MITM? I don’t think they do.

            Regardless, assuming they did that’d be a completely different level of attack that would be noticed and discussed on MDSP and would almost definitely lead to their CA being distrusted by browsers.

            MITMing HTTP sucks. MITMing HTTPS from a privileged position (outside of a client trusting your intermediates) is untenable.

            1. 2

              HTTP only. Comcast has been doing this for a couple years at least so I’m not exactly sure how this is news.

              I am no fan of Comcast in the slightest but I don’t consider this an attack as much as a poorly conceived notification system.

              1. 1

                Is it possible to make SSL injection without installing a certificate on the client?

                I worked with bandwidth optimization appliances (Sandvine) for an ISP some years ago and they were able to inject JS in HTTP traffic, not in HTTPS.

              1. 4

                My former boss (founder of the company, without any technical experience) forced me to use static routing because he did not trust routing algorithms. Every network outage was a nightmare, because we had to reconfigure routing rules by hand.

                1. 1

                  I thought we worked for the same company until I saw that you said he was the founder of the company. In the early 2000’s we had a similar experience, but it was the head of IT at the time. He didn’t understand dynamic routing so he refused to use it. This was at ~50 locations, all statically routed on an otherwise pretty standard hub/spoke MPLS network. One night one of the admins just replaced it all with BGP and didn’t say a word. IT Director didn’t find out for months.

                  1. 2

                    This guy was so stupid that he wanted to keep the mail server in the office (everyone supposed that he read our mailboxes), connected with ADSL lines that frequently had problems. Guess what happened when a disk had problems, when Chris from marketing sent 100.000 marketing emails or when a software had problems and sent email alerts every minute (yes, we used email for event notification).

                    I could write a book about the stupid stuff that he forced us to do.

                1. 3

                  Flying to Houston, meeting my boss and my teammates. First time in the USA for me.

                  1. 1

                    Setting up a K3S cluster at my home with a bunch of C.H.I.P. devices.

                    1. 2
                      • Preparing for my new job, starting Monday

                      • Deploying a Docker Swarm cluster over 7 C.H.I.P.

                      1. 2

                        Any suggestion for a Mercurial hosting service?

                        1. 3

                          Working with architects on renovating a 150-year old Kyōmachiya and trying to imagine ways to move back to Kyoto while continuing working on engineering challenges I’m passionate about. Sadly, Kyoto’s not exactly a major tech hub.

                          1. 1

                            I have written a lot of scrapers too in Python (I also created my own basic framework based on BS4 + aiohttp in order to plumb my own scraping pipeline), but right now I think Golang is a lot faster and very easy (using colly+goquery). I am not using a REPL for Python, so it’s not an issue for me. Anyway you can use Go Playground in order to have something similar to a REPL. Golang is less “batteries included” compared to Python, but concurrency is amazing.

                          1. 2

                            Going with my wife to her former workplace (a very nice seafront touristic village). She will hang out with former colleagues, I will relax reading “Deep Learning” by Goodfellow, Bengio and Courville and improving my Golang scraper.

                            1. 1

                              How do you like scraping in go? I have done tons of scraping with python, and I imagine (perhaps wrongly) that not having a REPL to create scrapers is pretty difficult. Of course, ease of concurrency might make up for it.

                            1. 6

                              Trying to get back into radio “stuff” so I picked up a rtl-sdr (https://www.rtl-sdr.com/). This is what is called a “software defined radio”. Somewhat like an FPGA for radio. The rtl-sdr is super cheap, $30 for a kit with the receiver and some antennas.

                              My first attempt will be messing around with ADS-B. I’m still learning about it but it seems to have something to do with aircraft positioning. I’m near a few airports so I should have luck with this.

                              Anyone else into radio???

                              1. 1

                                You can do a lot of stuff with an RTL-SDR stick. Try to find emergency services, public utilities or airplane-to-ground communication.

                              1. 2

                                Learning Chinese.

                                1. 1

                                  Writing a scraper to convert an online Chinese course into a podcast.

                                  1. 2

                                    Installing Docker + Docker Swarm in a cluster of C.H.I.P. for my home lab.

                                    1. 1

                                      Ooh! Using a guide, or blazing a trail of your own?

                                      1. 2

                                        I am using a guide. It’s not easy because you need to compile all the modules needed.

                                    1. 1

                                      This was a really nice write-up, thanks!

                                      Apologies if this is off-topic but this seems like a lot to ask someone to do for an interview. How long were you expected to spend on this?

                                      For example, the company could have cut down on your time requirement by expending some of their own time and effort creating the environment. I suspect they would have a higher rate of returned tests: perhaps more subtly, you would have learnt more about how they work and who they think their clients are.

                                      If you were happy to do it, all good. But I feel like this is bad interview technique on the company’s part.

                                      1. 2

                                        Apologies if this is off-topic but this seems like a lot to ask someone to do for an interview. How long were you expected to spend on this?

                                        They gave me around 1 week, but working full time I spent almost 4 days on it.

                                        For example, the company could have cut down on your time requirement by expending some of their own time and effort creating the environment. I suspect they would have a higher rate of returned tests: perhaps more subtly, you would have learnt more about how they work and who they think their clients are.

                                        You are right, but I think they decided to leave me “alone” just because they want people who can solve every kind of problem by themselves. It’s a startup that has just passed a Series B round, so they are not well structured yet.

                                        If you were happy to do it, all good

                                        It was a challenge and I was glad to be one of the two persons who passed it :)

                                        But I feel like this is bad interview technique on the company’s part.

                                        Yes. The company was not very professional because they suddenly disappeared after 4 interviews and they stopped replying to my emails. This is one of the reasons why I decided to publish the writeup.

                                      1. 10

                                        Just some quick feedback as someone who has been in the consulting game for quite a while that you and others might find interesting or helpful to how the OffSec world works;

                                        I used the first techniques that I found working

                                        This is actually what you want. In a real world test you might have a week to do 40,000 live hosts on a network and the “low-hanging fruit” that you find might actually give the client the most for their money. If you can prove easy ways in and provide them with feedback that can systemically fix issues, it doesn’t matter how easy it is. Plus ease of reproduction is valuable in its own right.

                                        a demo version of Mikrotik RouterOS

                                        I’m not certain I understand the logic of this, was this to connect into the VPN? A bit confusing and as a person doing the hiring I’d like to hear some justification for this. It’s not a huge deal, just a curiosity to see how some people think.

                                        the payload will be encoded using msfvenom, in order to evade with shikata_ga_nai encoder

                                        I see this a ton on entry level testing write-ups and as someone who contributes to the Metasploit framework, shikata_ga_nai doesn’t work on any remotely up to date AV for the past probably 5 years. I’d even be skeptical that they were using AV at all. Did you do anything special with it? Why did it used to be so good at AV bypass?

                                        The rest looks pretty solid imo, good job :)

                                        I’d personally have no hesitations hiring someone who can do this and at least explain their methodology. Remember, the reporting is actually the product from a Penetration Test, so while the technical bits are really important it also really matters if you can create a report that is consumable by the client and can give all the remediation steps on top of issues discovered.

                                        Some other quick tips that might be helpful to you in future testing, check out the impacket examples and understand how they could impact an AD network. One of the most common mechanisms for attacks these days is to simply abuse AD built-in functionality to gain Domain Administrator. Why even bother with the PSExec route if you can use a kerberoasting attack to gain access to SPN accounts (which are often privileged). Oh, and persistence generally isn’t a huge deal, in a pentest scenario you aren’t trying to secure your footholds, you are looking for breadth of issues not depth.

                                        1. 4

                                          I’m not certain I understand the logic of this, was this to connect into the VPN?

                                          No. The whole environment runs on one of my own laptops (I spent one day preparing everything with KVM). One of the requirements was to run a simple firewall (no NGFW), so I decided to use Mikrotik for this purpose.

                                          Did you do anything special with it? Why did it used to be so good at AV bypass?

                                          Not really. The AV was only Windows Defender (as required by the interview) and shikata_ga_nai seemed to work well to avoid it. After the interview, I also tried different encodings and most of them were recognized by Windows Defender. I think that a more advanced AV would also recognize shikata_ga_nai encoding, but I did not try it. This could be a good starting point to learn more about AV evasion techniques. Thank you :)

                                          Some other quick tips that might be helpful to you in future testing, check out the impacket examples and understand how they could impact an AD network. One of the most common mechanisms for attacks these days is to simply abuse AD built-in functionality to gain Domain Administrator. Why even bother with the PSExec route if you can use a kerberoasting attack to gain access to SPN accounts (which are often privileged).

                                          Thank you for the suggestions. I already know impacket and I have used it in other PTs. I have also tried kerberoasting, but I ran into some trouble (I don’t know it very well, so probably I was making some mistakes) and then I decided to use something that I knew worked, mainly because of limited time.

                                          Thank you very much for your feedback, I really really appreciate it!

                                        1. 17

                                          We finally launched gambe.ro, the Italian equivalent of lobste.rs. This week I (we) have to work on the first batch of feedback and maybe work on a dark theme that can be contributed back to lobste.rs

                                          1. 1

                                            As an Italian, congratulations! Can you send me an invite? :)

                                            1. 2

                                              You can request it directly on the website.

                                            2. 1

                                              I guess there’s no .te for Aragos.te. Looks great though!

                                              1. 1

                                                Yep, indeed. We briefly considered spaghettialloscogl.io but we went for gambe.ro

                                            1. 4

                                              Preparing for OSCP with HackTheBox.

                                              1. 2

                                                Buy a small Mikrotik (like hAP Lite) and configure it to enqueue the traffic on a 100k queue. You can also make some more specific rules, like putting video packets in a low priority queue.
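The setup suggested above, written out as an added RouterOS example (not the commenter's own configuration): a parent simple queue capping a LAN at 100k, plus a child queue with the lowest priority for traffic that a mangle rule marks as video. The LAN subnet 192.168.88.0/24 and the address list of video server ranges are constructed placeholders; replace them with your own.

```routeros
# Assumed LAN subnet and video server ranges (placeholders, constructed for this example)
/ip firewall address-list
add list=video-servers address=203.0.113.0/24 comment="placeholder: video CDN range"

# Mark packets going to the video servers so a dedicated queue can pick them up.
# passthrough=no stops rule processing after the mark is applied.
/ip firewall mangle
add chain=forward dst-address-list=video-servers action=mark-packet \
    new-packet-mark=video passthrough=no comment="tag video traffic"

# Parent queue: hard cap of 100k upload/download for the whole LAN.
# Child queue: only packets marked "video", lowest priority (8) so that
# everything else in the parent gets served first when the link is saturated.
/queue simple
add name=lan-cap target=192.168.88.0/24 max-limit=100k/100k
add name=video-low parent=lan-cap packet-marks=video priority=8/8 \
    max-limit=100k/100k comment="video packets, lowest priority"
```

Check the effect with `/queue simple print stats` while a video stream and another download compete on the link; the child queue's counters should show the video traffic being throttled first.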