/netsec/

/netsec/ is dedicated to everything about computer security, networks, exploits, reverse engineering, social engineering, hacking, tricks, etc.

Daily Programming Thread: (Cross-thread)
Web Dev General: (Cross-thread)

How To Become a Hacker: catb.org/~esr/faqs/hacker-howto.html

Learning
cybrary.it/
n0where.net/
offensive-security.com/metasploit-unleashed
resources.infosecinstitute.com/
windowsecurity.com/articles-tutorials/
sans.org/reading-room/
corelan.be/index.php/articles/
opensecuritytraining.info/Training.html
blackhat.com/html/archives.html
securitytube.net/

News/CVE releases
threatpost.com/
deepdotweb.com/
packetstormsecurity.com/
cvedetails.com/
routerpwn.com/
exploit-db.com/
rapid7.com/db/
0day.today/

Wargames
overthewire.org/wargames/
pentesterlab.com/
itsecgames.com/
exploit-exercises.com/
enigmagroup.org/
smashthestack.org/
3564020356.org/
hackthissite.org/
hackertest.net/
0x0539.net/
vulnhub.com
ringzer0team.com/
root-me.org/
microcorruption.com/
starfighter.io/

Thx m8

>Start learning NetSEC
>Do a hack
>Get traced and arrested

Why won't this happen?

/edgyhighscoolersgeneral/

/edgyteensgeneral/

not if u use proxy though

Only do it on shit that won't fuck you over. Training labs, vulnerable VMs & web apps, bug bounties, shit like that. You don't just go out and start pretending the CFAA isn't a thing. Maybe eventually once you've reached leetness then you can try your hand at black hat shit.

fuck this thread again. OP kys

this skid again

sage

when will you learn to stop spreading this shit you fucking jew

>how to social engineer 90% of companies
just call their helpdesk pretending to be a real user. i work at a pentest company and part of our sales pitch is to play a recording of us calling that company up and getting their helpdesk to give us an executive or even an IT guys password over the phone

/crypto/, when?

So it's not illegal to hack certain things?

That's what Wargames are.

Also what the hell is this about:

?

Doing Wargames and learning about network security, reverse engineering, assembly code, etc. will make you learn more about computers/coding/hardware/low-level things/networking/etc. than almost anything else.

Especially the one who called OP a skiddie, what are you talking about? The links he posted are very non-skiddie when used correctly. You aren't going to get anywhere with Wargames/CTF/Vulnhub/etc. with script kiddie tricks and 'skills'.

It is now a script kiddie level skill to be able to reverse engineer something on a box while ssh'd into it, using gdb on said box, and then compiling your exploit, with the shellcode you wrote/modified, and then getting it to execute?

A skiddie certainly wouldn't know an EIP from an EAX or a JMP from a MOV or what a NOP sled is.

Give me a break.

If any anons that are interested in this sort of thing are actually thinking against it because of posters like that trying to say that this sort of thing is 'juvenile' or something then ABSOLUTELY ignore those feelings.

For example if you watch this:

opensecuritytraining.info/IntroX86.html

You will know more about low-level computing than most people, and that is just a start.

Or, correction, more importantly than SSHing into it, actually getting a shell via the exploit you wrote after finding a vulnerable application running on said system.

dickhead whitehad

Leave the thread NEET

Fuck off, no one cares about you asshats trying to show everyone this shit. This art takes patience, skill, and NO SPOON FEEDING LIKE YOU AND OP ARE DOING.

Seriously, fuck off back to plebbit and your shitty dipshit bug bounties. Let the real men do work

Do you actual use terms like 'whitehat', 'blackhat', 'greyhat', etc.?

A hacker is a hacker no matter what the media wants to portray or use terms like 'cracker' to differentiate, yada, yada.

A person can be breaking the law and still be considered a 'whitehat' by some if it's a 'noble cause'.

You are just fucking ridiculous or a 'black hat' wannabe that thinks it's more important to maintain some image than it is to feed the basic need of every hacker: curiosity.

Nobody is spoon feeding anyone here, just having a discussion of ideas (something all hackers enjoy), talking about projects, etc. etc. and if you don't feel the absolutely burning need to not only share ideas but explore new ideas then you don't need to be involved in this. Keep to your fantasies.

Why do you think Defcon, HOPE, B-sides, Chaos Communication Camp etc. are so important to hackers? BECAUSE WE LIKE THIS SORT OF THING.

Are talks at Defcon and HOPE also 'spoon feeding'? People writing articles for 2600 'spoon feeding'? Prisoners requesting white papers because they are bored as hell after being locked up for ridiculous 'hacking' crimes, should they be ignored as well?

You are a troll, poser, or someone learning about exploits and such so that you can live out some 'dark web' fantasy.

Take a screen shot of you owning a high-level CTF/Wargame/Vulnhub box and you can call the poster a 'skiddie' or say they are spoon-feeding people 'the art' (laaaaame LARP-esque way to term things by the way).

Otherwise it's literally the same as people saying their martial arts are 'too dangerous for the ring' and that's why they will never enter an MMA fight.

You sound like a literal cartoon or 90s hacker-movie cliche.

mudkips anyone?

>Why do you think Defcon, HOPE, B-sides, Chaos Communication Camp etc. are so important to hackers?
They've never been important to hackers. They're more of a joke

Is everyone in netsec a mega dork who uses terminology like owned and doesn't wash? I'm interested in the area but hate the culture.

>Take a screen shot of you owning a high-level CTF/Wargame/Vulnhub box
Lel. Implying that is some sort of achievement

No, why would you ever think that? Probably some of the least NEET people are in netsec.


Owned is a term that is used though, but you probably have a sour taste in your mouth about it coming from outside the community. I understand that gamers and shit have ruined it to mean "HAHA OWNED YOU FGT PWNEDPWNED" but the term comes from literally owning a system. So it's not even slang.

Once you have root access on a system you for all intents and purposes are an owner of that system, so you 'own' it.

So if someone says 'I owned that box/system/whatever' it is not in the gamer way, it is in the literal way.

OP here. Let this thread die please. I fucked up. I regret everything.

Real OP here. Fuck you.

>literally wrote multiple paragraphs on the terminology of "owned"
Why are whitehats/"security experts" always so lame?

I have some experience pen testing web apps and know some encryption, and can write scripts. Is it too soon for me to take part in capture the flag games? I want dank prize moneys

We get it dude, you are a badass.

I will never be as badass or knowledgeable as you. The information you've provided so far is invaluable. Thank you for being a part of this community and using your time here to help others who know less than you

Defcon wasn't a joke in the beginning, now it's a parody of itself. The other ones are just a rip-off or money grab attempt.
It's never too early to try, but probably too early for you to win.
Mr.Robot has brought the idiots like you out of the woodwork.

any beginner friendly ones?

so many edgy kiddies here, i suggest learning the C programming language first. familiarize yourself with that language. Then go on to learn about the processor and how it handles instructions given. After that study the OS you plan on exploiting. Learn technologies that prevent people from attacking them (ASLR, NX bit, stack canaries). Then learn how to bypass those said technologies. Also, LEARN ASSEMBLY!
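
One of the mitigations that post lists, worked through as an added example that is not code from the thread: a C model of what a stack canary buys you and where it stops. The explicit frame struct, the fixed guard constant and the "saved return address" field are assumptions made for the demo (a real compiler with -fstack-protector inserts a per-process random guard below the return address and checks it in the epilogue); the three inputs are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame: a local buffer, the guard word a compiler places
 * after it (gcc/clang -fstack-protector), and a stand-in for the saved return
 * address. Making the frame an explicit struct turns the "overflow" into a
 * bounded memcpy over the object's bytes, so the demo itself has no undefined
 * behaviour. CANARY is fixed here for reproducibility; real guards are random
 * per process, which is the whole reason they work against a blind overwrite. */
#define CANARY 0xDEADBEEFu

struct frame {
    char     buf[16];      /* the local buffer an unchecked copy overruns */
    uint32_t canary;       /* guard word, checked in the function epilogue */
    uint32_t saved_ret;    /* stand-in for the saved return address */
};

struct outcome {
    int      intact;       /* 1: check passes; 0: __stack_chk_fail would abort */
    uint32_t saved_ret;    /* what the "return address" slot holds afterwards */
};

/* strcpy-style copy of attacker data into buf with no length check, clipped
 * to the frame only so the model never writes outside the struct. */
static void unchecked_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* Set up a fresh frame, run the unchecked copy, then do the epilogue check. */
struct outcome simulate(const unsigned char *in, size_t len)
{
    struct frame f;
    struct outcome o;
    memset(f.buf, 0, sizeof f.buf);
    f.canary = CANARY;
    f.saved_ret = 0x401000u;              /* arbitrary stand-in address */
    unchecked_copy(&f, in, len);
    o.intact = (f.canary == CANARY);
    o.saved_ret = f.saved_ret;
    return o;
}

/* Constructed input 1: fits in buf, nothing past it is touched. */
struct outcome scenario_benign(void)
{
    return simulate((const unsigned char *)"hello!!", 8);
}

/* Constructed input 2: a whole frame of 'A'. The guard becomes 0x41414141, the
 * check fails, and the corrupted return address is never used. */
struct outcome scenario_blind_overflow(void)
{
    unsigned char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    return simulate(in, sizeof in);
}

/* Constructed input 3: the attacker already leaked the guard value (format
 * string bug, over-read, forked worker reusing one guard...) and writes it
 * back in place. The check passes and the return address is still hijacked:
 * canaries stop blind overwrites, they do not survive an info leak. */
struct outcome scenario_leaked_canary(void)
{
    unsigned char in[sizeof(struct frame)];
    uint32_t guard = CANARY, fake_ret = 0x41414141u;
    memset(in, 'A', sizeof in);
    memcpy(in + offsetof(struct frame, canary), &guard, sizeof guard);   /* native byte order, like a real leak */
    memcpy(in + offsetof(struct frame, saved_ret), &fake_ret, sizeof fake_ret);
    return simulate(in, sizeof in);
}

int main(void)
{
    struct outcome a = scenario_benign();
    struct outcome b = scenario_blind_overflow();
    struct outcome c = scenario_leaked_canary();
    printf("benign:         intact=%d ret=%08x\n", a.intact, (unsigned)a.saved_ret);
    printf("blind overflow: intact=%d ret=%08x\n", b.intact, (unsigned)b.saved_ret);
    printf("leaked canary:  intact=%d ret=%08x\n", c.intact, (unsigned)c.saved_ret);
    return 0;
}
```

Build with `cc -std=c11 -Wall canary_model.c` (file name assumed). The third scenario is the point to take away: a canary only stops an overwrite that has to guess the guard, which is why an info leak is usually step one of a real exploit and why NX and ASLR are separate layers rather than redundant ones.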

>The other ones are rip-offs or money grab attempts.

CCC is older than Defcon and HOPE started almost at the exact same time.

Oh and B-Sides is (are, since they happen all over the place) free.

>Mr.Robot has brought the idiots like you out of the woodwork.
The idiots like me have always been here. Mr. Robot is just as much of a cringe as that guy's post. Season 1 was decent though

Most are beginner friendly to some extent but there are no "classes" per se so you won't win. But there will be plenty of challenges that will fit your skill level, especially in "Jeopardy" style CTFs where you can choose and pace yourself. So you are competing against yourself essentially (as a beginner).

Now as far as online CTFs/wargames I would say go through Bandit on Over the Wire as your first.

So, i've been studying netsec for a little while now but i just realized, it's not realistic to get a remote job from it, isn't it?
How can i make money with websec? Consistent money to pay the bills.
Bug bounties aren't that reliable.

Why don't you guys stop giving a shit?
If you think this thread is edgy and teen, don't give a shit, just hide the thread.
If you're angry that someone in this thread thinks you're an edgy teenager, just don't give a shit, ignore his post and contribute to the thread.
If you're an edgy teen you won't be able to do a simple fibonacci in assembly anyway, so what's the harm? If you're not, why bother getting into blunt arguments.

Anyone posting in this thread that doesn't know assembly should ... find another hobby.

A friend of mine found out a vulnerability on a certain model of routers and through a search engine (I don't remember the name other than it was out of a Gibson book) basically made an application to exploit every single one of those devices around the world and use them as proxies.

That was pretty cool and he did most of the work himself, I can understand what he did but probably wouldn't be able to do something like that myself

Found an SQL exploit. Should I contact the website maintainers or let it be?

Contact the webmaster or the sysadmin and tell them the bug. Give them time until you post it public on twitter or any other kind of website.

you can absolutely work remote. some companies will hook you up with a VPN connection to get into their stuff, others may send you equipment for testing.

i w4nt 411 the sk1ds 2 leave

how does one hack games like, lets say, csgo?

go to hackforums and sort the csgo forum by most replies and download the first trainer u see
ez wins

#include <iostream>   // header name lost to HTML extraction in the original post

int main(int argc, char **argv) {   // main must return int; 'auto main' does not compile
    std::cout;                      // the post's output expression is cut off here
    return 0;
}

>not unknowncheats

Penistesting is a meme job. It's 80% paper pushing, 15% fear mongering, and 5% running automated scanners. Companies aren't protected from hackers after the penistesters have finished their job and collected their check. For 1, the penistesters won't find everything, for 2, the penistesters are only testing the company's systems/networks/applications in their current states, and for 3, hackers don't play by the same rules that penistesters do. It's a pointless/lame job, and the only reasons I can imagine a company hiring penistesters is if they're being forced to or for PR. Security should fall into the hands of the developers and administrators. Infosec is cancer, much like this thread

Ok, ignore it then.

>into the hands of the developers and administrators.
pajeet is too lazy for that

It's not about being lazy or not. Pajeet isn't even aware of what is or isn't safe in his PHP website. Pajeet barely knows what a compiled language is, pajeet would be unable to even read assembly code. Pajeet doesn't know the difference between source and object code.

Not only pajeet, but a whole lot of you don't know anything about security or safe code, you think safe code means closing ports on your server's firewall.
Websec is a completely different area of study that requires specialization, there are thousands of hours of material to study from until you can be a good hacker, and even a remotely good websec programmer.
A lot of you seem to mistake hollywood and television for what hacking really is. It's not something flashy or cool, it requires a lot of dedication and a LOT of study, definitely more study than you spend reading the documentation for the weekly JS framework that just got released.

If you don't like the thread, don't post on it, if enough people don't like it, it will die. But please, leave the entitled little childish behaviour for Sup Forums. Momma and papa aren't here to do as you wish whenever you cry loud enough.

Sadly I fell for the infosec meme. I worked as an Information Assurance/Evaluator and Penetration tester, using NSA IAM/IEM and various other methodologies.

I can vouch for what this user said. Black hat crackers have all the time in the world to craft their attacks. While we have to perform tests in a timely manner (usually within 30 days or whatever the constraint the client set up).

After that, 80% of our time is paper pushing, just so we comply with laws and regulations. The rest of the time is spent running automated scans, which again only find known vulnerabilities.

Now, on to hacking. First, this thread is not about hacking, it is about security at the application level, and privacy. There are many other layers. Second, if you really want to learn this, go and study math, low level programming, web development, networks (routing, switching, protocols), encryption, etc.

There are so many subjects. Each with its own charms. This art cannot be spoon fed. A good skill a researcher has is finding things on their own by extensive searching. This thread kills that spirit. OP should hang himself.

t. Reformed Blackhat who fell for the infosec meme and is now working as a hardware dev.

new copypasta?

This thread isn't spoonfeeding anyone. This information can be found in a simple google search, it's an environment for people to post in.
Sadly, it turned into a Sup Forums thread.

Then let those who seek the information find it by themselves. It will enhance their google-fu.

Anyone who wishes to even read assembly will have to look for themselves besides this thread existing or not. You're creating a pointless elitism based on simple information.

If you wanna be good at anything this thread won't be enough. You're gonna have to read a lot, test a lot and code a lot. The point of these threads is for people to talk about what they already do.

You are handing them a vast amount of information that they will not be able to process all at once. Furthermore, you are advocating mediocrity by handing out previous research on a silver platter. Let them find it on their own. That is the joy of hacking. The hacking spirit is about researching and finding out how deep a rabbit hole is.

All these babbies will whine and want information delivered in the same format, therefore slowly depriving themselves of the thrill of a hack.

This is the problem with many millennials. Most do not understand this concept, therefore reaching a plateau.

Continue being ignorant, but you will find these words true.

I advise everyone to research, as stated in a previous post, low level programming, math, networking, crypto, etc. This will lead you to become a great true hacker (hacker in its original sense).

And please, do not ever use Mr. Robot material for an infosec thread, it adds to the cancer it already is.

They will not be able to process it all at once, of course not. Because this is not spoonfeeding.

Spoonfeeding would be a step-by-step tutorial on how to deface a website, 300 hours of network theory isn't spoonfeeding. Most of the material posted in this thread isn't even good enough for you to learn from for Christ's sake.

howto.hackallthethings.com/


This is a great source into infosec, the teacher is really good. But it is expected of you to know about C/C++, assembly and computer architecture.

You also need to at least know what a security flaw is in a C program, otherwise you'll be at a loss. I recommend the book "secure coding in c/c++".

What a bunch of baloney.

Of course this can be true but it's not the rule. Pen-testing is incredibly important especially now that 'the internet of things' (aka 'the internet of shit') is such a big deal.

And as far as 'fear mongering' goes, spreading FUD is a cardinal sin among pen-testing.

As far as 'running automated scanners' being the end of things. This again is a cardinal sin; ie: people that hand in a Nessus report and call it a day.

There are shit pen-testers and there are good pen-testers.

A good pen-testing company will give you an incredibly detailed report in two forms, one for technical minded people and one for HR/management types. They will also tell you EXACTLY how to remedy the situation.

What they can't do is go in and actually fix everything themselves.

tl;dr the types of penetration testers you are talking about are looked down upon very much. Unfortunately, as you know, there are plenty of them around.

I worked as a pentester, and you are incorrect.

Information Assessment and Evaluation will provide detailed reports of all vulnerabilities. Pentesting only catches the low hanging fruit, of course it reports the vuln found, but these are not all. Assessment and Evaluation will cover all technical(application, network, etc.) vulns, Assessment will cover non-technical (Policies, procedures, compliance).

>if you really want to learn this, go and study math, low level programming, web development, networks (routing, switching, protocols), encryption, etc.
This guy knows what's up. I recommend starting with networking(start off by downloading a good TCP/IP book and reading it), encryption, and then low level programming(C/asm). Math is definitely good to be familiar with, especially when you get into cryptography.

>t. Reformed Blackhat who fell for the infosec meme and is now working as a hardware dev
Are you really reformed though? :^) Those getting into security to go into the infosec field will never feel the feelings or the rush that only being a blackhat can provide, whether for good or bad.

>Pentesting only catches the low hanging fruit
guess how the majority of companies are compromised

So are you really trying to imply that all penetration testing is exactly the same as vulnerability scanning because that is what your company equated it too?

Can we ignore the meta posts for a second? If you think infosec is useless ignore the thread, if you think it's useful contribute.

I think the best way to look at it is that there no 'black', 'grey', or 'white' 'hat hackers'. There are either hackers, and then those that use these skills as only a professional job.

If you have the hacker mindset it doesn't matter if you are in a 'white hat' security position at the moment, your mind just simply works in a different way than most people and you will follow that mind to whatever you deem are the right places or simply wherever curiosity may bring you (for better or worse, depending on if you can (or even want) to stop yourself from doing certain things or not).

Whereas if you are strictly a 'professional security' type person you will stay inside whatever box you have put yourself in.

credential attacks

I'll take time constraints for 1337

If you are a company and you hire a pentest first, you are wasting money.

First hire an Assessment to check all policies, procedures and non technical aspects are reviewed and fixed.

Next, the evaluators will find (not exploit) technical vulnerabilities. Once these processess are done and the findings are fixed then you can hire a pentest.

And even still, a pentest has a fixed time constraint, and most of the pentesters will be able to investigate more. 30 days (depending on client) is not enough. This is why they fall back to automated tools. When you have around 15,000+ to investigate, routers and switches, you will not be able to hit them all.

Why waste money on a pentest only to find your password policy sucks. Get an assessment and evaluation first, then think of a pentest.

If you think a pentester is a hacker, you are wrong. These guys only know basic exploitation, basic networking, simple scripting, and a lot of tools. Most pay for an expensive tool like Core Impact or Cobalt Strike where they get 0days.

Another reason they need automated tools is because of reporting. A vast majority of your time will be dealing with legal procedures, LoA, RoE, reporting documentation, and the final deliverables for the customer.

This will happen in a shitty company. Most companies I've worked for are limiting their L1 help desk techs and have decent procedures to verify account holders.

I agree with this for the most part, but what you are saying isn't the fault of the pen-testers. It's not their fault if someone hires them off the bat instead of working up to it.

Also:

>If you think a pen-tester is a hacker, you are wrong.

This I know as an absolute fact is wrong. I know plenty of extremely passionate hackers that work as pen-testers and I am very, very surprised that you don't.

You truly get it. You're one of the few quality posters left on this board

(Person who spoke of the NX bit, stack canaries, ASLR, etc.)
This is why you don't take a basic job that only requires the CEH certification. It's a joke, focus on something that actually takes skill; like for example I'm into the reverse engineering field. (Not as a job...yet, it's what I study every day). Learn to read the assembly of a binary and translate it into pseudo C and actually study the system you plan on exploiting. I mean, I studied the x86 and ARM assembly languages, but just because I understand the assembly languages doesn't mean I will be able to reverse engineer some Linux kernel mode rootkit if I don't even understand the Linux kernel....It's all about studying and planning before doing anything..The certs usually just speak for you and say "Hey, hire me because I can run this tool against your server and possibly pwn it without knowing its inner workings."

>Reverse engineering.

Truly the best way in the entire world to be connected to the 'soul of the machine'. I never fully understood this term and thought it was semi-pretentious until I actually started studying and learning all I could about extremely low level things/reverse-engineering.

It completely changes your outlook on computers.

I recommend this course if you haven't taken it already:

coursera.org/learn/build-a-computer

(It isn't about building a computer as in legos, it's about building a computer (OS and all) starting with only a NAND gate).
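
The "starting with only a NAND gate" idea from that post, as an added example in C that is not code from the thread or from the course (Nand to Tetris): every gate below is wired only from gates defined above it, so nand() is the single primitive, and by the end you have a 16-bit adder with two's complement subtraction falling out of it. The function names and the choice of int 0/1 for a wire are assumptions made for this demo.

```c
#include <stdint.h>
#include <stdio.h>

/* The one primitive. Everything after it is built only from functions
 * defined earlier, mirroring the course's chip hierarchy. A wire is 0 or 1. */
static int nand(int a, int b) { return !(a && b); }

static int not_(int a)        { return nand(a, a); }
static int and_(int a, int b) { return not_(nand(a, b)); }
static int or_(int a, int b)  { return nand(not_(a), not_(b)); }
static int xor_(int a, int b) { return or_(and_(a, not_(b)), and_(not_(a), b)); }
/* 2-way multiplexer: out = sel ? b : a */
static int mux(int a, int b, int sel) { return or_(and_(a, not_(sel)), and_(b, sel)); }

/* half adder: sum and carry of two bits */
static void half_adder(int a, int b, int *sum, int *carry)
{
    *sum = xor_(a, b);
    *carry = and_(a, b);
}

/* full adder: two half adders plus an OR on the carries */
static void full_adder(int a, int b, int cin, int *sum, int *cout)
{
    int s1, c1, c2;
    half_adder(a, b, &s1, &c1);
    half_adder(s1, cin, sum, &c2);
    *cout = or_(c1, c2);
}

/* 16-bit ripple-carry adder: 16 full adders chained on the carry line.
 * The final carry is dropped, so results wrap modulo 2^16. */
uint16_t add16(uint16_t a, uint16_t b)
{
    uint16_t out = 0;
    int carry = 0;
    for (int i = 0; i < 16; i++) {
        int s, c;
        full_adder((a >> i) & 1, (b >> i) & 1, carry, &s, &c);
        out |= (uint16_t)(s << i);
        carry = c;
    }
    return out;
}

/* bitwise NOT over 16 wires, from the single-bit not_() */
uint16_t not16(uint16_t a)
{
    uint16_t out = 0;
    for (int i = 0; i < 16; i++)
        out |= (uint16_t)(not_((a >> i) & 1) << i);
    return out;
}

/* Two's complement arithmetic needs nothing new: -b = ~b + 1. */
uint16_t neg16(uint16_t b)              { return add16(not16(b), 1); }
uint16_t sub16(uint16_t a, uint16_t b)  { return add16(a, neg16(b)); }

/* 16-wide multiplexer: the control-path piece an ALU is assembled from */
uint16_t mux16(uint16_t a, uint16_t b, int sel)
{
    uint16_t out = 0;
    for (int i = 0; i < 16; i++)
        out |= (uint16_t)(mux((a >> i) & 1, (b >> i) & 1, sel) << i);
    return out;
}

int main(void)
{
    printf("1234 + 4321   = %u\n", add16(1234, 4321));
    printf("5 - 7         = 0x%04x (two's complement -2)\n", sub16(5, 7));
    printf("0xffff + 1    = %u (wraps)\n", add16(0xffff, 1));
    printf("mux16(sel=1)  = 0x%04x\n", mux16(0x1234, 0xabcd, 1));
    return 0;
}
```

Build with `cc -std=c11 -Wall nand_up.c` (file name assumed). The wrap on `0xffff + 1` is the same silent modular arithmetic that turns a length check into an integer overflow bug one layer up, which is a good reason to see it happen at the gate level once.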

>This I know as an absolute fact is wrong. I know plenty of extremely passionate hackers that work as pen-testers and I am very, very surprised that you don't.
When you're in a penistesting mindset you aren't in a true hacking mindset. A hacker will stop at nothing to get access. He will go and hack a telecom to get a 2fa code sent over sms. When you're penistesting you're in a constrained mindset, because you have boundaries you have to work in. Hackers have no boundaries, and that is the real beauty of being a hacker. Boundless

upvoted

You didn't say 'hackers who are pen-testers for their day job don't get to exercise all of their skills, determination, curiosities, etc. when doing pen-tests' you said 'pen-testers aren't hackers'.

> calling anything related to computing "art"

Uuuuuuggggghhhhhh, shut the fuck up

i think you're lost
there you go

Wait, what? How do you even start to get them to tell you that info?

you ask them for it?

?

No I mean, in what situation does a help desk even have access to that info, and how would you possibly convince them that a normal end user would need that kind of info?

im pretty sure you could get helpdesk to connect you to the appropriate channels

after all that's what they're there for. to help

Look up 'live social engineering' on youtube for real-time examples.

Not as easy as it sounds.