Nytro

Beginner’s Guide To CTFs How To Start With Security Capture The Flag Competitions. Security CTFs, or Capture The Flag competitions, are a great way to learn how to hack. They are competitions where competitors compete to try to find a “flag” to prove that they have hacked into a system. Why do CTFs?Permalink They are one of the best ways to learn specific security skills, like binary exploitation, web exploitation or reverse engineering. And since you often play CTFs in teams, CTFs are also a great way to make friends with likeminded security nerds. There are many collegiate-level CTFs where you can compete with fellow students, and you’ll find that many practicing security professionals play CTFs as well. Finally, CTFs train your hacker persistence. The CTF experience of getting stuck in a challenge, persist and finally finding a solution models real-life hacking scenarios. CTFs teach you to remain patient and optimistic when you are stuck hacking. Types of CTFsPermalink There are two main types of CTFs: Jeopardy-style and Attack-Defense-style. Jeopardy-style CTFs are essentially a list of hacking challenges that you can complete for flags that are worth a certain number of points. These challenges involve exploiting a vulnerability or solving a programming challenge to steal a “flag”. Teams compete to see who can find the most flags and gain the most points under a time limit. The hacking challenges in Jeopardy-style CTFs are often sorted by difficulty levels, so beginners can easily participate as well. There are often different skillsets that you can choose from, from cryptography, reversing, binary, web, programming, forensics, networking challenges to problems that are a mix of some or all of these skills. A more advanced version of CTFs is the Attack-and-Defense-style CTF. In these competitions, teams defend their own servers against attack, and attack opponents’ servers to score. These CTFs require more skills to compete and are almost always done in teams. For example, the annual DEFCON CTF finals is an Attack-and-Defense-style CTF. CTF skillsPermalink There are two very important things that you’d have to learn to do in order to start participating in the CTF world: finding teams and learning to gain new skills. How to find teamsPermalink First, how do you find teams to enter CTF competitions? If you are a high school or college student, see if your school has a cybersecurity club. These clubs often have already established CTF teams that you can join and compete with. On the other hand, if your school does not already have a club, try starting one and gather likeminded people! Before you know it, you’d have a group of teammates who are passionate about hacking as well. If you don’t belong to a school, social media is a great way to find teammates. Twitter is one of the best ways to reach out to people you want to collaborate with. Hacking forums and infosec discord channels are also good for this. How to gain the required technical skillsPermalink For beginner Jeopardy challenges, specific technical skills are often not required. After all, that is what you are trying to learn! However, it is good to have a basic understanding of how to use the command line and to have basic programming knowledge. More advanced technical skills can be gained by completing easier challenges or by googling. It is also helpful to keep in touch with the latest security news, as CTF challenges are often based on recently found vulnerabilities. List Of CTFs To Play NowPermalink Most CTF challenges run within a specific timeframe and are only available to registered teams. However, there are a large number of “always-online” Jeopardy-style CTFs that you can start playing right away. For a lot of these CTFs, you don’t need a team and can play without a time limit! Web exploitation CTFsPermalink Pentesterlab is a pretty good resource to start learning web penetration testing. In their challenges, you can read about the details of a vulnerability first before you exploit them hands-on. There are a wide variety of challenges available, from basic XSS to recently discovered web vulnerabilities. The Hacker101 CTF is another good resource. It has a large list of simple challenges that are aimed at building web hacking skills, with a focus on vulnerabilities that are most likely to show up in bug bounty programs. Reverse engineering CTFsPermalink If reverse engineering is more your vibe, you can check out this site. Crackme hosts many broken programs that you can try to hack. You can find broken programs on a variety of platforms: Windows, Unix, and multi-platforms. As a fun challenge, you can even write your own vulnerable program and share it with others! Mixed CTFsPermalink OverTheWire is the site that I recommend most beginners to start with. It is where I started playing CTF challenges. It starts with teaching the basics of using the command-line and programming. Then you are given a wide range of challenges to choose from: from web security, binary exploitation to reverse engineering. Hack This Site! is also a pretty good one. It is a little like OverTheWire in that is has a variety of challenges, ranging from super easy to advanced. It is also one of the few places where you can find forensics and steganography challenges if that’s what you are into. Live CTFsPermalink Finally, if you want to participate in a live CTF or an Attack-and Defense style CTF, check out CTFtime.org for a list of current and upcoming CTF events. CTF Etiquette!Permalink Before you go on to playing CTFs (and having the time of your life!), here are a few sacred rules of CTF participation that you should keep in mind. First, absolutely do not post solutions and flags online! The purpose of CTFs is to help people become better hackers through the mental struggle of solving challenges. Giving solutions away is denying the chance for others to learn. On the other hand, you also should not try to google solutions or ask for flags online. You can ask for help, discuss with others or even collaborate in solving a challenge, but asking or googling for solutions takes away from the experience. Even if you try to understand the solution, it is not the same as working hard to and finally finding the answer yourself! Have Fun!Permalink CTFs are a great hobby that ultimately makes you a better hacker. In fact, many of the most skilled hackers came from CTF backgrounds. I hope you’ll find the experience rewarding as well. Best of luck and have fun! Categories: Hacking Updated: September 10, 2020 Sursa: https://vkili.github.io/blog/hacking/intro-ctf/

Unde sa ne inregistram? Pe acel opensc? Dread? Nu am idee care sunt.

Pentru cei interesati sa prezinte, asteptam CFP: https://rstcon.com/cfp/

Da, in general cei care isi risca libertatea astfel probabil isi vor lua cat mai multe masuri, atat sa se asigure ca atacul le iese, cat si ca nu sunt prinsi. Ca tot veni vorba, acum X ani am discutat cu cineva de la o banca care se ocupa de partea cu securitatea ATM-urilor, fizica. Si mi-a zis o chestie foarte interesanta legata de skimmere (acele device-uri care iti copiaza datele de pe card, de banda magnetica). Eu cand merg la un ATM trag ca taranul de partea in care se introduce cardul si de tastatura. Iar el a zis asa: "Daca gasesti vreodata un skimmer, il pui la loc si pleci. Apoi daca vrei poti anunta politia. Acel skimmer ii costa pe ei o gramada de bani, pana la 10.000 de $ si pentru el ar fi in stare sa te taie in miezul zilei. Cu siguranta e cineva prin zona, nu pleaca si isi lasa device-ul nesupravegheat". Ceea ce fac altii prin afara si se filmeaza cum descopera ei astfel de lucruri poate fi periculos.

Nu cred ca "informatiile necesare" sunt o problema. Din cate stiam eu, puteai sa iti cumperi singur un ATM, cred ca era vreo 5000 de $, de pe ebay, aliexpress sau mai stiu eu ce. La calcule e important zidul in care sunt prinse pentru a-si da seama cat explozibil sa foloseasca si e bine ca nu folosesc prea mult... De fapt nici nu cred ca e nevoie, altii prin SUA le trageau direct cu masinile alea mari ale lor (motor de 5L, cred ca trage). Eu sunt curios cum sparg apoi seiful. Cu siguranta se poate, probabil si cu un polidisc (si multe discuri schimbate).

RST Con va avea loc pe data de 20 noiembrie 2020 (vineri). Asteptam sugestii si in legatura cu "site-ul oficial": https://rstcon.com/ De asemenea asteptam aplicarile pentru prezentari.

Da, e vorba de o inflamatie la coloana vertebrala. Scria pe undeva ca "se mai intampla" la testarea vaccinurilor. Cipul are prea multi tranzistori si undele sale bio-electro-magnetice interfereaza cu undele encefalo-neurlogice transmise de catre coloana vertebrala in corp (acele mesaje de Keep-Alive intre coloana si organe pentru a determina downtime-ul unora). Un fel de Human Jammer acest cip... Mama, as fi bun de facut o mizerie dinaceea de site conspirationist, as face avere.

UDP vs. TCP: A Quick Comparison Sep 7 2020 Some background you may or may not care about# I took a networking class in college. It wasn’t a great experience, as the professor was at the school really just to pursue research, leaving us peasant students to 5-question long exams, each 25% of our grade and with .05% of the content from 200+ long slide decks. Needless to say, it wasn’t a very useful class. So here I am, some number of years into my cybersecurity career, able to recognize and speak about different network protcols at fluctuating levels depending on the day. It’s time to change that. I want to understand, like really understand what’s going on. This blog post is going to cover some of the most fundamental concepts in the networking world: UDP and TCP, two transport-level protocols. UDP (User Datagram Protocol)# UDP is a connectionless, message-oriented protocol. It functions through the sending and receiving of packets without having to establish a connection between a client and server. As a result, once a message has been sent, there is no further communication with the message receiver. Additionally, the packets are not numbered. This means that packets are not guaranteed to arrive in order, or even to arrive at all. UDP does not wait for acklowedgement of message receipt, it simply yeets the message and moves on. Due to its connectionless nature, UDP is good for real-time information delivery. As messages are told to be transmitted, they are transmitted. Packets may be dropped due to lack of congestion control. Because the sender isn’t waiting for an ack, nor is the receiver going to send an ack, dropped packets will go unnoticed by both the client and server. This is okay in certain real-time examples, such as streaming. A momentary glitch will not deter a viewer. This also means that UDP is able to support broadcasting. Error checking in UDP occurs through a 16-bit checksum. The checksum is used as follows: the sender computes the checksum corresponding to the data being sent and stores it in the header; upon receipt, the receiver computes the checksum using the received data and compares it to the checksum in the header. It’s important to note that the checksum is mandatory in IPv6 but not IPv4. The UDP segment, or the data portion, of an IP packet includes an 8-byte header followed by variable length data. The header is composed as follows: The first 4 bytes of the header store the port numbers of the source and destination. The next 2 bytes of the header store the length of the UDP segment. The last 2 bytes of the header store the checksum. TCP/IP (Transmission Control Protocol)# TCP is a handshake-based, connection-oriented protocol. TCP provides a continuous flow of data through a manner of sending numbered packets which ensure correct receipt order. While this takes more time than UDP, which sends as instructed and receives as is, it makes TCP the more reliable transport protocol of the two. If packets are dropped, they can be recognized as missing and then retransmitted. The reliability provided by TCP makes it a choice protocol in situations requiring packet receipt acknowledgement and/or ensured packet delivery. However, this reliability and congestion control behavior comes at a cost of overhead. TCP is slower than UDP due to the latency created by establishing and maintaining connections. Checksum use is required by TCP, for both IPv4 and IPv6. This ensures error detection despite IP version. A TCP header is between 20 and 60 bytes. Like the UDP header, there are reserved bytes for the source and destination port numbers, there is also a field to store the amount of data to be transmitted during the session, and the checksum is included towards the end. The large quantity of additional header space, compared to UDP, is used to store information required to establish connections, maintain connections, and support the acknowledgements required for the reliability aspects (i.e. syn/ack behavior) of the protocol. TL;DR# UDP is the less reliable protocol, but can be used for real-time data delivery, including broadcasting, due to its constant stream of packet transmission. TCP is a more reliable but slower data transport protocol used for data transmission between two endpoints. It uses acknowledgements to confirm packet receipt. Both protocols support checksums, which should be utilized for error detection. Sursa: https://casey.is/blogging/udpvstcp/

Dar la noi banii oricum sunt de plastic si se pot spala (la propriu) ma gandesc. Doar sa nu fie ceva foarte special care sa nu iasa. E posibil.

Am tot auzit de acel lucru cu marcarea banilor, dar oare e pe bune? Nu cred ca s-ar mai face atatea astfel de porcarii daca ar fi. Banii sunt tinuti in casete, fiecare caseta cu un anumit tip de bancnota. Dar nu am vazut sa fie altceva pe acolo (am vazut bancomat deschis, de aproape sa zicem). PS: Mai e un mit conform careia "Brrrrr"-ul acela cand sunt adusi banii ar fi doar un MP3, are cineva idee? De fapt asta e singura mea reala curiozitate legata de ATM-uri

Sincer, poate ar fi mai simplu sa il cumperi, nu pare sa fie tocmai scump (private version nu comercial).

Bancomate aruncate în aer în orașul Otopeni. Autorii nu au fost încă găsiți 08.09.2020 07:40 FOTO: amator Explozii marți dimineață în orașul Otopeni, unde două bancomate au fost aruncate în aer. Fațada clădirii unde erau aparatele a fost distrusă. Oamenii spun că explozia a fost atât de puternică încât au crezut că este cutremur. Inspectoratul de Poliție al Județului Ilfov a fost sesizat marți dimineață cu privire la faptul că la parterul unui bloc din orașul Otopeni a avut loc o distrugere. Din primele verificări s-a stabilit faptul că distrugerile au avut loc la două bancomate ce aparțin unei bănci. Bancomate aruncate în aer în orașul Otopeni - FOTO: amator La fața locului s-au deplasat polițiștii orașului Otopeni împreună cu efective de pompieri și specialiști din cadrul IGPR, precum și conducerea IPJ ILfov. Au fost luate măsuri pentru delimitarea perimetrului și conservarea locului faptei. Nicio persoană nu a fost rănită, dar au fost înregistrate pagube materiale. Polițiștii ilfoveni fac verificări și investigații pentru a stabili ce s-a întâmplat și pentru a-i găsi pe autori. Sursa; https://www.digi24.ro/stiri/actualitate/bancomate-aruncate-in-aer-in-orasul-otopeni-autorii-nu-au-fost-inca-gasiti-1364787 Ce oameni... Daca tot nu sunt tehnici, macar sa le traga cu o masina mai mare ceva, cel putin asa e riscul mai mic ca oameni nevinovati sa pateasca ceva. Oricum, succes la deschiderea lui.

Ah, hydrogel bio ala era cu cipuri si senzori? Eu il folosesc pe post de lubrifiant, isi face treaba! PS: Hidrogel gasiti pe emag: https://www.emag.ro/hidrogel-horticol-1kg-hidrogel1000/pd/DCSM7CBBM/ Asta e epica: "acesta s-ar conecta la rețeaua wireless, Internetul Lucrurilor (IoT – Internet of Things)" - Trebuie sa fii retardat (stiind putin IT) sa crezi mizeriile din acel articol. Un microchip 5G cat un bob de orez? Cu tot cu antena? Apropo, am lucrat la o firma unde un coleg citea standardul 3G sau 4G nu mai stiu ce era atunci, acum ceva ani. Mizeria aia de document de specificatii avea 2-3 MII de pagini. De ce ar folosi 5G si nu GSM normal? Vor sa aiba viteza de download de peste 1Gbps cand trag porno 4K sau 8K la noi in corp, nu? Ba, eu inteleg ca exista Gigel care fac bani din vizualizari ale dobitocilor pe mizeriile pe care le scriu, dar in cacat, sa vina cu niste teorii ale conspiratiei mai pertinente si mai logice. Probabil nici bunica-mea nu crede cacaturile alea.

Am inceput sa facem cate ceva. Revenim cu detalii cand avem ceva cat de cat functional.

Mai degraba aduna spam, o gramada... Sugestia mea ar fi sa primesti mesaj privat aici si sa nu iti lasi mailul public.

Nu stiu daca ajuta, dar daca crapa random servicii (e.g. Apache, MySQL) poate sa fie de la resurse putine. Eu am un "vps" pe DigitalOcean pe care tin xssfuzzer.com si imi crapa random. Dupa ceva cautari prin loguri problema pare sa fie cel 1GB de RAM. Dar na, mie mi se rupe de acel site, mai mult il folosesc pentru teste.

Complet nu cred ca se poate, doar in cazul in care ambele sunt rootate si ai o aplicatie care stie sa cloneze tot. Dar setarile le poti reface rapid.

Ne apucam de treaba, va tinem la curent. Multumim pentru idei, vom face demo-uri cu mai multe solutii sa vedem pe care o alegem. Intre timp, votati in Poll, ne ajuta statistic si sa stim pe cine ne putem baza. Vom face o noua categorie pe forum in care vom discuta toate detaliile daca e necesar. Si veniti cu idei, nimic nu e batut in cuie. Incercam sa fim complet transparenti. Primul pas: https://rstcon.com/

Nu sunt asa multe, dar in principiu nu trebuie sa le inveti pe de rost si sa te gandesti la "cat de naspa e daca". 1. Cat de naspa e daca "conduc drogat"? 2. Cat de naspa e daca depasesc cu 10kmph viteza maxima? Dar cu 50kmph? 3. Cat de naspa e daca X? Si iti dai seama dintre raspunsuri care e cel mai potrivit. Pentru punctul 1 cu siguranta nu o sa fie "avertisment verbal". Si faci teste multe pe drpciv.ro (neaparat aici, nu pe alte mizerii). Si inainte sa apesi pe "Raspunde", copiezi intrebarea. Daca vezi ca ai gresit cauti titlul intrebarii copiat pe Google si o sa o gasesti pe scoalarutiera.ro cu explicatiile de rigoare alaturi de raspunsul/raspunsurile corecte.

Da, cam asta e singura problema pe care o vad: nu ne pricepem la dinastea Dar gasim noi o solutie. Ma gandeam la Zoom (video conferinta + mic chat pentru intrebari) + Slack (se pot face canale publice si private) - insa ne vom uita si la Team si Discord. Momentan eu sper sa gasim cat mai multe persoane interesate ca participanti.

Persoane de pe forum sunt seniori si team leads la echipe de security prin toata tara si prin afara. Intradevar, pe forum sunt si persoane care doar vor anumite lucruri gratis, scopul nostru e sa ii indrumam. Asa am fost si noi si asa am crescut. Si o conferinta ar fi un bun pas spre educatie.

Salut, in urma unei discutii la bere cu niste baieti de pe forum am pornit ideea ca o conferinta online a comunitatii ar putea fi utila pentru toata lumea si ar fi realizabila fara un efort prea mare (e.g. locatie, sponsori etc.). Asadar, undeva anul acesta, probabil prin noimbrie (data o putem decide impreuna) am vrea sa facem o conferinta online in limba romana. 1. Va fi online 2. Vor fi prezentari (45-50 min, pauza 10-15 min), probabil pe parcursul unei zile 3. Va fi un CTF, vom incerca sa il facem cat mai diversificat 4. Participarea va fi gratuita 5. Nu oferim bani sau altceva celor care prezinta sau ne ajuta dar putem iesi (in functie de cum evolueaza lucrurile cu Covid) la bere Am vrea sa stim in primul rand cam cate persoane ar fi interesate de participare si ce idei si sugestii ati avea. Ulterior vom deschide un call for papers pentru a gasi prezentari si ne vom apuca de treaba. Din punctul meu de vedere e o singura problema: ce platforma sa folosim pentru conferinta? Cum sa se desfasoare? Deci, ce parere aveti?

E ok, nu e cu shemale cum mai posteaza altii

Doar ca idee, ce lucruri interesante ati vazut pe acolo? 0day-uri de Chrome? Privilege escalation pe Windows 10? Tehnici noi de atacuri?

De unde stim ca este forumul tau? Supara si tu niste oameni care se ocupa cu asa ceva. Au picat unii servicii imense care investesc milioane de dolari in infrastructura, cu siguranta se poate pica un site de jocuri.