0xACAB
@fabacab

In Host key verification failures:

🔰 🏴 Historically, and in SSH's output today, this kind of active interception is termed a "man-in-the-middle attack." While the author concedes it is undisputably true at the time of this writing that most such malicious behavior is conducted by men, this term carries sexist implications and is also technically inaccurate. We therefore use the gender-neutral and more accurate term "machine-in-the-middle" instead.

:smirk_cat:

0xACAB
@fabacab

@/all For those of you who remember last year's AnarchoTech NYC CTF games, several of us participated in a cybersecurity challenge known as PicoCTF. It is designed for middle and high school students, but that doesn't mean they are trivial problems.

It is happening again this year! If you want to be on our team, message me privately, and I'll loop you in. Last year was a lot of fun. You don't have to be in NYC to participate, but you do have to dedicate a chunk of time to play with us (since there are a limited number of spots per team). We typically "meet" in a private channel (so as not to wreck the fun for anyone else). You can play asynchronously, but it's more fun if we coordinate a time to play together so that we can pair on challenges and thus learn more along the way. If you've never done this sort of thing before, I suggest that you set aside an entire weekend, at a minimum.

If you can't commit to this, no worries! You can still register to play independently and still chat about your progress here and/or elsewhere. Registration is free and does not (technically) require your legal information. Use Tor and a disposable mail service if you need the added privacy.

Have fun, and I'm looking forward to playing this with some of you when the game starts on September 28th.

0xACAB
@fabacab

Not sure if folks are particularly interested in this, but I started writing up another practice lab that begins closer to, well, the beginning. It's a new kind of introduction to the command line, focused on security of course, called Securing a Shell Account on a Shared Server.

And here's (one reason) why you might want to read it: it's got a fictional narrative. :)

0xACAB
@fabacab

Imagine, for a moment, that you are an employee at a company with a mainframe system, or a student at a prestigious university that had a computer department. You come in to work or school and sit down at your desk. On your desk is a machine with a monitor and a keyboard. There is no mouse. There is no tower with a blinking light. There are no hard disk drives, no compact discs (CD's), and no thumbdrives anywhere in your office. There is only a keyboard with a long cable coming out the back, and a monitor with a similar but thicker cable.

On the monitor is a power button. When you press it, the screen flickers. Slowly, a green phosphorescent light shines from the video monitor in the shape of text. The text reads:

Login:

This moment is arguably one of the early geneses from which all modern computing was born. This simple experience of digital access is both the promise and the power that we will be exploring during this lab. If you can understand at a deep and philosophical level exactly what happened when your imaginary alter-ego from the 1970's turned on that monitor, then there is nothing that happens on a computer today that will be a mystery to you.

What you are seeing is the result of electrical charges sent from the mainframe, located somewhere else on campus, over the cabling and ultimately into a cathode ray tube that fired electrons onto the glass of the video monitor. The glass is coated with phosphorescent dust, which shines when charged. The result is your invitation into Wonderland: Login:.

camille
@ssempervirens
hi everyone! camille here :) does anyone have any experience with web scraping? there's something i'd really like some help with and i'm a bit stuck... i've never really scraped before. would be happy to pay someone or otherwise compensate with food/drinks etc
0xACAB
@fabacab
@camfassett I sharpened my teeth on Web scraping. What kind of tool are you thinking of using, and what sort of data are you hoping to collect? There are a lot of options, which is both good and bad. You can find a lot of Web scraping examples in my GitHub repos if you think that looking at pre-existing tools doing this will be helpful for you. I have examples in Python and JavaScript, mostly, with some PHP libraries. So if you are using any of those languages, I can probably point you in the right direction.
camille
@ssempervirens
I have scraped a couple things using beautifulsoup before, but that's about it. only in tutorials, never in the real world or on a real project. essentially i want to use a python script to scrape a list of URLs for text of legislation
0xACAB
@fabacab
@camfassett Okie, well…let's take this private for a bit and then if we need more help from the group we can come back.
0xACAB
@fabacab

Hey all, does anyone have any experience programming in Lua? There have been two independent situations in the same number of weeks in which it would have been extremely helpful for me to know more about the Lua programming language than I do. The first is when I took a look at an Nmap NSE script, which was Lua, and the second was when I found myself needing to write a Wireshark protocol dissector, but hoping not to dive too far into Wireshark's C API because all the documentation keeps telling me that using Lua is faster for prototyping.

A lot of the Lua stuff I'm finding seems to be revolving around game development. That's nice and all but not really what I'm interested in. I have, of course, found the Lua reference manual and its getting started sections, and they're…fine. The book they recommend is also…fine. It has a lot of maths examples, which I don't care for. I'll read them if there's nothing better but I just thought I'd ask for advice in case anyone knows of a diamond in the rough for these sorts of tasks.

(P.S. Please don't tell me "use Python." I know Python is the go-to language for a lot of stuff these days. When Wireshark and Nmap get Python bindings, I'll use Python. In the meantime, help me learn Lua. Thanks.)

0xACAB
@fabacab
For those curious, I think I'm getting the hang of this, and you can follow my progress here. :)
EcstasyandVendetta
@EcstasyandVendetta
Curious to see anyone work out anything with Lua because I DO want to use it for a game add-on. :laughing: I found it a little impenetrable when I first sat down to mess with it.
0xACAB
@fabacab
@EcstasyandVendetta It helps a lot to be somewhat familiar with C already. Evidently, Lua is designed to be a "higher-level C" and even has a native type (userdata) that is basically just a pointer into some memory space. So I was able to pick it up much quicker than I expected.
(Dunno if you've done any C stuff, but if not, and you're having trouble with Lua, maybe read a tiny bit about C? I'm not sure if that's actually useful. Just a thought.)
I spent most of today reading the Lua Reference Manual and nothing was making sense until I read half-way through §3. Then it kinda started clicking.
EcstasyandVendetta
@EcstasyandVendetta
The first intro to programming class I ever took (not counting things taught in grade school that may have involved turtles) was basically C for Dummies--but of course I forgot all of it. Thanks for the advice, though, it's a way in!
aubrel
@aubrel
The 2018 picoCTF is now open! Anyone who wants to play along can just jump in as an individual -- we're not actually playing this competitively, and I at least might be throwing some ideas and questions in here. :)
0xACAB
@fabacab
It is fun! :)
0xACAB
@fabacab
Whoooo. Well, I'm done for the day. Got through a bunch, have a score of 4,985. I'm pleased by these puzzles, they seem like a good level of hard. How's other people's experience been so far?
EcstasyandVendetta
@EcstasyandVendetta
I had some issues getting the game to run early this afternoon but it might just be my old'n'busted laptop that I use for hacker stuff. I've updated all browsers and am giving it another shot. :stuck_out_tongue:
0xACAB
@fabacab
FWIW, you don't need to do the game portion if you just want to tackle the problems. I didn't even look at the game until the end of the day.
EcstasyandVendetta
@EcstasyandVendetta
Yup, found 'em!
nialbima
@nialbima
COMPLETELY spaced on
nialbima
@nialbima
PicoCTF, but I'm down to work on that this afternoon
camille
@ssempervirens
hey all! how do i join your team for picoctf? 😇
0xACAB
@fabacab

@camfassett Welp! We discovered recently that they changed the PicoCTF mechanics this year. Last year, you were able to re-submit the same answer as someone else on the same team and the game would tell you whether or not the answer was correct. This made it possible to be on the same team but still solve problems (and thus try your hand at learning from them) individually. This year, the game doesn't permit this. Which I suppose makes sense if you're actually a physical classroom, but makes less sense for our situation. Sooo, weirdly, we…no longer really have a team.

You can still create an account as an individual (which you'd need to do anyways), though, so if you wanted to try your hand at the challenges, the best thing to do is simply register at https://2018.picoctf.com and then ping this channel when you're trying a puzzle. :)

aubrel
@aubrel

Hey all lemme ask you something: what year is it?

Because I just spent the good part of a night and a bit of this morning trying to troubleshoot a problem with a USB boot disk thinking there was some bullshit about the filesystem I had to do some hardcore Matrix-fu on and you know what the actual solution was? The USB wasn't getting enough power. The solution, ultimately, was to unplug that shit and then literally wait 5 minutes and plug everything back in again. ???????????????????????????????????? Leaving me staring at the solution's success murmuring softly, "It's 2018" over and over again.

Anyway, for anyone who runs into this problem potentially, what happens is when you try to install an OS using a USB as your boot media, you might get this error that says device descriptor read/64 error -110 -- that last number may vary. Essentially this is a sign that the USB isn't getting enough power to actually serve as a filesystem. After that, you get dropped into an emergency mode shell such as dracut.

To fix this:

  1. Turn off the computer.
  2. Unplug the USB.
  3. Unplug the power supply in the direction of the circuit (so, unplug the computer first, then unplug the connector to the transformer, then from the wall).
  4. Wait 5-10 mins.
  5. Plug everything back in, in the opposite order (wall first, then connector to transformer, then to laptop, then USB).

I did not think this would work, but lo and behold, it fucking did.

whatever man
Most of those sources talk about Ubuntu, but of course the OS doesn't matter -- I was installing Arch when this happened.
0xACAB
@fabacab
:-O
aubrel
@aubrel
Additionally, sometimes when you do this, you may still see that device descriptor read/64 error -### error, but sometimes you just have to give it a little more time and it will actually work. Another thing to try is to put the USB into another USB port, if you have one.
0xACAB
@fabacab
That…is…perplexing.
aubrel
@aubrel
Anyone have any experience with setting up IRC servers and clients
and have any recommendations?
aubrel
@aubrel
Found this great guide by Digital Ocean on setting up an Inspircd IRC server, plus client setup and use with Shaltúre, a fork of Atheme.
aubrel
@aubrel

Update for those who are enthralled with IRC: the above linked Digital Ocean guide turned out to be out of date enough that many things have changed. The newest release (alpha) of InspIRCd came out 5 days ago, also!

So, using the official InspIRCd wiki is proving to be much more fruitful thus far. Specifically, these installation instructions. I'm trying to get this set up now on a Debian stretch VM. Wish me luck, I'll reportback here. :)

EcstasyandVendetta
@EcstasyandVendetta
Note to @camfassett @nialbima and/or anybody else who is messing with PicoCTF, I'm trying to work through the problems independently since it was never a "competitive" endeavor to begin with and will be gradually working to get to the end of it-- (as @meitar mentioned, discovered last weekend I couldn't "catch up" on problems other teammates answered) -- so, happy to use this space to discuss hints/problems/etc. (disclaimer: I am neither a coder, pentester, nor other expert, just a total amateur working on learning new things)
Also there's a dusty old CTF channel where some of us were working on the 2017 competition -- AnarchoTechNYC/CTF
aubrel
@aubrel
:confetti_ball: I managed to get an instance of InspIRCd up and running! :D Woooo! I also wrote Ansible roles for it. My hope is to genericize them enough so that they can be useful as modules for anyone who wants to automatically do this -- but first, I have to roll in a client configuration as well. For anyone who wants to try their hand at setting up an IRC server by hand, I highly recommend the very verbose and long-running InspIRCd; their developers are very cool, the code is riddled with jokes, and the documentation is really great. (Their wiki seems small but it's because most of the documentation is actually IN the config files themselves.)
Anyway the point is that hopefully soon I'll have a generic version that anyone can use to spin up a functional and secure (I hope?) IRC server and client combo with more or less the push of a button. :)
aubrel
@aubrel
Anyone have a favorite IRC client? :) I just tested out my new server using irssi, which seems to be pretty straightforward. Mobile clients also of interest!
0xACAB
@fabacab

Exciting! :)

I have been a little preoccupied as well, working on an Ansible role for Tor Onion services.

aubrel
@aubrel
Am switching gears to making a Prosody Jabber server. XMPP+OMEMO ftw?
aubrel
@aubrel
Learning bits and pieces about OMEMO and how XMPP works generally. I like this world! It's more or less simple to understand. Sadly, there are almost no TUI/console/text-based XMPP clients that support OMEMO, although some folks have been working on adding it to Profanity for a few years now.
Anywhoozlebees, this means that if I want to make a Jabber server that uses a "default" client that supports OMEMO... I have to transition for now into the GUI world. :( OH well.
aubrel
@aubrel
So I'm moving on to check out Ignite Realtime, makers of the OpenFire server and Spark XMPP client. They apparently do support OMEMO. Wish me luck!
0xACAB
@fabacab
@/all There is the potential of a paid opportunity for a qualified PHP developer to help me implement PGP/MIME in my WP PGP Encrypted Emails plugin for WordPress, sponsored by a company in the Netherlands. Is anyone here interested in this or know someone who might be? Please PM or Signal message me for details.
0xACAB
@fabacab
Not sure if this is of interest to anyone but I just contributed what I think is a pretty flexible Ansible role to backup simple servers using Duplicity. I just started using this for my own simple servers and it definitely makes backups less of a headache since all you have to do to schedule a new one is define a new dictionary entry in the duplicity_backup_jobs list. :)
0xACAB
@fabacab

Unsure if anyone here can help but here's a problem I'm running into: I'm trying to have Prosody make s2s connections in a very small test network (two machines). I want userA@s1.invalid to be able to speak with userB@s2.invalid. Classic federation, nothing complex.

I can make this work when not using s2s TLS connections, but whenever I try to make s2s connections over TLS, I see a policy-violation in Prosody's error log (when set to debug), which says Encrypted server-to-server communication is required but was not used. This message comes from this part of the code.

I can't quite figure out why this is happening, though, because I've already:

  1. Generated TLS certificates on both machines, and installed them into Prosody.
  2. Installed each certificate on the other machine's root trust store (i.e., into /etc/ssl/certs using dpkg-reconfigure ca-certificates).
  3. Verified that the TLS certs are trusted on the other machine by using a Jabber client (mcabber) in strict TLS mode (set tls = 1) to verify that the mcabber client on s1.invalid can log in and authenticate as userB@s2.invalid from s1.invalid (ensuring that s1.invalid's root certificate store trusts s2.invalid's newly generated TLS certificate), and vice versa.

Sooo…I'm at a loss. It appears as though Prosody's s2s connections just aren't using TLS at all, even though I have explicitly required them and, AFAICT, set it up correctly so that it works flawlessly for at least c2s connections.

Here is a test branch of my current code in a Vagrant multi-machine environment that describes the above situation:
https://github.com/AnarchoTechNYC/ansible-role-prosody/tree/f079a7717876631295b8f045067c9d45c34a85a3/tests

If you want to try it out, the Vagrantfile at that commit should be all you need:

vagrant up && vagrant provision --provision-with=tls

Thanks in advance.

0xACAB
@fabacab
Anyone here practiced with Volatility? I'm playing a CTF courtesy TechLearningCollective.com and am not experienced enough with this tool to know what I'm doing wrong. I have a memory dump, but none of the vol.py plugin commands give me meaningful output, as far as I can tell.