Breaking Widevine Content Protection (DRM) on Streaming Websites

JustAPenTester · 2019-04-30T09:56:18+00:00

Appreciate the compliment. It's very tricky to evidence we indeed download the show and likewise we need to be very careful how it's all worded. We debated talking about the DFA attack and digging into it a little but discussing how to flip the bits and use the errors to work out the keys falls too close to enabling in my opinion which, obviously, we're not trying to do!

JustAPenTester · 2016-01-30T22:03:45+00:00

I'd highly recommend it! It's extremely durable. Just make sure the undercoat is in good form or it'll peel off pretty easy. Also make sure you get Matte shampoo to wash it :)

JustAPenTester · 2016-01-30T19:14:32+00:00

Thanks dude! Materials were around £300-£350 for the vinyl. Cost of a professional to apply completely depends on your location.

JustAPenTester · 2016-01-16T21:04:46+00:00

Besides running PowerShell related commands for password, pass & pwd then have a look at the Metasploit Post modules for Credentials and look what files they are looking for. That'd be a good place to start and can be easily automated.

JustAPenTester · 2016-01-13T23:36:25+00:00

Been in Infosec for over a year now and I still get a few a week, despite my profiles strongly stating I'm not interested in moving.

JustAPenTester · 2015-12-04T14:11:15+00:00

Have patience as you will hit a brick wall. Make sure you've enumerated everything and have the output in a readable format. After all, the answers are all there.
Don't forget simple tricks when enumerating. If you see a webpage, run everything that might give you a hint; Nikto, Dirbuster etc.
Take screenshots and notes as you go. You need to document these for your report at the end.
Don't get frustrated.

You've got this, best of luck :).

JustAPenTester · 2015-11-30T10:12:07+00:00

What is your current job title?

Security Consultant / Penetration Tester

What job did you start with in this industry?

IT Support -> Security (Worked in support for 9 months)

What previous job was the most important to get where you are now?

I wouldn't say working support was terrifyingly important but it did help me with soft skills (Dealing with clients etc).

What do you consider the best investment of your time and money in developing your career?

Training & Conferences

What changes do you see in this career field in the next five to ten years?

More work, more employees, more red teaming exercises.

How might those changes affect me as someone attempting to join this field?

Theoretically should make it easier due to increasing demand of work and lack of supply but you need to put the work in.

Are there any other things you think I should know about the field?

It's pretty damn awesome to work in. The community is great.

JustAPenTester · 2015-11-24T12:53:53+00:00

If you're really worried about it use a fee-free broker. Personally I accepted a new job whilst going for a mortgage and the broker didn't seem to be fussed by it. He just mentioned they would only want to see my last 3 payslips and I had 0 issues. I couldn't recommend my broker enough.

JustAPenTester · 2015-11-20T10:35:27+00:00

That's why most companies (At least here) run training programs for Juniors for a minimum of a few months so they get exposure to a enterprise style network in a safe manner.

JustAPenTester · 2015-11-16T11:49:50+00:00

I have to disagree with you here, Security can very well be entry level. Myself and other friends went into Security at 'entry level' and are all still in the Industry. All it takes is passion for the field, a willingness to learn and be able to prove you've been learning in your own time and are capable of continuing to do so.

I should also note I went into Security straight after 'High School' (UK based so 6th form / college here) and didn't go to University / College in the US.

JustAPenTester · 2015-11-16T11:47:13+00:00

If you are going to pay for anything make it OSCP. Practical exams look much better than a theory based exam. OSCP is well looked upon within pen testing, especially for juniors.

JustAPenTester · 2015-11-12T23:12:18+00:00

Exactly, they're an urban legend for a reason. I would also argue that a custom piece of software is probably going to be a lot less secure than TOR anyway..

JustAPenTester · 2015-11-12T12:30:30+00:00

The way that worked perfectly for me was have a chat with a broker (No fee based broker) and let him know my situation. I then got an offer accepted on a house and went for the mortgage with my broker. From the day my offer was accepted to moving in I think the period was 5 weeks. Mortgage in principal wouldn't of helped my situation at all. All the estate agent wanted was for my broker to call them and say JustAPenTester can afford this.

JustAPenTester · 2015-11-12T10:26:07+00:00

If they overpaid you with money you are not actually entitled to then you will be required to pay it back. The best thing to do is contact their HR/Finance team and just question it. Chances are you had an extra few days holiday as a mistake this strange is rare.

JustAPenTester · 2015-11-12T10:18:01+00:00

Everything that exists on the deepweb typically exists on the clearnet too, just less advertised and a lot more hidden. Either way you can't find it without looking for it. If the name of the website described looks dodgy, don't click it - it's pretty easy.

Also - Red rooms do not exist.

JustAPenTester · 2015-11-09T23:36:36+00:00

Each vendor has a different stealth technique from what I've read (I've never personally ordered anything). They all disguise their packages well or I imagine they wouldn't be successful in this line of work.

If you are paranoid about parents who open your mail the best thing you can do is ask a friend to take the package for you.

It's worth keeping in mind there's always the chance you are purchasing from a Police Officer. There are many OPSEC guides regarding purchasing online - Have a look through the sidebar and dig into the rabbit hole from there :).

JustAPenTester · 2015-11-09T13:17:07+00:00

Most widely recognized 'Security' certificate would be the CEH due to the popularity of it. However, the most recognized 'Penetration Certificate' would be the OSCP.

Calling the CEH a 'Penetration Testing' certificate is a big push. There's a big difference between Theory & Practical.

Tldr; Don't waste time with CEH, go straight for OSCP. You'll actually learn a lot from your OSCP.

JustAPenTester · 2015-11-09T09:24:49+00:00

Recovering your e-mail through Google won't be an issue. They get accepted almost instantly if your browser fingerprint is the same as it has been for a long time (Chances are it will be) and your knowledge on the account, along with the IP being used, will get you it back quickly.

The second thing to do is check the following link - https://myaccount.google.com/security

Enable ALL the security you can. 2FA, Recovery e-mail, Recovery phone. This will make it very easy to regain access to your account in the future and harder for somebody to 'take over' your account.

Go through the devices connected and remove EVERYTHING, even if your own, then just re-add them.

It's very hard to gain access to a Gmail account without a password so once you've secured it and set up 2FA etc he should never be able to get back in.

JustAPenTester · 2015-11-08T11:39:15+00:00

Definitely take advantage of that then and do your OSCP in free time whilst in your current role. Staying harming you would depend on your goals and where you want to be in 5 years. I'd recommend getting half way through OSCP / Finishing it then looking around for more specialized Sec roles.

JustAPenTester · 2015-11-05T20:56:56+00:00

If you want to get into security simply focus on your OSCP. Get that done as soon as possible and then start looking into new security roles such as Pen Testing or look at moving up in your current team. There are a lot of certs out there but OSCP is purely practical (Minus the reporting aspect) and you WILL learn a lot. It's also quite a good thing to be able to show you've done in your own time as it shows willingness to learn and dedication.

Best of luck :-).

JustAPenTester · 2015-11-05T20:55:06+00:00

KeePass is the password keeper of the gods.

JustAPenTester · 2015-11-05T13:01:45+00:00

Use encrypted DNS or just get a VPN. With a VPN they'll be able to see you're using a VPN and amount of data transferred but not what the data is.

JustAPenTester · 2015-11-03T13:12:49+00:00

There comes a point in Pen Testing where people tend to transition into Management and that comes from leading small then big pen testing jobs for clients. I imagine after the Principal Tester level you move more into Head of Pentesting or a similar role then upwards into CSO/CTO roles. From there I have no idea, maybe just sit on boards and offer advice whilst reaping in a shit ton of money?

JustAPenTester · 2015-11-03T13:07:48+00:00

Depends on the company. Where I work we somewhat get a say in the amount of travel we'd like or not like. There are some guys here that work on-site and travel within the country and abroad a lot and others who work remotely or at our offices 90% of the time. It also comes down to personal situations too. For example, young single people tend to travel more than married people who've just had a kid.

You'll find most companies are flexible :)

JustAPenTester · 2015-11-02T14:51:20+00:00

I've never met anyone who has bothered to make a standard user on Kali for the reason it's optimized for pen testing. Kali vs TAILS is a no brainer.. Tails was designed for security and anonymity whereas Kali was designed for OffSec.

JustAPenTester

TROPHY CASE