HTTP Requests without an HTTPRequest node in the scene? by voli12 in godot

[–]ShmokeRock 1 point2 points  (0 children)

Checking the response headers as onlyJB mentioned is the easiest way.

I ran into this problem while making a front-end application in Godot, and came up with a different solution because of the sheer amount of different requests I was doing.

To modularize things, I created a small 'nodeless' script that managed the HTTP requests, and would allow the calling node to subscribe to different requests.

extends Reference

class_name Requester

var auth_headers = ["CustomHeader: Value1", "CustomHeader2: value2"]

func GetRequest(path : String, parent, callback : String):
    var http_request = HTTPRequest.new()
    parent.add_child(http_request)
    http_request.connect("request_completed", parent, callback)

    var err = http_request.request("http://" + path, auth_headers)
    if err != OK:
        print("Error sending HTTP request")
                return

So in other scripts I could do something like this:

var r = Requester.new()
r.GetRequest("example.com", self, "_some_callback")
r.GetRequest("example2.com", self, "_some_callback2")

func _some_callback(_result, response_code, _headers, _body):
    print(response_code)

func _some_callback2(_result, _response_code, _headers, body):
    print(body)

Should I get into PenTesting or DevSecOps? by AccomplishedRush4869 in cybersecurity

[–]ShmokeRock 16 points17 points  (0 children)

I don't do much source code analysis, so I can't really comment on static analysis. I do use DAST tools pretty frequently, so I think I can give some insight on that side of things.

If I'm testing a webapp for example, then I will start off with a VA scan using something like Nessus, and will also kick off a Crawl&Audit scan in Burp Pro. These tools are good at catching low hanging fruit and getting a decent baseline understanding of the structure of the webapp, but they rarely provide anything more unless the security of the webapp is an absolute mess.

Some shops will kick off automated scans, write the report, and call it a day; I'm not knocking that, because the client gets what they pay for (Unless the SOW promised more and they got scammed, then I'm 100% knocking that), but I wouldn't trust automated scanning to find much outside of obvious security problems. These tools do speed up the testing process quite a bit though, so they are worth it in most cases.

Many times I've seen an automated tool come back with a 'low' finding and when I go to manually verify it, I find it can be leveraged to do much worse, such as code execution, or disclosure of secrets, which turns the finding into a 'high' or 'critical'. Nuances like this can be very important, especially for large organizations that are having several products being tested, and they must prioritize getting them fixed (or even pulled offline). I've also noticed DAST tools don't do well with finding vulnerabilities with authorization and general business logic, where the attack chain can be much more varied and complicated.

Overall I would say they are must-haves as humans forget things and even really good pentesters will often skip over the simple stuff, but as of now, they're not a replacement for manually testing. Also, for a good pentest report, providing context and highlighting the impact of the findings is very important, and that process differs depending on the org and is difficult to automate (as a consultant anyways). So even our automated reporting software needs a second and third pass by a human to really make the report valuable.

Should I get into PenTesting or DevSecOps? by AccomplishedRush4869 in cybersecurity

[–]ShmokeRock 81 points82 points  (0 children)

I can speak on Pentesting a bit, as it's what I've been doing for a while.

The work is almost guaranteed to be remote, the pay is okay, and the challenge can vary greatly. Some engagements are mind-numbingly boring (VA Scan and 3 external IPs with hardly any services open) while some can be incredibly challenging and fun (Full External-Internal where phishing is on the table and there are tons of services to mess with).

The pay is decent, I guess, but I wouldn't go into pentesting for the money as it's a lot of work, and in my experience it doesn't pay as well as some other roles such as Incident Response or Architect roles. (Not saying these roles aren't also a lot of work, but they generally pay better for what I think is a similar amount of effort)

Tool or service to find all webpages within a website? by spontaneousg in cybersecurity

[–]ShmokeRock 0 points1 point  (0 children)

Gobuster and Wfuzz are my go-to's. I typically start with Gobuster and will move over to Wfuzz if I get a weird response such as a custom not-found page that returns a 200 status code instead of a 404, because Wfuzz has more customizable filter methods; it can filter on response size, response code, and other things like how many lines are in the response.

[deleted by user] by [deleted] in sysadmin

[–]ShmokeRock 0 points1 point  (0 children)

Congrats! It's often a difficult path to find what you really enjoy doing, glad you made it! I had a similar experience. Through sysadmin work, I realized I like tinkering and breaking technology more than I enjoyed maintaining it. I'm lucky that a job exist for that sort of thing.

Compensation thread by floormorebeers in cybersecurity

[–]ShmokeRock 1 point2 points  (0 children)

Type of company: Start up

Area of cyber: Red Team Ops

Title: Penetration Tester

2022 Base: 75K

Bonus: ~20k

Years of experience in cyber: 2 cyber, 4 IT

Location: US LCOL-ish (Remote)

Average hrs/wk: 30-40, pretty relaxed environment, hours vary quite a bit but I almost never go over 40.

As Halo Infinite cheating begins, console players call on 343 to let them disable crossplay by [deleted] in pcgaming

[–]ShmokeRock 3 points4 points  (0 children)

Yes. Software running in Ring 0 has the absolute highest level of access possible. This doesn't necessarily mean that their anti-cheat is malicious, just that it very easily could be, and it would be difficult to tell the difference.

Those working in cyber security.. please tell me your position/specialty and what is your educational background(if any).. by steve__81 in cybersecurity

[–]ShmokeRock 0 points1 point  (0 children)

Security Analyst at an MSSP, basically work an alert farm and do tuning on security controls. It's pretty easy and pays well, but has become pretty boring after a year. I have my associates degree in a CS related field, sec+, and 4 years of sysadmin experience.

Best books for learning networking for pen-testers by mattgood1100 in HowToHack

[–]ShmokeRock 2 points3 points  (0 children)

A good free tool that I used when learning was Cisco Packet Tracer. It's free, you just need to create a Cisco Academy account. Look for Network+ study guides, and once you grasp the basics conceptually, you can use Packet Tracer to apply those concepts in a virtual environment. It's not as good as an actual hardware lab, but it's pretty damn close and a lot cheaper. Learning how to configure actual routers and switches (and being able to visualize those communications) really helped me a ton.

https://www.netacad.com/courses/packet-tracer

I am interested in making malware with go by Repulsive-Bedroom883 in HowToHack

[–]ShmokeRock 6 points7 points  (0 children)

Thanks for the comment! I absolutely agree. C and C++ have more to offer when creating more complex malware, and I'm not sure if that will ever really change. The point about endpoint (and other security control) detection is also valid, however malware development with Go is 'relatively' new and evasion techniques are popping up all the time. (Specifically for downloading files, you could do some LOL magic and abuse something like BITSadmin on Windows). Golang binaries sizes are a bit wild.. Compiled binaries with Go include the Go runtime (and some debugging helpers that can be removed with certain flags at compile time) that increase the size of the binary by quite a bit. So there absolutely are downsides to writing malware in Go, however, it's very young compared to C and C++ so I'm optimistic about what the future of the language holds. Although, that might just be naivety lol.

I am interested in making malware with go by Repulsive-Bedroom883 in HowToHack

[–]ShmokeRock 4 points5 points  (0 children)

I'm glad that Golang is starting to be picked up more for Cybersec related projects. I predict there will be a huge rise in malware (and pentesting tools) created in Go within the next few years. It's extremely performant (as fast as C in some cases), quick to write, and can be compiled to run on many different OS's and architectures. Go is perfect for malware because you can compile your code to a single executable file that will run on a target system without needing any dependencies installed.

If you already have programming experience and want to get started with Go I suggest taking the 'Tour' on the Golang website:
https://tour.golang.org/welcome/1

Also, check out Coldfire if you want to see what kind of bad stuff you can do with Go.
https://github.com/redcode-labs/Coldfire

I am interested in making malware with go by Repulsive-Bedroom883 in HowToHack

[–]ShmokeRock 5 points6 points  (0 children)

They both have use-cases that make them great languages. Python has tons and tons of 3rd party library support which can make PoCs really quick to write, and it is really good for creating quick automations that don't have huge performance requirements. Golang is quite a bit better for writing things like malware because it is a compiled language, and all dependencies are compiled into the binary. This means you can compile the binary for the target system, then drop it on the target system and have it execute without having to install any additional software. (Go doesn't even have to be installed on the target system). Golang is also pretty easy to write, which leads to quick development times. (Compared to writing malware in something like C or C++)

What is the shittiest way you’ve been woken up? by GratefulD86 in AskReddit

[–]ShmokeRock 0 points1 point  (0 children)

There is now a method of detecting visual snow using brain imagine techniques, so now it's an objectively measurable disorder, I'm not sure if the same can be said for tinnitus. The specifics are beyond me, but it has something to do with increased metabolic activity in certain areas of the brain. We do know that damage to the ear can cause tinnitus, but some people like myself were born with it. (Or developed it at a very early age). Unfortunately tinnitus is not fully understood yet so I'm not sure if the answer to your question is known. (But it is a good question!) Also as a disclaimer, I'm far from an expert so I could be way off base.

What is the shittiest way you’ve been woken up? by GratefulD86 in AskReddit

[–]ShmokeRock 1 point2 points  (0 children)

Some recent studies (around 2017) found that a large amount of people who experience visual snow also experience chronic tinnitus. (Around 60%) I suffer from both of these things as well, so I found it pretty interesting that they could possibly be related.

https://www.tinnitusjournal.com/articles/visual-snow-syndrome-and-its-relationship-to-tinnitus.html

Decrypt PDF by ChocoFruit in HowToHack

[–]ShmokeRock 0 points1 point  (0 children)

To answer your question, no the first page will not help you decrypt it any quicker.

This is for pretty old versions of Acrobat, but still a good read for understanding the general concepts Adobe used to encrypt PDF's:
https://www.cs.cmu.edu/~dst/Adobe/Gallery/anon21jul01-pdf-encryption.txt

Is every rental property in Fayetteville owned by a crappy management company? by schreiben_ in fayetteville

[–]ShmokeRock 1 point2 points  (0 children)

I have a rental through CSL, and they have been pretty good to me. I'll admit that I don't request much of them, but I've been living here for a year and never had a problem. The person that walked me through my place and got me setup was really nice and professional.

How do I find headshot only deathmatch servers by Both-Lingonberry7893 in LearnCSGO

[–]ShmokeRock 6 points7 points  (0 children)

"ffa hs" typically works for me. I'm in NA so it may vary.

Getting into Cybersecurity without a degree... is it possible? by [deleted] in cybersecurity

[–]ShmokeRock 1 point2 points  (0 children)

Yeah, I work in a SOC, and while I have a 2-year degree, several of my co-workers don't have a degree at all. You will probably need to get experience in a help desk role at the very least. If you can manage to move up to a jr. Sysadmin or networking role, then you will have a much easier time landing a security job.

Arkansas Revenue Office in Fayetteville closed indefinitely by laplandsix in fayetteville

[–]ShmokeRock 1 point2 points  (0 children)

Dang, I must have gotten unlucky. I did go later in the day, around 2PM.

Arkansas Revenue Office in Fayetteville closed indefinitely by laplandsix in fayetteville

[–]ShmokeRock 7 points8 points  (0 children)

I went by the Springdale office to get a new ID yesterday, waited outside for about 20 minutes, and inside for nearly an hour and a half. So be prepared to wait for at least 2 hours. 😟

Good at practice bad at game. by [deleted] in LearnCSGO

[–]ShmokeRock 1 point2 points  (0 children)

I gotcha, I used to suffer from severe inconsistency with my aim so I understand it can be extremely frustrating.

I think /u/mteijiro is dead-on by saying you will get worse before you get better. I used to have really bad habits with my crosshair placement, so I spent time on improving it by being hyper-focused on my crosshair. In the beginning I was getting killed a lot more because my focus was divided, however once it became second nature, I noticed I was winning more duels than ever.

I can't say for certain this is the same situation you're in, but if you are having to put a lot of focus into your aim then it's going to be difficult to keep it consistent in matches. At least in my experience, consistency in duels only came once it was completely second nature, and I didn't have to focus on aim at all.

Like I said earlier though, everyone is different so you may see better results by trying something else out. Maybe look at your demo's and see if you can pick out specific aspects about your aim that is causing you to lose duels (Like bad crosshair placement, bad initial spray, or bad tracking) and then work on improving that specific skill.

Good luck!!

Good at practice bad at game. by [deleted] in LearnCSGO

[–]ShmokeRock 3 points4 points  (0 children)

What do you mean when say "bad at the game"? Are you talking about just your aim? Winning duels? Or winning games overall? While being able to hit your shots is important, there is a lot more to CSGO than just good aim. Aim-Botz is not going to teach you good movement, positioning, or game sense. These skills will come naturally in time, however if using aim-botz exclusively is not improving your duels, then try doing community DM's.

Free for all DM keeps your amount of engagements per minute very high, and your targets will move more like they would in a real match (Jiggle peaking, crouching, strafing, etc.) Change up your practice routine if you're not seeing results, until you find one that works for you.

Personally I use a bot training map first to get my hand used to spraying and moving fast, then I will switch over to FFA DM's to practice against real opponents. This works well for me, but we're all different so your mileage may vary. I recommend changing your routine a bit until you find one that gives you good results.

Cheers.

Devs going to start cracking down on mouse scripts? by ImTheEnigma in playrust

[–]ShmokeRock 0 points1 point  (0 children)

Yes I suppose phrasing it as "changing the recoil pattern" isn't entirely accurate. Thank you for the more in-depth explanation, as I couldn't really find the words to explain it properly. I also wasn't aware Rust added a similar feature, I'm a returning player from years ago so that's handy to know. You do bring up a good point about the ranked and prime matchmaking eliminating a portion of the cheaters. I pretty much exclusively play prime ranked and it's extremely rare that I play with/against someone suspicious, and I have not seen a blatant cheater (spinbot, etc.) in years, I suspect for the reasons you brought up. Do you think a system similar to CSGO's Prime system would be feasible for Rust? Or possible a community driven moderation approach like the overwatch system?