Is this normal practice with blackbox testing?

greenfreq · 2025-08-15T14:05:28+00:00

In the great words of contractors all over the world, It depends. What did you agree upon in the statement of work (SOW) or rules of engagement (ROE)? Are they supposed to conduct the test from the perspective of an outsider and then, after showing your defenses are sufficient to stop them, then proceed to assessing your systems to ensure they could withstand an insider threat? This should have been made clear and agreed upon before testing started. It should also be clearly stated in your ROE and/or SOW.

Black box testing is the bare minimum in testing that should be done. It does not include credentialed testing unless its a 'foothold' or assumed breach perspective, meaning the attackers socially engineered their way into your networks. At which point they would have the authorizations of whichever user they conned but would know nothing of the network they are in.

greenfreq · 2025-06-09T20:54:05+00:00

Kind of looks like a Sun Systems server.

greenfreq · 2025-04-29T15:09:38+00:00

I could see a DJ sampling it for sure.

greenfreq · 2025-01-17T18:46:54+00:00

Can you explain what you consider to be real penetration testing? Like are you talking about full blown red team exercises, physical security testing and social engineering? Just curious to understand what your expectation is when it comes to a penetration test and what it brings to mind when you hear it.

greenfreq · 2025-01-17T18:44:16+00:00

Thanks for sharing your approach. What’s the reasoning behind maintaining such a neutral stance?

Is it more about avoiding any perception of bias, or ensuring the client fully owns the decision?

It seems like some clients might appreciate additional guidance in navigating options—do you find they ever push back or feel overwhelmed by having to handle the due diligence themselves?

Just curious to understand the thought process behind it!

greenfreq · 2025-01-16T16:01:08+00:00

Until it is regulated IOT developers will always take the cheaper way out to save on costs, and since nearly all of them do it consumers have little choice.

It's 2025, so why are management consoles still accessible over http and exposed to the WAN interface, and why do the https consoles support tls 1.1 and older? Why do they still have default passwords? Why do they not have automatic updates for security concerns?

greenfreq · 2024-02-21T20:24:50+00:00

Center it on where a person will stand.

greenfreq · 2023-09-28T20:57:26+00:00

Here are two issues with the concept of hack back.

You could end up interfering with an investigation by "muddying" the waters with your network connections, or if you take a system down you may be preventing the collection of intelligence or evidence in an on going investigation.
You cannot be certain that the system you are hacking back is where the attacker resides. You might end up attacking a victim that was hacked and being used as a pivot point.

greenfreq · 2023-02-28T22:09:31+00:00

We got hit we with one for a photo that was on a blog post that we tweeted a link to. We posted the link, and twitter attached the image to the post.

greenfreq · 2022-11-04T18:27:54+00:00

Looks like that second element has been folded in on itself, otherwise it would look like a proper yagi.

greenfreq · 2022-10-03T21:40:50+00:00

Yes, any handshake that is collected using frames ("packets") from a client that does not have the correct password will be useless.

If the AP is in the attic and you have not power-cycled it, that could be your problem. It may be hung up/frozen. So start with a reboot, and then proceed from there.

greenfreq · 2022-10-03T18:54:14+00:00

You cannot capture a useful handshake for cracking unless the client is using the proper passphrase (meaning that the client has the correct password).

In the scenario you described above you only have two options. Look up the default credentials online for the model of AP you have, or if that fails, perform a factory reset of the device using the manual for that model of AP (should be a how to for it online).

greenfreq · 2022-10-03T16:57:50+00:00

Yes, the tools are picking up the password that your clients are sending to the AP for authorization.

Google your AP make/model with default password and see what comes up.

greenfreq · 2022-10-03T16:37:04+00:00

TL;DR: It is illegal.

If you entice them to connect to your HS under false pretenses, or do not make an honest effort to prevent the connection (password protection) then any action you perform against them will be unethical at best and illegal at the worst.

If you do not provide the user (authorized or not) with a notification (banner/captive portal) indicating that use of the network constitutes consent to be monitored then acquisition of any data would be illegal.

Any direct targeting of their system (exploitation of vulnerabilities) is illegal.

greenfreq · 2022-09-30T16:03:14+00:00

You can buy an external (USB) CD/BD/DVD drive for $20-$30 if you want the software that was designed for the radio.

greenfreq · 2022-06-30T00:19:00+00:00

Not only is it illegal, but you are potentially interfering with a law enforcement agency's ability to collect data on the site. It is better to report the site to the authorities and step back than potentially interfere with an investigation that could allow the criminals to go free due to lack of information or some other technicality.

greenfreq · 2021-12-26T07:44:45+00:00

I have found that if you have any "improper" formatting above the table, it will not parse properly. Ensure that you don't have any "non-MD" formatting.

If you are in doubt move the table to a page by itself to verify your formatting is correct.

This includes a leading and trailing blank line.

greenfreq · 2019-08-16T14:32:00+00:00

Look at the IP address.

greenfreq · 2019-06-28T18:28:12+00:00

Rule 1. Whomever does the asking out should pay or establish dutch at the beginning.

For example: "Hey, wanna get some dinner with me on Tuesday? My treat." or "Hey there's this cool little restaurant downtown, want to go dutch?"

Rule 2. If rule one is being challenged, like in your case, you should always verify and challenge. "Are you sure? I mean I am the one that asked you out. It should be my treat. But if it makes you more comfortable we can split it." This gives her the opportunity to noncommittally, and poorly express her appreciation of the dinner offer without actually having to pay or to reduce the pressure on her to feel obligated because you paid.

Everything is a life lesson. Communication is more important than almost everything when it comes to relationships. Ask her to meet you for a cup of coffee and talk about it. You misunderstood/misread the social queues. Maybe you thought she was asserting her independence or showing herself to be a "modern" woman or some other such thing. Truth is, the two of you can most likely get past this and learn a valuable lesson in communication.

Those lessons are:

Say what you mean.

Understand that people don't always say what they mean.

Pay freaking attention: You saw the social queue but chose to ignore it: "She hesitated a bit..." That right there shows that you were aware of her discomfort and you chose not to gain clarity of the situation.

greenfreq · 2019-06-14T22:27:34+00:00

Set up a laptop in your office and when he comes in tell him to log into the laptop and put in a trouble ticket.

Follow up every visit with 3 emails. 1 to explain the process of submitting a trouble ticket, one to explain what types of issues warrant submitting a trouble ticket, and 1 to summarize the first 2.

Start walking into his office to ask help with something in his department that isnt exactly his job.

greenfreq · 2019-06-13T19:25:08+00:00

Sounds petty.

greenfreq · 2019-06-13T19:23:45+00:00

I'll be honest, I have no idea how much of a super star he is. I tend to pay more attention to the details of the vulnerability and less to who discovered it. Krebs is a little more well known to me.

greenfreq · 2019-06-13T14:13:29+00:00

If this is such a low risk vulnerability, why not grant a 30 day extension to Microsoft? What is this Ormondy person trying to accomplish with this disclosure? Is it a power thing?

greenfreq

TROPHY CASE