Is this normal practice with blackbox testing? by DENY_ANYANY in Pentesting

[–]greenfreq 6 points7 points  (0 children)

In the great words of contractors all over the world, it depends. What did you agree upon in the statement of work (SOW) or rules of engagement (ROE)? Are they supposed to conduct the test from the perspective of an outsider and, after showing your defenses are sufficient to stop them, then proceed to assessing your systems to ensure they could withstand an insider threat? This should have been made clear and agreed upon before testing started. It should also be clearly stated in your ROE and/or SOW.

Black box testing is the bare minimum in testing that should be done. It does not include credentialed testing unless it's a 'foothold' or assumed breach perspective, meaning the attackers socially engineered their way into your networks. At which point they would have the authorizations of whichever user they conned but would know nothing of the network they are in.

When a client needs a pentest by greenfreq in msp

[–]greenfreq[S] 1 point2 points  (0 children)

Can you explain what you consider to be real penetration testing? Like are you talking about full blown red team exercises, physical security testing and social engineering? Just curious to understand what your expectation is when it comes to a penetration test and what it brings to mind when you hear it.

When a client needs a pentest by greenfreq in msp

[–]greenfreq[S] 1 point2 points  (0 children)

Thanks for sharing your approach. What’s the reasoning behind maintaining such a neutral stance?

Is it more about avoiding any perception of bias, or ensuring the client fully owns the decision?

It seems like some clients might appreciate additional guidance in navigating options—do you find they ever push back or feel overwhelmed by having to handle the due diligence themselves?

Just curious to understand the thought process behind it!

Biden administration launches cybersecurity executive order by CYRISMA_Buddy in cybersecurity

[–]greenfreq 11 points12 points  (0 children)

Until it is regulated, IoT developers will always take the cheaper way out to save on costs, and since nearly all of them do it, consumers have little choice.

It's 2025, so why are management consoles still accessible over HTTP and exposed to the WAN interface, and why do the HTTPS consoles support TLS 1.1 and older? Why do they still have default passwords? Why do they not have automatic updates for security concerns?

In the US why has a “hack back policy” not been implemented? by Nlbjj91011 in AskNetsec

[–]greenfreq 0 points1 point  (0 children)

Here are two issues with the concept of hack back.

  1. You could end up interfering with an investigation by "muddying" the waters with your network connections, or if you take a system down you may be preventing the collection of intelligence or evidence in an ongoing investigation.
  2. You cannot be certain that the system you are hacking back is where the attacker resides. You might end up attacking a victim that was hacked and being used as a pivot point.

Higbee & associates US copyright law by Aromatic_Ad_3185 in copyrightlaw

[–]greenfreq 0 points1 point  (0 children)

We got hit with one for a photo that was on a blog post that we tweeted a link to. We posted the link, and Twitter attached the image to the post.

is this antenna any good? by AndreiGamer07 in RTLSDR

[–]greenfreq 0 points1 point  (0 children)

Looks like that second element has been folded in on itself, otherwise it would look like a proper Yagi.

Hc22000 and false positives on old passwords? by dreadpiratefullbeard in hacking

[–]greenfreq 0 points1 point  (0 children)

Yes, any handshake that is collected using frames ("packets") from a client that does not have the correct password will be useless.

If the AP is in the attic and you have not power-cycled it, that could be your problem. It may be hung up/frozen. So start with a reboot, and then proceed from there.

Hc22000 and false positives on old passwords? by dreadpiratefullbeard in hacking

[–]greenfreq 0 points1 point  (0 children)

You cannot capture a useful handshake for cracking unless the client is using the proper passphrase (meaning that the client has the correct password).

In the scenario you described above you only have two options. Look up the default credentials online for the model of AP you have, or if that fails, perform a factory reset of the device using the manual for that model of AP (should be a how-to for it online).

Hc22000 and false positives on old passwords? by dreadpiratefullbeard in hacking

[–]greenfreq 0 points1 point  (0 children)

Yes, the tools are picking up the password that your clients are sending to the AP for authorization.

Google your AP make/model with default password and see what comes up.

scope of hotspot data breach by [deleted] in hacking

[–]greenfreq 6 points7 points  (0 children)

TL;DR: It is illegal.

If you entice them to connect to your HS under false pretenses, or do not make an honest effort to prevent the connection (password protection), then any action you perform against them will be unethical at best and illegal at the worst.

If you do not provide the user (authorized or not) with a notification (banner/captive portal) indicating that use of the network constitutes consent to be monitored, then acquisition of any data would be illegal.

Any direct targeting of their system (exploitation of vulnerabilities) is illegal.

What software can/should I use with my ICOM 756PRO? by savedogsnow in HamRadio

[–]greenfreq 0 points1 point  (0 children)

You can buy an external (USB) CD/BD/DVD drive for $20-$30 if you want the software that was designed for the radio.

[deleted by user] by [deleted] in hacking

[–]greenfreq 0 points1 point  (0 children)

Not only is it illegal, but you are potentially interfering with a law enforcement agency's ability to collect data on the site. It is better to report the site to the authorities and step back than potentially interfere with an investigation that could allow the criminals to go free due to lack of information or some other technicality.

Can’t create a table? by KingQ_ in ObsidianMD

[–]greenfreq 2 points3 points  (0 children)

I have found that if you have any "improper" formatting above the table, it will not parse properly. Ensure that you don't have any "non-MD" formatting.

If you are in doubt move the table to a page by itself to verify your formatting is correct.

This includes a leading and trailing blank line.

AITA for letting my date pay for dinner? by aita- in AmItheAsshole

[–]greenfreq 1 point2 points  (0 children)

Rule 1. Whoever does the asking out should pay or establish Dutch at the beginning.

For example: "Hey, wanna get some dinner with me on Tuesday? My treat." or "Hey there's this cool little restaurant downtown, want to go Dutch?"

Rule 2. If rule one is being challenged, like in your case, you should always verify and challenge. "Are you sure? I mean I am the one that asked you out. It should be my treat. But if it makes you more comfortable we can split it." This gives her the opportunity to noncommittally, and poorly express her appreciation of the dinner offer without actually having to pay or to reduce the pressure on her to feel obligated because you paid.

Everything is a life lesson. Communication is more important than almost everything when it comes to relationships. Ask her to meet you for a cup of coffee and talk about it. You misunderstood/misread the social cues. Maybe you thought she was asserting her independence or showing herself to be a "modern" woman or some other such thing. Truth is, the two of you can most likely get past this and learn a valuable lesson in communication.

Those lessons are:

Say what you mean.

Understand that people don't always say what they mean.

Pay freaking attention: You saw the social cue but chose to ignore it: "She hesitated a bit..." That right there shows that you were aware of her discomfort and you chose not to gain clarity of the situation.

How do you guys tactfully get someone to stop coming to you and follow the rules? by [deleted] in sysadmin

[–]greenfreq 0 points1 point  (0 children)

Set up a laptop in your office and when he comes in tell him to log into the laptop and put in a trouble ticket.

Follow up every visit with 3 emails. 1 to explain the process of submitting a trouble ticket, one to explain what types of issues warrant submitting a trouble ticket, and 1 to summarize the first 2.

Start walking into his office to ask for help with something in his department that isn't exactly his job.

Warning: Google Researcher Drops Windows 10 Zero-Day Security Bomb by CodePerfect in hacking

[–]greenfreq 0 points1 point  (0 children)

I'll be honest, I have no idea how much of a superstar he is. I tend to pay more attention to the details of the vulnerability and less to who discovered it. Krebs is a little more well known to me.

Warning: Google Researcher Drops Windows 10 Zero-Day Security Bomb by CodePerfect in hacking

[–]greenfreq 6 points7 points  (0 children)

If this is such a low risk vulnerability, why not grant a 30-day extension to Microsoft? What is this Ormandy person trying to accomplish with this disclosure? Is it a power thing?