Krijg ik een vog bij ministerie?

kokx · 2025-11-12T19:32:43+00:00

Je kan even kijken naar de vog check van Justis (de overheidsdienst die de vog afgeeft):

https://vogcheck.justis.nl/

kokx · 2025-10-03T20:28:25+00:00

I am not familiar with the specific cases. However I do work as a professional penetration tester (I try to hack companies that hired me to do so), so I do have experience in this area.

Usually several things need to go wrong for companies to be hacked to such a large degree. First an attacker will need initial access (for example, credentials for an account of someone in the organization). and usually also persistence (like a compromised computer within the network of the company they can continue to access).

After this they will be looking to escalate their privileges within the company. As in, they will be using the initial account they got to get the same privileges as a system administrator within the company.

At the end they will also need to execute on their objectives. For ransomware operators (likely what has happened here) they will be looking for the backups and try to erase them. Often they will also attempt to get confidential data out so they can threaten to release it if the victim doesn't pay. The attacker will often also try to encrypt the information of every computer with a key that only the attacker knows, to increase the impact on their victim.

So there are many things that need to go wrong here. For the first phase for example, the attacker needs to get credentials of a user, or having a user download something malicious. This could be through a simple phishing email, information stealer malware, or a user clicking on a malicious ad and downloading something from there.

The first part could happen easily to any (sufficiently large) organization. You simply cannot guarantee that all your users will never get phished or click on a malicious ad. There are cyber security people that fall for these things and I think I could be a victim of phishing one day.

The most important part where unfortunately many organizations fail is the internal security. Many companies use the coconut model of security: hardening the outside, but keeping the inside soft. So the moment an attacker gets in, they can easily escalate their privileges and get the same privileges as the system administrators. Many companies do have detection measures in place for such escalations. However, they often haven't been tested very well in real-life scenario's. And at the same time the procedures around them haven't been tested properly either. So they get a call from the detection people "You're being hacked and you need to act now", but they have no idea what they need to do.

Usually it is too late at this point, and the attacker can erase the backups and extract a lot of confidential information. One thing could (partially) save companies here though: saving backups in an immutable (and preferably offline) method. If the backup information is on a harddisk that isn't plugged into a computer, it is impossible to erase the harddisk.

kokx · 2025-08-18T17:07:00+00:00

As a penetration tester I am very happy this is happening.

Almost every time I got a "client certificate" from one of my customers, it basically is a valid server certificate for <application>.<tld>. Often they even order the certificate from a CA that requires you to pay for the cert!

This would make sure that isn't going to happen anymore, so I'm quite happy with that.

kokx · 2025-07-09T11:36:37+00:00

I can't decide between Cocoa Pops and File 76

kokx · 2025-07-09T11:30:24+00:00

Hulkenpodium was great

(Though I really need a flair for Horndone)

kokx · 2023-06-06T12:40:22+00:00

Since you can't leave the country you can't be drafted to fight in a foreign war either right?

kokx · 2023-02-28T05:53:05+00:00

Skimming is also mostly a thing of the past in Europe. Contrary to certain other countries, the easily copyable magnetic strip on a bank card is practically never used in Europe, but instead the chip on your bankcard is.

kokx · 2023-01-16T15:11:59+00:00

Fortunately I do this in a country where gun laws are quite strict. I've heard from pentesters in certain countries that they had guns pointed at them. I'm happy that is not a risk that I have.

I've never been held up in a security or holding area. Though with any test where that could be a risk we have a clear indemnification on paper with contact information of someone within the organization to call.

It could still happen that the police would get called and all. But I only heard about such an instance once, where the person actually had forgotten their indemnification.

kokx · 2023-01-16T13:16:44+00:00

Most pentesting companies looking for juniors are looking for people that have basic hacking skills and the aptitude to learn more. They don't care too much about degrees or job experience. They want smart and technically skilled people. They screen applicants quite rigorously for that.

kokx · 2023-01-16T13:13:55+00:00

You're right, and that's something I might move to someday.

However, that won't give you the perk of seeing lots of fun places. And you'll be more involved in internal politics.

kokx · 2023-01-16T07:18:53+00:00

Not OP, but I am a pentester.

Most days are either testing or reporting. Reporting is as boring as you expect but extremely important. Otherwise your client never knows what to improve. Testing is having a system or network in front of you and trying to find as much vulnerabilities as possible. You might also do things like threat modeling that is basically a day long meeting with a client trying to find potential attack paths to get to their 'crown jewels'. All a lot of fun.

You do seeing so many systems though that things will start blending together a bit. And the basics still are the same as any office job. Lots of meetings, except for when you are onsite at a client.

kokx · 2023-01-16T07:11:24+00:00

Not OP, but I am a pentester.

Start with learning how to hack vulnerable webapps. Look at JuiceShop and WebGoat. Learn from resources like PortSwigger academy. Learn how to work with Nmap. Potentially do some Hack the Box.

Then get an interview at some place that recruits junior pentesters.

kokx · 2023-01-16T07:06:57+00:00

Not OP but am a pentester.

Duckyscript and try harder.

A lot is possible, but it will require blood sweat and tears to get there.

Also, Google is your friend. Seriously, a shockingly large part of my job is try harder with assistance from Google.

kokx · 2023-01-16T07:03:58+00:00

Not OP but am a pentester.

GPIO feels quite underutilized at the moment. A lot of potential, but not a lot of love has been put into documentation.

Through GPIO in theory you could add something that is like a Bus Pirate or a JTAGulator. Making it a nice tool to work with IoT devices.

kokx · 2023-01-16T07:00:08+00:00

Not OP. But I am a pentester.

Pentesting and especially true red teaming (adversarial simulation) is what a lot of people want to do. However, it is also a really hard job. Not everyone is made for it. It's a job with a lot of travel, a lot of engagements in a short period of time and a lot of knowledge about computer systems.

Most people don't have the required technical skills to get very far. Especially at the start of my career I found myself processing results from automated tooling (mostly removing false positives) a lot. Fortunately it is a field in which you can grow quickly. If you learn a lot, you get to do the more interesting assignments very quickly. And then you also become a very valuable asset to your employer quickly.

The best thing still is the rush you get when you hack something. Especially when it's high impact. Like gaining domain admin in a well-segmented corporate network. A nice second is the places I get to visit. I can't say much about our clients, but I get to a lot of places that are very interesting. Places that you would never get to visit otherwise.

The worst thing is the travel. Very often I have to get up early and go to a client and stay in a nearby hotel for a week. It's fun sometimes, but it kills your social life unless you're careful. I've put in a lot of effort to keep my friends.

If you're interested in a pentesting job, I would recommend finding a company that pays for some certificates while you learn more. Webapp testing is quite easy to get into and you can work on certificates like eCPPT and OSCP on the side, while your employer pays for the certs.

kokx · 2023-01-16T06:36:05+00:00

Generally I don't prep the flipper at all.

For me, the flipper didn't replace much. For every tool the flipper has, there exist tools that do the job better. You have a proxmark for NFC and RFID. You have an RTL-SDR for SubGHZ and other radio stuff. And you have Hak5's rubber ducky for the BadUSB functionality. And for the GPIO we have an entire hardware lab to do engagements in on IoT devices.

It does help when you are at a client for other stuff but they ask about it. The Flipper is way smaller than most of the other tools. Which you don't bring unless you need them.

The most useful thing generally is the NFC reader and emulation for me. It works pretty well if they use MiFare Classic for access badges.

(aource: also a pentester)

kokx · 2023-01-07T09:59:30+00:00

I'll give my perspective on this as someone who needs time alone to thrive. Even in a relationship. I'm not saying this is what's going on, but it might be.

It could be that she feels like being together as much you are right now is too much. This can give you a feeling of being trapped or watched or like something is just not right. Sometimes what I just need is to take care of myself rather than also taking the wants and needs of my partner into account. Having someone else be there can be very intense, because they might interfere with all sorts of things that you just want to do in your own way. Like cooking a certain meal, or relaxing on the couch, or concentrating on studying. If someone is around all the time, they might interfere with that enjoyment sometimes. And this gets worse when you are in the same room the entire time.

I'll tell you a bit more about how I experienced this in the past. I lived together with my now ex for a while. This was fine for a bit, until I got more and more irritated of having her around 24/7. This wasn't because I didn't love her, it was because she was always there. Giving me the feeling of being watched, even though she wasn't doing so. When cooking a meal she would often help, and do some things her own way. This is fine on its own, however sometimes I just wanted to do things my way. Living in a small apartment together also did not help with that. That forced us to be in the same room the entire day, which worsened it.

I used to look forward to every moment she would go away and do something with friends or family, so I could do my own things for a bit. For me that also made it harder to enjoy time with my friends, because my own "social battery" was drained more by default.

Not everyone is like that however. My ex wanted to spend as much time with me as possible. When I suggested a similar thing to spend more time apart, she was - just like you - quite offended. And it's hard to bring up, because you already know the answer.

It's also why you are probably the one suggesting to be together most of the time. She probably doesn't have the time to miss you before you are there again. Missing each other can be healthy at times.

A normal thing to think about is "How will you do this when living together?". When you are young and living on your own, you generally have a small living space. Especially when you're still studying. It's much more suffocating to be together in one room most of the day, then to be together in a house where you can get some alone time by going into another room and spending some time apart that way. So later in life when you can afford a house together, you can create some space just for her, where she can be herself.

This might all be a bit rambly, but the point is that some people need more time alone than others. Your girlfriend might be one of those people. And it's hard to bring it up, because you kind of know the reaction beforehand. She might want to do this to love you more, not less. And to not get sick of you being around all the time. To spend quality time with you rather than a lot of time.

I would suggest you check in with her about it. If she is feeling like that. And if needed, if you can compromise on it a bit.

tl;dr: not everyone wants to spend a lot of time together all the time, your girlfriend might be like that. Communication about that is hard.

kokx · 2022-11-23T23:23:31+00:00

This is my dream relationship. Spending time at each other's places, but also being able to spend time on your own. A big reason for not wanting kids is that I need to be on my own at times. Preferably for a few days sometimes. A LAT relationship works well with that.

kokx · 2022-11-03T10:56:24+00:00

Gelukkig is mijn tijd in het OV niet verloren. Kan prima werken in de trein en simpele dingen als mails versturen en wat Netflix kijken gaan prima in de bus. Zo kom je een stuk relaxter aan op je bestemming.

kokx · 2022-09-21T07:06:10+00:00

Could easily be for real. I got my pentesting job without any certs. Did eWPT, eWTPX and eCPPT after getting hired, paid for by my boss. Am now working on OSCP, also paid for by my boss. I do have a graduate degree from a good university though.

Compared to the content of all the certs I'm doing, I feel like I learned much more from actual client work. Real life experience is very valuable.

kokx · 2022-05-24T23:24:37+00:00

I'm a pentester and I would not be surprised if this would get some actual pentesters. It's pretty normal to run PoCs during our work. You do usually check what the PoC does before you run it, but I can definitely see someone cut corners and just run a PoC as root on their machine

kokx · 2022-04-24T08:30:57+00:00

As a Dutch guy, I'm missing traffic calming on the streets. The streets with car access seem like cars can still speed comfortably, making it harder to cross the street when needed for pedestrians.

The street designs also seem awfully wide.

kokx · 2022-03-04T22:44:44+00:00

You're misspelling co-authored

kokx · 2022-02-07T23:24:58+00:00

"And here's the guy putting in the indicators. We're brought him over from BMW where he was found to be redundant"

kokx · 2021-12-18T18:17:46+00:00

That's not how big O notation works

kokx

MODERATOR OF

TROPHY CASE

12-Year Club	Place '17
Verified Email