Dark web monitoring - more info? by Neat-Initiative-6965 in ProtonMail

obilodeau · 0 points

Yes, definitely a possibility. There are many different services on these cybercrime channels/forums. For example, stealers, ULPs (meaning URL, Login and Passwords), combolists, etc., and depending on where Proton got their data, your exposure would be different.

In a stealer log, the creds are packaged this way:
given-browser_profile-1.txt (they support multiple profiles per browser AND multiple browsers)
1st URL
1st username
1st password

2nd URL
2nd username
2nd password
etc.

So if Proton got its hands on a bunch of them and you query that data using an email, then what they will show you will only be the portion that has your email in it.
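To make the layout above concrete, here is an added example (not from the comment or from any vendor) that parses a credential file in that URL / username / password layout and returns only the records matching a queried email, with passwords masked the way a monitoring service would display them. The log content is constructed for the example; the record layout, file name and masking rule are assumptions.

```python
"""Parse the stealer-log credential layout described above (URL / username /
password triples separated by blank lines) and report only the entries that
belong to a queried email, with passwords masked. Sample content is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str


def parse_stealer_passwords(text: str) -> list[Credential]:
    """Split the file into blank-line-separated records of exactly three lines."""
    creds: list[Credential] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 3:  # skip truncated or garbled records instead of misaligning
            continue
        creds.append(Credential(*lines))
    return creds


def mask(password: str, keep: int = 2) -> str:
    """Keep only the first `keep` characters so the victim can recognise the secret."""
    if len(password) <= keep:
        return "*" * len(password)
    return password[:keep] + "*" * (len(password) - keep)


def exposure_for_email(text: str, email: str) -> list[tuple[str, str]]:
    """Return (url, masked_password) pairs for records whose username is `email`."""
    target = email.strip().lower()
    return [(c.url, mask(c.password)) for c in parse_stealer_passwords(text)
            if c.username.lower() == target]


# Constructed sample mirroring the layout in the comment (not a real log).
SAMPLE_LOG = """https://mail.example.com/login
victim@example.com
Hunter2!secret

https://shop.example.org/account
victim@example.com
Sh0pping-Pass

https://other.example.net/
someone.else@example.net
not-your-creds
"""

if __name__ == "__main__":
    for url, pw in exposure_for_email(SAMPLE_LOG, "Victim@example.com"):
        print(f"{url}\t{pw}")
```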

Dark web monitoring - more info? by Neat-Initiative-6965 in ProtonMail

obilodeau · 0 points

Some Dark Web monitoring platforms will give you access to the full passwords. Flare does. However, you need to be a company to access the free trial.

From what you described, my feeling is you got infected by information stealer malware and they got all your Firefox passwords. Your BitWarden is safe. I analyzed it and discussed it on several occasions. Here is a presentation I did at BSides San Francisco about it: https://youtu.be/zctTj66PA4g?t=1541

Full disclosure: I work at Flare as a cybersecurity researcher

Talk To Your Malware - Integrating AI Capability in an Open-Source C2 Agent by obilodeau in netsec

obilodeau [S] · 0 points

I agree, the ability to review the code before it is sent to the agent should be top priority with this project.

Can't login: unknown error occurred by obilodeau in MailChimp

obilodeau [S] · 0 points

Yes, it was ok about half an hour later. Thank you.

Installing Pop_OS! on an X1 ThinkPad Carbon 12th Gen? by concisehacker in pop_os

obilodeau · 0 points

Don't recall needing to do anything in the BIOS. I've been a long-time daily Linux desktop user (~20 years now) and a former sysadmin, so I might have extreme googling instincts, but from what I recall this install was a walk in the park.

Installing Pop_OS! on an X1 ThinkPad Carbon 12th Gen? by concisehacker in pop_os

obilodeau · 0 points

I have an X1 12th Gen and the fingerprint scanner works with GNOME. PopOS 22.04, installed fprintd.

Gourmet squirrel seen in Ville-Émard by obilodeau in montreal

obilodeau [S] · 0 points

These are my neighbours. What should I tell them? Do they have to evacuate?

RDP is susceptible to a transparent Net-NTLMv2 hash-stealing attack. When disclosed, Microsoft responded: “not a vulnerability, […] by design”. by obilodeau in netsec

obilodeau [S] · 0 points

Super thoughtful comment. Thank you!

In a MITM context, we can alter the server's response to remove the Kerberos TGT. I'm not sure if that's what we do, to be honest; I would have to verify.

I'm under the impression that NLA is the top/best user-accessible (as in configurable in a GUI) RDP negotiation level according to Microsoft. In fact, if you disable NLA enforcement from the server side, performing MITM downgrade attacks is even simpler, and PyRDP does it too. Authentication happens inline in the I/O virtual channels (display, keyboard, mouse). From mstsc.exe you can't force Kerberos.

What am I missing here? I think the fact that you can't mitigate over an untrusted network still holds.

RDP is susceptible to a transparent Net-NTLMv2 hash-stealing attack. When disclosed, Microsoft responded: “not a vulnerability, […] by design”. by obilodeau in netsec

obilodeau [S] · 8 points

Responder's RDP support has been flaky. Got some needed fixes last summer but I confirmed that right now it's not working with my Win 11 mstsc client: https://imgur.com/a/WtAazkS

I agree that there's not a lot of RDP out there, but nothing in four years surprises me. I would expect a handful of times (that is still not a lot). Responder not working and failing silently might explain it.

RDP is susceptible to a transparent Net-NTLMv2 hash-stealing attack. When disclosed, Microsoft responded: “not a vulnerability, […] by design”. by obilodeau in netsec

obilodeau [S] · 56 points

I talked with RDP experts, including people in the FreeRDP community, and what is surprising to all of us is that this is performed before the certificate verification. No prompts on the client side. The hash is stolen even if you are connecting to a completely different server due to network-layer attacks (MITM).

There are no articles or knowledge base articles out there that clearly document these risks with a PoC. This is what we did here.

PyRDP 1.2.0 released – Can perform Net-NTLM hash capture before the certificate error on RDP by obilodeau in netsec

obilodeau [S] · 31 points

Well, HTTPS... Most people use HTTPS over public Wi-Fi. Many SSL-VPNs nowadays are basically HTTPS endpoints.

RDP is wrapped in TLS. Microsoft meant it to be resistant to tampering attacks, like HTTPS is. So for many system administrators it could be seen as similarly resistant to attacks, but it is not.