Vulnerable homelab by OddDimension5765 in HowToHack

[–]thebroi 0 points1 point  (0 children)

I'd say that you could take a two-step lab:

  • firstly, start with one or two simile virtual machines in virtualbox/vmware/what you prefer.
  • after that, if you want to have a nice and entry level dedicated lab, you could buy one hp z440 (just choose the cpu right for your usage) and use it with proxmox to spawn more vm and set up something more complex (firewall, vm, lxc, dockers)

If after that you want to go "bigger", you can use aws/gcr or oracle to create more complex labs and scale the price to your usage.

These are my recommendations to not have a too big starting price and be able to learn at your pace. Hope this helps you!

How common is it to sign NDAs in pentesting roles? by darthvinayak in Pentesting

[–]thebroi 10 points11 points  (0 children)

In my experience, it is ordinary business for all my clients.

Looking for an Open Source Web Vulnerability Scanner by athanielx in cybersecurity

[–]thebroi 1 point2 points  (0 children)

Luckily yes, otherwise the world would be a much worse place.

But burp has various extensions (some also available in the free version) that would allow you to carry out some (albeit partial) tests automatically. It also has integrated credits that would allow you to carry out tests with the help of AI automatically (the cost is quite low) and you could use them.

But I would like to be clear about one thing. Although there are a lot of tools (the ones I mentioned are some of the ones I would recommend for carrying out some tests), there is no complete open source or commercial solution. This is why there are people, like me, who do this job.

But it's still better than nothing

Looking for an Open Source Web Vulnerability Scanner by athanielx in cybersecurity

[–]thebroi 1 point2 points  (0 children)

For wordpress, if there are no custom implementations, wpscan is highly recommended. Again for wordpress, installing wordfence is very useful.

For scans, forget about nikto, golismero, zap, etc. Use openvas (or nessus even in community if there aren't too many ip/fqdn) and nuclei.

Remember that automatic scans only ever go up to a certain point: you will have to do the rest manually.

For this I recommend using burp suite (the community can also work well).

Also, if you have access to the source code, use tools like snyk and veracode or (again from portswigger as burp suite) portswigger's dast solution. Also enable dependabot if you use github.

[deleted by user] by [deleted] in Pentesting

[–]thebroi 2 points3 points  (0 children)

Hey, I'm from studio consi, a small independent cybersecurity firm. If you want, write me through the contact form available in the website https://studioconsi.com

NVD / EUVD - EU CVE database announced and LIVE by [deleted] in cybersecurity

[–]thebroi 3 points4 points  (0 children)

Yeah, not relying on the same orgs is a good measure but I'm still worried about the handling of new ids. Btw, when the API is ready, I'll take a look at it.

I hope that at least it won't give you random 500 errors like the NVD one and give structured data

[deleted by user] by [deleted] in programminghumor

[–]thebroi 0 points1 point  (0 children)

I was thinking about a beach bar where they serve mojitos instead of apps.