/r/AskNetsec

Photograph via snooOG

Dedicated to those passionate about security.

A community built to knowledgeably answer questions related to information security in an enterprise, large organization, or SOHO context.

 

Questions on how to get started? Check out the following subs:

 

Question on issues regarding personal security? Check out the following subs:

Please read and abide by our Rules & Guidelines

/r/AskNetsec

213,915 Subscribers

1

if you click a link someone sends can they see your camera or your screen

if i clicked a link someone sent me can they see my camera and my screen? if someone’s hacked my phone how can i get them out (iphone 13)

0 Comments
2025/01/05
07:13 UTC

0

Web application avoid use burpsuite

Hello, I am writing to you to find out if you have any solution for this type of cases. I will give you 2 examples.

1.- Open the website https://facturadigitel.digitel.com.ve/ from a browser without burpsuite then open it with any browser where you have burp configured and even with the default one.

2.- Another website https://es.cam4.com/ .

For a moment I thought it might be the trick of checking the TLS version since in some sites where use is restricted you only have to use TLS version 1.3 and you already bypass the protection, but in these cases I don't know what to do.

8 Comments
2025/01/05
02:43 UTC

3

Recommended password auditing tool?

so its common knowledge that you shouldnt use the same password for everything. Unfortunately ive gotten lazy about it over the past year or so and now I want to go over all my passwords and change them up. Are there any tool you would recommend that can go through my saved passwords and mark recurring ones and helps me change them?

4 Comments
2025/01/04
21:04 UTC

1

Generate unknown category traffic for PA logs

Hey folks, quick question for you all. I have a splunk search that I built to query for any traffic that is categorized as unknown in the PA firewall logs, but I am not sure how to generate traffic that will be categorized as unknown so I can test this. I do have a Kali VM available to me in order to do anything I need to be able to test this. Any ideas would be greatly appreciated

0 Comments
2025/01/04
06:27 UTC

4

Automated DAST via Burpsuite Pro

First of all Happy new year to the great community.

I am looking to automate DAST in our CI/CD pipelines. I check ZAP but it is not comprehensive in detection when compared with BurpSuite.

BurpSuite professional doesn't supports large scale automation as their restapi has very limited functionality. They have a Enterprise version which is crazy expensive and uses the same engine.

I was taking look at this https://github.com/vmware/burp-rest-api, this worked perfect on older versions of Burpsuite till 2022.xx versions but with th lastest one it doesn't works. I have taken a look at Monotoya API to write scripts, but the problem is that it needs to be loaded and is not interactive like a restapi defeating the whole purpose of automation. I tried running a small server but it seems burp doesn't supports it.

Any thoughts/ workaround on this. Or any cost effective solution which doesn't limits on url scanned like most of them do

0 Comments
2025/01/04
05:47 UTC

2

Use-after-free vulnerabilities

I'm new to android kernel exploitation and decided to start with research on different vulnerabilities, CVEs and build from that. I settled on UAF, I've researched on how it works, the causes, mitigations and created a cpp code that is vulnerable. I'm now looking for somewhere I can practice exploiting and spotting it in code. Are there any sites or platforms with this? Any advice on how to proceed would be appreciated.

3 Comments
2025/01/04
01:29 UTC

1

Need Help Analyzing a PDF for Malicious JavaScript

Hey everyone,

I’m analyzing a suspicious PDF file and need some help determining if it contains malicious JavaScript. Here’s what I’ve done so far:

  1. Used pdfid and found /JS (but not /JavaScript), which suggests the presence of embedded JavaScript.
  2. Decompressed the PDF using qpdf and searched for /JS in the decompressed file, but couldn’t find anything.
  3. Tried pdf-parser and peepdf, but the results were inconclusive or overwhelming due to object streams (/ObjStm).

I suspect the JavaScript might be obfuscated, hidden in encoded streams, or event-driven (e.g., triggered by /OpenAction or /AA).

Can anyone help me:

  • Extract and analyze the JavaScript (if it exists)?
  • Identify if the PDF is malicious?

Here’s what I’ve tried so far:

  • Tools: pdfid, pdf-parser, qpdf, and strings.

If needed, I can share the file (via a secure method) for further analysis.

Thanks in advance for your help!

7 Comments
2025/01/03
23:32 UTC

3

Audit mechanism to detect Chrome "Glove Stealer" exploit?

I am looking for any insight or guidance to help me educate a security consultant we have enlisted to analyze an intrusion we had in a Google Workspace account of one of our directors.

Backstory:

One of our directors experienced an account intrusion in which the bad actor extracted all contacts and then proceeded to send out 2000 emails to those contacts in batches of about 200 recipients. The email sent directed recipients to open a document in HelloSign. Here are the specifics of the breach and my immediate analysis, sent to our cyber insurance agent and their security team:

------------------------------------
Short description: Google Workspace account was accessed by unknown actor and used to send phishing email to about 2000 recipients

  • Suspected exploit: Glove Stealer
    • Breached account was not prompted for 2FA even though it's in force for the Google Workspace domain
    • Google Workspace "suspicious login" alert was not triggered even though the login was performed from a geolocated IP several hundred miles away
    • For the duration of the breach (about 20 minutes from the time the first malicious email was sent), bad actor was replying directly from breached account to inquiries about legitimacy of the email from recipients and instructing them to click the link
  • Affected account was suspended immediately upon discovery of breach
  • During security incident post op, it was discovered that 2 actions were executed:
  • Based on evidence detailed above, alerts were enabled and tested to report ANY email blocking or Contact exports from all users
  • Threat actor made a second attempt to breach another account, and the alert reporting the blocked email provided a window to immediately suspend that account as well. Several attempts to access the second account have been made since it was suspended on 11/30, as reported by GW "failed login" alerts 
  • Date of incident: 11/27/2024, 11/30/2024
  • Date discovered: 11/27/2024, 11/30/2024   

------------------------------------------------

As I pointed out, there were no other indications or alerts that this account had been breached. My suspicion that Glove Stealer was the mechanism was just an educated guess. From what I can tell, there are no security tools yet available that could give me more concrete evidence that my conclusion is accurate.

As an added precaution, I also disabled the "remember this device" option, domain wide, in the Workspace admin console.

During this episode, users in our GW domain received similar emails from other orgs, which led me to believe there was a coordinated campaign to propagate this exploit and gain whatever data could be captured and used from the phishing emails.

For someone like me, a one person IT department for a sizeable non-profit, who doesn't have a lot of infosec training, this is nightmare fuel. Given the apparent absence of defense against this, I would imagine it keeps lots of sysadmins up at night as well.

TIA for any feedback on this.

20 Comments
2025/01/03
16:55 UTC

1

Seeking Roadmap & Mentorship: My Path to Becoming a CTI, Malware Analysis, and Dark Web Intel SME

Hi r/AskNetsec

I hope you're all doing well. This year, I’ve decided to focus heavily on improving my skill set in Cyber Threat Intelligence, malware analysis, dark web intelligence, and OSINT. I’ve already set up a FLARE VM and REMnux environment for malware analysis and have some foundational knowledge, but I want to go deeper and become a true subject-matter expert.
The problem is, GPT can give me broad topics to study, but i feel like i need some real mentorship or a roadmap from folks who've been there, done that,

Right now, I work in a SOC that doesn’t have a dedicated CTI function, and I’m hoping to change that by establishing or at least kickstarting that capability within the team. My ultimate goal is to track APT groups and their campaigns, perform robust malware analysis, and leverage dark web intelligence more effectively.

I am not good at articulating what I want, so I took help from GPT to make sure I'm asking the right questions that would help me out in this situation.
Here are my key concerns and the main areas where I’d appreciate the community’s insights:

  1. Roadmap & Structure
    • What would be a good learning roadmap for going from intermediate to advanced in CTI, malware analysis, and OSINT?
    • How do you bridge the gap between theory (e.g., reading about it) and hands-on practice that leads to real expertise?
  2. Resources & Courses
    • Which paid or free training programs, labs, or certifications provide the best return on investment?
    • Any specific courses or platforms you recommend for diving deeper into dark web intelligence?
  3. Building a CTI Function
    • For those who have implemented CTI capabilities in an organization without an existing structure, how did you approach it?
    • What are the first key steps to take when introducing CTI processes, tools, and frameworks to a SOC?
  4. Practical Application & Mentorship
    • How do I gain meaningful hands-on experience, especially with dark web investigations and advanced malware analysis?
    • Are there any mentorship programs, open-source projects, or community groups where I could collaborate with more experienced professionals?
  5. Overcoming Imposter Syndrome
    • I often struggle with feeling like I’m not “expert enough” to be in these areas—any advice on how to stay motivated and confident as I learn?
    • How do you stay current and validate your knowledge in such a rapidly evolving field?

I’m more than willing to invest time and resources into quality materials or structured courses if they’ll truly help me level up. Any guidance you can offer—whether it's about labs, communities, courses, or personal experiences—would be incredibly valuable.

Thank you in advance for any advice, suggestions, or mentorship opportunities you can provide. I’m excited to take this next step in my career and to contribute more effectively to my team’s security posture.

Looking forward to your insights!

1 Comment
2025/01/03
11:44 UTC

5

My Android TV Box no longer receives security updates. Is it a problem to continue using it if I restrict its access on my firewall?

I have a Chinese TV box certified by Google (SEI Robotics) that stopped receiving security updates in 2021. I set up a restrictive policy in Zenarmor and created a whitelist of domains to access YouTube and Netflix. It is connected via Ethernet and isolated from the rest of the network. Is this enough to keep using it, or has it already become a paperweight? If it has malware, could it bypass these defenses and access my network or leak my credentials?

I thought about buying another device, but from what I've researched, there’s nothing available that promises to receive security updates for a reasonable period (at least 10 years). I don’t want to make the same mistake again. Thank you!

9 Comments
2025/01/02
17:17 UTC

5

Professional PCAP analysis for intrusion detection

Are there any professional solutions for scanning pcap files in search of a possible intrusion into the network?

8 Comments
2025/01/02
15:49 UTC

0

How to detect a rootkit in the motherboard's BIOS or operating system?

I've been experiencing problems and headaches lately with sudden performance drops in certain applications I'm using, and honestly, I don't know what to do anymore. I've formatted and reinstalled the operating system (Windows 10) several times, but it didn't help. In addition to this performance drop, I notice strange things like quick screen flickers. I always keep the HW Monitor program open to monitor the system. One time, I was watching the computer idle and noticed that the 'program was maximized on its own,' the scrollbar started scrolling, and the screen with the CPU usage check 'opened by itself.' What kind of virus or malware could this be? How can I detect it? I've run Kaspersky several times, and it doesn't detect anything. I've never seen this behavior before, and I've been using computers for 20 years. Could it be a rootkit? If so, is it possible for this criminal to alter the functioning of specific programs or even limit the hardware's performance?

I was recommended this sub because there are more people accessing the same local network on other computers/devices. Could what I've been experiencing be a local network attack? If so, how can I protect myself?

15 Comments
2025/01/02
15:39 UTC

0

Taking Cyber classes

I am needing to encode my custom script to evade detection. But I am not allowed to use metasploit. any help would be awesome

Thanks,

3 Comments
2025/01/01
00:02 UTC

0

Was I correct in refusing QuickBooks access to my browser history and other personal information?

QuickBooks online no longer connects with my bank after an update by the bank.

In order to solve the issue, QuickBooks as to get on a zoom call and wanted me to share my screen while logging in to online banking so they could see my banking settings.

They wouldn't be able to see my password but would see my account numbers, BSBs and transactions.

When I refused, they asked for me to create a HAR file of my activities on the banking website.

I refused again to which they said "we'll delete the file when we're done"

This seems wildly irresponsible and makes me question using QuickBooks in the future.

Am I overreacting?

7 Comments
2024/12/28
23:54 UTC

76

Why is it so hard get an interview for cybersecurity jobs even though I have 2+ years experience. ?

I feel like Cybersecurity industry job market is very vague, maximum of the companies only selling their courses. Most of HR just ignore the resumes. It's tough to get a job in infosec, but at the same time I see very dumb people make it to good position in big cybersecurity companies.

I have applied to multiple companies even with referral I think it's hard to get interviewed.

107 Comments
2024/12/27
18:25 UTC

0

Ethical hacking learning material

Hi. I'm in my begginer Pen testing journey and haven't really had a platform where I can learn from experts. I get that hackthebox or tryhackme are more of lab work. I would love recommendations of platforms where I can learn. If possible free or not too costly. Thank you.

2 Comments
2024/12/27
17:29 UTC

0

Better alternative to free "virus scan" software?

Hi,

If you happened to be concerned that there was a possibility that a device in your possession had some sort of nefarious software installed, but you wanted to check with something more robust than free scanning software, what would you use? Any professional services that are more in depth than your typical free Norton security scan or something similar? Thanks for your help!

25 Comments
2024/12/27
14:05 UTC

0

How do you protect against Google dorking attacks?

I've been researching Google dorking techniques, and I'm curious how organizations actually defend against this. It seems like such a simple attack vector, but potentially devastating.

I wrote an article exploring some common techniques here: Article

But I'm really interested in hearing from those on the defensive side. What strategies have you found effective? Any particular tools or approaches you'd recommend?

7 Comments
2024/12/26
21:16 UTC

0

Uncovering Persistent Cyberattacks: Seeking Guidance on Rare Hacking Techniques.

I want to share a personal experience with the hope that someone here can guide me or provide information about a type of cyberattack that, as far as I know, is not well-documented online.

For years, I have been a victim of persistent hacking that has affected almost all my online activities. It started with seemingly strange but simple occurrences: unexpected mouse movements, password changes, and website modifications while I was browsing. At the time, I thought it was a virus and tried multiple solutions: formatting hard drives, reinstalling operating systems from scratch, switching to Linux (even Kali Linux), using VPNs, learning about firewalls, and setting up a firewall with pfSense. However, the problems persisted.

Eventually, I discovered that someone had physical access to my devices. After further investigation, I realized that the security breaches were related to default-enabled Windows services, such as SMB direct, port sharing and Somes windows system files compromised. These allowed a level of espionage that compromised all my personal information: emails, social media activity, financial data, job searches, and even travel planning.

What worries me most is the lack of available information about this type of hacking, which involves a combination of technical vulnerabilities and physical access. Additionally, I understand that in many regions, these activities are clearly illegal. It was only thanks to artificial intelligence that I was able to identify the main causes, but I still have many unanswered questions.

Has anyone in the group experienced something similar or knows where I could find more information about these types of attacks? I’m particularly interested in understanding why services like SMB are enabled by default and how they can be exploited in these contexts.

I appreciate any guidance or references you can share. I’m sure I’m not the only person affected by this, and I would love to learn more to protect myself and help others.

Thank you!

36 Comments
2024/12/25
01:57 UTC

0

Nmap Scan on my home network's public IP returned an open 2034 port with `tcpwrapped`. Should I be concerned?

So very recently I decided to start learning some new stuff. Very sorry if this is not the right place to ask this. I just wanted to go ahead and check what would happen if I ran the most basic nmap command on my public IP and got the following output:

sudo nmap -sV -O <ip>

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-21 04:59 CET

...

Stats: 0:05:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan

SYN Stealth Scan Timing: About 84.63% done; ETC: 05:06 (0:01:05 remaining)

Stats: 0:06:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan

SYN Stealth Scan Timing: About 85.23% done; ETC: 05:06 (0:01:05 remaining)

...

Stats: 0:14:37 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan

NSE Timing: About 0.00% done

Nmap scan report for ip

Host is up (0.0034s latency).

Not shown: 999 filtered tcp ports (no-response)

PORT STATE SERVICE VERSION

2034/tcp open tcpwrapped

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: WAP|phone|firewall

Running (JUST GUESSING): Linux 2.4.X|2.6.X (93%), Sony Ericsson embedded (92%), Fortinet embedded (85%)

OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz cpe:/h:fortinet:fortigate_100d

Aggressive OS guesses: Tomato 1.28 (Linux 2.4.20) (93%), Tomato firmware (Linux 2.6.22) (93%), Sony Ericsson U8i Vivaz mobile phone (92%), Fortinet FortiGate 100D firewall (85%), Fortinet FortiGate 1500D firewall (85%)

No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 878.84 seconds

Since then I tried running the scan again with both `sV` and `sS` and I am unable to reproduce it. Just getting `filtered scoremgr`. Is this something to be concerned about, or is this some kind of nmap false positive?

8 Comments
2024/12/21
05:25 UTC

6

WEC/WEF, Cribl, and the internet, oh my!

You all seem like the proper crowd to ask and get an opinion. I've recently taken on a new client who has Cribl setup in their environment for gathering up all their log data and then ship it off to a SIEM. They currently aren't gathering up windows logs from their client devices because laptops are going on and off network. Most users aren't reliably on VPN when off network since they use a lot of SaaS solutions which would cause a delay in logs until they connect to VPN or come into the office. They are using Defender for AV so there's no agent there to ship logs like if it was some next gen AV. I saw that Cribl supports WEC with authentication via certificates or kerberos.

My thinking is to spin up a Cribl worker in the DMZ, configure it for ingest via WEC, issues certs from the internal CA to load on the worker and the clients, and then open up the WEC port to the internet. Saying that please poke holes in my idea for security risks.

7 Comments
2024/12/20
21:57 UTC

2

Firewall activity log issue

I have a question about the Fastvue firewall system. Is it possible for a activity log to show a website being 'hit' when the user did not actually browse that site? There is an incident of a prohibited site being hit (and obviously blocked immediately) and the user in question definitely not browsing that site. Are there circumstances that might cause this to happen? Also, the system registered that there were 50 hits on this site over a 4 minute period. Isn't this unrealistic considering that the site is immediately blocked? Many thanks for any help offered.

6 Comments
2024/12/20
11:37 UTC

1

OpenVas scan not working

I have setup OpenVas on a Kali Linux VM. When attempting to run a scan of the vm, it goes through, however with 0 results. When i attempt to run a scan of the host machine, it is stuck at 0%.

I have made sure the feed status are updated.
I tried disabling firewall on the host while scanning but that didn't seem to change anything.
I've looked at the logs within /var/log/gvm/gvmd.log , but it only has task status update.

Any advice would be appreciated as I am still new to Vulnerability Assessment and this is my first time trying anything of the sort.

7 Comments
2024/12/20
05:19 UTC

0

How can I setup vulnerability management (not one time assessment) in my cybersecurity practice?

Hello everyone, i wanted to check what could be the perks of vulnerability management, instead of quarterly or annual vulnerability assessment checks? How can we achieve that? What are some points (in terms of roadblocks/challenges, team, tool/platform) should be considered before planning this? Can someone help me out here.

13 Comments
2024/12/19
19:34 UTC

6

New Windows Privilege Escalation Vulnerability!

A vulnerability in the Cloud Files Mini Filter Driver allows local attackers to escalate privileges on affected installations of Microsoft Windows: https://ssd-disclosure.com/ssd-advisory-cldflt-heap-based-overflow-pe/

0 Comments
2024/12/19
16:33 UTC

3

Google drive is somehow blocked even though I have open port for 443 traffic in firewall (Zyxell)

I have this strange behavior with not accessing the google drive. The infrastructure is debian. So I thought the problem was the dns. I changed my /etc/network/interfaces /etc/resolv.conf to use googles dns as third alternative.

Flushed the dns on my debian dns server with systemctl restart bind9. Some times for a slight second I could access the drive. But then the access disappeared. I have tried removing the cache in browser but it does not seem to work either. Also tried with chrome internal tools. But nothing there.

So the last option would be something with firewall. Found this . https://support.google.com/a/answer/2589954?hl=en

I am not very familiar with zyxell but do i need to add all these domain names to my firewall in adresses?

Edit:

This is the solution that worked for me but I am not sure. I took a look on the already existing rules and read some of the documentation. Some people use content filtering too. This works for me.

Steps to Allow Google Drive on ZyXEL

  1. Check Google Drive Connectivity:
    • Open a terminal and run: curl -v -k https://drive.google.com
    • This will help you check the connection and get the IP address for Google Drive.
  2. Add Google Drive to Address List:
    • Log in to your ZyXEL USG310 WebUI.
    • Navigate to Configuration > Object > Address > Address.
    • Click Create New Address.
    • Set the following:
      • Name: Google_Drive
      • Type: FQDN (Fully Qualified Domain Name)
      • FQDN: drive.google.com
    • Click OK to save the address.
  3. Create an Allow Rule:
    • Navigate to Configuration > Security Policy > Policy Control.

    • Click Create New Rule.

    • Set the following:

      • Name: Allow_Google_Drive
      • From: any
      • To: any
      • Source: any
      • Destination: Select Google_Drive from the list
      • Service: Make sure HTTPS is selected
      • Action: allow
      • Log: Enable if you want to track traffic
    • Click OK to save the rule.

3 Comments
2024/12/19
11:39 UTC

0

I want to give my grandparent an amazon echo. How should I protect it?

Because it's tied to my account, but I'll be leaving it in her assisted living facility, I want to make sure there's nothing she can do on accident (or the orderlies on purpose) to cause problems. I already have voice purchasing turned off. Are there other controls to worry about?

I can't turn on kids mode because then it would be restricted to kids only stuff.

16 Comments
2024/12/18
23:37 UTC

5

Will learning cyber defense or OSINT help with offense?

So I’m doing hack the box academy and was thinking once I get good enough at HTBA I could learn more OSINT or learn blue teaming on a different learning platform to improve my red teaming skills.

Is this a valid approach? Are any of these platforms good for this purpose to complement htba in a year or two when I get better at red teaming?

Here are the blue teaming/OSINT platforms I have found:

https://www.securityblue.team/

https://www.kasescenarios.com/

https://inteltechniques.com/

https://cyberdefenders.org/dashboard/

I heard all of those are credible but will they help with ethical hacking?

Also, how much will studying digital forensics and OSINT give me a better understanding of privacy, security, and anonymity online? In an interview on David Bombal’s YouTube channel, OccupyTheWeb said to be anonymous online you need to know both OSINT and digital forensics?

3 Comments
2024/12/18
08:21 UTC

2

Network homeland help

I am currently majoring in CS, but I am directing my focus towards cyber, networks, pen test and more. And I’ve been super interesting in building a home lab for these purposes ^. I was seeing that you can make use of an old desktop or computer as a server, using proxmox and more things. I’ve been doing research but I can’t seem to wrap my head around how this server can overview my other computers in which I will be deploying the VMs for pen, analysis. It’s more so mapping it, and figuring out the network scheme to see if it’s possible or if it makes any sense. Any help?

9 Comments
2024/12/17
21:37 UTC

6

Looking for a more affordable alternative to ZeroFox for Cyber Threat Intelligence and dark web monitoring

Hi everyone,
I’m a cybersecurity analyst for a mid-sized company, and we’re looking for a reliable but cost-effective solution for dark web monitoring. We recently tested ZeroFox, and while it’s excellent, it’s far too expensive for our budget.

Our main priorities are:

  • Monitoring dark web forums, marketplaces, and leaked databases
  • Identifying stolen credentials, sensitive company data, or impersonation attempts
  • Integrating the tool seamlessly via API or SaaS
  • Providing actionable alerts for potential threats

We don’t need an enterprise-level tool, just something solid that focuses on dark web intelligence and monitoring.

Are there any more affordable alternatives to ZeroFox that you’d recommend?

Thanks so much for any suggestions!

17 Comments
2024/12/17
12:31 UTC

Back To Top