/r/AskNetsec
Dedicated to those passionate about security.
A community built to knowledgeably answer questions related to information security in an enterprise, large organization, or SOHO context.
Hi,
It might be just a routine thing, but because of my recent experience with being hacked, I am just hyper vigilant about everything that feels off.
So, recently, like 20 days ago (23 Oct), I got hacked, basically session hijacked or something. Since then I formatted all my devices, Windows, Android, everything.... and reinstalled Windows 11...
Now, recently on 7th Nov I updated my Windows 11, and on 9th Nov when I opened all my Chrome profiles there was a prompt saying this:
```
"Microsoft Power Automate" added
Another program on your computer added an extension that may change the way Chrome works.
It can:
Access the page debugger backend
Read and change all your data on all websites
Communicate with cooperating native applications
Enable extension
Remove from Chrome
```
When I checked installed apps, there was an app called Power Automate Desktop with updated date `8th Nov`, along with other Microsoft apps.
I just want to be sure that it's normal and done by Microsoft rather than my device being compromised again.
This might be a no-brainer but I wanted to be 1000% sure. Basically, I wanna play GeForce Now at school and I want my Steam games on there but, obviously, I'd need to log in with my Steam account. I thought if I logged into my school GeForce account at home and linked my Steam account on my wifi and just never log in at school it would be okay? There's no way they even see it, right?
Hey Guys,
I'm currently busy with my graduation internship and I do research regarding the supply-chain security risks within our company. We also need to comply with the new NIS2 directive, which puts an emphasis on supply chain security.
Now for my first sub-question I focussed on explaining what NIS2 is, what it means for our company, etc. And then I focussed on selecting a cybersecurity framework which provides best practices / guidelines for conducting a risk assessment and also a (maybe the same) framework that specifies supply-chain controls so we can mitigate our risks.
I would like someone with some experience with NIS2 and frameworks such as NIST CSF, ISO 27001, etc., to read my research question and give me feedback!
Please leave a comment or send me a private message!
Hi everyone
I have been trying to put together a subdomain enumeration script, but I have been running into issues and noticed I didn't understand things in DNS. I was wondering if you could help me clear some stuff up.
What is the difference between DNS bruteforcing and resolution? If resolving means making sure the given host leads to a non-404 status code, then what does bruteforcing do?
I have been trying to figure out which tools among puredns, massdns and shuffledns to use, and I wonder if you guys are aware of some benchmarks out there or anecdotal experiences on the matter.
I tried massdns but I have run into extremely long times parsing the output at the end of the task; is there a workaround other than data refinement through the massdns TMP file?
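As an added illustration of the distinction asked about above (this is not code from the post or from any of the tools named), the script below separates DNS resolution (one question for one name, answered with records or a negative response, nothing to do with HTTP status codes) from brute forcing (generating candidate names from a wordlist and resolving each one), and includes the wildcard check that turns brute-force hits into noise if skipped. The resolver is injected and backed by a constructed zone with RFC 5737 documentation addresses so it runs offline; in Node you would pass something like `(n) => dns.promises.resolve4(n)` instead. The `parseSimpleRecords` line format (`<name>. <TYPE> <data>`) is my assumption of massdns' simple text output (`-o S`); it is offered as a way to read resolver output line by line rather than slurping it.

```javascript
// Added example, not from the post: DNS resolution vs. DNS brute forcing, with the
// resolver injected so the demo runs offline against a constructed zone.

// Constructed zone for demo.example (RFC 5737 documentation IPs). Names absent
// here get a negative answer, which Node's dns module reports as ENOTFOUND.
const FAKE_ZONE = {
  'demo.example': ['192.0.2.10'],
  'www.demo.example': ['192.0.2.10'],
  'mail.demo.example': ['198.51.100.25'],
  'dev.demo.example': ['203.0.113.5'],
};

// Resolution = one DNS question for one name. The answer is a set of records
// (or a negative response); it says nothing about HTTP status codes.
async function fakeResolve(name) {
  const key = name.toLowerCase().replace(/\.$/, '');
  if (key in FAKE_ZONE) return FAKE_ZONE[key];
  const err = new Error(`queryA ENOTFOUND ${name}`);
  err.code = 'ENOTFOUND'; // same code Node's dns module uses for NXDOMAIN
  throw err;
}

// The same zone with a wildcard (*.demo.example): every unknown label now gets an
// answer, the classic source of brute-force false positives.
async function fakeResolveWithWildcard(name) {
  try { return await fakeResolve(name); }
  catch (e) { if (name.endsWith('.demo.example')) return ['203.0.113.99']; throw e; }
}

// Resolve names you already know (from logs, CT logs, config) and keep the live ones.
async function resolveKnownNames(names, resolve) {
  const live = {};
  for (const n of names) {
    try { live[n] = await resolve(n); } catch (e) { if (e.code !== 'ENOTFOUND') throw e; }
  }
  return live;
}

// Brute forcing = generating candidates (wordlist x domain) and resolving each.
// First resolve a random label: if it answers, the zone has a wildcard, and any
// hit that returns that same answer is noise rather than a real host.
async function bruteForce(domain, wordlist, resolve) {
  const probe = `${Math.random().toString(36).slice(2, 14)}.${domain}`;
  let wildcardAnswer = null;
  try { wildcardAnswer = JSON.stringify(await resolve(probe)); } catch {}
  const found = {};
  for (const word of wordlist) {
    const candidate = `${word}.${domain}`;
    try {
      const answer = await resolve(candidate);
      if (JSON.stringify(answer) !== wildcardAnswer) found[candidate] = answer;
    } catch (e) { if (e.code !== 'ENOTFOUND') throw e; }
  }
  return { wildcard: wildcardAnswer !== null, found };
}

// Read resolver output one line at a time. Assumed format (massdns -o S style):
// "<name>. <TYPE> <data>". Unparseable lines are skipped, not fatal.
function parseSimpleRecords(text) {
  const byName = {};
  for (const line of text.split('\n')) {
    const m = /^(\S+?)\.?\s+(A|AAAA|CNAME)\s+(\S+)$/.exec(line.trim());
    if (!m) continue;
    (byName[m[1]] = byName[m[1]] || []).push({ type: m[2], data: m[3] });
  }
  return byName;
}

// Constructed sample of that output format.
const SAMPLE_OUTPUT = `www.demo.example. A 192.0.2.10
mail.demo.example. A 198.51.100.25
cdn.demo.example. CNAME edge.cdn.example.
`;
```

The wildcard probe is the step that matters most in practice: tools such as puredns exist largely to do that filtering at scale, and a script that skips it will report every word in the list as a "found" host against a wildcard zone.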
Does anyone know a web security scanner library (code-based) that supports => Python 3.11, but not like ZAPv2, because it needs a proxy?
I'm working on a JavaScript UI framework for personal projects and I'm trying to create something like a React hook that handles "encryption at rest".
The React hook is described in more detail here (https://positive-intentions.com/blog/async-state-management). I'm using it as a solution for state management. I'd like to extend its functionality to have encrypted persistent data. My approach is the following and it would be great if you could follow along and let me know if I'm doing something wrong. All advice is appreciated.
I'm using IndexedDB to store the data. I created some basic functionality to automatically persist and rehydrate data. I'm now investigating password-encrypting the data with JavaScript using the browser cryptography API.
I have a PR here (https://github.com/positive-intentions/dim/pull/8) you can test out on Codespaces or clone, but tl;dr: I encrypt before saving and decrypt when loading. This seems to be working as expected. I will also encrypt/decrypt the event listeners I'm using and this should keep it safe from anything like browser extensions listening to events.
The password is something never stored (not in a DB or local storage); the user will have to put it in themselves to be able to decrypt the data. I haven't created an input for this yet, so it's hardcoded. This is then used to encrypt/decrypt the data.
I would persist the unencrypted salt to IndexedDB because this is then used to generate the key.
I think I am almost done with this functionality, but I'd like advice on anything I've overlooked or things to keep in mind. I'd like to make the storage as secure as possible.
I feel that those are the common knowledge routes
I am logged into my school account only on chrome, and using my personal laptop but can they see other windows besides chrome even if I'm on home internet?
I have a weird little network setup at home for a little while today. I'm setting up a Netgear RS500 wifi router at home so I can take it to the local bar and install it for their customer's wifi.
For now, at home, the setup looks like this:
```
My Laptop
    | (via wifi)
    v
Netgear RS500          Unifi Access points
    |                         |
    v                         |
network switches <------------|
    |
    v
Sonic Wall
    |
    v
Comcast Modem
    |
    v
Teh Intertubes
```
The Netgear is just under test as I set it up, so hopefully I can just drop it in for its replacement at the bar. The Unifi APs implement my regular home network, and those internal switches also connect to other wired ethernet devices throughout the house.
In this configuration, I don't expect that the Netgear router is visible to the outside world by any path, at all.
But the logs on the Netgear router show some concerning activity:
```
[Internet connected] IP address: 192.168.0.114, Thursday, November 07, 2024 17:42:38
[remote login] from source 127.0.0.1, Thursday, November 07, 2024 17:36:36
[DoS Attack: RST Scan] from source: 3.165.160.121, port 443, Thursday, November 07, 2024 17:33:53
[DoS Attack: RST Scan] from source: 198.35.26.112, port 443, Thursday, November 07, 2024 17:33:11
[Internet connected] IP address: 192.168.0.114, Thursday, November 07, 2024 17:12:39
[DHCP IP: 192.168.1.3][Device Name: SLIVER] to MAC address 74:04:f1:43:86:86, Thursday, November 07, 2024 16:52:38
[DHCP IP: 192.168.1.3][Device Name: SLIVER] to MAC address 74:04:f1:43:86:86, Thursday, November 07, 2024 16:48:58
[DHCP IP: 192.168.1.3][Device Name: SLIVER] to MAC address 74:04:f1:43:86:86, Thursday, November 07, 2024 16:44:34
[remote login] from source 127.0.0.1, Thursday, November 07, 2024 16:44:00
[DoS Attack: RST Scan] from source: 13.224.14.90, port 443, Thursday, November 07, 2024 16:43:37
[DHCP IP: 192.168.1.3][Device Name: SLIVER] to MAC address 74:04:f1:43:86:86, Thursday, November 07, 2024 16:43:35
[Time synchronized with NTP server] Thursday, November 07, 2024 16:42:50
[Internet connected] IP address: 192.168.0.114, Thursday, November 07, 2024 16:42:38
[Time synchronized with NTP server] Thursday, November 07, 2024 16:42:19
[Internet connected] IP address: 192.168.0.114, Thursday, November 07, 2024 16:42:17
[Initialized, firmware version: V1.0.1.60] Thursday, November 07, 2024 16:42:15
```
How could it be that devices in 3.165.160.121 and 198.35.26.112 could hit the Netgear's upstream port? It's behind the Sonic Wall, so how would foreign 443 traffic ever get through?
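As an added example (my code, not the poster's or Netgear's), here is a small parser that reads the log lines quoted above and pulls out the facts that bear on the question: the WAN address the router got, where the "remote login" entries came from, what port the "DoS Attack" packets came *from*, and which LAN client the DHCP lines belong to. The triage logic encodes two checks a practitioner would make. A WAN address in a private range means another NAT device sits in front of the router, so nothing on the internet can reach it unsolicited. And a packet whose source port is 443 comes from a remote server's HTTPS listener; behind an upstream NAT with no port forward the only way such a packet arrives is as part of a session a LAN client opened, so the `likelyReplyTraffic` flag marks those alerts as the router's RST heuristic firing on ordinary connection teardown rather than on inbound probing. The function names and the `likelyReplyTraffic` heuristic are mine; the log lines are the ones from the post.

```javascript
// Added example, not from the post: parse the Netgear log lines quoted above and
// extract what bears on "can outsiders reach this router?".

// The log lines from the post, embedded so the script runs offline.
const SAMPLE_LOG = `[Internet connected] IP address: 192.168.0.114, Thursday, November 07, 2024 17:42:38
[remote login] from source 127.0.0.1, Thursday, November 07, 2024 17:36:36
[DoS Attack: RST Scan] from source: 3.165.160.121, port 443, Thursday, November 07, 2024 17:33:53
[DoS Attack: RST Scan] from source: 198.35.26.112, port 443, Thursday, November 07, 2024 17:33:11
[Internet connected] IP address: 192.168.0.114, Thursday, November 07, 2024 17:12:39
[DHCP IP: 192.168.1.3][Device Name: SLIVER] to MAC address 74:04:f1:43:86:86, Thursday, November 07, 2024 16:52:38
[DHCP IP: 192.168.1.3][Device Name: SLIVER] to MAC address 74:04:f1:43:86:86, Thursday, November 07, 2024 16:48:58
[DHCP IP: 192.168.1.3][Device Name: SLIVER] to MAC address 74:04:f1:43:86:86, Thursday, November 07, 2024 16:44:34
[remote login] from source 127.0.0.1, Thursday, November 07, 2024 16:44:00
[DoS Attack: RST Scan] from source: 13.224.14.90, port 443, Thursday, November 07, 2024 16:43:37
[DHCP IP: 192.168.1.3][Device Name: SLIVER] to MAC address 74:04:f1:43:86:86, Thursday, November 07, 2024 16:43:35
[Time synchronized with NTP server] Thursday, November 07, 2024 16:42:50
[Internet connected] IP address: 192.168.0.114, Thursday, November 07, 2024 16:42:38
[Time synchronized with NTP server] Thursday, November 07, 2024 16:42:19
[Internet connected] IP address: 192.168.0.114, Thursday, November 07, 2024 16:42:17
[Initialized, firmware version: V1.0.1.60] Thursday, November 07, 2024 16:42:15`;

// "[tag] rest, Weekday, Month DD, YYYY HH:MM:SS" (the comma before the date is
// absent on some lines, hence ",?").
const LINE_RE = /^\[([^\]]+)\]\s*(.*?)\s*,?\s*((?:Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day, \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})$/;
const ipIn = (s) => (/(\d{1,3}(?:\.\d{1,3}){3})/.exec(s) || [])[1] || null;

// RFC 1918 ranges plus loopback: addresses that are never routed on the internet.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || a === 127;
}

function parseNetgearLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;
    const [, tag, rest, time] = m;
    const e = { kind: 'other', tag, time, ip: null, port: null, mac: null, name: null };
    if (tag.startsWith('Internet connected')) { e.kind = 'wan_up'; e.ip = ipIn(rest); }
    else if (tag.startsWith('remote login')) { e.kind = 'remote_login'; e.ip = ipIn(rest); }
    else if (tag.startsWith('DoS Attack')) {
      e.kind = 'dos_alert'; e.ip = ipIn(rest);
      const p = /port (\d+)/.exec(rest); e.port = p ? Number(p[1]) : null;
    } else if (tag.startsWith('DHCP IP')) {
      e.kind = 'dhcp_lease'; e.ip = ipIn(tag);
      e.mac = (/MAC address ([0-9a-f:]{17})/i.exec(rest) || [])[1] || null;
      e.name = (/Device Name: ([^\]]+)\]/.exec(rest) || [])[1] || null;
    }
    events.push(e);
  }
  return events;
}

function triageNetgearLog(text) {
  const events = parseNetgearLog(text);
  const wanIps = [...new Set(events.filter((e) => e.kind === 'wan_up').map((e) => e.ip))];
  const remoteLogins = events.filter((e) => e.kind === 'remote_login').map((e) => ({
    time: e.time, ip: e.ip,
    fromRouterItself: e.ip.startsWith('127.'),   // loopback = a process on the router, not the network
  }));
  const dosAlerts = events.filter((e) => e.kind === 'dos_alert').map((e) => ({
    time: e.time, ip: e.ip, port: e.port,
    // Source port 443/80 = a web server's listener. Behind an upstream NAT it can
    // only arrive inside a session a LAN client opened: reply traffic, not a probe.
    likelyReplyTraffic: e.port === 443 || e.port === 80,
  }));
  const lanClients = {};
  for (const e of events.filter((e) => e.kind === 'dhcp_lease')) {
    lanClients[e.mac] = lanClients[e.mac] || { ip: e.ip, name: e.name, leases: 0 };
    lanClients[e.mac].leases += 1;
  }
  return {
    wanIps,
    doubleNat: wanIps.length > 0 && wanIps.every(isPrivateIPv4), // another NAT sits in front
    remoteLogins,
    dosAlerts,
    unsolicitedInbound: dosAlerts.filter((a) => !a.likelyReplyTraffic).length,
    lanClients,
  };
}
```

Run against the lines from the post, the triage reports a private WAN address (so the router is double-NATed behind the SonicWall), both "remote login" entries originating on the router's own loopback interface, and all three "DoS Attack" entries coming from port 443 with no alert left in the unsolicited bucket.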
If they are able to target specific people and tap their phones, aren’t all phones vulnerable? How can someone prevent this?
I'll be honest, I would use it so I can get infinite free trials.
Preferably anything that would let me sign into it (so I can verify stuff) and will self-destruct after a time that **I** can set.
thanks for any help
Hi guys,
Recently my company has put together a document with all the security requirements that applications must meet to be considered "mature" and compliant with the company's risk appetite. The main issue is that all applications (way too many to do this process manually) should be evaluated to provide a clearer view of the security maturity.
With this scenario in mind, how can I automate the process of validating each and every application against the security policy? As an example, some of the points include the use of authentication best practices, rate limiting, secure data transmission and others.
I know that there are some projects, such as OWASP's ASVS, that theoretically could be verified automatically. At least level 1. Has anyone done that? Was it simple to set up with ZAP?
Please explain. I used an Indian RAT to build an apk. I used No-IP DDNS because I have a dynamic IP. Also I used port 22222. Now I wanted it to be attached to an image file or whatever file it can attach to with binders like fatrat and make it clean under antivirus. What software is the simplest, is there a way to do it? Please help. After I generate the apk, what file should I bind it with and how does the binding process work in general, because it itself is asking me the lhost and lport, so is it a double connection? The Indian-built RAT I am using is Droid spy. What would be the right approach to doing this thing? Like what will be the right stack that gives me this functionality?
Hello, when I download an XML report output from the interface, it contains around 82,000 lines, but when I try to download it using gvm-cli, I can only get about 22,000 lines. It seems as though the report format might be applying its own filters. After importing a different XML report and saving it, what steps do I need to take for the trust phase? Alternatively, how can I modify my command to ensure I retrieve the full output? Is it possible that it's timing out or limited to fetching only up to 1,000 rows?
I have tried using separate commands for High, Low, and Medium levels, but the report content did not change. Here is the command I’m using to try to retrieve all data:
```
--xml '<get_reports report_id="299481b1-8af8-4afb-bb04-8547375f7477" format_id="a994b278-1f62-11e1-96ac-406186ea4fc5" details="1" rows="-1" ignore_pagination="1" levels="hmlf" />' > last-3.xml
```
If I run the following nmap scan,
```
nmap 192.168.1.254
```
I get
```
Starting Nmap 7.92 ( https://nmap.org ) at 2024-11-06 22:12 CET
Nmap scan report for _gateway (192.168.1.254)
Host is up (0.0090s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
445/tcp  open  microsoft-ds
554/tcp  open  rtsp
5357/tcp open  wsdapi
5678/tcp open  rrac
8090/tcp open  opsmessaging
9091/tcp open  xmltec-xmlmail
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
```
I tried logging into the admin portal but it barely has any configuration options. Just wondering if any of this is susceptible to being hacked by people on the internet and how I can test for security holes.
Thank you!
Hi! So I have my external ports and firewall set up and secured using a combination of crowdsec, tailscale, and cloudflare.
I want to protect against brute force attacks coming from inside the network (LAN, internal IPs) as well. Is there a way to do this? Or am I misguided in even wanting to?
I'm currently doing an assessment on security and I want to use WannaCry as an example of ransomware, just wondering if anyone knows if it actually loses your data if you didn't pay. I couldn't seem to find any examples online so I thought I would ask here.
I'm planning on setting up a drive with some VMs with different OS's that I could practice on, but I don't know where to start.
I would appreciate if you could share some knowledge, videos, articles, etc
Let's say I have a PC that is infected with malware (Riot Vanguard, the anti-cheat software). This PC connects to network Z.
I also have other devices such as my phone, that is connected to network Z
Question is, what can this PC do to my phone? Can it infect it also?
Security for Open source projects
Hello,
I’ve been asked to plan to implement a security assessment on an open source project and implement security controls and security best practices for open source.
Does anyone have any experience securing open source projects. If so any ideas?
Thanks
Hi all
Looking for advice. I have an environment I need to expose to select (external) users over the internet. The end goal is to provide them with an RDP session to a server. I'm currently using WireGuard VPN, giving out a config to the users that allows them to connect to the environment's network and launch a local RDP client with the proposed server details.
It works fine for the most part, but some of the users complain that they have no control over their workstations and wireguard client does not play well without admin rights.
Is there any easy/free way of exposing RDP securely in some other way? Some sort of HTTPS broker so that the client side could use a plain browser to connect to the service?
If you use Google, it's via SSL https. So the ISP can't see your searches. How come we read stories of criminals getting busted for their google searches like "how to hide a body" etc? Other than the police confiscating the computer / doing data recovery on browsing history etc.
Having learned about IMEIs, I decided to give it to imei-tracker.com to see whether the website can really track it.
It didn't, and instead it asked me to do "something else", after which I immediately closed the site. What can they do with my IMEI? Ideally I'd assume that because it doesn't identify my SIM, I'm pretty safe. Am I wrong?
I had a meeting with a Microsoft representative today who talked extensively about threat hunting through automation, specifically through AI, machine learning, enrichment, and general automation in Defender. He emphasized how these technologies could streamline many repetitive tasks in threat detection, enabling faster response times and allowing hunters to focus on more complex, nuanced investigations. I somewhat agree - automation is certainly important, but it’s not a silver bullet. So, is automation really what it’s all about?
Interestingly, the representative wasn’t very supportive of aspiring hunters learning the manual procedures of hunting; in his view, automation was the only way forward. This raises important questions: does relying solely on automation risk losing the critical skills and intuition that come from hands-on experience, or is automation truly the future of effective threat hunting?
For context, I work as a threat hunter myself. I’ve hunted mainly using Elastic, OpenSearch, and QRadar—and, in recent years, in Defender as well. Curious to know your views on the questions above
Evaluating vulnerability scanners for a hybrid setup—leaning towards Nessus Expert (50% off on Black Friday) for its unlimited host scanning and FQDN capabilities.
Options I am considering: Nessus Expert, Tenable Cloud/Security Center, Qualys, InsightVM.
Currently using SentinelOne but need something stronger for misconfigurations, like default passwords and permissions. I prefer agent-based scans for authenticated results, but worry about SSH security on laptops/servers. We need to scan in AWS, on-prem and remote employee endpoints, which keep on moving.
Trivy handles container scans well, so it’s not a priority. Cost matters—Nessus is pricey ($57/agent), while Qualys seems cheaper. Looking for advice on effectiveness vs. cost in a hybrid setup.
Were there any ransomware attacks that used keyloggers to help infiltrate a network?
Hey all,
I’m working on a MITM tool tailored for real-time mobile traffic analysis that might fill some gaps left by existing options like mitmproxy or Charles. Here’s the pitch:
VPN-Based Setup: The tool works via a VPN configuration that includes an automatic certificate installation process, so there’s no need to be on the same local network as the target device. This makes setup easy, even for mobile testing on the go.
MITM Proxy-Style UI: Users get access to a familiar proxy-style interface displaying all captured requests in real time, with filtering and sorting options.
I’m interested in feedback from those who regularly use tools like mitmproxy or Burp. What features or pain points could this address? Would the VPN setup be valuable in your work?
Thanks in advance for any insights!
Hello! I recently passed my CompTIA Security+ exam, and I'm looking for opportunities to gain hands-on experience through an internship. Does anyone know of any sites or places where I could apply? Also, if you have any advice for someone just starting out in cybersecurity, I’d really appreciate it. Thank you!
Other than standard password settings. I’ve never really thought about this type of security. Should any settings be set other than basic password settings?
Hey everyone!
I'm about to start this two-year cybersecurity program, kinda like an associate degree. It includes a mandatory internship and might lead to a job after, which is awesome, but I know there's a lot to learn and I want to be ready.
Anyone got any tips on how to make the most of this program? Like, I want to really get hands-on with stuff. Specifically, looking for:
Any advice would be awesome—thanks in advance!