The folks that run the website RTL-SDR have a comprehensive list of all the software defined radio (SDR) software, both commercial and free. That list can be found here:
Default password lists
I’ve decided to centralize the default password lists for multiple vendors. I’m making this a sticky post and will update this list when as I find these types of sites:
* http://bit.ly/2S6SToW – NETGEAR Default Password List
* http://bit.ly/2S37j9u – Linksys Default Password List
* http://bit.ly/2S3gPJV – D-Link Default Password List
* http://bit.ly/2S8KWzJ – Cisco Default Password List
* http://bit.ly/2S37FwQ – Default Router Usernames and Passwords (multiple vendors)
* http://bit.ly/2HrgT3O – Telnet, MySQL and other Linux and Windows service passwords courtesy of n0tazombie.
Always available CTF Labs
I have identified the following CTF labs which are 24/7 and most if not all are free:
* Immersive Labs: https://immersivelabs.online
* pwnable.xyz (good for people new to CTF): https://pwnable.xyz/
* 365 CSAW: https://365.csaw.io
* CTF101: https://ctf101.org/
* Shellter Hacking Express: https://shellterlabs.com/en/contests/
* Backdoor: https://backdoor.sdslabs.co/
* ShellWePlayAGame?: https://shellweplayagame.org/
* RootMe: https://www.root-me.org/?lang=en
* OverTheWire: https://overthewire.org/wargames/
* Virginia Cyber Range: https://portal.virginiacyberrange.net/
* Hack The Box: https://www.hackthebox.eu/
* FuzzyLand: https://fuzzy.land/
* Hacking Lab: https://www.hacking-lab.com/index.html
To everyone that made me aware of these thank you!
Article: 15 Ways to Bypass the PowerShell Execution Policy
I ran across this awesome article discussing different ways you can disable and/or bypass the execution policy in PowerShell. Turns out they found 15 of them! This is critical when you are performing penetration tests and using techniques such as “living off the land”.
Article: Amazon confirms it keeps your Alexa recordings basically forever
Well it turns out the folks wearing tin foil hats were right about this! Now if only Facebook would admit it’s tapping my cell phone mic to generate advertisements on my Wall… 😉
Burp Suite now supports WebSockets
While I was trolling around on Twitter this morning PortSwigger tweeted about their latest release of Burp Suite which now supports intercepting WebSockets. Check out their release note regarding v2.1.01. This feature also appears to be in the Community version as well as their Professional version:
Articles: Women in Security
To all the female engineers in information security, here’s are some articles regarding women working in technology. Most of the articles are inspiring while others show how far women have come in technology but also there’s still a lot that needs to be addressed before women get the recognition that they deserve in this field.
Article: New Silex malware is bricking IoT devices, has scary plans
If you haven’t changed your IoT devices credentials from their defaults, you should! This botnet is using default credentials to take over the IoT device and corrupts the embedded Linux operating system by overwriting it’s storage, dropping the firewall, etc. To get it back up and running you will need to re-flash the firmware in most of the cases.
https://www.zdnet.com/article/new-silex-malware-is-bricking-iot-devices-has-scary-plans/
Article: US cyber forces struck Iranian military: report
The US has opted to make the first strike be cyber and not kinetic against Iran for shooting down an unmanned drone. This just goes to show you that cyber-warfare is here to stay.
https://thehill.com/policy/cybersecurity/449908-us-cyber-forces-struck-iranian-military-report
OWASP releases Zed Attack Proxy v2.8.0
OWASP has just release their latest version of the Zed Attack Proxy (ZAP or ZAProxy for short) intercepting proxy. This is an open source and free competitor to PortSwigger’s BurpSuite. I have taken the liberty of cloning the repo and you can find it here:
https://github.com/h0w1tzr/zaproxy
You can also download their pre-compiled installers for Windows, macOS and Linux here:
Article: BGP event sends European mobile traffic through China Telecom for 2 hours
I just found this article that is definitely concerning to me as a network engineer.
A similar technique was also presented at DEFCON 16.
Article: Sad SACK: Linux PCs, servers, gadgets can be crashed by ‘Ping of Death’ network packets
Reading the write up on this vulnerability and current PoC exploits it looks like this is at most an annoying DoS that won’t lead to remote code execution at least:
https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/