iamnoxtras

Unfortunately, I got some other problems with the nano:( When a client connects and tries to do anything eventually the browser returns: DNS lookup failed...I've tried installing the DNS spoof module, but not even that site is loading. Anyone had this problem before? I also tried to spoof the AP's MAC, and then no client could connect/the nano disappeared from the list of available APs from the client...

MarcSThe1st: as saf mentioned, that would be the endgame of this. I know the MAC and password of the AP so a successful 4-way handshake can be made and the client would not suspect anything. This is also possible in a 'real' scenario, cause the MAC of the AP is known to all, and the WPA2 password could be 'derived' by other means. skib: no 4. Also happened to me. But it does connect sometimes.. still didn't figured it out what I did to make it connect, though...

thank you. Do you know if there are SDRs that can get a signal >2 GHz

Hi, Sorry to hijack the discussion, I just have an antenna related question: Can the Basic SDR dongle receive any signals, even > 1700 , if I add some other antenna (like a 2100 MHz one) to it, or is it software/hardware limited?

Q: Can the Nano spoof an SSID with password? Cause when I start it up, my phone alerts me that there is an open wifi, but it's not connecting automatically... so can it be configured to 'just get' the traffic from the real router and show the same WPA2 connection? (now I have my router with WPA2 and the nano, same SSID, but no WPA2) Q: Can't the Pineapple ask for WPA2 password from the client?

Masscan scans the entire internet in 3 minutes (per port) with two 10Gbps ports and no limiting from your provider:) http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html

watching today's episode, I found a utility for this? I could change the code a little, add it to a ducky, run it with &, and voila.. an almost invisible web server waiting for all my commands:) I could then just call up the IP, ask for any file, and execute any command directly from a browser... Granted. The logged in user does need to be root.... maybe someone can find a way to circumvent this?

wel,, it's just a novelty thing... proof of concept. It adheres to standards to the extent that it send the browser correct mime type and connection type and content length...that is all browsers need.

Hi. Good idea, I'm uploading the code to github to: https://github.com/noxtras/bashserver It doesn't have any real uses. I just thought it's cool to write a webserver:) I will now create a simple one in C:)

Recently came across a bash only web server (using netcat) at http://paulbuchheit.blogspot.ro/2007/04/webserver-in-bash.html I fiddled a little with it and turned it into a decent web server, with server logs and all. (no IP captured, just the query string and timestamp) It supports file downloads, it servers static html, PHP, Python and binary files with arguments (GET). It checks for 404 errors and it keeps a server log. Fun facts: 5 times slower then nginx (for a single user) executes binary faster then displays static content php is the slowest :) php files need to be .php python files .py binaries .cb (C binary:) ) It's great if you just need a server for a short period of time and don't need security... It only works on Linux. (I've tested it under ubuntu) I had great fun working on it. I hope you'll have as much fun with it as had. If you find an use for it, drop me a line. server.zip

yeap, mitm attack is possible if i'm using the IP... for those , like me, who didn't know here's a nice tutorial: http://www.youtube.com/watch?v=-hd7XG-b6uk&list=TL61k0R0Lah-k

Thanks for the info! I just read an article about MiTM on https, so that would be possible. Indeed a master key defeats the purpose of SSL.. I think I just realized what journalists are talking about the NSA wanting a 'master key' from providers... Do they just mean 'master key' (of a hotel for example) like a backdoor? So it's not a decryption master key, but a backdoor of any kind.... Java had a lot of problems last year and people are not used to update Java so when a security bug is found, it can be exploited for a long time.... About the VPN part, the thing is I'm a decent server side programmer in python, php, nodejs, creating a custom, secure, VPN client would require someone with at least as much experience in c++ as I have in scripting languages. Is a MiTM attack possible if I'm using just an IP, no domain name? I know a domain name can be easily spoofed, but an IP address? I know searching will be a problem. I watched the latest episode of Foundation, and the founder of Evernote has the same problem with encrypted notes.. I think for now, I'll create an index, with subject, sender, date, has attachment. You can search your emails (sort of) and your data is still secure.

Well, the NSA can also ask for the current master key. My question was if a master key does exist in the first place...and if it's possible to snoop SSL traffic, with or without a master key.

Hi Midnite, can I call you Snake?:) I don't think it's a conspiracy theory, I was reading somewhere that one of the authorities was hacked about a year ago and the end result was that the hackers could say that they are site X or site Y that had a certificate issued by that authority... That said, I have no idea where to start researching on this. With Lavabit gone, I want to start a new secure email alternative (hosted in Germany or locally here in RO - thou, Romania is a BIG kiss ass for the US, so don't know how long till the local police would take these servers down) and I do mean secure: I would recommend users to use the secure site by IP (to avoid DNS takeovers..or what are they called) and to had just a server signed certificate (this is the problematic part of the service). If the Cert authorities DO have a master key, then this will be the only safe choice (self signed cert), however if someone that feels at home with SSL can confirm that the NSA can only hack the 4k key...they the service would be easier to use.

Hello! Does anyone know how can the NSA spy on https traffic? As far as I know (Please correct me if I'm wrong), a SSL certificate has a public key, a private key and the issuer has a MASTER key? And that key is used by the NSA to listen to https traffic? What about a https connection without a 'certified' SSL certificate? When my server generates it, it only has a pair of keys, no MASTER key..... Does this mean that this type of a https connection is safer then one with a Verisign issues certificate? Why does Darren keep saying that https is not that secure, and a VPN is more secure.. only because the data can be compromised at the receiving end? Looking forward for an enlightening discussion.