Hak5 Forums


Global Moderators
About digininja

Profile Information

  • Location
    Sheffield, UK
  • Interests
    Hacking, Coding, Climbing

  1. digininja

    Malware distribution technics?

    Homework question?
  2. digininja

    Offline app with 2FA

    Your original question was about licencing your software, 2FA is about authenticating users, they are two different things.

    Anything you do that is purely client side can be cracked, whether it is a basic password, USB token, 2FA codes (which are just passwords if you think about it), anything. They are cracked either by modifying the software and disabling the check or by working out how codes are generated and creating a code generator. If your 2FA codes are just MD5 of the current timestamp then I can create an app to generate a code whenever I want to.

    My suggestion for fingerprinting for licencing is just as vulnerable as a USB token except it requires one less USB port and can't get lost in a desk drawer or pinched by your kids to play with.

    "Do not copy/reuse any code (especially authentication part) from other softwares, this will make you more vulnerable."

    I'd disagree with this, find a project which is specifically written to do whatever you want and use that. No offence meant, but it doesn't sound like you are an expert in this area and so trying to roll your own authentication or licencing is probably going to end badly. It might not get hacked as no one might care, but the code probably won't be the best.
  3. digininja

    Offline app with 2FA

    Give us some more information, who mentioned it, is there some context?
  4. digininja

    So I pissed off the feds ...

    I'd burn it all down and move house, sounds like they've got you well and truly in their grasp and are unlikely to let go. With pin hole cameras there could be one in every nail and screw head in your apartment and you'd never know unless the doors fell off the cupboards because they used cameras instead of nails, that might give it away. I'd also stay off the Raspberry Pi, did you know that if you sum up the ASCII values of all the letters in the name you get 745 which is the year Kulun Beg died and I think we all know what that means.
  5. digininja

    Offline server authenticating method

    Most solutions like this will take a fingerprint of the installation then require an initial internet connection to sign that fingerprint. The app checks the fingerprint when starting up and fails if it doesn't match. If you can't get that initial internet connection you give the user a text file with the fingerprint in it and they then have to get it onto the internet where they send it to you, you sign it and send back the hash, they input the hash and all is good to go. You just have to be careful about what you fingerprint, too little and it can be cloned, too much and small tweaks to the machine break it. You can also build expiry dates into this so the app expires but that relies on them having a working and up to date clock on the machine.
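
The offline activation flow described in the post above, as an added example that is not part of the original post or any product's code. It assumes an Ed25519 signature as the signed value sent back to the user; the function names and the fingerprint attributes are hypothetical, and the sample values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Fingerprint hashes the chosen machine attributes. Too few attributes can be
// cloned; too many and small tweaks to the machine break the licence.
func Fingerprint(attrs ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(attrs, "\x00")))
	return hex.EncodeToString(sum[:])
}

// payload binds the fingerprint to the expiry date so neither can be swapped.
func payload(fp string, expires time.Time) []byte {
	return []byte(fp + "|" + expires.UTC().Format(time.RFC3339))
}

// Issue runs on the vendor side and signs the fingerprint the user sent in.
func Issue(priv ed25519.PrivateKey, fp string, expires time.Time) string {
	return hex.EncodeToString(ed25519.Sign(priv, payload(fp, expires)))
}

// Check runs in the app at start-up; only the public key ships with the app.
// now comes from the local clock, so expiry is only as good as that clock.
func Check(pub ed25519.PublicKey, localFP, licence string, expires, now time.Time) error {
	sig, err := hex.DecodeString(licence)
	if err != nil || !ed25519.Verify(pub, payload(localFP, expires), sig) {
		return fmt.Errorf("licence does not match this installation")
	}
	if now.After(expires) {
		return fmt.Errorf("licence expired")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair; priv never leaves the vendor
	fp := Fingerprint("board-serial:CONSTRUCTED-123", "disk-uuid:CONSTRUCTED-abc")
	exp := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	lic := Issue(priv, fp, exp) // sent back to the user as text
	fmt.Println(Check(pub, fp, lic, exp, time.Now()))
}
```

The check still runs on the client, so it can be patched out like any other client-side check; the signature only stops a licence being forged or moved to a machine with a different fingerprint.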
  6. digininja

    Pen Testing

    Have you tried going back to your testers? They should give you full support after the test not just deliver a report and walk away. You can ask if you want though.
  7. digininja

    OSINT on individuals

    Find @webbreacher on Twitter, he is king of OSINT and regularly publishes stuff about it.
  8. digininja

    I found a Pineapple in landlord's utility closet

    A different way to look at this, call the device X.

    Is X the main AP for the building? Easy way to tell, look for an alternative AP, if there is, turn it off and see if you still get wifi. If X is the main AP, then bad things could be happening.

    If X isn't the main AP, try connecting to an open network that doesn't exist, if you can, then something is running that shouldn't. If you can't, then it is unlikely X is spoofing APs.

    If X isn't the main AP and isn't spoofing things, is it on the network? Turn off all other devices, except the main AP, and then do a network scan. See what is left, if there is a Linux box with 22 and maybe 80 or 1471 open then browse to it and see what you get. If it isn't on the network then it could just be doing passive things and there is nothing you can do to detect that.

    With whatever normal access you have, try connecting to an HTTPS site you've never connected to before which doesn't do HTTPS preloading (google it all), my site would be one. If you get a valid certificate then it is unlikely that there are any odd SSL man-in-the-middle attacks going on.

    Try a traceroute to the main AP and to external sites, see if you get an unexpected additional hop before the AP or directly after it.

    If the room it is in has a door going to the floor, pick up a cheap ring and roll it under the door then call the landlord and ask him to come and open the door so you can retrieve it, while doing it, get a proper look at the device.

    My guess would be that it isn't a Pineapple and that nothing odd is going on as that is the most usual way things work out.
  9. digininja

    Hacking phone that connect fair wifi

    If your boss won't listen to "it's illegal" tell him "it's not possible", he can't force you to do it if you don't know how. If it's your fair, you set the rules, ban any recording devices.
  10. digininja

    What security precautions do you take?

    I use one of these: https://www.pcengines.ch/apu2.htm

    Before that I had one of their Alix boards, both work really well. I added an SSD drive so there was space to work on it and store logs, I found that using an SD drive sometimes meant problems upgrading as there wasn't enough room to run the upgrade script.
  11. digininja

    What security precautions do you take?

    I said if you weren't already running everything through the VPN things would be leaking. If you want to do it the easy way, my setup is a pfsense box sat in front of my modem which can be set up to connect to my VPN server and run everything through the VPN. That way I don't have to worry about individual machines, the firewall does it all for me.
  12. digininja

    What security precautions do you take?

    I can see the hosting company the VPN is running through, is it one you set up yourself or a commercial offering? If you built it yourself then that is easy to track back as they talk to the hosting company and get a list of IPs who connected to the box and the details of the person paying for it. If it is a commercial offering then there are ways of monitoring traffic content and meta data to tie inbound traffic to outbound and work back from there. It would all need warrants but then so would doing it at your ISP level. If you aren't currently running all your devices through the VPN then you will be leaking at least some info to the ISP.
  13. digininja

    What security precautions do you take?

    Don't forget, if the government want to watch your traffic, they will just put a tap on the VPN end point. Sure you get it but a lot of people miss that their traffic has to emerge from the VPN somewhere and at that point it becomes visible to anyone who is on the route or can request traffic. Do you stream movies through the VPN? If so, that is likely to eat up your allotted bandwidth pretty quickly.
  14. digininja

    What security precautions do you take?

    You say any network, do you do all these at home as well? VPN and hardware locks as well? If you do VPN all the time, what are you defending against, your ISP? Do you trust the VPN endpoint more than them?
  15. digininja

    Open VPN Client for Amazon Firestick

    Unlikely. I'd set the VPN up on an access point and have the firestick connect to that.