digininja

Global Moderators
  • Posts: 4,005
  • Days Won: 210

Everything posted by digininja

  1. Why did you title this BurpSuite Pro then ask about the free version? If you are getting certificate warnings then you need to import the CA certificate into your browser. Browse to http://burp and follow the instructions.
  2. What you are asking is illegal so you won't get any help from here. Talk to the Instagram team. Before you come back with "but it's my account" or anything like that, it doesn't matter, Instagram isn't yours and that is what you'd be trying to hack. And attribution is a bitch, just because they have a .ru email account, doesn't mean they are Russian, I could sign up for one if I wanted, the only challenge may be to read the registration form.
  3. digininja

    XSS Help

    Unfortunately, without a lot more info, your question is too vague to give any specific help. How good are your HTML and JavaScript skills? I'd suggest looking at the SecurityTube web app testing videos, they cover stuff like this and should give you a good idea of what is going on. And if you are following a course, I'd look for a more up-to-date one, anything still using XP as a victim is very out of date.
  4. It all depends what you want to do, are you interested in looking at layer 2 protocols, digging through shellcode or testing web apps? And don't forget, Kali is just a Linux install with tools preinstalled, just because they are in there doesn't make them good, not being in there doesn't make them bad.
  5. Kali is just Linux with a lot of security packages so it won't get in the way of Kali but it may affect some of the tools but that would be the case whatever distro they were installed on. Pick the tools you think you'll be using, install them in a vanilla Kali and in your pimped up version and compare results. My guess would be things like nmap which do special things at layer two with packets might not be happy but something like Nikto pointed at a web app wouldn't care less as long as its layer seven packets get through.
  6. I know nothing about Qubes but in my opinion, the answer depends on what you want to do with Kali.
       • If you are doing any kind of client based pen testing with it then you'll probably want to come from a fixed, static IP so that the client can identify you
       • If you are doing things where you want to be anonymous, go through Tor
       • Normal browsing and computing, it depends on your paranoia level
  7. digininja

    SANS Book

    There was a discussion on one of the mailing lists about it recently and I thought the conclusion was that you got them when you challenged, maybe not.
  8. digininja

    SANS Book

    Based on various data points, I have a feeling SANS is available in your country, and is indeed based out of your country. The cheapest option to get the books is to take the challenge exam, with that you get a copy of the books and an exam entry. The next step up is On Demand which doesn't have 617 but does have 560 and 660. As you can't program yet, 760 would be way above your level so I'd recommend starting with one of those and working up. https://www.sans.org/ondemand/courses/all/
  9. Short answer, it doesn't matter, pick one and learn it, once you have the concepts you'll be able to move into other languages much easier. Longer answer, it depends what you want to write scripts to do. Research that area and see what other tools are written in and that is probably the best language. Other option, find out what languages your friends know and learn those, with friends to help it is much easier to pick up something new.
  10. digininja

    SANS Book

    Go on the course, any other way of acquiring the digital books is piracy. As a SANS instructor, I frown on this type of thing.
  11. digininja

    BlueBorne

    First off, learn how to ask proper questions: https://digi.ninja/blog/asking_for_help.php
  12. digininja

    KRACK Attack

    Google this, it might help: krack proof of concept github. Remember, only use this on your own devices, if you ask questions about how to use any scripts and we don't think you are using them in areas you have permission to be using them, then you will get told off.
  13. If you are running Chrome this is supposed to be a good option: https://chrome.google.com/webstore/detail/parental-controls-web-fil/dpfbddcgbimoafpgmbbjiliegkfcjkmn?hl=en I don't know of any off hand but I bet there are some good lists for Squid3 that will also block undesirable stuff. But if all you want is YouTube then you could probably lock the browser down to just that URL, you can definitely do it at Squid3 level or do it at DNS level.
  14. Install the older browser then use a proxy to drop all requests to the update server so that it doesn't know that it is out of date.
  15. Get out and meet people then. Most of the people I know who change jobs, do it as a result of who they know in the new company, especially in either smaller firms or big firms with dedicated security teams. Another option is to get a job with your current skills in a company that has a security team and then somehow slide your way across. Become the bridge between your team and theirs or put in some extra hours helping them with things. I was on site with a client a few weeks ago just as a guy was moving from basic call centre member to the security team. He had introduced himself to the head of security, told her what he wanted to do then put in hours to prove it. Was really good to see him swap his call centre ID for a security one. He was mostly self taught in a small Scottish town with very little local resources.
  16. For the real world side of this, get yourself to conventions. In the UK we have BSides {London, Leeds, Manchester}, SecuriTay, and, in my biased opinion, SteelCon. Various areas also have Defcon groups and OWASP chapters. The social side of security is a huge one when trying to get a job, there is a lot about who you know and who you impress at the right time. That doesn't mean you have to have amazing skills to impress, just be enthusiastic and show it. Most smaller firms, when they hire, they hire on enthusiasm and if you are at a con raving about the talk you've just seen or the lab you've just built at home then it will do you a lot better than any cert will do.
  17. Check pentester academy and security tube, well worth the money.
  18. So you were trying to spider a site that didn't really exist, that could be your problem. If --debug isn't there you aren't using the latest version, get that from my git repo and use that instead.
  19. If you run it with --debug it will show you all the URLs it finds and will say either why it is following them or why it is ignoring them. My guess would be that the links coming off the homepage go to a different URL and so are considered offsite and not touched.
  20. General rule of thumb, if you have physical access then you'll win. GRUB doesn't make any difference. Full disk encryption would but you are unlikely to get that on a CTF box.
  21. Get in touch with AOL, if you send them proof of death then they may be able to reset the password and allow you access. Any attempts to guess or brute force the password would be considered illegal access despite the situation so do not attempt it.
  22. Send us all a pcap of the 4 way handshake and PM me the password and I'll confirm that you know it, then you can have your game.
  23. Last time I used ckFinder it was just JS based, nothing server side, so just intercept the POST and put whatever data you want in.