digininja
-
Posts
4,005 -
Joined
-
Last visited
-
Days Won
210
Everything posted by digininja
-
Bigger lists are not always better. Most serious password crackers use smaller lists and rules.
-
The lack of HTTPS on login doesn't really mean much as the standard is to use a self signed certificate on then which can then by spoofed by anyone with man in the middle.
-
I know nothing about the devices but would be interested to have a look at what is leaking.
-
Give a bit more info. Do you mean it sends packets to the VPN and you can see the IP address of the VPN server? @biob do some googling for published issues with it. If there are loads, reject it and put on something else. But also consider your risk profile, where you are going to be using this, are there likely to be people going after you who have the necessary skills to carry exploit any issues. Using it at a hacker con, probably, using it in a quiet country cottage in middle of nowhere, probably not. If you are leaving it alone in your hotel room, are you worried an adversary could perform an evil maid attack? That is where defining risk comes in.
-
Define "trust". I generally find that anyone who asks the question "can I trust X" can't trust it which is why they are asking the question in the first place. Whether others trust X is irrelevant, that person never does. So install openwrt and be happy.
-
Glad you fixed it.
-
just a warning, as a new member you are limited to 5 posts a day so make sure your next one is a good one as you won't be able to do another till tomorrow.
-
For attachments, did you try this? and if nothing is getting through then you've probably messed networking up somehow, check routing and firewalls. Try a simple netcat listener on port 80 and browse to that to see if that gets through.
-
Try browsing to 192.168.0.17:4001 from the phone and watch for traffic, see if any traffic can get out to it. And to upload images, there is a file attachment feature at the bottom of the editor.
-
Have you tried monitoring traffic from the phone to see if it tries to reach out? Can the phone definitely see the Metasploit listener? i.e. is there any NAT'ing or firewalls in the way?
-
I've never had to do it but I'd assume you could probably work it out by sniffing authentication traffic. Each of the main types should have distinct fingerprints, for example looking for anonymous usernames Vs real usernames in the visible traffic. I'd also look at their network and base a guess on that, eg if they are a committed Microsoft shop then it is probably PEAP and CHAP.
-
This is why I was asking about using the command line to check that the credentials supplied were able to be used to connect to the database.
-
I've got no idea what is broken either. The hints I'm giving you are how I would debug it. Make sure the database user is in place, check the creds are as expected, watch logs to see connection failures, get each individual bit working on its own then in combination.
-
Try the postgresql client, not the metasploit console.
-
A perfect first learning opportunity then. Find out how to connect to postgresql from the command line and check the user exists and is working, if not, create a new one and see what happens. Testing is all about learning, don't turn down this chance for some for free.
-
It's all changed since I last used it but from those errors it looks like you haven't created the msf user in postgresql or when you did you set a different password to what it is expecting. I've no idea how to set it, Google should tell you though.
-
You've provided a blob of hex, say that it is something to do with a password backup and nothing else. Think about what we might need to be able to help you with the problem, for example, something fairly obvious would be what software package the file is from. At the moment, the best I could say is that is a very strong complex password that I wouldn't like to try to type into any application that I use.
-
keep going...
-
And....
-
Do you have any context to this? Is this school homework, a CTF or some file you found lying around?
-
It all depends on the implementation. If done correctly then it shouldn't be, if done badly then it might be.
-
It's fun. Just remember though, that for all the time on screen, there is usually at least twice the time in the office planning, having meetings, writing specs and doing reports.
-
ye, I'd agree with that
-
I've no balls, that is why I stay away from random onion sites.
-
you were stuck on level 4, then 2, now 5. Keep persevering, you seem to be working your way through it on your own.
