digininja

You can do this with any OS. As Parrot OS is Linux based, you'll need to look at iptables https://en.wikipedia.org/wiki/Iptables

I'm going to be pedantic and say that you can execute attacks on anything, the problem is, whether they are successful or not. (And yes, you can, Macs are just like any computer and suffer from remote vulnerabilities)

I've got a box with Amazon using their GPU instance. I've not used it for a while but it was ok. Search for blog posts by Carrie Roberts and Spence on alternativesec.xyz about setting it up.

It says install MS16-047 as it is a better patch than MS16-007. The MSXX-XXX is the patch, the long numbers are IDs for the knowledge base articles that discuss the issues.

This update replaces all these others. I.e. MS16-047 replaces MS16-007.

Notice the little * at the end of the column name? *The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab). and the number of the knowledge base ID

I've not got a link to hand but search the SANS webcasts for one on struts by Moses. He explains a lot about it and goes into details on how it works. One of the things he explains is there is no way to detect the vulnerability without exploiting it. There are things to look for to spot that struts may be in use but nothing to reveal the exact versions.

I'd send it back as not usable under warranty then if you can't log in and use it.

Have you tried contacting the supplier? There are plenty of sites that give lists of default IP camera credentials, I'd go through them and give them all a try. These things usually reuse firmware so there is a lot of password reuse.

They can both be made to do the same things, the Interceptor just takes a lot more work and effort.

I created the first Interceptor on a La Fonera + I think, really old hardware but worked fine. You can build any of the Hak5 products yourself on commodity hardware and that is how most of them start, the Pineapple started on a basic Fonera then developed. If you want to build your own to save some cash the go for it, there is nothing stopping you and it will probably be a brilliant learning experience. There are two reasons to buy the products, the first is to save time and effort, if you want a tool that works straight out of the box and has active community support, then that is what your money is getting you. The second reason is to support the show, cash raised from the shop goes to keep the Hak5 shows on the air.

Do you have consent?

What do you mean by access? Do you have consent to access them?

You've got it the wrong way round, he was asking about disabling it in the browser not on a site.

It depends on what you allow to run, if you are very careful and selective then maybe. Some sites are insisting that you allow JS to allow their adverts to load before giving you access to the content. If you do, then any malicious advert served through that network gets you owned. There have also been a few recent examples of sites which have been compromised and things like JS based crypto miners added to their own, local JS libraries so if you allowed that, otherwise legit site, to run JS then you'd be owned. So I'd say it isn't pointless, just really hard to make work without making it pointless by allowing too much to make it useless.

Like you say, good luck using the internet without JS. I tried it for a while years ago and it was a pain then, having to whitelist all the sites that I wanted to use and then tweak the policies to get things working. I think that it is a nice idea but one that is doomed to failure.

It is an amazing area, you just have to keep a very open mind and never rule things out.

Even if it was HTTPS not HTTP, it wouldn't matter as I have full control of the content you are viewing, the only difference is whether you are viewing it over an encrypted channel or not. The lesson, not meaning this in a bad way, is never to think that you are perfect and don't make mistakes or do things you really know that you shouldn't. For anyone who doesn't believe me, read up on how Anonymous was taken down. One small slip by Sabu brought the whole thing down and regardless of what you think of them morally or ethically, they are/were a bunch of very intelligent people. Back to your original question, as I said, there are loads of different ways they could have got you and, without a lot more info that could only really have been collected at the time, you'll probably never know. You could try keeping an eye on this history list, maybe daily, and if you notice any additions then check your browser history for that day. You can't rule anything out as even top corporate sites can include malicious adverts, but you might be able to spot a pattern and narrow things down.

If I'd redirected you to a page that had a bunch of youtube videos embedded in it then that would have achieved the same as you were describing at the start. You don't need to be "attacked" or to be vulnerable in some way, you just have to use the internet.

There you just proved that you will click on a HTTP, not HTTPS link from a random stranger. Everyone does it, most people won't admit it though.

You can call yourself whatever you want so yes, could be. Or they could have other bits to their bot that also do crypto mining and this is just the bit that you've noticed. If it is this, you could have got caught in loads of different ways, have a look at this <link removed> for some ideas.

I don't see how adding extra videos to your watch list would help in crypto mining. I can see it being used to increase the viewer rate of certain videos. The attack would be to silently open a tab or use an iframe and auto play the video muted so that as far as youtube is concerned you've watched the video in a legit way. There is probably a minimum time that would be needed to count as a watch before the window could be closed.

Please don't hijack other people's threads, create your own.

Got it all working, I've documented it in the original Github ticket but the short answer was that you need to rename a file so the mysqli extension gets started later in the init process. https://github.com/ethicalhack3r/DVWA/issues/222#issuecomment-369179468

Turns out php runs as a service on Fedora so you have to restart it after making changes. After that I check the status of the service and get this error: Feb 28 23:14:15 localhost.localdomain php-fpm[893]: [28-Feb-2018 23:14:15] NOTICE: PHP message: PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/mysqli.so' - /usr/lib64/php/modules/mysqli.so: undefined symbol: mysqlnd_global_stats which I think is caused because of a mix between the official MySQL release and the built in stuff that is expecting MariaDB. The solution I've seen suggested for this is to use the Remi repo rather than the official Fedora one but that hasn't helped.