About: Apprenticeship as computer scientist Greedy 2 learn Getting started with Networking, Python and Linux
Joined devRant on 1/19/2018
-
Hello together.
I need your help. I'm a junior Pentester.
Tomorrow I need to pentest a Macintosh workstation but I have no idea where to start. Users can login via LDAP and I will do a white box pentest.
Any suggestions where to start?
-
That moment when an SEO 'expert' asks if changing ip addresses will put his sites lower in Google.
I'm a fucking Linux engineer, how am I supposed to know that?!
Please live up to your fucking title "SEO *expert*" and don't ask some innocent Linux engineer about this shit 😡
-
Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily afterwards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? Installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw successful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P
-
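The two checks from the post above (successful root logins in the auth log, and three failed SSH logins from one IP within 5 minutes), as an added example that is not part of the original post and not Fail2Ban's own code. The log lines are constructed samples in the usual OpenSSH syslog format, and `analyse`, `max_retry` and `find_time` are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not taken from the post.
SAMPLE_LOG = """\
Jan 19 03:10:01 srv sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 19 03:11:30 srv sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2
Jan 19 03:13:59 srv sshd[820]: Failed password for root from 203.0.113.7 port 40031 ssh2
Jan 19 03:14:05 srv sshd[822]: Failed password for root from 198.51.100.4 port 51000 ssh2
Jan 19 03:25:00 srv sshd[830]: Failed password for root from 198.51.100.4 port 51001 ssh2
Jan 19 03:40:12 srv sshd[840]: Accepted password for root from 192.0.2.55 port 60111 ssh2
Jan 19 03:41:00 srv sshd[850]: Accepted publickey for deploy from 192.0.2.10 port 60200 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyse(log_text, max_retry=3, find_time=timedelta(minutes=5), year=2018):
    """Return (ips_to_ban, root_logins) for the sshd lines in log_text."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    to_ban, root_logins = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Accepted":
            if m["user"] == "root":
                root_logins.append((ts, ip, m["method"]))
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry and ip not in to_ban:
            to_ban.append(ip)
    return to_ban, root_logins

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, only 203.0.113.7 crosses the threshold; 198.51.100.4 fails twice but eleven minutes apart, and the password-based root login from 192.0.2.55 is the line that should trigger a rebuild.
-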
This is so fucking, fucking annoying.
Client (through ticket system): here's new nameservers my domain has to use, please enter them thank you!
Me: you can easily do that yourself! *gives link to extremely fucking easy click-done tutorial*
Client: oh but I'm not technical, could you please do it anyways?
HAVE YOU EVEN FUCKING LOOKED AT THE LINK?!
THIS SHIT HAPPENS EVERY GODDAMN DAY.
-
I fucked up hard for the first time yesterday at work.
Came in and expected a huge speech from the bossman.
He called me to his office:
Explained to me where I went wrong and what I should do next time with a big smile on his face!
-
First ever job interview (in my field) went well and I got the job two days later! (my current one).
I'm getting scared from the other stories though 😅
-
A little ago I helped my dear @Divisionbyzero out with some server problems. He was stuck on them for ages and I solved them quite fast, something I'm actually proud of!
Now he sent me a thank you package!
This is the first thing I ever got for using my skillset to help someone out 😊 (work not counted)
Thanks mate! (couldn't turn the image for some reason)
-
Finally moved. My Internet speed went from 500kbs in general to 50mbs!
I can finally download por.... ISO's without having to wait for hours!
-
Never let anyone make you believe that just because you don't have a specific skill which is 'required' for your dream job/a job you really want, you won't be able to reach it.
I've heard countless times that I could never do anything with programming/linux (server) engineering because I'm freaking bad at maths. They always said it was a requirement to understand it in order to become good at those two things.
Except for a few simple tests with 'okay' marks, I never got a good grade for it and failed it entirely at every school.
Guess who's a programmer (free time) and a professional linuxer right now!
It just pisses me off when people tell someone that because they don't possess a skill, they won't be able to make it to what they would love to do.
-
!dev
I'm moving out soon and normally when the hallway is filled with stuff/boxes, the landlord doesn't like that and you might get a warning.
I take that quite seriously and thus always tried to keep it clean.
Now I'm moving in a few days, hallway is filled with stuff and the landlord told he doesn't like that at all.
I can't be bothered much, my new room is already available, good luck with kicking me out now 😋
-
I hope I'll be able to release the new/refreshed version of the security/privacy blog today.
Feel free to test stuff out and report back when it breaks!
Also, feel free to pentest it. The only thing I ask is to, if you find any vulnerabilities, report them instead of passing them to malicious people/abusing them.
And yes, post sorting will be fixed ;)
-
Was working and decided to go get a drink so I took my headphones off.
Just in time to hear a colleague say: (in Dutch it sounds better) Beste Bob, krijg de tering.
English equivalent: dear bob, go fuck yourself.
Giggled hard 😆
-
Because the RSS feed is still down, hereby.
The post about what I personally take for security and privacy measures is up.
Hopefully you can learn something from it or even email me some tips!
-
Going to do tonight's blog post about my own security setup since that's an easy one and I'm working on rewriting the blog which gets me quite some bugs to solve!
I'm wondering how paranoid people will find me afterwards 😅
-
Mother of god, choosing a topic for today's security/privacy blog post is hard!
I have too much choice 😅
-
It's quite awesome how some people can make you realize how much you actually know about some stuff and how skilled you are on a certain subject.
Shoutout to @404response for making me realize that I actually know quite some stuff about security/privacy and also a shoutout to @devisionbyzero for making me realize that I'm actually quite good with linux/linux servers :).
Thanks guys!
-
Guy called in because he wanted to get an IP white listed on a server. He wasn't authorized so I told him to send an email from an authorized email address.
He didn't like that very much and asked if another engineer was available (he talked to him more often so he thought that engineer would just do it. We need those kind of requests by email.)
Walked over to my colleague and explained what that client asked for.
'let him send an email!'
Told him I already told the client that but that the client wanted to talk to him instead.
'sure, connect him through and then come back so you can hear him after I ask him to mail us!'
Connected him through. Client explained the situation.
Then he says with the sweetest voice and a 'get rekt' face: 'could you send me an email about that? 😊'
Let's just say that the client sounded everything but happy xD
-
Wk88 I basically see "I'm a beta that belittles myself, because everybody else seems to be so much better than me.."
While I certainly know how it feels, that mantra & mindset will lead to void or null.
It's a self-fulfilling prophecy and life's a bitch that'll keep ya down if you let it.
It's gonna be rough, but ye gotta stop calling yourself inadequate and start working on honing your skills.
No great feat happens over night, it takes practice and dedication.
-
At my sister's place together with my parents. Showed my 100K accomplishment and I'm now showing my mother around.
It's funny how certain terms are hard to grasp for not so techy people!
-
Bought this Lenovo thinkpad netbook a while ago.
I was told it has 4gb ram.
Just did a free and free -m command.
It shows nearly 8gb of ram.
😯😍