
@tinker @TheGibson I set up a YubiKey as primary (either U2F or TOTP) and print a backup on paper (either recovery codes or original TOTP key) that I keep in a box in my house, which I intend to update to a fire safe. Also if U2F is available I have a backup U2F key at home so I'll register both my YubiKey Neo and the U2F key.

@deutrino I mean, Google Authenticator is stored completely locally, doesn't pass keys back to Google. That said I keep my TOTP keys on a YubiKey with Yubico Authenticator. I was super glad to find out you can keep TOTP codes on a #yubikey with Yubico Authenticator

So, do the and vulns create avenues for container or VM escape?

@x_cli The LastPass app is actually extremely secure. The LastPass Authenticator isn't for some reason...not really sure why that is, but I've been advocating for hardware tokens instead of software ones for a while. (LastPass Authenticator is just for TOTP tokens)

@deavmi More that I'm new and don't want to make a bunch of noise without something to show them.

@jerry I can see several attack vectors with some of the bad practices going on here, but nothing I'd be comfortable exploiting without establishing rules of engagement with the company.

@c0re wouldn't that only get my traffic unless I do ARP poisoning?

@liw Yeah, that's where I was going, but the network layer was better protected than I realized, even though the transport layer is insecure.

@tinker While that's interesting, it looks like it requires taking advantage of arbitrary code execution, which would definitely not be in scope at this time. I was hoping to go say "look at all the credentials I was able to grab just by sniffing packets" so I could light a fire under their ass. Looks like the WPA2 Enterprise network put that just outside of reach.

Thanks for the help everyone! Ultimately I'm pretty sure I'd need to use ARP poisoning, which is definitely out of scope as this isn't a sanctioned exercise. Alternately from an insider threat perspective I could capture traffic on the insecure servers, but I'm gonna call that out of scope for now as well.

Pleasantly surprised to find the problem isn't quite as bad as I expected, but still not great.
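The thread concludes that ARP poisoning is the one remaining avenue on the wired segment. The defender's counterpart is to watch ARP traffic for exactly the two symptoms that attack produces: an IP whose advertised MAC changes, and a single MAC suddenly answering for several IPs (typically the gateway plus the victims). The following is an added example, not something from the thread; the ARP reply records are constructed inline as (timestamp, sender IP, sender MAC) tuples, standing in for what a sensor such as a span port would extract from real frames.

```python
from collections import defaultdict

# Constructed ARP-reply observations for a small segment. Timestamps are seconds
# since the sensor started; the last two records mimic a host poisoning both the
# gateway's and a peer's ARP entries with its own MAC.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway, legitimate
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),   # workstation, legitimate
    (2, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway refresh, same MAC
    (5, "192.168.1.1", "de:ad:be:ef:00:99"),    # gateway IP now claimed by another MAC
    (6, "192.168.1.20", "de:ad:be:ef:00:99"),   # same MAC also claims the workstation
]


def detect_arp_spoofing(replies, known=None):
    """Return a list of alert dicts for ARP anomalies in `replies`.

    `known` may seed the IP -> MAC table (e.g. from DHCP leases) so that the very
    first sighting of the gateway is not trusted blindly. Two checks:
      * mac_change: an IP's sender MAC differs from the one previously learned
      * multi_ip:   after processing, one MAC is the current owner of 2+ IPs
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is None:
            ip_to_mac[ip] = mac            # first time we see this IP: learn it
        elif previous != mac:
            alerts.append({
                "time": ts, "type": "mac_change", "ip": ip,
                "old_mac": previous, "new_mac": mac,
            })
            ip_to_mac[ip] = mac            # track the new claim so repeats are not re-alerted

    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    for mac in sorted(mac_to_ips):
        if len(mac_to_ips[mac]) > 1:
            # A router or a host with secondary addresses can do this legitimately,
            # so this is a lower-confidence signal than mac_change.
            alerts.append({"type": "multi_ip", "mac": mac, "ips": sorted(mac_to_ips[mac])})

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

On a real network the same logic is what tools like arpwatch implement; seeding `known` from the DHCP server's lease table, or at least from the gateway's true MAC, removes the blind spot where the first reply seen is the forged one.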

@galaxis @thomas Yeah, Wireshark can do monitor mode, but because it's WPA2 Enterprise the traffic is encrypted on the network layer, so no dice

@onefivecharlie @thomas Yeah, in this case I think I'd need port mirroring or some other type of attack. I think I overestimated how easy it would be to capture those http packets on the local network, especially since WPA2 Enterprise is in use.

@rrix Looks like it requires an exceptionally old version of Firefox.

@somarasu @thomas Wireshark uses promiscuous mode by default. I've also tried turning on "monitor" mode which seems to give me other people's traffic, but not in a format I can read. I think I'm being foiled by WPA2 Enterprise.

@galaxis 802.11x on the WiFi. I have ethernet access as well. I do not have admin access. I'm currently using a Mac, but have access to other stuff.

@thomas So far I'm pretty sure I'm only capturing my own traffic

@varx Yeah, so far I think I'm just getting my own traffic. I'm on a MacBook Pro 2015 if that matters. I have access to the wired network, but I don't think I have direct access to the switch.

Hey guys, what tools would you recommend for capturing credentials sent over http on a local network? I need to make a point at work

@kelbot @Patrickme @jjg bloated, yes. Slow is less common. Generally speaking the only "popular" sites I've seen that are slow are those that have enough value otherwise to put up with the slowness.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.