Royce Williams

Immunity demo appears to show RCE: https://vimeo.com/349688256/aecbf5cac5

Somewhat duplicative of Twitter awareness, but just in case: See thread. Full PoC, it appears.

Fascinating! Also, there's a 20-year-old easter egg in the accompanying doc file! (Note that since these are public hashes with known provenance, they don't fall into the "no hashes" rule) root:ur/1tzsUmWXK2:0:1:system PRIVILEGED account:/usr/users/root:/bin/csh user1:abhtIHPO06GAs:101:20:name of the guy:/users/something/user1:/bin/csh user2:cdudDg6nVEZGA:102:20:name of the girl:/users/something/user2:/bin/csh user3:efRxqpKNiiMHQ:103:20:name of the dog:/users/something/user3:/bin/csh SPOILER ALERT (highlight text below for answers) ur/1tzsUmWXK2:curious abhtIHPO06GAs:well cdudDg6nVEZGA:done efRxqpKNiiMHQ:;)

Wow, @james mckinlay - I hadn't previously heard of StarCrack! Looks like it was previously at: http://www.chez.com/thes/starcrak.html http://thes.chez.com/starcrak.html ... but it has been gone for so long that it's not even in the Wayback Machine. For historical research purposes, I'd love to find a binary and/or some docs on StarCrack. Edit: Hey! https://packetstormsecurity.com/files/download/13743/starcrak.zip

FWIW, The Pi-Hole project has explicitly declared blocking DoH to be out of scope. TBH, I'm not sure how applicable it even is to try to refuse DoH at the DNS-lookup level (probably not much), but it was worth a shot.

Offline attack is still a thing - sometimes that's all you can get! Subjective, of course ... but IMNSHO: For speed (including on-GPU rules processing), envelope-pushing, and general password fu, hashcat is the best general solution (though I'm biased ;) ) For complex nesting of hash types (configurable via its 'dynamic' algorithm language), maturity of approach in the historical password-auditing context, and FPGA support (such as ZTEX - disclaimer: my page), John the Ripper is still a required tool in the toolbox For working with unknown hash types, arbitrarily nested iteration, and truncated hashes, raw performance on CPU, and platform coverage (ARM, etc.) MDXfind is very useful. For ease of arbitrary clustering: Hashtopolis is the strongest FOSS contender Hashstack likely the best commercial offering (though only available with their hardware) John the Ripper has OpenMP support if needed Both hashcat and John the Ripper support a basic work-splitting syntax (but you have to calculate the "blocks" of work yourself) hashcat also supports loose collaboration using its relatively new 'brain' server feature (upcoming Hashtopolis has direct support for brain, IIRC) So the short answer is ... it depends! ;)

This looks promising: https://bjgill.net/2018/02/05/usb-mapping/

It looks non-trivial to pass a YubiKey USB through Virtualbox to the browser. What's the right way to do that?

Maaaaaaaaybe? (Though one could argue that needing such a notice means you're not tall enough to ride the ride?) ;)

All things keys - all models (YubiKeys, Feitian ...) and protocols (U2F or FIDO2 or TOTP or ...) welcome.

For password defense and governance discussion.

Discussion of password cracking - techniques, tools, etc. Please do not request cracks or post hashes. Conversations that get too "in the weeds" about specific tools might be eventually gently encouraged towards a more specialized forum. :)