Starting an /r/asknetsec wiki. First, FAQ: What are the most frequently asked questions on /r/asknetsec?

Let's get started on an /r/asknetsec wiki. We'll start with FAQ: What are the most frequently asked questions on /r/asknetsec?

You know the ones. Rule-abiding or not, they still get submitted.

I'll compile some of the most common into a new wiki for the subreddit. If anyone would like to volunteer to help build it, let me know.

Touch here for the full post on Network Security Noblemen tumblr

Send CLI-based Web Traffic via Burp

Hi NetSec,

Something I've found myself scratching my head over recently, yet can't seem to get working properly. I am running a CLI application written in .NET that makes web requests. I'd like to be able to view, intercept and/or modify these requests via Burp.

I have Burp listening on localhost on the usual 8080 port. I have tried setting the proxy settings in the command line with 'netsh winhttp set proxy "127.0.0.1:8080", which didn't seem to work, I've tried setting the system proxy (Start > Proxy Settings > 127.0.0.1 8080) which also doesn't seem to work. I've tried using Proxifier and set a rule for Powershell / CMD to push traffic through 127.0.0.1 8080 which also doesn't work.

Does anyone have a method for getting this traffic pushed through to Burp?

Touch here for the full post on Network Security Noblemen tumblr

What stops E2E encrypted messaging apps from sending your private key to their servers?

As I understand it, apps like iMessage, Whatsapp, Facebook Messenger are end to end encrypted by having the app generate a public and private key on the users device.

The public key is sent to the servers so two users can communicate and the private keys remain on the device so they (and only they) can decrypt it.

With all this talk about “adding back doors” to messaging apps it feels like the government wants to break encryption the hard way when there’s something much easier and less noticeable they could do.

If the app generates both keys, and the user is never aware that this process even occurs, what is stopping the app from just also sending the private keys of people communicating to the server so an agency could decrypt their conversations?

Is there anything in the math of encryption that prevents this, or are all users just relying on the goodwill of app makers to not do so?

Considering any communication is occurring across HTTPS how could one verify that this key is not being sent?

Touch here for the full post on Network Security Noblemen tumblr

Hypothetical: Can I be sure that a hard drive reformat will allow me to keep a school laptop?

Hi, I am graduating this year and as such should return my school laptop back to school. However, for some odd reason, I am the only one who does not show up for a laptop return.

If I were to hypothetically reformat my hard drive and reinstall windows, would I be in the clear to keep the laptop for personal use?

The only thing keeping me uneasy about this is how some student's laptops got locked and required to be turned back in even after they managed to factory reset their laptops. Would a reformat do the trick? Is there ways to grab a hold of a laptop even post-reformat?

Thanks

Touch here for the full post on Network Security Noblemen tumblr

Is a Virtual Lab Environment Worth the Investment?

Greetings! I'm a help desk employee who is wanting to get into infosec and one idea suggested to me was to setup a home lab to practice. Right now I'm thinking of ways to justify investing in a used Workstation I can use to create a virtual home lab that can be used to get my feet wet in all sorts infosec tools and systems and gain more experience that way (I would normally just buy physical equipment, but I'm not made of money, especially with the way things are right now); But due to my lack of experience I'm having a hard time thinking of projects that are worth investing in for the Workstation.

The idea so far would be to create multiple VMs and network them together from within the the Workstation so I would have a network to exploit. The question now would be what exactly should be perusing with this setup? What kind of projects are out there that I can use to cut my teeth with and where would I find them? I could practice with Kali, look into some monitoring tools, tinker with VMware somehow (Again no money for large investments). I'm looking at this from a Blue Team perspective but I wouldn't mind looking at Pentesting either since I'm sure they intermingle a lot.

What would be everyone's recommendation for learning more hands-on infosec? Is there a good central hub to get project ideas from, or should I abandon all of this and look into more online resources (TryHackMe, HTB, etc)?

Touch here for the full post on Network Security Noblemen tumblr