HackerTrans
TopNewTrendsCommentsPastAskShowJobs

bynxbynx

no profile record

comments

bynxbynx
·w zeszłym roku·discuss
While I find this mildly annoying at times, it's a good reminder that I can just hardcode the port if I want HTTP
bynxbynx
·4 lata temu·discuss
Learning how to is half the fun!

There's a bunch of good tutorials out there on [dumb] fuzzing (presumably where you'll start). One starting point I'd recommend is taking a binary that accepts input from stdin and making some proof-of-concepts with AFL (https://lcamtuf.coredump.cx/afl/).

If you'd rather start from a code/library perspective (and not CLI), I'd recommend libfuzzer (https://github.com/Dor1s/libfuzzer-workshop/).

There's a lot of other fuzzers, techniques, and depth to the field, but I'd recommend inch worming through (speed up as you gain more comfort). The Fuzzing Book is good to help you understand the logic behind techniques and strategies (https://www.fuzzingbook.org/)

As for some management, there's a few decent "monitoring" systems out there; personally I just SSH in and check the fuzzer manually (I leave it running in a tmux pane), but if that's not your cup of tea I've heard good things about OneFuzz (https://github.com/microsoft/onefuzz) and LuckyCat (https://github.com/fkie-cad/LuckyCAT).

Happy to answer any specifics of the sort :)
bynxbynx
·4 lata temu·discuss
Anecdotal: I've seen a lot of people migrate to substack (not how much better it is, but I dont dislike visiting it like I dislike visiting a medium blog)
bynxbynx
·4 lata temu·discuss
I originally built my home server for academic use (computational physics), but after changing in security I've come to use it as a fuzzing playground.

Oftentimes I kick off a fuzzer on some OSS, e.g., GCC, v8, standard *nix binaries, and let it run for days/weeks/months. If I find anything I submit it to the appropriate people or make a PR, if Im motivated enough that week
bynxbynx
·5 lat temu·discuss
I've enjoyed dropshot (https://github.com/oxidecomputer/dropshot/) but recognize it's not for everyone :)
bynxbynx
·5 lat temu·discuss
Originally we were on IRC. As the team grew, more CTFs were being played - often concurrently - so having dedicated (private) channels for a given CTF and "sub" channels for its challenges gave us a lot more flexibility.

That being said, we've considered migrating to Discord, Zulip, or Matrix - just haven't gotten around to it yet.
bynxbynx
·5 lat temu·discuss
I help run the OpenToAll CTF team - while the primary focus for most are CTFs, the community (>500) has really expanded, e.g., (in the slack workspace) we have active channels for N-day repros, bug bounties with internal competitions, financial trading shop talk, and hardware hacking. You wont find much OTR or blackhat stuff ( due to slack ToS), but Ive found the community loves learning and discussing all things sec.

It doesnt hit your mark completely, but hopefully its somewhat helpful