Aggregator

Shodan（Shodan.io）是一个主机、联网设备搜索引擎，被誉为“黑暗谷歌”和“互联网上最可怕的搜索引擎…

新品上架

该系列文章将通过逆向的方式分析Tesla远程api，并自己编写代码实现远程控制Tesla汽车。该篇文章为第二篇，将主要讲解websocket抓包分析与编程实现对Tesla的远程控制。如果你还没看第一篇，请先查看第一篇内容Hacking All The Cars - Tesla 远程API分析与利用（上）。

0x00 Websocket通信分析

Tesla的召唤功能除自动召唤外，还支持手动的前进与后退功能。要想手机APP可以使用召唤功能，需要先在车机中开启召唤功能。

在测试时，建议寻找一块比较大的空地，然后设置抓包，使用手机APP进行操作。通过burpsuite抓到的数据包可知，召唤功能主要通过websocket来实现。但是分析过程中可以发现，burpsuite只显示了连接地址和发送的数据内容，并没有显示其请求的头，所以，当直接去连接时会返回401错误。

在这个时候就需要还一个工具了，本文选择使用charles。这个工具针对websocket的支持非常友好，不仅可以看到请求头，还针对发送与接收以不同的颜色区分显示出来，十分方便分析。

A new white paper from the NCSC explains the potential benefits of adopting a cloud-system.

Creating the world's best and most secure digital experience demands the very best industry talent. But as a responsible employer, we also understand how important it is to play our part in looking after those brilliant minds.

好多用户都不知道如何预估Nexpose的扫描任务时间，其实从任务未开始时，就可以计算出大约的时间。为什么不让大家看进度条？因为那个时间太模糊了，甚至太多人（包括网络和安全从业者）都对进度条有疯狂的迷信，反正我是不信

自用缝合怪内网扫描器，支持端口扫描，识别服务，获取title，扫描多网卡，ms17010扫描，icmp存活探测

我很早之前就想开发一款app玩玩，无奈对java不够熟悉，之前也没有开发app的经验，因此一直耽搁了。最近想

Human nature is to seek simpler and convenient ways to do things. One example is the sometimes onerous task of typing a URL into a web browser's address bar. Since users prefer short, easy-to-remember URLs, an internet trend is to use short domains for websites (e.g., edgedns.zone). With short website names, users benefit from the convenience of fewer characters to remember and type.

2020 年 11 月 11 日，苹果在本年度最后一次 Apple Events 上发布了全新的 ARM 芯片 M1、以及三款搭载了 M1 的 Mac：MacBook Air、MacBook Pro 13‘ 和 Mac Mini。在 WWDC 2020 库克宣布 Apple Silicon 后，这次 Apple Events 再一次掀起了热潮，不少 KOL 都把 M1 奉若神明，不少人...

In our 2020 edition of the Phishing and Fraud Report, we focus on how cybercriminals build and host phishing sites, the tactics they use to avoid detection, and how they’ve capitalized this year on the COVID-19 pandemic.

The second report examining how the NCSC's ACD programme is improving the security of the UK public sector and the wider UK cyber ecosystem.

本报告部分引自Week in OSINT栏目，每周推荐好玩实用的工具，站点，技巧，文章等，适用于任何领域的研究人员，分析测试人员。

This post is part of a series about machine learning and artificial intelligence. Click on the blog tag “huskyai” to see related posts. Overview: How Husky AI was built, threat modeled and operationalized Attacks: The attacks I want to investigate, learn about, and try out In this post we are going to look at the “Repudiation Threat”, which is one of the threats often overlooked when performing threat modeling, and maybe something you would not even expect in a series about machine learning.

A new skimmer attack was discovered this week, targeting various online e-commerce sites built with different frameworks. As I write this blog post, the attack is still active and exfiltrating data.

"What is phishing" is still a relevant question we're answering as the attack type and techniques evolve, victimizing even the most tech-savvy users.

介绍两种实战中碰到的案例！！第二种案例自己瞎折腾的，结果......

本文主要从技术角度探讨某次渗透目标拿取数据的过程，不对目标信息做过多描述，未经本人许可，请勿转载。今年开年以来由于各种原因，自己心思也不在渗透上，没怎么搞渗透，除了这次花了比较长时间搞得一个目标外，就是上次护网打了一个垃圾的域了。本文要描述的渗透过程由于断断续续搞了比较长的时间，中间走了不少弯路耽误了不少时间。

With the launch of the new version of the Security Update Guide, Microsoft is demonstrating its commitment to industry standards by describing the vulnerabilities with the Common Vulnerability Scoring System (CVSS). This is a precise method that describes the vulnerability with attributes such as the attack vector, the complexity of the attack, whether an adversary needs certain privileges, etc.

With the launch of the new version of the Security Update Guide, Microsoft is demonstrating its commitment to industry standards by describing the vulnerabilities with the Common Vulnerability Scoring System (CVSS). This is a precise method that describes the vulnerability with attributes such as the attack vector, the complexity of the attack, whether an adversary needs certain privileges, etc.