Tony
@TJ_Null

Blue Teamer in Disguise. Blog at https://t.co/spa33ybIVL. SANS Netwars Champion. Former community manager and founder of the Offsec community for @offsectraining

Joined March 2013
490 Following 23.3K Followers
Pinned Tweet
Tony@TJ_Null·
As Promised! I have decided to update my guide for preparing for OSCP. The guide is full of new updates and information to help you prepare for PEN-200/PWK 2.0. If anyone wants to read it here it is: netsecfocus.com/oscp/2021/05/0…
Tony@TJ_Null·
It’s time!
Tony retweeted
ippsec@ippsec·
Probably one of my favorite @NetworkChuck Videos - youtube.com/watch?v=dbMXi9…, loved the take on his hatred for ai, but also loves it. Definitely in the same boat, it scares me how capable it has become in such a short time. The other thing that really scares me is the frontier labs will likely always be a black box. The specific thing that scares me is how they use the data they collect. AFAIK - The Terms of Service when paying for the API and Subscription are wildly different, and I don't see much talk about that. I believe the API gives the user a lot more ownership over the data, whereas subscription, it is retained longer, and there are far fewer legal protections. I hear numbers like my $200 subscription can cost them anywhere from $2000 to $10,000/m. That's a lot of money to lose, and I know the money loss is offset by many things like the majority of users not making full use of their subscription -- But I can't imagine AI always being this cheap. So, a fear is that I will become dependent on a service that I will be priced out of in the future. Additionally, many platforms (ex: reddit/twitter) put things in place to stop AIs from freely harvesting data, but I don't think those types of stops really block them when users are installing tools on their devices. For example, the "anti-bot captcha" isn't really doing much when the user has an extension that gives the Frontier Lab the data behind that block anyway. Is this data sent to them? I really don't know but it seems the threat landscape has rapidly changed when it comes to data collection. I don't hate AI; it is wildly fun and does make me feel like a "10x engineer". I just hope it's a service that always remains available, and places don't start closing the doors once they have everything they need. As odd as it sounds, and I can't believe I'm saying this, but I hope GRC can aid us here.
It would be nice if AIs obeyed when sites told them to go away, but my experience is the AI recognizes the site doesn't want them, but also acknowledges it could be prompt injection, so it trusts the user over the service. Obviously, the user could do some type of prompt injection so the AI doesn't see the refusal, and local models can always ignore it -- but at least it would help places stop the unintentional leakages due to ignorance. I imagine it's easier to kick users off the platform that use prompt injection to bypass guardrails versus when nothing is stopping them. I really hope I'm just ignorant here, and someone can post why I'm wrong.
Tony retweeted
wetw0rk@wetw0rk7·
Have you ever seen a CVE and want to turn it into an exploit but don't know how? Check out my latest tutorial where I turn CVE-2018-1160 into a fully functioning exploit! Video can be found here: youtu.be/SOZDiB7uhdI
Tony retweeted
Om Patel@om_patel5·
This guy got tired of copy pasting between claude code, codex, and gemini so he built a chat room where AI agents can literally talk to each other. You tag an agent in the chat and it reads the conversation and responds. Agents can tag each other too. The whole loop runs itself. It's completely local + free and open source, which is crazy. The agents can even debate decisions, assign roles, and track jobs.
Tony retweeted
Rotas Security@rotassec·
Another Rotisserie joins the Rotas ranks. We scooped up Ken Nevers as our new principal security consultant. ONE OF US! ONE OF US! #wehacktheplanet #rotisseries
Justin Elze@HackingLZ·
@7h3h4ckv157 Still lots of areas to do cool stuff. I’m also not sure who still uses Kali.
7h3h4ckv157@7h3h4ckv157·
I truly wish I’d been born in the 1980s, so I could have pursued my passion in its golden age instead of today’s era…! What’s your take? :)
Tony retweeted
DяA | daniruiz@dani_ruiz24·
I've been packaging multiple new tools for Kali Linux
💠 adaptixc2: post-exploitation framework
💠 wpprobe: WordPress enumeration
💠 sstimap: SSTI detection
💠 xsstrike: XSS scanner
💠 gef: modern experience for GDB
💠 fluxion: security auditing and social-engineering
Tony retweeted
Marshall';--🐼🍌@MJHallenbeck·
#NetExec v1.5.1 with a security fix is now live on Kali! Please run `sudo apt upgrade netexec`
Tony@TJ_Null·
@MJHallenbeck The Kali Linux team pushed this update yesterday. It should be in the latest repo as of this morning for users to update.
Tony@TJ_Null·
@MJHallenbeck Absolutely! In case there are any updates or issues in the future, I can check with the team to ensure it has been processed. Always happy to help!
Marshall';--🐼🍌@MJHallenbeck·
* IMPORTANT Information Regarding NetExec * A vulnerability was reported to us and everyone should upgrade ASAP to the new release v1.5.1 (Kali release in progress): github.com/Pennyw0rth/Net…
Tony@TJ_Null·
@syndrowm I switch to my normal cli from time to time
syndrowm@syndrowm·
@TJ_Null I'm still partial to normal cli... easier to pipe into scripts
Tony@TJ_Null·
I have to admit TUIs look much nicer instead of using actual C2 clients.
solst/ICE of Astarte@IceSolst·
Releasing tools is pleasant as long as you:
- don’t say it’s “secure” or “hardened”
- ask for feedback
- cherish the feedback (it is super valuable)
Too many fail at this and crash out or get defensive/combative
Tony@TJ_Null·
@HackingLZ Are you sure it is production safe to run in my environment?
Justin Elze@HackingLZ·
It’s wild that people keep shipping agentic pentest frameworks on GitHub but don’t even ask the same LLM that wrote it “Is this vulnerable to indirect prompt injection?”
Tony@TJ_Null·
@HackingDave Did you build the GUI or did Claude do it? I want the prompt for that front end please 😁
Dave Kennedy@HackingDave·
Added a new gui to btrpa-scan, sonar effect. Will track and pinpoint based on distance as well as utilize GPS data if you have it. github.com/HackingDave/bt…
Tony@TJ_Null·
@n00py1 This screams “I couldn’t care less about opsec”: let’s run everything that a “Red Team” would do.