#cybersecurity

Ok, I just wanted the ability to use the public and private key I had

http://pycryptodome.readthedocs.io/en/latest/src/signature/signature.html

here you go

(Thanks for going out of your way to help me)

reading the docs is essential

you will always have to do that

Yea, I’ve just had experience with hashlib recently, this was the only bog standard encryption I had to do so I was wondering if there was a simple way to do it, but I will go through and read the docs

actually most of the help you will receive (when it comes to libs) is either from the docs or from stackoverflow if you really have some problem with finding something etc

Yea, I had assumed that there was a simple and straightforward way to encrypt something, and the decrypt something with asymmetric cryptography . Seems like I will have to go through a few more hoops though

But seriously thanks for the help

https://github.com/fox-it/BloodHound.py

Also: https://github.com/CoreSecurity/impacket/

holy damn, that's some futuristic level stuff:

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.

I see harmj0y is really invested into AD environments

@cerulean falcon Yes, bloodhound is awesome. I was at the talk two years ago at defcon 24 where they open-sourced it, and its only gotten better since.

Enumerate domain using powershell scripts and dump to CSV

Import CSV into bloodhound

It creates a graph that you can then query for paths through the network

It's basically a treasure map of all the juicy places you need to hit on the target

Wow, for real? That seems awesome, gotta try that out :)

And you went to defcon? How it was? I've always wanted to go there

oh my

that's amazing!

@cerulean falcon They have an example dataset you can play with. Just clone the repo and follow the instructions on the wiki. https://github.com/BloodHoundAD/BloodHound

Yes, went last year and the year before

Planning to go this year

I enjoyed it

It's nice to go with someone, but I think you'll meet more people if you're alone

Lots of stuff to do

Of course there are all the talks, but you can also see those on youtube

What really makes it are the villages, the demo areas, the CTF areas, vendor zone, and various hangouts and such

There are villages for IoT/home, car hacking, ICS devices, wireless, networking (packet village, home to the infamous wall of sheep), social engineering

Also, the people that attend and present are actually really diverse

Like, the whole spectrum, even kids

Some are legit blackhats, but I think the majority are white/gray hats, generally interested in security, or just interested in technology

And a lot of gov't

tl;dr it's worth the trip

Oh yeah, movie nights (Ghost in the shell new movie was one I saw last year), and vendors throw legit parties but I haven't gone to any of those

Excellent resource for security learning, references, and real-world examples: https://www.sans.org/security-resources/

Does anyone have experience in packet capturing (not sniffing) in python? I can't find any useful library or tutorial for this. Any help / information would be great

scapy

@weak sapphire

also packet capturing is kind of like sniffing

with a little arp spoofing before

@weak sapphire scapy can capture and deconstruct packets

Also tcpdump and tshark are both useful command line tools on Linux for doing packet capture and analysis

I have some experience with deconstruction in scapy, and a fair amount in analyzing traffic and protocol reversing, so feel free to ping or message me with questions.

i've built some stuff in scapy too, it's nice

It's very nice

Layering is natural too by over loading the division operator

LiveOverflow on Youtube is cool

he doesn't really do Python stuff i think

but still good to learn security

universal concepts and whatnot

I'll have to check him out

BGP is the next thing, btw

https://arstechnica.com/information-technology/2018/04/suspicious-event-hijacks-amazon-traffic-for-2-hours-steals-cryptocurrency/

Extremely weak

There are enhancements but they have been implemented in a subset of ASes

Attack the smaller ISPs and abuse their ASes to redirect traffic whenever you please

Route poisoning at scale

yea, it's been a thing for a long time

these guys hacked multiple large ISPs and then used that to redirect traffic from AWS and google to their servers

they had millions in funding and stole millions in crypto

¯_(ツ)_/¯

anybody know how to use afl-fuzzer

american fuzzy lop?

no, unfortunately not

rip

sad

same tho

what is this section about?

talking about security-related things

this channel should really have a topic >.>

"Hacking, phreaking, encryption, and protecting yourself and your devices."

i should put it in #community-meta

Phreaking lol

I'm not putting in phreaking

it sounds like a hacker movie from the 90s

I put data sanitization instead. shoot me if that was stupid.

fucking american english

🔫

🍷 🔥

lol

https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/

Hoooot damn

Just commented this on the Reddit thread: "Perhaps a way to "link" GitHub, Bitbucket, etc. accounts using OAuth would be beneficial. This would demonstrate that the PyPI maintainer is the same as the maintainer on the source repository.

Additionally, I think PyPI should implement and strongly suggest the use of 2FA for accounts. Package signing using a GPG key and comparison of that key to the one on the maintainer's account would also be a beneficial feature."

Thoughts?

My thought is that you could add this yourself

They accept PRs

That sounds like a great idea

Do any other package indexes have this?

the problem with GPG signing is that now you need a keychain and gpg tools

not everyone using pip will have that

also you have to add it to pip

true

Yeah, I just don't have the time or desire to at the moment.

Would like to contribute to warehouse at some point, it's a awesome project

Oauth and 2FA would both be warehouse additions to backend and GUI

GPG signing would require changes to twine and other related tools, but I don't think you'd need to modify pip unless you wanted to verify downloads @marble dawn

Holy shit https://thehackernews.com/2018/05/signal-messenger-vulnerability.html

Security researchers have discovered a severe vulnerability in the popular end-to-end encrypted Signal messaging app for Windows and Linux desktops which could allow remote attackers to execute malicious code on recipients system just by sending a message—without requiring any user interaction.

Would be horrible if that was an electron vulnerability

@orchid notch https://www.bleepingcomputer.com/news/security/security-flaw-impacts-electron-based-apps-such-as-skype-signal-discord-others/

thats old

and already fixed

wait

no its yet another one

hah

amazing

Alright uhm I I just checked my task manager and there's this tree.com process that i've never heard about, am I fucked or am I safe?

prolly save

The description for it is tree walk utility

tree.com is a built-in .com file on windows i believe, hence why you can do tree in the command prompt to walk directories

so it should be fine

thank you

i'm just a little worried because i inserted a usb that i borrowed from my dad and it didn't work at all so i thought i was injected with a payload

i think you have little to worry about

and if you do feel worried, just end the process

¯_(ツ)_/¯

alright thank you a lot man

i appreciate it

also i know why the process is there now

i forgot that i had used the tree command yesterday

oh haha fair enough then ^^

Lol

Kek

I always make sure my man @thorn obsidian

It's going well i'd say keku

Not yet i'm gonna learn loops today and then i'll dew it

I'm starting to get the hang of it though

I gotta study today and tonight tho cuz exams are like tomorrow

This is off-topic

^

https://www.zdnet.com/article/ex-intel-security-expert-this-new-spectre-attack-can-even-reveal-firmware-secrets/

wew

Hardware is the new XP

hey guys , does any one have good guide for IP tables ?

I use UFW 🙃

I use iptables but I look up the commands every time :|

xD

@last ridge if you look up netfilter (the kernel module that iptables uses) they have guides for a bunch of stuff, including iptables

they're moving to BPF filters anyway

just learn that

i've been using nftables lately but it's got really shitty documentation

thank you gus 😃

https://www.youtube.com/watch?v=LtSA-nUSLuM

what's a good book for pentesting like Violent Python but for Python3?

Why a book for python 3? It's all just about concepts etc

True I already got some books for general concepts but I referenced Violent Python as it gives example of stuff and goes more into depth with using Python for pentesting.

@orchid notch why not learn for 3 since you're learning already 🤷

no there is no re learning process involved for 3 when it comes to cyber sec

its all about concepts

sure have to change your code style n shit

but the rest stay the same

you an exploit scripter? 😏

or how much aware are you about python cyber scripts?

i know stuff about cyber sec with python

and i can promise you

that apart from the syntax the whole process stays exactly the same

you will maybe have to search new tools here and there

dats nice yo

and i do believe that that is the difference with updates everywhere. New concepts that makes way for better ways to code

What Nix said

There are a few nice new things in 3, and a lot of libraries that haven't been ported to 3 yet. That's about it it.

No point in having a book specifically for that version...

Fixing older examples to work in latest version is usually trivial

which python book would you recommend to start off with? For sec

blackhat python was nice

also
https://www.neowin.net/news/teensafe-leaks-user-information-including-childrens-apple-id

don't do this

I remember when v-tech messed up and it turned out none of their stuff was encrypted or hashed

@hexed onyx Violent Python

Followed by Blackhat Python

Will do then @safe bear ty

Violent python 👌

For general sec, The Hacker Playbook was great 😄

What makes you say that @thorn obsidian ?

Yeah, if you're already experienced, they probably aren't going to have a lot to offer, but for beginners or novices I thought they did a pretty good job

Well, it's a book on using Python for security

What do you mean

Which book are we talking about btw

There was a lot of forensics IIRC

Like parsing Skype and Firefox DBs

Yeah, looking at it right now, you have recon, forensics, analysis, evasion, etc.

3 and 5 are what I dug into the most last time I went though it

Overall, it's showing you how to put together scripts that take some tool(s) X that work with technology(s) Y to achieve some objectives

Since Security is a huge space and if you had a book with examples for every technology that you might encounter, it'd be thousands of pages and be out of date in months

This is just the basics, like oh there are things on the OS you can process to get useful information

Or you can script portions of your analysis of data you collected

Blackhat Python is better at the concepts, but I feel Violent has more real-world and immediately applicable examples

im in half way of the blackhat python and it's really nice

Make sure you do the examples and exercises 😃

https://gizmodo.com/ad-blocker-ghostery-celebrates-gdpr-day-by-revealing-hu-1826338313

pleased i never made an account for it now XD

Haha that's wonderful, no one has reply all'd

How to not get hacced by zucc?

This channel ded

https://github.com/CISOfy/lynis

https://www.theregister.co.uk/2018/05/30/spamcannibal_hijack/

haha

ÑÅ¡ñN&r@ÑDݼqø“ʽêNúȧݖÈ#ÚhfˆG¡ÃìÉí³ü2!¾¦nV²¯dk:öËjæ;:§W€ZT¾­:7¬æhð®Qî^ÞSLŸIx``` this is the contents of the file when opened in notepad

Anyone has an idea what kind of file this is, how I can decode?

where have you got that file from?

i'm using a client for a game and trying to reverse-engineer how they are sending some data

why arent you listening to its traffic directly then?

i was intercepting with Fiddler

that was a HTTP request from their file service

which game is it?

Minecraft lmao

but a custom client

what about deassembling it into normal java

oh and btw

https://www.grahamedgecombe.com/talks/minecraft.pdf

google next time

it's not htat

it's their files

has almost nothing to do with minecraft

their files

yes yes i respect their privacy

but it downloads to my computer

if they are doing http requests its somewhere in the java code

so get the java code

it's not Java

what is it then

it's a client that launches an instance of the game but has many more features like steam-wise

and what is the client written in?

i can see that it's using the .NET framework from some config files

so its c#

ew

inb4 Visual Basic minecraft client

well maybe its some sort of chunk from a zip or tar or smth

I guess, it just makes that HTTP request, and the file has absolutely no information for me, so i'm just weirded out

that type of content is usually when I try to open a .exe with a text editor, do you know what it's called?

They probably have some private binary serialization format

ÑÅ¡ñN&r@ÑDݼqø“ʽêNúȧݖÈ#ÚhfˆG¡ÃìÉí³ü2!¾¦nV²¯dk:öËjæ;:§W€ZT¾­:7¬æhð®Qî^ÞSLŸIx```

the weird charchters

The file itself has no interesting magic bytes

just looks like raw binary data

thanks for trying to help out boys

@patent oracle you can use a tool called ILspy to decompile .NET code

If there's no magic numbers I think it's often a raw write of a serialized object

Like if I did b64 encode on the memory of a class and wrote it

Instead of using Pickle, which has magic number iirc

@safe bear probably heavily obfuscated

Still worth trying

will

If it's third-party they might not have the resources or expertise to do much if any obfuscation

oh it seems like the launcher isn't obfuscated

thank you

do you know if you can search the entire project for a word in ILspy?

seems like I googled it and it says they would have to decompile the whole project which would take time

Probably have to decompile it then do a search

I've never used it personally

if you don't care about seeing the source code, you could just use strings on it and then grep the output for that word

^

Hashes?

Yes!

So generally I use Yukon Gold potatoes...

Is that a reference to something I am blissfully unaware off?

Hash browns 😉

It's an American thing

Anyway

Yeah, so a hash is a one-way function

You give the function some input of arbitrary length, and it spits out a fixed-length output

If the input is the same, the output will always be the same

it's basically an advanced modulo

Yes

The main use is verification of data integrity. If the input changes (e.g. a file was modified), the hash will also change.

Additionally, even if you know the hash, it's very difficult to determine what the input was.

Which is important for security

so ideally the hash must look like a random combination of characters when in fact it's not?

Yes

Let's say I have a file containing the location of our meeting. If I send that to you, and an attacker modifies it, I'll know it changed because the hash changed. However, if the attacker can find a way to generate the same hash, with a different input, they could change the location without us being the wiser. That's what's known as a hash collision.

Or more practically, if there is a piece of software you trust, and an attacker wants to insert a malicious backdoor without anyone knowing.

but why would the attacker modify it in the first place when all he's trying to accomplish is reading and decrypting?

because it's way more fun to change things

This is an issue of Integrity

Reading is Confidentiality

if an attacker knows where and what kind of hash belongs with the data, they can just generate a new hash, though. signatures are the solution to that.

The assumption is that you trust the hash itself is correct.

so are hash collisions the reason why applications may provide two types of hashes (maybe MD5 and SHA256) to verify integrity?

Yes, you need to verify the source of a hash, otherwise the attacker could just put in their backdoor, regenerate the hash, and give you the new hash.

a usecase that primarily uses hashes is password storage. if you have a server that performs logins for many many important accounts, you don't want to actually store the password, what if your system got compromised? instead, store your passwords as hashes. you can hash incoming passwords, and if the hashes match, then allow entrance. if someone steals your database, they can't get the passwords out of the hashes because they don't go backwards.

No, they usually provide multiple hashes so people can verify the integrity even if their tools don't support newer algorithms

If they're salted

If they're not, you use a rainbow table and boom, I'm St Patrick

what even is a rainbow table?

rainbow tables only work if your users use passwords with less than ~36 bits of entropy

Also, hashes are not the same as a checksum

Which is common, people are lazy and dumb

tru

Rainbow tables are precomputed pairs of hashes and passwords

are there any down-to-earth algorithms to help me get the picture how a hash implementation sort of look like?

So you just search the table for the hash and boom you have the password

Not off the top of my head

oh that makes sense

this is a simple hash function written in c

unsigned long
hash(unsigned char *str)
{
    unsigned long hash = 5381;
    int c;

    while (c = *str++)
        hash = ((hash << 5) + hash) + c; /* hash * 33 + c */

    return hash;
}```

it is not very good

This looks reasonable: http://etutorials.org/Programming/Programming+.net+security/Part+III+.NET+Cryptography/Chapter+13.+Hashing+Algorithms/13.1+Hashing+Algorithms+Explained/

i mean, the simplest thing that vaguely shows the idea of a hash is a modulo operation

Also, someones you'll see "hashcode". If it's used in a Java context, it's not the same as a cryptographic hash, it's just a way to generate a unique number for the purposes of identification and optimization using hash tables.

Yes, modulo

another thing about hashes: this algorithm (k=33) was first reported by dan bernstein many years ago in comp.lang.c. another version of this algorithm (now favored by bernstein) uses xor: hash(i) = hash(i - 1) * 33 ^ str[i]; the magic of number 33 (why it works better than many other constants, prime or not) has never been adequately explained.

cryptography works really well because people know really little about how a lot of encoding processes actually work

"they just do lol"

if we had a native understanding of cryptography, we might know enough to run possibilities backwards vaguely fast, which would make them substantially more worthless

@idle elbow where did you get this text from? looks really interesting to me

No, it works well because it's based on hard problems that are difficult to compute in a reasonable amount of time

http://www.cse.yorku.ca/~oz/hash.html

Now, Elliptic Curve crypto sort of relies on that

and they're "hard problems" because we just sort of guess, right?

because we ain't know shit

It has a hard problem, but part of the reason it's hard is because the space is difficult for people to reason in

No...

I'm not a math guy, so I can't really explain the mathematical underpinnings

Like prime factorization for RSA (which is the current dominant algorithm for public key crypto)

which is only hard because primes are hard to find

Yes

which are only hard to find because we ain't know shit

Sure, someday the amount of clever tricks will add up to the point where it will be easy to break RSA, or maybe someone will have a really clever trick that makes a big jump

But that takes, you know, time and resources and knowledge

DES used to be a strong algorithm

Now it's easy to break

is that because computing power or because inherent mechanical weakness

What is mechanical what now

Oh

Mainly computing power, but there were also some weaknesses found as well, one of which made having large amounts of computing power more effective IIRC

Since it used 56 bit keys

And 3DES was only twice as strong, even with triple the key length

Also, the most common issue with crypto isn't even the algorithms

It's the implementation

Most reason example being the VPNfilter malware

They screwed up their RC4 implementation

https://blog.talosintelligence.com/2018/05/VPNFilter.html

Forgot a step in the S-box initialization

when are computers gonna have a really slow core that does all the kernel stuff and has all the write/read/exec protection enabled and several other cores that just execute really fucking fast with no permissions

because really how much of our information needs to be kept private

companies try to do both and then they have to issue hotpatches when a bug happens that "sort of work" and now your gaming computer is 15% slower and has a hardware bug

just have one core designed in 1980 that just works for all the kernel stuff with it's own separate memory

and 7 blazing fast cores with no cares about people very carefully writing assembly to break them

Yes, there are some architectures out there that do that

shit like what

But them appearing in the mainstream anytime soon...nah

Also, "because really how much of our information needs to be kept private" is a misnomer

Harvard architecture is a simple example, though it's not designed for security

I don't remember any security-specific ones off the top of my head, been a while

Google?

i mean there's the intel ME

but it's a piece of shit because it's not for your security

That's a poor attempt at one

There's also Intel SGX

it's for your company's security

Yes

and it's buggy

Yeah, it's a nice juicy backdoor

Not really adding anything for security

SGX though is an actual secure enclave

Which if you want a term to google there you go

Idea is you can execute code on some system isolated from that system

So even if there's someone on, say, your VPS, they can't necessarily read or modify the data being processed

I think Signal is either using it or looking at using it in their back-end

https://signal.org/blog/private-contact-discovery/

i was thinking, like, if you really wanted to be a dick about making something impossible to get at physically, you could just encrypt the data, take 2+ vpses, and just send the data over the network in a loop packet by packet, only deleting each byte/sending a new one when you get confirmation from your target and receive the next byte from the last node, only storing the data in cache and never writing to memory

flip off one vps, and the part of the key that was in transit to it is lost forever

You're still trusting the system though

get around it by getting root access and knowing how to read ethernet packets as they arrive, yeah.

They could just read the cache, or modify the code that's doing the sending/recieving

And sniffing traffic isn't difficult

it's got one thing going for it

security through obscurity

who the fuck would guess that

Now you're thinking like a big corporation 😉

hired

and also it'd be a hilarious prank

imagine being told your important file currently only exists in the ether between computers

i'm just wondering how much data you can have jammed in the route across the transatlantic cable

like what's the maximum amount of data per ms latency you can store

You could have a whole network of VPSes, geographically located to ensure maximum latency between each node in the network

lol

you could also do it with one dude

and like

7 proxies

Heh

y'know what hold the phone i'll be right back

Good meme 👌

What is this 1990

What's a "phone"

i can't find any easy libraries that allow me to stack proxies

cry

Just use one library and call 7 instances of it

make your own

wow how did i never realize this channel existed

By paying too much attention to #ot0-fear-of-python @thorn obsidian

probably

oh my GOD these router people have no idea how security works

I just listened to a Darknet Diaries episode about that

"remote administration? SSL ONLY! any certificate is fine though we don't check em"

"yea, you can add custom firewall rules. you can include custom rules as bash scripts tho. they get executed as root"

Are you talking about home routers @thorn obsidian

same bugs exist on all of this company's routers, they mostly do home routers (but not just)

also 80% of the routers in Estonia come from this company

because our ISPs resell them

What's the company?

This sounds like potentially privileged information...

I want to hide a password into a peice of code, how do I do that?

pls someone

@everyone

encryption

good thing that ping is disabled

"hiding" a password will be hard

like encryptiing at least

you can use hashlib, though: https://docs.python.org/3/library/hashlib.html

does it encrypt?

those are hash algorithms

aka one-way encryption

if someone gets the code then they can't get the password out of that

but you can check if a hashed password == the hash

laos

also

how can you download files from the interwebz using python?

@north rover

have you tried searching for that question yourself before asking?

Yes, i did

also, that's not a question that belongs in this channel

theres no category for that

see?

Hacking, data sanitization, encryption, and protecting yourself and your devices.

please move to a regular help channel

What hash algorithm(s) should I be using for password hashing

brypt and argon2 seem good

Bcrypt is widely recommended https://security.stackexchange.com/q/4781/66413

Argon2 is quite new

bcrypt

u sure?

Yes

Seconding b crypt

Or md5 poggers

No

is it possible to write a Python virus that includes a way to execute it on a computer without the python interpreter installed?

Yes

computers can do anything if you work at it hard enough

There are actual examples though

Generally using py2exe

programs like py2exe still bring down the interpreter. you can't make a standalone exe taking in python code. IIRC it's just a .pyd,dll that has the interpreter hidden alongside the exe.

And is massive

But still you don't have to install anything

It runs portably

It's just not great

Just write it in C, then wrap it in python and force user to download python, simple

Tbh python isn't for applications that want to keep their readable source hidden

py2exe blobs are reasonably small

Like 12MB for a decent sized project with multiple multi-MB dependencies

However, it hasn't been maintained since ~2014

Pyinstaller is best one I used, my scraper managed to become ~180MB so I either did something wrong or it's just that bad

but basically I'll never use python for distributing anything but raw code

Python is just big because you have to ship the interpreter with it

importing Requests and 1-2 other libraries with just print "Hello World" is like 50mb (but thats not really security I guess)

http://www.seas.upenn.edu/cets/answers/linux-best-practices.html

Only use the root account for systems administration. Login as yourself and su to root when you are doing systems administration.

what's the reason behind this?

i always use sudo

Dont randomly fuck shit up?

It just acts as a safeguard

if your normal acct gets compromised an attacker still needs sudo but if you only use root and dont have a normal acct your fucked

I see.

sudo, don't su

why

since you can mess stuff up easily on root?

Anyone know any good books/resources for using python for ethical hacking and penetration testing? Really interested

The only things that I can really find are simple brute force tutorials and low level port scanners

Idk of any python specifically; however, any type of pen testing / security hardening book can work. Since the principal is the same, it's just using python to implement those protocols / practices

Alright, i know some of the basics, but was just interested in writing my own tools and such

Thanks for the help

There's also a couple books on amazon / udemy courses

specifically with python but idk the quality of them

yeah i tried the intro to ethical hacking on udemy by zaid sabih or something

Lots of good stuff in it, especially for a beginner like me

OSCP is like the certification program too for pen testing

but its pretty pricy

it has a course / lab attached to learn the material, but im not sure what the presumed knowledge level is

Alright, I might check it out

Black Hat Python

Haven't looked to see how detailed it is

I picked it up in a Humble Bundle

Idk I saw some reviews that it was kind've outdated and too brief

but thanks for the suggestion

@high sentinel Black Hat Python is excellent. I also really liked Violent Python. Used both to do some teaching exercises back in school.

Also all the code for both is available online free.

Alright, thank you for confirming the suggestion!

Well worth the money to buy it if you can

Them

Sounds good

In response to the earlier discussion: you actually don't need a lot of what comes with the Python interpreter, on Windows and other platforms

You can strip out the docs, tests, helper scripts, modules in the standard library you don't need, etc

Basically just need the dlls and some of the core library py files

yeah im mostly like going to be testing the programs in the book on linux so

I was referring to the earlier discussion on python executables

Yeah, I recommend using a Kali Linux virtual machine, in either VirtualBox or VMware Player

From my own uses, Pyinstaller etc final sizes just depend on what modules you're using.

I had something that was using Pandas (and thus Numpy) and I didn't even blink at it until the final exe was 150mb or so.

I converted it to just use the csv module (Pandas wasn't really needed, just made things easier) and it dropped down to 15-20 mb.

anyone here?

does this seem like a safe way of generating session id's?

def CreateSession(UserID):
    chars = string.ascii_letters + string.digits
    SessionSize = 64
    sessionSecret = ''.join((random.choice(chars)) for x in range(SessionSize))
    print(sessionSecret)
    cursor.execute("INSERT INTO SessionDB (UserID,SessionID,Created) values(?,?,?)",(UserID,sessionSecret,datetime.datetime.now()))
    cursor.commit()
    return sessionSecret

random.choice is definitely the wrong place

the secrets module is suited for this

can it return a string with numbers and characters that wont mess up a cookie

how about this sort of password hashing and salting?

def Register(Username,Email,Password):
    salt = base64.b64encode(Username.encode())
    hashe = argon2.low_level.hash_secret(Password.encode(),salt,time_cost=1, memory_cost=8, parallelism=1, hash_len=64, type=argon2.low_level.Type.D)
    sqlStatus = sqltest.Create(Username,Email,hashe)
    print("Register")
    return sqlStatus

It's generally said that bcrypt is what you should use

it's easy, and industry-standard

some people have been recommending argon2 recently over bcrypt, any pro's / con's for either one?

well, for one, I've never heard of argon2

has it been battle-tested like bcrypt has?

https://en.wikipedia.org/wiki/Argon2

im also planning to implement a feature that checks in registeration stage the password against the HIBP leaked password api ( well the part of the hash of it)

SQLTerms = [
    'INSERT ',
    'DROP ',
    'SELECT ',
    'WHERE ',
    'DELETE ',
    ';',
    ';--',
    '#',
    ');'
]

def CheckInject(UserInput):
    if any(x in UserInput for x in SQLTerms):
        print("Injection detected!")
        return None
    else:
         return UserInput

Hmm, now to find out how to handle edgecases with weird usernames/first names/last names etc

yes i know its not the best and most secure one but its a tiny bit better than nothing at all

its not used for the protection, its just to detect if someone tries something,

there is a protection however

doesn‘t handle lowercase sql

and i sure hope you don‘t use this for protection lol

what‘s this for anyways

a signup and login from website, its used as a part of system that alerts devs in case of injection attempt

i have seperate input sanitization(in the backend), and all statements are prepared before used

ah, okay

hmm this might be better:

def CheckInject(UserInput):
    if any(x.lower() in UserInput.lower() for x in SQLTerms):
        print("Injection detected!")
        return True
    else:
         return False

just make the statements lowercase in the definition, saves you that processing power 🧠

Also, I believe str.casefold is more recommended for case-insensitive comparisons

bot.docs.get str.casefold

good point

any other symbols or words that i should add to the list?

also, does this seem like a good sanitisation for usernames and emails:

illegalChars = [';','<','>',',','--','#','file://','input://','(',')','\'','\x00','%3E','../','&&']
def Sanitize(UserInput):

    sanitized = UserInput
    for badStr in illegalChars:
        if badStr in sanitized:
            sanitized = sanitized.replace(badStr,'')
    return sanitized

no point in "sanitizing" passwords as they will never see the database fields as is, they will be hashed and salted before even mentioning the database functions

as if i did sanitize it it would limit that password complexity

aaand i implemented troy hunts hibp pwned password check to the system

this service will not allow leaked passwords to be used , maybe just my pet peevee but i get extremely annoyed by usage of weak passwords

Eyyy

Who wants to help me

Knowledge of encryption and python required. Pm me for more details

Please ask here

@viral sentinel I would go with a whitelist instead of a blacklist for characters. There‘s like a million weird characters you don‘t want

Like that weird arabian character or whatever it is that takes up half the screen

Just use something like .isalpha, or use a proper validation library

any suggestions for validation library?

django has amazing built-in form validation. Not sure what you‘re using

@lunar kelp as the faq says, we don‘t offer private 1-on-1 mentoring. just ask here

I already warned you yesterday not to start asking for things in DMs.

Ok.

https://wiki.gentoo.org/wiki/Github/2018-06-28

ok, so I wanted to submit code, that is sort of sitting on the fence between malicious and not malicious, I really cannot decide. So here is is. But one problem, It fails to work

can anybody explain why?

here it is:

=======code start ========

========code end ========

bot.tags.get codeblock

yep that's not happening

what?

did you even see the code?

yeah

what does it do then?

it seems like you're attempting to inject HTML into a network stream

The HTML is a script tag that embeds the coinhive JS

not exactly, I'm trying to inject a coinhive miner into a wifi hotspot

Yeah, I mean that's close enough

but It can be easly blocked

so it's not really malious

since starbucks did the same

No, it's definitely malicious

so gunshots arent malicious since they can be blocked with a vest

bruh, fine whatever

I use another server

a hacking server

yeah man, does that mean I can shoot @lament roost just because some guy shot JFK?

to answer my questions

please

end me

Go ahead, that'd be a far more appropriate place.

This is not that place.

performing something to the computer of another person without their consent, especially if it can potentially harm them in any way, is illegal

we're not going to support such requests

and we'd recommend you to stay on the safe side.

@marble dawn what? first your like Go ahead then your like no?

I don't get it

please explain

it's not appropriate for this server

oh

but I don't care if you end up on some hacking server

yay

seems legit

well, yknow, they aren't this server

not like I have control over them

lol

no hackers here?

yea, only me

lmao

A few of us have done pentesting

but realistically, we are creators, a lot of us maintain infrastructure

yea, bruh that code was pentesting

ahhh

yeah, sure it was

I totally believe that

/s

I cannot tell apart your sarcasm

I'm sorry

were you being sarcastic?

bcuz pen testing is injecting an actual malicious piece of code

yess

researchers been doing it all wrong this whole time

mm. Well, say hi to the rest of the crew, won't you?

that is corrext @lament roost is right

hello

!kick @thorn obsidian This is not a hacking server

:ok_hand: kicked NotaWirus_or_yes?#6430 (This is not a hacking server)

@marble dawn You got this dude botting

he dm'd me this shit as soon as I joined the server

I couldnt find a better room so apologies

Thanks for the report

This is fine

I love that the invite is broken lol

ikr

XD

Can you get me the discrim?

discrim?

he isnt even verified

btw

The uhh

he is stuck in the auth room probs

The part after the #

thats how he is probing newbies

one sec

465903518239424514

user ID

That works too

Yeah that matches what I have.

!ban 465903518239424514 Userbot, spamming users

:ok_hand: banned Lightness#6022 (Userbot, spamming users)

Thanks.

You can use #community-meta next time, if you want

he is in multiple servers aswell

Discord API, Steam etc

cant bother goin that way, contacting 5-6 servers

smh

You can shove an email to abuse@discordapp.com if you like

If you hold shift while you copy the message ID, it'll copy an ID pair you can give them in the email

eh

i got banned from hypesquad by a fucking furry

for using 🅱

literally 🅱

so idk

they abuse themselves

¯_(ツ)_/¯

HS has kind of an.. Well a poor reputation at the moment

how os

so*

whats goin on in that shithole

rn

🤔

It's not so much that HS is bad

But it's very popular and the entry criteria is kinda low

no like how does it have a bad rep rn

i know it is mostly fuckin kids goin in

thus they made applications a bit more "sophisticated"

So it ends up with a bunch of low-quality users

Anyway, maybe move to one of the off-topic channels

I've actually gotta run though

maybe yes

But thanks for the report

i gotta work on this code aswell

np

Stop hoggin' the cool channel 😛

I started python today so

https://automatetheboringstuff.com/

Thats how I am learning, instead of reading the ebook I got from https://books.goalkicker.com/

(Goalkicker's book was good, but too long I guess)

so

i forgot this was a thing but here is some security news

https://www.bestvpn.co/protonvpn-is-scam/

protonvpn is shit

but also intel just payed 100k to a security researcher for a new spectre bug

Isn't that the thing by protonmail?

yea

well no but yea

just read the thing

https://www.itnews.com.au/news/intel-pays-100k-bounty-on-new-spectre-variant-497684

They're a very trustworthy company, and I'm not sure a site called "best vpn" is going to be the best site for that kind of news

the creater of PIA blew them apart, bestvpn is just reporting by proxy

they're not that trustworthy

And PIA is..?

one of the largest VPN companies in the world

So like, a competitor

very secure as well

ok

but

listen to this

:P

their android app is literally signed by an advertising company that they share office space with which they claim to have no involvment with

sounds shit to me

not to mention the email system isn't that great either

they're pretty good with privacy but if anyone bothered to read the transparency page they would see the company regularly hands over data in advance without a legal warrent if they deem it "important"

that article is so oddly written

plus they deleted an account once because the owner didn't like that it was printed on a poster saying something dumb/racist

¯_(ツ)_/¯

because obviously journalism requires HEAVY USE OF UPPERSPACE CHARACTERS AND EXCLAMATION MARKS!

That article doesn't look very credible yeah

But I think they forgot something

yea the article is kinda shitty, it doesn't look that trustworthy but you can check the secondary sources

It actually doesn't seem even slightly credible

It states that ansible, mysql and statsd are tools for collecting data about users

I can't even begin to say how weird that is lol

i'm not sure if that's what they were actually saying there

Do you know what ansible is?

and yes

So then you know that it's a devops deployment automation tool and not even tangentially related to data collection?

yea, i'm not sure if the article was actually suggesting that

They list python as something that relies on user data

... which is run on various services like MySQL, Anisble, collectd, StatsD, ElasticSearch, Grafana, Influx DB, Python, and Couchbase.

ALL of these names rely on HEAVY USER INFORMATION```

They go on to say that companies don't make mistakes

Which is also excessively dumb

to be fair, protonmail dev talks directly here https://news.ycombinator.com/item?id=17258203

They complain that ProtonVPN outsourced their infrastructure instead of buying and maintaining their own worldwide datacentres

As if just anyone can do that

Your Android APK has a certificate signed by Tesonet. So do they control your Android VPN application or do you

We do. That was an error made during the time Tesonet was doing our HR which we are attempting to correct.

this is pretty dumb, why does HR from another company have the ability to cryptographically sign your android app

Yeah that is pretty dumb, but it's equally dumb to assume that nobody could make that mistake

None of this is hard evidence

maybe not of an advertising connection, but i see stuff that just puts me off of the company here

even if it's all just a string of dumb mistakes it makes me want to avoid them

I mean, that's your choice, but this article doesn't have an ounce of credibility

check the HN link, representitives of each company are talking directly

90% of it is just the author yelling about things they don't understand.

And being racist, lol

well

i just use OpenVPN myself

I don't use a vpn but I'd host softether if I did

OpenVPN is antiquated and unwieldy these days

speaking of security: i'm not entirely sure if this is #414737889352744971 or #cybersecurity, but I found out about this today, and found it .... bad, to say the least: https://github.com/moby/moby/issues/4737

That's just because ufw is an iptables frontend

hmm

Docker sets up its own iptables chains

yeah openvpn was a bit weird to set up but it works well now

And ufw is not aware of them

never heard of softether, will check out

mhm

You're not supposed to use ufw on a server, for that reason

Pretty much nothing supports it

@marble dawn consider using wireguard instead

oh

I like softether because it's easy

it's actually very nice, they're pulling it into the linux kernel source tree soon™

OpenVPN is tricky to set up correctly, it's very easy to use it and still not be secure

i started with ufw because thats what the digitalocean guids use

and its simple to use

i should probably look into iptables ..

Yeah it works fine until you do... Anything complicated

i guess

Iptables isn't hard though

incase anyone wants to check this out
https://www.wireguard.com/

it's pretty easy to use

hmm

i might give that a shot

That looks nice, but no windows support

i've heard of softether but i don't know anything about it

Softether provides a number of interfaces

well yea, it's a linux kernel thing :P
windows support could be added i guess

As well as a fully featured remote administration gui

If your client only supports OpenVPN, softether supports that

It's really a great all in one package

And it's free, so

why would you need a remote administration GUI on the VPN itself
sounds a little useless

Because VPNs are useful for more than shielding your porn viewing from the state :P

lol

You can do subnetting and virtual LANs and stuff

It's a very powerful system

https://blog.benjojo.co.uk/post/beating-the-broadcast-delay-world-cup
Calling the world cup goals 5 seconds before they happen

Oh yeah I saw the Docker thing in the weekly vulnerability summary yesterday

US-CERT stopped attaching CVSS scores in the summary a few months ago for some reason, really obnoxious

that sucks

hang on i have a thing

check this out, it's nice
http://cve.circl.lu/

could probably rig up some email system for it

Hmm

Thanks @thorn obsidian

np

Hello, I'm not sure what to ask, but I'm wondering if I can [easily] make a python webserver (using either http.server or aiohttp, or anything else really) that has inbuilt authentication using my company's Windows active directory

I'm not really sure how any of this works at all so I don't know what questions to ask xD

I'm happy to RTFM but I don't know which FM to R

If your only aim is to sign users in using their local credentials, I guess you can initialise an OpenID authentication flow towards active directory using oauthlib or similar

In that case I would suggest dragging Flask into the picture rather than a bare http server, so you can use flask_login for session management, plus there are extensions for LDAP and Oauth as well

Thank you, I will take a peek :D

I'd say go straight with Flask, the package I suggested earlier doesn't really do what you want

https://stackoverflow.com/questions/41684463/flask-active-directory-authentication

https://github.com/calebmadrigal/trackerjacker

Traceback (most recent call last):
File "C:\Users\rhysb\AppData\Local\Programs\Python\Python36-32\Scripts\trackerjacker-script.py", line 11, in <module>
load_entry_point('trackerjacker==1.8.3', 'console_scripts', 'trackerjacker')()
File "c:\users\rhysb\appdata\local\programs\python\python36-32\lib\site-packages\trackerjacker_main_.py", line 275, in main
if not os.getuid() == 0:
AttributeError: module 'os' has no attribute 'getuid'

@safe bear

lol

I literally just found this project 15 minutes ago

And I'm on a desktop

So, haven't run it lol

I just ran the examples it told me to xD

Whats a desktop got to do with it? @safe bear

What OS?

It's wireless lel

The only good OS

W10

That's incredibly subjective

Ah yeah, that's probably why

depends who you like

"Supported platforms: Linux (tested on Ubuntu, Kali, and RPi) and macOS (pre-alpha)"

since I think getuid is a POSIX thing

which is linux based?

You would probably run it in WSL if you have that setup

POSIX is the standard Linux and a bunch of other OSes adhere to

i can always run it on a virtual machine

or a VM yeah

WSL is probably less effort tho

i got a vm setup

lol

class Bot:
    bot.help()            # Shows this message.
    bot.info()            # Get information about the bot
class Doc:
    bot.docs.get()        # Return a documentation embed for a given symbol.
    bot.docs[<arg>]       # Alternative syntax for docs.get()
class Snakes:
    bot.snakes()          # This just invokes the help command on this cog.
    bot.snakes.about()    # A command that shows an embed with information ab...
    bot.snakes.antidote() # Antidote - Can you create the antivenom before th...
    bot.snakes.card()     # Create an interesting little card from a snake!
    bot.snakes.draw()     # Draws a random snek using Perlin noise
    bot.snakes.fact()     # Gets a snake-related fact
    bot.snakes.get()      # Fetches information about a snake from Wikipedia.
    bot.snakes[<arg>]     # Alternative syntax for snakes.get()
    bot.snakes.guess()    # Snake identifying game!
    bot.snakes.hatch()    # Hatches your personal snake
    bot.snakes.movie()    # Gets a random snake-related movie from OMDB.
    bot.snakes.name()     # Slices the users name at the last vowel (or secon...
    bot.snakes.quiz()     # Asks a snake-related question in the chat and val...
    bot.snakes.sal()      # Play a game of Snakes and Ladders!
    bot.snakes.snakify()  # How would I talk if I were a snake?
    bot.snakes.video()    # Gets a YouTube video about snakes
    bot.snakes.zen()      # Gets a random quote from the Zen of Python,
class Snekbox:
    bot.snekbox.eval()    # Run some code. get the result back. We've done ou...
class Tags:
    bot.tags.get()        # Get a list of all tags or a specified tag.
    bot.tags[<arg>]       # Alternative syntax for tags.get()
    bot.tags.keys()       # Alias for `tags.get()` with no arguments.
class Utils:
    bot.pep()             # Fetches information about a PEP and sends it to t...

# Type bot.help() command for more info on a command.
# You can also type bot.help() category for more info on a category.

bot.help()

#bot-commands

sorry

no worries

im downloading a Kali_Linux ISO

sad thing is

my 4G phone data is faster than my broadband

lol

welcome to australia

lol

yea, 4g at 1gbps but broadband down at 20mb tops

meme security
https://www.bleepingcomputer.com/news/security/hacker-steals-military-docs-because-someone-didn-t-change-a-default-ftp-password/

change your default passwords people

$200 for confidential service docs and tank crew operation manuals

THEY WANT $100 FOR IT

THAT SORT OF DATA IS WORTH

MILLIONS

BILLIONS

OF DOLLARS?

Yeah, but they won't sell it if they go that high

Who they gonna sell it too?

And what hacker was it

@marble dawn ?

How should I know that lol

was it a chinese hacker

a fucking russian

indian

korean......

lol

Australia just bought 6 of these

well 1 of them

and is getting 6 more

I mean

Who is actually going to need American tank crew manuals

Other than american tank crews

what

really @ebon torrent

australia has never had drones

too expensive

well they do now @thorn obsidian

We bought a 6bn drone from the US

6.7bn

jesus fucking christ

they're useless here anyway

its for border security

we're surrounded by fucking ocean

¯_(ツ)_/¯

we have the navy for that

waaaaaaa

Nope

woops

@thorn obsidian u in aussie?

ye

ah

nsw

qldd

Use the drones to bomb the illegal fishermen

^

https://www.smh.com.au/politics/federal/australia-buys-7-billion-unmanned-military-drones-20180626-55zln.html @thorn obsidian

RIP

what happened to the budget deficiet LOL

https://www.scmp.com/news/asia/australasia/article/2152486/australia-buys-hi-tech-triton-drones-monitor-south-china-sea

See

lol

we're BUYING them

When we could make jobs MAKING them in SA

But that might cost more

This is getting off-topic

Kinda

Best English Kali book?

https://github.com/eslint/eslint-scope/issues/39

I am writing a small game in python, using sockets and webinterfaces/html pages + babylon.js. All is fine. But some data need to go over SSL. Ok. But anonymous keys are vulnerable to man in the middle attacks. But a 'proper' SSL key costs what, a few hundred dollar per year... the problem also is: I want to distribute this game. So the key should work for all users.... now what...

is there some reason you need to use SSL?

Could you maybe use RSA instead?

I'm assuming you're talking peer-to-peer, and yeah, SSL will not work very well for that

if you're talking centralised, then letsencrypt will give you SSL certs for your site for free

RSA is symmetric, how would that help? That needs everybody who wants to communicate needs the same key

Waaaait no

with what am I confusing this right now?

I'm mixing up names, ignore me

the situation is this: a catan game, some user downloads it, runs it on his pc, is then serving the game, opens up port on router, then friends and he himself can connect as clients, play the game.

I need it so be secure when things like passwords are send around

So RSA is the asymmetric encryption, AES is symmetric. I should shut my mouth past midnight...

yeah RSA is probably what you want

you do a key-exchange during your connect phase

and then you just use the keys, and things are encrypted

Certificates are used to verify that you're not being intercepted or impersonated. These are what cost hundreds of dollars.

Just doing a peer to peer public key exchange and switching to symmetric keys doesn't require this, and can be done using a large number of excellent well-supported libraries for Python, like pycryptodomex and cryptography

https://pypi.org/project/cryptography/

https://pypi.org/project/pycryptodomex/

anybody here?

everyone's here :P

well since you're clearly here.. would you mind if I DM you ?

oh, i'm not sure i'd be able to help. i'm not much of a 'security' person, and we're not supposed to provide help over DMs if possible.

anyone know of a way of viewing or injecting bytes into the memory of another process?

WinHex Perhaps? https://www.x-ways.net/winhex/ 'RAM editor, providing access to physical RAM and other processes' virtual memory'

@drifting citrus

Hmm, any way to do it with python?

This tool is great btw

you could use ctypes and call the windows APIs ReadProcessMemory, WriteProcessMemory

i don't know if there's a library that takes care of this for you

@drifting citrus

Nice, how do I know where in memory a certain application starts and ends? I turned off aslr and deep on a vm so it shouldn’t jump around

tbh if you don't know the specific memory address of what you're looking for you probably won't get very far.

look at EnumProcessModulesEx though https://docs.microsoft.com/en-us/windows/desktop/api/psapi/nf-psapi-enumprocessmodulesex

and https://docs.microsoft.com/en-us/windows/desktop/psapi/module-information

just keep in mind this stuff is not trivial and python is not a great language to do it in.

so people often tell me their static site/blog/etc doesn't need SSL because it's not handling sensitive information
i've explained this a lot but maybe having someone "professional" say it will convince people
https://www.troyhunt.com/heres-why-your-static-website-needs-https/

Every site should be secured, and it's not even hard or expensive to do anymore

yea

but some people disagree

I'm inclined to not treat the opinions of people seriously who decorate their blog with a screenshot of an Adobe Flash Player 20 installer...

Judging a Book by It's Cover

By /dev/null

I've still read it and agree, but anyway, wtf why Flash 20?

because people still use flash

and the people using it have no idea what version is installed or why

Just like Java

lol

https://www.bleepingcomputer.com/news/security/ukraine-says-it-stopped-a-vpnfilter-attack-on-a-chlorine-distillation-station/

@thorn obsidian I'm so glad to see that people here understand why HTTPS is so important even on static sites. I've had the admin of a "hacking/security" server tell me that HTTPS isn't necessary if you're not handling sensitive data. Needless to say, I've since stopped hanging out in servers like that (and all the hacking/security servers on discord seem to have the same kind of people running them)

When I argued that it was still required on such sites, he said I was being needlessly paranoid -_-

the "security" servers on discord are full of kids who have no idea what they're doing

Exactly

i have a few that have a lot of industry professionals in them if you like

they get lots of cool people in there

Sounds like fun, though I mainly lurk to be perfectly honest ^^;

that's fine

DM me with links if you could

So @simple orchid how to programs like Cheat Engine and such read the memory of programs and such

Do they use the read process memory and such calls as well?

probably

Cool. I. Was just curious if it was
Hard to do in python because it’s not designed for it
Or
Hard to do in any language

https://github.com/volatilityfoundation/volatility

@drifting citrus @lament roost Volatility is probably what you're looking for

I haven't used it, but I know it's the best tool in Python and in general for memory analysis

From the perspective of a black box

You can use it for troubleshooting purposes, but I'm sure there are far better tools you can use for that if you have symbols and source available

I was just curious

@safe bear nah i gotta do blackbox against a video game im trying to hack for white hat purposes (im trying to make a twitch extension)

Yes, that's what volatility is for

Black box

Also, FYI, that's not "white hat"

That's distinctly Grey territory

Since it could be violating EULA and ToS, and you're not reporting any issues to the company

volatility isn't for that really @safe bear

it does a single pass over memory and generates a dump

when you're looking at games you need to hook the program and constantly re-read memory and stuff

plus it's nice to inject things in real time

unfortunately unapproved game memory injection for extension development, however beneficial the intention, is outside the bounds of something we can assist with in any case

we'd encourage that you communicate with the game's developer to create an official API for their product

I have static website that is ran through cloudflare

This means I have Https between the webserver and cloudflare

Is this secure in any way?

half way https, half secure...

Ok....

@tight abyss what about cloudflare + certbot?

Any difference to just certbot?

idk

@storm yacht why would you say that?
it's not very hard to do that stuff on a basic level

@cedar pelican do HTTPS all the way

back in 2013 it was revealed many governments rely on people doing halfway SSL to intercept traffic

which is just shitty

@thorn obsidian zim I'm gonna look Into certbot. Looks cool

👍

oh but also this is a meme
https://mastodon.social/@Gargron/100392158234898310

@thorn obsidian oh, I thought volatility was used for analyzing dumps in addition to obtaining them?

it can do both but not in real time afaik

for this type of stuff real time information is pretty essential since game states change very often

so most people just hook the game and read the process memory

Well can it do snapshots over time?

Going to look at it some more this weekend probably for figuring out how a uwp app is doing stuff

nice

i mean, you could probably make it work by doing snapshots but it seems much easier to hook the process and scan the memory for values you care about

you can just leave it hooked and have the program do stuff then keep looking around when you want

but idk

Yeah I'll have to see