#cybersecurity

pretty displays 😃

Oh yeah

Love me a good readline interface

is that sarcasm

No

I really do like good "readline" (I don't know what the actual term is) interfaces, like Metasploit, Empire, etc.

yeah

CLI

lmao

good CLI

readable CLI?

¯_(ツ)_/¯

Yes

Many interactive CLI interfaces use GNU Readline so I've taken to calling them "readline" interfaces

But that's probably the wrong term

oh i didnt know that haha

Yeah

TBH it's a poor description

But dunno what the heck to call them

Because a "CLI" is really general

lmao

pretty CLIs

¯_(ツ)_/¯

ye

HACKERCLIS

I call them interactive interpreters

\

@chilly elk yes

How is this related to #cybersecurity

BEGONE

The trash at the right of pickle is not recognized

is gone thot

BEGONE!

Welp

i wasnt calling you a thot

just like BEGONE THOT

👀

@chilly elk I got gdude all that behind my back for using ret&#&#arded

So don't say thot or he's gonna to follow you

Shit I said thot

Hello gdude

BTW where did the people at tech went? @safe bear @chilly elk

And don't act surprised

"where did the people at tech went"

Yeah

Wut

/tech/

What's that

:thonk:

You know the tool is legit when the author is a weeb

weeb masters

@safe bear new Info/Recon Tool coming 👀

in python3 though

That's a bad thing?

what is?

Python 3

ohh nooo

bc Datasploit has something like this

but thats all python2

So what is this doing exactly

Twitter?

twitter information

yeah

it will have other Social networks as well

shows common hashtags and user interactions

going to add common keywords as well

Have you heard of https://github.com/SpiderLabs/social_mapper

Are you planning to open-source?

@safe bear yes ive seen that it was on OSINT top 10 i think

Probably

and we dont know yet. We might make it into a paid program

I saw it at DEFCON 26

Recon village talk

plz no

it will have a web interface eventually though

😦

Mmm

i will make one myself

with most of the tools

that will be OS

you can have this code if you want

https://gist.github.com/M4cs/8f761e4df6ce7921fac56efd1d51f81a @safe bear here is the gist

Oh awesome

@safe bear Do you have the part of Defcon 26 where he presents it? Sorry, I'm on the car right now

found it

https://www.youtube.com/watch?v=ejEkjbAyAMc

@chilly elk Great to see the new stuff

Known savaged you for a while

"Have you heard of" 😂

hahaha

BabySploit was a meme 😦

lol

It got popular fast

yeah thats true

the name lol

I wasn't intending to be savage, just wanted to point out a related work

But hey I'm alright with being accidentally savage

https://latesthackingnews.com/2018/11/27/mirai-bot-targets-linux-servers-through-hadoop-vulnerability/

Guess so @thorn obsidian
Unexpected comeback?

Unfortunately, that include majority of users.

What type of project should I be aiming for as a cyber security enthusiast?

@thorn obsidian the thing is that mirai attacks webcams and usually people dont really care about the update status of their webcams. Interestingly enough a research team actually wrote a worm to attack the webcams the same way, take them over, delete the mirai bot and then secure the cam against further attacks but as that still counts as hacking they werent allowed to use it

@thorn obsidian Whats new?

Posting this here because it's relevant to the topic. Been eyeballing this, but I'm reading negative things about Packt books. A few of these are actually full course videos. Can anyone tell me if this would be worth it? https://www.humblebundle.com/books/cybersecurity-packt-books

@granite harbor Do you want book recommendations on cyber security?
I heard about this topic though, I prefer O'Reilly media.

Not really looking specifically atm, but that slapped me in the face so I figured I'd ask. lol

Oh, still some of them are good.

I'll dig around a bit more, it's still up for 12 more days, so I've got some time if I decide to pull the trigger.

@thorn obsidian just because jha is locked up doesnt mean all those IRC skiddos wont keep it alive

Can’t spell his first name

Dev of mirai

is there a way to make a python file unreadable

no

at most you could obfuscate it

oh well time to learn a other languag e

this kind of idea is usually misguided, tbh

even if you were using a language that compiles directly to machine code, it's not possible to stop a determined person from reverse engineering it

they can disassemble it, run it in a virtual machine, step through one instruction at a time, etc

in general just trust that most people will follow the rules, and, like, if someone steals your product to sell a competing version you can sue them

1. it should be a python script that downloads an file then executes a executeable? 1. i dont know who steals it 2. im not over 18 to even sue 3. sueing would cost more then i would probaly get back

🤔

All 3 of these are true right?

Well, 2nd one is a maybe. I'm not sure of the relevance of it matters or not, but it is an abbreviation

they are true yes

Why do we have so many Macs

I can't memorize all this

aw

second one is the MAC of a pc iirc

Would you consider the statement true in a security exam?

(I'm not actually taking one now, just revising old exams in preparation)

mac is short for macintosh 😛

anyway, I'd say they're all relevant to security, too

depends on if it's a security exam where other network related or crypto related topics are in scope

Crypto-y

message authentication code is a crypto topic

The course is about software security .

Not much networks

i'd be inclined to say they're all true and try to challenge them if they mark any wrong

it'd be the worst kind of trick question

Thank you nontheless, Time to re-read the aspects of Scalability, maintainability and recoverability for software resilience

Yeah, I'd probably do the same knowing that they all represent something

if i saw any of the questions in isolation i'd answer true without a thought (well, I didn't actually know Media Access Control before today)

Me neither

But given that I know about it now..

Well, let's hope the questions dont come up

7&8- Network related
9- Cryptography related

👌

@silent pier All three are correct.

Mandatory Access Control is a general concept that is applied in many areas of security. The main competitor is Discretionary Access Control, which is what you see in Linux and Windows filesystems. Real world example is SELinux, which implements Mandatory Access Control (fun fact, SELinux was originally an NSA project, and they open-sourced in 2000.)

Media Access Control purely a networking term (it's a OSI Layer 2 technology). Real world example: run arp -a. The ARP table maps IP addresses (Network layer) to MAC addresses, aka physical addresses. They're unique to a physical interface, and used to address devices on a local switched network. (Also, I'm the developer of the only [AFAIK] Python module for MAC addresses...so probably know a bit too much about this).

Message Authentication Codes are actually commonly used in networks ("checksum") to check message integrity, e.g. prevent your neighbor turning on their microwave and making your bank transaction is 2^4 times larger.

(NSA reference for those curious: https://www.nsa.gov/news-features/press-room/Article/1637367/national-security-agency-shares-security-enhancements-to-linux/)

ARP is a bit complex...

Short version is that when you want to talk to another computer(1), but your computer doesn't know the MAC of that computer, then an ARP broadcast is used to discover the computer. Essentially, your computer sends a packet to every device in the LAN(2) "hey where can I find 192.168.0.1". 192.168.0.1 then responds with it's MAC address. There's also gratuitous ARPs, where devices can proactively broadcast their IP address. Either way, your hosts ARP table gets updated, and used for future requests.

As you can imagine, this is horribly insecure. The attack is known as "ARP spoofing", and it's the most common (and effective) form of a Man in the Middle attack. Ever wonder why public Wi-Fi is dangerous? Your data is often unencrypted. However, the higher risk is a man in the middle attack using ARP spoofing, since the attacker can not only read your data, but send you where-ever and what-ever they want, like malware instead of Google.

1. When I say "wants to talk to another computer", I mean by IP address. This is often known from configuration information (your default gateway), or a hostname lookup (usually on corporate/business networks).
2. LAN is a loaded term here. Really, it's any "broadcast domain". These are usually subnets, but could also be a VLAN (Virtual LAN), or a physical broadcast space (like wi-fi, or hubs if you're old).

tl;dr I know

This is helping me refresh a few things, going to teach this and much more to high school students in a few days...

Nice explanation, thank you

Very well explained.

Thanks.

This stuffs getting refreshed in my mind right now, so if you have networking questions now's the time lol

Lol, mind is blank now.

@safe bear https://pepy.tech/project/babysploit 3.7k downloads in 3 days...

LOL

Aren't you fancy

im just surprised it hit that many on pip

i dont remember posting anywhere

¯_(ツ)_/¯

hn?

hn?

ohh

hacker news?

they posted before it was on pip

i only put it on pip 3 days ago

Mmm

Im making a loader for a cheat

Basically getting a file (dylib) then using osxinj (dylib injector) to inject it

Yeah

because I don't wanna get banned

It's signature checking (anti cheat)

No

Im Talking about cs go

I can show u that injecting a dylib is perfectly fine

And won't be checked

Alright

Im making this for a special game Mode

where hackers play vs hackers

Yeah no. We're not going allow that here. It's an obvious ToS violation

You should know better

!warn @thorn obsidian Attempting to make a hack for CS:GO, which would violate their terms of service and rule 5 of our server

:ok_hand: warned @thorn obsidian (Attempting to make a hack for CS:GO, which would violate their terms of service and rule 5 of our server).

Im not searching help for the cheat

What the hell

No but you're advocating it and saying you'll even demonstrate.

Don't even act surprised

Yeah by pictures on the internet

and linking the GitHub to the dylib injector

I mean I can make it something more drastic if you prefer, but that's why I went with a warning

wow chill out

I was asking if u can decrypt a file

For an intent we don't support. Drop it.

Yeah I got it

lmao fire

@velvet isle If you've got nothing helpful or useful to contribute, don't bother saying anything.

@thorn obsidian Sorry if it wasn't clear when you joined, our rules and new user propaganda could use improvement. Basically this is not the server to discuss "cheats" and such things, since we have a fairly strict rule against helping with anything that's a violation of any Terms of Service or laws.

Does this channel only include security involving python?

I’d like to ask a question about web application security.

@quiet patio You can ask anything related to security.

Okay, thanks.

I’ve recently been testing a web application for a bug bounty. I noticed that input wasn’t validated in the user description input field. I used the classic payload <script>alert(1)</script>
It should have worked fine as the payload was being injected between <h1> and </h1> tags. (This is a stored XSS btw)
Anyway I went to the view user profile page and didn’t get an alert box. I went ahead and inspected the HTML and sure enough my payload had been injected between the h1 tags. After looking at the requests in Burp Suite I noticed that the x-xss-protection: 1; mode=block header was present in the requests. This meant that the browser will block XSS payloads from executing. However, this is only meant for reflected XSS right? In a persistent XSS situation the browser has no way to distinguish the XSS payload from the actual source of the page. So how is my payload not getting fired? It’s injected perfectly... could there be something else preventing it from firing? Thanks, I’m new to web application hacking so forgive me for any mistakes. Thanks!

I'm not experienced with web app security, but yes, that's for reflected xss

If you're actually injecting into the HTML, maybe try and run the attack locally?

Also, have you tried using a variety of browsers

@safe bear I never intended to do that and was searching help in making a python unreadable

@tight sentinel u shouldnt do ctfs if you dont know that

@quiet patio is the output being html encoded when you view the page source?

@quiet patio I believe that certain security headers disable code in <script> tags

Anyone has experience with objection and frida here ?

https://youtu.be/L3PPWVPg2WI

@thorn obsidian no

I believe my problem has something to do with the websites CSP security policy

Web app pentesting is something I wish to return to someday

Gotta ask perms before I play with whoever it is

@quiet patio If you're still confused I know a guy, he's a web application pentester you can ask him.

Woah robin is online

Whats new

I been preparing for exams still

Same.

Speaking of CSP - I just posted a security headers project in #303934982764625920 - would love any feedback

https://gbhackers.com/android-application-penetration-testing-1/amp/

can anyone make a better download checker for ios please as every time i get sent something on WhatsApp it downloads to my phone without asking and i want it to stop

TCP is 3 way handshake communication so it sends firstly 1) SYN by end system then 2) SYN-ACK by server 3) ACK by end system. So doing a nmap scan like $nmap -sV -p "port" "IP address"
So we receive a ACK packet that port is open(TCP scan), but how we receive a ACK packet when doing a UDP scan as it connectionless afaik. I searched on it but still confused.

As far as I know UDP does not return ACK packet.

It would be nmap -sS btw

-sV runs the version detection scripts, -sS is SYN

As far as I understand it, nmap is basically shooting in the dark with UDP

It has a bunch of scripts for known UDP services, like SNMP

A review of the Nmap docs confirms that

https://nmap.org/book/scan-methods-udp-scan.html

Table 5.3. How Nmap interprets responses to a UDP probe

Probe Response    Assigned State
Any UDP response from target port (unusual)    open
No response received (even after retransmissions)    open|filtered
ICMP port unreachable error (type 3, code 3)    closed
Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13)    filtered

It will try all of the scripts for UDP services (e.g. DHCP, SNMP with common community strings, etc.)

If it gets any sort of response, it will be marked as open

Any type of response considered as open?

Thanks, KnownError.

@thorn obsidian this is for any security questions even on iOS

if whats app automatically downloads files that is not a security problem?

at least not as long whats app didnt make a big mistake

Uhm

I got a question

are we able to decode binary data like this

neither

https://gyazo.com/0902ca4b73f720a3780419fe6a87447a

thats not binary

oof

im dumb what is it

hex

are we able to decode it

its just numbers

its like 1 2 3 13 3434

but with a different system

if its inside an executable or something it represents certain opcodes for the CPU

its

in sqlite db

"BLOB"

well then it is some sort of binary format maybe a jpeg or something like that somebody decided to store inside the db

so can it be decoded somehow

im getting an output like this

its just file content

there is nothing to decode about it if its part of a binary file format

I2MDUxODkzNjQ3NzY5NjIw.Du...

oh

but as its a BLOB it can be anything

there is not enough context for me to find out what to do with it

well i know what it is

then tell me

the key name? its just id

what

its an ID used for identify users and its stored in there

why would you store a user ID as blob

that doesnt make sense

yea idk

i know the actual id

but it has another layer im guessing

my id like MzE1OTE1ODE1O... and the decoded is NDI2MDUxODkz....

OH

I FOUND IT

oh im stupid jesus christ

yeah u do hex decoder first

then they rot 13 encoded it

or not

i did it but lost it

@thorn obsidian yea it is. I was inspecting it which didn’t show the HTML being encoded. The page source did though. My bad.

https://gbhackers.com/wireshark-2-6-5-released-vulnerabilities/amp/

all good @quiet patio glad you got it figured out

@safe bear

👀

fuck me

i need to stop rushing shit

i mean i guess cryptology works tho too

You made a GUI for BabySploit?

Nevermind, it's a website.
My bad.

@chilly elk looks like a gui based on settings button...what'd you do it in

@safe bear right now only the setting menu

needs work

What are you using to make it?

Qt?

pysimpleguiqt

Ah

Hence the questions last week, should've put two and two together 😅

yeet

@chilly elk Woah can't wait to see whats new

http://www.houseofbots.com/news-detail/4206-top-6-best-python-libraries-for-cyber-defenders-python-engineers-must-know-

@chilly elk Still confused..you made a GUI for it or a website?

https://www.theregister.co.uk/2018/12/05/flash_zeroday_adobe/

le fucking sigh

@upbeat palm GUI

Why GUI?
CLI gives the feeling and a good practice for new user since it mainly designed for the beginners.

@upbeat palm Just as a side project

@chilly elk Im hyped for it, so continue

Make it primary, it's damn good for beginners.

yes

yes it is still used

there is a major credit checking agency in the UK that requires Flash AND ActiveX support

"Major" being like in the top 50 or w/e in the country

somewhere.

https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/

Empire oh lol

Talk about script kiddies

Indeed.

Development of exploit takes a lot of time.

So they grab one off the shelf

Except Empire is really really well known and has a ton of IOCs

Definitely stealthy 🙄

ioc?

Wow, lost internet just as I was about to respond for over an hour

Indicator of Compromise

ah

Generally it's used to refer to any traces of malicious activity

What that generally looks like are Yara rules (for network Intrusion Detection Systems), file signatures, and host artifacts (e.g. process names).

There's actually a special file format for sharing IOC information, but I don't know a whole lot about it beyond US-CERT sending them out sometimes

That was just bad practice, remember how some group made ransomware with PyCrypto.

so i just visited my optician and they had two devices where you could sign with a pen on a touch pad and from that it would digitally sign a document using that signature but without putting the written signature into the document
1st question: How can they be sure that if i sign there again i am actually the same person, nobody can perfectly dublicate his own signature its gonna be a tiny little bit off for the touch screen every time you sign so whatever public/private key they derivate from that signature is gonna be different every time too -> as a matter of fact the digital signature on the document should be different too
2nd question: How would one now verify that i actually signed the document if the computer doesnt get the signature in writte form (and doesnt get the private key too obviously as that would compromise the whole process) and the only way to prove i actually wrote my signature is to check if the private key equals my written signature (which i cannot replicate 100% accurately every time i sign)

Optician?

guy who makes glasses

but thats not important

its about the signature

god i must get one of the devices to check how they work.....

Only KnownError can know about this afaik.

i actually do have two ways worked out in my head

Why not to tell then?

first way, they somehow managed to derive the same key from the written signature every time
second way, the device saves an image of the written signature and the private key
when you then want to verify that a document is actually signed by somebody you check the signature on the thing using a public key you got from the written signature, then you send that public key to the device which then checks which private key corresponds to the public key and shows the image corresponding to that private key

and then you would see the written signature

Much more like Google lens work mechanism?

i am sure a guy who fakes signatures could trick the first mechanism

Performing image recognition.

image recognition based on one example image is not realiable enough for this

Then how it performs signature verification?

read my second way

Oh.

That might be a way to sum it up.
But I really wanna know about the mechanism of that device.

YES

me too

shoudlve asked where they are from

Next time?

in a year

heh

min

(-_-)

@safe bear you got any idea about the written signature to digital signature thing i asked above?

Honestly I don't know

When I've signed PDF documents, it seems like it takes my written signature, and encrypts it with my digital signature

ok i must have one of these thingies

That or it's just security theatre and the physical signature is the same as clicking a button

thatd be funny

where do yall find resources to write cyber security scripts for py

GitHub

https://github.com/sbilly/awesome-security

"awesome-*" repos are a great starting place if you want to learn what's out there

There are also a lot of repos that professionals use to collect their scripts

Just do some searches on GitHub and filter by Python language

Ok

thanks @safe bear

np

Hey, the proper way to encrypt AES with a string is to hash it's hash as the key, right?

https://github.com/sindresorhus/awesome

What you just said doesn't exactly make sense

The proper way to encrypt anything with AES using any key is certainly not to use just a key

You'll have to use something like CFB AES if you want to encrypt it properly

And how you shrink the key string down to 128 192 or 256 bit doesn't matter in the end as long as it's at the correct size

so I have a string, run it through scrypt, and then use that hash AS the key

is that ok?

sorry if I was unclear before

No that is insecure as it's using the default mode

You must use another AES mode like CFB to properly secure whatever you encrypted

scrypt uses a salt too, that still isn't enough?

The key is not related to the modes

If you use the default mode the blocks don't depend on each other CFB achieves that

That is a lot more secure

(that is btw the reason companies like Google build libraries which provide secure cryptographic functions because you can make so many mistakes even if you don't implement the algorithm behind it yourself (like using default mode with block ciphers))

yeah, I didn't know there was more too it than I initially thought

That is the exactly the problem these libs address

I'm using pyaes for my project

Default Mode

it's unfortunate these things aren't clarified in the actual documentation

Other modes

I think the difference is fairly obvious

very

https://github.com/ricmoo/pyaes#stream-feeder this is what I am using

Ah good

The example code is already using CBR

So your code actually does stuff to avoid the vulnerabilities of the default mode you just don't know that

well that's definitely a relief, you honestly had me worried for a moment

The modes thing is a huge problem in for example java

how so?

Java doesn't use secure modes per default, you have to specifically tell it to, so there is so much code which uses insecure modes

I wonder why it wouldn't be so by default

Somebody (I think Google) even wrote a linter to find such issues

from a novice perspective, that doesn't seem like good design

One would wonder about lots of things java does

that's one thing I like about python

after learning quite a bit about it through documentation and pycon videos, everything seems to be very well thought out

https://twitter.com/GossiTheDog/status/1072466957604192257

great twitter thread on Equifax breach

Seems good.

Good ?

I saw something about some cert expired 18 months ago

If I remember

Some cert?

SSL certificate

anyone good with assembly/binary files and willing to help me out?

Learning these days, not good enough to help.
Maybe LappySheep can help you. @cedar wasp

https://smallstep.com/blog/everything-pki.html

https://www.vulnspy.com/en-phpmyadmin-load-data-local-file-read-local-file/phpmyadmin_(allowarbitraryserver)_arbitrary_file_read_vulnerability/

Another week another critical vulnerability

Just read the weekly US-CERT vulnerability summary email :)

https://oversight.house.gov/report/committee-releases-report-revealing-new-information-on-equifax-data-breach/

https://arstechnica.com/tech-policy/2018/12/was-your-phone-imaged-by-border-agents-they-may-still-have-the-data/

Is it dangerous to show a MAC address?

no

alright

so if I was to send it to like 2 billion people no one could do anything

hypothetically

i mean they could assume that if they see that mac in a network it is you (although people can fake macs so that might not always be true)

also sending MAC addresses around is a necessary part of the process of routing packages through the internet

Reason I'm asking is that I'm working on a game for a gamejam and want to make it a psychologically interesting game

and your character is your MAC address

and I'm just worrying that I'll get into trouble as I'm sure the Youtuber who's hosting it is gonna upload a video of him playing the games

and if he leaks his MAC address it'll be all on me

in general other people cant really do anything if they know your MAC afaik

well as long as you arent on the same network that is

and if you are they can usually easily figure it out themselves

so no additional risk

alright, thank you

Just keep in mind they're not necessarily universally unique

In other words, don't use it for a unique player ID or anything

very nice lmfao cough cough skid @frank stirrup

What

Yoy can ignore them, @frank stirrup; they're no longer on the server.

@frank stirrup the game is gonna be like hacknet?

Sounds good

In hacknet, they use random ip's

More like doki doki literature club

In the sense that it looks at your data and files

And uses that to alter the story

@velvet isle

@frank stirrup Oh wow

I'm interested

https://www.quantamagazine.org/mathematicians-seal-back-door-to-breaking-rsa-encryption-20181217/

sealed a backdoor that was never there 🤔

if its mathematically provable that something is not possible it doesnt start getting impossible the moment somebody proves it

what about good old Shor's algorithm?

quantum computers arent good enough yet

and apart from being able to factor primes these two dont have anything to do with each other

So the article is bs?

wow

remote code execution in CISCO packet tracer 10 minutes after I started investigating it

What is dat?

cisco's network emulation tool

simulation, even

however, it's pretty good

quite accurate, devices work sort of almost exactly like their irl counterparts

it even includes scripting (in the form of Scratch modules haha)

Lol

@thorn obsidian well they are mathematically right but their talking about how people fix vulnerabilities in equations etc is just bs

oh ok

Oof

guys i have a question. lets say i wrote a keylooger, or a backdoor program in python that allows me to download or upload file from the device that i inject my program. if that device is android, is it still possible to run these programs? or they would only work on pc? if they would work only on pc, how do people hack phones?

i dont know if this is a silly question, but i wonder

I would actually consider it an inappropriate question and not the kind that we field here. @pale mountain

I would advise you to not ask about this kind of question in this server again

@quiet viper well, im sorry then. just wondered how do people actually hack phones

Again, not something that is discussed here

@quiet viper do you mind if i ask why? i mean the purpose of my question is actually understanding how to run programs on phone, and how can we protect ourselves from these kind of actions

Because while you personally may have pure intentions, the next person who comes around might not. As a rule, we do not discuss things of an illegal nature or give assistance on projects that would violate the terms of service of any other service.

See Rule 5

!rules

@quiet viper alright, sorry for bothering. thanks

Thank you for being understanding about it

@thorn obsidian Can you elaborate on the RCE in Packet Tracer?

Also I had no idea you could script it using Scratch...lol

@safe bear not before I write it up, disclose it to CISCO and get the okay to publish it 😬 sorry

Is hashing a password or something once enough to keep it secure?

@thorn obsidian No worries, I wouldn't expect you to share details, was just curious how you could even get RCE since it doesn't have any real external network stuff AFAIK

@tepid venture if youre doing it correctly, id say so

Salt and up to date hashing algorithm should suffice

@safe bear with the scripting included in 7.2, it sure does

it also has IPC, multiuser, etc

loads of stuff actually

Hey there

Got a security question

Anyone here willing to help?

@sick trail ask away and someone who can help will be sure to answer

!t ask

Hey there
Anyone willing to help with some server security/devops?
I'm receiving a bunch of requests from a certain IP in my flask application deployed using docker

185.224.134.225 - - [20/Dec/2018:15:30:33 +0000] "POST /xmlrpc.php HTTP/1.0" 404 164 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.224.134.225 - - [20/Dec/2018:15:30:36 +0000] "POST /xmlrpc.php HTTP/1.0" 404 164 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.224.134.225 - - [20/Dec/2018:15:30:37 +0000] "POST /xmlrpc.php HTTP/1.0" 404 164 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

How do I block this mf?=
Tried IP tables, Cloudfare blocking, but still recienving this WP vulnerability attack

lol wow...

Hold on

@sick trail Could it be a docker service ?

So, I'm using an ubuntu server on digital ocean

I'm using docker containers inside it

No, I'm pretty sure it's an attack on some sort of WP vulnerability. (which I'm not using)\´

However, I would still like to block this IP somehow

Any ideas?

No idea. Im doing some searches

it's quite normal to get requests from random ips trying common exploits on your server. but usually they aren't persistent as they give up after they find that your host isnt vulnerable

Yeah I had something similar in mind

Like how you can use shodan to find open s3 buckets

It works by sending requests

i have a server on scaleway and it gets all kinds of crap
id say that more than 98% of the requests are bots trying exploits

😄

nice little sample
0 genuine requests in here 😂
most of them get a 301 redirect to https and dont follow it

Just keep good practices in mind, and don't do silly stuff and the common exploit attempters will go away

silly stuff?

like wut

There are many silly request stuff one can do

it's just automated ip range searching usually so theres not much you can do anyway?

like query based of request body / url.
parse input from user etc

ahhh as in protection yeah

The future is cybersecurity is weird

Imagine, we can relay messages from our command line to slack then to discord

😏

I just wanted clean logs.

Clean logs.

Is that to much to ask?

😢

Lol

Clear them overtime then @sick trail

I know, but I wanted a way to have control over the ips that visit my container as well.

Or write code that excludes certain things from the logs based on some condition

I mean, is it to much to ask that when I block an IP on CF it just works

Yeah, but that doesn't solve my original problem

Bloking this little fucker

Hmm welcome to the future man

Nope, I refuse the future

That's how I just managed to block him

sudo iptables -I DOCKER-USER -s 185.224.134.225 -j DROP

Done.

I'm don't have to accept these guys pinging my server because they want

And I should have access to tools to block them.

For future reference, if you want to manipulate the iptables (firewall) of a docker container, make sure to use the -I DOCKER-USER flag

@sick trail try fail2block.

@verbal python thanks but I managed to solve it. See my previous message

@verbal python isnt it Fail2Ban?

Yes, it is.

Thanks, @orchid notch .

How could a hacker get my IP if i use a VPN? Let's say that they can't do it legally through a warrant, get me to install malware or find anything about my location through my social medias.

they probably can't unless they try to get on your network

i know that you can trace people using Tor by looking at the sizes of the data packets going through the Tor machines and if you see a data packet sent to a Tor machine with the exact same size of one that has just left the same machine and been sent over to www.shadywebsite.com then they can probably discern that it was you going to that website.

its probably the exact same with any vpn

i could be wrong however

does tor encrypt your traffic? or does it just bounce you around nodes such that it'd be a pain in the ass to track you?

iirc both

it uses onion routing which basically means it adds a layer of encryption everytime it goes to a different node

but the size of the data stays the same so you can still track it

so even tho youre intercepting encrypted data, you'd still know the size of that data

yeah

so you can see who sent it to the tor servers originally

isnt it possible that 2 people could have the same data size?

yes

which is why its not 100% foolproof

and isnt there a thing called packet lost?

tbh im not an expert on this so i probably dont know all the details - i just got the basics from a computerphile video

lol

heres the video if you want to watch it yourself

https://www.youtube.com/watch?v=QRYzre4bf7I

it mainly talks about encryption in that video tho

in which i am a big fan of

😃

Also, someone told me scrypt is better than bcrypt but I wasn't so sure, anyone can confirm or know which is the best and most efficient hashing algorithm?

@safe bear Linux display:

windows display

looks decent imo

@tropic bay Im glad to explain such thing to you

There are VPN's with different protocols and settings...

By default, some VPN apps encrypt your traffic and forward it over a secured connection through their servers and so on

However

Your real IP can be exposed via stuff like DNS leaking and WebRTC if the vpn app does not cater for security at these levels

No wait

f.vision is the site

refused to connect

Hm

Hold on

no no

f.vision connects

the 1st 1 didn't

I'll show an example

looks like nord did it's job?

Im using psiphon vpn

See my real ip is exposed still ?

Because of webrtc

The psiphon vpn app was not programmed to cater to fix that

so.. a gud example would be my picture then?

So don't look at vpn as a overall secured thing

Your pic shows one ip for both

Is it ugh?

no thats not the actual ip

the actual ip looks more like your's

😀

Yeah to conclude

It matters which vpn provider you use for security

Do read up stuff on them before you feel comfortable about your security

welll i thought they were all the same. i bought nord for 3 years cause it was cheap LOL

Lol

They are not all the same

They make us feel like that to make the explanation of the term vpn simple for non technical people

yeah

now u mentioned DNS leaking

Um

Doesn't need an explanation

Just refer to info about the vpn you use

But I don't know much about the dns part besides your isp can be exposed

Like how f vision showed us

Its just another kite paper security thing

😂

^

Plus you don't even know if free vpn services log your data

lol

All I do is bypass blocks to game sites

Or protect myself from mitm

well yeah. if you're actually trying to hide from the likes of the FBI, you'd need a lot more then that. mitnick talked in his book about how you'd need to run a lot of barriers infront of your pursuers. something like paying the vpn via prepaird credit card, buying a new computer and only use that computer at a public wifi etc..

o yeah?

sounds like youre rather strong on that stance

I don't need to hide from FBI

Them cyber stuff ain't that big in my country

Except that parliament got hacked more than twice

🙄

We have cybersecurity laws and people still get off with stuff

because we don't have the technology to catch cyber criminals

Im speaking of my country

We do have maybe but wth are they doing with it

Guyana

Neighbor of Brazil and Venezuala

lol

The physical security at our parliament sucks

well seems like we got guys run ning around encrypting their stuff with "password, "ilovemydog" or"12345" as their password. no wonder they get hacked lolol

Someone once came in dressed as Santa to give a politician a dictionary while he was arguing

Next time. I tell the security I used to do internship here and I want to see x person..
I get to go in their office while they are not there

Where the server room is

What even guys?!

Get better security

wow

yeah ikr

https://twitter.com/internetfreedom/status/1075954903279943681

that's nuts

😦

worse than nsa spying

i broke the system

idk if this is a good or bad thing tbh

@chilly elk Hydra in chapter 2? Maybe a bit early.

Should cover tcpdump and/or tshark if you have experience with them

nah just for fucks

i was just tryna fill it out

havent even finished chap 1

It's 0200 why are you awake

its 4am

im always awake

Oh yeah you're a eastie

im so confused with your hours of operation

That is by design my good sir

Well I think it looks awesome

thanks

i got the UI down basicallt

@velvet isle Darn it...(-_-)

But how are they gonna do it, sudden rise in cyber security won't help much, it will take more than 5 years just to get it accordingly.

https://m.economictimes.com/tech/internet/china-hacked-hpe-ibm-and-then-attacked-clients-sources/amp_articleshow/67187821.cms

"according to five sources"
which sources, bloomberg buisness news was also talking about having sources when they published their super micro stuff but never listed them

Gem from last year I just discovered: https://blog.0patch.com/2017/11/did-microsoft-just-manually-patch-their.html?m=1

https://blog.cloudflare.com/protecting-elections-one-year-retrospective/

@thorn obsidian why would it not be a good choice? From what I hear its viable, People just dont tend to use it because its not standard and some feel it needs further testing

My first assumption was it being cost effective, I would think that he was talking about proprietary hashing

if it's not a cost issue, hell. Go for your advice

Y(yeah) sure but you can alter how cost effective it is. And its not recommend ed to give up security for speed, to some degree ofc u can.

Are there any groups trying to update old Python 2 tools to Python 3 so that frameworks and what not could be updated?

i know about a group of people in fedora updating all the python stuff as they are kicking out python 2 before EOL, basically what they do is find python2 libs and the applications depending on them and then remove them / force the package maintainers to tell upstream to update their applications to python3

@orchid notch thats what i want to do aswell

since i see a lot of offsec tools using py2

its time.

new years resolution: update all py2 offsec tools to py3 lmao

is it a python2

kill it

@chilly elk There are some that can't be converted because they're relying on a target node's Python, notably Empire.

Since OSX system python is 2.7

And they need it to work on old versions of OSX and Linux

true

fair point

i want to use faraday since their BM head keeps bothering me about it

and asking to help

but i dont wanna write py2

Is anyone familiar with Paramiko library? I'm having issues authenticating due to a pre-login interactive banner while trying to ssh into a firewall

https://github.com/xoreaxeaxeax/sandsifter

https://www.ragsec.co.uk/using-uri-to-shell-via-discord

TightVNC server open w/ no password and DMZ is open

How screwed am I?

@ocean timber what's your VNC username

I think anonymous or whatever the default is

well, I haven't come across botnets that scan for VNC servers yet, however at least choosing a strong username would be way more beneficial

Def

But I was just testing it

I have no need for remote desktop

test VNC but stay far away from telnet 😂

Has anyone had issues with setting up https://mitmproxy.org/ transparent proxying on macOS, it doesn't seem as if the rule set from https://docs.mitmproxy.org/stable/howto-transparent/ in the macOS section are being applied.

To be honest, I have no idea how to approach enabling transparent proxying on macOS Mojave.

What is VNC @thorn obsidian??

Basically RDP

but safer ig, since exposed & open RDP's get scanned for, however VNC I'm still yet to see anything like that 👀

@thorn obsidian its basically when you share a graphical interface of a computer/server over the internet through some kind of protocol

I don't understand it cuz i'm new here

do you know what SSH is? and how you connect to a shell remotely?

Nope

.

do you know when u open cmd

Yes

and u get a black terminal

Yes

SSH is the same, but remotely

and you log into it

VNC is the same, but it provides you with the computer's screen instead of a terminal

So SSH is the dame as CMD?

well it's usually a bash terminal but yeah, you gotta log into it tho

its a protocol

also

also here https://en.wikipedia.org/wiki/Secure_Shell

But i don't need to log in cmd but SSH u need to log in?

well yeah cause if you don't set a password your server will get swooped within a day

ssh you need to log in with the credentials of the server you are trying to access

^

What u mean with server?

Do you know what a server is?

Nope

https://www.youtube.com/watch?v=zlv9dI-9g1U

+vouch

😂

Ahh thank u

It uses easy words to understand

A server is basically a computer

Okay thank u soo much @thorn obsidian @signal kernel @thorn obsidian

psh

np

yw

https://sdf.org/

I think they provide telnet & ssh accounts

@thorn obsidian https://www.youtube.com/watch?v=SwLdKeC8scE

wrong ping

😂

@thorn obsidian

look at the video i sent

explains stuff

I watching it

But what they mean by client?

@signal kernel

@thorn obsidian

they explain it

You may wanna check pinned message.

I did

you

anyone who requests from the server is a client

^

Ahh okay

in some cases you can have a server thats a client to another server

Oj

Oh*

good point, for example, when you visit a website, the website will be hosted on a server, however it might request information on an external database server.

Yup.

or since we're in 2018 it'd be you -> CloudFlare -> Your website -> Possibly an external image CDN and a database

2019*

o

yea

LOL

😂 I lowkey forgot

Hello guys. Who of you is interested in threat modeling presentation that'd contain notes and whatnot? It'd be based on a thread modeling book. If any of you are interested, kindly let me know if you might want anything in specific to make sure to tackle it or answer you on it. Please tag me if you send a message where you are targeting me.

@hexed onyx threat modeling ?

you have a book or sumn?

Threat Modeling: Designing for security.

send on...

https://medium.com/bugbountywriteup/sputnik-an-open-source-intelligence-browser-extension-da2f2c22c8ec?source=collection_home---4------0---------------------

thanks KGB but I'm not going to install your plugins

Is Dashlane or LastPass more secure? (I'd use KeePass, but I'm on a Mac :/)

Don't know much about LastPass or KeePass, but Dashlane has served me well so far

I've been using 1Password, and I don't really like it.

Based on what I know about dashlane, it has a master password that is not stored or transmitted over the internet. It does not store authentication hashes for new devices, so that you have to enter a token from a valid device to verify a new one. It stores your passwords locally and on their servers using AES-256 where your masterpassword is the key, that again is never stored anywhere.

Their services are hosted on Amazon AWS, and regularly audited by security experts. They provide the use of 2FA. They have a password generator. The functionality of it on desktop is super simple and makes life easy, it gets a bit more difficult on mobile, but probably because I have not enabled the auto fill in stuff there.

To get the full benefits you need the premium feature which costs a bit, but you can "cheat" it by recruiting people. Where if you recruit someone to register you both get 6 months of premium i believe it is.

That's about what I can think of on the fly about dashlane

Damn, you seem to know your way around

Thank you, Chibli!

I'd compare it to whats out there about the others and make the decision about it youself

I will, but thank you!

Haven't really found any Catches within lastpass

Does Dashlane publish the results of their security audits?

@thorn obsidian been in the same boat. Used 1Password but didn‘t really like it apart from the design. Also paying money to host my passwords on someone else‘s computer felt a flight bit wrong. I‘ve been using KeepassXC for quite some time now and I love it, its super great to organize everything with. There‘s also a browser plugin for firefox and global autotype for everything else. The only issue I have is finding a decent iOS app. Would highly recommend

ababout passwords..

this is just sad

Unsurprising

I'm a bit surprised that "penis" isn't on that list...

Maybe people are afraid of getting an error message like "Sorry, your password is not long enough"

😄

badum-tss

If you don't wanna install fancy GUI stuff use vault for password managing

Its made in python

https://github.com/gabfl/vault

info about sqlcipher

I am trying to use Violent Python to learn/do more stuff in Python regarding Pentesting but quick question: isnt crypt a default even in 3.x?

like I cant call the module in a function.

it gives me ModuleNotFoundError: No module named '_crypt'

_crypt is not part of stdlib

no like the book uses Python 2.6.5 if I recall right

crypt not _crypt

right ?

so crypt is still a part of Python's library

crypt isnt part either

at least not for me

_crypt would mean its a c module

This is what the author did

right after this

so yea

it 'is'

why cant i import it

😦

idk

I did import it in my Pycharm

runnin 3.7

OH

but I cant work it

I could try hashlib

you have to compile python with specific options so it compiles the _crypt c extension so it works

I dont think I can work it

thats the reason

so turn crypt to _crypt?

crypt is part of both for me

lets see

lets read the docs of that module

I dont understand what that is suppose to mean

so apparently its only available on POSIX which explains why i on windows cant do it

Mmh

mac is only partly POSIX so it might be that it doesnt have this crypt lib

Let me ask this then

cryptWord = crypt.crypt(word, salt)

Not sure which type of hashing is this

salt was defined as salt = cryptPass[0:2]

but yea

lets ask the posix crypt standard

http://pubs.opengroup.org/onlinepubs/9699919799/functions/crypt.html

(have to go now not sure if this helps ill be back soon)

well I am trying to make this work both on Windows and Linux so by best bet might be hashlib

yup

I recall SHA-512 was not 'decipherable'. Am I correct?

Only 'bruteforce' etc

everything is bruteforcable

lol

and tbh its just a matter of time until somebody finds a collision attack on SHA512 but for now its secure

technically true

PBKDF2 is a modern and great hashing algo tho

And argon2

and bcrypt

Situation matters for choice

You don't always need the best

PBKDF2 is for password derivation

never seen it used for hashing

    client.send("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n")
TypeError: a bytes-like object is required, not 'str'```

import socket

target_host = "www.google.com"
target_port = 80

# Create a socket object
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect the client
client.connect((target_host, target_port))

# Send some data
client.send("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n")

# Recieve some data
response = client.recv(4096)

print(response)```

Don't get why its string

I followed what my other book said

(changed my book to Blackhat Python)

I didnt do anything different or wrong

but yea

Anyone could help me? I could write .encode() but its not what I want afaik

yes you do

he is writing python 2.7

there it wasnt needed

@thorn obsidian

oh...

oof

but if I do .encode()

import socket

target_host = "www.google.com"
target_port = 80

# Create a socket object
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect the client
client.connect((target_host, target_port))

# Send some data
client.send(("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n").encode())

# Recieve some data
response = client.recv(4096)

print(response)```

b'HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.google.com/\r\nContent-Type: text/html; charset=UTF-8\r\nDate: Fri, 04 Jan 2019 19:55:58 GMT\r\nExpires: Sun, 03 Feb 2019 19:55:58 GMT\r\nCache-Control: public, max-age=2592000\r\nServer: gws\r\nContent-Length: 219\r\nX-XSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n<TITLE>301 Moved</TITLE></HEAD><BODY>\n<H1>301 Moved</H1>\nThe document has moved\n<A HREF="http://www.google.com/">here</A>.\r\n</BODY></HTML>\r\n'

Process finished with exit code 0```

I get this

not exactly what I am suppose to get, right

@orchid notch

@thorn obsidian maybe try connecting to another page whihc doesnt use ssl

i could imagine google doesnt allow http access anymore so it says document moved

hmmm which site would you suggest me to try

cause all the sites I tried are giving a similar string

http://example.com/ maybe

however the server responds with valid http so it apparently understood you are doing an HTTP request so the encode fixed your problem

Like I changed google to example

import socket

target_host = "www.example.com"
target_port = 80

# Create a socket object
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect the client
client.connect((target_host, target_port))

# Send some data
client.send(("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n").encode())

# Recieve some data
response = client.recv(4096)

print(response)```

still same

b'HTTP/1.1 200 OK\r\nAccept-Ranges: bytes\r\nCache-Control: max-age=604800\r\nContent-Type: text/html; charset=UTF-8\r\nDate: Fri, 04 Jan 2019 20:29:58 GMT\r\nEtag: "1541025663"\r\nExpires: Fri, 11 Jan 2019 20:29:58 GMT\r\nLast-Modified: Fri, 09 Aug 2013 23:54:35 GMT\r\nServer: ECS (dca/24D5)\r\nVary: Accept-Encoding\r\nX-Cache: HIT\r\nContent-Length: 1270\r\n\r\n<!doctype html>\n<html>\n<head>\n <title>Example Domain</title>\n\n <meta charset="utf-8" />\n <meta http-equiv="Content-type" content="text/html; charset=utf-8" />\n <meta name="viewport" content="width=device-width, initial-scale=1" />\n <style type="text/css">\n body {\n background-color: #f0f0f2;\n margin: 0;\n padding: 0;\n font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;\n \n }\n div {\n width: 600px;\n margin: 5em auto;\n padding: 50px;\n background-color: #fff;\n border-radius: 1em;\n }\n a:link, a:visited {\n color: #38488f;\n text-decoration: none;\n }\n @media (max-width: 700px) {\n body {\n background-color: #fff;\n }\n div {\n width: auto;\n margin: 0 auto;\n border-radius: 0;\n padding: 1em;\n }\n }\n </style> \n</head>\n\n<body>\n<div>\n <h1>Example Domain</h1>\n <p>This domain is established to be used for illustrative examples in documents. You may use this\n domain in examples w'

no?

not the same

thats exactly what you want????

it gave you your html page packed inside an http response

@thorn obsidian

so TCP Client should do that?

this is the perfectly valid http response to your request

everything is behaving as expected when looking at the code and the result

https://www.reddit.com/r/ReverseEngineering/comments/ace2m3/come_get_your_free_nsa_reverse_engineering_tool/ed7trl2/

@thorn obsidian Why don't you just use requests?

Thanks for the share Jason

March 5th mark yer calendarz

Will be awesome to have another solid open-source competitor to IDA

The comments from hash_define make me excited

https://github.com/Mebus/cupp?files=1

What does cupp do?

It's basically made a word list for dictionary attack with the given inputs like Name, DoB etc.

If you're making a wordlist for specific person.

Ahhh

I was just using something like this a few months back while doing some OSINT stuff

can't remember the tool

Nice.

@safe bear Hemlock told me to ask such in #cybersecurity and not in Help channels

@thorn obsidian About what

Oh

Such questions; from my book

I was asking why don't you just use the requests library?

And doing pentesting and alike in Python

Oh

Im dumb

I just woke up so

https://github.com/requests/requests

What is an application banner grabbing or application banner?

I am a bit unsure what that means or is

There's a lot of articles about it, check out the wikipedia one or documents.

IIRC it's grabbing the response from connecting to a network service e.g. the MotD when you login to SSH

https://gitlab.com/edu4rdshl/blog/blob/master/why-telegram-is-insecure.md

I use Signal

I never saw Telegram as being any better than Facebook or Whatsapp

Interesting discussion nonetheless

The crypto discussion good as well

I really don't like that phone number shit though

Why not?

Do you not have a phone?

Signal is best, no doubt.

What do you people think about Wire? https://wire.com/en/

interesting

matrix is still my favourite though

https://matrix.org/

https://www.cyberscoop.com/house-democrat-bill-election-security-measures-2019-hr-1/

cause if I give you my phone number, you get my phone number. I can't as easily disassociate with that.

maybe I want to Signal message you but not get SMS from you. oops, can't, same ID.

@left pecan https://threema.ch/en

That may suit you over signal then

😉

@velvet isle https://gitlab.com/edu4rdshl/blog/issues/2 https://twitter.com/Edu4rdSHL/status/1081730231797510145

Some companies try their best to give us what they think is great while our desires are wild.

Just my opinion

¯_(ツ)_/¯

yeah lmao

Valid ✅

lol

(note from the FSF, free software does not have to be free as in free beer)

Does make it easier to sue for damages when you have a receipt

Hey, im trying to do a super simple example of a SQL injection on my own localhost server and im wondering what's the easiest way to set up a input field to be vulnerable to it?

Tbh im looking for a completely unrealistic example lol

id = input()
f"SELECT * from table WHERE id = {id};"```

Thanks c:

@safe bear did Macs leave here ? Not finding his @

@thorn obsidian U might find this interesting 😂

@velvet isle Nice!

Lol

We had him close some ports later on