#cybersecurity

@chilly flame Thank you 😃

No problem, hopefully it has what you're looking for.

I'll check it precisely when i back to work at night :). Anyway, even if it isn't it, then also thank you for try 😃

https://www.youtube.com/watch?v=kbn9UCRK2Qg

https://www.xudongz.com/blog/2017/idn-phishing/ - Are you protecting against addresses such as https://www.аррӏе.com ?

if I'm planning to change OS on my laptop (same machine; different os; windows to linux), is it necessary to regenerate ssh keys or can I just copy the ssh files over? security-risk wise

You can copy them over

Kind of depends on your threat model I suppose

@thorn blaze

ok great, thanks

Hi Scott thanks for helping my dude

Not sure what I helped out with but no problem

Is having https between a local server and Client a good idea for dealing with passwords being sent?

And is self-signed certs acceptable for local connections like this?

If you're talking about a client and server on the same LAN, self signed certs are probably fine.

Depends on your context of course.

@chilly flame They are on the same computer

It's a bit like "docker like"

I have a "dameon" of sorts

But it uses a http server

Not Unix sockets

oh if they're on the same machine just connect over localhost.

No need for SSL then.

I don't want non-root users listening in

I send passwords over the connection

Well that's down to proper user management and so on rather than SSL. If you don't want other users spying on the process they shouldn't have perms to interact with it.

But, if it's http, they only need to listen to localhost, or have I got that wrong?

If they're non root they shouldn't be allowed access to packet capture on any interface.. I think.

I may be having a brain fart.

Ok. That should be fine then.

I wasn't sure myself, but it sounds perfectly reasonable

If I generate a sequence of characters using the secrets module, can I then shuffle it with random.shuffle, or does that break the benefit of using a csprng earlier?

@craggy nest there should be no correlation between characters in the secrets module sequence, knuth shuffling it won't break that property, so you don't lose the benefit

ok, thats what i thought i just wanted to check. ty!!

@craggy nest keep in mind there's still some caveats, i don't know if you rely on the security of the shuffle, or just the secure randomness of the underlying sequence characters
If you rely on the security of the shuffle itself then you can still have a problem when it comes to how you perform it etc, say a time() or pid based seed could vastly reduce the number of shuffles you could generate from the sequence etc.
TL;DR: it is does not undo security of the secrets sequence, but there can be problems with regard to the security of the shuffle

ok, its for my implementation of the password generator for the qualifier, so i dont think it impacts security with my usage?

qualifier?

Code jam

tbqh, for a password generator i don't see the need to shuffle at all? why not just generate random bytes within the valid printable range (keep in mind that to do so with no bias you need to be a little careful how you handle reduction from say, full uint32_t range to the reduced printable range [0x20, 0x7e]

similar for uint8_t range, whatever the secure random stuff gets you, i didnt check the api

ah thanks, didn't know @ code jam, just joined here yesterday ;)

#announcements

cool, thanks

what i'm doing is, for the number/symbol requirements, i get a random number/symbol, and then i have to scramble them at the end so they aren't just sitting at the front? there's probably a better way to do it though

i see, this is to satisfy the requirement for a symbol or uppercase letter?
so suppose symbol is mandatory and length is 2 (you can generalize), you generate one random character, then one random symbol. you then shuffle.
whether symbol is at front or back leaks a little bit about the prng state of the prng used in the shuffle (as you used non csprng there). if you collect a bunch of those passwords, you can likely recover prng state and thus predict the outcome of the shuffle itself, thereby reducing search space if you have a whole set of passwords generated in sequence. this is a bit contrived, but a bit iffy imho.

also if you do it as i outline above you have a bias problem, if the first generated character is a symbol, you will then enforce the second one to be a symbol too, which is not good (though you can solve that easily)

im not sure i understand the last paragraph.

the thing checks if has_symbol == True if so, it reduces pass length by one and adds a symbol. then does the same but for upper case. then generates the remaining length of the password from all legal characters. so im not sure

also, what if you seeded random with the last character of the password? wouldnt that effectively make it so there wouldnt be a pattern?

So there's two things, let's consider bias first, and it's easiest to illustrate with length 2 passwords out of a set of 2 characters, 1 the symbol S, one the character C
What you expect for the probabilities is this:

CC -> 0
CS -> 1/3
SC -> 1/3
SS -> 1/3

Now what you have when you reduce length by 1 and then add a symbol is this:

CC -> 0
CS -> 1/2
SC -> 0
SS -> 1/2

After shuffling that becomes:

CS -> 1/4
SC -> 1/4
SS -> 1/2

Finally, if you decide to randomly add C or S when the first pick is S you'd get:

CC -> 0
CS -> 1/2
SC -> 1/4
SS -> 1/4

After shuffling that gets messier, but not in a way that gives you thirds.
That's what I meant by bias. It holds for larger character sets and longer passwords, but obviously the impact on the probabilities becomes smaller.

So really, things like this get complicated fast, and for small probabilities it's a lot easier to throw away things you don't want rather than generate what you want homogeneously.

As for prng state, it's a bit contrived, theoretical, and more complicated. The point is the symbol in the output leaks a bit about the prng state of the shuffle. The seed is unrelated at that point really (though a valid separate problem if it's shite).
The easiest way to see if there's impact is to, say, know/leak N sequentially generated leaked passwords, where N is enough recover the state of the shuffle prng. This which would then result in a reduced keyspace for passwords N+x where x integer and >= 1 (because you know the shuffle outcome you know the index where the symbol ends up at that point).
It's not huge, but I'd get rid of that correlation, and if you want to shuffle do the shuffle with a csprng as well just to be on the safer side of things.

Ok, I can see what you mean, as far as the statistics. I'm not super understanding the last paragraph, so I'm sorry if you answered this in there. If the C and S are crypto safely generated, does being able to predict the preshuffle results really matter?

Also as a solution, it sounds like it'd be better to generate a password of C and then if it requires an S pick a random C to replace with an S?

Updated a little, I made some mistakes writing it up initially.

The second thing is a minor and much more theoretical issue. The impact isn't huge, but I'd get rid of it in a professional tool. Doesn't sit right with me.

ok, that makes sense

Also, what do you mean by preshuffle? Aren't you post-shuffling?

like, if you were trying to crack it, not as the developer, does predicting the generated pass before it was shuffled actually help you at all if it was generated cryptographically secure?

Ah, you misunderstand, the context is different. Just a single password like this won't help afaics now (might need further meditation).
I'm talking about generating a lot of passwords with this thing. And then recovering a lot of those passwords in sequence, to recover the prng state.
That makes the following passwords you're not able to recover weaker because predicting the shuffle means you know where the symbol is, reducing search space for a brute force attack or whatnot.
It's contrived as I said ;P

ahh ok i get it now

thank you!

i got it to just using the secrets.choice() for all randomization. now if only i could speed things up :/ but i'm probably going to submit it like i have it now so it's accurate to my ability

random.choice() would be faster

right but it isn't crypto safe. i'm under the impression it has to be crypto safe, because otherwise the < 5 seconds bonus is trivial (or at least, it was for me?)

I don't believe it has to be crypto safe

• https://github.com/python-discord/code-jam-5-qualifier nope, sure doesn't

Doesn't say anything about cryptographically random, just random

huh

because with crypto I was at 6.5ish seconds, I just switched to random and ran the tests and got "+ When generating a password with 1 million characters, the execution time was 1.18 seconds.
"

i guess I just don't see how the bonus is difficult if you aren't keeping it crypto safe?

¯_(ツ)_/¯

how does salting work with hashes?

i thought that the way hashes worked was the server only stores hashes, and when authenticating a user, the hash of the password the user put in is checked against the hash of the correct password

but if the passwords are salted before they are hashed, then it seems like there is no way to compare the correct hash to the hash of the salted password the user inputed because they will always be different, even if the password is correct, because the salt will be different

You store the salt as well and use it in the hashing process of the inputed password as well.

@craggy nest quickly scribbled it up myself, and i'm at ~ 1.74s using the secrets module

so your inefficiency is elsewhere i think (or the hardware you run it on is horrible)

This relates to cryptography/steganography. So i have a flag and need to get a 12 digit alphanumeric string from within something in here.
I think it relates to this https://gyazo.com/07eb39cd025c719b64082d2d0b570d41

However heres more of the commands/things that can be explored
https://gyazo.com/93321deb9722d40cecb19ab900d84f1b
https://gyazo.com/29e53e472d0b046e647d5dfaf9dbd9ab

Im thinking its somehow within that but ive got no ideas about how to go about getting it

huh @storm trellis can i ask what time you get with random instead of secrets?

cant wait till its closed so i can see where im messing up :D

@craggy nest around 1.73 seconds

on a laptop, pretty cpu buff one though

@civic widget what website is that?

interesting

yeah i dont think hardware is my issue. i dont have anything too amazing, but its not like im trying to run it onna crappy netbook

it matters a bit, but not hugely, i mean i'm playing EU4 at the moment which sucks ~ 200% cpu , so it's down to 2.1 seconds now ;P

just rub it in why dont u :p

@leaden blaze is the salt stored in plaintext?

salt can be a simple string that get appended at the end

it can be anything really

hashed pwd can be lkjahnfjasjsdf and salt can be adding a dot at the beginning and at the end

But they should be different each time

And I thought salting was done before the hash

can be after or before

but preferably before hashing

You use salts before the hashing function, usually by either prepending or appending it to the password.

By creating a unique salt for each credential, you ensure that even when two credentials have the same password, the hashes will be different

but then it seems like it would be hard to determine whether the salted hash is the correct hash for the password

salt is just an additional input to the hash function, can be done separately (descrypt, iirc they permute the sboxes with it) or just inline with the password (concatenation).
the salt is public knowledge, so there's no benefit for cracking individual passwords, but there's benefits against dictionary generation, because for every word in the dictionary you'd need to handle every salt.

because it is public knowledge (typically presented as salt || hash) it's easy to determine whether the hash is correct, suppose there's a concatenation based scheme like H(salt || password) then a user provides the password, and as you know the hash and salt, you can now check H(salt||user_password)==stored_hash or so

It's a waikato one

If anybody has spare time and is bored and wants a fun little project to work on i'm working on a json and python object encryption/decryption library. Link is in #303934982764625920 https://discordapp.com/channels/267624335836053506/303934982764625920/585564025840992256

@chilly elk there's a few issues: you don't handle invalid padding during decryption, pad/unpad seems wrong for length == blocksize inputs, and i don't see any message integrity checks so tampering would lead to random decrypted data. When bitflipping the IV of the first block on purpose without an integrity check you get bit mutations in the plaintext after decryption which is far worse because it's controllable.
Consider:

a = AES.new('A'*16, AES.MODE_CBC, '\0' * 16)
s = a.encrypt('B' * 16)
a = AES.new('A'*16, AES.MODE_CBC, ('\0' * 15) + '\1')
print(a.decrypt(s))

Depending on the use case this property leads padding oracle attacks (your padding scheme won't help, you can differentiate between valid/invalid padding errors) and plaintext recovery.

TL;DR: don't CBC or add a decent integrity check, ideally encrypt-then-mac

@storm trellis Pretty good analysis

👍

Hi

how anti virus softwares check files to know if it is infected !?

Specific known signatures, and also heuristics.

about the signatures

please more explain

Anti-virus: "Does this file have a signature of a well known piece of malware? No? Okay cool, won't quarantine this."

In regards to heuristics: https://en.wikipedia.org/wiki/Heuristic_analysis

https://en.wikipedia.org/wiki/Antivirus_software#2014–present_(rise_of_next-gen)

https://en.wikipedia.org/wiki/Antivirus_software#Identification_methods

It's a pretty in-depth subject

We're mostly just scratching the surface

Does anyone remember U3 drive hacks from 10+ years ago?

Hi everyone

I wrote this simple script to find wordpress sites on a bunch of websites:

import requests

with open("targets.txt", "r") as ins:
    for line in ins:
        try:
            r = requests.get(line)
            print(r.content)
            if "wp-content" in line:
                print(line)

        except:
            pass

I am basically trying to get HTML source code for every website and if the keyword "wp-content" exist inside source code then my script should print that line (which is a website)

Here is grabbing html source code:

            r = requests.get(line)
            print(r.content)

And here is my little setup for getting Wordpress sites:

            if "wp-content" in line:
                print(line)

Am I doing something wrong here?

@earnest ridge You're doing a lot wrong, actually.

1. Not paying attention to robots.txt is a surefire way to get IP banned.
2. Implying that just because something has wp-content == WordPress is lazy at best. If anything, that's a pretty easy way to detect bots.

@thorn obsidian
I have one more way to find if a site is wordpress but that will require some brute-forcing directories like searching for default login path and again it might not be available in my whole list
I thought reading source code and getting specific sites would be better because I have tested on few sites already

@earnest ridge Yeah, brute-forcing would get you IP banned in my fail2ban filters.

So reading source code is harmless and easier, don't you think?
I mean if you have any better way to suggest?
wpscan also has a functionality to check if a site is wordpress or not but that's in ruby, i cant read ruby

I'm curious as to what the endgame is here

the program endgame is finding wordpress sites on a bunch websites, good for bug bounty automation
here is another script to get technologies on a website but I couldn't molest this in a way to identify wordpress sites only and ignore the rest

import builtwith

with open("targets.txt", "r") as ins:
    for line in ins:
        try:
            website = builtwith.parse(line.strip())
            print(website)
        except:
            pass

bug bounty automation?

bug hunting automation*

Why would you need to check multiple systems for this? 🤔

because I just collect sites which is available and offered by few programs in:
https://hackerone.com or https://bugcrowd.com
and then I can easily sort them out

I don't think that's how those sites work. Do you have permissions to check these sites/servers/networks?

Yes, there are some so called "Bug bounty programs" offered by companies and they allow you to test and get paid if you find vulnerabilities in their system

Besides I know my project can be used in many evil ways but it can be used in good ways too, these programs pay good for minor issues

@earnest ridge I know what a bug bounty is, thanks. What it sounds like is that you have a list of sites you got from somewhere else and you're wanting to know if they're WordPress. Which, is incredibly strange and comes off like you're just randomly scanning sites and hoping you find vulnerable sites. Perhaps I'm wrong and you can provide proof to the contrary. But until then, I can't help in this.

That's obvious, no problem

i guess you could scrape bug bounty sites for targets, and then scrape those targets for a set of horrible stuff (wordpress included) :P

I don't think I understand that, I am doing something else

yeah, i got a pretty good picture of what you're doing XD

Well I figured out I could use regex for it, once done i will paste a copy here so others can use for whatever stuff they want lol

try a bayesian wordpress classifier next, you could get rich and^W^Wfamous writing a brower plugin which purges that stuff from the interwebz

again you didn't understand what my script is supposed to do

alternatively i was being facetious

@storm trellis thanks for the info! ill look into a better implementation

@chilly elk gcm mode is pretty popular these days, but it may be overkill depending on design criteria

How do I go around proving that a a python module like PIL is safe for use?

To someone with not much python experience.

"define safe for use"

@orchid notch A multi-million dollar company who are hired to check the code "won't hack them internally"

So I have to prove the source code only has one purpose essentially

well I think you would be the greater risk than the python stdlib at this point lol but anyways

If you are the one who gives them the code there i no point for you to prove that its safe at all is it? If you as an attacker would try to get malicious code into a company you could just modify your reports in a way so it appears like its safe

No like.

pil safe to use? everything underlying it has been written in plain C, and there's a lot of hairy container format parsing going on...

I'm writing a program for them

and their "team" are checking it runs

would not recommend from a safety perspective really

They need to make sure I'm not scamming them.

So I need to prove whatever modules I use, are 100% safe

"ish"- they can do some checking themselves

right so you disregard any use of C code i see

scratch windows
scratch linux
scratch pretty much anything relying on libc (which is a lot)
scratch mac probably
scratch openbsd

------ @storm trellis

To that extent they could spent 30 seconds googling it and see it's very ubiquitous and has a clearly defined purposes

Yes, that's what I was thinking mark

But I live in Scotland....

well i would say that being in the python standard lib is definitely a safety guarantee to a certain degree

These people have no idea what's going on

@orchid notch not my argument, but PIL uncovers a lot of surface code that is reachable in most use contexts

PIL isn't in stdlib Nix

^^^

oh it isnt

Is there any image editors that are?

was it the other one?

pillow? the PIL fork?

yeah

Also not in stdlib

well well

I am linking all my code sources, this is going to be the closest thing to professional I can manage

@orchid notch pretty sure there's libc based remote memory corruption and other issues exposed too, but if you talk about attack surface, asking to prove PIL is safe... nah, not happening

Ok so

I can't use PIL

Well, based off of that, I can't prove python is safe, can I @storm trellis ?

Can I prove that PIL is used extensively in python?

@storm trellis again if you deem libc bad you are deeming lots and lots of user space applications simply insecure

no, but i'm arguing about the surface mostly, if your use case is you're handling arbitrary formats submitted by random users

Is there any python - official sources to back this up?

The more official, the better

@orchid notch did not say that, it just happens, i'm arguing from an attack surface perspective, and processing arbitrary uploaded images or so with PIL exposes a lot

Well I think you could manage prove PIL isn't nefarious but not that it is safe

The latter I suppose isn't necessary

The first, yes

If I can do that, that's fine

How do I go around taking about that?

Find a short quote e.g. from their docs summarising what it does. Talk about how popular it is

List noteworthy projects that use PIL

You could also mention the package is on PyPI and they take down malicious packages there (well, they try their best)

https://github.com/whatupdave/pil surprisingly pil actually only has 9 github stars

That repo is dead as fuck

yeah

Sharp probably is using pillow anyway

that's a lot less native code for the image/container formats than i expected though, so that's good

I'm using pillow, yeah

yeah would not recommend, i quickly glanced over it, and libImaging/FliDecode.c is garbage. Erronic src length checking which afaics quickly leads to memory leak of what is behind data back into the image buffer in the COPY chunk , misunderstanding of C integer promotion rules (not relevant further), and just all round complex horror.

and that's in ogling the code for 1/2 an hour

feel free to PR a fix in or open an issue at least

this is how open source works

and after all, isn't pil(low) (one of) the most common image manipulation libraries for Python anyway?

either that or just leave it and write an exploit dumping out interesting memory parts of the process space in output images and reconstruct session data or rsa p/q values or god knows what else

PILbleed

thinking mostly django or flask deployment there

@earnest ridge Why did you say I helped assist you, and then deleted the message?

Because I specifically said I don't want to help you because it came off as questionable.

@storm trellis this is supposed to be used so that if you have temp storage in a json file or something like I do you can encrypt that easily

would GCM be a good choice for that?

also this only encrypts values of keys so its not super intensive

you can see it iterates over keys and then encrypts/decrypts the value

@storm trellis also do you know if i should use pycryptodome over PyCrypto?

@chilly elk for that use case (assuming no one can tamper with temp storage, if they can write or create those encrypted files it applies) you're not dealing with padding oracle or integrity issues i guess. gcm sounds like overkill in that case, it's more applicable if you're in an adversarial context where things can be ... Mallory-ed. For your case just going with CBC AES is enough to prevent people from reading resting data on disk. I'd make this very clear to others in the module description if you keep things that way though ;P

As for pycryptodome, it's under active development as opposed to pycrypto and mostly api compatible, so probably yeah

@storm trellis Thank you so much for the detailed responses. Really appreciate the insight!

Here is my whole code trying to read targets from a list and perform correct determination of WP installation

import re
import requests
import builtwith

file = open('targets.txt', 'r')
url = file.readlines()
parsed = builtwith.parse(url)
score = 0
max_score = 2
if re.search('WordPress', str(parsed)):
    res = requests.get(url)
    if re.search('wp-content', str(res.content)):
        score += 1

    res = requests.get(url + '/wp-content')
    if res.status_code == 200 or res.status_code == 403:
        score += 1

    perc = ((100 * score) / max_score)
    print(url)
else:
    pass

Forget how many malicious things can be done with it

Question is why the following is not reading from lines:

file = open('targets.txt', 'r')
url = file.readlines()

The following is the correct form to scan a single URL:

import re
import requests
import builtwith

url = 'https://wordpress-site.com'
parsed = builtwith.parse(url)
score = 0
max_score = 2
if re.search('WordPress', str(parsed)):
    res = requests.get(url)
    if re.search('wp-content', str(res.content)):
        score += 1

    res = requests.get(url + '/wp-content')
    if res.status_code == 200 or res.status_code == 403:
        score += 1

    perc = ((100 * score) / max_score)
    print(url)
else:
    pass

if your target is wp it will display the URL so u can simply add it to the list of wp.txt
and if its not wp then it will skip with

else:
    pass

@earnest ridge readlines returns a list

@earnest ridge targets.txt? This looks even more questionable than the last version you posted.

Line.strip with 'with' doesn't work here @native vapor

@thorn obsidian it's just a name
If I added usa-govt.txt it wouldn't make a difference

wdym by that

i thought your problem was with the url

youre doing requests.get(url) but url is a list

@earnest ridge

@native vapor i meant like the following code read from a text file full of URLs:

import builtwith


with open("targets.txt", "r") as ins:
    for line in ins:
        try:
            website = builtwith.parse(line.strip())

            print(website)
        except:
            pass

@native vapor They've got a list of IPs/domains and are trying to check to see if each are running WordPress by checking if /wp-content exists. Which mind you, is a great way to get IP banned and a horrible way of actually checking if they're actually running WordPress.

I think the excuse was they were checking because bug bounties.

Which, isn't how bug bounties work - and you'd only have to check a single install ( hopefully your own ) and not a list of random IPs/domains.

i see

@thorn obsidian people ask these kinda question, I assume you never done these things

❔

@thorn obsidian you collect sites then their subdomains and test them all, and if something is vuln you just google the site to check to which program it belongs and then you report
now I am just telling you my method
if you dont wanna help sit down, no one asked you specifically

i still dont even know what your issue is

That's not how that works. Are you asking for permission before checking? Do you have a contract with the companies/groups/individuals behind these IPs/domains?

@native vapor I couldnt make my code read from lines, i dont know what to use except readlines in my situation

Because I'm leaning towards no

@thorn obsidian you dont know bug bounty programs, please google it

like i said requests does not accept lists

you told me "I know what bug bounty program is" but you actually don't what they are, they allow us to find bugs but they don't allow full compromise of their systems, they allow you to confirm something exist
Talk with HackerOne support team once, you don't need a signature of the company

@native vapor thanks

https://en.wikipedia.org/wiki/Bug_bounty_program - A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. - So again, you wouldn't be using a list of IPs/domains. Also, checking for WordPress of all things? How does that fall into a bug bounty? I doubt every single one of the IPs/domains you're checking have a bug bounty.

You also wouldn't be checking the sites themselves, you'd be checking the source code... Considering WordPress is... you know... open source.

dude! please check at least one program:
https://hackerone.com/newrelic

@thorn obsidian that was the easiest way I found

Then you're doing it wrong.

this way it works for me, I know how to do it, I have done manually multiple times, i know the whole process
i am using builtwith beside checking source code for a correct result

it does say WordPress username enumeration on that site

but its not eligible for a reward so idk what youre doing

Even if it was eligible, that only applies to websites with a bug bounty program.

@native vapor that's the point, I dont do things that others do or have already done

there thousands of vulns in WP, no one pays for user name enumeration

@thorn obsidian my list is taken from HackerOne

Except... Why do it if no one is paying? 🤔

I'd like to see that list.

Because why would you need to scan to ensure it's WordPress?

Because if it's a proper bug bounty, it'll already tell you it's WordPress.

🤔

you just want me to give you the list and tell you here is the list i collected with hands for two days???

@thorn obsidian I am trying another bug, in bug bounties you cant tell your methodology to everyone, you find something and you try to find it in all over the place

if you want a list, go out there, check every program's scope and collect them yourself

@thorn obsidian it wont tell you if its wordpress or not

Surely you jest?

@thorn obsidian I don't know wth you think it is, they tell us "do recon yourself"

https://hackerone.com/wordpress ?

@thorn obsidian the bug I am testing doesn't lead to pwn

@thorn obsidian even PHP has one like that, that's different, there are people out there using that CMS

We generally aren’t interested in the following problems:

Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.

@thorn obsidian 😛 please go and read more about bug bounties and how they work, i cant educate you in one day

@earnest ridge Why do you keep saying to read more about bug bounties? I know plenty about them.

because you don't know about them, you dont know how many websites in https://hackerone.com/newrelic
are using wordpress, php, apache old version... you dont know right?

So you create tools to find that out because you are the guy who go out there to hunt thousands of em

@thorn obsidian everyone has their own methodology, I dont need to tell about my own attack methods do i?

The way you're approaching this, the code you've written, and your general demeanor tells me that what you're doing is questionable and not legitimate. Rather than checking for bugs through proper channels, you'd prefer to go the brute force approach checking specific subdirectories on who knows which domains/IPs to ensure WordPress is on the system. Now mind you, there are MULTIPLE issues with your approach. Okay, WordPress is on the system, great. But which version is it? How would you be able to tell? What exactly do you hope to gain from knowing WordPress is on that specific system?

@thorn obsidian wordpress is on system, I dont need its version, it doesn't matter to me, my attack works on the latest versions and I dont need to expose it here

Second: if I find wordpress which I can find using https://www.wappalyzer.com/ as well, then i will be able to perform a specific test and no brute force to all sites

I hope that's clarified because I am not expecting you to correct my code anymore 😛

my attack works on the latest versions and I dont need to expose it here ? - So, report it to WordPress and get a bug bounty?

Because that just sounds like you're attacking random sites at this point...

I think next time I should drop my hard worked exploit.py in here

so everyone can read it and hunt all sites before i do

@earnest ridge We don't permit helping with projects that may violate site terms of service or laws, in this case vulnerability scanning without permission

!rule 5

This is my own opinion, but I think bulk scanning then looking to see if any of the results have bounties is lazy and irresponsible, not to mention has the potential to get you in trouble (or garner you hate mail).

He is scanning a list of URLs he has collected from Bug Bounties from what I read.

If that's the case he has every permission to do so, so long as the bounty has that URL in scope.

reading the backlog is great material for empirical research into the dunning-kruger effect

also entertaining

hello whitehat

I want to write data to csv file

i want toe encrypt it before writting

any ideas?

vernam cipher, guaranteed to have all the properties you like and has been occam's razored when it comes to complexity

and i will be able to decrypt it of course

it even allows you to distribute fake decryption keys so you get plausible deniability, as well as distribute your porn and family pictures in one feel swoop

you just hand out the different key when it's applicable, don't confuse them though, it leads to embarassement

so any guide to start from?

a nand gate

idk what is nand gate

https://www.nand2tetris.org/

things will make sense afterwards

ok ty 😃

(i'm being a bit of an arse, really, this was discussed in the backlog a few days ago with someone working on something similar, so i'd peruse it)

😃

unrelated, that site is a pretty good start on combinatorial and sequential logic, although it omits some basic EE issues such as propagation latency

mmm

maybe helpful

if you want to go nand -> xor -> vernam, yeah, it'll help

hey

if i encrypt an encrypted vernam

it becomes decrypted??

yes!

that's the beauty of it!

and it can decrypt to anything you want if you choose the key properly

wow

there's this little quirk it has concerning key size, but don't let that distract

i read about this but i don't understand

i won't get problems with unicode chars right?

no it wont, it just operates on a binary level

and I dont really see the purpose of building up the explanation of an XOR form NAND as its just

1 x 1 = 0
0 x 0 = 0
1 x 0 = 1
0x1 = 1

i know logic gates from embeded sys (if this is what u mean)

thats boolean algebra

1+1=1
1+0=1

0+1=1

0+0=0

1 * 1=0
0 * 0=0
1 * 0=1
0 * 1=1

and more stuff

1 + 1 = 1?

basic math

1+1=11

that's '1' + '1', duh

Ooof

I was talking about boolean algebra

Not maths

@autumn holly if you want to encrypt something always use a prebuilt library. making your own encryption is a good way to mess up and just waste a ton of time.
https://cryptography.io/en/latest/ has a lot of premade primatives you can use to easily encrypt something. there are also openssl libraries.
if you are trying to encrypt a file so that only your program can open it AND that program runs on the computer of the person that you DONT want to give access to, you are wasting your time. If its valuable enough you would want to hide it, they can easily bypass anything you do and access the data after its been decrypted on their computer.

@chilly flame He is scanning a list of URLs he has collected from Bug Bounties from what I read. - Except why would you bruteforce scan every domain/IP to ensure it's running WordPress, rather than download and check source code? Feels very questionable.

Well he's got a vuln he knows about and he wants to check for bug bounties that show it.

So he is scanning for it. That's what I read.

Exactly, breaking rule 5.

@gentle heron i want only to make protection so no kid can mess with it or any virus(like trojan)

so how can i store and encrypt data so the file can't be decrypted by its own?

vernam cipher fitted my needs but i had to avoid it according to errors in csv

for encryption you need a secret. be it some kind of binary key data or a password or anything similar

what kind of key you use and where your program shall get it from is the main question

the second question is which algorithm to chose, where the main two categories you can pick from are symmetric or asymmetric encryption

difference plz?

symmetric means same key for de- and encrypting, asymmetric means you have a pair of public and private key and you need one for encrypting and the other one for decrypting

which one suits your needs better again depends on your use case and threat model

so u mean symmetric is lower then asymmetric in security right?

not really, it depends on what you want to achieve

what i am gonna do ,save my day activities in csv file

the main project is calendar and i have the storing/protection task

let's assume i am a famous one ,what if my device got hacked,then i want my activities be save(maybe they snipe me)

seriously

I take it this is some kind of educational project, nothing for serious business?

of course

Okay, good to know.

i mean, if you have the file open and decrypted, then they can see it whenever you can

but of course one day this experience will be used for real things

and a virus can just delete the file

so encryption wont help

Then again the first question, where is the key coming from

@gentle heron if virus just deleted then he helped us

@tight abyss my idea: the key comes from C# software through tcp/ip

sockets

the key is constant in the c# software

why? to make it more diffiuclt for revese engineers ,but it can be hacked(but more difficult)

is that c# program on the same computer?

if so where does it store the key?

yes

if its 'on the computer' then the hacker has access to the key

making this a waste of time

the key is constant

so its just on the computer where the attacker can find it

doesnt really help any

and remember if the file is in use, its decrypted, and thus the attacker can see it anyway

let's assume hacker found it,i don't want him to decrypt it

and if it is in use,how to defend these hacks?

you can't really

yeah if the file is decrypted there is nothing you can do to defend it from someone that has access to the computer already

so @tight abyss u know my case, what is best choice?

look at how popular password managers do it, if you want to see real world applications in this scenario

you have a master password that the user needs to enter manually to decrypt the database

then the interesting part (the one password you need) gets load from the database and decrypted, and hold in memory like that temporarily so that you can access and copy it (or paste it somewhere etc)

after that, or a short amount of time, the tool would ideally wipe the cleartext password from memory again

the key to these though is the the program you use the read the database is also the one that decrypts it, so you couldnt protect say an excel document this way because it has to be visible to the os for excel to read it

and after some more time, it should also lock the database again and forget the keys you unlocked with your password

so how it can know that my password is right?

@tight abyss

@gentle heron so what to do?

The problem you can never really avoid is that whenever the thing that shall use your encrypted secret opens it, it can theoretically be intercepted by something malicious too, no matter how tight you secure it

You know the password is right because only then your secret database decrypts successfully

Some algorithms just produce garbage cleartext otherwise, some have error detection mechanisms like checksums and realize whether the pass was correct or not

so can u summarize me what can hackers do?

like the point:if file in use,then it is decrypted

right

if the file is usable by the user/their software, the attacker can see it
if the key/password to the file is stored on the same computer where it can be used, the attacker can see it
if the user has to type in a secret, the attacker can see it

at least in RAM there will be the clear-text information at some point, otherwise your real application could not use it

if an attacker is on the system where the file is going to be used, you have already lost

encryption of files is only useful if they attack the system when its not in use, eg by walking up to it while its turned off

i am gonna write this down

and of course you also encrypt communications (network) to avoid anyone intercepting the data

but if they ever have had access to the system, and you decrypt the files, they likely can access the data via whatever software they left behind

right

indeed when u talk like this i think that hackers can do anything

its just that you cant hide information from someone that on the system where you can access the information

so even if i encrypted it he will be able to decrypt?

not right away maybe, but if they see that the data is encrypted they can leave behind software to grab it next time you decrypt it

encryption is basically only/mostly really useful for data in transit (network communication, like https) and data at rest (e.g. disk/file encryption). you can not encrypt a running application or data in use. And for encryption, you always need a key, which needs to come from a secure source and over a secure channel.

he will be able to decrypt if it is in use right?(watching how we decrypt and do like us)

yes

or he can just directly access the data while its decrypted, since it has to be decrypted someplace on the computer in order for the computer to use it

i don't understand final part

how directly?

so for your user to use the data on their computer it has to be decrypted.
if the user can see the decrypted data, then so can any attacker with access to their system at that time

when i decrypt,i decrypt a copy in my software memory

oh i understand now

like screen capture?

or intercepting my software?

now you can use some tech to limit say userA from seeing userB's data normally, but an attacker likely has already bypassed that type of security

yeah or just running software that can directly read memory

if they can execute software as the admin or as that user, they can access the memory of that users programs

they can read ram memory ?!!?!

yes, thats how computer programs work

shint

they have to be able to read the memory themselves, and most computers are just set up to isolate programs in order to keep them from crashing each other, not to protect your data

there are new sandbox tech that are coming out that help separate multiple programs running under a single user, but most os's dont really do that

and an attacker can likely bypass those until they become much more mature

what is mean of bypass?

by default, applications can not access others' memory. But if an attacker somehow manages to elevate their privileges (admin/root rights) through some system vulnerability, they can also inspect the memory of other applications of any user. This is difficult and rare though, and not really something you can or have to protect your application against, unless it's a highly critical thing.

on most systems you can just use a debugger or similar apis to access them

most corporate computers would have that disabled i imagine though

@tight abyss so u mean i encrypt normally??

but only if you control the victim process, you can't attach a debugger to a running one

but bypass means to basically hack or exploit something in order to ignore whatever protection it offered

Yeah, you are obviously no secure programming expert, and neither am I. Encrypt your secrets at rest (when saved to files) and in transit (if you need to send them over a network), but don't worry too much about having them in your application's own memory. That is way more advanced that what seems appropriate in your use case

Just make sure you don't store your file encryption key together with the application and encrypted data

yeah honestly just assume that if an attack has access to the computer's files, you already lost

@gentle heron and this is the user problem not mine

use full disk encryption when you install the os and just turn the computer off when you arnt using this data if its that important

i don't understand any word XD

Protect against the scenario someone gets read access to your computer and your application is not running, e.g. after it was stolen while turned off or you were logged out of your application

so what will happen?

You can't do a lot to protect against someone with write access of any kind.

wdym what will happen?

idk !!

can the keys be constant(hardcoded)in my software?

doesnt seem like that really helps. the attacker can access that if they care that much about your data

so if they are in my system,they can ream my memory

just assume that if the attacker has obtained access to the system, that you need to reformat the computer

see what my software do and do like it

one way or another just assume they can

i know,if he got access then he own it(can do what he want)

either by modifying the program on disk or by changing how its run, or by watching the users keystrokes

That is what I meant earlier with protecting at rest and against read access only

you need to just protect the file while its not open with a password the user has to provide

and if you think an attacker has hacked in, delete everything and reinstall the os

i understand now

so let's speak in case of no hacker is in

how to protect the file:encrypt right?

and the key is provided by user

so when my software is off then no key is entered then my file is encrypted

right?

sounds right

you only get the password as input from the user and never write it to any file

yeah i am gonna do it

and when networking what to do?

Just use standard libraries made for that purpose

what to search for?

for web requests, implement https

for sockets/tcp ip

your server needs to have a valid certificate for that though

sockets is my case

tcp

if you have no http but raw tcp sockets, I think you could look into ipsec

ipsec is lib or u mean sec?

but I haven't really touched anything in that area myself so far

https://en.wikipedia.org/wiki/IPsec

so it will handle it for me?

it is a protocol standard first of all

you need to find some (Python) library that communicates using this standard and follow their instructions

can i find it in c# and python?

i mean is it famous?

I would be surprised if not

but idk, your searching is as good as mine

will i have to implement my code?

https://github.com/qwj/python-esp i wish this fit my needs

is ipsec vpn what he is looking for here? thats for tunneling networking as a whole, not a single stream iirc

omg, i am so confused now

seems like https or just a stream cypher is all they need

eg https://docs.python.org/3/library/ssl.html

https for 2 way local communication?

you can with stuff like web sockets/post but its not a normal socket. but the ssl library can do regular sockets

right, ssl/tls is enough, I was a level lower than necessary

so k

final thing

when we say certificates

what do we mean?

a file/some data that has been generated in a way that you can be sure you know who made it and also who says its trustworthy

typically you create a certificate, and it has a public and private part. you keep the private part and give out the public part. people use the public part as the 'key' to talk to you or to verify things you say, and you use the private part to do the opposite

but overall its just something you use to say 'this is me and these are the people that trust me'

mmmmm i didn't get sense but nvm

so what is low level hacks are there?

as things like reading memory:not all people and hackers can do it

Hacks to do what?

Bluray software has a long history of trying to protect itself and special keys but hackers still get to it with enough effort

@autumn holly Can you explain about not being able to read memory?

Reading memory of what? A computer?

Hi, I was planning on using a token based auth system internally for my app, kind of like discord does it.

My plan was to store passwords hashed by werkzeug (pbkdf2 and sha256) with a salt length of 64, but in the actual token HMAC it, where msg is the hashed password, and b64 it.

Is this secure and does it allow for easy validity checking?

Hello guys. Does anyone if there exists any weak python code to read and find vulns in? Not looking for broken black box applications (where they are all built and ready for usage), moreso for code reviewing.

@thorn obsidian reading the memory of my software(it was example as someone up told me it is possible)

@quartz terrace IDK how big companies protect like windows,what i mean as a noob hacker:what can i do to hack software ,and as medium level one and as expert

so i can start my security exp from scratch

@autumn holly get kali Linux follow tutorials for the utilities it has

@quartz terrace can't i from win?

@autumn holly virtualbox

@autumn holly That's not really an appropriate thing to ask in this server

At all

Member "3d" not found

@quiet viper how?

!tempban 351461021254287363 3d This is not the first time we have told you to stop asking about things that violate rule 5 on our server. I aren't going to help you learn hacking, we aren't going to help you void ToS of sites. If you decide to come back, I want you to keep that in mind. There will not be a next time.

:incoming_envelope: :ok_hand: banned @autumn holly until Mon, 10 Jun 2019 14:53:31 GMT (This is not the first time we have told you to stop asking about things that violate rule 5 on our server. I aren't going to help you learn hacking, we aren't going to help you void ToS of sites. If you decide to come back, I want you to keep that in mind. There will not be a next time.).

Theeeere we go

the saddest part is that even if it were an alright thing and people were willing to give detailed responses all the people who ask those questions would probably give up and go away anyway because it's harder than they thought

Hello, I have created an encryption program. Could someone test it and help me improve it? If yes, could you please DM me? Thanks

!no-dm Sorry, but it's generally discouraged here to take help discussions into DMs. Can't you post about your project here?

@thorn heron Can you post it here?

I have a backend endpoint where users are created, normally almost every endpoint needs an Authentication header, but in this case it's not possible, how can I make this endpoint usable only by the frontend? I was thinking of including a fingerprint with the payload but I have no idea how to generate/validate it

asking here because I think this is more security related rather then general #web-development

I was thinking of using PyNaCl for back and a js binding to libsodium for front

but how can I pass all the necessary data to verify

normally almost every endpoint needs an Authentication header, but in this case it's not possible - Why would it not be possible in this case?

Because to have an Authentication you would need to be logged in

which is not possible for new users who need to create one

I'm not sure how you've got it set up, but if a user doesn't send an authentication header it just means they aren't logged in.

Isn't that what I said? 🤔

When a user isn't logged in it won't have an Authentication header.

When creating an account for the first time the user does not have access to one, so I need a way to verify the request w/o the header in such a way that only requests from the frontend will be able to create accounts

Cookies?..

Is it worth the effort to setup a diffie helman key exchange if im going to pass a decryption key over https?

or is https secure enough to send it over as plaintext

https is encrypted, there's no need to layer your own protocol on top of it AFAIK

Then it shall be ignored.

So my plan is to have users provide a password which will be used to decrypt an uuid, and that uuid will be the key they have to provide to decrypt their data on further requests. Does this seem excessive or ok?

In efforts to not store the users password anywhere

A hash of the data itself will be used to determine if the uuid is the correct key, and a hash of the uuid will determine if the password is correct.

Except you're storing a hash of the uuid

So you're just moving what could be compromised from usernames/passwords to the uuid.

Which isn't actually correct, because you're having the uuid unlock the username/passwords

So unless the uuid is hashed+salted with something really good, ( PBKDF2, bcrypt, argon2, etc ), I'd suggest just hashing the contents of your db with the aforementioned algos + salts ^

Why those algos specifically? Because they're designed for password hashing and are purposefully slow, whereas using something like SHA256 or the like is not designed to be slow and can be cracked much, much faster.

The uuid shouldnt unlock the username/password though?

The password unluck the uuid, and the uuid unlock the users data

Perhaps I'm confused on the backend. So my plan is to have users provide a password which will be used to decrypt an uuid, and that uuid will be the key they have to provide to decrypt their data on further requests.

Yeah, which is why whatever you use needs to have a high level of protection around it.

Also not sure what you mean by unlock the users data

Is the data encrypted using this UUID?

But yeh i can salt and hash it with bcrypt

Yes

Ehh...

That was my initial idea at least

Any better suggestions?

Well, by https://en.wikipedia.org/wiki/Universally_unique_identifier - you're looking at a 128-bit number

The data will be finanical, so should be secured afaik

Which if you're securing data, especially financial, you want 256-bit

hm 🤔

just 256 random bits, or some form of structure?

If I was constructing a system for financial data I'd do what most everyone does these days and that's require the username/password, check that against what's securely hashed, and then require a TOTP that would timeout and require username/password again after 5 minutes or so.

PayPal does this, as well as a few banks.

What secures the data itself then?

What do you mean?

Incase the db is leaked for instance

Oh, you mean encrypting other parts of the db outside of username/password?

Yeah

What do you currently have implemented for that?

More or less nothing

Just sketched ideas of the mentioned uuid being used to aes256 a json of the data

If you're using a db, you ( hopefully ) wouldn't have the data in json. Have you worked with any kind of db or column encryption?

Also, what's the db? MySQL? PostgreSQL?

No, and I couldn't think of any better way to store the data as its nested x times.

Mongodb atm, cause it was the easiest to implement to start out

I havent done much architecture around storage yet, mostly the endpoints of the backend

The nested part has me interested. What kind of information are you storing?

You said financial, but I'm curious as to why the nested

income -> split into expensens which can be split infinitely into smaller categories

essentionally just want something i can draw piecharts and graphs like these out of

Alright, that makes sense. For PostgreSQL there's https://www.postgresql.org/docs/current/encryption-options.html - let me find something for mongo

https://docs.mongodb.com/manual/core/security-encryption-at-rest/

``The data encryption process includes:

Generating a master key.
Generating keys for each database.
Encrypting data with the database keys.
Encrypting the database keys with the master key.``

Sound like something that'll work?

Would i create a database for each user then?

No

or well, i guess mongodb calls em documents iirc

mongo would use a separate key to encrypt the db stored outside of it

Ok so the user has nothing to unlock their data with, the logic has to verify them before unlocking the data with its keys?

logic being the server

If I understand it correctly, yes.

That's a fair point, and would simplify the rest endpoints yeah

Should i just stick to password hash then, and just avoid the whole encrypt your own data logic

For financial data I wouldn't. I'd hope the entire db was encrypted

Yeah, thats what i meant. But the user doesnt have their own decrpytion key anymore

they have no control of the db in a sense

Oh, you mean encrypt the db through the natively supported method I linked?

Yes I'd go that rotue route.

I'm just trying to think of a way to not have normal logins where i have to store their password(hash) 🤔

guess I'm just trying to be too special

Outside of something like oAuth, I can't think of anything you could use especially for financial data.

Hm yeah

My idea came from how password managers do it

But implementing 2fa would defeat a lot of the issues with that I think

but there you store your own passwords encrypted (with online backups)

afaik

You're not really going to be able to find a good way of getting around passwords.

Ill take the password approach though

Thanks

unsure what that is, but it has a <3

I mean, there are some great ways of getting around passwords but you'd be hardpressed to get them working on a massive scale.

Keycards are fantastic, but who's system outside of the military allows this?...

If the whole system was enclosed in its own application / process sure i could probably find a way

but since its over rest, its a bit harder

Yeah, I get that.

Kinda sorta on-topic, but any subjective op-onions on the wekzeug.security module in the context of database encryption?

@neon fox It's pretty great. Did you have any specific question(s) about it?

Well, I'm not a security guy, but I'm using it for a cloud based LE app to store the entire certificate chain

( also, it's werkzeug, but I'm just nitpicking 😛 )

😄

LE app?

LetUsEncrypt

Ah, Let's Encrypt?

Nice.

yep yep

I won't go into my sales pitch

but basically, it's pretty good huh?

I'd hope to not dissuade you if there's more to it, but something like that already exists: https://crt.sh/

wait, what does this do?

You can search for certificates based on domain name and the like

What I'm making is kind of a holistic multi-tenant solution for automated certificate renewal/certificate deployment (w/ a proxy agent system for those hard to reach corners of sub-tenant environments)

AppEngine, and AWS have similar schtuff

but

this is a more of a drop into exisiting infrastructure solution

Interesting. Let's hop into one of the OT channels?

@thorn obsidian how do those certificate transparency messages work on that site? For example, the certificate for my site (https://crt.sh/?id=1509198238) says that certificate transparency logs point to Google.com googleapis.com. But when I go to the URL, Google gives me a 404. Or is that a question I should raise elsewhere?

@tough rain Can you explain why you think it points to googleapis.com ?

^ do you see a different log URL than I do?

That's just to do with certificate transparency, looks like the provider that presented the information.

If you scroll down you'll see your site on that page

The URL gives me a 404 though. How is that transparent? Any idea how I'd look into that?

Or maybe some more reading that I should do about certificate transparency?

https://ct.grahamedgecombe.com/

That https://ct.googleapis.com/logs/argon2019 url is just a Certificate Transparency log server

It's not supposed to be publicly inspectable?

https://www.certificate-transparency.org/what-is-ct

Considering that's just a log server, I don't understand why you're interested in it?

Because I'm interested in seeing what logs occur about certificates

Which is what https://crt.sh is for

https://transparencyreport.google.com/https/certificates also exists

Perhaps I am confused. I don't think that's answered my question. On the certificate-transparency.org link, it says:

Certificate logs are simple network services that maintain cryptographically assured, publicly auditable, append-only records of certificates.
Likewise, anyone can query a log for a cryptographic proof, which can be used to verify that the log is behaving properly or verify that a particular certificate has been logged.

It goes on to say:

Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates.

What am I, as a public person with a website presenting a certificate, supposed to be able to audit and verify using certificate transparency? It doesn't seem like I have access to read the "append-only tamper-proof log".

On the Google.com link, I found: https://transparencyreport.google.com/https/certificates/6WMWO3OgkOGa9WLtj8Qwq%2B44EGQ%2FVuIyfSFgoBzYLNA%3D

I see the entry# is mentioned but I don't see the timestamp being correlated anywhere.

I think this is a rabbit hole of learning I don't have time to do though 😦

https://crt.sh/?id=1509198238 should tell you everything you need to know about that certificate.

organizationName being Let's Encrypt, which has a Validity of Not Before: May 20 12:02:26 2019 GMT and Not After : Aug 18 12:02:26 2019 GMT

Includes more certificate information, and at the bottom includes CT Precertificate SCTs, which are the log servers I mentioned before. Which this instance includes Comodo Mammoth and Google Icarus

Oeh transparency

I'm actually hosting a mirror as well @ https://transparency.d3vzer0.com/

Data is ingested via a Faust (https://faust.readthedocs.io/en/latest/) app and forwarded to Elastic

https://www.reddit.com/r/webdev/comments/bz29bp/i_found_a_bug_in_chromeff_on_macos_that_allows/

I found a bug in Chrome/FF on macOS that allows websites to play sounds at dangerously loud volumes, bypassing the OS volume setting. Heed my warnings.

Tempting to try it

This is obviously a software only thing right?

So if I have a hardware volume knob it won't bypass that?

I mean, that'd be great if it did.

is that not rather a bug in the OS then and not the browser?

after all it's the OS' job to handle volume control, the browser should not have a business in that

hello

@tight abyss Yep, its a specific MacOS bug

!ask just ask your actual question instead of waiting for people

There are thousands on the internet

db-ip is one

I repeat, just ask your actual question. It's unlikely someone will step up and commit to helping you while they don't even know the issue.

You don't want to understand it, do you?

Just ask what you want to know. If anybody has advice about that, they'll speak up when they read it.

Be more detailed than "advice about vpn". That can be anything.

(sorry if any of this sounded condescending or rude, that wasn't the intention. I just don't know how to word it more clearly)

it wasn't no were near "advice about vpn"

It was "Does anyone have ANY advice about making a proxy/vpn detection API"

not a vpn at all

And I take it you've had no luck with googling around for it? It does seem like a niche need

I have searched google

@spiral turtle What do you mean by I want experience from people that have made vpn/proxy detection APIs in the past - As in, detecting VPNs/Proxies?

Is there a specific question you had?

Was there a specific question lol

@spiral turtle ^

Just in general?

Do a reverse DNS and see what comes up

Are you writing a service for this?

yes

I'd start with the checks that https://whatismyipaddress.com/proxy-check does

I was planning that

I already looked at DNSBL tests

Have a Github we can look at?

nope

not yet at least

hey

how trivial is it to crack let’s say random alphanumeric characters about 100 characters in length? if generating a password, would random characters of certain length be enough to make brute forcing infeasible?

@latent kelp That would be impossible to brute force

just compute how many possibilities you have and how long it would take with a certain number of attempts per second

alphanumeric would be (26+26+10) at least, so 62 possibilities per char

makes for 62^100 possibilities for a 100 character password

>>> math.log10(62**100)
179.2391689498254

it's yuuuuge

doesn't matter if you crack a million, billion or trillion hashes per second.

brute force is so ugly

a 64 char length upper/lower/numeric/punct password would take like

forever.

@latent kelp Greatly depends on how it's hashed

Argon2? Ha ha ha ha ha ha, you're not ever getting it.

Something like MD5? It's more feasible.

more feasible, but still no chance realisticly

30gh/s for a 1080ti for example

10^197 aint crackin at that speed

even then it's not like he's asking about breaking a hash, just brute forcing right?

@mortal perch You have no idea the amount of money someone would put into cracking your hash

Didn't Moxie Marlinspike run a site that cracked hashes back in the day?

dude

10^197 (i cant read it's 179) is so big

Yeah, I'm aware

Alphanumberic would be UPPER, lower, digits. 26 + 26 + 10. 62. 62**100 would be 173447861573683247714730657655312620453056954417135042074757049646310930624726299506063242973147383207308074513192299800436397892378848380276295319872954494152239940714065219813376

yeah, this was calculated above

Like I said, would take a while but it's certainly not unheard of if you're using a horrible hashing algo.

with 1 billion 1080tis, it would take 6x10^162 seconds

¯_(ツ)_/¯

I don't see it as all that hard if you're an important person or that password is incredibly important to a nation state

if you have other info like spycams watching the user enter their password, sure

but else youre gonna need future tech or many times the age of the universe

1x10^145 ages of the universe in fact

Using a 1080ti - sure. But since we're talking a 100 character hash and the possibility of nation states, I don't think they're throwing just those at cracking it.

For all we know, there's an internal program designed to crack all known MD5/SHA256 hashes

Either way, realistically, yes, you're right. No one would be able to break it within any realistic timeframe.

100 charcter password not hash?

100 characters, hashed.

the hash wouldnt be 100 chars long tho

What?

An MD5 is 32 characters.

Hashing 100 characters, would still give you a 32 character MD5 hash, as that's how the hash works.

yes

the hash would therefore be 32 chars long

Yes.

I'm not sure where the confusion is tbh

i guess 100 character hash is ambiguous

there would be a hash collision long before the intended password in md5 right, so the amount of cracking time would be reduced

idk by what factor though

Yeah, that makes sense.

But see, all of this is implying MD5

indeed

Whereas if you're using something like bcrypt, argon2, pbkdf2, ha ha ha... Yeah, good luck.

LUKS uses PBKDF2 on Linux too.

https://twitter.com/netsecfocus/status/1140327019441528834

whelp, that's uhhh............

potentially a breach of the computer misuse act

a weird way to advertise

many number of things

How would it be a breach?

Say "It takes you to our website" - you're in the clear. It's done in the worst way possible and a child could do better, but, you know.

@thorn obsidian on the pbkdf comment, it highly depends how you use pbkdf, it's a wrapper around a hash function with a few additions to it, just using PBKDF2 with any round number and hash function won't make your system secure and thus PBKDF2 is as easy to get wrong as using a bad hashing algorithm

Well hopefully you're using a program/module that does this for you. Writing your own crypto is a no-no.

@thorn obsidian Could you answer my dm?

If you count using pre written PBKDF2 with self defined parameters (which as explained above can be insecure) as writing your own crypto, picking a pre written hash function from a set of hash functions also counts as that

@spiral turtle DM? I didn't get one

If it's anything important just say it here

!no-dm

@spiral turtle Go ahead and just talk here

oh

https://en.wikipedia.org/wiki/Reverse_DNS_lookup

He just doesn't answer you the second you ask

Be patient

No you're not blocked

Just doing several things at once.

I said

I'd start with the checks that https://whatismyipaddress.com/proxy-check does

@spiral turtle ^

hi guys,

i was wondering if there is a way to bypass buitins : none in python

https://nedbatchelder.com/blog/201302/finding_python_3_builtins.html

@thorn obsidian Can you explain a bit more of what you're trying to do?

i could imagine them being handed out willy nilly at an expo or something though scott.

just seems like a weird thing to do to me

@lusty flare You mean the USB devices?

yeah

Yeah, they're done in a horrible way. But legally speaking, they'd just need to explain "Plug it in and it goes to our site!"

yeah, context of how it's handed over is important

i imagined it as just being one of those arm bands in a massive bowl of arm bands at an expo stand and oh! look! it's also a usb stick!

Yeah, the dispersal of these things probably don't have a note saying "These do x, y, and z"

Does a program become any more secure if you hashed passwords used to encrypt files?

So user inputs password > password hashed > hashed password used to encrypt file

If that more secure than just user inputs password > password used to encrypt file

@gentle light you should use pbkdf2 for stuff like that, it internally works with a hash function

Oh, this looks nice, thanks!

hrm, pycryptodome doesn't have it

nvm, it does!

What's the best way to store a password in a database (specifically SQLite)

https://passlib.readthedocs.io/en/stable/ @cinder badge This is a great library that will handle passwords for you

Ktank

https://werkzeug.palletsprojects.com/en/0.15.x/utils/#module-werkzeug.security generate_password_hash and check_password_hash both work pretty well too

if any1 is looking for a hwid lock here

current_machine_id = subprocess.check_output('wmic csproduct get uuid').decode().split('\n')[1].strip()
with requests.Session() as (r):
    url = 'https://pastebin.com/raw/'
    check = r.get(url)
    check = check.text
if current_machine_id in check:


      
        else:
            main()
    main()

else:
    print('HWID not in database: ' + current_machine_id + Fore.CYAN)
    print(Fore.RED +'Dm me to auth you ')
    input() 

@thorn obsidian Windows only? Also, what is with the broken if?

@thorn obsidian show me

is it green

if current_machine_id in check:
        else:
            main()
    main()
else:

?

wellthats not right

do

That's what you pasted.

ik but u would use that at the end so like

.. What?

    def main():
        print(Fore.CYAN + "Option: " + Fore.WHITE, end='')
        msg = str(input())
        if msg == '1': 
            link = "https://pastebin.com/raw/"
            f = requests.get(link)
            print(Fore.CYAN + f.text)
            input()
                  
             
        else:
            main()
    main()

else:
    print('HWID not in database: ' + current_machine_id + Fore.CYAN)
    print(Fore.RED +'Copy the HWID and dm lonanll  ')
    input()

I don't see how this is security related

well

it protects ur prohect from being shared or if u were selling it

How?

I could trivially just remove that code.

🤔

@thorn obsidian Can you elaborate?

Hardware ID without any server side verification to the client that you're actually talking to the correct server and without a way for the server that you're not faking the hardware ID is a horrible solution for copy checks

just fyi, there's an even going on 1st July on one red team subreddit

it's simulation of attack that you can participate in

https://reddit.com/r/SecurityRedTeam

also, just posting some good resources to not forget myself and maybe do something good for people

https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2

https://www.udemy.com/webhacking/
https://www.udemy.com/learn-python-and-ethical-hacking-from-scratch/

oh, also, this one is actually useful
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson-ebook/dp/B004OEJN3I/ref=sxbs_sxwds-stvp?_encoding=UTF8&pd_rd_i=B004OEJN3I&pd_rd_r=ed6566da-8b64-474a-98a4-99f215317c0f&pd_rd_w=TKySK&pd_rd_wg=h0gzb&pf_rd_p=a6d018ad-f20b-46c9-8920-433972c7d9b7&pf_rd_r=JVEQHHAMTB3D9Q4TWF7J&qid=1560806420&refinements=p_73%3AThe+Hacker+Playbook&s=digital-text
since it touches more low level which never can be outdated

https://www.amazon.co.uk/Advanced-Penetration-Testing-Hacking-Networks/dp/1119367689/ref=pd_sbs_14_24?_encoding=UTF8&pd_rd_i=1119367689&pd_rd_r=d41fde4e-9145-11e9-9cdf-8fcb8b5a9bc7&pd_rd_w=3gL0G&pd_rd_wg=PZbzv&pf_rd_p=18edf98b-139a-41ee-bb40-d725dd59d1d3&pf_rd_r=WP8MYX9YSYBZ93V1NAKQ&psc=1&refRID=WP8MYX9YSYBZ93V1NAKQ
this one seem to be nice also

https://www.amazon.co.uk/Open-Source-Intelligence-Techniques-Information/dp/1984201573/ref=pd_sbs_14_8?_encoding=UTF8&pd_rd_i=1984201573&pd_rd_r=f7756ecf-9145-11e9-8b3b-2b91f1f69411&pd_rd_w=sSyGl&pd_rd_wg=2gOsE&pf_rd_p=18edf98b-139a-41ee-bb40-d725dd59d1d3&pf_rd_r=E24AM0ZXXJ5FEZ5PTQNM&psc=1&refRID=E24AM0ZXXJ5FEZ5PTQNM
osint is amazing, too
xen0remind

Amazon linkspam eh

😄

Those last three links could be cut down significantly.

Did everyone patch their Kernels for SACK yet? :P

Did earlier

your code is wrong

you can't use if foo == "bar" or "baz", it has to be if foo == "bar" or foo == "baz", but I'd just split the string and just compare the last digit as an integer

np

https://twitter.com/SecurityGuyPhil/status/1141466335592869888

Firefox 0-day used to target Coinbase

@thorn obsidian @spiral turtle Well, actually, a better way of writing that would be if foo in ["bar", "baz"]:

sure

I was just explaining how the or works

Oh, yeah, for sure.

I wasn't being rude though.

Fairly hard to convey tone over text, but I didn't mean to come off rude.

i didn't think you were being rude, if that counts 👍

😄

google ctf quali registration opening soon 👀
https://g.co/ctf

anyone here participating in the beginners quest?

Yup.

@upbeat palm Don't see you too much these days

@thorn obsidian Since I bought a laptop, I got myself involved in CTFs, Vulnhubs and other websites. BTW, congrats for helper role.

Ah, gotcha. Thanks! 😄

Have you gotten a good rank on anything since joining?

Well, Vulnhub is not much of ranking website. But I joined Tryhackme which hosts some of the machines and their own challenges, rank 9 on it.

@thorn obsidian

Not bad, out of how many?

~4K

It's fairly new

That's... really good.

Thanks, started reverse engineering but either it's hard or I am dumb.

It's pretty hard tbh

Highest reverse engineers get paid upwards of $400,000 a year, so.. there's that.

That explains it's difficulty.

You're participating in GoogleCTF?

That's like the highest 0.01% type though.

I don't do CTF, lol

Then? Bug Bounty?

I'm more security and application thereof.

Helping set things up, securing others, etc

More like Security consultant?

Kinda. For example:
You could setup a 200 character SSH password or you could just do ssh keys. If 2fa is a requirement/want, throw in the open source Google Authenticator PAM ( https://github.com/google/google-authenticator-libpam ) 😄

Oh

That's actually cool.

Naturally setting up fail2ban and enabling the SSH jails. 1 or 2 failures should ban for a minimum of 2 weeks.

If minimum is 2 weeks what could be the maximum?

fail2ban doesn't really work on maximums

It's more just "Start here, and go however high up you want"

Oh, that's a good thing.

If you truly want to make breaking in impossible outside of 0-days, ssh keys + google authenticator + fail2ban with 1 failure banning for several years, lol.

Several years, lol.

Could implement port knocking, and a firewall only for your IP too.

Woah, that way I'm almost inevitable

or just move ssh off port 22

used to get hundreds of attempts daily to ssh in, until I moved my SSH server to a non-standard port

0 attempts since

Random numbers like 6952?

yep

though it is security through obscurity and anyone specifically targeting you wil still find the server via nmap or otherwise

but it helps to keep the chinese bruteforcers away

Port Knocking will result in port discovery but still it's a good idea and combining it with Scott's method will be great.

and for fucks sake guys, have a passphrase on your ssh keys

++

@thorn obsidian Moving ports doesn't matter

Also, moving your ports to anything above 1024 means that non-root has access to that port, so no don't do that.

@cinder badge ^

which matters because..?

if your server is already compromised, it doesn't matter that it's not running on 22

Why would your server be compromised.... ?

that's just for binding @thorn obsidian

why else would it matter

only root can bind to 22

you can connect to any port ¯_(ツ)_/¯

so, yes, you can create a malicious ssh server, capture credentials etc and pose as the real ssh server

but if you can already do that, you're already compromised

https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only#16568

Hopefully you're not doing anything higher than port 1024.

That's a pretty good indicator if you've been compromised.

your link doesn't answer my question

Sure it does

ssh doesn't auth based on the port number... that's just silly

... What?

The link explains the history behind why it's not recommended, and that non-root has access to above 1024

https://i.imgur.com/FOm3DWd.png

this is entirely irrelevant

we're not talking about 2004 rsh

Again, history

you haven't given me a reason why running an ssh server on 2222 is any less safe than 22

Yes, I have. Non-root users have access to ports above 1024.

you keep saying that

that's not a reason

it doesn't matter

Not sure how to explain it to you then. ¯_(ツ)_/¯

yes, non-root users can bind to ports above 1024

and?

the security implications of this are..?

I gotta agree with xx I really dont see your point there Scott

the only scenario i can see this mattering in is:
non-root user somehow downs ssh server running on 2222
sets up own, fake ssh server to capture credentials on port 2222

even with step 1 being hard (but not implausible, this can happen) this is entirely mitigated with the use of ssh keys

as you can't capture private keys like that

@thorn obsidian please i'm curious what i'm missing here

If you can get an account, any account, on a server ( Which, with a few exploits floating around these days, one recently fixing an exploit on the kernel... ), then you'll be able to bind to ports 1025 and up. Whereas, ports 1-1024 are only available for root. So, if you see an HTTP server running on 4444 - it's less likely to be legitimate.

To me what you're saying is "don't bind above 1024 cause clients will think your server is illegitimate"

But I still don't see an inherent risk

The risk is gaining access to your server/system/etc, crashing sshd, and booting a sniffer that acts like an sshd and throwing that on port whatever I want above 1024

remember there are also host keys

With recommendations from others ( like above ) saying "Oh just put your sshd on any port, it doesn't matter!".. that just furthers the problem. Oh neat, you're running sshd on port 48313? Well, crash it and then start a sniffer on the same port as a different user. How would you know the sshd was illegitimate? Do you check that every single time you login to the system?

That's my argument.

Also, if you're worried about ssh port scans - why not switch the port to 23 rather than 22?

How many scans are there for telnet rather than ssh 😄 ?

sniffer

I already refuted that point, see https://discordapp.com/channels/267624335836053506/366674035876167691/591684045629292575

How many scans are there for telnet rather than ssh :smile: ?

what? about as many, maybe even more because it's such a simple protocol

also you're saying it like crashing openssh is a trivial task

when the last public cve for a denial of service was at the beginning of 2018 @thorn obsidian

if someone's on your machine and can bind to any ports, regardless if they're in root-range or not, you have bigger fish to fry and other privesc attack vectors to look out for than someone "spoofing" an ssh server

Seems to me that it’s a trade off. The client is not guaranteed that the service running on the designated port is legitimate, but on the other hand, the server is less likely to get pinged by bots scanning for ssh servers to exploit.

@thorn obsidian What? CVE-2019-11478 is a DoS

🤔

that's.. a kernel vulnerability... nothing to do with openssh...

You brought up denial of service.

in the context of ssh servers

you said you'd crash sshd

I think you're missing the point

i would like to see you crash sshd with 2019-11478

Either way, my argument's been put forth - I've got to be AFK for a bit.

the real solution to this is to just not expose ssh to wan at all and use hopper servers or a vpn

What point are we missing?

I don’t know what he’s trying to argue

i don't know

Oh, he’s arguing that the end user cannot tell whether the service was started by root. Well, yeah, it ultimately comes down to trust

and you can never be sure whether root has been compromised or not

i don't get the argument

Exactly

Neat. Code?

Hi ther

There*

This ia definitely the wrong channel to talk about this

To talk in general

This isnt a general chat

Brb 1 sec

Tag me if ya need a thing

@spiral turtle I didn't see the code

@spiral turtle Preferably don't DM, just post here.

That way everyone gets the code

import socket
import ipaddress
import time
import os

proxyip = input("IP: ")

start = time.time()

try:
    ipaddress.ip_address(proxyip)

    def reverse(ip):
        if len(ip) <= 1:
            return ip
        l = ip.split('.')
        return '.'.join(l[::-1])    
except ValueError as e:
    print(e)


def DNSBL_1():
    DNSBL = 'zen.spamhaus.org'
    DNSBLQuery = reverse(proxyip)+"."+DNSBL
    RES = socket.gethostbyname(DNSBLQuery)
    response_code = RES.split('.')[3]

    if str(response_code) in ["4", "5", "6", "7"]:
        print("[✔] IP is listed in the XBL [Exploits Block List] [Spamhaus] ("+str(round(total_time, 3))+" seconds)")

    elif str(response_code) in ["2", "3", "9"]:
        print("[✔] IP is listed in the SBL [Spamhaus Block List] [Spamhaus] ("+str(round(total_time, 3))+" seconds)")

    elif str(response_code) in ["10", "11"]:
        print("[✔] IP is listed in the PBL [Policy Block List] [Spamhaus] ("+str(round(total_time, 3))+" seconds)")

    elif str(response_code) == "16":
        print("[❌] IP is NOT listed in the ZEN [Spamhaus] ("+str(round(total_time,  3))+" seconds)")

    end = time.time()
    total_time = end-start

def PROXY_ALIVE(proxyip, proxyport, timeout):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((proxyip, proxyport))
        return True
    except socket.error as err:
        #print(err)
        if str(err) is "timed out":
            return False
        return False
    except OverflowError:
        return "Invalid port range"
        #raise InvalidPortRangeError("The port number for the proxy is invalid! (Range: 0-65535)")

was the code

that's a lot less lines than i expected

which is a good thing of course

I cleaned up DNSBL_1

https://capturetheflag.withgoogle.com/#beginners for anyone interested

ty

password = "basicpassword"
username = input("Enter your username: ")
password = input("Enter your password: "
if username == 'root' and password == 'basicpassword':
    print("Welcome, root")
    print("You have full access to the server")
if username != 'root' or password != 'basicpassword':
    print("Incorrect username or password. Please check your input.") ```
How do I replace the password input with asterisks?

@obtuse siren normally you would use the getpass module, which does not use asterisks but simply doesn't print anything at all.

note that this does not work inside the IDLE console or other similar environments.

Does it work in Pycharm or would that be a similar environment

not sure

i'd say just try it and don't be surprised if it doesn't work - it's meant for running python in a real console window

@obtuse siren here's a word of advice, hash the password and only check against the hash, never store actual passwords in plaintext

but you probably already know that

Right. This was really more of a, how to get input from user and create input checking. Not necessarily anything going into production.

@thorn obsidian

good :p

did you solve the input issue

Actually I was using repl.it which is a online IDE so it wouldn't do what Random said, I still need to confirm if PyCharm allows the getpass module

Don't just hash, use PBKDF2, bcrypt or scrypt or something similar

that's still hashing..

Not "just" hashing

Well first bcrypt and scrypr are both hashing algorithms and pbkdf2 is hashing with a few bitwise ops to chain hashes in between

So

It's "just" hashing