#cybersecurity

i think it needs a private key system but not too sure

Alice uses her private key to generate a signature for a message. Bob receives the message and the signature, and uses Alice's public key to verify that the signature does indeed match the message - proving that it was signed with Alice's private key.

https://signal.org/blog/signal-pins/ Nice.

Also neat that they're doing:

As we move to support additional features the Signal community has asked for – like addressing that isn’t based on phone numbers and chatting with contacts that aren’t saved in an address book

wait... you weren't able to do that before? that's... an odd design choice for an IM app tailored towards the privacy-conscious

Hey I know this would be a wrong topic and there is gamedev topic, but I'm looking for someone who is good with python servers, so I think in that channel should be only specialists 😉 What is it about? I'm making fully powered by python mmorpg, using socket thread and pickle I make a simple server, but I'm struggling in working with that, so if there will be someone interested in it you can contact me, and get look at github:https://github.com/SylwesterEjkszto/Affiliation-First-Python-MMORPG

@thorn obsidian Yeah, this isn't the right channel for that. Did you mean #game-development instead?

Yeah, you're right, this isn't the right place for this.
You say you're "struggling" - if you have any specific issues you can detail, you'll be able to get help from one of the help channels: #❓｜how-to-get-help.
As a sidenote: this is a pretty ambitious project, even for a small team. Maybe you should take a step back first and figure out the puzzle pieces first, it'll be much harder to rewrite a completed project rather than getting it right on the first try.

@thorn obsidian hmm probably you're right, but this isn't commercial project and every little improvment in that code make me happier so I'll probably stick with it for a while 🙂

Im aware this could quite possibly belong in #databases but i think its security given it is sql injection. I am currently in a ctf (Nz csc) and one of the challenges is sql injection of which I am not very familiar with syntax etc. More of a no-sql type of guy, however in saying that I have gotten 1 statement to work but I need to modify it to see other tables and thats where I am tripping up? Any help is much appreciated:
Current working query: ' OR 1 = 1 -- ' ]
Link for proofs and help: https://nzcsc.org.nz/challenge7/

Here is the page: https://gyazo.com/b16b3a263b484fa0287fe0b2ecea26ed

The flag in question we are looking for is in the following format
flag:(12 character alpha numeric string)

isn't that just the Phone?

However, their main goal is to find the flag which will be a vital clue for them to identify the suspect.
seems to match that

I mean ill go test them all but that seems way to easy given how every other 'simplier (worth less) question has been

Besides, it should be in the format flag:((12 character alpha numeric string)

as in it actually has the prefix flag:?

yes

ah, ok then

heres two other flags
flag:a37666fc86de
flag:ee1e88cc549f

yeah, it's probably not phone then

yea nah

question if someone connects to your mobile hotspot and they go on reddit or something, would you be able to see an encrypted packet of that if u had an http sniffer on your phone

yep

dunno what you'd run on your phone, but on a regular computer "wireshark" will show you

if u somehow got a cert of that http sniffer installed on their phone

could u decrypt it

you wouldn't want the cert, you'd want the site's private key.

if the site is at all competent, they won't let you have it 🙂

all you can do with a cert is see if a request came from where it says it came from

wait im confused, I know charles and fiddler only decrypt the packets if you install a charles root certificate and put it into your trusted cert store

where does the private key come in

when I use those apps

I'm not sure this is the kind of conversation we want to be having here. This is a security channel but we are more trying to protect security here, we're not trying to talk about exploitation or interception.

?

@mossy junco That's how security works. You talk about how to break it in order to protect against attack.

Talking about putting interception certificates on client devices and decrypting their data does not sound okay

how do you protect security if u dont understand the vulnerabilities

@wind crescent I appreciate that, but we have harsh rules against this kind of discussion, not because we assume people talking about it are malicious but others can use it for malice

@mossy junco Then your rules are dumb

I think there's a difference between talking about ensuring client security and "decrypting" packets from "someone" connected to a "mobile hotspot".

No, not really

@wind crescent If you have any feedback I'd like to hear it in #community-meta, please revise the rules document at https://pythondiscord.com/pages/rules

MITM attacks are not typically things we facilitate.

this is a thing that happens tho? like I know sketchy VPNs will install their certs onto ppl's machines without consent, and http sniffers are essentially man in the middle attacks but u agree to it

Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in plain text the communication between web browser and SSL web server.

https://www.charlesproxy.com/documentation/proxying/ssl-proxying/

for sure, I get that, the wording you used in the question just put me on edge because it appeared like it was being used maliciously

my bad

I'm okay with talking about MITM

I'll draft up a quick flowchart on how those proxies work if that is what you are asking @thorn obsidian?

that would be awesome

there's a project called mitmproxy which seems quite legit and non-evil

yeah, mitmproxy is fantastic stuff

oh I trust charles

@mossy junco Walking someone through how to do a real-world attack is very different than what was being asked. I'm not interested in rules lawyering.

fun fact, the guy who made it cofounded letterboxd

aldo cortesi iirc

mhm

letterboxd has v good security

better than like

most websites

@wind crescent as I've just stated, discussion on MITM, how to fix and so on is okay. what we try prevent is where questions are posed which provide specifics on how to exploit things. MITM is fine and I have shifted this to a focus which is more appropriate for this community

@thorn obsidian

as the name suggests, when you make a request to a site through a tool like MITM proxy, you just make a request to the proxy

@mossy junco Sounds like security through ignorance. Not knowing how things are exploited is exactly how things get exploited.

once the proxy receives a response it decrypts it and then re-signs it with the certificate that you have installed on your device

a self-signed certificate

This gives applications the feeling they are still talking to a real HTTPS connection and that it was the same request and all those things

and then the MITM proxy in the middle presents that data

so we could add that step in like so

@wind crescent I don't think it is security through ignorance, it's just the difference of asking "how do I do this malicious thing?" to "how do I protect my users from having this done to them?"

we're still getting the correct answer across

@thorn obsidian that flow chart should help show how a MITM proxy works

and the same technology applies in like MITM firewalls and stuff where content of the HTTPs request is inspected so that offending websites can be blocked (and that's the reason you sometimes have to install a certificate while using an enterprise network)

@mossy junco Except those are distinct. You often need to know how a malicious thing is done, and even want to try it yourself, in order to protect against it. This is common at every level of computer security education. If you take a security class and don't exploit anything, it's not a good class.

the "How mitmproxy works?" document is pretty sweet at explaining all https://docs.mitmproxy.org/stable/concepts-howmitmproxyworks/

@wind crescent I'm afraid that isn't one of the tasks we facilitate for (and I do agree with you that exploitation is a great learning technique, I've done a GIAC GPEN where we did all sorts of exploitation). We adopt these policies because it prevents us from accidentally informing malicious actors on how to perform a certain illegal task (which is also mentioned in the Discord Guidelines, and so therefore we adhere to closely https://discord.com/guidelines). There are many great communities which will teach you the specifics of hacking, techniques, exploits, etc. but we take things carefully here to prevent malice, something which other communities may not.

Again, should you want to bring it up further we are always open to criticism of our policies either through the #community-meta channel or through an issue on our meta repository at https://github.com/python-discord/meta/issues

thank you

@mossy junco The question was entirely hypothetical and it's extremely easy to see how it might be asked to protect yourself while using mobile hotspots, even if phrased from the perspective of an attacker. No actual exploitation tools were requested nor provided. Security is a positive-sum game. The more people who understand it and practice it, the better for everyone, and thus should be encouraged. I don't mean to be a pain in your butt about complying with guidelines, but that can be done with, "Hey, remember, we have to comply with guideline X, so please Y."

That's exactly what I did, I shifted the focus from exploiting a mobile hotspot with a MITM proxy to the workings of a MITM proxy, which answered the question posed.

At the end of the discussion we still had a discussion about the workings of MITM proxies, which I think answered the question

I'm not sure this is the kind of conversation we want to be having here. This is a security channel but we are more trying to protect security here, we're not trying to talk about exploitation or interception.
@mossy junco It is the kind of conversation you'd want to be having here. You do want to talk about exploitation and interception. If there is some specific guideline that would become a concern for the channel, my suggestion would be to cite it so we can understand what the concern is.

As I said, the guideline is section 14 of the Discord Community Guidelines: https://discord.com/guidelines

In general, you should not promote, encourage or engage in any illegal behavior. This is very likely to get you kicked off Discord, and may get you reported to law enforcement.

Maybe my wording was off in that initial response

We are definitely okay talking theoretical, we are okay talking technical, it's just a preemptive response from the moderation staff here to try shift questions which pose even a hypothetical to a more theoretical (because hypothetical can apply to real life, and malicious actors have demonstrated this prior).

Of course our top priority is ensuring security when users are building applications and we do try do everything we can to ensure that we can assist with that, though on occasion we have to moderate questions to ensure we fall in the right side ethically. Our demographic is primarily teenagers with time on their hands and we have seen in prior instances people using content from this channel for malicious purposes.

We'd rather not cite anything because we also don't want to preemptively scare people from posting, we'd rather have people post and then let the moderation staff tame the question to something which is appropriate for Python Discord. because we'd much rather try answer a question to the best of our ability than have it not be asked at all.

That was actually my underlying concern... scaring people off from asking exactly the sorts of questions they ought to ask in a security channel. In any case, all section 14 seems to care about is the legality so all you'd have to do is ensure the discussion isn't about committing a crime. Security research itself isn't a crime.

Agreed, that's why we don't cite things in the topic. If a staff member sees things and becomes alert to something that is borderline they can call in mods where we try to shift the discussion, we never try to end it unless it is blatant. In this case our legality alarm bells started ringing because the original question was about a mobile hotspot, reddit (a website the user likely does not control) and packet sniffing. These 3 things were all we had to go off so we came here to just nudge the discussion into a more theoretical territory. I'm aware security research is not a crime, but if not moderated security research can be used for a crime.

My wording in the original redirect probably triggered this discussion, and I'll admit I wasn't the clearest (it is early morning here and I'm rather tired). My intention was not to close down the discussion, just to try make it more educational, less hypothetical and more theoretical.

does anyone have any good encryption software name which will be very difficult to crack?

as i want to increase the security on my device

AES is the one to go for

PyCryptodome is the library for you if you are looking to do it in Python as well

https://pycryptodome.readthedocs.io/en/latest/src/cipher/aes.html

https://www.amazon.co.uk/s?k=Apricorn+Aegis+Secure+Key+FIPS+Validated+16+GB+USB+2.0+256-bit+AES-CBC+Encrypted+Flash+Drive+ASK-256-16GB+(Black)&i=computers&creativeASIN=B006DUKVSC&imprToken=U7n72--ns7fJXg-7cQrZHg&linkCode=g13&linkId=35810b066ea4aa2a7895523775b5316f&tag=fabathome-21&ref=as_li_ss_tl

what do you think of this @mossy junco

that looks good to me, AES 256 is pretty secure.

@mossy junco Not trying to be a pain in your butt, but to my eyes it was a very benign discussion even compared to information disseminated in plain view in many public security channels, including on reddit.

Don't worry about it, I'd rather speak about these things. Policies differ platform to platform, community to community, and that is just the policy we've adopted here. We are first and foremost a community dedicated to beginners learning Python, intense discussion on security exploitation is not a critical feature of the community. It's a mix of our policy and Discord policy and we've settled on the current bar for what we deem unacceptable. It's less about how benign the discussion was, we're not trying to end it there, it was just ensuring that further discussion didn't reach into territories which were risky to indulge. As the user clarified at a later point what they were seeking was less of a guide to exploitation and more just an explanation of MITM proxies, which is the kind of thing we can and will help with. Overall the policies differ case to case, no one is ever infracted for starting discussions unless they have very very visible bad intent (which obviously was not the case here, hence I just left a brief message), I've already explained how we don't aim to seize discussion, it is purely an action to try shift focus to a topic where we can provide more help, at the end of the day it's not just a policy to protect us, it's a policy we've adopted so we can be the best resource that we can be with the rule set enforced on us to the users asking questions.

We don't just do this to cover our butts, we redirect conversations to new topics to ensure that we can give higher quality, vaster help.

I think I'm going to have to call time on this discussion now, not sure I can continue at this hour of the day. I do appreciate hearing your concerns and I'll for sure bring things up with the staff team. If you have anything else do feel free to contact me in DMs at any point and I'd be happy to talk about things, but for now I think we should relinquish this channel to other people seeking answers.

I was just deciding how to say... Given the concern for resource optimization, I think we've already spent too many words on it.

Hah yep, good chatting though, always willing to take feedback on our policies

guys, is this correct for an User class on web application?

    def __init__(self, email, password):
        self.email = email
        self.password = self.set_pw(password)

    def set_pw(self, pw):
        hashed = bcrypt.hashpw(bytes(pw), bcrypt.gensalt())
        return hashed

to store hashed password?

seems correct, yes

oh, thanks, first time using hash

you may need to check types and ensure your hashing function returns the correct type (bytes vs. string) but that looks right

a

test = b'string' 

is bytes, right?

i'm thinking in something like this :

@site.route('/login', methods=['GET', 'POST'])
def login():
    if current_user.is_authenticated and current_user.is_admin():
        return redirect(url_for('index'))
    form = LoginForm()
    if form.validate_on_submit():
        user = User.query.filter_by(username=form.username.data).first()
        if user is None or not bcrypt.checkpw(bytes(form.password.data), user.password):
            flash('Invalid username or password')
            return redirect(url_for('login'))
        login_user(user, remember=form.remember_me.data)

yeah, b'abcdef' is bytes

and that looks good to me

i had an error on encoding

i changed some on the User class,

    def __init__(self, email, password):
        self.email = email
        self.password = self.set_pw(password)

    def set_pw(self, pw):
        hashed = bcrypt.hashpw(bytes(pw, "utf-8"), bcrypt.gensalt())
        return hashed

added utf-8 encoding

and at this point:

if user is None or not bcrypt.checkpw(bytes(form.password.data), user.password):
            flash('Invalid username or password')
            return redirect(url_for('login'))
        login_user(user, remember=form.remember_me.data)

had to add ", 'utf-8'" at the first line, after the form.password.data

does it affect security in any manner?

@slate osprey I would use Argon2, personally

Then you don't need to worry about generation of salts and the like yourself

https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html

oh, sure, i'll change to argon 2

i was able to log in before

idk what happened, now i'm stuck in the login screen

can you help me finding the problem?

in my User model i created boolean fields

https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-v-user-logins might be able to assist here

yes, i got part of my code in this tuto

but the problem is : it was working, suddenly is not working anymore hahah

 form = DEBUG_LoginForm()

    if form.validate_on_submit():
        user = User.query.filter_by(email=form.username.data).first()
        if user is None or not bcrypt.checkpw(bytes(form.password.data, 'utf-8'), user.password):
            return redirect('/login')
        login_user(user, remember=form.remember_me.data)

        if current_user.is_authenticated and current_user.admin:
            return redirect('/Olympo/interface')
        elif current_user.is_authenticated and current_user.customer:
            return redirect('/Athens/interface')
        elif current_user.is_authenticated and current_user.salesman:
            return redirect('/Olympo/crm')
        elif current_user.is_authenticated and current_user.operations:
            return redirect('/Olympo/operations')

    return render_template('login.html', form=form)

if user is None or not bcrypt.checkpw(bytes(form.password.data, 'utf-8'), user.password):
``` looks wrong to me

How are you doing the roles currently?

yeah

right in the middle

if user is None or not bcrypt.checkpw(bytes(form.password.data, 'utf-8'), user.password):
``` looks wrong to me

@thorn obsidian i erased that "bytes" part

and it worked

Yep, sounds right 👍

Curious how you're doing roles though

about the roles

its really bad

hhahahahahaha

# the USER class
class User(db.Model):
    """
    An admin user capable of viewing reports.

    :param str email: email address of user
    :param str password: encrypted password for the user

    """
    email = db.Column(db.String, primary_key=True)
    name = db.Column(db.String(30), nullable=False)
    password = db.Column(db.String, nullable=False)
    customer = db.Column(db.Boolean, default=True)
    salesman = db.Column(db.Boolean, default=False)
    admin = db.Column(db.Boolean, default=False)
    operations = db.Column(db.Boolean, default=False)
    active = db.Column(db.Boolean, default=True)
    authenticated = db.Column(db.Boolean, default=False)

    def __init__(self, email, password, name):
        self.email = email
        self.name = name
        self.password = self.set_pw(password)

    def set_pw(self, pw):
        hashed = bcrypt.hashpw(bytes(pw, "utf-8"), bcrypt.gensalt())
        return hashed

    def is_active(self):
        return self.active

    def get_id(self):
        return self.email

    def is_authenticated(self):
        return self.authenticated

    def is_anonymous(self):
        return False

check this out

the columns

customer = db.Column(db.Boolean, default=True)
salesman = db.Column(db.Boolean, default=False)
admin = db.Column(db.Boolean, default=False)
operations = db.Column(db.Boolean, default=False)

i think it's better one column like db.Column(db.Integer, default=1)

and use that "system" of
1 - user
2 - account manager
4 - operations
8 - admin

Have you seen https://github.com/lingthio/Flask-User ?

jesus

spent my day trying to create this login

hahaha

and it stopped working again

i don't understand

Have you seen https://github.com/lingthio/Flask-User ?
@thorn obsidian i guess i'll stick to flask-login for a while

at least for trying to make this work

i'll change bcrypt for argon2

this one?

solved

Can I write prepared statements without choosing a database?

"without choosing a database"?

oh, like, prepared before a database connection?

um.. I'm using sqlite atm. Should i just prepare statements for sqlite?

prepared statements are an SQL standard thing, and (generally) don't change much between engines

the statement is prepared "inside" the engine itself

Thanks for info xx.

Hi

What emails services do you use guys?

Is there anyway to protect mongodb database? Like in the script you can see the url with password and login

Already obfuscated the file^

But i want to know if it possible to secure the database url and password better

@woven copper Mailgun does fine for me on some projects.

But i want to know if it possible to secure the database url and password better
@crisp belfry

Never put the user and pass in the file. And obfuscating doesn’t count.

You want to use a key vault of some sort and of course load them via environmental variables on the target environment if possible. The closer you get to following the 12 factor app pattern the happier you’ll be.

Hi

Hi

This is Roblox

Roblox uses Python

please try to keep the discussion on topic @signal kayak

\

@vivid fog Did you need help?

https://www.theregister.co.uk/2020/05/27/livejournal_26m_breach_rumour/

yay for troy hunt

I am thinking of developing a very basic ERP system for my company (50 employees and just a handful in the office working with the system) because their current sucks. Now.. security is of course something very important, but I have the feeling that their not-up-to-date SAP software is a greater risk than a web application?

@thorn obsidian I'm not sure what the question was in that

Sorry... haha Is a software such as SAP (which is connected to the Internet) on a laptop inherently more secure than a web application?

SAP's got a lot of built in security protections already

while SAP is quite a beast it's sort of widely used for a reason

No doubt! I think there is definitely . a reason for SAP to be where it is, nonetheless, its more of a "beast" for bigger corp. as the price is very hefty. Thats why I thought a Django Web App. with some good security practices in place might be a viable alternative

Oh, so the question is more "Can a web application be as secure as x?"

i see no reason why you couldn't home roll something as an alternative

@thorn obsidian exactly.

There's a decent amount you'd have to work with security-wise, but I imagine you've thought of that already?

A small list of things from the top of my head would be:

• Security headers: https://securityheaders.io
• Server hardening: which entails SELinux, etc
• Apache/Nginx hardening: which entails setting size limits, WAFs, etc
• XSS, SQLi, etc
  There's also https://cheatsheetseries.owasp.org/

MFA for user accounts, since you're storing i assume data about clients?

and some method of encrypting that data

@thorn obsidian Thanks for the resources! Yes, I have already thought about a couple of things that have to be done. I even thought about making the web access only through a VPN

https://github.com/pyauth/pyotp for 2fa as well

I've seen that one before, cheers!

But in a more abstract way of thinking (as in, without going into examples and/or details) is a website generally more vulnerable as an installed software?

That greatly depends on the software/website

I've seen pieces of software ( Zoom, with their malware-style install tactics on Mac ) that have done some fairly questionable things. Likewise for websites that want access to your camera/microphone/location/etc.

i mean if it's an internal tool just for use by staff then your exposure is pretty limited

That's true as well

i've got a couple of small flask services out there for customers that are just protected by a simple login form

but access is restricted to their business IP address

@lusty flare yes! That sounds awesome

@lusty flare Hopefully you're using something like https://werkzeug.palletsprojects.com/en/1.0.x/middleware/proxy_fix/?highlight=proxyfix#werkzeug.middleware.proxy_fix.ProxyFix so people can't spoof that IP 😄

🙄

that guy

This might be a stupid question, out of interest.. with the Covid 19 they might have to do home office. This means that x employees now need access from many different IP addresses. How did you/would you deal with this?

Did you whitelist every single IP address?

Connection via a VPN

ok, this sounds exactly what I would like to do with my ERP-System

A VPN would work best if it's for your work, but that approach wouldn't really work for clients and the like.

Why wouldn't it, if I may ask?

I imagine the employees have devices managed by IT, which you can add/manipulate VPNs and whatever else you wanted on them. It's not the same approach for clients.

Anyway, it's late. I'm going to head off 👋

thanks Scott! Have a nice day!

I don't see why you can't have VPN profiles for clients

We do this every day when pentesting something... a company gives us access to their testing environment via a VPN

for tonnes of different companies

just counted, I have VPN profiles for 27 different companies

depends on the clients you'd be getting

i have just had to tell someone to connect to their wifi before the vpn

"but my phone works"

4g, innit.

this is what Greg from IT is for

hahah - yeah, I think that really depends on the capabilities of the IT department. Ours... suck. hard.

https://www.theregister.co.uk/2020/05/27/trend_micro_driver_windows_10/

well that didn't take long

*A question about networking*
If I'm developing a protocol say finger
It runs on TCP port 79
When I run it, Should I use the default port of it or pick a custom port that's higher than 1500 I assume
~I've heard alot that I should stay away from the known/taken ports, Why do they exist if most of them aren't open when I check the open ports?~

Yeah, that's mostly what I was getting at - is the capabilities of IT. I haven't seen many that have separate VPNs for clients as opposed to employees.

@thorn obsidian I don't get what you mean to be honest, And you haven't answered my questions yet >.<

I was responding to the message up above about VPNs

I see

Also, when you say finger, are you talking about using it through IRC or some such?

I've mentioned it as a general example of picking the right port for a known TCP protocol

We can take QOTD as another example if that will make a confuse

You normally don't want to change the default port for something. It won't make a difference security-wise

If you're using a port higher than 1024, user's other than root can use that port.

Oh wow

So if I want a protocol to be accessable by any user I can choose a port higher than 1023 ?

Correction, 0-1023 are for root. 1024 and higher are not

https://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only

And why are there " default known ports " ?
To remove the confusion from users ?

The Internet Assigned Numbers Authority (IANA) is responsible for maintaining the official assignments of port numbers for specific uses.

Taken from https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Does that answer your question?

Nope

Or I don't know maybe it's the answer but I don't see it as one

Well

I can open a custom port which is higher than 1023 for a finger protocol and the client won't notice a thing

Why should I pick a specific port ?

I know I'm not forced to but there must be a reason for specifing ports for specific protocols

You mean, 80 for HTTP?

Well, No

I mean QOTD or finger

I'm talking in general. Are you referring to 80 for HTTP? 443 for HTTPS? etc?

Yeah

The IANA set those

I'm free to pick any port I want that's higher than 1023, Right ?

Hi guys! Can someone explain me how to use raw sockets in python and what are they?

Won't make a big deal ?

You could, sure. But any non-root user would also be able to use ports 1024+

What's the problem with that ?

@viscid peak https://www.tldp.org/LDP/khg/HyperNews/get/khg/18/1.html >.<

https://www.binarytides.com/raw-socket-programming-in-python-linux/

@thorn obsidian Btw, What do you mean by "Accessing it?", Just to make sure I'm not misunderstanding

accessing it?

What do you mean?

Are there big changes behind linux and windows rqw sockets programing?

Oh, I mean use it xD

I mean that ports 1024+ can be used by any user

*beetwen

Unlike 0-1023 that are tied to just root

When making a client interface let's say IRC that uses finger ?
Should I use ports 1023+ so anybody can access them ?

@viscid peak No clue to be honest, I'm almost done with questioning, You can leave your questions again after me <3

Are there big changes behind linux and windows rqw sockets programing?
@viscid peak setting up and closing sockets differ

everything in between is more or less the same

What's the right way to deal with Cookie consent for small businesses? Osana seems like the best option, but is pretty damn expensive for what it is - I feel like I could roll my own solution pretty easily, but it also seems like the kind of area where you don't want to be doing it yourself.

The problem is tracking the consent, it seems like it should be fairly easy, but given that all the paid solutions are pretty expensive, I'm wondering if there's something I'm missing

Does anyone know if it's possible to deobfuscate a program that was obfsucated using pyarmor?

import os
import time
from imgurpython import ImgurClient
from helpers import get_input, get_config
import tkinter

def authenticate():
    # Get client ID and secret from auth.ini
    config = get_config()
    config.read('auth.ini')
    client_id = config.get('credentials', 'client_id')
    client_secret = config.get('credentials', 'client_secret')

    client = ImgurClient(client_id, client_secret)

    # Authorization flow, pin example (see docs for other auth types)
    authorization_url = client.get_auth_url('pin')
    import webbrowser
    webbrowser.open_new(authorization_url) 

    print("Go to the following URL: {0}".format(authorization_url))
    write(client)
    return client
    
def write(text):
    file=open("client.txt", "w")
    file.write(text) 
    file.close()
    # Read in the pin, handle Python 2 or 3 here.
    #   pin = get_input("Enter pin code: ")

    # ... redirect user to `authorization_url`, obtain pin (or code or token) ...
def connecte_auth(client, pin):
    credentials = client.authorize(pin, 'pin')
    client.set_user_auth(credentials['access_token'], credentials['refresh_token'])

    print("Authentication successful! Here are the details:")
    print("   Access token:  {0}".format(credentials['access_token']))
    print("   Refresh token: {0}".format(credentials['refresh_token']))
    print(client)
    return client``` 
why ?
```bat
C:\Users\Famille\Desktop\imgur\def used>py tk.py
Traceback (most recent call last):
  File "tk.py", line 3, in <module>
    from auth2 import authenticate
  File "C:\Users\Famille\Desktop\imgur\def used\auth2.py", line 27
    file.write(text)
                    ^
IndentationError: unindent does not match any outer indentation level```

#❓｜how-to-get-help, also that project is deprecated and hasn't seen a commit in 2.5 years ( https://github.com/Imgur/imgurpython )

im not sure is it right place but

when i scan a qr code

program ask a permision to send me to the link

is it a part of a qr code or scanner program?

qr codes only contain information

your qr scanner might direct you directly to a link if that's what the qr code contains

which is pretty bad practice tbh, it shouldn't do that automatically

uhhh

is that book piracy or?

seems yes. random links to downloads are also shady af

gonna ping a <@&267629731250176001> for this one

yeah @tulip dagger we're not going to allow that one. please refer to rule 5.

hey does anyone know alittle bit of regex ?

im trying to find out what '?=' means

not related to #cybersecurity, but https://regex101.com/ is good for explaining regex patterns

enter your query and look for the explanations on the right

@summer aspen

thank you !

What license should I use for a Ren'py game? I want to be able to keep rights of all of the pictures and backgrounds and code, but I also want to allow people to let say, upload a video on youtube showcasing the game

Was someone adding 2FA for the web app? Any suggestions for the provider? (in Django btw)

@limber flicker Yes, actually. https://pyotp.readthedocs.io/en/latest/

I'd suggest checking the README for recommendations they give too

@lusty flare, heya bisk , just wanted to thank you again for helping out that other time got a solid 100%

cool! nice work.

hai hai

What are JavaScript data values? talked about here: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

@thorn obsidian Thanks for answer! I found two other libs, https://github.com/django-otp/django-otp and https://github.com/Bouke/django-two-factor-auth, even easier to implement I guess... I am not sure about all the pros/cons of dealing with it on my side or to use any third-party 2fa provider, still reading about it.

@limber flicker PyOTP has the most stars, so probably more people have seen it

Mind you, that probably might mean nothing, but it's the one I'd go with

@thorn obsidianIt is a good point. Now I am thinking, relying on third-party providers can be overkill if I don't really need all cool ways of auth.
Thank you again!

PyOTP sounds like what you want, considering it's fairly easy to implement

https://github.com/pyotp/pyotp

the only way to seriously obfuscate your python code is to compile it into another form
@lusty flare how do you put a wrapper

The thing is, a lot of decompilers can decompile it, and retain some of the source code.

You can't make a program that can't be decompiled by someone, considering the system needs to know how to decompile it in order to run it.

Damn, i gotta find out how to do that.

If you want to make it non-trivial to turn your code back into clean source, then compiling the Python code into C using Nuitka then compiling the C-code can work: https://nuitka.net/pages/overview.html

It's not perfect but it'll stop most casuals trying to look at your code

Thank you!!

https://www.xudongz.com/blog/2017/idn-phishing/
To prevent this in Firefox, go to

about:config
and set
network.IDN_show_punycode
to true
👍

For anyone thinking that Zoom is actually any level of good:
https://www.bloomberg.com/news/articles/2020-06-02/zoom-transforms-hype-into-huge-jump-in-sales-customers

Corporate clients will get access to Zoom’s end-to-end encryption service now being developed, but Yuan said free users won’t enjoy that level of privacy, which makes it impossible for third parties to decipher communications.

“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan said on the call.
( Emphasis mine )

yeah saw that

literally the quickest way to undo any sort of trust they'd been gaining

Jitsi is far better anyway ( and free! )

can i ask in this topic a question about selenium ? or wrong topic?

ooooh this cahnnel is interesting

i always wanted to learn exploiting and how to find vulnerabilities...

And how to write exploits which using the vulnerability

a lot of the talk in here tends to not go too deep in the specifics of how to do that

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-5-url-escape-before-inserting-untrusted-data-into-html-url-parameter-values
I'm confused about rule5. It starts off by saying to encode using %HH format. But then, in the warning message, it says to do something different. Is that warning just for when user input is a whole url, rather than just a parameter like a name?

I think the distinction here is whether the URL is constructed using a base URL + user data in a parameter value, or if the base URL consists or includes user data. In case it is the latter, the warning specifically states that you should validate whether an user-supplied URL is valid before using a context-specific encoder

ie, not URL encoding

because that would break stuff (as an example, https:// would be broken via URL encoding)

Oooh! Thanks very much xx.

What is the standard for generating salts for hashing?

nvm

To make it impossible for an attacker to create a lookup table for every possible salt, the salt must be long. A good rule of thumb is to use a salt that is the same size as the output of the hash function. For example, the output of SHA256 is 256 bits (32 bytes), so the salt should be at least 32 random bytes.

@silent pier https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html handles that for you

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html is also great to read

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#salting

I'm not using python, or storing passwords. I'm just hashing a few values in our big data collection to avoid it being identifyable

https://decentsecurity.com/malware-web-and-phishing-investigation/ Neat

https://github.com/veeral-patel/learn-security-engineering - also neat

In the U.S. ( possibly other places, but I'm only aware of the U.S. ), you can copy/paste a spam SMS message that you've received and send it to 7726 ( S-P-A-M ) and it'll be sent to your provider and reported for spam.

Are there ways of decompiling or injecting code or even hooking i guess into compiled exe's from PyInstaller or py2exe?

i need a brute force scriprt to test my website login page

i need a brute force scriprt to test my website login page
@thorn obsidian

!rule 5

@tepid venture sure

py2exe doesn't employ any anti-debugging functionality

you can hook via a regular debugger and do whatever

https://gyazo.com/d96fd9c46c088b974c7936a82ed29075

description of channel

ok?

@ionic ledge Did you need some help with something?

no

@thorn obsidian any specific debugger you recommend? also what about injecting

How do you start hacking in Python

Is there any course out there?

Kinda depends on what you want to “hack”?

Like if u wanna reverse engineer stuff, can I suggest https://frida.re and binary ninja decompiler (unless u wanna bother learning radare2 or get a cracked version of IDA pro)

Both those have python bindings, so look up tutorials for those

I wanna hack peoples wifi so i can get their wifi passwords😈 😅

!rule 5

I think by "hacking", they mean "ethical hacking", not "Hollywood spy movie hacking". 😅

"I'm in!" Opens StackOverflow page

!rule 5
@thorn obsidian dude it's a joke

i know you can get in jail for it so.

"I'm in!" Opens StackOverflow page
@thorn obsidian 😂 🤣

do you guys know the grey hat Python book?

what is it about did any of you read it?

unfortunately, we don't really know if people are joking or not. A lot of people what you said with 100% seriousness

ghmph

you got a point

but i don't want to be a criminal.

Ever read the book from no starch press, GreyHat Python and BlackHat Python? would your recommend it?

I was legitimately gonna answer your WiFi question before reading it was a joke 😂

the easiest way to crack your neighbors wifi password is by kicking their door in and beating them with a wrench until they give you the password

What kind of neighbours do you have? 😂 just invite them for dinner, they’ll return the favour, and you can ask them their WiFi password as a guest

haha lol

think it's more a reflection of me and not my neighbors

my neighbors are not very forgiving

hehe

Is violent python a good book

anyone knows how to disable windows defender (smartscreen) for python files ?

Please ping me if u know

@brazen epoch Which Python file is it triggering on?

@brazen epoch why do you need to do this? What is your script doing that it's triggering AV?

Do digital signatures and digital certificates have anything to do with each other?

it seems they are different things, but teacher wants me to sign a pdf using a certificate (???)

a certificate created with pyopenssl

which I still don't know how to do

@thorn obsidian @thorn obsidian it's a keylogger...

!rule 5 @brazen epoch

@quick oracle a certificate lists a trusted public key. The corresponding private key can be used to sign stuff, which can later be checked against the certificate to see whether the signature matches the public key (thus proving or disproving the legitimacy of the signature)

anyone know to make a vpn?

Do I need to create a public-private key pair in order to create a self signed certificate?

The corresponding private key can be used to sign stuff
So, that means we sign stuff with a private key instead of a certificate?

@thorn obsidian

If it "signs stuff" by encrypting it with the private key, how do we check it against the certificate? Decrypt it using the public key?

And how do we know that public key is really from the entity we think it is?

Think of a certificate as a container of sorts. There's different things inside the container - what the certificate is valid for, who the certificate belongs to, signatures if it has been trusted (signed) by another certificate, and most notably the certificate's public key @quick oracle

A signature has nothing to do with encryption. The private key is used to simply create a signature of some data. That signature is usually appended to the data as a footer. Anyone can then use the public key to check whether the signature matches the data provided.

seriously the best way to jack someone's wifi is to get near the box and use the WPS button

i've done that in business places / other people's houses

just a quick boop, and i'm in.

is there anything wrong with allowing this?

its being processed in a multiprocessing.Process

and is sent via a multiprocessing.Pipe

does that make basic stuff like min and max unavailable?

also does that still allow me to import os and os.unlink things?

yes

unless you allow it

so i specified a list of functions the user can use

@brazen epoch You're making a keylogger and you expect it not to be tripped up by Defender? That's not going to hapen, and not something I'll assist in.

Damnit was a joke

It's a basic app

Which sends emails

I can't know whether it was a joke or not. Also, I have a script that does e-mail and it works just fine.

Yeah but windows defender blocks it

Can you provide a minimum chunk of code that triggers Defender?

Yeah i'll do that tomorow morning

10pm in france

Because my LockMsg script does e-mail, and it works just fine and I haven't heard of it triggering any kind of AV - https://github.com/Lvl4Sword/LockMsg/blob/master/LockMsg.py#L249

what is document.domain in javascript

?

apparently by changing it u can loosent the control SOP has on your communications

idk js thats y im asking

Anyone have any experience with OSQuery?

im having problems with TLS stuff. Trying to make it connect to a Flask backend

I made a self signed cert for my dev flask server like this

openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

Made sure to run my Flask app like this

app.run(debug=True, ssl_context=('cert.pem', 'key.pem'))

And when i issue this command in osqueryd

sudo osqueryd --tls_hostname localhost:5000 --tls_client_cert=cert.pem --enroll_secret_env c2e8f53d-63b9-4836 --config_plugin=tls

it just spits this back

W0608 15:41:16.282819 118845 tls_enroll.cpp:76] Failed enrollment request to https://127.0.0.1:5000 (Request error: certificate verify failed) retrying...
W0608 15:41:20.379410 118845 tls_enroll.cpp:76] Failed enrollment request to https://127.0.0.1:5000 (Request error: certificate verify failed) retrying...

I'm not sure how to further debug this, i looked in a few /var/log folders but couldnt find any logs htat seemed relevant

my flask terminal didnt show anything pop up. I was able to connect with SSL in the command line to the server to see its response and it seemed ok besides "verification failed: self signed cert"

but supposedly you can use self signed certs with osquery

Can anyone suggest me books like violent python but for python 3?

you could run flask behind something like an nginx-reverse proxy that acts as a TLS terminator

@thorn obsidian

I think i might've figured it out

i think it had to do with how the key was being generated

I was getting wrong version when i enabled verbose mode ocasionally, which made me think something was wrong there

i cant get it to work with the client cert, but if i specify --tls_server_certs param it works

which for local dev work is good enough for me

nginx-proxy would be good logging middle ground though

i also found out osquery has a slack channel 😄

in this day and age i just use nginx as a reverse proxy for all the sites i host at work

nginx is nice for sure, never been this easy to spin up a webserver

apache is a configuration nightmare compared to nginx

Does anyone know how to have encryption with sqlite databases in python(ofcourse)?

I got my encryption algorithm working at last! =)
https://prnt.sc/swyjna

@thorn obsidian Encryption of what? The entire database? passwords? usernames?

@thorn obsidian yh the entire database(database isn't big), as such the databases cannot be accessed without a key or before being decrypted.

Sooo, I got myself a NAS now. How can I set it up so that a crypto-troyan that got accesss to my PC cant cipher the data on my NAS? (synology ds220j)

if it was going to access it, it already would have

and the issue is that any authentication method is going to ask for a password, then let your computer have access

which means the virus has access

short answer: don't have a virus

@thorn obsidian https://stackoverflow.com/questions/5669905/sqlite-with-encryption-password-protection has a decent amount of answers for that

short answer: don't have a virus
@woven gazelle

https://arxiv.org/abs/2006.03463 Neat

https://gizmodo.com/report-facebook-helped-the-fbi-exploit-vulnerability-i-1843988377

https://gizmodo.com/report-facebook-helped-the-fbi-exploit-vulnerability-i-1843988377
@thorn obsidian ofc they did, not even surprising

Anyone here good with wireshark? I could use a hand if so.

@narrow fog what do you need?

@thorn obsidian So, basically I'm doing this lab for my class, and I'm really new to this sort of thing: It's basically asking:

Q: Which Interface is connected to a local network (Ethernet)?

Q: How many packets have passed through the interface? Note: The total incoming packets, for each interface, are displayed in the column to the left of the Start buttons.

eth0 and how ever many you count?

feels like we're missing part of the question here

Packet Capture & Traffic Analysis with Wireshark (Lab
created by Rich Macfarlane. That’s what I’m doing.

I’d link, but you know

@lusty flare

hmm

https://www.theregister.com/2020/06/12/trend_micro_pulls_browser/

Trend Micro pulling some shit right now.

morning all. Could someone tell me what the equiv of ( in ruby ) "ECDSA::Format::SignatureDerString.encode" is in Python ? Is it util.der.encode_bitstring(s) ?

@thorn obsidian This may interest you
https://news.err.ee/113357/computer-hack-suggests-estonian-government-agencies-use-checkered-surveillance-program

https://www.eff.org/deeplinks/2014/09/statement-use-finfisher-members-freedom-online-coalition as well

@thorn obsidian This may interest you
https://news.err.ee/113357/computer-hack-suggests-estonian-government-agencies-use-checkered-surveillance-program
@thorn obsidian know for a certain fact that this is untrue

surprised ERR would publish this without checking with us first

How do you know it's untrue? Curious of sources myself.

NDA, but let's just put it like this

if this were true, I would know about it

100%

I've got doubts, to be honest.

hii!! uh i just had a question, i'm like really interested in cybersecurity and ethical hacking, i've been searching for days for like sources to learn from but i've come up empty, is there like a free e-book/courses i could look up? thank you!!!

@thorn obsidian In the free category, this comes to mind: https://www.youtube.com/watch?v=3Kq1MIfTWCE

thank you so much!!!!

hii, im really sorry to bother, i just have exactly this issue https://superuser.com/questions/998491/could-not-detect-the-operating-system-in-disc-image-of-kali-linux and i don't understand the response/what i should do

@thorn obsidian I think you can just click nexted and then tell vmware kali is debian

(also screen shot of the error pls? <3)

as in debian 9?

sure!

yeah

uh wait 7 or 9

one sec

(still want that screenshot)

its close enough to 7/8

cool

can you still select next?

yeah

hit it

it gives me the version choice, so debian x 64 bit?

yep

depending on the iso you got

but likely that its

it's 64

nice

so once you do that you should be able to install

🙂

do i need to like change the uh name? idk (virtual machine name)

optional - give it a good name

oh oki lol, thank you man, you're a life saver ahdkdj

no worries man

if you dont mind me asking

whats your goal with using kali?

learning about security?

idk, the cybersecurity stuff is just really interesting to me, and i wanna know more but i can't do much lol being like 14

yeah exactly

hahah

nah man

you gucci

oh! and if you are in the US. there is a great thing called cyber patriots

its a red vs blue competition for Highschoolers

I only ever did the college level one myself but you learn a lot!

i wish i was now ahskdj

sadly i'm not loll, but i'll read ab it, thanks!!

no worries man

i'm gonna try to make more of an effort to hang out in this channel

feel free to ask

!!! oh !!

one thing

Make sure with the kali install

WRITE. THE. CHANGES.

you can hit enter most of the install

but if you dont change the option at the end to write the changes.. it wont properly install

awh ty!! okay, i will, thanks man

How to create a digital certificate file (.crt, like this image) with PyOpenSSL?

yes, kali is based is based on debian

yes, kali is based is based on debian
@thorn obsidian Is also Parrot os?

Hello everybody, i am writing a small encryption program using the RSA encryption algorithm, but when i input a message i only get one number (Which isn't supposed to happen.) The code: ```python
message = input("Message> ")
publickey = input("public key> ")
privatekey = input("Private key> ")

import math

def RSAencrypt(pkey, prkey, mes):
for x in range(len(mes)):
ciphertext = ""
currentchar = mes[x]
charascii = ord(currentchar)
charciphernum = int(math.fmod(math.pow(charascii, pkey), prkey))
charcipher = charciphernum
ciphertext = ciphertext + str(charcipher) + " "
return ciphertext

print(RSAencrypt(int(publickey), int(privatekey), str(message)))

Hope someone can help.

Nevermind, i fixed the problem.

Hi guys! Can you get me a quick beginner question?

sure, just ask

no guarantee that we can answer, but then you're not paying us, so ... 🙂

Hahaha, I recently started cybersecurity and would like to know if the sql injection method is still worth doing.

definitely worth learning and being familiar with

it's as valid a techinque as it has ever been

and while languages like python by their nature make it slightly less likely to be a vulnerability it's still one of the most common issues

also, not just SQL - 'command injection' in general is the same thing but with terminal commands, other scripting language injections etc.

correction: python tends to make command injection slightly less common but it makes it easier to write shitty db applications so may make sql injections MORE likely

it is still extremely prevalent today - coming from someone who does as a profession

it's the "low hanging fruit"

it's also the foundation for a lot of other exploits

it's not just a case of memorizing an a4 cheat sheet

"webpage has loads of form fields? lets just test some escape sequences and see what happens!"

i know what it sql injection,
but I have noticed that a large part of the databases of some sites immediately block the attempted attack.

"oh hey look, i just dumped the entire user database."

it's a bug when it works

it's input sanitisation

no website should be vulnerable

if you weren't aware of that

so if they do things properly it won't be an issue

but a lot of people don't do it properly

when it works it's because someone didn't properly sanitise a user input field properly

yeah that's what im saying

but short answer yes absolutely

ok thx

the database will take commands given to it, it's the intermediary layer that's usually at fault

all i know is that i tried to sql injection to a company whose owner i know and it didn't work: /

String query = "SELECT * FROM products WHERE category = '"+ input + "'";

Statement statement = connection.createStatement();

ResultSet resultSet = statement.executeQuery(query);```

this would be SQLi vulnerable

since you're just smashing user input straight into the SQL query

we could then make that user input additional SQL statements

and it'd run those additionals

then feed us the results

PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");

statement.setString(1, input);

ResultSet resultSet = statement.executeQuery();```

would be an example that isn't vulnerable

i googled these, i did not write them.

something something value substitutions or w/e

I also tried to do sql injection on a website that I found searching for "inurl: index.php? id =" but it still didn't work xD

results = sqlconn.execute(f"SELECT * FROM products WHERE category = {input}")

example vulnerable python line

I also tried to do sql injection on a website that I found searching for "inurl: index.php? id =" but it still didn't work xD
@sinful cliff Please don't test sites you don't have explicit permission to test.

Unless you like prison

!rule 5

yes i know that, i've used a vpn and it was just for testing

yes but you did not have permission to attack the site

or "test" it

in the UK that'd be a violation of the Computer Misuse Act

even if it worked, I wouldn't damage the site. He simply contacted the owners of the site and reported their vulnerability.

VPN providers will hand your data over to law enforcement if supplied with a warrant

It doesn't matter what your intentions were

Testing a site without permission is illegal

people have gone through very long and drawn out lawsuits doing exactly what you did

for "learning" or "fun" tested someone website

informed them of a breach

got arrested and charged

extradited to the US

all sorts of fucking crazy shit

But if I don't tamper with anything on the site and just contact the site to explain the vulnerability, can it be considered a crime?

yes.

unauthorized access to a computer system is a crime.

oh i didnt know that, thx for the warn

there are grey areas, for example port scanning, but actively trying to exploit something is definitely a black/white issue

successful or not

mate of mine who was into sec broke into lockheed martin's email server for contractors

hey was grey hatting, reported that shit on the download using TOR

then went through a paranoid hell for a few years

he didn't get caught but it didn't get patched either (this was ~6 years ago or so)

I never heard any case of someone who was arrested for attempting to inject sql. I thought attempts were not used in crime.

at least in the UK, you're "using" the system by attempting the SQLi

and you're using it in an unauthoirsed manner

yep cma is quite clear on that

it's like popping open a window on a house

you can say you were just testing to tell the owner if there's a problem bhut

But if I don't tamper with anything on the site and just contact the site to explain the vulnerability, can it be considered a crime?
@sinful cliff if you go testing your lockpicks on random houses in your neighborhood, is that a crime?

looks mighty suspicious

trying to pop open the window

not even popping it

eh

you have to open the window in this case to see if it opens

although i have reported injection vulnerabilities without testing before

since it's safer that way

(on open source projects lol)

In the country where I live (Portugal) I think that attempts are not a crime, but it is better not to try to do any shit that I don't know

i think the lockpick example is probably a better one

@sinful cliff there are plenty of places to learn and test this stuff as wlel

sometimes you might find the door isn't even locked

sometimes it's got a crap lock

but just trying the lock is potentially a crime

@thorn obsidian well yes

that's pretty much what you're doing

but digitally

plus, since this is a world made of nations

different nations have different laws on certain things

Germany pretty much made network security tools illegal at one point (maybe still are?)

stuff used day to day by security and network professionals

then any user using any vpn is not 100% secure because in case of confusion the company responsible for the vpn discloses the user's ip

so in germany is it "forbidden" to be a cybersecurity professional ?!

no, the law is unworkable, but it's the law.

we have lockpick laws in the UK that say if you're caught in public with them you have to provide a pretty good reason for having them

and VPN's aren't 100% secure because the VPN provider knows who you are already? o_O

¯_(ツ)_/¯

and say that security professional is not enough? Type shows the curriculum and the place where he works

my point is laws are broad and differ between nations, sure, but some things are pretty concrete

@lusty flare Because in principle yes, he identifies you by the ip and knows your location¯_(ツ)_/¯

yeah, i wasn't sure what your point was really.

but going to sites and testing them for SQLi without permission is very much something naughty

I think that there should be a law that was enforced worldwide, in which sql injection was allowed on the sites but if they discovered any vulnerability they were obliged to report it, otherwise they were punished. Simple

attention I went to sites that were allowed. The database had no protection at all.

I saw on the internet that those sites that are allowed to make attacks were searched that way. But there were some who couldn't do sql injection

Can you guys suggest a good book for developing python security tools except "The Gray Hat Python" And "The Black Hat Python" ?

@viscid plank Violent Python...

Great! thx

What is a "must know" programming language in Cyber security? Is it necessary to know a lower language like C/C++? Or could you do just fine with knowing a higher level language like Python? I'm debating about whether to learn C/C++ or Golang. I heard Golang is fast and has C-syntax but at the same time it's not a low level language. I already know Python and some intermediate concepts in C++ and JavaScript. And theese days you have a python library for almost everything, so why should you learn another language (other than the obvious reason, speed?). Or is it more about a "personal preference"? If this is not related to this channel/server, let me know.

I think it depends on what exactly the task you want to do with the language, I usually use python in CTF and Web Application Exploitation but I am not working on binary exploitation or something that depends on the low level so I don't use another language ( I also don't know if this is related to this channel )

What is the length of the actually required data in an RSA 2048 public and private key respectively

i.e. if you don't need to worry about optimising decryption times how short can a public or private key be

2048

minimum recommended

i use 4096

yeah sorry i mean the actual length in bytes

to store a public key specifically

how do you hide keys in python like your api keys for a cloud server?

"hide" from whom?

you shouldn't keep them in code

instead, they should be kept as environment variables

sorry for the late reply. how do I keep them as environment variables?

"hide" from whom?
from other users, just in case

users of what?

I am kinda building an app for raspberry pi which throws sensor data to cloud database, since I am leaving it in their location I just wanted to ensure that they could not get the possible keys for the cloud database

just asking on how I could prevent that kind of situation

well, that's impossible

if they have physical access to the device, they can do whatever; as long as the Pi needs API keys itself, they can extract them from the device

is there any workaround in that?

like kinda locking the rpi but it can still run the application in the background?

no, not really

Multi-billion dollar companies like Sony or Nintendo spend fortunes to lock down much more specialised hardware, yet people can still hack their consoles, since there's only so much they can do. Physical access = game over

Much more easier on a pi where you can simply pop the SD card out and read the keys directly.

or implant a script to echo those keys if they're obtained elsewhere, like through a trusted server

Goal: salt like this: "2c2d9fa7bf4b037640067f102c0c8707"
What I have:          "9DeCO9hfAyqoC+KkSCUd30YSG5FIbsmKGfnW/GmlCrA="

What I tried:python _salt = os.urandom(32) print(b64encode(_salt).decode('utf-8').encode('utf-8'))

@sinful cliff Not something we're going to entertain here

!rule 5

@slate fulcrum What's the salt for?

@thorn obsidian I got it working but I'm still not 100% sure its secure, its for provably fair thing so I can proof that the generated numbers are random and generated before users set bets

I haven't done the random thing yet tho

bets? What kind of bets?

You know csgo betting sites? like that

roulette, crash

That's not something I'm comfortable assisting with

ow y not

Where can I ask about true random?

If it's something you need help with, the help channels #❓｜how-to-get-help

but yeah, I'm using os.urandom(16) to get the salt, then add the random number in the end and hash with SHA256, if I give the client the hash, it should be secure?

ok sorry, im new at cybersecurity and i was just testing

I have a cipher based encryption code, it is a variant of a homophonic substitution cipher where a key is generated randomly for each letter of the alphabet and for each instance of the letter a random choice of key is used. My encryption works fine but when I decrypt it it mostly works bit there are multiple posisblities for the actual decrypted code, based on the position of th echoice.
My encryption returns the choices made, the keys and the code but as there are sometimes multiple instances where the code letter is valid it can return the wrong value for decrypted code
Does anyone have any ideas on another way to find out the letter from these variables?
Here s some of my code:

any help would be appreciated 🙂

Hey y’all! I’m new cyber security and coding as well but would like some advice on where to start. All help is appreciated

heyy!! im new too but i'm following this video which someone here recommended, its rlly helpful, u should maybe check it out!! https://youtu.be/3Kq1MIfTWCE

Message Authentication Code (MAC) vs Digital Signature?

Isn't it the same thing?

H=Hash
E=Encrypt
PR=Private Key

Where it says MAC it could also say Digital Signature, correct?

And Message-MAC is a signed document/message

no, they work on a fundamentally different basis

@quasi steppe

What is a "must know" programming language in Cyber security? Is it necessary to know a lower language like C/C++? Or could you do just fine with knowing a higher level language like Python? I'm debating about whether to learn C/C++ or Golang. I heard Golang is fast and has C-syntax but at the same time it's not a low level language. I already know Python and some intermediate concepts in C++ and JavaScript. And theese days you have a python library for almost everything, so why should you learn another language (other than the obvious reason, speed?). Or is it more about a "personal preference"? If this is not related to this channel/server, let me know.

Golang is becoming used a lot for speed-dependent attacks such a bruteforcing and stuff like asset enumeration. Ideally, you want to be familiar with all languages, as they all tend to have native vulnerabilities. If you only know memory safe languages, you may be totally unfamiliar with low level memory corruption vulns and such. If you only know C, you might not know how insecure deserialization and polymorphic type handling works in OO languages. Maybe you don't know PHP, so you're oblivious of the existence of type juggling/loose comparison vulns. For building simple POCs/exploits, obviously a high level scripting language is best, at least if it's a remote exploit. Nobody wants to write a remote exploit in C/C++. That's where something like Python or Go comes in. It really depends a lot on what you want to do. There are many routes you can take in cybersecurity. If we're talking like pentesting, webapp/network, then you're also going to need the know the basics of HTML, JS, etc.. There really is no "must known" language, but you should at least know CS basics.

“Uploading a file multiple times at the same time.” - https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload What do they mean by this?

this?

like maybe if you upload a large video file twice to the same server it might generate back an interesting error

as in the same filename simultaneously

Oh, duplicate filename causes the error?

Thanks Seagull.

@thorn obsidian so is the picture a MAC or a digital signature?

it really seems to me it is a digital signature

It is not.

this video agrees with me https://youtu.be/MaOyDcVMnXU?t=89

A digital signature can be verified using just a public key

No preshared exchange of secrets needs to be done

it can be verified using just the public key

Whereas with a MAC, it is calculated using a secret key. That same secret key is also used to verify the authenticity of the message

So the secret key must be somehow exchanged beforehand in a secure manner, as if anyone gets a hold of it, they can forge messages

so MAC uses symmetric key?

It is a fundamentally different concept from digital signatures - the only thing they really have in common is that they seek to provide authenticity and integrity of a message

so this #cybersecurity message is a digital signature and not a MAC?

it's part of a picture, maybe I should get the full one

D=Decrypt
PU=Public Key

That's generally not how MAC works. MAC has no concept of public or private keys

https://commons.wikimedia.org/wiki/File:Message_Authentication_Code.svg

it seems this MAC Algorithm could be a kind of hash + encryption, and that makes it very similar to the digital signature, except it uses the same (symmetric) key, while digital signatures use different (asymmetric) keys

correct?

Are all fields in a certificate mandatory?

Other than the public key

Is keyring the best library for storing passwords for python scripts?

@carmine wraith it could cause a race condition

And other irregular behaviors

I appreciate the answer @thorn obsidian . I will continue to look over which route specifically I might want to follow, then consider what languages would be necessary from there.

Np @quasi steppe I’m a security engineer for FAANG. I do a lot of white box penetration testing, so a lot of static code analysis. I see all kinds of languages. It’s impossible to know them all, but the concepts are similar

Oh ^^. Thanks talk less.

You are not allowed to use that command here. Please use the #bot-commands channel instead.

Anyone know what does “scapy contextmanagersubprocess” do? And can anyone explain it to me?

hiii, just wanted to ask if there's any ethical hacking / cybersecurity reliable certificates that could be taken for a person under 18 years old? like the ceh requires over 18, etc?

Is the only way to prevent ‘DoS attacks via SQL wildcards’, to remove those characters(e.g. % or _) from the user input?

use parametrised queries

this seems like a reasonable source of information

i think i read it before, even if it is php focused

https://kevinsmith.io/sanitize-your-inputs

Thanks bisk.

np

and please please don't not use it and do something else

so many people just go 'ah i can't get it to work' and give up

doing that will make your system vulnerable

in almost every case

always assume user input is malicious

because even if a user doesn't intend to be malicious

they're dangerous through their obliviousness

If you have a dynamic IP address, does the former IP address you had still contain your geographic location?

@thorn obsidian https://www.offensive-security.com/courses-and-certifications/

Hey I have a quick question some old friend I haven't spoke to since 2016 sent this link to me on instagram https://followthankhod.me/ipp.html I clicked it a few times dunno what happens, it just shows a blank page. Anyways, if any of you know what it it means please tell me. It's probably some IP Grabber dunno.

@carmine wraith Rule of thumb when it comes to DOS, a single request from a user shouldn't be able to force the system exhaust excessive resources by returning the dataset. As someone said earlier, wildcards (without restriction) shouldn't be permitted via user-input, or any metacharacters.

thank u sm, talk less

Security Connects with hacking right?

@thorn obsidian See the channel description.

Thats a yes

Thanks seagull and talk less.

I think SQLAlchemy did a prepared statement for me:
name = '%'
User.query.filter(User.username.like(name + "%")).all()
SQLAlchemy echos: WHERE user.username LIKE ? and then ('%%',) as the parameter.
That returned all usernames, instead of usernames starting with '%'.
What am I doing wrong?

% is a like operator

when you're name + "%" i assume it's joined them as strings to create %%

so when it process it it's like

"oh, find a username with the username of any number of characters / symbols?"

yeah 😦

you need to escape the %

in name, i mean.

you probably would've gotten a better response from a help channel or databases rather than security though :)

Thanks again bisk, very kind.

Hey I have a quick question some old friend I haven't spoke to since 2016 sent this link to me on instagram https://followthankhod.me/ipp.html I clicked it a few times dunno what happens, it just shows a blank page. Anyways, if any of you know what it it means please tell me. It's probably some IP Grabber dunno.
@thorn obsidian Yeah it's an IP grabber

You can open these links using a vpn

whenever you access any website that server knows your IP address

that's how the internet works.

Does anyone know any good pentest tools ?

whenever you access any website that server knows your IP address
@lusty flare ohh ok

for pen testing what?

i use a screwdriver.

hahaha

I'm trying to get started with ethical hacking. But almost all the tools are for kali, I want for windows

most of the tools are opensource so can be compiled for windows.

you could use kali in a vm

can you recomend some

i mean... tools are tools.

you say "i want to build something, what tools do i need?"

i can't answer that. :3

ok

nmap / wireshark are some fundamentals for networking

gdb for debugging executables

aircrack, airplay, etc, etc, etc

Thanks

i'm just saying you'd probably want to know how to use a chainsaw before starting one up.

theory before practical. :)

you might want to google for a recommended list of security blogs or something that have some intro articles.

I'm trying to get started with ethical hacking. But almost all the tools are for kali, I want for windows
@dusty tartan actual hacker here: none of the tools I use require kali

just usually a regular linux install

ok

and what tools to use is situational

Hello, I am a beginner in ethical hacking. I am in Europe and I would like to learn the different laws in cybersecurity and different reasons why something could turn wrong...

i'd recommend looking up the laws of your country in regards to Computer Misuse / Abuse and their implication in ethical hacking.

in general if you're doing things properly you shouldn't run into any legal problems because you'll have a document signed by people the saying "i let them do this because security".

And if I'm learning on my own?

the computer security institute came up with a "ten commandments" type thing that's pretty good.

Thanks!

if you're learning on your own you can run virtual machines to practice methods

only test on machines/services that either you're hosting or who have put out bug bounties

^

don't go sticking your nose into other people's stuff without permission is a key step

and in the case for bug bounties, triple check what things (and attacks) are in scope

EXPLICIT permission is the keyword here

big ol paper document

never think permission is implied

that says "yes, i, the very important man, said this person, this person, can do X to this computer system."

but also check out things like overthewire or hackthebox

otw is fun.

who host different challenges/machines designed for people like you to learn and test their skills

picoctf also comes to mind

Thank you so much!

but also, bear in mind, we ANAL

and as i recommended to apram above, it's probably worth googling around for some security blogs

there are some good ones out there on both actual methods and legal compliance

don't take any of our advice as solid legal.. well.. facts

ok...

man, i looked up that CSI ten commandments thing and it's actually uhh... heh

Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people’s computer work.
Thou shalt not snoop around in other people’s computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not paid.
Thou shalt not use other people’s computer resources without authorization or proper compensation.
Thou shalt not appropriate other people’s intellectual output.
Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.```

i guess that's a start

they tried real hard to cram it into ten

"insure"

is this correct here? I would've put "ensure"

i'm going to go with the stone tablet on this one

Quick question: facebook has a 10 photo limitation on marketplace to display. Will one be able to perhaps bypass this limit and if so, wouldnt that trigger a security mechanism that alerts for an ad with invalid number of photos and remove it ?

if they put a limit there, respect it.

I received this question and just wanted to imagine how does a check up like that work technically

¯_(ツ)_/¯

idk how you'd bypass any limit they put in place.

How come I can easily decrypt this GZIP encoded text H4sIAAAAAAAAC62Qyw3DIBBEG9pIO8vHtnJKDSlgCnALKT7AIuUARJaSy47nYR425zPsAkalEZYYaCkR8DAPh5E3MBOqyo0gUh07lTvxAptC7ZoCvyuOqaK-4xsuSYx1_x9EaSmq12qlXdLkhUbOB4JojeSRPaKU6c-bkx57jWc4WrM2XdAWHrFNX4V6QPQOgZiUQ0IZvUVvYqWqxk63KYXOcfiC4xxvC4kueFjwPPC84Mecm33lw7mdD9_pfPgtx8MldMsHvwGcxC66rAMAAA== in an online tool, but when I try to do it in python it doesn't work?

def _gzip(data):
    return gzip.decompress(bytes(data.strip(), 'utf-8'))
    #return zlib.decompress(bytes(data.strip(), 'utf-8'), 0)

zlib:
zlib.error: Error -3 while decompressing data: incorrect header check

gzip:
OSError: Not a gzipped file (b'H4')

wrong format, I guess

or maybe you need to base64-decode it first

i did

oh wait

let me try that

alright seems like that solved the issue, thank you

funny I tried it and got zlib.error: Error -3 while decompressing data: invalid distance too far back

Well i had a file that was all encoded in base 64 so i decoded it with this function

def base_64(data):
    return zlib.decompress(base64.b64decode(data.replace('-','+').replace('_','/').encode())[10:],-zlib.MAX_WBITS)

which then produced an xml file that had some text that was encoded in gzip

So i used this function again on that text and it worked like a charm

yikes, glad it worked

How come I can easily decrypt this GZIP encoded text
@exotic sundial the pedantic in me points out that gzip is not encryption, but compression

an important distinction

Thank you

Hello guys i found an example to send massages in python to facebook but it needs the username and pass. It uses the getpass library to get the pass. is it safe to use lik this?:

import fbchat 
from getpass import getpass 
username = str(raw_input("Username: ")) 
client = fbchat.Client(username, getpass()) 
no_of_friends = int(raw_input("Number of friends: ")) 
for i in xrange(no_of_friends): 
    name = str(raw_input("Name: ")) 
    friends = client.getUsers(name) # return a list of names 
    friend = friends[0] 
    msg = str(raw_input("Message: ")) 
    sent = client.send(friend.uid, msg) 
    if sent: 
        print("Message sent successfully!") 

So it kinda worked i found accounts logging in as mac computer and i found this in doc could it be the reason for mac logins? :

fbchat.utils.USER_AGENTS = ['Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/601.1.10 (KHTML, like Gecko) Version/8.0.5 Safari/601.1.10', 'Mozilla/5.0 (Windows NT 6.3; WOW64; ; NCT50_AAP285C84A1328) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1', 'Mozilla/5.0 (X11; CrOS i686 2268.111.0) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6']
Default list of user agents

I got prompted by face by suspicious activity ik 2 pass change and lot of login from mac. It was me so i dont think there is problem but now i have to use another pass 😦 .

What do you guys think? there is security risk in this?

But do you think there are security risks?

Do any of you guys know any good programs to learn ethical hacking?

Do any of you guys know any good programs to learn ethical hacking?
@icy perch Wireshark

@stable rover ok thanks I'll look into it

Yw!

Does anybody know how to get into a snapchat account without knowing the password?

Does anybody know how to get into a snapchat account without knowing the password?
@stable rover you can request a password reset, otherwise not possible and also without consent of the user thats unethical

@stable rover you can request a password reset, otherwise not possible and also without consent of the user thats unethical
@royal latch Thanks i want to recover my old account but i didnt use a right email to sign up on my old account. Can i still request a password reset with my current mail?

At that point you can email but odds are strong they wont help ya

sorry mate

anyone know how to send data like this

with python requests

the application type is multipart/form-data

yea

check out w3w3w3 on YT

headers = {
  'Content-Disposition': 'blah blah',
  'Content-Transfer-Encoding': 'blah blah',
  ....
  ....
  ....
}
r = requests.post(url, headers=headers)

hey, i want to study using udemy or coursera cybersecurity, does anyone have any recommendations for certain courses for beginners that go in depth? thank you!!

oh shit

@thorn obsidian check out https://youtube.com/w3w3w3

hey, i want to study using udemy or coursera cybersecurity, does anyone have any recommendations for certain courses for beginners that go in depth? thank you!!
@thorn obsidian I did the Introduction to Cybersecurity by NYU on Coursera recently. It covers all of the basic knowledge required for cybersecurity(not hacking).

@thorn obsidian Please keep the self promotion to a minimum

!rule 6

hmmmm yes. i got a DM linking to the channel too.

maybe escalate that to modmail

that ain't cool

yea sorry @thorn obsidian won't do it again, did not realise the rules. I also had seen a number of people commenting on learning "Hacking/Security/Python" and thought they may get some inspiration or ideas from one of my videos. That was all. 🙏

that's fine, you know now. :)

@dusty tartan oh okay, thank youu!!!

@thorn obsidian thanks!

@thorn obsidian np 🙂

How would you inject code into a compiled pyinstaller or py2exe?

well buffer overflow lol

many ways to inject code into any binary file/app does not have to be a pyexe lol

Would hashlib be a good idea to use for a actual secure password and user system or should i use a external system

@tough mountain are you considering saving the password?

Safest option is this: create a frontend random hash which takes in a private key from the server, take user input, hash the password with that random hash function and then send it to the server, save it in a db, then for the user to login you will rehash their password and compare the two different hashed passwords, if they match then password is ok if not then password is wrong

Yeah ik, Im just asking more if hashlib is actually good enough to be used with that system

or whether using a external lib will be better for it

Hashlib is the best imo

Would hashlib be a good idea to use for a actual secure password and user system or should i use a external system
@tough mountain Oh boy. The moment you start trying to make an authentication system you better be in for a ride. Personally my rule is look for a tutorial that is no older than 6th months. Dont try to write one from scratch as it'll probably suck

With just a quick google https://developer.mozilla.org/en-US/docs/Learn/Server-side/Django/Authentication this comes up and looks pretty good

I dont know if that meets your usecase

Hmm, That seems to be based with Django and it's system which does alot for you

the long ride begins xD

For the basic principle i think working it with / like Oauth2 is going to be the way to go

@tough mountain you could use OAuth2

max security

@tough mountain Really depends on what you're storing. Passwords? I'd use Passlib - https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html

oh does this work like pbkdf2?

What do you mean?

Salt and hash method

That's not specific to pbkdf2, that should be most hashing algorithms today

Hmm I see

I'll have a look then ty

You're welcome 👍

@thorn obsidian what do u think is the best jwt library atm?

@south seal Depends on what you need. I'd suggest checking out https://jwt.io/#libraries-io

I am using jwt to create user sessions instead of using sessions

That is my module of choice

@thorn obsidian

Sounds like you've got what you need?

Yup

Just making sure

👍

No need to @ me btw, feel free to just post a question. I wasn't around for a bit.

Ah alright

Are you a security expert?

hii, i have a question. i use kali linux right, and like im learning more, but there was a tutorial that i saw where the person like used the computers terminal to like give commands while downloading kali at the same time? idek what they were but when i tried doing that, it wouldn't work, even when i copied the code. is it because i'm a second user on the laptop? but i'm also an administrator?

will i like not be able to use the terminal and like idk?

what

is this when using a VM

@thorn obsidian i have no idea what you said or what you're asking

are you asking how to use a terminal..?

no

there were certain commands that a person wrote in their terminal, i know how to open a terminal and stuff lol, but when i do it, it just doesn't work. it gave me some type of response a couple days back

my question is like, whether that's bc there is more than one user on the laptop, using the terminal doesn't work

does that make sense?

no

and yeah using vm does work, im just talking ab the terminal like with the pc

what do you mean "it doesn't work"?

im not using my laptop rn, but i'll get a photo when i do later today, it just doesn't give out the same result yk?

what command are you running specifically

it was relating to downloading kali linux, the person was writing commands at the same time to download it. but i already had it downloaded

could that be the reason?😳

I'm sorry, I really don't know what you mean by that

the actual command you're trying to run would help the most

Is the download done in background job?

it was this command, i don't remember the result that came up for me tho

i mean thatäs just uname

it should work fine and has nothing to do with downloading kali

am i supposed to set up the command prompt in like a certain way before? because like it says windows/system 32

these are linux commands

you need a linux machine to run these

not windows

ohhh okay, so windows has different commands? i thought that in the video windows was used

yes, windows and linux are very different and use different commands

ah okayy, thank you so much man

@thorn obsidian don't take this the wrong way, but you should get familiar with Linux first as an OS before trying to use kali linux to hack things

a lot of it requires you to already have a preexisting knowledge of linux on an intermediate (if not advanced) level

did they not actually ever install linux

i'm not lol!! i thought the person was using it while downloading linux for some reason, i am trying to get familiar with it first, thank you tho :)) @thorn obsidian

kali linux is not a good first distro

idk if you're talking ab me lol, but if it is, i did

really? what should i get started with then?

most videos i saw said that ://

I don't recommend Kali as a distro at all, even for hackers

it's mostly only used by people who think they instantly become godlike hackers by downloading and installing kali

for getting started with Linux, I recommend something like Mint or Kubuntu

rlly? oof gosh lol😳😳

ohh okay, i'll check those two out, thank you so much again!! :))

it's mostly only used by people who think they instantly become godlike hackers by downloading and installing kali
@thorn obsidian 100% True if you want to hack you need to know what in the background going on ,

and Kali gives you the right lab for hacking but it dos't make you a hacker

How do you feel about parrot? @thorn obsidian TBH, I don't have a reason to use 90% of the tools packaged out with those distros, but I liked parrot. As far as I can tell, the reason that kali exists is because when you get a classroom full of students to teach them pentesting, its just easier than helping them individually set up an environment to learn on figuring that probably more than a few of them will ahve very little basic knowledge.

So they're just like, "Fuck it, install this on a VM"

that's about the only scenario where i'd find it somewhat useful

hi, I've got a regex related question

is this the correct place to ask?

no

try #unix, maybe

well, I'm trying to parse a windows command output for a friend's task, so unix probably wont fit

Hi, is some of you familiar with the rules tab in firebase?