#cybersecurity
I'll send you too a paste of the nmap.. But I have scanned from within local IP
Googled it.. Doesn't look wrong at all tbh
I might also fill in that in 4 weeks of having my linux machine up, I received 1,2 million connection attempts on ssh
I have 6 computers, so none of the ones I care for. Still info tho
But this is behind NAT
From what I've read from you and online, there's a high chance your device is compromised
Give me a moment
Alright, yeah, that's about all I can provide.
Eeeehhhh...
^
Yeah, I'd get in contact with some security people on Twitter and get the word out if you can.
Provide everything you can
to me it smells like ISP created backdoors more than a hack
I'm starting uni for cyber security on Monday.. So yeah I'll probably get it spread
Oh, no, I've found several leaks of their emails
I'd contact Troy Hunt
what do you mean by leaked emails?
hostmaster@xxxxxx.net (one of their main DNS).. Found like 20 pastebins
Contact Troy Hunt
Hmm, I'm not normally into publishing private information
and to be honest, a breach in their email security does not equal a breach in infrastructure security
It's their primary dns
it just smells of lax security over all.
yeah, but it's an email login for a generic account (hostmaster@)
it may have no direct link to their ISP infrastructure at all, it could be for handling complaints of IP address abuses etc
I've mapped it
@main sequoia It's got nothing to do about publishing private information. Do you know what HaveIBeenPwned or who Troy Hunt is?
Got a graph proving that the breached DNS is one step away
uhhh... an email address and a password isn't "breached DNS"
that's an account level breach.
Yeah of course. But I'll at least have a look at the pastebins before I publish anything
I'm not asking you to publish anything
I'm saying that if you give Troy Hunt information about this, like you have us, that'd be a good idea. Let them handle it.
They've dealt with numerous breaches/compromises, I'm leaning towards you have not.
Regardless, that's about all I can give on this topic.
I'm sure I'll get in contact with someone during the next few days about it, I wrote Troy Hunt on a note
Thanks a lot for all the help! And after reading on what you said earlier, I'm going to get a new modem tomorrow
good blog, even ignoring your issues
I'm Partnering with NordVPN as a Strategic Advisor
aaaaaaaaaaahahahhhhhhhh
they fucking need it.
time to read up on 4 months of blog posts. \o/
The breach has been registered on haveibeenpwned, at least the biggest one
All, I am working on a lab where I am pretty sure I have found a deserialization flaw in Django authToken, but I am running into an issue where I could use some direction. The auth token deserialized looks like this:
{'id':1,'token':00000000-0000-4000-8000-000000000000}
The token app performs a validation check for the token prior to the pickle.loads. I am getting hung up on the expected length. The expected length is set via a Django Environment variable of 104.
if ((Tokens.expected_length - 5) <=len(token) <= (Tokens.expected_length + 5)):
So I have to find a payload that will fit between 99 and 109 characters after deserialization. The payload below is 156 characters and the smallest I got was "/bin/sh -c id" for 116 characters.
```
class RCE(object):
    def __reduce__(self):
        import os
        return (os.system ,(("/bin/netcat -nlp 7777 -e /bin/bash"),))
```
I think my approach is to send 2 payloads. 1 to reset the environment variable and the 2nd with a more traditional payload like a reverse shell. I am just trying to figure out how to set the environment variable via reduce. Any pointers or suggestions are welcomed. I have my exam next week and am trying to get in as much time reading source and testing as possible and I believe this is my last hurdle on this app.
[00:19] Magnus: The breach has been registered on haveibeenpwned, at least the biggest one
there are ~10bn unique records in haveibeenpwned
world+dog is in that breach db
critical infrastructure operators must not be allowed to hack back, but should “be empowered to take necessary, preventative and mitigating action against significant threats.” Under such circumstances, critical infrastructure operators should be given “appropriate immunities to ensure they are not limited by concerns of legal redress for simply protecting their business and the community.”
well at least they're only trying to hack the world in an emergency
rather than trying to ban maths again
are there official rules for creating an encryption algorithm or does anything go as long as you have your own method to decrypt the ciphertext?
Uhhh... Do you mean, like, guidelines?
Don't make your own encryption algorithm for prod unless you are an expert and know how to go through with a proof
@digital moth technically, there is no general oversight body for this, but yeah, a good rule of thumb is to not do it. The ones that are out have been tested and re-tested and then tested again for their security. If you write your own, there is nothing stopping you from using it, but just know, unless you have a background in crypto math, your algo is not going to be secure 😄
security by obscurity has not worked well at all for crypto 😄
unless you have a background in crypto math, your algo is not going to be secure
Even if you do have that background, you're most likely not going to be able to create a secure algorithm by yourself. I don't know of any cryptosystem that has had perfect first proof
That's why peer review exists
@digital moth and i say no oversight only in the sense that you can do whatever you want in your own context, but if you are in AU or EU or Cali (or processing Health or Financial info), there are absolutely monetary reasons not to do that lol
What do you mean by that?
HIPAA and SOX specifically call out the types of encryption one can use and still be compliant ... and if you are caught using anything else via an Audit, you can be fined
and AU and EU (and now Cali) have some similar legislation
its just a small self project nothing major as that
although the USG is trying really, really hard to kill crypto
@digital moth yeah, it's fun to try to implement Caesar cipher and other junk, but just don't plan to use anything for any app that you expect to be close to secure
@regal void keyloggers is not something we're going to help with here
[18:26] j4ng5y: @digital moth technically, there is no general oversight body for this
there are actually several oversight bodies for encryption standards
NIST, for example.
hey ik this question is unusual but somebody did ask this, is the live server extension for vs code safe to use, like it starts the server at port 5500, does it open the port
@lusty flare yes, but not one you HAVE to use to bring crypto to market. You certainly Should though lol
yeah, but they generally set the guidelines for what crypto formats are acceptable.
not that anyone listens to them
🙄
Yeah unfortunately
any python libraries or modules for controlling windows machine remotely?
!rule 5
5. Do not provide or request help on projects that may break laws, breach terms of services, be considered malicious/inappropriate or be for graded coursework/exams.
We can't link you a RAT
@thorn obsidian Whatcha need?
I want to learn how to ethically hack where do I start?
Can anyone help me make a password cracker
5. Do not provide or request help on projects that may break laws, breach terms of services, be considered malicious/inappropriate or be for graded coursework/exams.
how about a wordlist generator
@fading rock that's called a dictionary
im an ethical hacker
Ok, then you should be able to do that already :)
i don't know much python
Then use the language you know. But we can't help due to the rules.
i just know bash
Knowing nothing of you, or your project, I have to assume you want to do malicious things. Go check out cybrary if you want to learn specifics.
ok
lol
@fading rock I would hardly think this falls into the realm of rule 5 (purely POC) but feel free to checkout my repo https://www.github.com/1fge/hashcracker
needs to be updated quite badly but that should be easy enough to understand
Why is it selecting mode for every word? Would be faster to just predetermine hash function
thanks @eternal veldt
i thought people that try to crack passwords all use john the ripper, and that's common knowledge. why would u need to make your own?
i heard that it is possible to crack an aes encrypted container with that tool within a month, even if the password is 20 characters long, with random numbers, symbols, and upper and lower case letters. not sure how true that is as i have yet to see that be done first hand
@tropic bay johntheripper is dead, pentesters use hashcat because it is more updated, a lot more options, what i mean is that it is versatile, it can crack complicated passwords, and you have a point, there is no need to reinvent the wheel
it can crack complicated passwords
@hollow vigil
complicated passwords such as the one i described above? 20 characters long, with random numbers, symbols, and upper and lower case letters.
if so, is it as easy as " me hit button me get password" or is it more like a "i didnt eat sleep and shit for a month and i cracked the password, also i pulled all my hair out during the process"?
again, pure brute force, no social engineering, the dude's got no fb, twitter or any other social media accounts you could follow and look at to give you any clues, and obviously, his password wont be as simple as "mydickismassive123"
no way you can crack an AES container key in a month
if its a dictionary attack and an insecure password thats different
but a straight brute force against AES is implausible
for any normal key length
idk, i am hearing mixed opinions on this subject, some say they can do it in 3 days
so what if u extend the time to 2-3 months, of straight brute forcing, would that be more plausible? let say you hire one of the better pen tester for such tasks
No
Its not plausible at all
like billions of years
dictionary attacks are different, but extremely simple to mitigate
Why AES-128 and not AES-256?
because aes-128 is good enough no?
I'd argue otherwise
When you've got AES-256 why not use it?
performance maybe?
from what i read previously is only worth to do 256 if you are like top secret
maybe i read wrong
I've got my entire disk encrypted and I don't notice a performance issue.. ¯_(ツ)_/¯
but still 128 is very strong correct if i remember, it requires still very much power to crack
If you're encrypting something, it only makes sense to use the strongest you've got.
is it possible with todays computers you think?
Otherwise what's really the point?
Is what possible, cracking AES-128?
yes
Sure it's possible, same with AES-256. But it boils down to password and a few other things.
i think most people feel 128 is maybe more reliable or trusted?
... What?
most people - who?
because wasnt there some reports previously to say 256 is less secure
... No? Not that I've seen. If you can provide them, I'd love to see them.
i dont remember exactly, but i read this before one time
Otherwise it just sounds like FUD
On an unrelated note, I have to go AFK
complicated passwords such as the one i described above? 20 characters long, with random numbers, symbols, and upper and lower case letters.
@tropic bay yes, the founder of hashcat cracked complicated passwords in 2 hours with 8 gtx 1080 ti
That's not AES tho, that's a hashing algorithm I'm sure
dunno, i forgot about it, ive just come across it when i was searching about johntheripper vs hashcat.
Darren chats with EvilMog (Team Hashcat) about Hashcat, the world's fastest and most advanced password recovery tool.
Find out more about Hashcat at https://hashcat.net/hashcat/
"Special thanks to atom, epixoip, purehate, minga, thank you for all that you do." - EvilMog
heres the video mate if anyone is interested
alguien habla español?
@pure saddle This is an English speaking server, as per rule 4. Thank you 👍
what lib do ppl recommend for symmetric encryption? I plan on using a fixed key and manually seeding the IV (by guild ID) so that two messages sent in the same guild with the same content are encrypted the same
@wind fable Have you seen https://cryptography.io/en/latest/ ?
hm that's nice
this looks like a good replacement for the now-abandoned passlib too
https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/ this looks like what i want
passlib most assuredly is not abandoned 😄
https://passlib.readthedocs.io/en/stable/
2020-05-01: Passlib’s public repository has moved to Heptapod!
Due to BitBucket deprecating Mercurial support, Passlib’s public repository and issue tracker has been relocated. It’s now located at https://foss.heptapod.net/python-libs/passlib, and is powered by Heptapod. Hosting is being graciously provided by the people at Octobus and CleverCloud!
oh ho that's news to me thanks
TIL gitlab supports mercurial too
oh it's a fork
nice
@thorn obsidian between ChaCha20 and AES i think i'll go with AES because my IVs are always gonna be exactly 64 bits
Up to you 👍
another question
i'm really only encrypting at rest because discord is asking me to… my database server is on the same machine as my bot so there's no real benefit to keeping the key in the same place as the data it decrypts
is there a better way i should be doing this than just putting the key in my config file?
You can use environment variables or Hashicorp Vault for example
how is that any better
i mean how are env vars any better
those env vars have to be stored at some point. in my case they'd be in my systemd unit file which is in a world-readable place unlike my config file
Are you concerned about someone else accessing these, or is this a question about source control?
config file is not under SCM
So it's more being concerned about an attacker?
the concern is … well who knows, it's discord that cares about end-user data encryption not me
because the way i see it, as long as the application needs access to cleartext, there is no good way to do it
So when you say key, are you talking about a user token ( since you're talking about Discord ), or a static symmetric encryption key?
latter
flow is
bot receives user plaintext message → bot encrypts and stores in database
a uniqueness constraint is used on (guild_id, encrypted_content) which is why i want to use a custom IV
Is any of this presented to the user or is this strictly your setup?
it's completely opaque to the user
i'm currently doing symmetric encryption, but i didn't realize that the lib i use uses a random IV
so my uniqueness constraint is useless
Let me back up, so it's just the messages that are getting encrypted?
Is this to prevent someone from editing a message or some such?
no it's literally just for compliance lol
Ah, gotcha
let me pull up the docs on it
i don't know if they even specify why they want encryption at rest
b. Implement Good Security.
You will use commercially reasonable efforts to protect data collected by your API Client, including PII, from unauthorized access or use. These efforts will include, but are not limited to, encryption of this data at rest. You will promptly report to your users any unauthorized access or use of such information to the extent required by applicable law.
so yeah it's about unauthorized access
that wording implies it's not strictly necessary but when i applied for bot verification they required i do it
So this is a Discord thing they're requiring?
yes
Because you're a partner or some such?
I'm just curious where the requirement comes from
it's a new requirement where people with bots in 100+ guilds are required to "verify" their bot. They have to fill out a questionnaire about what the bot does, how the data is protected, etc and also submit photo ID
Huh, interesting.
Well, you can do it in a couple different ways I suppose
Trying to think of the best way to approach it is the problem
I mean, with it being a Discord bot I imagine you're not opening up any port for it?
Could be just a VPS with discord.py setup
correct, outbound connections only
however, i do have a website set up for the bot as it has an API
Hmm..
it's selfhosted on my friend's hardware, as such the physical security is pretty poor
i probably shouldn't say too much here haha
Yeah, probably not 👀
As long as you don't have any SQLi/CSRF/XSS/etc issues with the API/bot itself, and are focusing strictly on the encryption itself, there's nothing that comes to mind that would be considered "best" for encrypting these things.
I'm not really sure if you'd need to encrypt messages, honestly.
or keep them for an extended period, for that matter
keeping them for an extended period is part of the bot's function
I think joe would be the best person to discuss this with
Though they're AFK/asleep
Replying to @thorn obsidian from https://discordapp.com/channels/267624335836053506/366674035876167691/745131445462237215
👏
Mind you, I don't have a bot in more than a few channels 😄
Yeah, I feel like joe would be the one to discuss this with
joe#6000 ?
Uhhh... lemme check
Yeah, that'd be the one. Though they're AFK and offline currently, so don't expect anything. Also, I'd suggest not PMing them and just posting here about it
i was planning on pinging
Mostly because for sake of transparency and to see what they have to say on the subject
I'm curious myself
i wonder if my best option is FDE
that way i don't have to implement it in each of my bots
@mossy junco
When you've got some time, would like to know what you think about this.
Not sure as to what's required here and don't want to give any wrong recommendations. You seem well equipped for this, after all.
@wind fable Except that does nothing if the machine is on 😄
Sure, but I thought we were talking about attackers?
I mean non-physical
Which is why the concern about leaving the key in the config
if they break in to my bots' shell account it's game over no matter how i slice it
k
@thorn obsidian @wind fable FDE is the option most people have gone with
most people in my situation?
it shows you've taken steps to protect the data
which, at least in the case of GDPR, is all that matters
shit, i've seen companies just do a report to justify why they haven't implemented FDE or other protections and even that can be compliant
I have a python application which is doing requests and there are network sniffers like CharlesProxy or Wireshark. I want to block them by SSL pinning/checking but I have no idea how. Can anyone help me? Would gift a nitro if it works out
me ban
@cloud citrus so you just want to connect only if the site is secure? I guess let me ask what kind of requests they are before I just say "use https:// only" lol
@cloud citrus That's not something we'd be able to discuss here, sorry
This may sound dumb, but how do I make allowing a user to upload and run python code in a docker container “safe”
So they can’t use system commands and fuck up the actual machine
If that’s even possible
I've got my entire disk encrypted and I don't notice a performance issue.. ¯_(ツ)_/¯
@thorn obsidian about that, say you got 2 drives in your computer and you encrypt all of them. you start the os and you decrypt your system drive, are you then gonna have to manually decrypt the other drive?
@tropic bay Depends on how you setup your system. You can have it not prompt for a password if you unlock your system drive.
i see, i assume youre using bit locker?
hi
can someone help me?
```
import random
import string
password = input(int("Enter a 4 digit password:"))
while True:
    tries = ("".join(random.choice(string.digits) for _ in range(4)))
    print(tries)
    if tries == password:
        break
print(f"Your password is {password}")
```
im trying to make a bruteforcer, but i dont know what i did wrong
it said
```
  File "c:\Users\kuant\OneDrive\Desktop\Bruteforcing practice\passwordBruteforcer.py", line 3, in <module>
    password = input(int("Enter a 4 digit password:"))
ValueError: invalid literal for int() with base 10: 'Enter a 4 digit password:'
```
@thorn obsidian you cant apply int() to a string like that, try int(input("Enter a 4 digit password:")) instead.
And you should use int(tries)==password.
@tropic bay Using Bitlocker would be complicated on a Linux system I imagine.
@thorn obsidian Bruteforcers aren't something we can help with here, sorry.
you did input(int(...)) should be int(input(...))
Not really #cybersecurity related. We can go to an off-topic channel though.
hm, maybe i could just pm you?
You could, yeah. Go for it
when i enter a python discord server i feel like people here have brains as big as they can use it as their seat
when i enter a python discord server i feel like people here have brains as big as they can use it as their seat
@lofty geyser thanks! you calling me a big brain?
all ppl are big brain
u need to find out how to use it
-random guy from discord
Hello I want to make app where ordinary people can encrypt data and store data securely. Anyone wanna help me?
I would love to but I don't know how to do it
Me neither
what kind of data, who is supposed to encrypt/decrypt, what does securely mean to you?
if a person is using a Fernet object from the cryptography module (yes i know, never create security stuff yourself) to encrypt and decrypt file bytes, is it possible for an ordinary file (.txt, image, audio, etc. ) to contain bytes that are able to be "decrypted" by the Fernet object? i know that typically if you try decrypting undecipherable bytes, the fernet object will raise an error (normal files typically being undecipherable), but is it possible for an unencrypted file to contain bytes that are able to be decrypted?
@thorn obsidian (going off your discord status) what’s the killer project?
i am currently learning the python basics but how do i learn ethical hacking like web hacking?
with python
tag or pm me
@topaz igloo Web hacking very rarely uses code to achieve its goal, beyond automated tools
Really the only thing I can think of you would use python for in web hacking would be sending malformed packets with scapy
What I just said
like other than web hacking
you can use it to create like buffer overflow attacks and such, but most of the work is going to be outside of python, python is just how you implement the actual attack
If you are interested in learning about web hacking, http://www.dvwa.co.uk/ is a good place to practice
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applicat...
I would disconnect yourself from the internet before running this though tbh
I mean as long as you know what ports are exposed you should be fine.
Assuming no one else has access to your network
Right, yea 😄
hi im new
Then nice to meet you @thorn obsidian
is there any way i can send a request to a https website using socket?
@thorn obsidian I mean, technically that is what is happening all the time, so yes. It would be kind of difficult to do as a beginner though
Better off using urllib3 or requests
does http.client work too?
Sounds like it would
thanks
That assumes that python was compiled with SSL support, but if you just installed the package and didn't compile from source, it will probably work
what does that mean?
Lol, if you don't understand that, don't worry about it :D
i tried to look for how https works using wireshark but there was no activity at all
@brazen seal do you know how requests work?
Like, there was no Wireshark output at all?
yes
Unless you did a filter, that doesn't happen unless you misconfigured it
@thorn obsidian What are you trying to do?
send a request to a https website using socket
Can you elaborate on this?
What kind of request? GET/POST/OPTIONS/HEAD/DELETE/PUT?
get
i want to send a https request to my test website
pip install requests
and then
requests.get('https://your_website.example.com')
Do the pip install inside of a virtual environment, of course
virtual environment?
Yes
Also, not sure if this is on topic for #cybersecurity
what's the best encryption module?
@urban quest Encryption or hashing?
what's hashing again
@thorn obsidian https://virtualenv.pypa.io/en/latest/ for one such example
oh
so it turns it into numbers
I heard about it
why would you use one over the other?
encryption and hashing do pretty much the same thing no?
oh so it would be really easy to decrypt a hash
No?
Encryption would be useful for full disk encryption of a device.
Hashing would be useful for a website to use on passwords.
You also don't decrypt a hash, that's not how that works 😄
To decrypt something, that implies it was encrypted. Which a hash is not encryption.
so
if I understand this correctly, you would hash a password and save it their profile so when they try to login, the password they enter is put through the hash function and tries to match the saved password
Exactly right
Sure
sick thanks for clarification and lib suggestions :)
If I hand you a Caesar Cipher and tell you "It's the best encryption ever!" you'll obviously have a reason to doubt it 😄
No problem, glad to help. Also nice to see someone have that "ah-ha!" moment when it comes to cryptography 👍
hey is there any good resources to learn ethical hacking and security systems ?
Why can't a virus be thrown onto cloud services like Google, Dropbox, etc.? Can a virus partially break a cloud service?
cloud services aren't executing files you upload into them
even if you did manage to get a malicious file in there they have scanners to check for stuff they know about
you'd have to find something that perhaps exploits that scanning behaviour to leverage itself and since the cloud is such a blackbox i don't think it's a realistic attack vector
even if you did manage to get a malicious file in there they have scanners to check for stuff they know about
@lusty flare for example .docx files? Google Drive by default can run and view the content of the docx file
yeah but they're not executing anything afaik
🤔
i might be wrong here, but as far as i understand it your browser downloads it and it's rendered locally
woooww
Why can't a virus be thrown onto cloud services like Google, Dropbox, etc.? Can a virus partially break a cloud service?
@wild dagger It is theoretically possible for there to be an exploitable vulnerability in cloud services such as dropbox. However, the exploits for such services would be highly targeted to just that specific service. https://www.cvedetails.com/vulnerability-list/vendor_id-11159/Dropbox.html There are cves related to dropbox as in almost every other big software.
Security vulnerabilities related to Dropbox : List of vulnerabilities
related to any product of this vendor. Cvss scores, vulnerability details and links to full CVE details and references
i think it is important to make the distinction from virus and from exploit though
a virus is made to infect, to spread. This is one targeted instance, dropbox is not executing, viewing or anything like that. So this limits us significantly in attack surface
the biggest attack surface would probably be to target logging, network capturers, linux kernel, and especially, the actual code used https://opensource.dropbox.com/ https://github.com/dropbox
@wild dagger point being, unless that "virus" is coded in a way that targets exactly to dropbox infrastructure, cloud service wont get affected
not to mention that dropbox definitely stores your files in a sandbox that is segregated from their actual private network and that sandbox would never execute your files in the first place nor really parse them in any exploitable way like in older cve's
thanks everyone❤️
np
ignoring cloud providers, it's not been uncommon that websites with an upload feature have been vulnerable to that type of execution exploit @wild dagger
it's definitely happened before
you're just not likely to see it from the large cloud providers
f.ex iirc Wordpress had a problem with file uploads where you could rename a .php file as a .jpg and get it to execute it
that's some old shit though
i don't expect people are writing stuff like that anymore
well yeah there are bugs in wordpress, python libs, php, perl etc etc that can be leveraged for rce
always going to be
To anyone who wants to use it:
If you'd like to override the connectivity check within Android, feel free to use:
~~http://connectivity-check.netlify.app and ~~
https://connectivity-check.netlify.app
https://malv.in/posts/2018-11-08-self-hosting-the-wifi-connectivity-check-for-android.html
and
https://forum.xda-developers.com/android/general/guide-how-to-avoid-captive-portal-t3927561
both detail how to do so.
If you'd like to do this yourself, specifically within Netlify:
In your _redirect file ( https://docs.netlify.com/routing/redirects/ ), set the following:
/ /index.html 204!
/index.html / 204!
That way when you go to the site, the 204 will just work for HTTP or HTTPS 👍
Edit: Turns out due to https://community.netlify.com/t/security-headers-adding-includesubdomains-and-preload-to-strict-transport-security-header-to-sites-with-default-domain-name/19706, I'll need to come up with a different way to do the HTTP version of this 🤔
You guys use rolling main (default) or last-snapshot repo in your Kali Linux?
I don't use Kali. But it depends if you want more bleeding edge stuff that might be broken, or a more stable experience (I would prefer stable myself)
so last-snapshot it is?
Just leave it default
Do u use Parrot?
I don't need a special OS lol. I just use Fedora
cool
My friend has got this virus - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Program:Win32/Uwasson.A!ml&threatId=251357
In his Original Win 10 Pro and it is fully updated.
I have used all my chops, but I can't remove it neither could Win Defender. Any bright ideas?
@thorn obsidian malwarebytes would be my first try
@thorn obsidian just out of curiousity, how did you find out what virus it was?
i'm asking as i am studying cyber security
Already tried Malware Bytes, does not detect the virus.
Win Defender shows that virus is there but does not remove it @earnest token
I uploaded the compressed file on the Virustotal Scanner.
I told my friend to test the trial versions of some anti virus softwares that detect the virus.
@thorn obsidian When in doubt malware-wise, wipe the system completely and start from scratch.
anyone know where I can get free virus samples for testing?
@thorn obsidian That's not something we do here
!rule 5
5. Do not provide or request help on projects that may break laws, breach terms of services, be considered malicious/inappropriate or be for graded coursework/exams.
“For testing.” How is that breakings laws or malicious
@thorn obsidian
@thorn obsidian Considering how many users are here, it can be used for malicious purposes by at least one of them.
Plus, casually spreading malware around isn't good regardless.
Im literally doing this for school. If someone else wants to spread ransomware, thats them
Just out of curiosity, what tests does one do with malware?
anyone know where I can get free virus samples for testing?
no one is going to distribute viruses here lol
One of my classmates took a cybersecurity class and they installed a specific program given by the instructor on a VM
Bruh thats not what im saying @spice plover
Im working with malware and stuff next year in school so I wanna start early
Can’t you just find malware on the internet it’s pretty easy
Hey can someone send me malware? Im bored and wanna get a load of people infected! not really...
The thing is, that we're really not trying to be jerks about this. Stepping back and seeing how it'd affect the server/users within is where we as staff are.
I don't think you need to install the malware on your computer to learn more about how it works and how to protect people from it.
If someone can use it maliciously, that raises red flags for us. It's about keeping people safe, and that comes first above all else.
You're acting like you're staff when you're just a helper lol
what?
I mean, I am staff though.
Damn someone’s mad lol
helpers are staff.
What is your learning goal here? Maybe we can help you find resources.
Nah im good. Wanted a website where I could find malware samples and everyones acting like I want to go round sending virus’s to everyone
I really dont see the problem
That's not how it works...
everyones acting like I want to go round sending virus’s to everyone
no one even said anything remotely close to this
He even offered to help you find resources
I dont get why @spice plover is so mad lol
He doesn’t look mad to me
Maybe open your eyes then?
^
that's enough
Why don’t you just accept the help that the helper offered
...
!tempban 745412514837430394 2d Quite argumentative and passive-aggressively attacking other members and staff when asking for virus samples and told we cannot help with that. We've very clearly explained that we cannot distribute viruses here in our community, no matter if it's for testing or educational purposes. Be sure to reread our rules and CoC if you decide to return.
:incoming_envelope: :ok_hand: applied ban to @lilac egret until 2020-08-26 04:28 (1 day and 23 hours).
@thorn obsidian I know what registry the virus is in, but it's risky to delete registry and stuff. It is actually something I never learned. I bet that my friend is no hacker, he asked me for help. I am sure he is looking for a less robust solution than just wiping it clean.
@thorn obsidian That's the solution I'd go with, tbh
If you're unsure of all the avenues a specific strain of malware has taken, you'll be unsure if you got everything.
Backing up/wiping/reinstalling, even if it's an OEM install, should take less than 24 hours to be back up and running.
I want to know more about encryption algorithms
u can look at fernet
@broken spruce What type of encryption algos? Symmetric or Asymmetric?
Hope I can share this here, I made a "pwnagotchi" this weekend that "eats" wifi handshakes. It was super fun! Build vid here: https://www.youtube.com/watch?v=2DIPVpcjR1I
The pwnagotchi is an awesome project built for the raspberry pi zero that allows users to capture Wi-Fi handshakes as pcap files. Pwnagotchi is open-source and extensible, meaning developers can modify it and add their own code. Join me as I install and configure pwnagotchi on...
I'm not a bot, so I'm not sure what you're doing.
MD5 isn't encryption, it's hashing
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process /
https://en.wikipedia.org/wiki/AES_implementations /
https://en.wikipedia.org/wiki/AES_instruction_set
as well as https://www.pycryptodome.org/en/latest/src/examples.html#encrypt-data-with-aes
The Advanced Encryption Standard (AES), the symmetric block cipher ratified as a standard by National Institute of Standards and Technology of the United States (NIST), was chosen using a process lasting from 1997 to 2000 that was markedly more open and transparent than its pr...
There are various implementations of the Advanced Encryption Standard, also known as Rijndael.
An Advanced Encryption Standard instruction set is now integrated into many processors. The purpose of the instruction set is to improve the speed (as well as the resistance to side-channel attacks) of applications performing encryption and decryption using Advanced Encrypti...
If that doesn't answer your question for AES, can you describe as to what specifically you need?
Hello all. I have a good understanding of the basics of Python 3 and I want to learn about cyber security. Any recommendations from where to start.
Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or at least reducing the probability of unauthorized/inappropriate acce...
@grand current well ... in cybersec, SANS certs are held in high regard, same with ISC, EC-Council's CEH is like, the cost of entry for a lot of cyber jobs. For generally free learning, I tend to point people towards cybrary.com
The University of Helsinki's free online course, open to everyone, teaching the basics of programming. The course covers the basic ideas of modern programming and, in addition to the tools used in programming, the design of algorithms. Taking part in the course does not require prior...
here @grand current
is it safe to say that you can't just de-obfuscate pyarmor code?
I don't have any pyarmor'ed code, just wondering
Anything can be de-obfuscated with enough time
Confused as to what you're asking, are you curious to the difficulty of de-obfuscating pyarmored code?
A user asked in a help session a while back how to de-obfuscate pyarmored code. I've only really worked on open source data science projects so it's not something that interests me personally.
however I think that user might have been of the impression that de-obfuscation is trivial.
Trivial for who? Trivial for a normal person? Probably not, trivial for someone who works with it, probably yes
Looks like a login of some kind consisting of a username/password
How do I get a GCKey?
To register for a GCKey, go to the sign in page and click the “Continue to GCKey” button.
Then, choose a user name and a password. It’ll ask you to create security questions. Keep a copy of this in a safe place in case you forget.
https://www.cic.gc.ca/english/helpcentre/answer.asp?qnum=796&top=23
So it's less of a key like in encryption, and more just a name.
That’s what I assumed ya, just wondering if anyone knew what it specifically was
Yes
With a DB you can at least encrypt everything
Unless you're symmetrically encrypting your CSV or something, they're hardly the same levels of security
What, If all data is encrypted then there it doesnt matter
Oh nvm read original wrong
Well i guess it kinda depends on what hashing u use for passwords
I am of the opinion that, just because you know how to use the csv module, that doesn't make it a replacement for a real database (I also challenge that sqlite3 is easier to use than csv lol), that being said, csv is not the most secure or performant method, but it'll work.
Tbfh redis is probably the easiest
Yeah, it's so hard to persist redis correctly though
And you WILL have data loss because that is usually a scheduled process
Not saying it'd be a lot of loss if you do it correctly, but loss nonetheless
what would be the best approach to go on about changing static server responses into dynamic ones so that people can't tamper with the responses to get access into the app?
trying to figure out a way to get the server to send the response "randomly" while also being able to validate it on the client somehow
Can you provide some more details? What type of responses are these?
rn the responses are basic {"status": "Success"} responses when logins are successful
which can be tampered with easily
by editing the response
So your worry is a MITM attack?
basically, yes
I mean, you should have certs and whatnot to prevent that from happening, with that said - how could the responses be tampered with in order to accomplish something malicious?
my app makes an HTTP call to validate user's credentials, the server then responds with a static response with something like fiddler you can easily hang the HTTP call and change the response
which is why i am looking for a dynamic response solution
HTTP call to validate user's credentials
Meaning creds aren't going over SSL...?
they are, my bad
the problem is with the response part
since its all static, if someone finds out what the static response is for successful logins they can just edit the call with that response
So you're worried that someone gets a MITM, imitates the server, and captures creds to return a 200?
yes
You shouldn't be trying to return obfuscated / changing responses, IMO.
If this is all being done over SSL, there are much better ways to ensure the authenticity of the server
if you can give me examples or just point me in the right direction that would help a lot
The answer to this question might be what you're looking for
I'd explain myself, but I'm a bit short on time right now, apologies
no worries, thanks
Happy to help 👍
@primal ibex the post mentions how its not possible for 3rd party attackers to decrypt the info getting sent to the client
in my case
the client itself is tampering with the data
@errant heath he means that if you use a bad hashing algorithm, not encrypting it is very bad
client sends login info to the server --> server validates it and based on that returns a response with the status, the client can just use any tampering software to edit the response correct?
#python-discussion what's happening there then?
@pure wagon accidental @/everyone ping
I think it's a great example as to why you don't use sudo account all the time
@thorn obsidian well, yes, but most auth mechanisms use some kind of cookie or session token that the server would invalidate. So even the client manipulating it wouldn't cause harm because the server sends back an unauthorized
well, my app uses that response to decide whether or not to start the program
if they tamper with the response they will gain access
no server verification after that
@thorn obsidian I would suggest you add a session token that is generated by the server and has to be used and revalidated on client comms then
It's not usually an overly complex middleware to write
@errant heath there are many lol, but even the best are technically breakable given enough time.
And if I heard a website I was using csv for auth, I for sure would not/quit using it
But yeah, I tend to use salted sha512
i can't quite grasp the concept yet, (if you can) can you just briefly run me down how its going to go from start to end @brazen seal
@thorn obsidian
1. Client request to server
2. Server sends back an auth request with a session token that it stores
3. Client provides auth info along with session token
4. Server validates auth
4a. If auth is good, session token is used in every comm forward for the session
4b. If auth is no good, server invalidates the token --- if that token (or no token) is used, then the server just responds with UNAUTHORIZED response codes
problem is, the app doesn't depend on API calls going back and forth
if they can run the app that's it
that's why i thought of making the response dynamic
so that they can't tamper with it
Session tokens do make it dynamic, but those aren't all separate api calls, that is just session setup and auth
I don't know what your app is doing though, so ¯_(ツ)_/¯
@errant heath
I'm making a website that requires a login. Would it be a security problem to use a csv file to store hashed passwords and emails instead of a database?
Using a proper database ( Not SQLite, more like PostgreSQL, MySQL, etc ) is much better. If you're using a CSV file, you might as well use Python dictionaries. Which, is also a horrible idea.
What is python security used for
Sorry I’m mainly discord.py and basic python,
But looking to expand my knowledge
@pure wagon @sturdy cairn This is off-topic for #cybersecurity, did you mean to use one of the off-topic channels?
@sharp storm Can you elaborate?
@sharp storm Can you elaborate?
@thorn obsidian
What is this channel for? Coding security platforms?
Check the topic
Ah thx
@errant heath Also, hashing-wise, check out Argon2 and passlib in general: https://passlib.readthedocs.io/en/stable/
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html
@thorn obsidian were they not locked?
@sturdy cairn That doesn't mean you post in an unrelated channel
Bruv, sry I'm new,
@pure wagon No problem at all, just letting you folks know. Not trying to come off as a jerk. 😄
Ok thanks
@errant heath If you have other questions, I'd be glad to answer them if I can.
sorry to ask the same question again but i still cannot find a solution to my problem
when users input their credentials my app send over that info to the server to check if they exist in a DB then send back a static response with the status that will decide whether or not the app should run, since the response is static i am afraid anyone can just spoof it someone suggested i use some sort of session mechanism but my app doesn't rely on api calls, if they can spoof the response from the login server response they will gain access to the app
all i can think of is figuring out a way to make the response dynamic while also being able to validate it on the client to start the app
i am also open for any other solutions
thanks in advance
Well the issue here is that you are giving the client your app before the credentials are checked
Can you give more detail about what you are trying to do
Exactly what information you want to keep private, for instance (keep away from unauthenticated users)
@thorn obsidian Why is the response static? You should be using cookies or some such for authentication.
Though, if this is an application, what is the application for?
Because there are many instances where people should have to login - i.e, Spotify.
Though there are many services where people shouldn't have to login or have a login at all, like a notes app or some such.
So you'll need to provide more information of your application.
my app is a desktop python app (not the greatest for desktop apps i am aware) that people can purchase externally and their data would be stored automatically in a database, what i need the app to do is ask for the credentials send them to the server and validate the server response on the client to start the app
if the response is static it can be spoofed quite easily
Okay so it doesn't really matter if users can see the app without logging in because without credentials, it won't work, right
They need credentials for requests to routes that modify the database and stuff
So as long as you require auth for the important routes, checking if they are logged in on the client is fine
Am I misunderstanding what you are doing?
Are you trying to charge for a singleplayer game or something?
thats the thing, my app doesn't use any API calls so if they manage to spoof the response they can use the app without any hiccups
I see
Basically, your app just can't include the actual source
Until you verify their credentials
You could obviously do some crypto thing, but that's not a good idea
its all about the verification process, idk how to get it to have a dynamic response so it can't be spoofed and idk of any other solutions either
You could make an installer app
That sends a request to your server with credentials
Then your server decides whether to send the app itself
The installer app can be a desktop app or a web app
It can also be part of the portal in which they purchase the app
wouldn't it be better if i validate it inside the app itself though? people can just send the files around if 1 person downloads it
No because if they have the app itself, they have the thing you're selling
And after reversing it, they can bypass the verification
No matter what, they can send it around
At some point, the code of your app must be run; at that point, no matter what you do, the owner of the hardware can get it out
the way i am understanding this is that, if we use the installer method and someone goes through with the credentials validation process they now have the files that have 0 authentication on them, if we were to use the dynamic response method though they can't spoof the response, so even if the files get shared around they can't get access. (this is just where i am at rn, i might be completely wrong)
Right but no matter what you do
Someone who purchases the app will be able to get a version of it that runs without auth
There is no way to prevent it
Someone who purchases the app will be able to get a version of it that runs without auth
@uncut hill how is that possible?
Well the app must be run at some point by someone who purchases it
If the computer knows what it's running, the user knows what it's running--or can find out
No matter what you do, you cannot prevent this--it's currently impossible
but if the auth is in the app itself, everytime it starts, they can't just disable that, can they?
They can
They can just disassemble it, take it out, and recompile
Im using these words loosely
Putting the auth stuff into the application has some advantages and disadvantages
If you put the auth stuff externally, at least one person has to buy it before there's a cracked copy
If you put it internally, nobody has to buy it at all
But it requires a bit more skill to take the auth out
yeah i think leaving it internally would work best for me, i think its safe to say most people won't take them/are able to disassemble an app just to take the auth out
i still have to figure out a way to get the response to be dynamic
You have a server that had a db with the people who purchased it right
When they log in, generate a token and put that token in the db
So they don't have to log in again
Don't worry about the token stuff if you're okay with requiring login each time they run it
yeah i was thinking of generating a token and only prompting relogging in if the HWID changes
but what should the response be if they are valid
this just keeps going back to my point of static responses
@thorn obsidian Okay, wow. There's a lot that you've said and there's a lot of issues I'm seeing.
So, having anything authentication-wise being static is a horrible idea
I imagine your program has a way for the user(s) to send a "Forgot a password" e-mail, yes?
Regardless of if the user exists within the database or not, you need to not make this an easy way for people to bruteforce usernames/e-mails
So whether they exist or not, the response right after inserting their username/e-mail should be the same. "A forgot password e-mail has been sent!"
The e-mail is the only thing that should be different. If it doesn't exist, let them know someone tried to use the e-mail. If it wasn't them, tell them they can sign up if they'd like. Otherwise, ignore the e-mail
Now, authentication-wise, what's your backend look like? Flask? Django? Something else?
Flask yes
Alright, so you're saying you don't have an API. Is this something you're planning on/open to?
well there is an API for logging in etc
i was just mentioning that after the login
the app doesn't use any other API calls
rn the login mechanism just checks if the credentials are valid and exist in the DB and return a static response which is bad
i am trying to make it dynamic while also being able to validate it on the client
Have you looked at https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-i-hello-world?
There are some issues in the tutorial, such as the logout being a GET request as opposed to a POST request with a CSRF token, but for the most part it's good
That should be able to help you with the login/authentication stuff
the login/authentication is all done inside the app, i can't really just render a page when the login is valid i need to send the client some response to let the application start
that article is still really good though, will help out with other things
@thorn obsidian
I mean, you could though. Have the client be the least amount of code possible and then have everything done on your site through the client
That make sense?
Are you sure you understand what this person is trying to do
@uncut hill I do
I'm also trying to assist as much as I can without knowing very much about their specific application
Fairly complicated when I don't have the source code, after all.
i think its much simpler if the login is done inside the app itself
doing it externally seems redundant
and doesn't make much of a difference
What do you mean by done inside the app itself?
alright so
you launch the app, it asks for your login credentials
sends that to the server
the server then replies with the response
based on that response
the app will start/exit
my problem rn is the response is static which makes it very vulnerable
thats about it
Which is why I was under the impression that there was a mechanism to send a Forgot password? link. Security is far deeper than "How do I do this one single thing?"
Did you look at Miguel Grinberg's Flask Mega Tutorial that I linked above? It details an API via Flask, as well as login.
it doesn't solve my problem though
in that article the backend prompts a page when the login is successful
Sure, what's wrong with that?
i need the backend to send a response back so that the client can use it to start the app (this app is a desktop python app, not a website)
I think the design of your application is wrong
It sounds like you have all of the bits of your application locally, and you're just waiting on an OK from the backend to allow your client's use, which isn't the right way of doing it.
Which could trivially be edited out.
any better alternatives?
Don't do that, first off. You want to have as much as you can on the backend
So if someone happens to override anything in your client, they don't get anything because it's behind a login
Which again, is why you need to harden against any kind of bruteforcing. Whether that's in your Forgot password? option(s) or actual login. Setting up a captcha for both is a good idea too.
Probably not what you want to hear, but from what I know so far about your application ( which, isn't too much honestly ), it's just a bunch of text-based data and nothing like a CAD program or heavily dependent on graphics/animations.
its a utility tool you could say
how can i setup all those on the backend while also communicating with the actual app running?
Well, there isn't a lot more help I can give unless I know more about the application.
If you have a Github repo or something you can invite me to, I can give some better recommendations. But until then, I can't exactly give very precise options here.
What?
Bro what are you talking about
NotEchoBot has a desktop application they want to sell
Sure, I got that.
First of all
There is fundamentally no way to prevent someone from sharing the app itself
This is the problem they are trying to solve
Which is precisely as to why you put as much as you can on a backend.
There are basically two options
Which is what I've brought up already.
No but you don't do random unnecessary calculation on the backend
That would be like if minecraft did singleplayer calculation on the backend
Minecraft singleplayer works entirely on the client
No they have two separate programs
They have a web app with a backend and a db
And a client-side application
@thorn obsidian
Which, the client-side application requires a login, yes?
Not necessarily
Basically, there are two options
Their options are to
- have the login on a web page to download the app
- have the login inside the app
Having the login inside the app is one of the options this person can choose
Why would you take a desktop application that works offline and put some of it on your server
Like I get that that makes monetizing easier, but nobody does that
There's plenty of people that do that
For example, when you use visualstudio, you can totally bypass the login and have the app work by itself
Microsoft does not move random parts of visualstudio to the server
Just because they want to charge for it
They use the fact that modifying it is 1. illegal and 2. has some barrier of skill
Either way, there isn't enough that is known about this program.
Can you name an example application that would work perfectly fine offline but had parts of it moved to the backend to make monetization easier?
Once you move that stuff to the backend, you are no longer selling an application—you are selling a service
If I knew more about what this program does, I'd be in a better position to help. But it feels like we're leering closer to an XY problem - https://xyproblem.netlify.app
This is literally not
We have sufficient information
- there is a program this person made that functions offline
- they want to charge for it
- they currently have infrastructure for a web app w/ login
If this person wants to charge for the application, the question of how to prevent sharing is a pertinent one
Alright, so what's your recommendation?
I already stated the two options and their pros and cons
The model that is used most is charging for the application on some web page and letting you download it after logging in
The issue with this is that it is very easy to distribute the application after you buy it
Sure
There are ways to mitigate that, but there is nothing that prevents it fully
Sure there is
There is nothing that prevents it fully if they want to sell an application and not a service
You seem to have it pretty well solved, so I'm gonna step away from this.
I don't; I have two options
Have a good one 👋
Anyway, the second option that I explained earlier is to put the login in the application
This makes it so you can have access to the application without purchasing it
But the barrier of doing so is reasonably higher
Is there anything you need help with in doing that
yes server responses
Are you using flask?
yes i am
Basically, you just want to set up some api route that takes a username password and gives a token
And maybe a route that takes a token and says if it's valid
so when how do i validate the response on the client to finally start the app?
Well what you can do is first have the app post the token to the server and see if it's valid
If there's no token, you prompt login
If login succeeds, you save the token and start the app
I actually don't think this is the best option to be honest
the login succeeds part is where i am stuck
true but I don't have a lot
to work with
if the token is valid, what should the server return?
It depends how you want to do it
You have a lot of freedom here
It could give json, for example
anything thats not static
yeah but thats static, it can be spoofed
i am trying to find a way to make the response random from the server while also being able to validate it
What?
You're not gonna be able to prevent this stuff
Like can I explain what I would do in your situation
sure
It's not perfect but
On the web app, you give them a license key
The app saves the license key
If the app can connect to the internet, it checks the license
If it can't, it just starts
the app needs internet to operate anyway so thats not an issue
wait what is the app
idk how to describe it but a utility app that can automate a bunch of tasks + other stuff
okay sure
basically you can do something like
make it so whenever the utility app is connected to the internet, it occasionally checks with your server if the license is correct
that way, if you stop checking licenses, the people who bought the app can still use it
the periodical checks are a good idea
Like that's basically preventing low skill attacks
true
Disconnecting from internet and then turning internet back on after the app starts
This does not prevent stuff like blocking requests to your server and stuff
But I think this is the best you can do
so you think it would be better to just leave it static as is and periodically check?
Yes
making it dynamic will make it much harder to spoof but i have no clue where to start so
There's no point
If the request to your server fails, I would treat it as a true response
Since you will eventually stop hosting the backend
And you don't want to break it for everyone who bought it
- request fails: OK
- request gives valid response: OK
- request gives invalid response: user has invalid token
Yeah
Wait, what? No. No no no no no.
Why would the request failing give you an OK?
All I would need to do is block the DNS request to your site with something like Pi-Hole and the license would come off as genuine
That's a horrible recommendation
Yeah that's true
I literally said that BTW
I'm saying you should do that because you are not charging people for a service; you are charging them for software
If you get tired of this or run out of money and you kill the server, you leave a bunch of people with dysfunctional software
If the request to your server fails, I would treat it as a true response
Since you will eventually stop hosting the backend
If you ever plan on not hosting the backend, you can push out a final version so that there isn't a license check or really a backend at all. You can have everything strictly local.
But saying "You should make your software insecure because eventually you'll give up on it" is.. wrong.
It's gonna be insecure anyway
Why would it?
How does that make the program insecure?
Because anyone could still use it without paying?
It's insecure in the same way that letting it succeed on request failure is
People can do stuff to use it without paying
@thorn obsidian If you'd like someone to take a deep look at your program and properly set it up, feel free to ping me. This back/forth of "You should do this" and "You should do that", without actually knowing what it looks like is being optimistic at best.
What?
Do you not agree with what I'm saying?
Like you can totally force request success for the use of the app
That is a design choice you can make
@uncut hill I think there are better ways of going about helping this individual, tbh
I literally gave a perfectly reasonable solution
Do you see a problem with the license key approach?
I'm not here to debate that with you
I'd just like to see them get the assistance they need
The specifics of what to do when a request fails depend on what they want to do with it
I agree that it could be better to only allow successes
If there are things that you think are problematic with this approach, just bring them up
Also, I forgot to mention a thing lol
@thorn obsidian You can also do some stuff to check if multiple people are using the same license key (token)—for example, if you receive repeated requests from different IPs, you know that multiple instances are used
Not necessarily. Someone could be using a VPN or have a different IP.
People move, go to friend's/family
Multiple instances at once
That's why I said repeated requests
If you see an IP change, it could obviously be them switching networks
Getting alternating requests from two different IPs, though...
Depends on how they have it set up. If I buy a license of your program, how many installations can I have at once? Is this something that's been thought of?
What if I install it on two separate computers and one has a VPN/proxy/etc?
The exact implementation of this depends on how many installations they allow
Obviously, if you have two computers in the same network (say, siblings), this wont work
But there really isn't a better option
Oh, there is.
Unless you want to prevent people from running double instances on the same computer
Which seems stupid
This is why I offered them assistance. Coming up with a bunch of basic recommendations without source code is just that, basic recommendations.
🙄
They provide a reasonable starting point, leaving the specifics of implementation for them to do
And I am sure they are perfectly capable of doing so
I personally do not assume stupid until proven otherwise
Was completely unaware anyone was being called stupid here, which is incredibly rude and disrespectful.
It's highly strange that you specifically said
I personally do not assume stupid until proven otherwise
if this wasn't the case.
Considering that you recommended that if their client can't connect, to just accept the license key, you can understand my doubt that you have their best in mind.
I said that because you're saying crap to me like
Not necessarily. Someone could be using a VPN or have a different IP.
Sure, which is a legitimate thing. How's that wrong?
Because I obviously know that?
Because any sane person would know that
Also, my recommendation came with an explanation of the costs.
I explained that someone blocking requests to the server was a real possibility
I was clearly not ignorant of it
no reason to keep going on about this, i now have a pretty good idea of what i am going to do. also, i think I'll log IPs and HWIDs then look at them manually rather than risking false positives
Cool, sounds good!
thank you both
My offer is still available if you want to take it in the future 👍
I wish you good luck on the project and hope to see what you come up with
will definitely keep it in mind
thanks
You're welcome, have a good rest of your day/night
you too
anyone can help me with python RSA cryptography?
well, I'm using the cryptography module
but how can I verify public and private keys?
this the code
wut? AES isn't comparing public and private keys?
jasdfkj, is RSA, wrong name
well, this is the code using RSA cryptography
this generates public and private keys with the message
but I don't know how to compare these 2 files like
the private_key is encoded with the username
how to verify these keys?
No worries, glad you solved it 👍
hello do you guys have any pen testing tips for kali linux users
What kind of tips 
Can't really say much about such things since other people in this server could have malicious intentions
ok another question
i fixed the encryption/decryption of RSA
but, i want to give users the ability to add an encryption to the private key file
but the point is
i want to check if the private key has a password or not
and if it has, execute another way, the way of asking for password
an example:
def login():
    opnPassLog = input("Digite sua senha de criptografia: ")
    passL = input("Digite sua senha: ")
    with open(".rsa/private_key.pem", "rb") as key_file:
        if key_file.serialization.password == None:  # The main point of the question: how do I check if the file has a password?
            print("F")
        private_key = serialization.load_pem_private_key(
            key_file.read(),
            password=opnPassLog.encode(),
            backend=default_backend()
        )
I'd just encrypt with AES and let the user tell the program if it's encrypted or not
hello everyone, I have a very simple kivy app that takes in user input to questions (some basic measurements of wildlife). I'd like this information to be sent to my SQL server.
I am new to all of this but I believe that a direct connection is a no no? So I need an API which I have no idea about. If you have any resources which will help me understand the Kivy-API-database relationship I'd be very grateful. Googling has led me nowhere on this one.
you need a backend server running
you can use a framework like flask/django
to route requests getting sent to your server then use that data to add it to your database for example
Ok I see, I'm assuming I can have the API and the database running on the same server? Then the kivy app sends requests to the API and the API posts that into the SQL database?
If this is all correct then I guess I just need to learn about flask.
yes, you are indeed correct
flask is fairly straightforward
there are a ton of tutorials on it too
good luck
@acoustic brook What package are you using to work with private keys? Also, don't use == None to check for None. is None or is not None is better. https://stackoverflow.com/questions/3257919/what-is-the-difference-between-is-none-and-none
thanks a lot @midnight rose
anytime
@thorn obsidian "cryptography" package
can anyone give me an encrypted message by RSA method and the public keys please? I create a program to crack it ._.
lol
My life is so cool
(No)
Please @cold palmng me because else I don’t wanna read the message
(Btw I’m french)
Uhh
If n is reasonably large this is infeasible
@thorn obsidian how big do you want the modulus
@uncut hill How long does it usually take? 🤔
it usually takes impractically long
a normal person will never be able to break 1024 RSA (the lowest)
unless they have a nonexistent quantum computer, of course
Either around a thousand years with all the computing power of the world iirc, or a 1024-qubit cpu which will cost you all the money of the world
Pick your poison I guess
Hello. Can someone recommend me a place from where I can start studying ethical hacking?
Let's not talk about RSA bruteforcing anyway, rule 5 is a thing
Same for ethical hacking, I'm sorry but that's against rule 5
Isn't ethical (white hat) hacking legal?
I don't think it is, but we have no way of being 100% sure that you won't do anything illegal with this knowledge
I understand. I guess I will have to search/ask elsewhere
@thorn obsidian how big do you want the modulus
@uncut hill like you want
An easy key and another one more difficult to crack
and for each, a message from you, and another that says: "Key successfuly cracked"
what?
this is literally impossible
if i give a typical 1024 bit rsa key you will never be able to
and who isn't using 4096 bits by now anyway
besides, it's easy enough to generate your own keys and encrypt something to test your program
not sure why one of us doing it would make a difference
I mean... if you really want
n: 22266616657574989868109324252160663470925207690694094953312891282341426880506924648525181014287214350136557941201445475540830225059514652125310445352175047408966028497316806142156338927162621004774769949534239479839334209147097793526879762417526445739552772039876568156469224491682030314994880247983332964121759307658270083947005466578077153185206199759569902810832114058818478518470715726064960617482910172035743003538122402440142861494899725720505181663738931151677884218457824676140190841393217857683627886497104915390385283364971133316672332846071665082777884028170668140862010444247560019193505999704028222347577
e: 65537
ct1: 6066156098568235467519633017464861842296703727604976419070731002802227538531193147555192662610987951370595969982846186298164460592559836241426372582467465522670825449349314380285956527013887536260154270390581398072509493737393900703247905047483082425808140821135610367615504535162389717744856699947373489285080529904621731314226449899201271121206194970574572513203080004784872339438937311642450928736477519992230219485831006910817374762728091686497787928003781481769427188938733485602941208904376895346138132048014422190819547315054788322112819840086034299080131364079552612155651542071920922326579792574184429657181
ct2: 18724220027602129248226562398219463549254317193069741400361736609765697615424946685603558395071527608509950626976243726789429492358476453276020947636298089165072976168189868686567558351638078751634511888527829666228736983392546729824063362868138436010081484888948397900461981314368457777843897391209441367228613478462330699808587411842786456936379298390209520337014665335504648957218931150638626685772104688554204659294363364674436003042538481747566368299989928877630024003601274277661173636736357241282517179396580810340072764606744368030330865486648276890274037292313266500127182532386499130023420359484552029199307
@thorn obsidian
ciphertext 1 and ciphertext 2
the second one is "Key successfuly cracked" or something
dude if you crack the key you'd be getting a friggin career for being super duper smart.
maybe the primes i chose happen to be in the prime number database
Yeah I know lol
someone try rsactftool
maybe the primes i chose happen to be in the prime number database
@uncut hill they are necessarily there
But to crack it I'm not using the divide method
Because it's too long
I use another :]
Found by myself
seems legit
¬_¬
I don’t wanna reveal it lol

