#cybersecurity

nvm

i mean yeah if you're doing legit portscanning then use nmap

but no one who is doing legitimate portscanning needs an api to anonymise them

Just curious besides peepdf, is there a way to take out all js in a pdf?

might be able to use something like pypdf4

say that you cannot hack website or you go to jail then nobody hack website iq 1000

wonderful contribution

Morning

Thank you for the tip @bisk I will check it out

On a GitHub Repo, only your added collaborators can push and pull code

Is that what you are asking?

what's the git server

and do you have authentication disabled somehow

Hey guys

I am trying to use John the Ripper to crack a simple hash I generated

But I need the executable

All help is appreciated

what

have you downloaded it then

kali comes with jtr by default

type which john into the terminal

which languages are a must for data security?

@fading plaza nothing happened

You mean the normal terminal right?

yes

How long of an RSA key is considered secure these days?

5v maybe @neat rampart

5v?

2048 at least

4096 for extra security

thanks

so i got an issue rn basically its a discord bot that gathers messages from users and stores them in a list, problem is if a user decides to put code in the list instead of a normal word (like sql injection) the command will be ran from the list when i use the eval() function, here is my simplified example

equations = ["os.system('tasklist')"]
for equation in range(0, len(equations)):
    eval(equations[equation])```
 anyone know a way around this so cmds aren't ran from a list just @ me thanks

why are you

what

firstly why are they called equations

secondly why not do for equation in equations

thirdly why are you doing this at all

tldr: don't use eval on user input

@thorn obsidian

@woven gazelle its supposed to be a discord bot that people put equations in the chat and after everyone puts their equation in it adds them all up and spits back the answer

i figured out a good way to do it anyway

what is it

https://gyazo.com/3346b5d72126bfd14c8b6567f6911358

right

and what's the code

listen

you dont use eval as a fucking calculator

thats just asking for a rce

(never trust user input)

(like, ever)

__import__("os").system("ls")

thats literally all it takes

and dont try to sanitize inputs to eval either

once an attacker gets access to os, your system is literally dead

@thorn obsidian ^

talking about sanitizing inputs in Python for eval, there was a conference about creating a language-level sandbox (basically what you want), and why it's inefficient: http://web.mit.edu/jesstess/www/pytennessee_sandbox.pdf

@fading plaza got another idea on how i could do it without using eval()?

https://levelup.gitconnected.com/3-ways-to-write-a-calculator-in-python-61642f2e4a9a

approach #3

@fading plaza ty, I knew about rce attacks prior to this just never that eval() had so many security flaws within it lol

Well it doesn't have security flaws

It lets you run arbitrary code by design

well it just leaves the gap open for attackers

is what i mean

Ye

Would be nice to have a more sandboxed eval

But there are a lot of problems with the idea

yeah thats what i was thinking but you could still access any class right?

Well the first thing that jumps out to me is that you would have to restrict imports

right but there will always be a way around that

sandboxing eval is basically impossible

if you block imports, there are still bypasses

ex: [].__class__.mro()[1].__subclasses__()[132].close.__globals__["system"]("ls")

Anyone know eval() vs exec()?

It's probably a simple question... I'm just bad at theory

eval is for expressions and it returns the value of the expr

exec is for statements and it always returns None

so exec("x = 2;print(x)") prints 2 but eval("x = 2;print(x)") errors

eval can be seen as lambda

So eval executes code (makes x = 2) but doesn't return?

If so, then what is the purpose of using eval over exec?

exec executes the code and returns nothing eval returns whatever happens in the string (just like lambda)... eval('{1:2}') would return the dictionary object, exec('{1:2}') would create the dictionary object but it wouldn't return it

Just like (lambda: {1:2})() would retuen thw dictionary object

So then why would you ever use exec over eval? Does it save time? Security concerns?

exec doesn't have the same restrictions as lambda

I mean if you wanted to execute code, why would you ever think of using exec when you can just use eval?

Imagine you want to execute code from a string (think of python bots eval command) and don't need to return anything and just want to execute code with no restrictions

So eval has restrictions?

Yes

code = """
def foo():
    print('bar')
foo()
"""
eval(code) # syntax error
exec(code) # works

If you want a better understanding of the restrictions you should look at lambda

But isn't lambda a one-line function?

Yes

So...

it's restrictions are just having one line...

Right?

Well lambda: def foo(): print('bar') wouldnt be valid either so lambda restrictions aren't simply having to be one line

Yeah true...

Cause a lambda is a function in itself, so...

You can't define a function in it

So... then why use eval() instead of lambda?

You can indeed define an lambda in an lambda

I meant you can't print inside a lambda

Oops

You can

Wait...

lambda: x = "foo" is also invalid

Wait I thought you can only return things inside a lambda, and printing is invalid

You can call functions and the value of what that function returns will be returned by the lambda

Well lambda: def foo(): print('bar') wouldnt be valid either so lambda restrictions aren't simply having to be one line
@trail mauve Wait so then what's the problem?

It's just a restriction of lambda

You can't create a function without using lambda inside if an lambda

But you can call one

eval can return values

exec can't

someone knows how to decrypt the file with the chrome passwords? (AppData\Local\Google\Chrome\User Data\Default and it's the Login Data file.)

That doesn't sound sketchy at all

why though

What do you call it when a hashing algorithm is guaranteed to have a unique output for each input within a given range?

I don't know if I understand the question, could you rephrase it a bit?

@fluid verge suppose you want to have a hashing algorithm that is only designed for integers from 0 to 100

Whether or not one chooses to try to hash something outside that range doesn't matter

And there can't be any collisions for numbers in that range.

so if you got h your hash function, x, y two inputs, you want to have x != y => h(x) != h(y)? Is that the property you are looking for?

in which case, h is injective/ an injection

@fluid verge yes, that sounds right

Hi everyone! I hope someone can help me with this error message:

xmlsec binary not found: /usr/local/bin/xmlsec1

This is in my settings.py file: XMLSEC_BINARY_PATH = '/usr/local/bin/xmlsec1'
I installed xmlsec1 on my mac by using: brew install libffi libxmlsec1
So I don't understand why it is not being taken into account. When typing 'which xmlsec1' in the terminal I get: /usr/local/bin/xmlsec1

Any help would be highly appreciated as I have been stuck on this for a while. Please let me know if I am missing any info. Thanks in advance!

morning

Hello!, i'm building an app that allows my user to register with a username and password, i store these as plaintext in my sqlite3 database, but i recently learned its a big nono, so i looked up how it should be done, i can either encrypt the passwords, or the database itself, i'm hoping to do the latter, but the documentation is confusing to a beginner like me, everything works i just need to encrypt and decrypt my database when my app uses it, any help would be appreciated.

not encrypt, hash

you don't encrypt and decrypt passwords you hash and salt them when storing and checking them

so that it's basically impossible to get the original password back again

ah thanks i'll read into hashing and salting a bit

where can i start data security from

hi?

hello @kindred pollen

hi @stray ore

can u tell me about some sources where i can start data security from
(i don't know anything atm)

@kindred pollen Im sure there are lots of angles/resources to that. One item I am dealing with currently is Amazon's "Well Architected Framework". Specifically their "Security Pillar" is a solid place to start and spider out.

https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf

thx

hi. i want to encrypt my data with my custom encryption. how can i split string input one by one?

i mean seperate all input one by one

If you want to securely encrypt your data, you don't use a custom encryption, as you can't be sure it is not deeply flawed. A custom implementation maybe, but not a custom encryption system

well what can i do to encrpyt my input

does python have a library for that?

depends what your input is

just a single string

block cipher?

for network like programs

messaging etc

block cipher or flow cipher, because they are really not the same

are they library?

I'm not sure, and I don't think so, but it wholly depends on what encryption system you want to use

i dont need a strong encrpytion method. i dont planning to do public online messaging program

If you have a block cipher, you need to separate your inputs into blocks of the correct size, in which case you can just iterate over blocks of your_string[k*block_size:(k+1)*block_size]

If you have a cipher like RSA, you transform your message into an integer, and cipher it whole, so it's not a problem

how can i transform characters to integer.

python will print an error

If you have a Cesar-like cipher, you need to work letter by letter

ord('A') will give the Unicode code-point of A. You can couple it with chr, which given a Unicode code-point will give you the character

i got it

so you mean i can get unicode of my input with ord()

It only works with single characters

you mean i still need to seperate my input one by one

to convert to unicode

Well just iterate over characters

what do you mean "separate your input one by one"?

input: "aaaaaa"

i need to seperate it like "a a a a a a"

and transfer them to a list

["a", "a", "a", "a", "a", "a",]

can i convert them to unicode by doing this

if you only need the list: list("aaaaa") == ['a', 'a', 'a', 'a', 'a']

Also, [ord(char) for char in "abcdef"] == [97, 98, 99, 100, 101, 102]

can ord() deconvert unicode?

[chr(x) for x in (97, 98, 99, 100, 101, 102)] == ['a', 'b', 'c', 'd', 'e', 'f']

and finally, if you have a list of strings that you want to turn into a single string, you can do "".join(your_list)

ok

i will try it

welcome

hi, i’m not sure to post this so i hope here is ok, i’ve been trying to convert a .py file into a .exe file using pyinstaller but it comes up with an error when i try to run the .exe file saying “ModuleNotFound error”. i used pyautogui and time modules so i’m guessing it’s the pyautogui module that’s causing the problem. what can i do to fix this?

which module isnt found

does it say

no it doesn’t

hi

Hi

So, is there a place where people can have like a 1 v 1? One of them are randomly assigned red team and the other blue team and then the attacker writes their program and the other guy/gal builds a defense? Or they could both be doing an offensive attack on the same system (not working together though) and whoever hacks in first wins? I guess a third option is who could successfully defend against the same attack.

hmmm

tryhackme koth?

a bunch of people try to root the same machine

to become king

and you need to defend your king role from others by patching vulns

@fading basalt

hmm

whats a good programm or modul to obfuscate python??

why do you want to do that

if you freeze to an executable it will make it a little bit harder for people to read the source code

Any discord servers dedicated to pentesting, hacking, etc?

there's a number

you might want to check out "The Many Hats Club"

@fading basalt

hacker101

@woven gazelle you can still extract the bytecode from executables generated using pyinstaller

yeah

but they did say obfuscate

generally i'd say there are very few good reasons that people have here for wanting to obfuscate

it's normally having put a password in the program or something

You can obfuscate by compiling to C using something like Nuitka

What is the use case

or cython

Cython only supports a subset of python and requires special syntax in the code. It's an option but requires a lot more work.

that mightve been true in the past, but isnt now

first up, any python file is valid cython

youll get some performance improvements etc but not as much as if you specifiy types

in terms of limitations of cython:

• no inspect support for cython funcs
• stack frames are not fully completed (no locals or co_code)
• literals of inferred types are not guaranteed to be the same object

i'd be surprised if you managed to run into any of these tbh

i never have

imo the only hard part is setting up a build process for cython, it took me a while to get used to and ive heard that it's worse on windows

last one sounds a bit nasty

so presumably ```py
"hi" is "hi"

only if type inference is active

which isnt the default iirc

here's the example they give

oh, and that example will always work as there's no type changes

sorry for not clarifying

wait so only floats

anyone doing float is float deserves a lot worse than it just not working sometimes lol

no, not that

since the type of b and c was inferred statically and then changes at runtime given a specific condition, new objects are created for each one in that scenario from a

@woven gazelle you shouldn't be doing that anyways

ye

that was my point

it stays being roughly as bad of an idea

but cython only really works with setuptools

trying to do it manually using the CLI tool

is pain

eh it's ok (at least on linux) if you have just a couple files

but if you have a complex setup then yeah youve got setuptools build config fun ahead

help i have been pwned from one website i changed my password and i checked it again and im still pwned

have I been pwned?

did you check the old pwd or the new pwd

also

wdym new pwd

which password did you search in haveibeenpwnrd

wait

to get in the same page here we're talking about thes right

https://haveibeenpwned.com/

yes

also

i dont think i can check my password in that

Xkcd correct horse battery staple

there's the pwd tab

sorry, im not sure if i understand what youre saying

Xkcd correct horse battery staple
what does this mean

that's a better method to generate your passwords

is that a website?

https://xkcd.com/556/

wait what
alternative energy revolution?

can I ask scripting question to search certain passwords in csv file?

my regex is not working properly

https://xkcd.com/936/

cool

does ny1 here know solidity programming for dapps??

i need some help

I don't know sorry|| @elder bison ||

@elder bison Why do you want to use dapps??

https://github.blog/2020-11-16-standing-up-for-developers-youtube-dl-is-back/

I'm not sure what's the correct channel for this but is there someone that can help me with some logic quetions about Timing Attacks?

I’m afraid this would fall under the rule 5

Oh

We can’t heelp you with that, sorry

I'm sorry

That's fine 🙂

No worries

Just for general knowledge it's for educational project at my school 🙂

But we have no way of verifying what you will actually do

Does it really break rule 5?

Seems like you basically couldn't actually talk about security here in that case

it's a fine line between talking about something in the abstract and going into specifics

always tricky to weigh up a question

Side channel attacks are still an open area of research, so... I don't think it breaks rule 5

i'm sure some generalised questions about side chan attacks would be fine

Especially about talking about preventing them

yeah and honestly if you have the technical knowledge to actually implement a side channel attack from something you learn here

you're gonna figure it out anyway

it's not like teaching someone how to run nmap on a website or something

if you're implementing side channel attacks, its a lot more likely that you actually know stuff about sec and aren't a script kiddie

Books for beginners?

any specific areas?

I would reccomend anything that has to do with networking and how devices and networks communicate with each other and the outside world. I'll see if I can find a link to a good book for ya @primal lily

This is a tad outdated but sstill has relevant information that I still use to this day https://www.amazon.com/Computer-Networking-Beginners-guide-Mastering-ebook/dp/B077PZXZF1

How I start in pentest?
what topics I need to research to start in pentest?

I would recommend looking at web app and common OSINT and experiment with common pentesting operating systems. At least thats what I did. Also look into content creators like 'The Cyber Mentor' and 'NahamSec' as they are pros at this stuff

what is OSINT?

Open Source Intelligence

ok thanks for the help

no problem

would anyone recommend some tools for OSINT?

If we get some obvious phishing attempts (e.g. someone impersonating Jason), how do we report them?

modmail i guess

who's jason

This is not the group and python is not the language for it if in the end you're gonna use wrapper libraries anyway

Honestly, I would recommend learning networking and other topics first and then pentesting. You could try studying for OSCP as well

Thanks

hey guys i need help with the following:
securing the api keys so you could pull them from a git repo but wont be available to copy or use, any way to encrypt the api key or something similar
i was told there is a a pythonic way to do it

why are you pushing api keys

@unreal wadi

im doing a devops course and we were told to use a free currency converter API, he API I found has a key and I was told by my instructors to find a way to make sure it is not in the code but still useable when we upload everything to github
I cannot upload the key itself into git

its a free API key that is open to the public

put the key in a .env file or something

add that to .gitignore

and then use os.getenv to read its value in your code

@unreal wadi

@unreal wadi you can encrypt API keys before push, but it's a bad practice to publish this kind of data

Hey guys i know this is for python but i have a virus on my pc and i took my op perms

It broke my pc

Pls help

op perms

avast, metadefender, malwarebites protect your pc next time ;-;

Hey guys, is there any recommanded open source library or framework for creating Threat Intelligence. I found YETI, but it not longer maintained. Thanks 🙂

I use kaspersky its better

any good libraries/learning resources for email reset

im building a flask app

if salt is basically a bunch of random special characters that help in secure hashing

then pepper is just a private salt that isnt saved?

Lol ok

How can I inject a webpage in my local network?

Like e.g., opening instagram will display Webpage blocked.html instead of instagram webpage

ping me if you can help

you need to modify the dns somehow, not sure

there's a few methods, the most common is to set up a DNS server and then have DHCP hand out the info for it

then catch attempts to resolve a domain and direct it to something else.

that's probably the most reliable solution

you could do some janky IP address based rules on the router

which means even when users aren't using your DNS server they're still holed.

ight

any

like

docs or something? @lusty flare

hmm... if you're unfamiliar with running a domain name server you could probably look into "Pi-Hole"

i think you can get some images which you could install as a virtual device on a PC on your network

then adjust your router's DNS settings to point to that virtual machine

it's the sort of thing where you need a dedicate device to act as the DNS server

Hello I am new to python

Can someone help me

@fluid bay I dont think this is the right channel for such a question

Ok

Anyone know if snekbox supports arbitrary dependencies somehow? Fortunately it has a lot of the libraries I need for my project, buttt

I forsee wanting to do some data visualization in a safe environment like snekbox (e.g. with matplotlib) but I don't see any way to install it as a dependency on snekbox

Isn't gambling illegal in most states?

I was assuming the least illegal case for them

ianal but it looks like online gambling is illegal for wa

anyways

!rule 5

what does the trans flag have to do with this

also my question: what does it have to do here?

careful, or you're gonna fall under rule 6

!rule 6

!ban 542103124542881808 homophobia

:incoming_envelope: :ok_hand: applied ban to @half sparrow permanently.

thank you for that

Came back to check for responses and was seriously confused for a moment lol

naughty

uh yeah so re your original question

i think you may need to rebuild the docker image

Yeah, I forgot to remove my messages to the banned user

what were they even doing in #cybersecurity

The user was trying to access online gambling sites accessible only to New Jersey residents, while he was in Washington state. they tried several things to bypass the restrictions through several things, and in the end, was asking for help on how to bypass the restrictions, because he could not think of anything more (they even asked for a NJ friend to leave they computer on and TeamViewer their way to the gambling sites, but that one failed as well)

wow this really isn't the place for that lmao

Hey so I am coding a custom test encryptor and I am making it so that every character you convert is a 100 character string. For example:
H = fwherfhr874jfusitmghhct6s834...
Do you think that if I put important things into it and encrypt it, would any other people be able to decrypt it? I am making this so that I can store passwords securely and something to do for a couple days

dont roll your own crypto

you can write your own crypto code, but never, ever, use your own crypto code as actual crypto

also

unless you actually know crypto in depth (hint: you probably don't unless thats your job description)
any crypto implementations you make will probably be flawed in some way

and even actual cryptographers mess up their crypto algos

more info: https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own

@thorn obsidian

can you post your algo?

i wanna see if i can break it

Still coding it @fading plaza

I'll post the actual encryptor and you can analyze it if you want. No one is going to have access to the program except for everyone here, but I will definitely change it and improve it.

I read that thing you posted about and I am not going to use it for anything important. I might improve it and use it with friends to make secret messages

Once it is done tho

Which will take a couple days since I also have school

for not creating own crypto algorithms

There are so much knowledge to earn and you still don't know that you missed something

What purpose is for storing password? Do you want to store it like passwords managers do or you want to store in some kind of database like web services do?

I am going to use a password manager

I was just thinking of making a personal text encryptor

But I saw that J shouldn't do that

I am just going to make it so that I can text friends secrets if I need to or something

If you want to make your own password manager just use some well known KDF (key derivation function) to generate key from your passwornd and AES for encryption

You can use Argon2 as KDF or PBKDF2 with SHA-3 for example

Ok. Thanks for the suggestion!

Your welcome!

Remember about safe and unsafe cipher modes (forget about ECB, you should consider GCM or CCM)

If you are talking about pydis snekbox, then yes! You just need to add the dependency to the Pipfile, relock and rebuild the container, if you have any other question, feel free to ask in #dev-contrib

hi

Accidentally sent that lol

Is it possible to detect http requests / other requests using sockets? I am making a "firewall" (just for fun) that scans all incoming http requests and denies them (does not send them) if they are malicious

How about nfqueue?

I used nfqueue to catch outgoing DNS traffic to make some kind of DNS cache

I used this module https://pypi.org/project/NetfilterQueue/

But I think that maybe is more #networks than #cybersecurity

@cosmic monolith +1 you want NFqueue for that, its an option for IPtables that will allow you to write a packet filter/manipulator and run it in userspace so you dont need to escalate it to kernel level. I wouldn't use it for any performant networking requirements tho. https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/

I need to sandbox or filter user code so that it only has access to a subset of objects in the main program. This is for in-game scripting for a game that I am looking to write. How can I achieve this?

In general, but for Python in particular, you need to deploy a sandbox around the interpreter. If you want to build a language-level sandbox, you'll inevitably fail miserably (someone will play with your sandbox to try and destroy your system, and most likely succeed eventually)

hello! I was curious about something. I honestly did not understand encryption much other than "It makes things secure". But lately I found myself interested in learning more. I just want to ask if I understand the basic concept of encryption correct.

Encryption is using large numbers, such as from binary numbers and converting those numbers to another number base (like base64) with letters in it right? So, the idea is that when the binary numbers are converted to base64 they turn into letters. Which builds a meaningful text and thus creates a safe communication or something like that, say, between two friends. And you use binary system for large numbers so that encryption takes longer time to crack, right ?

I might have went quite off the rails here but like I said, I am very poor when it comes to understanding encryption

First of all, base64 is not an encryption - it's encoding

First encryption schemes were not about big numbers or even bits - many centuries ago people had different tools to do it

CAESAR CIPHER, etc are examples of these

there purpose is to make the message illegible without a key

Some encryptions nowadys too work like that

To decrypt, you need to give the key.

For example you can write whole alphabet from a to z: abcd...xyz
You can precede this with your key-word like "cat" for example and delete duplicates so you have: catbdef...xyz
Then exchange a to c, b to a, c to t and so on
It's simple encryption scheme

however, some encryptions nowadays use algorithms to convert the string to digits. They are strong and cannot be reversed

They are used for storing data which needs one way acess, eg: passwords

I see. So encoding does not really help with encryption then

Encoding is just different tool - for example if you want to transfer binary data as text, then you can use base64

Encryption is to protect data but you can encode ciphertext ofc

Ah gotcha

It’s just a tiny part of the whole scheme

So I should say then that what I was interested at was using programming for encryption

But above examples seems like less programming based?

The one with alphabet and CC thingy

I think that I don't understand - do you want to learn how ciphers work by implementing them?

I was thinking about using programming in python to essentially create(even if very simple) encryptions which I can use. Like programming encryption to send an encrypted message to my friend that has a gif inside it. Kind of small stuff like that

It's bad idea, making safe cipher is very hard thing

You should use well-known encryption schemes

There are many packages in Python that are ready to use so you can pick one of them and don't be afraid about safety of your data

Hmm, so I can’t really combine learning python with learning encryption I assume.

It’s just better to use libraries

What about cryptopals? Is that good way to understand encryption better.

There are two cases - first is how ciphers works
You can implement DES or even AES for educational purposes, it's nothing wrong with it
But second one is making own cipher - just don't do it

https://cryptopals.com/ ? I don't know it, but looks fine

Yeah that website.

I think that it's nice place to start

I see, thanks for the help

Your welcome!

I will try to learn more about encoding part. Seems like a good start

Also to be clear. I didn’t meant creating my own encryptions for serious stuff.

It was more about training little bit in coding by coding encryptions, and then use them effectively in really life by doing normal silly stuff

Like sending a cat gif

So start with simple and old ciphers like mentioned Caesar cipher, Playfair is nice too
Then you can try XOR ciphers
When you feel a little bit stronger you can try to implement DES and even AES but it needs some advance in developing cryptographic primitives

Feistel network is fine tool to produce ciphers and you can find some articles about this concept

how would one go about creating a hash function in python?

What hash function do you want to create? Your own?

yes my own

What do you want to achieve? Is it for educational purposes?

For production usage you should use already existing modules

yes its just for myself so i can learn, not planning to use if professionally or anything

i want to be able to have a function that i can call and pass a string to and it returns a hashed version of the string

Do you have an algorithm which do you want to implement?

yes i want to try to create my own algorithm to hash the string

is that too hard or what?

It's not too hard to create hash function itself but it's extremely hard to create secure hash function

You can check how old functions were constructed - like MD5 or SHA-1 - and based of this knowledge you can create your own

xxHash is also nice hash function but it's not cryptographic hash function - so it's not secure but it's really fast and good of hashmaps implementations for example

security is not a concern for me i just want to go from: e.g hello world to: 74f76D76fkjjhYd67

something like this

like maybe for examplei can loop through all the letters and randomize them?

Hash functions are not random - these algorithms are deterministic so for given input you always get same output

The simplest way is to create some variable, call them acc

Fill it with random value like acc = 0xAABBCCDD

Then you iterate trough 4-bytes blocks of text and xors these blocks into your acc

acc ^= block[i]

if i do this its not randomized?

You need to add padding to your text if it doesn't met this condition that it's dividable into 4-bytes blocks

ohhh i see

Hash functions are not random functions

For given input you always get same output

yea yea

thannks i will try this method

Your welcome

You can check MD5 algorithm - it's old and quite simple hash function

and btw is MD5 algorithm open source

like can i see the source code?

Yes, there are many implementations

In many languages

when exactly can i find the source code for it ?

How about in your search?

"MD5 source code Python"

https://github.com/timvandermeij/md5.py

is this it?

It looks nice and simple

but if its just available to the public like this then if someone still uses it can they get hacked ?

since the source code is public

so anyone can crack it right?

No, there is something like Kerckhoffs's principle

and what is that?

Algorithm can be publicly available and it shouldn't cause that it is breakable

You can read more about this rule in books or Wikipedia for example, my English is not good enough to explain it here in details

ohh i see thanks

i found it on WIkipedia

Okay

Hey could someone give me a hashing library I should be using

hashlib?

what's that

a hashing library?

I don't know what do you need

So... What do you need?

a hashing library that is supposed to hash passwords

So use hashlib and SHA-3 for example

Do you want to store this passwords in database?

yes

Then maybe use bcrypt or Argon2 if it's possible

oh ok

i guess i will use argon2

Good choice

As far as I remember there were recommended parameters in Argon2 specs for storing passwords

Oh, yes - https://www.cryptolux.org/images/0/0d/Argon2.pdf page 17

>> from argon2 import PasswordHasher
>>> ph = PasswordHasher()
>>> hash = ph.hash("s3kr3tp4ssw0rd")
>>> hash  
'$argon2id$v=19$m=102400,t=2,p=8$tSm+JOWigOgPZx/g44K5fQ$WDyus6py50bVFIPkjA28lQ'
>>> ph.verify(hash, "s3kr3tp4ssw0rd")
True

in the docs it shows this.
it is comparing the hash with the password.
So while checking would we need to store the password as well?

If you have database, where you store hashes, and you want to compare one hash to given password there is no need to store this password in database

But you need this password somewhere in RAM ofc

ohhh

@lapis radish how would I store the password in somwhere in ram?

First of all please write what you are building, when I get the concept it will be easier for me to find solution

a password manager

Okay

This is going to be GUI tool or console program?

gui

First what you need is encryption algorithm - block cipher like AES would be good choice

Using cipher you can protect data that you keep

oh i would need an alg?
I thought i would just have to hash the password and send it to db

But cipher is reversable, so you can decrypt ciphertext - you cannot reverse hash function

right

Start with creating simple file that stores ONE password

A cryptographic hash function (like SHA-x) should not be reversible

hashed or not?

No, you need to store password in plaintext - it's password manager so you want to retrieve your passwords

then isn't that pointless

well, it should probably be ciphered, rather than in plaintext

I wrote about it 🙂

You need to protect your data in different way

in what different way?

Using cipher

You should read what is cipher and what is hash function

ok

could u link it to me

Check some use cases

But creating password manager without basic knowledge of cryptography is pointless in my opinion

oh

You should start with something simpler

definitely

hmmm

Hash function, block cipher, padding, key derivation function - it's just a few terms that you should know

The point of a password manager is being able to safely (as in nobody not having a password should be able to access the database) store potentially critical information

Exactly

wdym by "nobody not having a password"

If you can't ensure that you can 1) retrieve information with the master password or any form of authentification, 2) nobody without the means of authentification you decided upon should be able to access your database, then what you have is not a secure password manager (fail number 1, you have a hashed database; fail number 2 and you basically have a plaintext database)

oh

How does ph.verify work in Argon2 for Python? How can it verify if the hash matches the password? Does it like save the password and hash somewhere?

when the user puts in a password it's hashed (and salted depending) and compared against the existing hash in the database

it does not store the password

When you save a password using argon2, it will create a string made of the password hash and its salt, and if you feed this string to the verify function along with the user input, behind the scene it will append the salt to the user input, hash it, and check if it match the first part of the string

you never need to store a users password

ever.

only the hashed version if you really need to store something

i mean for a login system you totally need to store their hash

there's uhh... no other way to verify

well, obviously

kind of how passwords work

¬_¬

except maybe another means of authentification

tell that to my school

you could OAUTH2

and just absolve yourself of any responsibility

plaintext password storage should be illegal, if it's not already

sounds like your school is too lazy to create some form of impersonation Aky.

it's not illegal

annoyingly

But you will make it mandatory to have another account to use your services

Vodafone still use plain text

as they send you your password in the mail

but it's stored hashed in their database

😱

but they can reverse it

but it's "secure"

according to them

fucking twats.

well, it's basically plaintext

One of these day I should just rainbow one of the school account and be like “you see why it is bad to not hash password?” >.>

wdym

You should only store the hash

yeah that's what I meant

i don't mean email, btw, they actually physically mail you your password

and here's the logic

https://twitter.com/virginmedia/status/1162756227132198914

10/10

Wait what

you also hash emails right?

with a salt?

nah

do emails need to be hashed with a salt?

nope

so just hashed

that's it

nope

so not hashed at all????

how can you do a password reset if you don't know their email?

.............

“It is illegal to open someone else’s mail”

i mean it is.

Because bruteforce attacks are legal?

do you want a quick rundown on best practice password storage SomeDude?

sure

in like... procedural steps

1. users visits your thing and types in username / pass
2. you receive that info and immediately run your hash algo over the pass
3. you compare the hashed password you got from that login attempt against the hashed password stored in the DB for that username
4. if it matches, you login. if it doesn't, you reject.

the password is never stored.

if done properly it exists in memory temporarily

as it's hashed

unless you specifically set something up between receiving the login attempt and hashing the password for that attempt (if using something like argon)

you will never know what anyone's password is

how do I store an argon hash?

I get this for Python '$argon2id$v=19$m=102400,t=2,p=8$Igc9sf3IoT4xCtLMR1XXug$0Cs+THo5Haf7kGQq5czdGw'

do I just store the entire thing

i haven't used argon yet as no projects since i learned about it have login systems

but i'd assume yes

i'd highly recommend going through an argon2 + python tutorial to have a quick read

do I have to salt an argon hash?

it looks like it's already salted

It's salted

i believe it can do that

i'm not hot on the specifics of argon tbh

https://argon2-cffi.readthedocs.io/en/stable/api.html#argon2.PasswordHasher

i still sha ¬_¬

.>

hey, they're internal tools

don't ride my donkey

hoe to fix this error https://paste.pythondiscord.com/oxecixoret.lua

how*

i don't think this is #cybersecurity related you probably want to look at #❓｜how-to-get-help and explain what you're trying to do etc in a help channel

Also probably not a good idea to store a password in plain text at least put it in hash or something

Anyone know any good bruteforcing tools

burp suite?

is a pretty good one for all-around stuff

Well a combination of tools

Metasploit is also a good one you can try

nah for websites

might use open bullet

Oh ok that's pretty good to.

Wait are you doing a login?

Have you tried logging in regularly? without forcing it first

If not try an sql injection

Here's a website I found which tells you how to do it https://portswigger.net/web-security/sql-injection

@lusty flare single sha? o_O

not even pbkdf 😦

@thorn obsidian first, make sure what you're doing is legal

secondly, hydra is pretty decent for bf

It's legal as long as you have permission from the owner :)

Why is Argon2 so slow compared to other hashing algorithms?

Idk

I think maybe because it goes through million iterations to salt the hash?

So, I'm getting started with hacking now and I want to know what not to do so that I don't do it. Any place online I can find like a list or something of no no's of hacking?

The 10 Rules of ethical hacking you must never ever break and if ya do you can well... You get some unwanted attention ;) https://www.dummies.com/programming/networking/obeying-the-ten-commandments-of-ethical-hacking/

Oh yeah and dont break into anything that is not yours or you don't have permission

for

okay thanks!

Did you have a question Heymanlol0n?

nope!

You have several parameters to determine algorithm speed like number of lanes or time and memory cost

bcrypt for example has just work factor but Argon2 has many more parameters and you can tune algorithm to your needs

Hey, can someone tell if a file has been copied at all? Like is there a digital footprint of sorts for that?

Asking for a friend

Please, more details

And how is it related with Python?

Well the file was a python file they were working on andnwas in a hidden folder. They believe someone copied it because the code he was working on ended up elsewhere, line per line exact same. But he doesn't have proof it happened. So that's why he was wondering if there is some way to tell.

Do you have access to machine with copied file?

I do not. They asked me because I know some stuffs, but I never dived deep into security. And I wasn't sure

Let me rephrase, I don't have access but they do to both machines

I don't see a way to proof that file is copied in that scenario

Ah darn, alright. Thanks for responding though!

Your welcome! If you find a way you can share it here

Ya I will see what I can maybe do to help em!

@crimson fable if the device wasn't mounted with noatime you can check the last access time, assuming you didn't opened it in the meantime

where to start this entire concept of security from.
no idea so asking

What do you want to achieve?

idk learn atm
and later get a job if possible lol @lapis radish

Ofc but there are several roles in security - you can be security architect or pentester and so on

data security

There are two sides, always fighting lol

if its a thing

I think you should start with "what is encryption" and how can you protect data

||and if possible hacking||

Data has some attributes that you can protect using different methods

which modules

what does it mean

It's joke

umm ok

!warn 690641855045697653 don't post harmful commands

:incoming_envelope: :ok_hand: applied warning to @lapis radish.

😦

...

oof

Sorry

||dm me ||

Catch some help channel

okay
and sorry u got a warn bcoz of me

Np

I didn't knew that some kind of humor isn't allowed

are u doing a job

related to coding?

Yep, I am dev and I am working with security related project

:O

But it's kinda offtopic

how much do u earn
if u can tell

Grab some free help channel, we can talk about "how to enter into cyber security"

i did

Which one?

#help-burrito

Okay

hello

hi

Need help with anything?

hey

is this channel about cyber security?

yes

Well, it's about python related to security. Considering all of that would be on your electronic devices and or related to the security of your application. Most instances you'd be talking about "cyber security". Which is about as vague as "security".

understood

will be checking here more then

I plan to start a career in cybersecurity and recently have been learning python at university

figured it would be a great asset to have

I'm not an expert, but I am a fan and subscriber of pentesteracademy.com . It taught me a lot about python and security. You should check it out! Could give you a reason to post in the channel for others 🙂

If anyone needs help with anything security related just send a dm

we prefer to keep things in this channel

as in the future other users may find it useful

say no hacking ur project then they won't hack it works I tried

easy as that

That’s like https://twitter.com/virginmedia/status/1162756227132198914

it's a good tweet isn't it

for all the wrong reasons

Hahaha yes

is it possible to prevent rootkit using python

how long or how much experience it will take me to make a software that prevent rookit attacks

why and how do shell injection attacks take place?

Why : because it will allow you to do things you aren't allowed to
How : rule 5, but let's just say that you gotta mess around with the parser

i want to prevent shell injection attacks because here's what i'm doing

Setup.exe --install-dir="<can be malicious code but its in quotes>"

That can be subject to injecting if the code contains quotes

i'm checking for malicious strings and commands like so

forbidden_list = [
    'system32',
    'Remove-Item',
    'erase',
    'del',
    'ri',
    'rd',
    'rm',
    'rmdir'
]

@void aspen well see the user needs to run the command for my cli like this
mycli install randompackage --install-dir="del C:\WINDOWS\system32"
And when my cli runs the installation:

Setup.exe --install-dir="del C:\WINDOWS\system32"

@void aspen is this a decent way to validate the command?

I'd say that you could use a path validator for that @worthy lodge

@void aspen does there exist any module in python for that?

I don't think so, but you should be able to make a little regex for that

ooh no... regex 👀

i've been hiding from it since forever

it looks very scary lol

Haha

Well, this is a good time to learn it, isn't it

yes lol

@worthy lodge shlex.quote?

hacking into my project = gay

0 hacks

lol

Lol

Hey #cybersecurity happy thanksgiving to everyone and hope you all have a good night anyways I have a question for you all what are some holiday hacks you have done before and if you have what was it a friendly prank on your friends or something... else?

Guys

Is sha512 better than sha256 for hashing passwords?

Somewhat

I'm wondering bcs i was working with hashlib and then I saw sha512

@onyx nacelle its better to use neither

and to instead use an actual kdf

such as scrypt bcrypt or argon2(the recommended one iirc)

scrypt is in hashlib

argon2 is at https://pypi.org/project/argon2-cffi/

@fading plaza i'm using shlex.quote now instead of "" but i don't see much of a difference between

Setup.exe /DIR='C:\Users\Shared'
and
Setup.exe /DIR="C:\Users\Shared"

what is the upside to using shlex.quote() ?

i am guessing it just inserts a quote on both sides of the string

lemme know if anyone knows about the use of shlex.quote()

oh wait this is windows

i have no idea how cmd.exe quoting works

but i think shlex is for unixy shells only?

my bad

@fading plaza ooh no this is a really big vulnerability

how do i prevent this from happening? i take the part after /D= as user input

ooh no

whats your full code

also is it possible for this setup.exe to take args like --install-dir "some/path"?

instead of an equals

So ya'll know how any phone number with 555 in it makes it a fake number right

is there an equivelent to that for credit cards

I'm trying to make a fake profile generator

@fading plaza it can take --install-dir="Some/path" yes

no like

without the equals

@fading plaza yes that works too

in that case it just inserts the = its almost the same

hm

then you can just use subprocess.run with a list arg

like subprocess.run(["setup.exe","--install-dir","some/path"])

instead of whatever you're currently using

@worthy lodge

since this way, it skips running a shell altogether

avoiding any shell command injections

aah alright thank you : )

@thorn obsidian

https://www.simplify.com/commerce/docs/testing/test-card-numbers

not sure if those would help

they at least match the format of cards.

so i made a login system that just uses a txt file, now that is not safe, what is a better and safer version of a txt file

ping me if response

use something like argon2

with a database

sqlite is a good way to get started with databases

as you don't need to install any software, there's a native python library

thanks

👌

Hello

Hello

Im making a password manager. I am trying to store encryted passwords in a database. I want to be able to decrypt them with a masterpassword such as 'password'. Can someone help i have been trying for hours with No success. @ me plz.

So you're wanting to hash passwords?

not hash though, surely?

since to unhash you'd need to know the password

which defeats the point of a password manager

sooo, encrypt and store

@cloud falcon check out aes

hello i need help for a pyhton scritp

wait actually aes might not be the best due to fixed key len

uh checkout other symmetric encryption

can someone help me ?

you need to tell us what you need help with

ok so i just want to do a script to communicate with a IRC serverbut i don't how i cant send and receive data from an IRC bot

I do a script with socket lib

my script can actually connect to the IRC server but i dt know how i can send and receive data from a bot IRC

the IRC protocol contains info on how messages are sent / received

How is it related with #cybersecurity ?

hmmm good question

i can think of one way

Maybe #networks ?

IRC is a common command and control protocol for botnets

:P

ok i go in networking thx

Hey guys I was wondering if I should use Oauth2 providers like google to verify/create the user. Then I generate a token from my server to the client(app) to verify if the user is logged in?

For some context I am using FastAPI for my webserver, and flutter for the frontend.

Is there a more secure way to call functions and variables than having them in a seperate file and doing:
from functions import * print(var1) function1()

Secure how

Generally that isn't a very good idea just because it's hard to tel what's going on

Wdym secure how

Like a better way for like making the code thingy for a discord bot in a seperate file so thst nobody can find out

Whaat it is

how would it be insecure

If someone had the bot id, because i am planning on putting my prograb on github but i cant let them use my code

So i need to have the bot id seperate from the main code

you mean the token?

generally you include that by setting it as an environment variable when you run the program

^

idk how not pushing functions.py is supposed to make it secure

hello guys, I've recently got into learning stuff about security, networking and databases mostly for ethical hacking. Do you have any sites you would recommend for practice or in general how you can apply those skills in an controlled environment?

I used https://root-me.org

Thanks @lapis radish, will check it out, seems like a very useful tool.

www.tryhackme.com is a good one and hackthebox

Does any know what he did to change the k

isnt that a font

what does this have to do with security

It is a brute force script

uh

right

but the letter k is just a letter k

I solved it

I was because i never sad choices i put choice

Is django default security worth it? Can it defend cyber attacks?

What do you mean

defend how

it won't fix security flaws in your application

Is this bad

source .env

# ...

ENDPOINT="https://$GITUSER:$GITPASS@$DOMAIN/$GITUSER/$PROJECT.git"

# ...

git push $ENDPOINT master 

People always say not to supply the url to the shell because it remains in the git history

I dont think this beats that does it?

Use a github personal access token instead

with an ssh key? Ive seen that feature but havent gotten around to it yet

Or, (better) a SSH keypair

Once you enable 2FA on GitHub you can't push like that anyway with the username/password combo

I have an SSH key for my dev machines, then for servers or CI/CD if I just need to pull a copy I setup a read-only access token

I only ever use my password for logging into the GitHub website, with 2FA

never, ever, ever for pushing code

If there's any PyCharm users in this channel, I run a static code analysis extension ($0) for security flaws. It has a lot of specifications for Django https://pycharm-security.readthedocs.io/en/latest/

Even if you don't use PyCharm (or the extension) the documentation has a list of common mistakes (under "List of Checks")

its similar to Bandit, but it has more checks, and fewer false positives because it uses the PyCharm type system and Python API

Bandit is also great 🙂

fr stand for french

and i want it to say french

not fr

@magic lodge wrong channel

#❓｜how-to-get-help

anyone here any good with aes

What do you want to know?

well, what's the problem?

Xor by same value

x ^ a ^ a == x

you'd probably need to do a ^= a >> 1

But this function is not reversable

Small disclaimer

indeed, looks like it. The shifting kills invertability

@thorn obsidian

It's probably the linearity killer of a cryptographic hash function

Probably yes

You cannot reverse shift operation

If you have for example 4-bit length vector like [1100] and you shift one time left you get [1000]

If you want to "unshift" it which bit should be on the first position? 1 or 0? @thorn obsidian

You don't know it

So you get [x100] where x can be either 1 or 0

In this code you lost 13 bits from left and 4 bits from right so you have 2 ^ 17 possibilities or 1 / (2 ^ 17) chance to get the correct value

Got any recommended libraries for end-to-end encryption? I'm gonna make a terminal communications app

I want it to be secure

anybody recommend any videos for python for cyber security

red or blue?

@hard frost offence or defence?

LiveOverflow's channel is pretty good. https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w

The good stuff is normally in conference talks, instead of a dedicated channel

defense

cyber security analyst is the goal after college

than convert over to read team

I have a fundemental level of python

How do you make more secure passwords in python? Bruteforced a sha2-256 password in seconds today. Seemed way to easy, maybe it was simply just an easy password

dont use raw sha2

use a dedicated kdf with a salt

such as argon2

which is a:slower and b:not vulnerable to rainbow tables

dont use MD5, SHA1, RIPEMD-160, Whirlpool, SHA256 or SHA512 🙂

https://pycharm-security.readthedocs.io/en/latest/checks/HL101.html

and a salt like hmmm said

length extension attacks don't apply for this usecase

only for MACs

those are the length-extension ones, the collision (weak) ones are MD4, MD5, SHA1. Short version is use blake2 + salt

don't use blake2

use argon2

it's specially designed for password hashing

Hi, I have a requirement of fetching MS Active Directory User hashes. Is it possible to do so without ntds.dit?

Is Bcrypt still recommended for passwords?

there's better options

but its still decent

Have you guys heard about the geforce 3090s password cracking speeds? Said to cut the time way back. Not sure why that was something they advertised for it though

was it

@vital lava do you mean stdlib crypt?

ah btw i want to ask a thing what thing should i use to encyrpt a string with a salt aka

a = something("thisismystring", "thisissalt")
print(a) #should return a hash that can only be decrypted by salt - "thisissalt"

Yep that warning from bandit is right

i didnt realize ctf exercises were just googling exercises

yeah pycrypto is really old

pycryptodome is a maintained lib that's almost fully api compatible

though cryptography would be better for new applications

how can i stop botnet using python

because i need to save people from these dirty malicious software

I'm still learning about all attacks

You need Anty DDoS software or something

depends on what the attack is doing, no? If it's a DDoS then cloudflare, if its individual PCs then anti virus.

Either way, it's unlike you can code something in Python that's better than what already exists 😄

@river nest My aim to defeat malwares

not much you can do with python against a botnet

and it's not like you can build a program that just miscellaneously fights botnets

@woven gazelle not botnet, i want to defeat malwares using my python program

any suggestion

what

oh

defeat malwares how

as in make an antivirus?

yeah a antivirus

Can it be detected by other applications that I screen sharing from Discord, for example a system I entered via Google ?

not sure if this question pertains to this channel but is there any way to prevent access to certain python class variables besides the .__ naming convention which doesn't actually prevent access

nope

is the short answer

and also probably the long one

anyone exp with akamai?

@violet abyss whats wrong with the current convention?

The variable can still be accessed and changed if you just do classname.__varName

On that note how are secure applications built into python

even if you're not storing passwords/sensitive information you don't want class variables to accidentally be changed either

because thats not how security works

its supposed to protect against users

not against other code

now i'm kind of confused, if there are no private variables in python, can the user at anytime read those variables

if so lets say you were using/moving/manipulating/analyzing potentially information that needs to be secured, how would you prevent it from being read

besides not allowing the user to directly interact with it...it seems like someone could use the python script and just watch the information that moves in and out of it if that makes sense

if the user can interface with your code

they can straight up just attach a debugger

and bypass any runtime checks you have

your code should trust other code that it uses/is used by

the untrusted input comes from the application's users

can you elaborate on what this would entail...is it good convention to have runtime safety checks

so essentially if you make an application through python, the user should never directly interact with it

in other words do you use some other programming language or tool where you take user input which then sends that input to your application, the application manages the input, and sends back an output to your trusted application

@violet abyss you dont necessarily need another language in between

its fine if the user input is passed directly to the app

as long as they can't write code that interacts with it

or other similar methods

that was poorly worded, sorry

what i meant was that a debugger can bypass whatever method you have for creating a "private" variable

Just check if there is any process of any debugger on

fine

patch cpython to dump variable values

or just patch cpython to always return false for a debugger check