#cybersecurity

Ive used base64 only for it to be compatible with bytes

So that u can Encrypt a file

An i even made an executable Encryptor for .NET binaries

By using the C# version of gCrpt

And I've made a simple meterpreter payload and it decreased the number of AV s on virustotal a lot

wait, it's even worse than I though: it's an alphabetical substitution on a base64 encoded text

so... all the digits and the two markers are not changed...

hi guys im looking to add a license key setup for my program that lasts 30 days then expires

any program can be reverse engineered to bypass license check

have you considered offering whatever "service"

via internet

you can have python on the back-end

it would be way more secure

https://en.wikipedia.org/wiki/Kerckhoffs's_principle

what security implementations can you actually do with python?

I have like, little to no knowledge of security. basiclaly just am a ML and software nerd

what do you mean security implementations

oh for the question above

Hi all, is anyone aware of python libraries that can extract the base of a web page to differentiate between local and foreign addresses. As I am scraping a website, I would only want to scrap pages within the domain

the base of a web page

i don't really know what that means, are you talking about restricting the scope of a scraper

@rugged stump
use Scrapy and in the spider, specify allowed_domains

I'm using beautifulsoup

I've kinda accomplished it with urljoin

Well, then you are creating your customer spider and you will have to implement the logic your self.

urljoin(url,'.')

Yep, it takes time to master the framework

Plus beautifulsoup gives more flexibility in coding

True

I thought of an interesting problem. You pick 2 points a, b in 3d space, such that the distance between a,b is a whole number. Can you find points a,b from distance d?

sqrt((ax-bx)^2+(ay-by)^2+(az-bz)^2) is an integer

you can find some points

but you can pretty easily come up with multiple sets of points for values of d

No I meant can you find the inverse if you only know d

@woven gazelle

you can find lots of inverses for some values of d

for d=1, a=0,0,0 and b=1,0,0 or b=0,1,0 etc

but a,b could be anywhere in the 3d space

well yeah

so

no

but then you could also say given a number n can you find it

and the answer is no

so i think the interesting bit is framing it in a way wher eit's not immediately obvious whether it's solvable

or where there are interesting conditions to it being solvable

hmmmm

for example in your question, if we ignore obvious cases like symmetry/swapping planes or swapping a and b and large values of d

it becomes pretty interesting i think

maybe write a python program to graph number of solutions as you increase d

double interesting

hmmm

because each value of d still has an infinite number of solutions

I have a python program to calculate d

so maybe fix a to 0,0,0

possibly

I was wondering if I could use this as the basis for some sort of crypto

idk if that would be possible

where d is public information

and a,b are secret

hmm yeah i was thinking more proof of work

or some kind of hash

i guess it makes use of similar things to prime using cryptography

where multiplying numbers is easier than finding factors

hmm

I guess f(p, d) would have to have an inverse

and if it used the values a,b to decrypt could be useful

my algorithm can generate 512-bit d very quickly

you know where a and b is because you have to allocate it

Obviously, but let’s say someone else who doesn’t have access to our system knows d, they can’t find a, b

I don’t know if this is the right channel for this, but is there any way to get the password to a pdf file?

Hi! Is there a way to improve the security of a http server in python?

yes

The only way is to crack it

We won’t help with that here

!rule 5

Right. It is the reason why I replied that it's even possible - not with ready-to-use recipe

Sure, your answer was fine

Yes- get the password from the Owner/Creator of the PDF file, thats the only real way- and they only way you should be doing

here is one way - https://github.com/codemation/easyauth

Thanks!

How do you store credentials in the environment in a virtual env?

Is there a way to do that?

And how does one store credentials using secrets instead?

@craggy lichen you don't store secrets with virtualenv. Virtual env is for you to manage python packages in a virtual environment so you don't have to install them globally and mess up other packages.
The reason behind it so you can have different version of a package installed and limited to the code you working with.

For secrets in general or variables... .env file has become a common thing, e.g: https://pypi.org/project/python-dotenv/
You store this in .env file that you never commit / checkout.
If you need to checkout your code, you can use git-crypt: https://github.com/AGWA/git-crypt

Or even better: BlackBox:
https://github.com/StackExchange/blackbox

But you don't have to checkout your code, you can use this encrypt your .env file.
Good luck reading! 🙂

Draw the LFSR of 1+x^2+x^5 and compute all the output sequences with start of [0 1 1 1 0].

what does this mean? my professor wants us to use pylfsr library, i dont really understand the documentation :c

@deep raft thanks. I thought .env files were for development and then you transfer them to the environment during production.

Will read the rest!

blackbox sounds difficult. I don't think I've ever used GPG before

I'll have a look at both though. It sounds interested to put secrets in github. I've been told not to do that

With Blackbox it's safe to commit your secrets as long as they are encrypted.

If your looking for offline, e.g not repo code, just encrypt your file with GPG without Blackbox.
I just recommended Blackbox since it takes care of everything, easy to use

But then if it's encrypted, how will my python code gain access to it?

I'd have to store the GPG somewhere right?

You have to trust the owner of the server when you run (the secrets file has to be decrypted), but let's say that you are taking backups or saving code on some shared server, then you can use GPG to encrypt secrets so they are only visible on the server where the code runs

well thankfully i'm the owner of the server

so i'll be encrypting the .env file, right?

and then decrypt it for use the dotenv_load

Can do that, but you put the password in the code then, might as well just leave it unencrypted

Unless you want the user to enter the PW at runtime, mind that the PW will be in the memory then

LFSR is just a shift register. There is quite nice article on Wikipedia https://en.wikipedia.org/wiki/Linear-feedback_shift_register
In your case poly should be fpoly = [2, 5] if I am correct. State can be any EXCEPT state = [0, 0, 0, 0, 0]

wait isn't the state [0, 1, 1, 1, 0]

Right, sorry. I was thinking forward that from any state we can iterate through every other

Why is

shell = True

considered dangerous in subprocess module?

if you have something like
subprocess.run(f"ls -la {folder}",shell=True)

then you can exploit this to run any command

using input like && echo "rce"

if instead, you do something like subprocess.run(["ls","-la",folder]), then that can't be exploited this way

@fresh flicker

OK

what that do?

show a incorrect output?

Hello, I’m being harassed online, can I share a post here to raise awareness about it?

idk maybe

no

Hello. I recently (2-3 days ago) bought VPS just to learn some stuff. I've installed apache2 and host flask app (simple app, returns 'ok' at '/') and attach domain. Today I checked logs. Is it normal that some, probably, bots are scanning my server already? Besides typical /login or /wp-login.php I see some weird stuff. I didn't share ip anywhere. How those bots are working exactly? Scanning random IP addresses?

there aren't that many IPv4 addresses

Ok so it's typical, right? Should I be worried? I have set up some basic security - strong passwords, change default ssh port, firewall, disable root login on ssh and stuff like that

Are your site was indexed by Google or other search engines?

I'm not sure. I attach domain to VPS on my vps provider admin panel, besides that I could share link to domain once on facebook messenger

I don't know how google indexing works, if it could index my vps by not adding it by myself manually or not

You can check your domain/IP in services like Shodan

If there are hits so here you are - bots come from those places

that's weird, domain was not found on shodan, but when I typed vps ip address, it shows informations about the server but also shows domain next to it, to some online store

btw. thanks for showing me shodan, seems like a useful tool

So you have used IP address, so funny

Your welcome, there are more services like this but I don't know all of them

Completely normal

Bear in mind whoever you rent the vps from has a limited IP range which bots will scan

You'll see SSH connection attempts as well as generic exploitation attempts with common web app vulnerability payloads

Just make sure SSH is set up securely and you don't have any random ports open

Thank you for the answer @woven gazelle

        while True:
            try:
                user_in = input("CyberCrack: CyberServe/scanner/wordpress/version > ").strip()
                if user_in.startswith("set") and user_in.split()[1] == "URL":
                    url = user_in.split()[2]
                elif user_in == "run" or "exploit":
                    initialize(url=url)
                elif user_in == "help" or user_in == "show options":
                    help()
                else:
                    no_such_command()
            except KeyboardInterrupt:
                return
            except NameError:
                fill_all()

in this code no_such_command() wont be executed

but fill_all() execute

pls solve this

first: it seems you'd want to ask your question in a general help channel

second: you have a NameError, which means you're using a name that isn't initialised

hw to fix it

I won't help you more, because this potentially breaks rule 5

!rule 5

!rule 1

!rule 1032

:x: Invalid rule indices: 1032

You have all the rules there: #rules

!rule 2

!rule 3

!rule 6

also seems relevant to this discussion

lmao why are you catching nameerror

because they are cybercrack scanner wordpress version

is there a way I can compress data (not file) into very very small string?

like from 2000 character to something like 1000 only or even less

depends on the data

if it's random data, you'll have a hard time reducing its size

it's an image encrypted to base64

kinda random depending on image

there's no library for it? or any easy way

I don't know

though I'm not sure this channel is the right one to ask this question

so where should I ask?

a general help channel (see #❓｜how-to-get-help)

I have a question about logging. Is there a better channel for that?

there doesn't seem like there's a way to win. I'm currently not uploading the env file and denying read access to anyone but the owner and hoping that's enough

@craggy lichen that's what I said, you someway have to trust the owner of the server. There is a chain of trust.

What you could do, is implement a logic in the code on the initialization to pull a config file from another server that you control, that way, in case of a compromise the file is not locally stored on the server where the code is. So you can block access to your server if something happens.

Maybe you could read a research paper on the problem:
https://scholar.colorado.edu/concern/graduate_thesis_or_dissertations/kk91fk911
"Securing Secrets and Managing Trust in Modern Computing Applications"

Thanks! Sorry for being dense!

hello?

ask away

you talking about @thorn obsidian

?

So I am building this security camera from a raspberry pi that has facial recognition, where when it detects a person it will send me an email and play a sound depending on the person. The only problem is that it does that every single frame, so I would be getting a million emails lol. I am trying to use epoch time but it does not seem to working. I will take a picture of my code and send it. Any ideas?

It starts at the if statements

@thorn obsidian that is not security related, check out #❓｜how-to-get-help

also please post code as text

not a picture of your screen

wheres the host file on windows stored

%SystemRoot%\System32\drivers\etc\hosts

and i presume the UAC will pop up if u attempt to edit it?

I don't know, I am not using Windows

ah alr

Why not use timedelta instead?

or rather have states.

so have an active state and an idle state. it starts in the active state, then when it detects something, take an image and move to the idle state for a certain amount of time.

You could use datetime.now() - datetime.timedelta(parameters) and see if it's more than the datetime before hand.

from datetime import datetime, timedelta
from camera import Camera

ACTIVE, INACTIVE = range(2)

def main():
    SecurityCamera = Camera("example@gmail.com")
    state = ACTIVE
    time_to_activate= None
    delay = timedelta(minutes=1)
    while True:
        if state == ACTIVE and SecurityCamera.detected:
            state = INACTIVE
            SecurityCamera.mail_picture()
            time_to_activate = datetime.now() + delay 
        elif datetime.now() > time_to_activate:
            state == ACTIVE```

something like this should do?

Better use enum.IntEnum as states.

You can also use threading.Timer to change state from INACTIVE to ACTIVE

hi can someone help or figure this out ?

assume i have code like this

aa = '\x4d\x4f\x52\x00\x00\x03\x08\x00\x55\x0d\x0d'
f = enc(aa) # aa -> aes enc -> base64 encode -> aa encrypted

test_dec = dec(aa) # aa encrypted -> base64 decode -> aes decrypt -> aa decrypted
test_dec

question, after i decrypted it, it become 'MOR\x00\x00\x03\x08\x00U\r\r' and not stay the same like before '\x4d\x4f\x52\x00\x00\x03\x08\x00\x55\x0d\x0d' how do i make it stay the same like before ?

What are enc and dec?

Those are your functions?

yes

it return strings

It's hard to say without knowing them, can you share your code?

ok

You don't need to paste whole code, just minimal example

Hello, can anyone please help me figure out what is a padding scheme in RSA

Hey I need help

Pls soemoen help

@joe

@mossy junco

First: don't ask to ask
Second: if it's general help you need, please use a general help channel

Uhh

I need help now understand

like I said: don't ask to ask and ask anyway

Oof stop it

I am not in the mood

just ask, really

What wdym?

what do you need help with?

I got brute forced what to do?

I installed something and now it's running in background and brute forcing my pc

What to do ?

what OS are you using?

Windows 10

can you identify the program running in the background (in the task manager)?

What to do?

@fluid verge

Uhh it's hidden

Should I send u the code?

The python code

It's an brute force file

:(

if you want to, go on

U know pythan I assume

I do

Hey @thorn obsidian!

Lots the code

What

I am dming u

okay

U there?

I didn't receive a message, so I'm waiting

Che k dms

Check u r dmss

@fluid verge u read it?

I read the file, yeah

What it does

How to remove it and all

Ppz tell

@fluid verge

I can't help you without a call context

@fluid verge what u mean?

@fluid verge what is that in short?

the huge string at the end of your file looks like a malicious load, but there is no reference to it anywhere else in the file, so it won't execute itself

Is that a bruteforce?

Or what?

I have no idea what it is

Like is that dangerous

Anyone else have?

bruh, just install malwarebyte !

I can dm u guys the file if anyone is good at it

payload .... ??

install fricking malwarebyte

@wispy sleet it would do anything

yes !

@restive hazel bruteforce

hmmm .....

U know?

i was testing it on multiple dangerous viruses..

just install malwarebyte

I used it's free trial

And it's hidden also

u have free option

Yeah

free trial is enough

yes

Ok

(usually)

yup

So then am I good ?

Are u sure?

:incoming_envelope: :ok_hand: applied mute to @wispy sleet until 2021-02-15 19:02 (9 minutes and 59 seconds) (reason: duplicates rule: sent 4 duplicated messages in 10s).

Ok

Lol

Sad

😭

reverse engineering time haha xD

hopefully, Malwarebytes will find and kill the process that's running in the background

I got the payload if you don't already, but it's too long for a discord message

other than that, it looks like a perfectly capable Minecraft server thingy

a gadget thingy, but hey! I'm not here to judge

Can you share me the payload. Maybe I can found smtg on it

ah, just some Minecraft account checker...... (Based on the file & thread) , it checks cape, pvp status, account ver across legitimate minecraft server (Hypixel)... and line 1178, its a type of payload, along with encoding.

@restive hazel so is it safe

?

@stone wraith

I need hel

P

Ppz

Plz

@buoyant tartan

Hello help me plz

@spice plover

Help me

Someone help me plz

@flat anvil

@ornate coral

Will anyone help me

@sick glen

Please don’t ping random people

Ok

Thx

Plz help

Ppz don't go

If someone has an answer they will answer, we are all volunteers

did you run it in virustotal

I didn't post the quaetion

I got bruteforced

Yeag

brute forced?

Yeah

I think so

I don't know why admin gone

explain

Uhh come on dm

Plz

I think there might be a misunderstanding. Staff members aren't available for on-demand on-call help.

Can u help me

I don't know what it is that you need help with.

Like plz

Can I dm u the code

Is it a brute force code?

Am I getting bruteforced?

Why is it that you want to DM people what you're working on? You can share code in this channel.

!code

What do you mean, "am I getting bruteforced"?

Becoz I can't send the file here

Hey @thorn obsidian!

You can copy and paste the code in question.

Look

It's long

!paste

Ok

Wait

Let me copy it don't go plz

I will look, though keep in mind that pinging random staff members asking for on-call help is wrong and I am not seeking to reward that behavior. I may not be able to answer your question.

plz

i am in need

sorry

That's fine. Did you paste the code?

!paste

how to paste it becomes a .txt file

That's fine. Please paste it and then put the link in this chat.

ok

i think this is the url

can u see the code?

Yes. One moment.

ok

take time its long sir

in the end whats the string is the burte force? in the background?

the end string is sus for me

ping me when u answer

if you don't know what the string at the end is for, do not run this program.

I ran it alredy lol

Can u take help with other so plz

I don't know enough about security to offer informed opinions. However, you should not run code from an untrusted source.

Yeah

But if it's an backdoor what to do?

Like how to re.ove it

I deleted the file

But if it's in the background

Then what

@magic barn u there bro? ( Sorry for ping)

I am no longer available to help with this.

Ok so whom should I contact with?

Like who is good at it?

You may have to wait for someone else to come along.

Ok

Whoever is availble for help ping me plz

Anyone for help available?

!run hello world

eek

hi

!print Hello world!

i need help

with what?

let em tell u wait

!print Hello, world!

oi

!print

!code

Does anyone here know changing mac address in windows

Are there any simple commands which we can enter in the cmd like:

ifconfig {interface} down
ifconfig {interface} hw ether {new mac address}
ifconfig {interface} up

in linux

Hello everybody. I am creating a function that at a certain time must generate an image via a site (fortnite-API)
if I send you the part of the code will you help me?

!request

!rules

How about https://docs.microsoft.com/en-us/powershell/module/netadapter/set-netadapter?view=win10-ps in PS?

Yes this one is good ||if not the best|| but it is not working when I type in Set-adapter...

operable program or batch file.```

This is the error

@lapis radish

Are you trying to type it in PowerShell?

No in cmd

Should I do it in Powershell?

property and retry.
At line:1 char:1
+ Set-NetAdapter -Name "Ethernet 1" -MacAddress "00-10-18-57-1B-0D"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Ethernet 1:String) [Set-NetAdapter], CimJobException
    + FullyQualifiedErrorId : CmdletizationQuery_NotFound_Name,Set-NetAdapter
``` It is coming like this when I try in Powershell

Ofc, CMD doesn't have cmdlets

Get-NetAdapter

At line:1 char:35
+ Get-NetAdapter -Name "Ethernet 1" -MacAddress "00-10-18-57-1B-0D"
+                                   ~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-NetAdapter], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Get-NetAdapter

Are you just pasting commands that I sent you?

Get-NetAdapter is to get available adapters...

Then use choosen name in Set-NetAdapter

Use general chat maybe, how is it related with security?

can i post a challenge here. it is security related as its reverse engineering-steganography?

As long as its not illegal or doesnt break any rules Id assume so

ok

Lost Files Challenge
So I have an image (512 x 512 pixels). and I somehow happened to mix up my files when I was copying them back over. and if you would be able to help me retrieve my precious files as they mean so much to me. I can tell you that the binary on the image has nothing to do with the hidden files I got a bit angry :slight_smile:. you can use any online tool or tools that you may know of. and you can create your own scripts that may aid you in the recovery of my files, there are 120 files in total. thank you in advance.
Image Link: https://ibb.co/7tbzC5n
who knows there may also be challenges in those files just for some added bonus if you get them.

Have you decoded the binary?

Then I'd check the file itself, since your told its 512x512 its likely it'll actually be 'bigger' under the hood so to speak. So likely something there

i made the challenge. just wanted to see if anyone wanted to give it a go

Ah

should have stated that

yea

well for anyone that may give it a go. good luck 🙂

@rancid ore solved

@fading plaza that was bloody quick

experience from ctf stego challs 😛

sighs

https://dontasktoask.com/

PrivateKey(203087101096906067215647033187908374281, 65537, 100280783047697899435315631453581430273, 180366354183713467841, 1125969984901120841) Can anyone explain me what rsa is returning in a private key tuple? I understand only exponent 65537, i was expecting one key.

So what you have is the following (in usual RSA notation): PrivateKey(N, e, d, p, q)

where N = p*q, d*e == 1 mod (p-1)*(q-1)

a RSA public key is the tuple (N, e), and a usual private key is (N, d), though you can speed up the decryption operation 4-fold if you use (p, q, d) as a private key, and use the Chinese Remainder Theorem to decipher the message

Is this the right channel to ask for help regarding github?

It depends If it's related with security go ahead

I can't get .gitignore to ignore my .env

so it kinda is 😛

So Im working on a JS discord bot, I've setup a branch template with .env containing just "TOKEN="

I've now created a 2nd branch, called current

The bot is only in a server where Im also in so it's dangerous in any way or form at this point

But it's also tracking .env in that 2nd branch

Looks more like #tools-and-devops for me

However show me your .gitignore

node_modules
.env
config.json```

I even managed to fuck up more, I removed the .env file from github itself

So it's Python server btw :v

it is

But im not here for help with the js part

this is just github trickery

Did you commit .env file before add it in .gitignore? Can you give me more details?

but now it won't even push due to version mismatch and pulling doesn't fix it either

No

The .gitignore has been there from the start

However, I didn't git init from the start

I made the template first, then did git init, added the readme, forgot I needed to do git init first, cut and pasted everything back in and voila

It's no matter when you call git init as far as I know

I see it's working perfectly for me - I created new repo, created file test, then call echo 'test' >> .gitignore and after call git status I see only .gitignore as an option

okay I managed to fix the pull within atom

so now I've got my branch current without .env

I've created .env

added TOKEN=test

odd

now it works

Magic

first time im really using github tbh

I think it's not related with your remote server

You just missed something

However if it works I am glad

just noticed

I managed to do the same trickery with node_modules

nobody will notice right

@obsidian sail

hey

can you send that code here so i can look at it

oh sure

import random
class Code:
    ascii_map = {i: chr(i) for i in range(128)}
    def Generatekey(self):
        keys=[]
        for i in range(0,128):
            keys.append(i)
        values=keys.copy()
        random.shuffle(values)
        encrypt_key={keys[i]: values[i] for i in range(len(keys))}
        decrypt_key={value : key for (key, value) in encrypt_key.items()}
        return encrypt_key, decrypt_key
    def encrypt(self,text,encryption):
        encoding=text.translate(encryption)
        return encoding
    def decrypt(self,text,decryption):
        message=text.translate(decryption)
        return message
keygen=Code().Generatekey()
encrypt=Code().encrypt(input("Enter Message You'd Like to encrypt:  "),keygen[0])
decrypt=Code().decrypt(encrypt,keygen[1])
print(f'Encrypt Key:    {keygen[0]}')
print(f'decrypt_key: {keygen[1]}')
print(f'Secret Message:    {encrypt}')
print(f'Message: {decrypt}')

what does chr do again?

it transforms an integer into a unicode character

if i recall correctly

converts an integer/char into unicode

ohhh i get it

guys what do i do about Trojan:Win32/Wacatac.D7!ml

i think i got it while trying to make a python file an exe

the one exe i download gives me a virus lol

pyinstaller?

this is your source file right?

then its just a false positive

yeah py installer

and somthing like nsis

yeah some AVs have issues with it

is there anything i can do to make windows not notify me every 10 minutes

yo

yo

anyone worked with python encryption?

https://dontasktoask.com/

I want to work on encryption and so far this is my code ```python
import random
class Code:
ascii_map = {i: chr(i) for i in range(128)}
def Generatekey(self):
keys=[]
for i in range(0,128):
keys.append(i)
values=keys.copy()
random.shuffle(values)
encrypt_key={keys[i]: values[i] for i in range(len(keys))}
decrypt_key={value : key for (key, value) in encrypt_key.items()}
return encrypt_key, decrypt_key
def encrypt(self,text,encryption):
encoding=text.translate(encryption)
return encoding
def decrypt(self,text,decryption):
message=text.translate(decryption)
return message
keygen=Code().Generatekey()
encrypt=Code().encrypt(input("Enter Message You'd Like to encrypt: "),keygen[0])
decrypt=Code().decrypt(encrypt,keygen[1])
print(f'Encrypt Key: {keygen[0]}')
print(f'decrypt_key: {keygen[1]}')
print(f'Message: {decrypt}')
print(f'Secret Message: {encrypt}')

i want to make it harder to decrypt through brute force.

I was thinking what I could do

how would the structure of my encryption look like

first of all, thats not how you're supposed to use classes

the right way would be to only create 1 instance of the class

and have encrypt_key and decrypt_key as instance vars

also, obligatory "don't roll your own crypto"

this is basically just monoalphabetic substitution which is pretty easy to crack

using freq analysis like https://quipqiup.com/

what does that mean?

was thinking about increasing the random range to 143,859 characters to include unicode

and allowing for unicode encryption

allowing for generation of between 1 to 2 key values per map.

or encryption it sequentially or 4 times

https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own

@obsidian sail the input charset is still the same

a-z A-Z 0-9

frequency analysis doesn't care about the output charset

i was hoping it would accept arabic too

and basically all unicode characters

but after learning about aes I'd like to work on it at a byte level.

hm arabic would be harder to freq analyssi

i don't know what that implies but i hope that's good for security

um monoalphabetic ciphers are still bad for security tho

yea probably gonna work on it at a byte level

i wanna see how i can implement things from aes to this.

const Jimp = require('jimp');

module.exports = async function createCaptcha() {
const captcha = Math.random().toString(36).slice(2, 8);
const image = new Jimp(175, 50, 'white');
const font = await Jimp.loadFont(Jimp.FONT_SANS_32_BLACK);
const w = image.bitmap.width;
const h = image.bitmap.height;
const textWidth = Jimp.measureText(font, captcha);
const textHeight = Jimp.measureTextHeight(font, captcha);
image.print(font, (w/2 - textWidth/2), (h/2 - textHeight/2), captcha);
image.write(${__dirname}/captchas/${captcha}.png);
return captcha;
}

help

What is "salt"?

@limber nacelle just a little extra on top before it gets turned to a hash

i'm using scapy: what does it mean when it says received X packets received 0 answers???

example:

Begin emission:
Finished sending 1 packets.
....................................................................................................q........^C
Received 108 packets, got 0 answers, remaining 1 packets```

You sent DNS query and no answer for this query was received (however scapy got 108 other packets)

wrong language, this is a python server

not JS

Hi guys

Hi, need any help?

import time
class Console:
    def WriteLine(text):
        WriteLine=print(text)
        time.sleep(0.3)
        return 'compiled in 0.3 seconds'
    def ReadLine():
        ReadLine=input()
        return ReadLine
Console.WriteLine('Hello World')
Console.ReadLine()

Bruh why fake the return and time sleep lol

👀 its supposed to be c#

ah, so it's just sniffing on the interface waiting for the right packets and those are just the other packets that arrived in the meantime, thanks for the explanation!

If you want a js server, I can dm you the invite to one. And please, use code blocks.

because the speed of python reading is not elegant

Hey i want to learn ethical hacking plz guide me with some tutorials

@shrulob#7172

Nvm he left

What’s this?

No way about it, this is JS not python

Can somebody tell me how to handle reverse shell using python.

I mean something like netcat which will listen on port for reverse shell and then issue some commands in it

Do you want to build your own reverse shell?

Stop replying to that js code

Why did you post it in a python server?

Yo

hi, you got a question?

No actually I just got unnbaanned so.....

Lol

Well the reason is also pretty interesting

okay... whatever don't pollute #cybersecurity, though

K

Well I got one dout

Will you be able to help or should I go to the networking tab ?

depends on what it is you're asking

It's security based on networking

So...

ok, so what's you question, just ask, and you could transfer it to #networks if we can't help here

Im wondering if there is a term for a site requiring a password and an additional password like a secret question? If I understand things right, this isn't multi-factor authentication because it is two of the same type of factor, aka knowledge.

i've heard it called memorable information

in a banking context

would that be a problem/

Okay cool thanks. I'm still learning so trying to understand how describe things intelligibly.

However it is a second factor of this same kind

So it is multi-factor authentication then?

In my opinion yes

Consider next example

You have two factors to authenticate user: fingerprint and iris scan

Both are "who you are" but in my opinion it is a two factor auth system

hmm interesting yeah I dont know what to make of it. Maybe it doesn't matter but I'm curious

#rules

Over here can I ask my pentesting douts ?

It looks like a good place

K

What's the logic behind the "blackeye" project in GitHub

?

Just realised there's a topical security chat.
#help-carrot

K

Maybe you can ans my ques

Which one? There are few blackeye projects

This one 👆 👆

!warn @hasty dawn Don't ask for help with phishing tools here.

:incoming_envelope: :ok_hand: applied warning to @hasty dawn.

Well ok

welcome to the python discord

When I try to use python Crypto RSA and generate a key it gives an error : module 'time' has no attribute 'clock' any solutions?

Thnx

U may try from time import clock

cannot import name 'clock' from 'time' (unknown location)

Pls send the part where the error is occurring

The Kali Linux logo looks op

from Crypto.PublicKey import RSA

def generate_keys():
modulus_length = 1024

***key = RSA.generate(modulus_length)***

pub_key = key.publickey()
private_key = key.exportKey()
public_key = pub_key.exportKey()
return private_key, public_key

a = generate_keys()
print(a)

@dim tartan you're using an outdated version of the library

time.clock has been removed in recent versions of python

So I can't use RSA in python3?

You have cryptography.io library

There are RSA, EC and other asymmetric crypto

no you can

its just that your version of pycryptodome is too old

update to the latest version

if you're using pycrypto, please update to pycryptodome

ok thank you

pycrypto hasn't been updated in a long time

pycryptodome is almost completely api-compatable

how do people send packets to routers with python

? wdym

I'm a newbie nvm

o

😏

Yhp

hi

Can anyone please tell me what is r in RSA-OAEP

coz i'musing rsa for a project

https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding#Algorithm

r is a randomly generated k0-bit string

Hey guys, I need some help about AES key transfer with Pycryptdome :)) #cybersecurity

I want to use a hybrid encryption protocol which works like this:

1. Create a key for AES protocol.
2. Send that key using RSA-PKCK_OEAP
3. Since both of them have same key, now turn to AES protocl
4. With using mode EAX, send "nonce, MACtag and message" together

Is it secure to send mactag and nonce directly without encrypt them again with key? Or the Pycryptodome module does it itself? I'm sending my minimized example code here bellow. (Note: I haven't got an cryptography class, so that I'm learning it by myself)

Hey @ionic flicker!

https://paste.pythondiscord.com/daqixonoqi.properties

Your security shoudn't rely on unknown IV/nonce

So, pardon me for not understanding it, you're saying me that security doesn't really depend on nonce or init.vectors? It doesn't change if I encrypted the nonce or MACtag, or something else.. I can directly send them on network?

I saw some CTF challenges that were based on IV/nonce manipulation to produce known plaintext with access to encryption/decryption machine without any knowledge about key.

However many file formats for example (like KeePass or LUKS as far as I remember) store IV/nonce in plaintext so I don't think that it's very vulnerable attack vector.

Oh thank you, okey then. I'll implement the method for my software.

Your welcome

Maybe there are smarter fellas whose have different opinions than mine

yeah yeah

How do I use proxies with the requests library?

https://requests.readthedocs.io/en/master/user/advanced/#proxies

after some basic help

whats the best way to post small amt code in channel

for an api, just do

import requests

url = '<your url>'

k = requests.get(url)

that's it

u can practice requests with beautiful soup or an api like https://openweathermap.org

I'm very new to this, but how would one go about encrypting a password and username?

More specifically, if I want to run a script on a server, how would I go about making sure that it (the username and password) is protected compared to plain text? I've heard of oauth2 connections but am very confused about the process

there is a possibility of sensible information be on plain text

like i dont even to acess the site or google it fancy, just use requests

I have an app. This app requires a license key to run it and I'll take that specified key on my site. My exe file request PHP file in my site to take that key but I don't want to that anyone can intercept web request and change it(like a burpsuite). I mean when my app request my site then if anyone change the response my file will accept a changed key. I shouldn't let this happen.

To solve this problem i thought like an algorithm that controls key integrity and accuracy.

the key consists of 5 part and each part consists of 5 number. it seems like:

43252-23523-62362-62363
the algorithm checks;

does the sum of the key equal to the specified integer?
does the last number in one section of the key equal the first number in the next section?
is the sum of the first 4 digits in any part of the key equal to the 5th digit when mod 10 is received?
what I want to ask is there an algorithm like this with other control mechanisms in python? or is there any way to do it?

@surreal rose usually for integrity you use a mac

such as hmac

what is hmac?

do you know what a hash or checksum is?

i know both of them yes

ok, so a MAC is basically like a hash with a secret key

it allows you to gurantee that the key hasn't been tampered with

and HMAC is just one common algorithm for a MAC

ok i will look it

thx

also this doesn't stop anyone from changing the key

why?

then how can i stop some poeple to change key?

@woven gazelle

why do you want this

i will make my program and i made license with cryptolens for this program the program have to send some key and information to cryptolens site

thats why

so if the license key is wrong, then it will just fail

what's bad about that

if someone tries to pirate your program, it won't work

if anyone create account in this site and change the information about request

he or she can use freely

well that's a flaw with your program then

wait so

what

your program downloads a license key, then sends it to cryptolens to check?

not download i will send key to customer

and he or she will use the program but

if anyone can write code or change the request which program send the cryptolens

program is used freely

thats why i want to check the key which receives program (my app)

your last message makes no sense

you want to check the key which the program receives?

when does the program receive a key

yeah

so i mean

it's almost always going to be trivial to pirate your program if your only anti piracy is an if statement checking the license

my man i will send key to the customer

then when customer write key the program, my program will request to cryptolens

if key is right cryptolens say to the program yeah its right

if itsnot say its not

when program send request to the cryptolens program also sends my user information

cryptolens will look at the license key by looking at my user information and verify if the key is available.

If someone else solves this and opens a different account in cryptolens and sets this information to query his own user account, then he will look at his user account and the license key he entered will be correct, so the application will be accessed for free.

Could I express it correctly

you mean changes your code/alters the request being sent?

alters the request being sent this part im asking for

r u there?

someone else should not change the web request sent by my program

you should proxy your cryptolens requests through your server, that way the key stays on the server and your local program cannot extract the key

hello

x)

Hey, what's up?

Hey i allready opened a help topic at florine

SIOCSIFFLAGS: Operation not permitted

Is it bad that I constantly spoof my MAC and HWID adress? (I am not qualified in the security field at all, I am a data scientist)

why tho

Hello guys, somebody knows where I can find documentation or information about how to develop an NIDS with python?

how to change proxy through python?

Not sure if this has been posted, but a 9.8 level severity issue has been detected (and fixed?) found in some Python versions, involving _ctypes/callproc.c, involving a buffer overflow due to unsafe use of sprintf:

https://nvd.nist.gov/vuln/detail/CVE-2021-3177

!code

print("hello") 

I have some code that i use to encrypt messages for a server and client that uses the cryptography module's asymmetric stuff, and at first i was getting an error:
ValueError: Cyphertext length must be equal to key size
Tracing back to the line where i decrypt, so i googled it and tried solving the problem by encoding in base64 before encrypting and decoding in base64 before decrypting, like so:

# Encoding (msg is of bytes type):
msg = base64.b64encode(msg)

# Decoding:
msg = base64.b64decode(msg)

But instead of solving it, i just got a different error, it encodes fine but on the line where i decode in base64 i get an error:
binascii.Error: Incorrect Padding
And i'm not sure how to solve this

Server - https://pastebin.com/MKsSz6sj
Client - https://pastebin.com/9C0Pf4Jj
Security - https://pastebin.com/r1Chmvqc```

Encoding/decoding with base64 is not a solution

Why when you send data you use decrypt?

wdym i decrypt

    def send(self, msg: bytes, crypt: bool = True) -> None:
        """
        Sends a message to this instance's connected client, and no others
        """
        msg_length = int.to_bytes(len(msg), 2, "little")
        self.sock.sendall(msg_length)
        if crypt:
            msg = self.security.decrypt(msg)  # <-- here
        self.sock.sendall(msg)

You are sending decrypted message and decrypting it on the other side

oops

i didnt notice

Double decryption?

    def receive(self, crypt: bool = True) -> bytes:
        """
        Receives, decrypts, and returns messages
        """
        msg_length = int.from_bytes(self.sock.recv(2), "little")
        msg = self.sock.recv(msg_length)
        if crypt:
            msg = self.security.decrypt(msg)  # <-- here
        return msg

let me go fix it and run it

yea i should encrypt it instead of decrypt it in send()

ok that was the problem

now i get a different error

hmm

Check your encrypt and decrypt methods.

Encryption: encode then encrypt
Decryption: decode then decrypt

Are you sure this is correct order?

shoot it's not

for decryption it shoul dbe like decryupt then decode right?

Right

You have ENCRYPTED(ENCODED(DATA))

So you need to decrypt it first

You can omit encode/decode and transport raw bytes but it's your choice

yeah no i still get the same error

😦

am dummy dumb

Check your send

What you are doing there?

Get message length, send it and then add padding, encryption and encoding

that looks right

How do you think?

i first send the length

Is the length same after those transformations?

wow true

oops

i would have NEVER thought about that

Padding can increase length

Encoding can change length (both increase or decrease)

still same error btw

UGHH

Encryption can also change length as far as I know because you are not using block cipher

whats a block cipher

kinda sad to see so many obvious but unnoticed errors in my code

Block cipher takes block of data (always of same size) and encrypts it

AES or DES are block ciphers

Block ciphers are better to encrypt data rather than asymmetric encryption

do they still have that whole asymmetric feature

cause thats kinda what im goin for

Nope, this is kind of symmetric encryption but there is something like hybrid cryptography

However you should start from the basics I think

when i first tried doing encryption stuff i did it for funzies but now ill have a project actually running on the internet and i think its best to actually have it be safe

so yeah

thats why i want asymmetric encryption

i actually got it to work in another project of mine but that was very different

It is working for me

>>> from cryptography.hazmat.primitives.asymmetric import rsa
>>> private_key = rsa.generate_private_key(
...     public_exponent=65537,
...     key_size=2048,
... )
>>> message = b"my secret message"
>>> public_key = private_key.public_key()
>>> from cryptography.hazmat.primitives import hashes
>>> from cryptography.hazmat.primitives.asymmetric import padding
>>> ciphertext = public_key.encrypt(
...     message,
...     padding.OAEP(
...             mgf=padding.MGF1(algorithm=hashes.SHA256()),
...             algorithm=hashes.SHA256(),
...             label=None
...     )
... )
>>> plaintext = private_key.decrypt(
...     ciphertext,
...     padding.OAEP(
...             mgf=padding.MGF1(algorithm=hashes.SHA256()),
...             algorithm=hashes.SHA256(),
...             label=None
...     )
... )
>>> message == plaintext
True

hmm

Are you sure that keys are valid?

idk what that means

as in they're the correct ones?

i am yea

I see that you send public keys through the network

ye

is there a better way to exchange them

Have you checked that server receives exactly what client sends?

oh

i should probably do that

let me do that

You can use Diffie-Hellman algorithm to create session key

yeah its the same

i checked it

How about your Security class? Have you tested it locally?

what does that mean

Open Python REPL and do what I did above

Encrypt and decrypt on same computer

so do that i added this at end of the security file and now i get

this

wtf i never even use '&'

oo i found an error

i was encrypting using my own public key instead of the other person's

so like the server encypts using his own public key and then beacuse of that the client doesnt know how to decrypt it

so i fixed that but i still get the same error

@lapis radish

Which one?

msg_enc shouldn't be a bytes type?

both

guess so, added .decode() when i check, but it doesnt get there cause of the error

still the & error when i test it and also the error when i run the server and client

that's a vs code error

try running it from the cmd

ah

I don't know about the server/client error tho

Researcher uploaded 3500 packages to PyPi that point to a malicious URL

https://twitter.com/DataNerdery/status/1366263351685226499

Social engineering is alive and well, apparently. Given that these packages rely on presumed familiarity ("numpyDjango") for their use.

It's also very reminiscent of a JavaScript exploit of the NPM repository that relied on a simple misspelling

The solution is to keep packages approved and local, with someone responsible for vetting

This is why I really like Docker Hub - you have official images that are shortnames (like ubuntu or redis) and you can publish your own image in your user-space (user/image)

U writing end2end chat?

Agreed. Abstracting the complexity away is always preferable. Of course, gotta have someone responsible generating those containers.

Wut

I mean you are writing E2E/P2P messages encryption ?

how to get the start and the end address of data region of a specific process?

how vunerable is a website running of a raspberry pi behind a home router with no security measures implement other then default ones???

It depends. If there are known bugs you can even perform RCE. However if you trust all of the devices inside your LAN don't worry.

I need to secure my web app how can I do thta

!voiceverify

i really appreciated man. thx for ur help. its sounds both more logical and nicer

This is a good place to start https://owasp.org/www-project-top-ten/

do u need python knowledge on bug huntign

no

most web exp can be done with just a browser plus a proxy like burp suite

python is just useful for automating stuff

i know you cant fully rely on it but cant you make your own encryption algorithm that does so much stuff that its unkown to the attacker what youve done, espically if you never disclose your encryption algorithm

Thats called security through obscurity and is generally considered a bad practice https://en.m.wikipedia.org/wiki/Security_through_obscurity

that's exactly the same as having a really secure secret password though

because you need to tell others how to use your encryption algorithm

which has the same flaws as a secret password

https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own

just use a well-tested algo like AES

though you still need to be careful how it's implemented

the really easy approach would be to just use something like https://cryptography.io/en/latest/fernet.html

where all the internal crypto impl is abstracted into a higher level api

looks interesting, but the security of the API depends on the implementation details of AES

Can it do anything the ssl module can't?

ssl also works ig

It seems they're both built on top of OpenSSL

Makes me wonder if there's a LibreSSL module for Python

Hello ! I'm starting cryptography and I wanted to try a very simple example to store a hashed password and compare it to the hashed version of a password entered by an user. Then I wanna compare it and if they match, grant the access to whatever is behind. Here is what I did :

first of all I use the hashlib librairy to hash using the sha256 algorithm.

import hashlib # this module provides many hash algorithms.

m = hashlib.sha256() #sha256 CAN NOT BE DECRYPTED. it is simply NOT POSSIBLE.
# more, it will also provide the exact same byte sequence if you enter the right password.

key = "<insert key representation here>"

print("Now, let's play a game. The public key is the following one :")
print(key)

passwd = input("Type your password : ")
m.update(passwd.encode('utf-8')) # we encode the password to bytes.
encrypted_passwd = m.digest() # at this point we can store the encrypted password in there.

# It is pretty much public. Now let's try to guess this password from the public key.

if encrypted_passwd == bytes(key) :
    print("You're right ! The password was xxx")
else : 
    print("You failed miserably.")

Now what I don't know how to do is to store the right hashed version of the good password in the "key" variable so that I can compare it with the hashed version of the password provided by the user, but I can't figure out how to do it. Any clues ?

You should consider using PBKDF2 and not SHA256 for storing passwords

why ?

Also I managed to store the hashed password in a fine in binary mode and read it, so it's all good

It's slower by design

but is PBKDF2 more secure ?

Since it's slower it's harder to brute-force

That's the only real difference between them, they're both good options

but isn't a 256 bits hash physically impossible to bruteforce ?

https://crypto.stackexchange.com/a/1160/23623

I saw this thing online

You don't bruteforce it bit by bit

oh yeah

You use a wordlist

yeah sure you're right

it's funny how only hashing algorithm are better because they're slower

True lol

This might be of interest to you: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

thanks a lot ! My little program was for educational purposes only, so this will be coming handy :)

Also... passwd = input("Type your password : ") --> passwd = getpass.getpass("Type your password : ")

Just hides to password from being displayed when you enter it

yes I saw that one afterwards, thanks as well

Not a big deal when it's not attached to anything, but good to know for future reference

actually I would like to try this to crack a password with my code : https://github.com/hashcat/princeprocessor

this or any cool bruteforcing algorithm

Maybe try it on some of these https://weakpass.com/wordlist

guys i am using an external backend with heroku to authenticate users and i want to make a register, should i hash passwords client side? if i dont doesnt that mean that a plain text password is being sent to a server which is unsecure..?

Are you not transmitting data over TLS?

what is tls

Client-Server encryption

i dont know

im new to this

this is scary

Tried bruteforcing using a 500k words dictionary

I'm hashing the password every single time

What hash is it?

sha256, I believe python hashlib I'm using don't support PBKDF2 (yet ?)

actually I'm pretty sure a good number of passwords in the world is made up of one of those words with one to three letters afterwards

Try to add salt and/or peppers

after trying with a few capitalized letters Any "simple" password made of a word and a few numbers could pretty much be bruteforces in matter of seconds (way more if the password verification is made server-side)

what is sald/pepper ?

I heard of it but I don't how what it exactly is

Here's the function for PBKDF2 in Python: https://docs.python.org/3/library/hashlib.html#key-derivation

thanks !

A salt is a unique, randomly generated string that is added to each password as part of the hashing process. As the salt is unique for every user, an attacker has to crack hashes one at a time using the respective salt, rather than being able to calculate a hash once and compare it against every stored hash. This makes cracking large numbers of hashes significantly harder, as the time required grows in direct proportion to the number of hashes.

Salting also provides protection against an attacker pre-computing hashes using rainbow tables or database-based lookups. Finally, salting means that it is not possible to determine whether two users have the same password without cracking the hashes, as the different salts will result in different hashes even if the passwords are the same.

Pepper is the same thing, except it's stored externally and shared between all passwords

alright

cryptography is truly fascinating

I wonder when there will be a new AES

Can i encrypt / decrypt pieces of text with hash functions ?

Hashes are one-way, so no

what's AES ?

okay

But can I create a program that will decrypt a program only if the right password is provided ?

like, using the password as a key ?

without the possibility of reading the text by reading the code

Yes

AES is the Advanced Encryption Standard

Currently Rijndael

https://www.youtube.com/watch?v=O4xNJsjtN6E

thanks !

It's complicated stuff

You'll watch this and end up more confused than before you watched it

well, I truly can't thank you enough for the introduction you gave me to cryptography, but I think it's time for me to take a good night of sleep lol

have a good day / evening, whichever time it is for you !

yeah lol I guess it makes sens

You too

thanks

o_O i think thats (theoretically) vulnerable to a timing attack

use hmac.compare_digest to prevent that

Hello!
I am using a VM to run Kali Linux.
It runs perfectly but when I tried to shut it down it just “crashes”. It just stays on the shut down screen and I can’t even exit full screen. I am using Oracle.

Probably has something to do with ACPI

Try poweroff from the terminal

hello

how ae you guys

hi, what's your question or remark concerning security?

absolutely nothing

im just bored af

then you can go to #python-discussion

aahhhhhhhhhhhhhhhhhhhhhhhh okkkkkkkkkkkkkkeyyyyyyy

yeah, because of rule 7

!rule 7

hi

i need help with kali linux

Any details?

I have a question how hard is to take a persons info and play follow the persons employer because the last 2 places my father has gone to for worl has been ransomed

I am thinking they have his info and are playing follow the bouncing ball and hacking where ever he goes knowing that it will probably be a easy target as he will be new there

Hi

This question is to anyone in the world that has the understanding to help me dm me please

depence on the person and how strong there security is
if u are encountering with this maybe try ure local authorities
also a password reset onto everything would be a good idea

How hard is it to track

A user using social media

Track what?

Tracking a person can be easy or hard, depending on this user activity in the Internet

Ok thank you

What if they got a linked in account

Ok sorry

And never mind

And thanks

im trying

to crack my own wpa2 encryption

cant

it just retries the same pin

reaver –bssid (mac address of wifi) –channel (number) --interface wlan0 –vvv -no-associate

Doesn't Reaver only crack WEP?

nope

dumb question but does your router have WPS?

It would need WPS and for it to be enabled and for it to be old enough not to protect brute force on the WPS PIN

You can't really 'crack' WPA2 it's other mechanisms around it that might have vulnerabilities

It happens sometimes

true

Guys, do you think that keeping packages for your web application outdated can lead to GDPR (EU) penalty?

@floral adder potentially, yes. Organizations are required to implement "reasonable" data security protections. So, you should at least have reasonable package upgrading guidelines and protocols inside your organization, and follow them. If some breach happens, and it is determined that it was caused by an out of date package, you can at least show that you were following your "reasonable" package upgrading/updating guidelines.

Thank you for the answer, it's very useful! I was struggling to find any info about this topic

@floral adder No problem. I'm no expert, but I'm required to pass a GDPR exam every year (from my employer).

internal exam in your company, right?

Yes, but they use a vendor for the courses and training. This is mostly for certification compliance

May I ask in which country? I'm doing research for a small company that I work for

US-based

Oh ok, so I need to keep looking in my country then 🙃 Anyway, thanks again for the answers! cheers

Ya can’t seem to crack wps 2.0 with reaver

Word list is just too big

Is anyone familiar with ssl? I'm having a nightmare of a time trying to get it to work

SSL is a nightmare itself, and SSL alone is not used anymore, only SSL-TLS variants afaik

If you want to implement your own thing or just break something then you would have to understand how Diffie-Hellman works and understand lots of math and cryptography basics, which is pretty hard tbh

It may not be a good place to start playing with security

My problem isn't understanding SSL, its using the ssl module in python. I need to use anonymous diffie-hellman, specifically ADH-AES256-GCM-SHA384, in TLS 1.2. Running openssl s_server -accept localhost:8080 -tls1_2 -cipher ADH-AES256-GCM-SHA384:@SECLEVEL=0 -nocert from a terminal does what I want, however when I try to recreate that with python's ssl,

context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
context.set_ciphers("ADH-AES256-GCM-SHA384:@SECLEVEL=0")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
sock.bind(("localhost", 4443))
sock.listen(0)
ssock = context.wrap_socket(sock, server_side=True)

I get a server side error no shared cipher

hey guys, i'm a newbie in this area and I'm not sure what I'm talking about, might not even be an issue and might be posting this in the wrong channel but here we go...
I'm having a lot of excel documents sent to my email that I plan to fetch with some pyhton code and take the contents of a specific sheet and throw it in a database on a sql server. It's fetched by putting it in a pandas dataframe and imported to sql. Now here's my quesion, how would I secure that the contents isn't some kind of inject attack or what ever it's called...?

As said go easy on me, I'm green as hell on this 🙂

Prepared SQL statements

so basically, don't use pandas.to_sql() to import to db

@topaz fable Do they [pandas] mention that to_sql is insecureunsafe?

@stiff acorn no, but not stating it is safe neither so i'm a bit better safe than sorry i guess, but as said I got no knowledge in this area

@topaz fable I do think that it is safe, being such a popular package, I don't think they would expose their users like that. Do you have examples of some of the attacks that you are anticipating? Try applying these attacks on the library and see how it responds.

@untold ermine Have you made it work? I couldn't reproduce this issue, context.get_ciphers() has everything it should, no errs for me

I haven't been able to get it to work. When I connect to it with openssl s_client -connect localhost:8080 -tls1_2 -cipher ADH-AES256-GCM-SHA384:@SECLEVEL=0 or an http.client.HTTPSConnection with the same context setup it crashes with the no ciphers error

Can you put it in 2 files maybe? I mean like server.py and client.py, it may be hard to tell whats wrong without testing it all the way

I have 2 files. One with the server code above and a client with py context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2) context.set_ciphers("ADH-AES256-GCM-SHA384:@SECLEVEL=0") connection = http.client.HTTPSConnection("localhost", "8080", context=context) connection.connect() Which can connect to the server created by openssl s_server... but not to the python created one

context.get_ciphers() on the server side and client side include ADH-AES256-GCM-SHA384 but it can't seem to agree on it

Thanks man, good approach. Gotta read up on that.

Thanks

idk if it belongs here but i wanna make an alert system basically whenever a token grabber/logger whatever u call it tries to access the place where the token is stored something is triggered

i dont know how to start with that

discord token

What module did you use @pure cairn

In python

i didnt use any i want to start from scratch i want some guidance

Ok

possibly modules and and links to docs