#cybersecurity

with p_1 + ... + p_n = 1

So I can pick any?

what do you mean?

like Can I plug any number into x

okay, let me give you an example of a discrete random variable: let X be the result of an unfair dice (so the x_is are 1, 2, 3, 4, 5, 6), and lets say that P(X)(1) = 1/2, P(X)(2) = 1/4, P(X)(3) = 1/8, P(X)(4) = 1/16, P(X)(5) = P(X)(6) = 1/32

so entropy is just advanced probability

not exactly, but you could think of it that way

in the terms of cryptography what can it be used for

the computation of the entropy of X (H(X)) would be (using the definition of expected value for a discrete random variable) :

H(X) = 1.9375 bits```

In terms of cryptography, entropy gives you upper bounds of the information amount you leak through ciphers

I see

for instance, you can prove that there is one and only one cipher scheme that does not leak information at all (as long as you can distribute the keys securely)

In pseudo-python 3.10 code, it would be something like that:

def vernam_cipher(message: iterable[bits], key: iterable[bits]) -> iterable[bits]:
  for m, k in zip(message, key, strict=True):
    yield m ^ k

Hey guys, I would like to learn cybersecurites, but I don't know where, some know where I would learn it.

https://www.udemy.com/courses/search/?q=cybersecurity&src=sac&kw=cyber

there's also a lot of free courses, oftentimes better than the content that udemy puts out....

what about cybersecurity interests you?

i would reccomend CTFs

Hello, is there a way I can have custom AES encryption/decryption in Python? I am looking for a lib that allows me to set custom ENC and DEC keys

http://icyberchef.com/#recipe=AES_Encrypt({'option':'Hex','string':''},{'option':'UTF8','string':''},'CBC','Raw','Raw')AES_Decrypt({'option':'Hex','string':''},{'option':'Hex','string':''},'CBC','Hex','Raw',{'option':'Hex','string':''})

@dawn flax Whats that?

It is a multitasking program that allows for type of encryption,encoding,compression,and data anaylsis

Well I need a solution in python for what I am doing

This is what I have in js which is working at,

function encrypt(bytes, iv, encKeyRounds) {
    const aesCbc = new aesjs.ModeOfOperation.cbc([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16], iv);
    aesCbc._aes._Ke = encKeyRounds;
    const encryptedBytes = aesCbc.encrypt(bytes);
    return aesjs.utils.hex.fromBytes(encryptedBytes) + aesjs.utils.hex.fromBytes(iv)
}

https://pycryptodome.readthedocs.io/en/latest/src/cipher/aes.html

thats what im using rn

but icant find a way to change the ENC and DEC rounds

do pip install pycryptodomex

I am using it bro

oh

Check this

        cipher = AES.new(request.key, AES.MODE_CBC)
        cipher.encrypt(pad(data, AES.block_size))

So this creates a new cipher

with its own ENC and DEC rounds

I need to intercept that but I cant find any reference

https://pypi.org/project/pyaes/

seems to allow for rounds

Thanks!

you're welcome 🙂

I have a simple Password genarator but it dosent work

import random
    passwort(länge = 16):
    buchstaben = "abcdefghijklmnopqrstuvwxyz"
    ziffern = "0123456789"
    sonderzeichen = "!$%&.#_§)@"
    zeichen = buchstaben + buchstaben.upper() +\
              ziffern + sonderzeichen
    passwort = ""
    for i in range(länge):
        passwort += random.choice(zeichen) 
    return passwort
print("Langes Passwort: ", passwort())
print("Strukturiertes Passwort: ", 
      passwort(5) + "-" + passwort(5) + "-" +
      passwort(5))

Why it dosnt work?

What do you mean?

Why you don't have def before function declaration like def passwort(länge = 16):?

!t function

!e

import random
def gen_passwort(länge = 16):
    buchstaben = "abcdefghijklmnopqrstuvwxyz"
    ziffern = "0123456789"
    sonderzeichen = "!$%&.#_§)@"
    zeichen = buchstaben + buchstaben.upper() +\
              ziffern + sonderzeichen
    passwort = ""
    for i in range(länge):
        passwort += random.choice(zeichen) 
    return passwort

print(gen_passwort())
print(gen_passwort(5))

@lapis radish :white_check_mark: Your eval job has completed with return code 0.

001 | Xl7SwdgUi9DAYGYC
002 | Cbb57

Oh i have forgot that thanks

pwgen is a pretty good library for generating passwords. There's always the option to "borrow" source code from there.

lmao this is new, borrowing code from libraries, I've just been looking at source code to understand how library methods work or what parameters they need lol

and try using os.urandom to generate random bytes and the encode them in base64 to make some sense off of it (for having a password ofc)

!e

import os
import base64

rand_bytes = os.urandom(16)
print(base64.b64encode(rand_bytes).decode())

@near abyss :white_check_mark: Your eval job has completed with return code 0.

b'Pm//3ZyDOLLPnpRmcfyTfA=='

yaay

Are you talking about this?

!pypi pwgen

If you want to write smart password generator you should take a look on Markov chains

It’s simple and elegant way to generate memorable strings from letters or even words

I think you should use the Secrets module

Anybody need a password manager i wrote?

Since we're on it i thought id advertise lol

If your project is open-source, you can share it here

Yeah, i got some "fix-error" to do lmao
I'll share when its somewhat better lol

I created my own version of an encryption and decryption system in javascript. But, you have to type in the keys, instead of being the keys being automatically generated. I'm still working on that.

What encryption system are you using

Are you using Aes?

RSA

the simplest

I think

Well RSA is simple to program

import random
def gen_passwort(länge = 16):
buchstaben = "abcdefghijklmnopqrstuvwxyz"
ziffern = "0123456789"
sonderzeichen = "!$%&.#_§)@"
zeichen = buchstaben + buchstaben.upper() +
ziffern + sonderzeichen
passwort = ""
for i in range(länge):
passwort += random.choice(zeichen)
return passwort

print(gen_passwort())
print(gen_passwort(5))

def gen_passwort(länge = 16):
    buchstaben = "abcdefghijklmnopqrstuvwxyz"
    ziffern = "0123456789"
    sonderzeichen = "!$%&.#_§)@"
    zeichen = buchstaben + buchstaben.upper() +\
              ziffern + sonderzeichen
    passwort = ""
    for i in range(länge):
        passwort += random.choice(zeichen) 
    return passwort

print(gen_passwort())
print(gen_passwort(5))

!e

e

Hey @frigid egret!

import random
def gen_passwort(länge = 16):
buchstaben = "abcdefghijklmnopqrstuvwxyz"
ziffern = "0123456789"
sonderzeichen = "!$%&.#_§)@"
zeichen = buchstaben + buchstaben.upper() +
ziffern + sonderzeichen
passwort = ""
for i in range(länge):
passwort += random.choice(zeichen)
return passwort

print(gen_passwort())
print(gen_passwort(5))

https://paste.pythondiscord.com/ihanajuvex.py

the usual disclaimer about not using your own crypto code in production code (educational purposes is fine) applies

same disclaimer, "don't roll your own crypto"

@fading plaza Of course, I would never use my own crypto system in actual websites, oh nonononononon, this is just as a side project, because I am fascinated by cryptology.

👍

Yep. You can download it using pip install. It's in the standard packages. It's great because you can customize the length and the number of special characters you want in it. Just a quick tool just in case you don't want to implement something like this yourself.

unless if know what you're doing

You can also use this in the command line as well. pwgen -1 12 -y for instance will create a single password of 12 characters and one special character.

Yeah, thats absolutely why i made this thing lmao

can someone help me?

with what?

Is 5 byte key on xor equal to base10 range of 99999 or do I got it wrong?

bflag = bytearray.fromhex('2e313f2702184c5a0b1e321205550e03261b094d5c171f56011904')
KEYS_5B = tuple(x for x in range(99999))
``` I think Im overdoing that range

KEYS_5B = map(bytes,itertools.product(range(256),repeat=5))

i think @dapper verge

though you could reduce that range to just range(32,127) if your key is only printable ascii chars

does anyone know to deobfuscate pyarmor

v b

is this for me?

Hello , I've been doing some taint analysis with intel's pin tool , the issue is , when my program is compiled , throws this error invalid conversion from ‘VOID (*)(LEVEL_CORE::IMG, VOID*) {aka void (*)(LEVEL_CORE::INDEX<1>, void*)}’ to ‘LEVEL_PINCLIENT::INS_INSTRUMENT_CALLBACK {aka void (*)(LEVEL_CORE::INDEX<6>, void*)}’ [-fpermissive] INS_AddInstrumentFunction(Image,0) , is there something trivial Im missing out on?

nice

This may be a silly question but how do I write incoming information on my simple server, to a file.

What server do you have? How is it related to security?

A simple http server. And I want to see the activity for the day, if I’m not sitting in front of the server. I want it to write everything that happened to a text file, all incoming and out going information.

What do you mean by "simple http server"?
Apache? NGINX? Your custom one?

Custom one with python, local host server

So you want a log of all requests?

Norton internet security sucks

can anyone decompile a pyc file for me?

i tried to use python-decompile3 and i cant install

Just change the file extension from pyc to py

What are your favorite things to do in the realm of cyber security?

Ethical Hacking

Information security

Same

Ethical hacking has a more profound reason and also is a catchy name to flex it as your occupation

Lol im jk abt the last part

Very true😂

xD

Hi, i'm making a diary program, and a notable thing to take into consideration is security and privacy. I'd like to encrypt the users' diary entries, but i'm not exactly sure how to do this securely. Right now, there's token-based authentication on a Flask server, and i'm not quite sure of any ways to encrypt the entries based on that.

One idea from a friend was to make a key from the password and a salt when the user logs in, and save that to a database for later, and delete it when the session ends. Would this particular way be secure enough?

One problem with that is that i wouldn't be able to decrypt the entries when the password changes, so I don't want to do this. Does anyone have a solution?

where are you hosting it? in AWS you can use secrets management, in Azure you can use Key Vault

i am hosting it on my own machine as of late

When you save the key during session lifetime so I can say that it's not secure

You should encrypt whole data on the client's side

You can add one additional layer of encryption on server side but you shouldn't rely security on that

why should i encrypt data on client side?

i'm curious

Image that I am the creator and owner of the diary website. Do you know me? Do you trust me?

I don't think so

Then the only way to protect your data is to do it on your own

On the client side

This is the method which prevents your data from being read by me and my staff

Additionally I think that making whole client-side code as an open-source is the best solution at all

guys, how do I get started with security

I am quite proficient in python

I

I've been following

What's his name - Umm, Liveoverflow

But he's too complex

well, that's a start indeed

I don't understand all his videos either, don't worry about that (and I'm a future cybersecurity engineer)

i'm quite interested in cyber security as a whole

I'm in my 3rd year of my undergraduate degree

in computer science

Can you maybe recommend some channels

?

i don't really follow any other cybersecurity channel for now, though Computerphile sometimes mention security concepts (in a mostly accessible way)

aight

what's the road that you are taking>

*?

I mean

Considering you are a future cybersecurity engineer

I am technically a mathematics student 😂

In all seriousness, I am a MSc cryptography student (information theory mathematics) (it's my 5th and final year of undergraduate studies

I'm currently in an internship at a cybersecurity company that aims to evaluate and secure things like cars against cyberattacks

That's sooo cool 😮

What do you mean by "security"? It's big area when you can protect things, break things, work on new algorithms and so on

I know I know
I'm just intrigued by the concept

Hence wanna explore

and find the branch that I would go forward in

implementing algorithms, seeing how bad your implementations are, learning how to improve your implementations, and doing that all over again...

You should start with learning basics like what is cryptography, what is hash function, what is cipher, what is block cipher, what is stream cipher and so on

yeah, cryptography is basically the base of all cybersecurity, in my opinion

I know hash functions and hashing
But I'll be starting in deep with it thanks

Have you tried to implement any hash function?

Do you know what is the difference between one-way functions and cryptographic hash functions?

If it's interesting topic for you (for me it is) you can dig deeper and deeper 🙂

Yes I have
Had some practicals on it

For example one of my friends didn't like cryptography so much and he tried to check how programs protect against debugging

I get your point

Just need to start

I mean that this is also part of security. He tried even to break some simple malware anti-debug mechanisms or something similar

Hi, how can I tell if a Demandware site has activated bot protection at a given time?

By bot protection you mean scrapers detection?

is there malware analysis tools for python?

Hi, I'm trying to create an openssl certificate.
While generating the certificate and key, it asks for PEM pass phrase and then to verify it.

We dont need to remember this PEM pass phrase except for verifying?
And openSSL will use that PEM pass phrase to generate the certificate?

Probably there are apis

Yeah openssl does all the work. Ftp server program that I wrote uses the certificate and when someone runs the program it asks for the pass phrase, so I generated the certificate without a pass phrase

random question is there a python library that checks for unauthorized code injections into a website

As far as I know passphrase is used to protect your private key

The passphrase is used to encrypt your key. For convenience purposes, you can leave it blank

Yeah, nice.

If you are referring to sql injection, maybe give this a read:
https://realpython.com/prevent-python-sql-injection/

learn cryptography

Guys, I found a malicious library, how do I report it?

I researched the hell out of it and it doesn't seem to do much

https://pypi.org/security/ - you report it by email to security@python.org

Hi, is there any way to check if the user is tabbed in a specific program?

Are you mean that window is active and focused?

yes

As far as I know it's possible, for example take a look at QFocusEvent https://doc.qt.io/archives/qtforpython-5.12/PySide2/QtGui/QFocusEvent.html

thanks

Thanks, I already have

is there also a library that checks for cross site scripting in python

Honestly, I'm not sure.

If you’re on Windows you can also use the Windows API wrapper http://timgolden.me.uk/pywin32-docs/contents.html

I'm having some troubles, recreating this in python https://github.com/bitclout/identity/blob/625a4d2ced749c739850b2bbc3becc4c05740fda/src/app/crypto.service.ts#L123 . Not sure what lib I can use, or how an elliptic curve even works

src/app/crypto.service.ts line 123

seedHexToPrivateKey(seedHex: string): EC.KeyPair {```

So I am looking to recreate a minecraft name sniper and I was wondering if this repository is safe to use, since I will be testing it and work based off this project. https://github.com/MCsniperPY/MCsniperPY

well you can check to see if it has any explicitly malicious content

but even then you have no way of knowing if it will become malicious with an update

particularly for something unethical/ToS breaking like this

i checked the main .py and the .sh files and they all seem to be fine, but is there any chance that something can be like hidden and obfuscated?

I use a cookie to see if a user clicks "view mobile site" or "view desktop site" as an override. if they request url?mobile=1 on desktop, the cookie gets set to mobile, for example. I realized that the way I have this setup is vulnerable to CSRF. I want to implement protection against it as good practice, but I'm not sure what to use because importing an entire forms library for this seems kind of overkill

I thought I could just make it a POST request, but apparently not all POST requests trigger a CORS preflight, which is rather annoying

I was trying to understand how CSRF tokens work to better make use of them but I am kind of confused.

I don't understand how CSRF tokens can be both stateless and secure, because if it was stateless couldn't someone reuse it?

actually you could have a session cookie and make the validity depend on the csrf token combined with the session cookie or something

Still need assistance on this? penetration tester here..

I think I figured out a way to do it. Instead of having a form at all, I just had the client assign itself a cookie using javascript. That's good enough for me

👍 👍

Can we make a AI Voice Assistant in Python?

wrong channel

Can anyone tell me or give me link that how to get reverse shell with digispark?? pleasee need urgent?

Gotcha

Give me a sec

Here is the wiki https://digistump.com/wiki/digispark/tutorials/connecting

Hello 👋

I am doing a course on ethical hacking online
I want to ask that -
IS IT COMPOULSARY TO DOWNLOAD KALI LINUX TO LEARN ETHICAL HACKING OR PROGRAMING ?

It’s not necessary but it would probably help

Basically what Ryann said... You can hack with any OS but Kali is recommended because it comes pre installed with a lot of basic tools for hacking/pentesting

Hello, there is a way to create a token like OTP that is available for a period of time for severall users ?

Not that I know of.

For example you can share the TOPT seed with several users but why?

This is for a specific request, a discord server that is public but with external members (such as visitors) and internal. So it's to add roles to them automatically with a minimum of security

hi

Hi all, just wanted to share a short introduction to EasyAuth & FastAPI
https://joshjamison.medium.com/creating-secure-apis-with-easyauth-fastapi-6996a5e42d07

yes bcuz kali linux is an operating system that offers many penetration tools for ethical hacking

Hey @ruby bough!

Hey @ruby bough!

What's the best way to store my credentials safely? In an encrypted file?

Can you provide more details?

How should I store API keys?

Securely

😂

I think that putting in env vars is not the worst idea

Probably

Not really sure what is the best idea

Maybe env vars:

• you don't have single file when you store your configuration (like .env),
• attacker need to login on specific user (and specific process as far as I know),
• everything is inside RAM so shutting machine down will free your data.

sounds good

thanks

good pentesting resources?

Don't even trying to be an ass, but googling exactly what you just wrote should give numerous good examples.

hello

what the first thing one should learn to be a security researcher
I'm going to learn it

Can anyone show me the direction : Google is just confusing me

What do you mean by security researcher?

I mean to get into Cyber Security

You can do many things in cybersecurity - secure and verify code, secure infrastructure, perform penetration testing and even invent and develop new algorithms and protocols

Sorry if this question doesn't make sense

but I want to find bugs so what should I get into

Oh, no. I just want to make sure that I can cover area choiced by you

I have no idea if what I'm saying is making sense or not

Do you have any experience in web or mobile development (or any)?

nothing

I'm just learning python

Hmm

So to get into what I'm saying what path should I follow

like roadmap to be Bug hunter

I've heard something like Pentest Sql injection but I have 0 idea about those things , I want to learn but don't know what are the requirements for this

You can start by trying to find some capture the flags (CTFs for short) but from my point of view you need to have solid background about what is computer architecture, how computers works (memory management, what is process, what is buffer overflow) and so on

However I am not bughunter, I just tried to do some CTFs for fun few years ago

Looks Like I've found my answer

thanks. I appreciate you

https://giphy.com/gifs/outlander-season-4-starz-WO5Q7FsxJN2pjYc424

another stupid question :- I mean I have to watch video on youtube about memory management or what?

Hmm, I had classes during my studies about computer architecture but YT videos probably are good start point

thanks

i already did that? just asking to someone to recommend one of them. there are thousand of courses but which one would you recommend? you dont really have a point here

I'll ignore the retort, that is on the path to a much better question good work.

can a browser parasite damage my computer?

im trying to understand RSA encryption

and how to implement it into python myself

i am aware that there are libraries for it

but i need to do it with my own code

https://www.cs.drexel.edu/~jpopyack/IntroCS/HW/RSAWorksheet.html

i have gotten a handle on it with that website

but im not understanding how he gets the values for 1 mod(r)

cause if i plug it into my calculator i just get 1

for the values K such that K % r == 1?

uhhh

im not sure lol

actually yes

well, the values of K such that K % r == 1 are K = n * r + 1 for some integer n

great thank you

something like that is what i was looking for

you're welcome, then 😄

What exactly can be retrieved from a __pycache__? Source code only or even some values taken by vars? See how sensititve it is

Looks like it’s fine

@blissful raven pyc files, which can be decompiled via uncompyle6 and friends

to reconstruct equivalent source code

TLDR: __pycache__ leak is basically the same as a source code leak

anyone want me to pen test their network for free lmk

I....

that sounds hella sus

i know but its legit lol

Nobody is ever going to trust you

it's alright saying that you'll pentest a network

i dont expect anyone to pay me for it, im not extremely experienced

but how do they know that you won't do anything to their network if you do find a hole in their security

but i know how to work my way around networking so

yea hmu

Lol pentest is usally done under heavy contracts, no one is going to allow a random guy to pentest their system and its funny you actually thought to ask...

i know but its worth a try, just want to get some experience

hes trying to hack us!!!!!!!!!

lmaoooo

i am not gonna let u pen test my network lmao

ok then just say that

Go to hackthebox and show your skills there

yte even if ur not doing it maliciouslyi wouldnt let u

i cant be bothered to set up another vulnerable machine its too much effort

@icy sandalthis is something that should be left to professionals with whom one can make legal agreements. Please don't offer this service through our server.

you lot need to calm donw

down

I... what........ if you think setting up a machine is too much effort, maybe pentesting isn't for you

Let's all drop it for now.

its 2 in the morning i cant be arsed right now

Again, no pentesting arrangements should be made through this community. That's all that needs to be said

why dont u start a company that does this and then u can sign contracts and stuff and you can do it

i have like 4 set up already

There is nothing else to say. Please make no further remarks about this situation, and do not respond to this comment. Please talk about something else. DM @novel cedar if you'd like to discuss our policies.

but its just abit boring doing the same mahines over and over

!mute 808805061873762315 "1 day" Offering pentest services and refusing to stop talking about it after being instructed to stop.

:incoming_envelope: :ok_hand: applied mute to @icy sandal until 2021-05-10 01:21 (23 hours and 59 minutes).

yo is black hat python good

the book

Talk about something else. No further commentary.

Doesn't sound like it. You should only be interested in white hat.

white hat python book

ok

I mean, I guess it could be useful for knowing how a black hat might think, but if you're trying to learn how to use Python for good purposes, I'd steer clear of it

well there is a book called black hat python but i think its for ethical hacking

I'd inquire about it if you can

https://nostarch.com/black-hat-python2E

its this one

It is for Cybersecurity

yes

I mean you have to learn about it to become one....

become an ethical hacker

or a computer security engineer

something like that

maybe this one is better?

https://nostarch.com/ghpython.htm

hey, has anyone a method to avoid keyloggers?

I remember something that did that such as keystroke encryption I believe?

There is an App for that

do you have any idea on how to code it on my own?

No but take a look at this
https://www.techrepublic.com/blog/it-security/keyscrambler-how-keystroke-encryption-works-to-thwart-keylogging-threats/

It should give you an idea of how it works so you can do it on your own

ok thank you

anonymous but they use python

someone know a good free windows sniffer who stacks the ips connections?

i got one windows sniffer but it's too confuse, looks like he don't stack and has like thousands of lines showing the connections

How would one implement a separate verification key into each copy of a program?

The image below is the message structure of a message I am receiving py b'\xf9\xbe\xb4\xd9version\x00\x00\x00\x00\x00f\x00\x00\x00\xc3\x10D\x11' The magic value is 0xD9B4BEF9 when I send a message this is how I send it, following the structure in the image py return(struct.pack('L12sL4s', self.magic_value, command.encode(), len(payload), checksum) + payload) With this information how would I go about decoding the message above?

same thing, but with struct.unpack?

Hi, is this the right place for problems related to AES encryption?

sure

hi everyone - what are some Python projects you would like to see fuzze?

Regarding to security?

sure

wanna see the most illegal thing i own?

import random, pyautogui, time


chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()1234567890-=_+[]{}\|/?'";:.,<>"


length = int(input('enter the amount of characters in a password: '))

password = ''

for c in range(length + 1):
    password += random.choice(chars)
    time.sleep(5)
    pyautogui.typewrite(password)
    pyautogui.press('enter')
    time.sleep(1.5)

https://tenor.com/view/trollge-troll-the-day-of-reckoning-gif-19655212

Hi, can anyone help me to identify what type of vulnerability (OWASP Top 10) is this for the above codes?

that looks like homework

or a test

!rule 5

and it's not python anyways

Ah ok thanks

Hard to say, but the first thing which I want to have is good Hashcat bindings in Python

i dont even think hashcat has good C bindings 😛

Hashcat has awful interface as a library 😦

as in non-existent

um hello

However it's still the most powerful open-source tool

could also use some better docs

Nope, you can build shared library but you need some work to handle headers

Citation from Hashcat forum

source code is the best documentation

😂

well, the docs are non-existent for hashcat as a library, so 🤷

at least the cli tool has --help

Oh, yeah, that's right

Have you tried to work with Hashcat-as-library @fading plaza?

no

if i ever needed to do something similar, i would probably just use subprocesses

Nah, too simple lol

So I am working on an application that needs to store login information for email servers in a database, and then be able to feed the passwords into SMTPlib to send emails. What is the best way to do this without storing the password in clear-text in the database?

import socket as s

with open("IPADDR.txt","a+",encoding='utf-8') as F:
pass
host = 'INPUT SIGHT'
#google.com
print(f'IP of {host} is {s.gethostbyname(host)}')
with open(f"IPADDR.txt","a+",encoding='utf-8') as F:
F.write(s.gethostbyname(host))

Cannot you use some API tokens?

I don't follow. Like save a token I can use to unhash the password? Or like tokens from the email providers?

Tokens from email providers. You cannot store securely users' passwords in my opinion

That might work, the problem is these are user provided email servers that I have no control over or access to.

The common way is to create app and you can authorize this app and deauthorize later

Yeah if the provider supported that then I could do that.

Yep, it can be a problem

Personally I wouldn't write my password in any other service than my email provider

Small exception for Thunderbird because it's application on my computer

In my use case the user would provide a dedicated email account just for use with my app, so if it was compromised only emails sent by the app would get compromised.

Only what you can do from my point of view is to encrypt all passwords with the key which is entered when you launch your app

You cannot store this key in any file

Could the app then use that key to decrypt them to feed them into smtplib?

Yep, you are using the key to encrypt and store ciphertext in database and decrypt when you need to feed smtplib and your key exists only in RAM memory

However it's not a perfect solution

True, because the key has to be re-entered anytime the app is restarted. Also if the app crashed then I might not be able to decrypt the passwords?

This app is also a bot that runs 24/7, so that solution might not even work.

This is basically how Firefox's master password works, correct?

When you lost the key you cannot decrypt stores data

Maybe, I don’t know how Firefox‘s master password works

I don't know the under the hood, but for the user you enter it to be able to view your stored login credentials for websites.

But if I reentered the key after restarting the app I could still decrypt?

Yep

Ok that will probably work then.

no one knows

and you cant trust a file just because virustotal says its safe, its childs play to crypt an exe to make it undetected by all major AV. granted itll only last a few days/weeks before its detected again at which point youd need to recrypt

Hi guys , do you think that the attack on mariott in february 2020 was due to an error in crypting?

I know nothing about it, do you have some articles to share?

Should i good at math to be sercurity?

It depends, if you want to be a cryptographer or cryptanalyst then the answer is "definitely yes"

What do you want to do in security?

Uh

Hacking?

Idk im a kid dont judge me

@lapis radish cyber security?

Hmm, talking about hacking may break rule 5 so...

!rule 5

However good hacker should have knowledge about cryptography and being good in cryptography needs some basic math knowledge

@lapis radish they dont need algebra?

Algebra is used under the hood of cryptographic algorithms

Like in AES

Oh

Galois fields is what you need to know

For example

While you explain i have some question 1.should i learn algebra or linear algebra first

https://youtu.be/x1v2tX4_dkQ?t=889

I started with linear algebra on my studies, finite fields topic was a lot of lectures later

Oh

2. Calculus is important for machine learning?

Calculus?

Yes

Hmm... I had few lessons about machine learning so I think that I cannot help you with this question

There is channel #data-science-and-ml

That ok

Bruh i asked them but no one answer me

Dead chat

So sad

Yeah

So 3. How can l use linear algebra to real programming?

Use for algorithm?

Or just solve something else

You can use linear algebra to analyse functions and find minimums for example

Im waiting

https://youtu.be/JnTa9XtvmfI while you find example i have 1 question so WHY This course teach to long and Should i spent my time to learn this??

I mean that when you want to find minimum of the function you can use linear algebra, I cannot find any real example now

Like find maximum of the following function @thorn obsidian

.latex $\frac{e^{x^3}}{e^{x^8 - x + 1}}$

Only 11 hours? So sweet

I had half year of the linear algebra - around 3 hours of lectures per week

@lapis radish Wt

@thorn obsidian thats...

3 hours per week?

So that mean all of you learning are inside 1 course?

@lapis radish

I don't know, maybe

@lapis radish Thx for answered me country boy

Your welcome

Im asking to @magic barn

what?

He really good you might want to ask him

@magic barn hi

This channel is for talking about cyber security. idk anything about it

@magic barn what kind of work you are?

That question is not on-topic for this channel.

Ok personal

guys

i wanna help

this is the code

import subprocess

data = subprocess.check_output(['netsh', 'wlan', 'show', 'profiles']).decode("utf-8").split("\n")
profiles = [i.split(":")[1][1:-1] for i in data if "All User Profile" in i]

for i in profiles:
    result = subprocess.check_output(['netsh', 'wlan', 'show', 'profiles', i, 'key=clear']).decode("utf-8").split("\n")
    result = [b.split(":")[1][1:-1] for b in result if "Key Content" in b]
    try:
        print("{:<30} | {:<}".format(i, result[0]))
    except IndexError:
        print("{:<30}".format(i, ""))
#```

to see the wifi passwords

im getting an error

Traceback (most recent call last):
  File "c:/Users/moon/Desktop/wifiwindowscracker.py", line 7, in <module>
    result = subprocess.check_output(['netsh', 'wlan', 'show', 'profiles', i, 'key=clear']).decode("utf-8").split("\n")
  File "C:\Users\moon\AppData\Local\Programs\Python\Python37-32\lib\subprocess.py", line 411, in check_output
    **kwargs).stdout
  File "C:\Users\moon\AppData\Local\Programs\Python\Python37-32\lib\subprocess.py", line 512, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['netsh', 'wlan', 'show', 'profiles', 'NET=NET', 'key=clear']' returned non-zero exit status 1.```

this is the error

this should probably be in a general help channel

why

[security]

so, if you're talking getting network keys, it's more related to #networks
If you just want help with your code, it's a general help channel you want

though have you tried to run the command that failed on a terminal prompt?

wdym terminal prompt

you're on Windows, so that would probably be cmd.exe

yes

but i have this error

does the command netsh wlan show profiles NET=NET key=clear even work on cmd.exe
If not, that's the source of the error, and I think most of us don't really have the skills to help you here

#networks is probably a better-suited channel for network tools like netsh

why not help? thats kinda the reason im here lol, why is it such a problem to spread psootivity around the community?

because helping with black hat hacking is kinda bad?

programming isnt all hacking, even then it should be fine. not all hacking is bad either there are alot of people who are ethical hackers legally

not all forms of black hat hacking are bad either im a black hat but im not a bad hacker

black hat, by definition is malicious

and you can get help

Just not on stuff that's potentially malicious

Dura lex sed lex, if you have different opinion about rule 5 you can send it to @novel cedar afaik

@lapis radish

Sir???

?

Can i speak another language in this server?

!rule 4

Please - read the rules #rules and keep conversation about security here

Yes?

@lapis radish

Why this server had this rule?

because its hard to moderate shit thats in other langs

if you would like to discuss our rules, please DM @novel cedar rather than pinging our staff.

is a RP3B+ using Ubuntu secure in the net 24/7 ?

Hmm, depends on your configuration?

basic out of the box

Out of curiosity I’ve made an ssh server that just logs all requests without doing anything. I keep seeing attempts to execute cat /proc/cpuinfo | grep name | wc -l, which I believe is an attempt to see how many cpus the server has. Any thoughts on what they’re trying to do?

Does anybody here done research in cryptography using python? Im interested also in digital forensics/penetration testing and Im looking to get advice as a undergrad for which path to take.

there are modules available for base64 and md5 some others too i guess but i dont think thats what you are looking for

hey is there any way to store a fernet key as a string?

probably

what are you curretnly storing as

i figured it out

had to read the docs

It wasnt lol but it was useful thing I didnt know so thank you!

Hmm, I would prefer to add some basic configuration

Does anybody here done research in cryptography using python?
What do you mean?

Sorry for the bad grammar lol. I wanted to get some advice from people who have done it. Im about to start undergrad research in this topic.

Hello. I am learning python programming. Can anyone with experience help me out with metasploit API. I am trying to write a program in python that sends webhook notifications to a slack/discord channel whenever a reverse session is created. ShellHerder an existing program available on GitHub achieves this by creating an on_session 'event subscriber' that metasploit alerts whenever a new session is created. However it is a Ruby module that needs to be loaded via msfconsole. The developer of ShellHerder wrote in the description that a future version of his program would use msfrpc to achieve same function. This is exactly what I am trying to do but cannot figure how to create an event subscriber via the API. I can invoke the session module to fetch a list of active sessions via the API but then this way I would have to constantly keep polling for new sessions whereas the event subscriber facility allows me to wait for metasploit to notify me whenever the session is created. Any pointers. Ty

I didn't know there was a api for metasploit

hello im new here

hi new here

um

hello if anyone is here

Hello, do you have any questions?

not anymore

Hello! Kinda of a stupid question but which VPN service would you recommend? I was told Mullvad is a good choice but I would like to get a more wide range of options

nord

vpn

To which activity do you need VPN?

For work I have my own company VPN which is hosted and managed in Azure, but this is for my personal computer, just to surf the web, maybe doing some payments and streaming

https://translate.google.com/translate?hl=pl&sl=pl&tl=en&u=https%3A%2F%2Fzaufanatrzeciastrona.pl%2Fpost%2Fjak-nordvpn-przez-rok-udawal-ze-wcale-go-nikt-nie-zhakowal%2F&prev=search

I don't trust VPNs so I don't use them to pay for anything online

If you want to use VPN to get restricted content (in your country) on video platforms for example then you should pick this one with the biggest infrastructure Afaik there are trials so you can check all of them and pick best one for you

oh

Original article is not in English but as far as I see translation is good enough

yes

Idk if this is the right place, but how does encryption algorithms like SHA256 work?

Does it seed from an original step and then iterates on a series?

Kinda like seeding the random generator for reproductible results in data?

I'm learning how JWT authentication works and it needs a secret key (probably the origin) and an encryption algorithm

SHA256 IS NOT encryption algorithm, it's hash function

AES, DES and similar ones ARE ciphers (encryption/decryption algorithms)

Basically hash function is an algorithm which takes data of different size and returns fixed-size output

!e

def create_hash(data: bytes) -> str:
  from hashlib import md5
  hash = md5()
  hash.update(data)
  return hash.hexdigest()

print(create_hash(b"data"))
print(create_hash(bytes(1024)))

@lapis radish :white_check_mark: Your eval job has completed with return code 0.

001 | 8d777f385d3dfec8815d20f7496026dc
002 | 0f343b0931126a20f133d67c2b018a3b

So these hash functions perform the same shift in bytes?

This is a little bit complicated than just shifting bytes

SHA256 is cryptographic hash function so there are few traits that must be met like changing one bit of an input should change about half bits of an output

!e

def create_hash(data: bytes) -> str:
  from hashlib import md5
  hash = md5()
  hash.update(data)
  return hash.hexdigest()

print(create_hash(b"0"))
print(create_hash(b"1"))

@lapis radish :white_check_mark: Your eval job has completed with return code 0.

001 | cfcd208495d565ef66e7dff9f98764da
002 | c4ca4238a0b923820dcc509a6f75849b

Oh I see

You should also know that hash functions should be irreversible - for given output it should be non trivial to find an input

ProtonVPN (Made by the same company that make protonmail) is good.

There is a metasploit api package you can use called pymetasploit3. I've been able to automate with it, but it has a bit of a learning curve.

Thats what I have been using myself sir. How to make a on-session event subscriber object using the API is what I am looking for.

The API has an internal session manager that you could reference.

The API, last I used it, established a session and held an object for it.

Am I not understanding your question?

And just to be clear, when I say API, I mean the py package if I was being confusing there

Umm kind of. I already used the session module that I think you are talking about. It allows me to fetch a list of active sessions. The event subscriber facility I am talking about is baked in eventdispatcher class as described here https://www.rubydoc.info/github/rapid7/metasploit-framework/Msf/EventDispatcher

Its probably me not being able to explain properly more likely

@smoky turtle no, that's it. And that event dispatcher manages the sessions in metasploit.

in other words, metasplit actually establishes sessions and manages them, the pymetasploit package just manages the events through metasploit.

If you wanted to make an object to manage these sessions more abstractly, then I think you could just use the session id as a way to distinguish the sessions.

Oh is it. So how can i invoke the add_session_subscriber object as described in that page. Can u point me a little

Right so what i am getting from your explanation is that i would need to modify pymetasploits code and customise it to achieve the functionality that i want

Actually, I'm not saying that. sorry. I still might be vague on your question. You use pymetasploit to establish a session in metasploit. Pymetasploit tracks the sessions and ids and commands that are used to use those sessions. If you want to use a session, then you use the pymetasploit to access the session and send a command, the workings of the api are hidden from you so you don't have to worry about them. If you wanted to do something special between sessions of your own, you can create code that will work with specific session ids kept in the pymetasploit database and invoke commands only to those of your desire.

Ok i think i understand the working better.

I did something similiar here:

I created my own modules that held client sessions, and I would invoke my own commands to those sessions and keep results

The code might be confusing, just note that the module.client.sessions.session(result['job_id']) is an example of me using a particular session to send a command

Ok. So what I am trying to do with my codeis that when i get a reverse shell, the program sends me a msg via webhook on a slack/discord channel

Interesting, you trying to discord your metasploit?

So with the on session subscriber, metasploit will send me a notification informing me rather than me constantly polling the session module and seeing if there are any new sessions

Oh ok

So a periodic query of the session isn't good enough?

You can create an async function to run as your subscriber query

Learning to code actually. But I thought it would be an interesting project since you arent at your workstation the whole day waiting for the reverse shell to pop up in a red team excercise

hmmm, yea, I think the pymetasploit package is not an async package last I used it a while ago, that may have changed.

I thought of that first and managed to code it. Was simple enough but then i read about this subscriber feature and wanted to see if it was possible since it would be a much better way than periodically checking

I think you should be able to do this easily, just don't remember how immediately right now.

Well if u come across it sometime in the near future please let me know

@smoky turtle This is a simple tutorial on sessions: https://github.com/allfro/pymetasploit

@smoky turtle It says "At this point, this exploit only supports one payload (cmd/unix/interact). So let's pop a shell:

exploit.execute(payload='cmd/unix/interact')
{'job_id': 1, 'uuid': '3whbuevf'}

Excellent! It looks like our exploit ran successfully. How can we tell? The job_id key contains a number. If the module failed to execute for any reason, job_id would be None. For long running modules, you may want to poll the job list by checking client.jobs.list. Since this is a fairly quick exploit, the job list will most likely be empty and if we managed to pop our box, we might see something nice in the sessions list:"

@smoky turtle If this is still the case, then I would create an async function that regularly poll the job by job id and when it sees a result, then you send that to your discord

Ty for your help kind sir

!e

Just got this random mail, should I be worried?

Worried?

Is that not your typical email spam / phishing attempt i cant really see what it says

its not from T-Mobile lol

Just don't download anything and u should be good

I didn’t downloaded anything I just opened the txt message on my phone

It said yo

Then I just turned off my phone for a while

lold

hey, is there a website to test if my selenium bot is easily detectable? like a website with some buttons, input fields and an antibot system

Hey, I don't know any sites like that

#Step 3

import random
word_list = ["aardvark", "baboon", "camel"]
chosen_word = random.choice(word_list)
word_length = len(chosen_word)

#Testing code
print(f'Pssst, the solution is {chosen_word}.')

#Create blanks
display = []
for _ in range(word_length):
display += "_"

#TODO-1: - Use a while loop to let the user guess again. The loop should only stop once the user has guessed all the letters in the chosen_word and 'display' has no more blanks ("_"). Then you can tell the user they've won.
guess = input("Guess a letter: ").lower()

#Check guessed letter
for position in range(word_length):
    letter = chosen_word[position]
    if letter == guess:
        display[position] = letter

print(display)

#Check if there are no more "_" left in 'display'. Then all letters have been guessed.

is there anybody here who can help me with loop ?

plz

There are several ways you could do it. I would probably use chosen_word in the loop condition:

while chosen_word:
    guess = .......
    # check guessed letter, remove matches from chosen_word

that way when the condition of "the loop should stop only once the user has guessed all the letters" will happen when chosen_word has had all the letters removed, and the loop will stop, since empty strings are falsy

!code

Also this isn't the right channel for that question

sorry if this isn't the right channel, but I was curious about pickled data in python. is it possible to scan pickled information prior to unpickling it? Or is it more along the lines of good luck on what you're opening if you don't fully trust it.

Since I know it can easily be a security risk to unpickled untrusted data.

instead of trying to use an inherently unsafe protocol safely

use an inherently safe protocol

like json or yaml

Hi am new

see also https://nedbatchelder.com/blog/202006/pickles_nine_flaws.html

Hey, do you have any questions?

i have a erorr

in my python code

security related code?

no

Check #❓｜how-to-get-help

!rule 7

ok sorry

I'm not actually pickling anything, it was from a hw assignment. We had to describe pickling and how it's utilized. Also, had to address some points for why it shouldn't be used. When I searched to see if you could scan pickled information I couldn't find anything. So was more for curiosity not use.

what ?

Paste code using codeblocks in the future

It is easier to read

ojjj i don't know that thing

are you pro in python ?

Define "pro" please

No problem, that's why I responded with !code

pro means professional

I am regular Python developer, what is the case?

do you know how i add my code in mobile app

?

Is it related to channel's topic? Please, pick some help free channel and ping me there #❓｜how-to-get-help

ummmm

!rule 7

i mean you could, but i dont really see why you would do so

if you're going to scan it first, you're better off just using a protocl that already restricts types to the same as the "safe" part of pickle

Hi does someone know a good and easy way to make my program able to tell which month and days it is based on social security numbers
I want it so it will give an error if the user inputs 043105 for example

does python have support for cryptographically secure random numbers? I know there's been some exploits where people used the date and time as a seed for a random # and it ended up getting hacked so I want to avoid that.

Ye another person helped me with the problem, I will just make a list with months under 30 days etc.

@proven raptor https://docs.python.org/3/library/secrets.html

this pulls from the OS csprng like /dev/urandom or whatever the windows equiv is

oh shit wrong ping sorry

@dull geyser

though you dont need to set the seed at all for secrets

(and you cant anyways)

crazy what hackers can manage to do

Hello Every body :)))

This is my tool in github:

https://github.com/sina-yeganeh

anyone knows how some hackers steal Maplestory IDs?

@thin marsh This is not the place to use bot commands, please use #bot-commands next time.

Anybody in here familiar with using ransomware with python?

Oh okay, sorry about that.

hackers are just normal people @dull geyser

The name comes from the MIT model train club

Normal folk, just think a different way is all -- We like to rob the bank you know?

The what could happen I suppose is what makes the hats me thinks

I''m terrified of prison.

I balk when people say hackers bad... Such a misnomer.

Somebody got to use the wands you know?

https://www.youtube.com/watch?v=CPp6hB9MsFQ

#zzap

I beg to differ :-)

How so?

I beg to differ too there @thin marsh

I should caveat that with real hackers, not pretend script kitties

hacking could be guessing someone's iphone password in middle school though

It can be yes @limpid viper

I wanted to be a hacker until I found out how humiliatingly boring it is

Hacking is just taking a system and doing something unexpected with is all.

It can pay the bills @thin marsh

So can money laundering and extortion, but that's not what we are really talking about

but that's not what we are really talking about
good point

I mean I suppose that could be fun, but something about an orange jumpsuit...

ATMs are especially fun.

Especially when you're a distributor of them. Little bit of wireshark == pasta

Finding a vulnerability must be the most boring thing to do ever.

If only crime paid ya know?

It's pretty easy to do depending on the context and surface area @thin marsh -- Depends you know.

Just today I found 14 RSA priv keys

Simple to do, scarily easy how bad it "could" be

I wouldn't say that finding rsa keys is finding a vulnerability

When you have no password on the key? Sure is.

It's a layer 8 problem

Something we been dealing with since Jan 1 1983

Damn tcp you know?

Humans....

Muggles and all

You know what I mean

No, I disagree. It depends on the vectors and such.

An RSA key exposed is a vuln, but on the human layer

Bad practices, easy to exploit.

14 keys mate...

Check + mate + $ [[ if -ne $evil ]]

Finding private rsa keys is like finding someone's password. That's not a vuln

A human left it behind, thus it is.

Layer 8. Wetware. The human, you and me.

I agree with @thorn obsidian on this one

Who needs programatically derived vulnerabilities when the worst of the worst is the PEBKAC.

If you think just finding a vulnerability is simply by finding someone's password or rsa keys, then you pretty loosened the idea of vulnerability to be so loose that a child can do it

My kid figured out my phones pattern... that's a vulnerability to you

Yes

You the human made it easy for me the attacker to bypass your stupid security practices.

If you shored up Layer 8 you solve 1/2 the problem right away.

Its why we made computers. not only for speed but to remove the human from teh equation

1 + 21 must always == 22

My idea of a vulnerability is a susceptibility in the system that allows for an actor to bypass the security measure or functionality

Humans will screw that up at somepoint

Sure.

And what if you bring sqli into the mix @thin marsh -- Would that satisfy you as a vuln?

A human introduced it, with their syntax. Rarely is it the actual computer that is to fault.

Sqli is a vulnerability yes

Did the machine magically place it?

Same concept

Humans are the weakest link sometimes. The lowest of the low hanging fruit as IQ varies.

Even hackers get popped with phishing scams at work, etc.

The programmer programmed functionality with the input, the lack of input checks and the use of that to execute code to bypass the functionality is a vuln

Anyways...

and so is putting in an rsa key to a backup solution

I would say a test of a vuln is that it can be mitigated

Ok

So you can perform grep -RHn "PRIVATE KEY"

Could that not mitigate the left behind ssh key?

My pt being is that "hacker" isn't necessarily bad.

Don't associate the word with criminal.

It's exposing a different vuln, not the rsa keys themselves. The fact you can do that in a system is confidentiality vuln

Sounds to me like you're excusing the humans 🙂

Yea, I wasn't saying they were bad, but normal people... ehhhh

Same reason places like Colonial get popped.

Your outrage is not on the same level. it should be even greater.

Wait, am I outraged?

I was trying to be funny with my hacker comment. I know some ethical hackers, but they are a different breed

Ethics, 🙂

Thats what it is all about, lines in the sand though. Shifting tides, etc.

I know, almost an oxymoron

Are you trying to open an philosophical pandoras box there?

Not really. I just bristle when I hear the word hacker thrown around.

I consider myself one?

One who plays with hacking or one who actively infiltrates systems that are not yours?

Both

Like I said though, legal.

I'm too small, too old, and too damn tired to deal with Prison.

It's not legal if it isn't authorized

"that are not yours" does not me "Unauthorized"

Haha, so your a pen tester

No

I'm just a hacker

Red team?

Pen tester is more active vuln hunting I suppose, very red

I'm more purple

Purple...

Yep

Imagine blue team, but with the freedom to do what I want for the most part.

Ah gotcha

I definitely don't own the systems I poke. I'm surely authorized though.

I've dabbled with hacking, thought about being one, until I decided it's the most boring thing on earth

It can be

Fun stuff though

Check #help-honey for boredom 🙂

Kind of stuck, bored, not wanting to move forward without another human, even though I can kind of wing it?

boredom sucks

I'm taking wifi-sparrow, and giving it a shot of whiskey followed up by a dash of mescaline.

Very cool way to learn PyQt auto-didactically.

Dude uses iw as his method for determining Access Point infos

Interesting way to do so, as you're leveraging managed mode and not monitor mode.

So I'm slashing scapy into it, and going pure monitor mode. Has the benefit of seeing all clients and not just the Access pt; in a darn GUI. Sick work and happy the framework exists. I've always wanted to learn QT.

Taking the current GUI and smashing it on the nuclear level

Best part it is GPL3, and thats okay because I love me a github

I used pyqt once. It was alright. I would go to another language for a GUI like C#

Yeah, but packet sniffing and dissection.

Name a lib for c# that does what scapy does.

You won't have any

Neither C nor golang, etc.

libpcap is great, but takes a trained mind to leverage.

Well, admittedly I haven't made a gui with C# yet, but I know it's a much more stable way to go

The overall framework of sparrow rocks though; it integrates a darn ubertooth one, as an overlay to the 802.11 schema in 2.4ghz

I suppose that depends on your interpretation of stable.

sparrow's method is pretty sound; hell it doesn't even use monitor mode sans the falcon plugin.

iw is going nowhere.

Stable code for the next 5+ years at min.

I guess for products. For typical analytics, I guess no reason to be picky

Cool gui though

You make that?

Nope

Not my work

I forked it though. Plan to learn how PyQt works

Nvm that's a wifi analyzer.l

While at the same time doing PRs to integrate scapy

This guy does it with pure iw... kind of a cool concept

I made my wife an app with pyqt. It's a pain to make into a self executable

That's one of the drawbacks.

Anyone have recommendations on a simple key authorization system / generator that still makes the public keys easy to read?

Just starting to learn about key authorization etc and could use some general guidance in the right direction

!rule 5

What do you mean? Can you provide some simple example?

File "osint.py", line 11
print("[+] Cent: https://beta.cent.co/@"+ user+"")
SyntaxError: invalid syntax

You are not funny.

@thorn obsidian Please stop spamming the same gif everywhere

Please be on topic.

Hello, does anyone know how to make a network script run with a proxy?

NVM i didn't know what I was really looking for or how to ask it but figured it out now thank you though

Stryngs had a very interesting discussion

Why and how do you use shlex? I was reading this link and it says you shouldn't even pass hardcoded text values to things like os system or file openings?? Why? They aren't user submitted... It wants me to run it through shlex. I can't find a good simple shlex guide though. https://infosecwriteups.com/most-common-python-vulnerabilities-and-how-to-avoid-them-5bbd22e2c360

Or is this just dumb

ive only skimmed the article but it seems to be saying that you need to sanitise user inputs, not hardcoded valeus

eg

We can use the ‘shlex’ module to sanitize the user inputs as “shlex” escapes the user inputs properly.
Always sanitize user inputs first before passing them to the system commands.

all his examples are hard coded tho so idk

thats why im confused

🤔

there's no user input there 🤔

i think the screenshots are just misleading

the article text seems fine

fair enough! haha

either way, you only need to be careful about input users can control - but be careful to consider all implications of user input

how do u use shlex even for user input? i cant find a realpython or other easy to understand guide, all the sites just link to the offical doc page. idgi

i get the whole sanitization point but idk how to do it i guess. ive never really done anything that takes untrusted user inputs like that

do u mean hashing?

oh ok

I have currently been working on making a cipher and i was wondering if anyone here could give me some tips or advice. Currently, it takes PlainText, reverses it, and then shifts the characters however much you want. After this, each letter is turned into its numerical value and a Key number is subtracted

It is currently Mono alphabetical which is an issue, as patterns are easy to find and exploit, so if anyone knows any way to use a keyword like the Viginere Cipher uses, i would be gratefull

Are you making a cipher for educational and fun I hope?

yep, just to learn more about them

There is strategy from AES authors, give me a second

this wont be used to actually protect anything

sure

if you want, i could post the code

I cannot find it, anyway... You have at least two different constructions - Feistel Network (like DES) and Substitution-Permutation Network (like AES)

First one is easier to implement, you have same algorithm for encryption and decryption afaik

but this means its not as secure

it's not really less secure, actually

You can share it if you want but if there are a lot of lines of code it can be time exhaustive for me

not to much

https://paste.pythondiscord.com/uyopucupuq.lua

Okay, I expected to see at least two functions

def encrypt(key, plaintext):
  ...

def decrypt(key, ciphertext):
  ...

is this bad?

It is harder for me to analyse

sorry

You have for example key1 and shift2 - what is the key, what is shift? 🙂

Key is the pair of key1 and shift2? Or just key1?

key is the number added to the numerical value, and shift is litterally shifting characters, for example, hello there would be: eHell other

with a shift of 1

from what I can read, I think the cipher key is (key, shift)

sorry?

im not sure what you mean

Yep, it seems that you are right

For a encryption scheme, you have 2 inputs, a key and an input plaintext, where the key will be used to encrypt the message

yes

i have multiple

3 i think

it seems that you have split your key into two parts, what you call key, and the shift

there is a key used to encrypt, and a shift that are needed to encrypt, along with the PLainext

key and shift are different parts

yes, indeed, they are, but they are both parts of what cryptographers would call a key proper

ohhh, i see what you mean

by the way, what do you think of the shift idea?

It's good operation if it's a part of the cipher, not the only one

so i did 2 things right

AES has shifts as well

the shift idea is a simple permutation, which is okay, but not sufficient

is there a more advanced version of shift, not the same but the same concept?

there's what called a permutation

Like

(1, 2, 3, 4, 5, 6, 7, 8) -> (8, 1, 7, 4, 2, 3, 6, 5)

is Caesar Cipher a permutation?

a type of one

A shift is a simple kind of permutation

Like (1, 2, 3, 4) -> (2, 3, 4, 1) is a shift, and thus a permutation