depends on your question

sorry, haven't used this server in a while

well it's not a very precise question

though you can just copy-paste it afterwards on a general help channel if it's not on-topic

I have to (I had the option to) basically pentest our school website

and my main focus rn is student's profilepictures

because that could get out of hand easily

your school offered you the opportunity?

they offered it both as like help and a little challenge for me

but they trust me

it's like a pretty big website but not that secure

I've already found some flaws

well, you shouldn't divulge anything about your school here, but do you have at least an idea what you want to ask?

I'm not very familiar with Networking related things but I wanted to know if one could just change some packets or whatever to get admin access

because it seems pretty likely

and someone shutting down the entire school isn't really a good thing

for networking-related things, you'd probably better ask on #networks

okay

thanks anyways!

for the rest of security-related things (if you have other questions, that is), you can probably ask here

how do I get truly random sets of data?

get a true random number generator?

There is no truly random numbers

but they are seemingly random numbers

Use entropy based ones

is there a way to use python like curl --cookies

what do you want to do exactly?

you can use python like that, but it has only specific flags

which you can get to know by python --help

!e

print("33"+("33")

@serene magnet :x: Your eval job has completed with return code 1.

001 |   File "<string>", line 1
002 |     print("33"+("33")
003 |                      ^
004 | SyntaxError: unexpected EOF while parsing

!e

print("33"+"33") 

!e

print(“ok”)

k

‘’’ok’’’

guys, if you want to play with the bot, just go to #bot-commands

also, stay in topic, please

so I want to try a cookie with different value and put it in a loop, apparently curl with bash is really easy

not with python

Hello , I've been looking into some security , given a shellcode , is there any automated way of identifying info like which architecture its run on etc , or do we have to manually disassemble it in different archs and see where it fits?

I've a question about oauth2. Should resource and authorization servers be in seperate servers? I'm trying to use Django OAuth Toolkit

Shell code in the sense?

a piece of assembly code injected into a program to execute arbitrary instructions

so you want to call bash command from python?

@fringe rock dont use curl, use requests

requests module

s!invite

hello guys
is there way to know if one's device is being tracked using python?

hey guys, is ssl the best way to secure a socket object?

https://paste.pythondiscord.com/fivediqide.py

Hi guys, i created an xxs script for my cyber security course. For the life of me i cant get it to work

https://paste.pythondiscord.com/hasakitiwo.sql

what's the error?

this is the issue im having

Is my screenshots not showing?

sorry, I sent it just after you sent the traceback

Ah ok

I tried this on the website called hack this site, which allows pen testers to try and hack the website legally, as i didn't want to accidentally hack an actual website.

I pasted the url in my code

remove the brackets, and you'll get a more sensible error

The URL parameter needs to be a string

I used raw_input but dosent work for python 3, then i tried input but still had issues

I'll try that thank you

line 7 yes?

yeah

should i keep the quotations marks or should i remove them as well?

yes, otherwise it's not a string

ok thank you

welcome

https://paste.pythondiscord.com/qevecoqexe.rb

hmmm, invalid syntax error for the colon

I said to keep the quotation marks

whoops, my bad lol

https://paste.pythondiscord.com/qinayewanu.rb

It fixed that error but now i have a NameError

yep, that's the more sensible error that I was talking about

you should be able to identify the variable name you used incorrectly, and the correct name to use to correct the error, now

https://paste.pythondiscord.com/icubevaxed.py

That's how my code looks atm

yes, I figured

can you read the NameError traceback? the problem is explicitly given at the end

req is not defined

so i know its because of that

yes, so you meant to use req as a name, but you didn't. What name did you use instead?

requests for line 9 and 11 but i never used req anywhere else but in line 13. So I would assume i need to change it to request

request =. So i should have named it the same thing in line 13

It worked!

Thank you so much!

https://paste.pythondiscord.com/aposomuven.rb

welcome 😄 . Next time, use a general help channel for a similar request, though 😉

I will. Again thank you

Has anyone ever attempted to make a web framework that is fully E2E encrypted?

Hey guys, anyone tried using GDB in order to attach a Python process and debug it?

Without restarting the process

https?

#bot-commands

hi there anyone with experience in bypass anti-bot from cloudfare?

to use in a web-scrapping project

@turbid folio we can't discuss such things here, as per our server rules

!rules 5

(meant to post 5, 8 is not relevant)

if an AES key is made up of 32 characters (numbers and alphabet)

does that mean it is AES-32 or AES 256?

AES-128, actually

assuming by "numbers and alphabet" you mean hexadecimal, which would mean each character is 4 bits

=> 32 * 4 = 128

aes key size is always 128 192 or 256

unless you're doing something really weird

Would you guys use Nmap or Wireshark

they have different purposes

nmap is for port scanning (and other more advanced scans)

wireshark is for tracking local traffic

thanks

I imagine AES 128 is plenty secure enough

I am currently competing in a cyber security comp and I am attempting to complete a buffer overflow question. I have the amount of characters required to overflow and the memory location I want to overflow to. But I am not sure how I can inject this memory location into the message payload we send to the server?

Like I have the characters, then after that I need to put the memory location but how do I get that to work with the address properly rather then a string

Am happy to provide further details / legitimacy if people want

Something to do with x86 calling convention. Although im not sure on how to use it

you'd probably want to watch LiveOverflow's binary exploitation playlist

Aight

im developing a webapp with a django backend and i need to store user data. im not exactly sure on what legally needs to be encrypted (or indeed what encryption django automatically does or doesnt) but is this a reasonable plan?

receive data on signup
encrypt with AES256 (i have the algorithm from a library)
store data
receive data on login attempt
encrypt with AES256
compare to existing entry to validate

im very new to security and argued against being assigned any security related stuff for the project but im the only guy in the office who even knows where to start.
if im leaving vulnerabilities or usability issues please tell me, and if im missing something as simple as encrypt=True in a kwargs for a django model please let me know that also

how do you generate your key, and how do you plan to store it? That might be a vulnerability

most user data should not be stored, and only if absolutely necessary for the functioning of the application (if data storage is a feature, then sure)

how do you plan to ensure that the existing entry is the correct one that the user has given at signup time? Or if it is not malicious in the first place?

If you have login information, you should never be able to decipher keyphrases or passwords, because once an attacker gets your key, it's as good a plaintext storage. Use secure cryptographic hashing with secure salting (there are good libraries for that, but I don't know the names, as I come from the more theoretical side of things)

Also, be sure you're using the 128-long block version of Rijndael (which is the AES standard), because some libraries claim that the 256-long block version is AES-256 (it is not, and this variant has not been tested as thoroughly as the now AES)

Finally, you probably want to read the GDPR if you want to store user data. It's complicated, but it gives a baseline of what you need to do. Also, it has to be respected if some part of your userbase is in the EU

And now that I think of it: protect your webapp against all kinds of script injection, database injection and so on as good as you can. There will always be bugs, but be ready to correct them as fast as possible

thats a lot of things to think about but i'll make sure i properly evaluate them before pushing the app to the server.

immediately though i can see that im leaning heavily on django's form and model packages for validating post requests, and i assume its completely possible to enter a script tag as your username or even email name.

I do however trust django to escape context data formatted into an html template, if i say that context["myvar"] = "<p>lorem</p>" then {{ myvar }} shows on the page as <p>lorem</p> rather than a p tag, but its probably a good idea to give a firm no to any form data that matches an html tag.

i'll look into any encryption django has built-in, and i'll read the gdpr as im pretty sure the uk still holds it despite brexit.

thank you for your help, i wouldnt have even considered some of the things you mentioned

You don't have to outright ban HTML tags, you just need to be careful with them. The GDPR needs to be applied if any of your user is from the EU. So if I (from France) decides to use your app, you need to be prepared to follow this regulation closely (or be fined quite a lot if reported)

I just have a bit more experience than you on that topic, because I'm from a Cryptography background, and the correct use of cryptography is basically the point of my internship (although my internship is very specific)

is there iranian in here?

why?

How can i implement an siphash_4u32 function in python?

why?

why not use a well tested MAC function instead of rolling your own?

but if you require siphash specifically you should use an existing library

!rule 5

@thorn obsidian

Is SHA1 or MD5 good enough for a non-security context, or should I go SHA256? I want to lighten the computational load.

Background: I want to store files uploaded by my users on a file system, and name the file some kind of unique hash derived from user data. It doesn't need to be "secure", (unless you guys can think of an attack that would effect my system). The only condition is that these files cannot be accidentally overwritten by other users (hashing collisions.

it depends on your scale, SHA256 is harder to having collisions, but store everything in one directory is the root cause.

In fact I don’t think it’s necessary to use hash as your filename just for avoid collisions. Append random string/timestamp to filename, split upload files into username folder if you have limited user, split into date folder if you have many files per day, use distributed storage service like S3 if you have massive files to store to avoid inode usage issue.

I want to create a demo of syn cookies with python, but i have no idea how to create the initial sequence number.
I would like to get some help😁

are you trying to implement user space tcp stack?

there are plenty example,like https://github.com/jvns/teeceepee

I'm trying to create the initial sequence number like they did in syn cookies.

maybe we can port this to python https://elixir.bootlin.com/linux/v5.2.2/source/include/linux/siphash.h#L49

Ok, I will try.
Thank you👍

I try to install 2 partitions of Windows on 2 different drives. Drive 1 with Windows 1 and Drive 2 with Windows 2. I try to find a simple solution without disconnecting the Drive from my System to keep sure that If I get a Virus on Drive 2 with Windows 2 that its not possible for the Virus to read and write and infect Drive 1. Iam open for any ideas 😉

I think you can just disconnect it virtually

!e print("wow" )

!e X = [[12,7,3],
[4 ,5,6],
[7 ,8,9]]

3x4 matrix

Y = [[5,8,1,2],
[6,7,3,0],
[4,5,9,1]]

result is 3x4

result = [[sum(a*b for a,b in zip(X_row,Y_col)) for Y_col in zip(*Y)] for X_row in X]

for r in result:
print(r)

@mighty light :white_check_mark: Your eval job has completed with return code 0.

001 | [114, 160, 60, 27]
002 | [74, 97, 73, 14]
003 | [119, 157, 112, 23]

!e import ctypes p = (ctypes.c_char).from_address(0) while True: p[0] = 0 p = p + 1

@mighty light :x: Your eval job has completed with return code 1.

001 |   File "<string>", line 1
002 |     import ctypes p = (ctypes.c_char).from_address(0) while True: p[0] = 0 p = p + 1
003 |                   ^
004 | SyntaxError: invalid syntax

!e exec(type((lambda:0).code)(0,1,0,0,0,b'',(),(),(),'','',1,b''))

@mighty light :x: Your eval job has completed with return code 1.

001 | Traceback (most recent call last):
002 |   File "<string>", line 1, in <module>
003 | TypeError: code() takes at least 14 arguments (13 given)

!e for i in range (0, 10): if (i == 6): #Stop the program at 6 just.. because raise SystemExit print(i)

@mighty light :x: Your eval job has completed with return code 1.

001 |   File "<string>", line 1
002 |     for i in range (0, 10): if (i == 6): #Stop the program at 6 just.. because raise SystemExit print(i)
003 |                             ^
004 | SyntaxError: invalid syntax

And why do you need to?

!e print("hi")

nice

!e import socket

@manic venture :warning: Your eval job has completed with return code 0.

[No output]

ok

if you want to play with the bot, please don't do it here

oh ok srry

there's #bot-commands for that

it's okay, I just have notifications on this channel 😅

!e print("Hello")

@rose cedar :white_check_mark: Your eval job has completed with return code 0.

Hello

!e print([ l for l in range(100)])

@rose cedar :white_check_mark: Your eval job has completed with return code 0.

[0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99]

!e import os
print(os.getcwd())

@rose cedar :white_check_mark: Your eval job has completed with return code 0.

/snekbox

#bot-commands

!e import os
print(os.getcwd())
print(os.listdir())

@rose cedar :white_check_mark: Your eval job has completed with return code 0.

001 | /snekbox
002 | ['Pipfile.lock', 'Pipfile', 'config', 'snekbox', 'user_base', 'tests', 'LICENSE']

!e import os
print(os.abspath())

@rose cedar :x: Your eval job has completed with return code 1.

001 | Traceback (most recent call last):
002 |   File "<string>", line 2, in <module>
003 | AttributeError: module 'os' has no attribute 'abspath'

!e import os
print(os.path.abspath())

@rose cedar :x: Your eval job has completed with return code 1.

001 | Traceback (most recent call last):
002 |   File "<string>", line 2, in <module>
003 | TypeError: abspath() missing 1 required positional argument: 'path'

please play with the bot in #bot-commands, and stop spamming evals to the bot here, keep it on topic

Ohh cool

Got it

Thanks

thank you

https://www.veracode.com/sites/default/files/pdf/resources/ipapers/security-flaw-heatmap/index.html

OPINIONS!?

reading

Providing secure authentication in SPAs has a number of challenges based on your application’s use case. New browser privacy controls like Intelligent Tracking Prevention (ITP) adversely impact the user experience in SPAs by preventing access to third-party cookies.

from https://auth0.com/docs/tokens/refresh-tokens

how ITP would affect the scheme with Refresh-Access token explained here https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/ ?

What's the impact of ITP on my JWT Refresh-Access tokens used accross multiple microservices?

Is RSA a good decision of encrypting a message?

Yes and no, best practice for security is kinda complicated.

for example, use RSA only won't provide Perfect Forward Secrecy

ok thx

Hi, I m coding a program and I want it launch with windows, how can i do ?

you want to start a process when windows starts? How is that relevent to this channel's topic?

maybe he is trying to boot malware with windows😆

@pure kayak If you want to test out !e, we have #bot-commands. Please don't spam.

how can i secure my password/

?

hey guys

hey

You mean create a good password or keep current passwords safe

Password managers are still helpful, but imo best password manager is a pen and paper

^^^

do you have unique passwords for every site AND write them all down on a piece of paper?

based on what you said

every single time you login to a site, do you scan your paper that has dozens of site/password pairs on it for the right site, then type a 20 char password with special characters and alphanumeric manually?

how do you login to your accounts if you're not at home?

anyways

@hasty pollen theres a good list of password managers here: https://watchyourhack.com/#password-managers

(along with some other security tips)

you can come up with a pattern, i used it before password managers. 90% of the password was the same from one site to another, but strategic spots were changed out based on the sites url/brand

and so i had a unique pw on every site but also was easy to remember

thats also bad

like if araye was my password, discord version could be say adraiye

if one of your passwords is leaked

then all of your passwords are leaked

thats literally false, youd need to have hacked/stolen at least 2 in order to put together the pattern

probably more than 2 like 3 or 4 for to be obvious

why cant you just use the password manager's builtin generator

any decent password manager can generate a fully random password for each site

i mean the man clearly doesnt trust the cloud if he wants to use pen and paper

you can host keepass locally

no cloud involved

that so helps when you are : at work, on phone, at home, at friends house, etc

uh dropbox sync

iirc thats the recommended solution

anyways im done arguing this its like you think your version is the only ok version. other methods exist. and shit, a non digital one is 100% the safest you cannot argue that. a hacker has no chance of stealing it, vs you could be ratted and lose all passwords

a properly secured non digital one yes

however

you also need to take into account useability

and pen/paper solutions aren't really user friendly

but if you're truly paranoid about this type of thing, then yeah they're the only solution

but for most people, password managers are better

Yeah the pattern idea isn’t great. Anything that’s not random can potentially make brute force much easier. The advantage of a password manager is you can easily create 20+ character long random passwords without it being inconvenient

Bitwarden is nice and open source. Keepass/keepassxc if you’re more paranoid

Yes

If you want to i can share a password generating script

I memorise random bullshit very well though

For some off reason

So I'll eventually remember one randomly generated string 😂

hello! Is there a set of built in crypto tools in 3.9 or do I have to install external libs or roll my own?

never roll your own

https://cryptography.io/

https://pycryptodome.readthedocs.io/en/latest/ (but only if you have to use low level stuff)

https://passlib.readthedocs.io/en/stable/

also https://docs.python.org/3/library/hashlib.html is builtin, but most of them are insecure for passwords

only roll your own if your implementation has been correctly and thoroughly tested against common attacks. In short, don't

Though resistance against common attacks is still a pain point in quite a substantial number of commercial and non-commercial applications

(Cryptographic libraries on Android still had known unsecure implementations of AES up until at least 2016)

just using HTTPS/TLS as your crypto stack is another option

That's an interesting idea. Of course, that's relying on libraries, which you may not trust, but the least trustworthy agent is yourself in crypto design and implementation.

HTML Is Better

?

??

wa

t

has anyone taken part in any ctf

I recently started an internship and the task in hand rn is to anonymize the database. What we are trying to do is that code goes through the csv/sql db and suggests user what anonymization technique could be used on what column, and then that anonymization is to be applied.
Any libraries that could be of use?

Hm, well, what needs to be anonymizeD?

Where do I start cyber security

I've learned the bare basics of python

@thorn obsidian use thei nternet bro, not that hard

Just going to place this here, in case of any interest - A short introduction to adding a Google Login to your FastAPI applications, the newest feature of EasyAuth
https://joshjamison.medium.com/add-google-login-to-a-fastapi-app-with-easyauth-c8c3e926ad0a

I would start with some basic ctf's Like tryhackme or hackthebox or if you dont really know a thing you can lookup picoCtf which is for beginners

should i take this intro to security class

as an elective

i wonder is cryptography a good library for generating API keys? I'm looking to implement API key generations with it

Have a look here. Standard lib. https://docs.python.org/3/library/secrets.html#secrets.token_urlsafe

i appreciate it . I wonder whether it is as safe as the ones suggested above . I heard those were a specialized library

Definitely question it's safety. If we're just talking about tokens/keys with arbitrary length, this will do.

woah

this channel seems cool

My goal is to be in cyber sec when i get older, what are some of the things that i should start learning or things that i need to learn in order to be able to get into cyber security? i have little to no experience in it.

Dm

Can I make a rubber ducky with python and like tinker m0 or a pi Pico?

Anyone have experience with anomaly detection and machine learning?

<head>
<p> hacking nasa... </p>
<p>hacking nasa... 25%</p>
<p>hacking nasa... 50%</p>
<p>hacking nasa... 75%</p>
<p>hacking nasa... 100%</p>
<p>hacked nasa sucesfully</p>
</head>

lol no

HTML is the best programming language, never underestimate the power of HTML

and code editor word

@hardy flax You can DM @novel cedar, this is for dicussing about security with python like encryption, protecting yourself, data sanitization, etc.

And please delete those screenshots

Are there some common practices/conventions to responsibly disclose security issues/vulnerabilities I find on random websites? Especially when there are no obvious pointers towards people I should contact.

I spose it depends on the website and who it represents

Maybe theres some higher authority for reporting cyber sec issues if its a specific country

if was a Italian/Canadian who runs the company

and the systme of hear team é gad

Hello,
I have an arduino that makes GET request on my django server to retrieve datas using HTTPS.
I have trouble using HTTPS with the arduino. What is the danger to use HTTP for only one url (the one for the get request) ? Also, is that possible? To avoid the redirect 301 for just one url, using Django ?

Always wondered whether you’re supposed to contact the FBI or .. something like that . Just seems like any group I thought of wasn’t going to be a group specialized in handling the issue .

Oh I see this means the security for the site owner. I saw it was about security for the general public

yeah, the site owner

I see it varies .. generally the site owners are looking to retrieve emails from their customers . Could look up who is hosting the site and let them know that the site is insecure.. I see they’re more likely to push the issue when it’s a valid point

Sometimes there’s a place for it on the sites support section, sometimes there’s not . I’m by no means an expert , just had an idea

would anyone know were to start learning cybersecurity by chance

I was reading up on Applied Cryptography and just made it to pg 49. Can someone explain why the hacker cannot decipher the half of a message when it is sent in Interlock Protocol? If the hacker already has the private key they switched out, they should have no issue deciphering it.

W3 dont need to worry about hacker if we dont use internet or any way to transfer data

Like magic

oh didnt see this channel

looking for security experts that can assist in tracking illegal wildlife traders

Ok Python - Java script
Poll

!rule 9

And if it is not paid, then you need to say it from the start

I give fact: RSA > AES

don't feed the troll, I suppose?

@fluid verge?

What in french this mean ?

I hope you are trolling if you're saying that "RSA is better than AES" is fact

Rsa is better

no not paid lol

Asymetric always better than symetric system

its for a conservation charity

for what set of criteria?

For the future ... Rsa is better against quantum attack

It was break with the algo Shor but still better than aes

No, just... no

Lmao no joke 😆

Yes

Shor break rsa and aes

Theoricly

If it's already broken with a quantum algorithm, it's not good for post-quantum

Yep but rsa stronger against it

Just saying lol

Ofc it was broke but stronger than aes

I give another fact: ceasar algo > rsa > aes

ok, don't feed the troll, bye!

wdym ?

Its not a troll lol

you're just trolling, but that was a good one, thanks for the laugh!

For the rsa no but ok bye

so... AES-256? Shor's algorithm simply reduces security by the square root of the initial security

so instead of 256 bits of security, you just get 128 bits of security, which is still way too much computation for brute-force (even with quantum computers)

Yes aes 256 is very good

ok, now you seem reasonable. So it's not AES that's broken, it's AES-128

import os
import base64
import subprocess
import random
from Crypto.Cipher import AES


with open("file.exe", "rb") as binary_file:
    binary_file_data = binary_file.read()
    encoded_data = base64.b64encode(binary_file_data)
    base64_message = encoded_data.decode('utf-8')
    random_key = os.urandom(16)
    base64_key = base64.b64encode(random_key)

    binary_file.close()


payload = encoded_data
encrypted_key = base64_key

bs = 128
ks = 256

aesKey = base64.b64decode(encrypted_key)
aesBytes = base64.b64decode(payload)

decipher = AES.new(aesKey, AES.MODE_ECB)


with open("Encrypted.exe", "wb") as Encrypted_file:
    Encrypted_file.write(decipher.decrypt(payload))

When i open the Encrypted.exe file I'm getting this app can't run on this pc

@fluid verge"seem reasonable" 😆

is file.exe supposed to be encrypted?

yea

And you are reading a random key? If so, you basically can't be sure it's the key that was used for encrypting the file

so the keys may be different ?

are you encrypting file.exe or decrypting it?

encrypting it

and then writing the encrypted data in another exe file

you can't run an encrypted file, it's garbage data unless you decrypt it first

It's not like you don't look like trolling. Discrete log and prime factorisation are completely breakable by quantum computers, and AES has only a square root reduction in complexity. So in fact, AES > RSA

how do i decrypt an exe file?

you reverse the steps you did to encrypt it to get your original file back

you need the key to decrypt an encrypted file, with the same key (and scheme) as was used for encryption

what if it's a py2exe file?

or pyinstaller

that doesn't matter

you encrypt an exe, it's no longer executable

you can decrypt it back into the original exe, and run the original

so when i run it it should decrypt?

you can't run the encrypted file

period

how do i make it run xd

if you are trying to do this to protect your code, abandon this idea. you were told as much in your help channel

the file i'm trying to protect is getting false positives on virus total

yes, that's just something that happens with pyinstaller onefile

unless you build pyinstaller yourself

@fluid vergeWell for now i never see a website with a 256 key, even amazon and google still go on 128. Probably its too long for a user 😫

If we all got the time we will go one 2048 bit aes and it will be secure !

There is no 2048 bits AES. It's not in the standard, and it's not even in the proposed scheme

It was a joke ...

And no i just see a website on 256

aes 128 uses less computation than 256 for negligible increase in risk, that's why it's used

Is it possible to decrypt exe files using python?

If you know the encryption scheme and the key, there's no problem with that

python can be used to decrypt packets from close wireless spots

with wireshark, or it just capture packets from the interface im connect to

what's wireshark ?

i don't know exaclty

its gossip, and he tells every details even the lenght of the packets

https://infosecwriteups.com/picoctf-2021-transformation-6242546fba02

does anyone know how useful GIAC qualifications are?

cool

:incoming_envelope: :ok_hand: applied mute to @thorn obsidian until 2021-06-19 20:03 (9 minutes and 59 seconds) (reason: mentions rule: sent 85 mentions in 10s).

!ban 854121856789774336 go troll somewhere else

:x: User is already permanently banned (#40032).

Nice and quick :P

What just happened

ping?

yes

i got pinged

Just someone spam-pinging. They've been removed from the server

Ping

Certs and Qualifications usually depends on the area or company. If you want to know what's relevant in your zone, try looking for recruiters posts on indeed or linkedin or glassdoor. Filter the best looking ones and get a sense on what's needed.

i think i have a giac

is gcfe a giac

yes it is

yeah theyre pretty good qualifications and they will teach you stuff even if you're an industry veteran

but yeah it really depends on industry and who you're looking to get hired by

probably worth trying to get your job to pay for it as well

probably you should look for CTF servers which usually also include cryptography challenges

I don't know any discord server to learn the modern cryptography but
may be this will help you "https://cryptohack.org/challenges/"

also https://cryptopals.com/

@solemn cedar Please don't try to ping @everyone or @here. Your message has been removed. If you believe this was a mistake, please let staff know!

you mean decompile? yeah but its hard and the best you are gonna get is some spaghetti code unless you format it, plus the function and variable names are going to be gibberish unless you have some really good AI

or it might store some IL instead of assembly if the dev compiled it to run in CLR

security through obscurity is rough to break through but not impossible

you would use a crypter that would bind a stub to the file so when its run it decrypts it, you can also build one that decrypts it in memory but thats getting onto the virus side of things

So i have a question, can a python script have this much potential that can actually disable a server, community or an account in another web application? Like sending a remote command to application servers. And yes the app's security sucks

And please ping me when anyone replies to it :D

hey guys. lemme ask a question: how many hours do you code? is it everyday or 5 times a week and many duration you guys code.

to start, i code for about 6 hours a day

3 hours at moring and 3 hours at evening

It depends on if I'm working on something. I'll usually program for 6-8 hours a day if I have an idea. Otherwise, I only practice about 30 mins a day (on new stuff).

Well for me tbh I code like 1 or 2 hours a day and if not I just code random things for testing for 30mins

Hellloooo

How much is/can python be used in cybersecurity?

how do you bind files with python?

no not python specificlly, thats how you would make an encrypted executable

yea ik that but how to do it in python

don't reinvent the wheel:
https://pyarmor.dashingsoft.com/

though pyarmor is still relatively easy to deobfuscate (compared to native code)

How many possible combination there can be in a 8 character password and a 6 character password? Also tell me how you caluculated

Password of what? Does this have numbers? Letters? Symbols? You can use combinatorics to solve this

What would you need to get into cyber security?

Interest and will is the must.

ah yes combinatorics

Rumour has it you need a secure password as well....

just number of possible characters ^ number of characters used
like if you could only use numbers, (0-9), you'd have 1,000,000 possible cases for a 6 digit password (10^6)

ohk

how a system do not detect when a brute force is happening

Is there a way I can check if a piece of HTML is safe? I'm currently using Mozilla's bleach library, but it can only sanitize strings not check them

I am currently just checking that bleach.clean(text) == text but that breaks in practice if text has been sanitized by a different version of bleach, for instance I have HTML documents with <br/> that don't pass validation because bleach now returns <br>

mozilla it's very safe because it already had been exploited in thousands of ways

I have no idea about this, i'm just giving a opinion based in random details that I saw in other people analysis

?

I don't understand how it works, so I will put it that way:

if a user tries a incorrect password one time, the server probably will receive that message. it's ok, everyone made mistakes... but no one can try 100000000 combinations differentes in 10 seconds

There are safe guards typically in place that if invalid attempts reach a certain threshold a lock out happens.

If there is a system between you and the encrypted data then you will most likely be throttled very quickly

most websites wont let you guess indefinitely

An email might be sent to the account holder after x invalid attempts

but you can guess indefinitely out of the system

but somehow with a "mirror system

but if you have direct access to the data store, there is nothing to prevent you from trying as fast as your hardware allows

?

If you had direct access to the system, yes you can never be locked out

but in most cases, if I tried to login to a gmail account that isn't mine. I will be locked out after a certain number of tries

the most random and extensive is better then

like a 4000 characters password

Technically true for security. Yet no one will want a password that long

but it will stores where?

A database

and it is hashed most of the time

yeah, that word appears a lot in links and files right here

other thing, I tried Kali Linux and everytime I used airodump-ng my machine freezes up

What are you trying to do?

crack hashed passwords?

what that means?

I was trying to get PMKID or something like that

a three handshake or something like that, but soon it appears the CPU usage go to the roof and the computer is locked

isn't that for wifi hacking

hey guys

how do i know which encryption is being used here?

'encrypt_msg': lnW7JzI1GT1RAlXrM7k3g88vmBXh6d1z6y+NSjUgoarr/4RC7j13cIi0jt22gU9j03dbt/p2mgPGf45lylOyezsa+EwJNaebR5ehxvKouOq1Qu6Jms1vFn68ucb+4c6wLkv2yqYRz8mOA7ur5rGwUNTIC7G9bFFcXRzWmfasoErc274R7WZBgEDLIm+cLnEs/tySydgajgsJVnMxsv+3uG78/y9hoG84/+MGVDvsaUexS1UUDOGRSn0+bKa6zun/ultnWMkR+Klzw3AaMKmFe5h3BtBaQA1p/P1WBWnmvEX5CcyEvRLwmAuanAr3AP0f8wtotKQDKkCOrfqmu/rCZgh1kj4daMk7Fy1cRK0EHroa95TD7c/jZY5O7PyPCzWUJJp6NerE3byba3L/EKgGbz6JEUXIJcWsdNU/w53rno3dolLwyFpfdLUAREhbsQTDfURMvx28q332CeLIVcpiceh5Sq5YgI2K/r1284NgmgxmeAivmaCbRMZWTb9WQvALm9T6Ye7sK8P+QnRGJO32WWFVV03s7xum5pJCJJndn2EFqejN7bfERFDe9I5KvYaG

i want to reverse engineer this and i also know the decrypted message

5178661735
I know for sure this number is in the message

not without any context on what this is from

a good encryption algorithm will produce ciphertext as good as random. there's no real way to know which cipher is being used from ciphertext

@fading plaza its from a get request to a server

https://www.midasbuy.com/midasbuy/my/buy/pubgm This page

in this input

i want to make a get request from python but my lack of knowledge forbids me

is this the right place to ask about permissions issues?

Either here or #unix, depending what kinds of permissions you are talking about

What is the difference between Science Comp, Cyber Security & IT

I'm having a windows permissions issue when running some code. Can anyone help?

I've spent a few hours trying to resolve PermissionError: [WinError 5] Access is denied

@robust stratus did you try to run the program as administrator?

I need to make a private api that is only used by the application. How do I do that? I don’t want anyone to call the api outside the application.

Are you setting up a microservice for a larger application that is hosted in a different container or server?

It will be hosted on Google cloud platform along with the database

https://tenor.com/view/tonton-tonton-sticker-no-nope-gif-13636081

?

i have a question related to networking/packets/cybersec
lets say that i own a car and i use my wireless key to open my car

key -> send data to car -> car -> open doors

ive heard people could grab the radio frequency (packets) and copy it and use it to unlock my car

how could someone defend themselves from this?
i dont know how to explain it a little better since im dumb

#help-lemon

This is actually a really good question. There are a couple different methods. The most obvious one is to simply expand the length of the packets that need to be transferred, resulting in a longer key. This still faces the same problem, though, but it provides more opportunity for environmental error introduction. Another method is to increase the complexity of the key, in hopes that it'll make it more difficult for someone to essentially record the packets transmitted. The third option, and the one that would make it most secure is just adding more requirements to the key. Specifically, a lot of garage doors can actually be opened with minimal hardware by simply playing through all the possible frequency combinations, essentially brute-forcing it. The simple requirement that there is no information transmitted before the key begins can multiply the duration of that brute-forcing tenfold. Adding on other requirements, like distinct product recognition, can help to reduce that. In this case, a very simple method would be adding a counter that changes the "key" slightly every time, transmitting say "236467256a-1" followed by "236467256a-2", and then -3, and so on.

thanks for the great explanation, cant we just encrypt the traffic between these devices/keys?

like the key sends a car a request to send data

the car creates a session with new keys and sends the public key to the Key device

key device receives it, encrypts the data needed to unlock the car and send it

a new session or a new request to send data will have different keys to deter hackers from snooping in the traffic

that would only really work if the car created a distinct session each time, with a different key system for each

lmao, that's what you just said

the main point is that that process involves a whole lot more hardware than just receiving a set signal

and a whole lot more software as well

keeping things in security as simple as possible is desirable, especially when a thing as costly as a car hangs in the balance, since more complicated systems have proportionately more bugs

true that

the lost is efficiency and cost
the gain is security

the chances of a hacker stealing your car is slim

very slim

hackers were already able to take control of internet-linked cars in 2015. That includes all systems, from steering to radio, heating, and locks.

the fact the car industry is very unregulated is scary

did u know ur car manufacturer could listen on ur calls,etc...

they can do whatever the fuk they way

and get a way with it

If a person is already investing sufficiently to get hardware that's capable of recording and re-transmitting a key, they'll likely be able and willing to invest time, effort, and money into achieving that same goal through other means.

I mean, theoretically there are privacy laws to protect you, but a lot of car manufacturers have you agree to terms of service that basically waive those rights.

thanks for the chat dude, do u know how someone could protect themselves from this sort of attacks?

throw car keys away and use phones as general keys :D

an encryption function could easily be built

a phone can be a general purpose device as a key

In addition to that, it's really hard to regulate past transmissions and vehicle data, since data privacy rights get kinda blurred. If you have a vehicle that's collecting data like addresses you commonly visit in order to help you navigate in the future is also communicating with other personal devices of yours, like your phone if you're playing music or on a call, the storage of that data, at least temporarily, is necessary, and establishing any sort of hard regulation on when to get rid of that data can be tricky for safety reasons, like sending a text as soon as someone is in cell range, which could be necessary in an emergency.

agreed

I literally built my own AES-like encryption in Python a while back. I have the theoretical (and practical) capability of encrypting information to as many bits as I want.

could i take a look?

And the thing is, it's really not that hard.

im not that good at data encryption, i only know some protocols

ye its not

multiple modules these days

fun fact, sharing encryption software that can encrypt beyond 256-bits internationally is a felony in most countries

that does the maths for ya

bruh

pgp email time

jkjk

is there an already made list?

Sadly, I don't think I can share my program for this reason, but there are ample resources online, and it's really just basic syntax.

so technically someone can frame me and put aes512 encryption code on my computer

smh not pog

The other side to that is that most computers are capable of encrypting way beyond 256 bits anyways

is there more then AES512?

Theoretically, yes, but most commercial encryption programs don't really go beyond 10 or 12-cycle aes256

it just really isn't necessary

cracking 8-cycle aes256 already takes multiple centuries with a supercomputer

and actually, I saw a thread about this, if one were to store all of the possible decryptions, there wouldn't be enough atoms in the universe to store that information, even if each atom were able to represent a bit, or even a byte

plus, the energy costs for that storage of information already exceed the total energy contained within our solar system at something like 16-cycle 128-bit

then again, it doesn't really make sense to store all of that, but it's a fun thought experiment

and it makes the cia's employment of ~5k mathematicians far more logical

anyway, gtg, nice talking to you

same! have a nice day

great talk

e

n

Anyone know how to make an Akamai gen?

Before you learned ethical hacking what IT skills did you need to learn first? I'm very new to all of these things and im trying to get started. Im trying to find a foundation for learning ethical hacking.

Alright, I've found these things are good to learn. Networking skills, Learning to operate with Linux, using Kali Linux, and what else?

@thorn obsidian i highly recommend using an existing crypto protocol like ssl/tls or ssh

no

https://docs.python.org/3/library/ssl.html

Isnt ssh a protocol ?
As i remember, u cant use it as an encryption system, no ?

Ok, data are crypted, using ssh, sorry !

Alright, I've found these things are good to learn in IT before I learn cyber security. Networking skills, Learning to operate with Linux, and using Kali Linux. What else is there?( Sorry for repeatedly posting this but Im trying to learn the stuff I should learn as soon as possible)

Looking for advice: I'm working on a project that will allow me to schedule recurring buys using the coinbase api. Using OAuth2 I'm given an access token that expires after 2 hours. This means my program will not be able to complete a scheduled buy in the future unless I store the refresh token and get a new access token before each buy. This sounds like a security issue, but I'm not sure of a safe solution really.

use binance

Can anyone solve this puzzle?

←←↓→↑↑←↓
↑←→↓←↑↑→ ↑←↓→↑↑↓↑
←↑↓↓↑↑↑↓ ↑←→→↑→↑→
↑↑↓→↑↑↓← ↑↑↓↓↑↓↑→

Info:
It's not a Konami code
All you need to solve it is the cipher itself
It's not FNF
It's not a cheat code
It's not 84210 or 9602
It's not an arrow alphabet
The answer is not 7 words or letters long
It's 100% original, you won't find anything about it anywhere else
The final result is text, not numbers.

numbers are text

Yeah but switching up APIs in the middle of this project will be a hassle

dude

why are u complaining about APIs

those are easy

ur not changing ur whole code

nerd

ok

I'm not complaining hahaha I'm trying to work with an api and I asked a question.

The current "norm" for RSA is using an n that is at least 2048 bits-long

Cybersecurity is all about working in companies?

There are no freelance?

@wild dagger there are freelance bug bounty programs. Look up hackerone and bugcrowd to start

yo does anyone know if theres a function that can convert characters like "ÆØÅ" into their counterpart Æ becomes AE

I know

def convert_ae(string:str):
    return "".join(["ae" for char in string if char=="æ"])

For "æ" character only

https://pypi.org/project/Unidecode/ @thorn obsidian

https://www.thisworldthesedays.com/math-equation-explenation.html

???

def convert_ae(string:str):
return "".join(["ae" for char in string if char=="æ"])

what

hard

I now player

?

hello I was wondering how i can make sure a link is safe

i currently use virustotal.com

are there other tools i can use to further protect myself

Idk, screwing ass in bug bounty and there is very low chance to find vulnerability in game or else software.
I think only super pro's can work in this freelance section

is hacking and ethical hacking the same?

no

https://www.kaspersky.com/resource-center/definitions/hacker-hat-types

I'd argue ethical hacking is a subdomain within hacking. not even that, they are the same thing with different intentions and permissions

Hey guys so I'm interested in cybersecurity and want to start the basics so I can get a head start before college, where should I start? I have no knowledge at all and there's just a ton of information out there all saying different things.

I also want to learn cybersecurity

pls can anyone help me

Great idea, I also want to learn more about security with Python, are there any references, books, blog post, or website that newbies like me can learn from? thank you!

first you need to know a software language, then you should take cyber security lessons from youtube or udemy, then you need to install linux-based operating systems and try yourself

thats all

if i post all my personal information to internet will it be impossible to doxx me because i already doxxed myself?

oml

well

yeah

@cedar imp

just you'lll be dead

@cedar imp no, sometimes doxing includes looking at social media

ok

Is anyone here familiar with the "privacy engineering" field? Please DM me, I have some questions 😄

hey

someone here ? dm please

Hackthebox

Same, hackthebox

This can be used for illegal purposes, so please don't ask people about it here

idt htb is that good for beginners

picoctf, overthewire and tryhackme are good

oh okay, im sorry

Hello smart people!
Can you solve this simple challenge i made

↑, ↓, →, →

Hint:
It use tab to work :)

DM for more clue or straight up a answer

Well, it selects your message, but other than that, nothing

Its a alphabet challenge

?

Just write your question here! What do you mean by "privacy engineering"?

What's up?

Well it's a specific field focused on implementing legal and ethical privacy requirements into software development

I am wondering if anyone works in that field and knows more about the type of work it entails exactly

As I am interested in that direction since I have a background in privacy law

I am afraid that I am not familiar with this area But it would be nice to read some blog post or short article if you have something interesting

This is a nice example 😄 https://iapp.org/resources/article/privacy-engineer-sample-job-description/

that's what I did

oh, what a surprise

can someone help me decrypt something
It's a message I did 2 years ago and I forgot how to decrypt it

no unfortunately no one can magically read what the message was if you dont provide it

yes but pls share the message

so we can help you out by decrypting

Do you know the encryption scheme? If not it's almost impossible to decrypt ciphertext

I'm fooling around with some reverse engineering tools like ghidra and ida at the moment and I'm wondering how you would "hide" a string? For example if I have a secret api key thats part of a compiled .exe that I give out to other people, how can I prevent them from reading the api key from the executable?

In general, that will never be safe. You can always just monitor network requests.

or dump the entire memory of a process

Hmm I see, but there are probably other situations where hiding a string would help, is there any way to do this?

dm u bout what

what

Different users should have different secret API keys, you shouldn't share your secret token in that way (compiling it into binary) if you don't want to share this token with users. Regardless of method which you use to "protect" your token you should have assumed that this "secret" is publicly available then.

if the program has to send the api key with a request, it is impossible to prevent people from extracting it

Yes. If the program is running on the user's hardware, they can figure out what it's doing.

Yeah I got it, it's never secure when the key is transmitted over the internet anyway, but I'm talking about a fictive use case where the key is only used within the application. Is there any way to at least make it harder for an attacker to find it?

Nope

um help

how do I kill a python process in the terminal in kali linux?

I ran a file, and now can't get out of it without closing the terminal

and I don't want to reopen terminal alot of times for testing my code

Does Ctrl+C not work?

no it doesn't

I think it's because of the connection

is there any way I can fix it?

I don't really want to scan 500 ports now

Use htop and kill it using SIGTERM signal

umm how do you do that?

Type htop in terminal, find process and then press F9, select SIGTERM and kill with Enter

it doesn't work

First of all, install htop

Secondly, I think it's not related to channel's topic

!rule 7

oh yes

Errrr... Is it a super big pain in the booty to create a VPN? I'm honestly not quite sure... It sounds like it could, but to be perfectly honest i don't know. I dont have money to buy one and honestly i dont know if just downloading free ones would be better or making my own

Making your own vpn wont necessarily decrease any costs, in fact it may makes thing more expensive. You will need some kind of place to route traffic through which is usually servers at remote locations, and renting existing ones costs money.

Ah... Good point... 😬 damn... Well I cannot pay for one under any circumstances unfortunately so well... Er... Do you know any good free ones? 😂

ProtonVPN is decent, you can also look into some free proxies options if you want, which might be helpful

Hmmm okay, thank you. What about others like Norton and Nord?

probably good too, dont have too much experience with them

Everybody seems to really like Proton for some reaosn

it's free with no data limit

not many VPNs like that at the moment

Why is that so... Rare?

because there's very little profit there, and at the end of the day companies are there to make money

it's hard to generate profit the usual free usage methods, advertisements aren't particularly easy to implement, and selling data would defeat the purpose of a VPN (admittedly they probably don't care about that, but if it became public they would probably go out of business)

hi

Hello. I'm impleneting jwt using the jose-jwt library. In my API I have two endpoints:

/login
<credentials>
(validate credentials)
return access_token: token, refresh_token: token

/refresh
<refresh_token>
(validate refresh_token)
return access_token: token

lets say user-A logins and gets a refresh token and access token. Then his refresh token gets leaked somehow and user-B generates an another access_token via the /refresh endpoint, now there would be two access tokens. Is there a way to make the first access token not usable any longer? I found a way to make the second one not usable but that means that even user-A cant generate a new one after a session, which is not right.
Ideally the refresh token would also reset, causing all users to authorize themselves again.

how can i find md5 hashes for a dictionary file i have made with random phrases and words

what discord.cpp:111 means?

line 111 of file discord.cpp, I suppose?

and after that JS Console

are you sure it's relevant to this channel's topic?

no, I don't know what it is

Well, the JS Console is a Javascript console... like a Python console/REPL

so DIscord it's running from two different sources?

or the cpp code it's passing to the JS console

there's probably a couple or more languages used to make Discord run indeed

Hi I have a class project of 3-4 months that should focus on a specific field in cs and do a deep research about it. I am really interested in 'data security' encryption types ans so on... if any of you have a good project idea with somewhat of a wow factor it would be greatly appreciated!(I'm quite fluent in python and cpp).

implementing cryptographic primitives can be somewhat interesting, especially when following a standard. So if you want to go that way, implementing correctly something like AES, RSA, SHA-2, maybe even SHA-3 if you have time, is at least interesting, but (except SHA-3) not does not have that much of a wow factor

Implementing AES efficiently with several block encryption modes is not easy, testing it correctly is hard (especially if you try to implement it securely)

yeah I agree that to study the math of the encryption algos is quite fun I researched about the math behind RSA cause it's quite simple, I thought about implementing a tor messaging app which has somewhat of a wow factor to it

If you use encryption libraries for your school project, you are somewhat doing it wrong, sadly. The problem is that you'd need to implement (corectly) all the relevant algorithms beforehand to use the same algorithms in a library for your project, just to ensure that you've done it correctly. And Elliptic Curve Cryptography is not an easy thing to use (and it's pretty much everywhere in key exchanges)

gotcha thx for the info

Odd, well that's weird 0.o

What are you mean? If you have list of phrases in a file read it line-by-line and hash it to get hashes

Downloading the open source one will be better than making your own, definitely

What’s the best library for encryption/decryption?

hashlib

Does it have the key thingy?

what key

So I can decrypt things using a key.

Kinda like a password.

https://docs.python.org/3/library/hashlib.html

Yes you can give it a password and it decrypts it for you

I see. Thank you!

cryptography.io?

Hashlib is not for encrypting/decrypting as far as I know

Whatever

It not "decrypts", it makes hash

Nope

There is big difference between ciphers and hash functions

If the owner of a platform can decrypt a password, then you should never use the platform in the first place, because it's pretty much as good as plaintext passwords from the point of view of the attacker

they'd just need to find the encryption key and the deed is done

Wow, what an original name just saying. Anyway, thank you! Now I can curse at people without them knowing.

lmao

yTs~Q!}Ho%xv0KUN<4AL

Fick.

The key/password is 9 by the way everyone! So whoever said just know the key and you are set goodluck xd

I don’t know what to do with it

depends what the algorithm is. I won't try to reverse that, while an attacker would (and that's the difference between an attacker and some random person in the internet)

Yes but to try reverse it you would need to know the algorithm I used and how it is implemented.

Before you could bruteforce the key/use other attack methods.

you only need to brute-force algorithms and wait until you get an English word or sentence

By that logic your answer would be every possible English sentence that fits within the length of that ciphertext.

Unless you are saying once you know the algorithm, in which case you are agreeing with me.

Well algorithm and implementation*

if you know the algorithm and the key, you immediately get the plaintext

I mean replace immediately with can and you are correct. Though no one disagreed with that...

if you know the key, just brute-force usual algorithms before trying exotic ones

If we don't consider implementation, sure.

There are cryptography analysis methods which treats attacked algorithm as a black box - so you don't need to know any details

However I am not sure what them do in details, I only heard about them

black box analysis is a kind of side-channel analysis. However, since we don't have any implementation, we can't use side-channel. This is a cryptanalysis challenge

Hmm, right. Black box analysis looks like method to get the key, not the algorithm itself

You usually don't even know the algorithm in black-box analysis, you need to reverse it first

Like Enigma?

that would be a cryptanalysis challenge rather than a black-box challenge

With black-box analysis, you have a device that does an encryption, and you can record pretty much everything about the behaviour of the device. You can record a power trace, an electromagnetic trace, analyse each layer of the device's main silicon chip, glitch it to see what happens, etc.

from what you get, you can reverse the encryption algorithm and maybe find the key from other identical devices

👍

The most common analysis is grey-box analysis: you have some information about the device's behaviour, maybe you have the algorithm, maybe parts of the protection, things like that

And then you have white-box, where you have everything

I am doing an internship at a company that does hardware security evaluations, most commonly grey-box evaluation (including analysis) because clients usually don't want to give details of their code to evaluators (and thus it's not white box), or there is no unsecured version to compare against (thus you can't evaluate the strength of the protections themselves)

Good to know, I know this kind of analysis only from academical point of view

web scraping

is it dangerous storing a serialized file containning password hashes in google drive?

You shouldn't store secrets in plaintext (serialization is treated as plaintext)

You should encrypt it for example

the files content is encrypted

user inputs: input gets hashed -> salt is added -> serialized into a file

Encrypted or hashed?

If user input is hashed it is okay too

hashed

Which hash function are you using?

whats the difference between encryption and hashes

oh

is hashing 1 way only

Encryption is reversible

gotchu

👍

doesnt that mean that if there is a popular encryption algorithm it can easily be decrypted by potentioal attackers?

They need to guess or crack the key

o

so like

a different key

gives diferent encryption?

Yep

!e

import cryptography

@lapis radish :x: Your eval job has completed with return code 1.

001 | Traceback (most recent call last):
002 |   File "<string>", line 1, in <module>
003 | ModuleNotFoundError: No module named 'cryptography'

Sorry, I cannot show it with bot

@spark acorn

sha156

with salt

Random salt per every entry, right?

yes

I think that SHA-2 256 can be not strong enough if you want to store users' passwords All depends on informations which you want to hash

well isnt the biggest flaw with hashes rainbowtables?

with a lil bit of salt shouldnt I bee good to go?

As far as I know rainbow tables is not the problem when you are using unique and long enough salts

Currently you should focus on taking hash function which performance will be low on GPU and FPGA/ASIC devices

im not really that concerned as I am just using it for the codejam submission

very simple passwords are easily cracked

you're most safe if you salt + pepper it

For example performance of some hashes on Nvidia GeForce RTX 3080

MD5                        58814.9 MH/s
SHA-1                      18828.4 MH/s
SHA-2 256                   8120.5 MH/s
scrypt (Iterations: 16384)    2450  H/s
bcrypt (Iterations: 32)      77226  H/s

pepper eliminates offline guessing

https://www.youtube.com/watch?v=FvstbO787Qo @lapis radish @spark acorn this goes over it pretty quickly and accurately

watched it already 🙂

then you're good to go imo :)

ok ty

You need to store pepper somewhere so how it eliminates offline guessing?

watch the video

the point of the pepper is to store it differently than a salt

in an ideal scenario, the attacker would never even have access to your user/password hashes

in addition to that, you'd implement hash/salt/pepper

in case of an employee gone mad, for example

Right, but when algorithm is poor attacker still can guess a pepper so from my point of view good algorithm is more important than adding a pepper

In an ideal scenario the database shouldn't contain hash of the password but public key and you should authenticate by using your private one 🙂

You are correct

I'd say all 3 are important

how python can help in ethical hacking

I am new in hacking world

and someone said learn python first

You can easily automate your work with Python and shell scripts

Hey guys can anyone tell me how can I make a python script that caan encode and decode a image

oh thanks

can you tell me how I will learn python here

!resources

What do you mean? To bytes or what?

How many categories r there

@lapis radish

Tell me please what do you want to do

Expected input and output

i want to make a encoder and decoder

but how

what are you encoding to

encode just means to convert from one format to another

Does anyone know how to make a token without accessing a route
For example in my application of two types of user. Client user and admin user. both the client token and the ADM token are able to access all end-points
How do I make the client's token not be authorized in the user's route

I'd like to test if my encoding algorithm is strong, how can I do that?

You can write C2 servers really easily using python, you can write security scripts such as vulnerability scanners, web crawlers, spoofing and much more.

find out how many permutations there are

permutations?

How many possibilties/combinations there are, u have to use a mathematical formula i believe, but with the AES 128 bits, to calculate 2^128 = 3.4028237e+38 permutations, so 3.4028237e+38 possible combinations which for the most powerful computer will take 885 quadrillion years to crack

I don't use any mathematical formula ._.

But I get the idea yeah

Thanks

np

So I've made an header for my API and because I don't want it to be reverse engineered I encrypted it

b'\x80\x05\x95\xb7\x00\x00\x00\x00\x00\x00\x00}\x94(\x8c\x01p\x94\x8cwN]125xz&5b8xSlok13&w0&63gl3f@$K$2\rO\x08\x03\x15\x10#,\x0fB\x02Fs\x05\x17\\bo(i).b\x13y\x1d\x119\x0b\x03y\x03@$iF\x10\x1dU\x034 \x1fm\x08:xih9;1\x19\x1e\nq\x0c;)x3Xnh]_ZBlB9d(b@4!_n8pn4%@3\x94\x8c\x01m\x94C\x1ctN)\x19\x17H\x02_!\x15\x05\x0e\n\x07v\x054A:.2\x0bUX\x1a\x13\x15p\x94\x8c\x01t\x94\x8c\n1626150368\x94u.'

This is how it look and the key to decode the message is inside the request so, everything to decode is here, no need of any key or else

And I wanted to know if it's possible to break it

Encoding or encrypting?

Encoding =/= encrypting, decoding =/= decrypting

Encoding

Encoding:

Purpose: The purpose of encoding is to transform data so that it can be properly (and safely) consumed by a different type of system.

Used for: Maintaining data usability i.e., to ensure that it is able to be properly consumed.

Data Retrieval Mechanism: No key and can be easily reversed provided we know what algorithm was used in encoding.

Algorithms Used: ASCII, Unicode, URL Encoding, Base64.

Example: Binary data being sent over email, or viewing special characters on a web page.

Encryption:

Purpose: The purpose of encryption is to transform data in order to keep it secret from others.

Used for: Maintaining data confidentiality i.e., to ensure the data cannot be consumed by anyone other than the intended recipient(s).

Data Retrieval Mechanism: Original data can be obtained if we know the key and encryption algorithm used.

Algorithms Used: AES, Blowfish, RSA.

Example: Sending someone a secret letter that only they should be able to read, or securely sending a password over the Internet.

Since the key to decode is in the message...

Then the key of encoding is to produce the smallest possible output afaik

I cannot find trait such as "being secure" in case of encoding

Hmmm

What is this then? ._.

When you have ciphertext then we can talk about security

Yeah, this was the purpose

I'm lost 😅

Sorry

Wait, this is dumps with pickle

gimme a sec

{'p': 'N]125xz&5b8xSlok13&w0&63gl3f@$K$2\rO\x08\x03\x15\x10#,\x0fB\x02Fs\x05\x17\\bo(i).b\x13y\x1d\x119\x0b\x03y\x03@$iF\x10\x1dU\x034 \x1fm\x08:xih9;1\x19\x1e\nq\x0c;)x3Xnh]_ZBlB9d(b@4!_n8pn4%@3', 'm': b'tN)\x19\x17H\x02_!\x15\x05\x0e\n\x07v\x054A:.2\x0bUX\x1a\x13\x15p', 't': '1626150368'}

this is how the header look normaly

wait if the key is within the request thats easily decrypted

unless you're rolling your own or something

which is also bad

Try to decrypt the message

well i can't without any context

i dont even know what the key is

(which can be easily obtained if an attacker monitors the network)

why do you want to prevent someone from reverse engineering your api anyways

it should be properly protected with authentication

wdym? with a lot of request you can get the key?

the key to decode the message is inside the request so
am i right in assuming that:

• client makes request to server, request includes the encryption key
• server sends response, that is encrypted with the key from the client
• client decrypts with said key

im not exactly sure what the encryption is supposed to accomplish

because https is already a thing

some software can reverse it apparently

???

charles proxy

xd thats a client side thing

Ahhh

You talk server sided xD

Okk

your attacker already has access to the client side code, they can read the messages after the client decrypts it anyways

Yeah, but the client sided is compiled/protected like a normal "good" software

I just want that if the request is catch by someone else, it won't be decoded and cannot be read

https already prevents that

Ok

But, is it breakable by any way?

Never mind, thanks guys for your answers, I guess I'll have to do more research on the subject x)

Thanks

np

that does absolutely nothing

Hello everyone,
Quick question - If I wanted to safely install Kali Linux on my Windows laptop, is the best way to do it to use vmware? I'm not planning on becoming a cybersec expert, just want to get familiar with the tools. So preferably I'd have something I can easily uninstall/delete after

virtualbox is better I think

Oracle VirtualBox?
Would you say it's easier to manage/use than the other methods of installing Kali?

it's all nmap scripts and google posting

.

We are not going to help you with cracking programs.

!rule 5

@high kettle and please do not spam your messages across multiple channels. It's annoying

sorry

can you guys help me

if you know

okay sorry

This looks like a question for #databases . Feel free to ask there.

if you know

can we talk

in dms?

i'll show

you

basically python used for exploits

le nmap scripting engine

NES

oh thanks pls help me

I'm pretty sure u know this but it is not only used for exploits

Hello, does anybody here know how to pen test?

if so can you teach me?

What do you want to pentest?

a website

Yours?

!rule 5

If it's not yours, you really need to provide a proof of having the owner's permission

here is my situation

i have been given creative liberty to test a webstite

i am to record its flaws and provide suggestions

this includes security

however i do not know how to test the security

so here is my question, can i be provided help, or does this breach the server's rules

?

Assuming the owner's permission extends to any you would employ to help you, you cannot ask for this to be a paid job (because of the server's rules), but that obviously needs paying (because pentesting a whole application is a full-on job)

!rule 9

for reference

oh

If the owner's consent does not extend to someone you'd ask for help (and you really need to ask them before giving someone access to your application), then that's also against the server's rules

!rule 5

but i am not asking to employ someone

i am asking to be taught

so then what is to be made of my situation

However, pentesting is difficult (I have a colleague that is learning to pentest, and it's going to take months for him to get good at it). I'm not sure you can learn within the given deadlines.
I'd recommend watching the LiveOverflow Youtube channel. I think for a web app, you probably want to start with his "Web Hacking" playlist (link to the first video in the playlist here: https://www.youtube.com/watch?v=jmgsgjPn1vs&list=PLhixgUqwRTjx2BmNF5-GddyqZcizwLLGP)
I'm not a pentester, and I can't really judge his content's usefulness for future pentesters, but I think you'll get the basics with those, though maybe a little late (depending on you deadlines)

Thank you B)

Your help is well appreciated

Yes