#cybersecurity

cookies contain secure encryption which JWT lacks

haha. or perhaps use both as you mentioned

although i wouldn't save the JWT on the client for security reasons

final_token = self.encode_jwt({"login": {"username": "shadykaty"}})
self.jwt_token = final_token
Server.session["cookie_jwt"] = self.jwt_token

???

If you have security concerns about distributing JWTs then I don't think you understand cryptographic signing.

the whole point of a JWT is you don't have to cram it into the session.

If you're going to use the session, why not just store the data there as a dictionary instead of a jwt?

clients cannot forge signed jwts.

like the 9th time

Unless for some reason the client has your private key, they can't sign JWTs as you.

Any JWT which is not properly signed, you discard.

If you want to use the session that's fine, but if you want to use the session then why are you using JWTs at all?

Providing an authenticating JWT to the client is literally wikipedia's example of a use-case for JWTs.

For example, a server could generate a token that has the claim "logged in as administrator" and provide that to a client. The client could then use that token to prove that it is logged in as admin. The tokens can be signed by one party's private key (usually the server's) so that party can subsequently verify the token is legitimate. If the other party, by some suitable and trustworthy means, is in possession of the corresponding public key, they too are able to verify the token's legitimacy.

Server signs the JWT

Server can then check the legitimacy of the JWT

does python work for OS like Linux?

Are you asking if Python runs on Linux? Yes, very nicely.

oh nice

ive done a tutorial book on python

but after reading it i was like, ok i get how the tools work

but how can i learn how to build a house with these tools so to speak?

what is a good path for me to actually build a piece of software? if there a sort of software project one can start with?

Do you want to build something like Linux in Python, or just want to run Python on a computer that runs Linux?

the latter. i dont have the competency to make a linux type os by far

Best way after getting the basics of the language is to build something you want to use.

i just want to learn how to sse python in general as a whole

A simple game maybe, some automation tool for personal use.

ok i see

building real software takes more knowledge than you'll get from an introductory book, but small projects are a good way to start even if they're not actually very useful

you'll get a feel for how to design logic from scratch which is what matters

Man you can do it easily using regex and dictionaries I think

how do u give an exe file to someone and they think its a virus

If you like working with data, make some analysis tool or cipher. If you like internet stuff, get your local weather data or something from an API. If you like the idea of getting current news or something, make a web scraper.

Lots you can do.

?

Misinformation and old attacks. Executables are generally known as a magic block that can do a lot of potentially bad things, in the eyes of the general public. Also yes, now days just about any anti virus can stop a bad executable but still it is the perceptions.

Do we need maths in oder to work in cyber security field?

It depends on what you want to do, but you may need some heavy math to solve some problems

probably not

I mean you need really really basic math

but that's pretty much it. It's not like you need trig

i see, thanks. Im thinking about doing master in CC in my college, although they focus a lot of math, so i wanted to check >.<

yea colleges often want you to do calculus and stuff

yeah, linear algebra and so on...

im a little bit pissed tbh, im in a college, they learn us to code, tons of maths etc, but in the end after a get Bsc, people have 0 knowledge how to install Linux for example, it sucks

From my point of view universities are not to learn you how to install Linux or how to code

Universities are to learn you how to think like engineer, how to do your work good whatever language you pick

can be, lets take coding only for example. We have python course for 3 months (once a week), after those 3 months we just rapidly switch to C#, so we are kinda not sure if you can even understand basics of python. C# also lasts for 3 months, same story for it. So kinda we know something, but know nothing xD

I don't like courses, I prefer to learn with my pace 👍

thats a very good decision, i f'd myself up with the idea of taking all these courses

Also there is a point that you will be that you can't find any course at your experience so finally you will need to learn from docs and so on

It's probably good place to start but when you know the basics then you should learn on your own

yeah, that would be the only positive thing lol

@jade rover Going back to your question - math is not necessary when you want to be a cybersec expert (still depends what do you mean by cybersecurity) but it's really nice to have math background

lets say ethical hacking for example

From my point of view hacking requires math skills

Strong math skills to be precise

Still depends what do you want to hack but generally imho you should know at least algebra and statistics

algebra and statistics are cool, but trigonometry is the real devil 😄

idk if trigonometry is involved there

I think that trigonometry is so universal that can be used somewhere but I cannot remember any trigonometry exercises from my studies

Mostly number theory, probabilistics and algebra

lol for what?

cryptography, brute forcing, understanding algorithms etc etc

You don't need math to use cryptography, only to design it.

not a lot of math skills for brute forcing, except to figure out how many billions of years it'll take

You don't need math for brute force either, and brute force is pretty much dead anyways.

Like @vagrant mist noticed, it's necessary to understand the algorithms and protocols

"understanding algorithms" is more of a CS thing. Handy to know but not necessary

I can't see much application in terms of most protocol either, speaking as someone who basically swims in protocols for a living

From my point of view is difficult to understand crypto algorithms without math skills

Like basic math sure

Who cares?

You think I understand how curve25519 works? Fuck no lol, I'm way too dumb.

how are you supposed to understand and apply security flaws in protocols and algorithms if you don't understand the protocols and algorithms?

Do you know how elliptic curves work at all?

Anyway, I am not a hacker, I done few CTFs so...

Nope. That's for cryptographers to study. But I still know how to design secure cryptosystems using the features of 25519

I'm way too dumb for that, I failed calc 1 twice.

So you know that EC are secure but you don't understand why when you don't have in-depth knowledge

Besides, most hackers will never have to actually exploit protocols.

Like at the level of the protocol implementation.

You'll often exploit application layer logic

but that's the bulk of it. Shit like SSTI

Not much math there

Agree but when you will have a need to break algorithm or protocol what do you say? "I am not this type of hacker"? It's not personal or offensive, I am just curious 👍

Breaking cryptographic algorithms I'll leave up to cryptographers. There are already way smarter people trying to break those all the time, I can't contribute anything there.

I pretty much swim in protocols tho

Love protocols. But most people don't.

So, ask people who don't understand protocols I guess.

Protocols are just algorithms with few sides lol
How can anyone doesn't like it?

¯_(ツ)_/¯

Anyway, thanks for your input but imho math skills can be useful when you want to understand some deep mechanisms

Like electronic skills can be useful when you are doing some time/energy consumption attacks

I mean sure, literally any skill can be useful at least some of the time

👍

But their question wasn't "Can math possibly benefit me in this field?". The question was "Do you need it?"

And the answer to that is no.

Hmm, depends? From my point of view

well obviously you don't need it, you just need it to be good at it

Anyway, I am glad that this channel is going to be quite more active 😂

Going sleep rn , will read your conversation tomorrow

.rtfm pyc channel_type

.rftm pyc channel_type

hi hi o/ wondering if because of the GIL, python based web apps like FastAPI are more resilient against buffer overflow attacks or something similar?

The two are irrelevant to eachother

Python uses reference counting and garbage collection to determine when to free memory. When an object is no longer referenced by any other object, it is deleted.

That's all well and good

But when you have multiple threads trying to work at the same time, you get race conditions.

Specifically, you get race conditions when two threads both try to edit reference counts at once.

The GIL was created to solve this problem.

The GIL ensures only one thread can modify the state of the interpreter at once. Meaning only one thread can change reference counts at once.

Also, worth noting that this only prevents race conditions in the interpreter's internal state. It will not prevent race conditions in the programmer's code.

Buffer overflow is a wholly separate class of bug to race conditions. A buffer overflow occurs when more data is written to or read from an address than should be allowed

This causes the read / write to continue past the end of the buffer and into adjacent memory

Either writing memory outside of the buffer which might be needed for other things, or reading memory outside of the buffer which might contain things that shouldn't be read.

Python source itself is more or less "immune" in the sense that all raw memory access is handled through the interpreter.

Usually (we'll get to that)

However, the interpreter of course does have to handle all that raw memory correctly

So if the interpreter has a fault in how it handles memory somewhere, then memory based bugs can occur.

Also

Certain python libraries are implemented in C and have Python bindings which call into the C code.

So if that C code has a fault in how it handles memory somewhere, then memory based bugs can occur there too.

As an example, there was recently a bug fixed in the code which implements generators in Python.

Generators have a method called raise which raises an exception from within the generator, and this method is written in C.

It requires you to pass an Exception class to the raise function

raise will then call the constructor and generate an exception from whatever the constructor returned.

However, it had a bug. Raise's C implementation would call the constructor, receive back a pointer, and then immediately try to use this pointer as a pointer to an Exception structure.

If the constructor returned a different kind of object, raise would get a pointer to a different structure, and accessing it as if it were an exception structure resulted in a null pointer deref bug.

In fixed releases, raise checks the type of the object returned by the constructor, and raises TypeError if the object was not an exception as expected.

mb, the method isn't raise, it's throw

You can reproduce it in unpatched releases though:

def mk_generator():
    yield

class NotException(BaseException):
    def __new__(*_):
        return 0

gen = mk_generator()
gen.throw(NotException)

On patched versions this will say something like "Should have returned instance of BaseException not int"

On unpatched versions, the interpreter will most likely just crash since dereferencing a null pointer is typically a segment violation.

oh my glob what an amazing answer, you are amazing @nimble lily

AES-256

best method of encryption rn.

not for everything

So I went to my download files and saw a cr download file that has been on my computer since 2018 and was deleted in 2019, so it has been in my computer for a year and when I scanned it, it said potentially unwanted application. But it was a cr download file, so was it in my system for me to even worry from the beginning?

for row in cursor.fetchall(): origin_url = row[0] action_url = row[1] username = row[2] password = decrypt_password(row[3], key) date_created = row[4] date_last_used = row[5] if username or password: print(f"Origin URL: {origin_url}") print(f"Action URL: {action_url}") print(f"Username: {username}") listas = [] username = ''.join(listas) print(listas) print(f"Password: {password}") when I use command print(listas) it prints listas[]

maybe you guys know whats wrong?

Wrong channel but I'll bite... You define listasas an empty list and you never add anything to it so it remains []. Not sure what you are trying to do but your code works as I would expect.

Why? How 256 variant is stronger than 128 or 192?

why do you think

At least you are processing 128-bit blocks, regardless of key size

I don't know any proof that 256 is stronger than 192 and 192 is stronger than 128 so if you have any - feel free to share it with me! 🙂

google is ur friend

AES 128 uses 10 rounds, AES 192 uses 12 rounds, and AES 256 uses 14 rounds. The more rounds, the more complex the encryption, making AES 256 the most secure AES implementation. It should be noted that with a longer key and more rounds comes higher performance requirements.29 Jul 2019

from my understanding AES 256 is more about future proofing, it's considered secure against most theoretical attacks involving quantum computing, whereas AES 128 is not

Grover's algorithm reduces the quantum computer
attack time against any AES implementation to the square root of the brute force time for a binary computer. Taking that into consideration, 256 still holds up really well while 128 is a bit sus. 192 is probably fine. For any of them, it's just a matter of time.

All security is designed to do is delay. :)

preferably until well past the end of the universe

Lol indeed

Hello, is there anything related to code injection/memory modification/hooking in any python libraries or frameworks? I need something that does what cheat engine does.

What cheat engine does is basically directly write values-change bits in memory by address where other processes occupy.

Ofc, it also has builtin dissassembler, debugger and code injector tools.

It is %100 not for cheat.

I just wanted to know because I play around with dissassemblers for now but I don't know any assembly

you don't need to know as well

I don't specifically ask for law breaking either so...

it has nothing to do with rules

ok

This is my question for everybody else

!voicevertify

!voicevertify

wrong channel.....

there are lots of such things

I asked a question about pwntools and someone flagged in the help channel that it was illegal - I thought it was just a pen testing library can anyone explain?

Why would someone flag that as illega?

Especially if this channel is for security.

It isn't illegal, whoever told you it is, is a moron

Or at the very least doesn't know what they're talking about.

Ask here.

Getting help with specific functionality of the library might be against rule 5 despite being perfectly legal, for r e a s o n s

However

Just installing it via pip isn't even that.

What is rule 5?

If someone isn't trying to malicious but trying to understand the code it seems redundant to not help.

Especially if there is more skilled people using this for malicous reasons. It would make sense to try and educate more people -- again a security channel

I completely agree

Regardless, if you're having trouble installing the library, just provide some more info and I'll try to look

Hey glad to hear haha I was a bit confused like…it’s a library dude you can do what ya want with it I’m not planning on a heist or asking you to help!

I actually learned in the meantime that there’s only a “light” version of pwntools for windows so I went ahead and did a virtual machine Kali install on my way to running it!

Anyone have experience with pwntools? Found it on picoCTF primer still just figuring the basics

I've used it a bunch

Would like to explore the debugger spawning functionality so I can make it work nice with radare2

haven't really yet

Mostly I use it for the binary data packing and unpacking, and for the nice pipe system for talking to and receiving from applications

And for the nice abstractions when making structs

like yea I could just go to the sigreturn documentation to see what the struct fields are and encode them manually, but having a Python class that produces it is nice.

anyone know the best encryption algorithm for veracrypt?

just use AES if you dont know

homomorphic encryption is quantum-resistant to attacks https://en.wikipedia.org/wiki/Homomorphic_encryption#:~:text=Homomorphic encryption is a form,data without first decrypting it.&text=This allows data to be,for processing%2C all while encrypted.

Let's say someone finds a remote execution vulnerability or some unrestricted file upload vulnerability, they assume it might be patched eventually and decide to make themselves a backdoor.

For example, let's just say he makes some abc.php file that looks fine in the editor until you realize there's 1000 spaces and the code for a shell, or some other obfuscated code.

How would they actually "immortalize" the backdoor? What I mean is - if they just add a new file and leave it at that - the devs will notice it as soon as they're pushing a new update to the production branch when they get an error from their VCS stating that there are unstaged/uncommitted changes.

Would the hacker normally have to commit the change with a real-looking commit message? What if the repo has commit signatures turned on?

Cool! Can you show me a working implementation I can use in a real world scenario?

I wonder if there are multiple microservices distributed on different machines, and I have to protect those endpoints by access_token, then what is the best practice (or common implementation) to do so?

for example, i have microservices A, B, C
now, service A have to send request to protected service B (with access_token)

i am not sure how can i complete this workflow 😣

my current thought is use client_credential to grant all services, each service will verify token before send request to another service endpoint, if the token expired or not existed, then create it at first, after we get access token from this authorization server, send request with access token and target service will verify this access token before data processing.

would appreciate for any advice 🙏🙏🙏

Yes sure https://github.com/binary-signal/some-what-homomorphic-encryption

Isn't rail fence homomoephic

Idk why that idea is in my brain

Oh I guess it is for substitution

No idea just read some papers and implemented the algos ,just a reminder practically speaking complexity and run time can be really high orders of magnitude from typical encryption algorithms

I am not sure if I am in the correct channel but how can I start an .exe without opening console everytime( I used ```py
def startProgram(programpath):
SW_HIDE = 0
info = subprocess.STARTUPINFO()
info.dwFlags = subprocess.STARTF_USESHOWWINDOW
info.wShowWindow = SW_HIDE
subprocess.Popen(programpath, startupinfo=info)

startProgram(program)

tag me please

would i be right to say that TOTP uses HOTP which in turn uses HMAC? and in turn TOTP uses time as the message for HMAC?

yes

Time-based One Time Password, uses the current time as a source of uniqueness, an extension of Hmac-based One Time Password

cool thanks

also is there like a bible for cryptography that yall recommend, ideally something exhaustive and covers stuff like TOTP

i wouldn't mind if it was a textbook

They could make a backdoor by installing a reverse shell in the case of RCE, or a web shell in the case of a file upload vulnerability. Probably best to steer clear of any vc-controlled dir because the alarm bells will probably ring on the next deploy, if the hacker has made any file changes or commits there.

So they'd have to find out which directories are under .gitignore (or some gitignore equivalent of other VCS), right?

Yep. Best would be to stay out of VC-controlled dirs entirely, as the gitignore could change eventually

Gotcha, thanks for your input!

Thanks

is usb stick of 4gb enough for installing kali linux?

i'd say 16 minimum

kali is not at all lightweight

it comes with a lot of pre-installed tools

I Think it is okay

I’m creating an API that requires authorization.
Should I use JWT or an API key?

Requires authorization to do...

Do you just want a login session or are you attaching different perms to different sessions?

Use the simplest solution that works.

Login session

If you don't need any of the features of JWT then don't use them. API key is simpler.

Agreed. But what I like about jwt is that I don’t need a DB

If I go with the API key approach then do I need a secret and an api key or just an api key?

An API key is the secret

Isn’t there sometimes two keys?

Sometimes, but you don't need two keys.

You need something for identity, and something to prove ownership of that identity.

Humans like identities which are easy to remember, so that's where usernames are from.

Computers have no such need, so the secret can also be the identity.

So why do some services have both a secret and api key? Unless I’m mistaken

so that you can have revokable secrets

and so that you can have many secrets for the same identity.

e.g: I have two servers which both need to log into AWS and pull some logs from cloudwatch, so I made a user for pulling those logs and put creds on both servers. They used the same identifier but different secret keys.

One server was compromised, so I revoked its secret key. The other server kept chugging along and I didn't need to revoke its key because it wasn't compromised.

This didn't actually happen ofc, just an example.

So why not just have a different identifier for each server and then don’t bother with any secret keys?

Because then I'd have to make two accounts and give both of them the same permissions.

And if I wanted to change permissions I'd have to change permissions for both of them, not just one.

Ok, I think I understand.
Basically the api key is like the username and the secret is like the password.

yea

Ok got it.

some services roll them into one thing, some don't.

Ok, so if I create an API the. I have to store it in a database and tie it to a users account

Yes. If that sounds annoying then you can use JWTs if you want

Then when they try to access a service I have to check their key against the DB just like a password

yeah

Yeah, one of the reasons I wanted to use jwt was so that I don’t have to store anything

However then I cannot revoke a compromised JWT if it’s not sorted

Sure you can, but it somewhat brings the database problem back in.

You just need different keys for different JWTs

and then if a jwt is compromised you revoke the key and it's no longer valid. But then ofc you need to store keys

So then there’s really no benefit of jwt once your storing them like one does with api keys?

Yeah to a degree. The nice thing about jwts is that they can be stateless, but if you need revokability you need state.

there is still some advantage to them because you don't need to store as much stuff

You would have to store a list of all revoked keys

More like you'd store a list of valid keys and check if the JWT was in one

Why

Because it's easier.

Why not store all invalid keys this way you have fewer

how are you going to check if a key is valid if you don't store it?

Then check if it’s not in there

If I make up a randomass key, and it's not in your list of revoked keys, how do you know whether I made it up or it's a real key you came up with?

By decoding the key with the servers secret and checking if the initial data is there

The server's secret? That sounds like you're storing valid keys, not just revoked ones.

anyways, if all you need to store for each jwt is whether it's valid or not, that's a really simple database schema. You don't have to store anything else. So jwts still have that benefit.

The servers has one secret in like an environment variable

That’s what is used to encrypt the jwt when it’s initially handed off to the client

you mean encrypt

Yep

whichever works.

Alrighty thanks

👍

One more thought

shoot

What about simply storing all invalid JWT keys in a simple file. This way there’s no need for even a DB

It’s just a list of invalid tokens

You can do that. The main issue is you have to search the file content which is not really very efficient

Good point

but it's dummy simple and if you only have like 15 users the load doesn't matter at all

so it's a perfectly valid option

Exactly. Really small use case

Alright, appreciate it

👍

was checking out this secure folders feature and it seems many proccess are blocked....

So i was wondering if i give access to python for the secure folders will by safe cause I have Seen many ransomeware starting from python scripts.

I am so new to such security things so it would be great if someone can help me with this. "Allow python to secure folders or not???"

Can someone reply and help

i wonder when to use HMAC, and why not just using SHA, it seems like they are both hash some message and give the hashed string to user or frontend and compare that hashed string in backend server

. hmm

a MAC isn't just authentication

it's also proof of data integrity.

an hmac is derived from not just the secret key, but the message content

ok thanks for your reply 🤗

should i become a white hat?

dont run strange code this way...

good question, great answer. making this channel a good read

It's actually my discord bot trying to access to the cache files

But the secure folder feature it stoping it

move the directory somewhere else or allow.. but i still dont like running untrusted scripts directly on your machine. its a no no @lean trench

How can I allow another server to call my (Python) API by authenticating with certificates. No username or password just certificates?

can i do like Custom model using turtle im making a crossy road game using only turtle

Sorry wrong channel

want a python encryption library for quick use, what are some of the best around ?

cryptography

https://cryptography.io/en/latest/index.html

there's plenty of warnings on hazardous this, land mines that, make sure to ignore these completely

if you partially know what you're doing :P

guys what does 1024-bit prime mean ?

A prime number that requires 1,024 bits to represent.

So I understand how this is 1024 bits because there is 32 hex numbers and each hex is 32 bits (32 x 32 = 1024) but how do you figure out this is a prime number from this ```The prime modulus p is the following 1024-bit prime (given in hexadecimal):

b59dd795 68817b4b 9f678982 2d22594f 376e6a9a bc024184 6de426e5 dd8f6edd
ef00b465 f38f509b 2b183510 64704fe7 5f012fa3 46c5e2c4 42d7c99e ac79b2bc
8a202c98 327b9681 6cb80426 98ed3734 643c4c05 164e739c b72fba24 f6156b6f
47a7300e f778c378 ea301e11 41a6b25d 48f19242 68c62ee8 dd313474 5cdf7323```

try to factor it?

(mostly kidding)

I just dont fully understand what prime modulus p is the following 1024-bit prime means to be exact

where is that coming from? it sounds like they're saying, here's a big prime number, enjoy! in fact, as I understand it, exactly because factoring big numbers is extremely hard (i.e. hard enough to be the basis for a lot of modern cryptography) when they find these big primes they're actually doing statistical tests that make it extremely likely but not 100% guaranteed that the number is prime. For more see https://en.wikipedia.org/wiki/Primality_test

Okay thanks for the insight , im learning about ElGammal signature scheme. Would you be familiar with it ?

i prefer 80 gb for my kali linux vm, but i dont think that would be enough as you want to use it for "bitcoin" stuff so...

hello

Volcyy cryptography moment

Hello volcyy

hahahaha hello

what can u do with security in python

and what imports

/ libraries

to use

[Asking for help]

I found that most of articles/projects to verify google safetynet attestation response inputs structure are like this one

{
    rawId: "...",
    id: "...",
    response: {
        clientDataJSON: "...",
        attestationObject: "..."
    }
};

in those articles, we need clientDataJSON to verify some data like nonce and so on...

but in fact, the official api response is nothing more than a jws token (big long long string)

even I decode the jws token from google's response, there are no fields like above (i.e. neither clientDataJSON nor attestationObject in the response)

does anyone know what's wrong goes there 🥺?

Not strictly python-related: are table names considered as sensitive data? Are there any dangers in disclosing them in the clear?

i'd say depends on domain context

i wouldnt say sensitive

e.g. if your at a tech company running some crazy cool new market breaking solution

showing your tables names could easily give away a lot of details about your solution/architecture etc

but they are not sensitive as in, customer details or anything that would get you legally in trouble

Nah, I wouldn't share anything that might hint to bits of the architecture itself (just generic names I'd say)

Has someone made this in python? https://www.youtube.com/watch?v=2x796Q8YsT8&t=390s

voice

verify

pleasde

@thorn obsidian wrong channel I'm afraid

guys i have a doubt
I had an interview question today on quantum cryptography - which one is not affected by quantum cryptography:
SHA hashing based schemes? ECDSA scheme or elliptical curve cryptography?

elliptic curve cryptography is definitely vulnerable to quantum computing (and by connection ECDSA), SHA hashing algorithms are considered secure against quantum computing

In a simple way, how will quantum computing affect cryptography? I understand using entangled photons to generate random key, but what about for breaking crypto?

yeah thought the same, sha way more secure

Hello everyone, I have just started a foundation year course for Networking & Cyber Security and I am totally new to coding, networking and etc.

How important is it to learn Python as well as HTML for Pen Testing or Ethical Hacking jobs.

Hi, Im watching a tutorial about rsa (a python module for encrypting) and I dont understand why Im getting a UnicodeDecodeError when trying to decode my encrypted string. The guy in the tutorial encoded the encrypted string into base64 first and then decoded it and it started working, which makes me even more confused.

🐧

How to run arp command through python and print output

Some algorithms are secure, others are not

Pretty much every symmetric algorithm in common use is secure against quantum

however, asymmetric elliptic curve ciphers are not.

I cannot anywhere

on the internet see how async encryption works

all it says is what it does

and has stupid examples of me passing notes to my friend

but it doesn't explain the math behind it

i want to know how to the math works

I think RSA is a good place to start. There's probably no shortage of decent resources on the actual math behind how RSA works, but perhaps the material is a bit steep for a beginner. You might need to dig into some books on modular arithmetic or something. I don't think it's the sort of thing someone could explain over a few discord messages, but maybe someone better than me could lol 🤷‍♀️

at the very least, I can offer up a small code-snippet as an example of RSA, but i doubt it explains much sorry

!e

# Generating some parameters and the public-private key-pair
p, q = 997, 991  # Two "big" secret prime numbers
N = p * q  # This is public
phi = (p - 1) * (q - 1)  # This *must* be private!
public = 65537  # Choose some prime that's not a factor of `phi`
assert phi % public != 0
# Inverse of `e` mod `phi` found using Euclidean algo
# The important part is that you *need* `phi` to calculate this
private = 919313
assert (private * public) % phi == 1  # Make sure it's the inverse

# Some actual encryption and decryption
to_encrypt = b"here is some plain-text"
print(f"{to_encrypt=}")
encrypted = [pow(x, public, N) for x in to_encrypt]
print(f"{encrypted[:4]=}...")  # Looks pretty encrypted :P
decrypted = bytes(pow(x, private, N) for x in encrypted)
print(f"{decrypted=}")
assert to_encrypt == decrypted  # It works!

@haughty whale :white_check_mark: Your eval job has completed with return code 0.

001 | to_encrypt=b'here is some plain-text'
002 | encrypted[:4]=[835030, 291699, 50428, 291699]...
003 | decrypted=b'here is some plain-text'

also, just in case it isn't obvious for anyone, pleasseee do not use this for actual encryption purposes

How do I use a PublicKey in nacl.signing.VerifyKey which is more than 32 bytes long? I want to verify a crypto currency signature, and the PublicKey for that is the wallet address which doesn't have the length as 32 bytes.

public_key = b"B3BhJ1nvPvEhx3hq3nfK8hx4WYcKZdbhavSobZEA44ai"
msg = "hi"
x = await request.body() # the signauture in bytes

vk = VerifyKey(pk) # Throws error about length not being exactly 32 bytes

nacl.exceptions.ValueError: The key must be exactly 32 bytes long

that looks like an encoded public_key

What about that?

I need to decode it? how?

is it base64 encoded?

I'm not sure, it's just the default wallet address

anyone know how to use the hashlib and hmac library?

What algorithm?

The crypto signing algo is probably different form the signing algo you're trying to use.

You have to use the same algorithm.

The js equavalent to what I'm trying to do is literally this

const signature = new Uint8Array(req.body.signature.signature.data)
const stringPublicKey = req.body.publicKey
const publicKey = new PublicKey(stringPublicKey).toBytes()

const message = new TextEncoder().encode('super_secret_message')
const verified = nacl.sign.detached.verify(message, signature, publicKey)```
I can't see any specific algorithm being used here.

Then they happen to be using the same algo

Whatever algorithm was used to sign the data is what you have to use to verify the signature.

That is just how it works.

You don't see the algorithm because it's abstracted away by the class, which is the point of a class.

secrets was added in PEP 506. However, the PEP itself says secrets is there to try to counter the "attractive nuisance" that causes many inexperienced python developers to use random to generate security sensitive data, despite the docs which prominently warn it is unsuitable for this purpose. Instead, cryptography.io is recommended.

Yet, in the docs for secrets there's a recipe for creating a password that goes like this:

password = ''.join(secrets.choice(alphabet) for i in range(10))

Is secrets appropriate for doing what this recipe does, or should one use cryptography in literally every case instead?

Relevant PEP: https://www.python.org/dev/peps/pep-0506/#frequently-asked-questions
Doc with recipe: https://docs.python.org/3/library/secrets.html#recipes-and-best-practices

I'm confused about the "yet"

Why wouldn't the secret docs show you how to generate a passphrase using secret?

cryptography.io is all well and good, but if I'm reading the secrets doc it's to know how secrets works.

I don't think having that example in the docs is inconsistent with anything that PEP says.

secrets is fine if you want stdlib and don't want to have to deal with external packages.

Though cryptography is also, as the PEP says, a fully featured cryptographic library, whereas secrets is not.

secrets is for generating secrets. That's all.

It's not for encryption, authentication, or anything like that.

If you need any of those, then secrets will not get you there.

secrets is for generating secrets. That's all.
It's not for encryption, authentication, or anything like that.
If you need any of those, then secrets will not get you there.
that's what I needed. Thanks for the explanation

👍

Hey guys, I have a linx VPS and I'm wondering what are the steps to take in order to make my server secure. I was wondering if stopping ssh completely would be good for my server, but after some search on Google I found no one mentioned it.

I have installed fail2ban to reduce the brute force attack. I'm also thinking to change ssh port to a random one, change root username and take out the password authentication and make it based on RSA key.

What else I should do for more security?

This is my first go to when setting up a new server.

Looks like the original article is gone but I think that this is a copy/paste:
https://sollove.com/2013/03/03/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers/

i watched a YouTube video of a teacher who i thought explained it well and even did the math on a whiteboard for everything. i followed along on python and to no surprise his math works but i just realized right now that the public key could be used as a private key and vise versa

he started with 2 and 7

made mod 14

in the end private key is 11 and public is 5

why did it do that

I don't think those numbers check out, but in any case, the general idea is to just choose some public key number, and then determine the unique modular multiplicative inverse (i.e. (public * private) mod phi == 1) as the private key number. This can be computed using the extended Euclidean algo. The phi value is part of the private key, so it can't be done (easily) using public info.

the "Operation" section on the wikipedia page for RSA is pretty decent imo

Thank you! Do you only follow that to make your server secure or you would recommend some more steps to do?

I started off with Python using the https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-i-hello-world tutorial so I use a bastardised version of that, the article I linked before and the Digital Ocean tutorials for the servers taht I use

Sorry, nothing specific, but they were an excellent starting point

I see what you mean, thank you so much!

is https://github.com/Veil-Framework still being developed. Or should I learn some other useful shit @ me if you have any info on it

Could someone tell me how does salting + hash works exactly in bcrypt?
Lets assume i have salt and hash stored in db, and the user inputs the password.

I call the py bcrypt.checkpw(password, hash) function which returns true/false. How does it know which salt to compare the password to?

Since i dont see it taking salt as a parameter

Iirc the salt is readable from the hash

the salt is stored alongside the digest

you shouldn't use hash for your variable name since that's a builtin.

Salt is stored in plain text. The purpose of the salt is to change the input in order to make it unique

since hashing is a deterministic operation which always results in the same output for the same input, two identical inputs will have the same digest.

Therefore if you know that a specific input makes a specific digest, and you see that digest, you can guess the input

Which is bad

Salt is used to fix this. It doesn't need to be stored in a protected format because its only point is to change what the digest will be.

That's also why you need the special checkpw function and can't make a new bcrypt from the same password, then compare them with ==

I just used it here on discord for demonstration purposes :D

Thanks for taking the time to explain all of this

is it possible to ignore ERR_UNSAFE_PORT on brave and open the links anyways when opening addresses with selenium?

how can i decode this b64 back into a string

MTQ2ODQ1OTQ5NjYwMjU1MDc1OTg3ODcwNzIzMjA1NDQzNjQzMDMxMzA1NTkyOTE2ODYwODI1MDA3MTkzODk0MDc3ODY0Mjc3MDY4OTQwNzE0MDE2OTEzMjE1NTM3MDk5NDQ0NTU4ODExNzY4ODgzMDQ5MTUwOTM3ODQyOTE1OTQ4NjA0MjEzNzM3NTc0OTc4MTUyODM3OTkxMTk5OTU0MzQ1MDM4NTQ2MzY1MTg2MDExMDIwNzU4MjMwNzQxOTQ0NDk4NTI0ODY1NTI4MjczMjgwMzU5ODg4MTg0MjczODY5NDIyMDUzMDY2NDc5NzY3MzY2ODQyNzE4MDQ1MjYwNDUzNzc4MDI4NTU2NTI1NjYyODY4MTM0NzQ2MzQ5MzE0NTMxMDE5NDcxNjQyNjYzODc2NjY

Hey is someone german and want to work together?

I'm 19 and want to learn python, to make some security stuff like a bug finder or backdoor finder.

Maybe we can connect

using an online converter it works

but WILL NOT in python

Isnt there a built in function? Or use stackoverflow or whatever the name was

base64.b64decode(x)

Yea

And it wont work?

    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding```

Hm

Idk if it help but try to print numbers like 1 2 3 4 in some lines of code and look if some number wont print

And maybe you can see why

But idk im just learning and never did anything in python

    x = int(base64.b64decode(bytes(x.encode('ascii')).decode('utf-8')))``` that doesn't work

You want to make a string right

base64.b64encode(str(msg).encode('ascii')).decode('utf-8')``` works fine to encode it

Then whats the problem

decoding is the problem

Ah yea

If u want to make a string then why do you have int in front of the code

Ah nvm

i would encode the normal number but b64 only takes bytes

Yea

bytes wont take an int that is 14684594966025507598787072320544364303130559291686082500719389407786427706894071401691321553709944455881176888304915093784291594860421373757497815283799119995434503854636518601102075823074194449852486552827328035988818427386942205306647976736684271804526045377802855652566286813474634931453101947164266387666

In garrys mod i would say wait.... lemme check

Ok wait

x = tostring(int(base64.b64decode(bytes(x.encode('ascii')).decode('utf-8'))) )

To convert byte to string u know

But idk if tostring exists in python

haha yeah that's why i love python you can do str()

i've done stuff in java

oh my gosh it's such a pain to convert anythng

Yea xD

Maybe copy paste the error in google and look foe answers

I dont think that u are the first person ever with this error

bruh python is a joke

if i add == to the end of the string it works

I mean, that's called padding

something as simple as ```py
import base64

encrypted_string = "MTQ2ODQ1OTQ5NjYwMjU1MDc1OTg3ODcwNzIzMjA1NDQzNjQzMDMxMzA1NTkyOTE2ODYwODI1MDA3MTkzODk0MDc3ODY0Mjc3MDY4OTQwNzE0MDE2OTEzMjE1NTM3MDk5NDQ0NTU4ODExNzY4ODgzMDQ5MTUwOTM3ODQyOTE1OTQ4NjA0MjEzNzM3NTc0OTc4MTUyODM3OTkxMTk5OTU0MzQ1MDM4NTQ2MzY1MTg2MDExMDIwNzU4MjMwNzQxOTQ0NDk4NTI0ODY1NTI4MjczMjgwMzU5ODg4MTg0MjczODY5NDIyMDUzMDY2NDc5NzY3MzY2ODQyNzE4MDQ1MjYwNDUzNzc4MDI4NTU2NTI1NjYyODY4MTM0NzQ2MzQ5MzE0NTMxMDE5NDcxNjQyNjYzODc2NjY"

print(base64.b64decode(encrypted_string + "="*(len(encrypted_string) % 4)).decode())```

That's not python's fault lol

Cli tools and online tools exist for user convenience and will correct malformed input if the correction is obvious.

A library for programming should not do that.

Silently making magic changes to the data supplied by the programmer, is not a good idea.

Two bytes of padding is the greatest amount of padding which is ever required, so appending two bytes of padding will always result in a base64 encoded value with correct padding.

But if you want that to happen, you need to be explicit about it. Its by design, not by accident that the language refuses to silently do that for you without telling you.

does anyone know how to scan memory process from a vm

and also scan the pointers of the process from the vm (ubuntu)

dont trust anyone on discord

https://pastebin.com/HPwrfVhR
I get this error UnicodeDecodeError

anyone can help me?

Show the full Traceback?

what does pseudorandomly generate mean ?

ok

Traceback (most recent call last): File "/data/user/0/ru.iiec.pydroid3/files/accomp_files/iiec_run/iiec_run.py", line 31, in <module> start(fakepyfile,mainpyfile) File "/data/user/0/ru.iiec.pydroid3/files/accomp_files/iiec_run/iiec_run.py", line 30, in start exec(open(mainpyfile).read(), __main__.__dict__) File "<string>", line 112, in <module> File "/data/user/0/ru.iiec.pydroid3/files/aarch64-linux-android/lib/python3.8/site-packages/openpyxl/worksheet/worksheet.py", line 665, in append cell = Cell(self, row=row_idx, column=col_idx, value=content) File "/data/user/0/ru.iiec.pydroid3/files/aarch64-linux-android/lib/python3.8/site-packages/openpyxl/cell/cell.py", line 116, in __init__ self.value = value File "/data/user/0/ru.iiec.pydroid3/files/aarch64-linux-android/lib/python3.8/site-packages/openpyxl/cell/cell.py", line 215, in value self._bind_value(value) File "/data/user/0/ru.iiec.pydroid3/files/aarch64-linux-android/lib/python3.8/site-packages/openpyxl/cell/cell.py", line 194, in _bind_value value = self.check_string(value) File "/data/user/0/ru.iiec.pydroid3/files/aarch64-linux-android/lib/python3.8/site-packages/openpyxl/cell/cell.py", line 156, in check_string value = str(value, self.encoding) UnicodeDecodeError: 'utf-8' codec can't decode byte 0xce in position 0: invalid continuation byte

Remember to use ```

openpyxl only supports text in cells

You'll need to base64 encode (or similar) your encrypted data

You'll likely be better off with fernet though

i'll try it

thx

Hi

hi

hi

bro

Are you sure?

i get the error

  File "c:\Users\XxHEROSOLDIERxX\Desktop\Davide\VS code\Code\sus.py", line 50
    wb = load_workbook("C:\Users\XxHEROSOLDIERxX\Desktop\vario\Userdata (1).xlsx")
                                                                                 ^
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 2-3: truncated \UXXXXXXXX escape

from openpyxl import Workbook, load_workbook
from cryptography.fernet import Fernet
 
 
file = open('sd.key', 'rb')
key = file.read()
file.close

#login username encryptor
def encryptor_username_login(key, user):
    encoded_user = user.encode()
    f = Fernet(key)
    token_user = f.encrypt(encoded_user)
    return token_user

#login password encryptor
def encryptor_password_login(key, user_password):
    encoded_password = user_password.encode()
    f = Fernet(key)
    token_password = f.encrypt(encoded_password)
    return token_password

#register username encryptor
def encryptor_username_register(key, new_user):
    encoded_user_reg = new_user.encode()
    f = Fernet(key)
    token_user_reg = f.encrypt(encoded_user_reg)
    return token_user_reg

#register password encryptor
def encryptor_password_register(key, new_pass):
    encoded_pass_reg = new_pass.encode()
    f = Fernet(key)
    token_pass_reg = f.encrypt(encoded_pass_reg)
    return token_pass_reg

 
 
print('Welcome to the access portal!')
a = input('[L]ogin [R]egister or [Q]uit?\n').upper()
 
 
# Login conditions
if a == 'L':
  user = str(input('Username: '))
  user_password = str(input('Password: '))
 
  
  #Check if user and password match data in excel file
  wb = load_workbook("C:\Users\XxHEROSOLDIERxX\Desktop\vario\Userdata (1).xlsx")
  sheet = wb.active
  
  encrypted_user_out = encryptor_username_login(key, user)
  print(encrypted_user_out)
  exit()

this is only for debug

but it doesn't work

That's the "C:\U..."

It thinks the \U is a unicode escape character

It's a SyntaxError when python tries to parse your code

https://stackoverflow.com/a/1347854

wb = load_workbook("C:\\Users\\XxHEROSOLDIERxX\\Desktop\\vario\\Userdata (1).xlsx")

Also remember to use a key derivation function if you're going to use user supplied passwords https://cryptography.io/en/latest/fernet/#using-passwords-with-fernet

now i get this error

Traceback (most recent call last):
  File "c:\Users\XxHEROSOLDIERxX\Desktop\Davide\VS code\Code\tempCodeRunnerFile.py", line 1, in <module>
    wb = load_workbook("C:\\Users\\XxHEROSOLDIERxX\\Desktop\\vario\\Userdata (1).xlsx")
NameError: name 'load_workbook' is not defined

Show the full code and full Traceback

ik, but I don't think I use a password, I think I use a simple key file

from openpyxl import Workbook, load_workbook
from cryptography.fernet import Fernet
 
 
file = open('sd.key', 'rb')
key = file.read()
file.close

#login username encryptor
def encryptor_username_login(key, user):
    encoded_user = user.encode()
    f = Fernet(key)
    token_user = f.encrypt(encoded_user)
    return token_user

#login password encryptor
def encryptor_password_login(key, user_password):
    encoded_password = user_password.encode()
    f = Fernet(key)
    token_password = f.encrypt(encoded_password)
    return token_password

#register username encryptor
def encryptor_username_register(key, new_user):
    encoded_user_reg = new_user.encode()
    f = Fernet(key)
    token_user_reg = f.encrypt(encoded_user_reg)
    return token_user_reg

#register password encryptor
def encryptor_password_register(key, new_pass):
    encoded_pass_reg = new_pass.encode()
    f = Fernet(key)
    token_pass_reg = f.encrypt(encoded_pass_reg)
    return token_pass_reg

 
 
print('Welcome to the access portal!')
a = input('[L]ogin [R]egister or [Q]uit?\n').upper()
 
 
# Login conditions
if a == 'L':
  user = str(input('Username: '))
  user_password = str(input('Password: '))
 
  
  #Check if user and password match data in excel file
  wb = load_workbook("C:\\Users\\XxHEROSOLDIERxX\\Desktop\\vario\\Userdata (1).xlsx")
  sheet = wb.active
  
  encrypted_user_out = encryptor_username_login(key, user)
  print(encrypted_user_out)
  exit()

Traceback (most recent call last):
  File "c:\Users\XxHEROSOLDIERxX\Desktop\Davide\VS code\Code\tempCodeRunnerFile.py", line 1, in <module>
    wb = load_workbook("C:\\Users\\XxHEROSOLDIERxX\\Desktop\\vario\\Userdata (1).xlsx")
NameError: name 'load_workbook' is not defined

[Done] exited with code=1 in 0.2 seconds

Wait are you using an xlsx file as a user database? You don't want to encrypt usernames or passwords then, you want to hash them

what is hash

The line numbers in your traceback don't match the lines in your file

I'm using an Excel file as a kind of local database

I wanted to encrypt cell data

this is the complete error

load workbook is part of the openpyxl module, I never needed to define it

Try putting your code in a def main():

all my code?

Everything except imports and other defs

https://docs.python.org/3/library/__main__.html#idiomatic-usage

def __main__():

No

def main():

ok

Show your new code and Traceback?

I'm indenting

?

ok

I'm sending the code

9k what?

from openpyxl import Workbook, load_workbook
from cryptography.fernet import Fernet

def main(): 

 
    file = open('sd.key', 'rb')
    key = file.read()
    file.close

    #login username encryptor
    def encryptor_username_login(key, user):
        encoded_user = user.encode()
        f = Fernet(key)
        token_user = f.encrypt(encoded_user)
        return token_user

    #login password encryptor
    def encryptor_password_login(key, user_password):
        encoded_password = user_password.encode()
        f = Fernet(key)
        token_password = f.encrypt(encoded_password)
        return token_password

    #register username encryptor
    def encryptor_username_register(key, new_user):
        encoded_user_reg = new_user.encode()
        f = Fernet(key)
        token_user_reg = f.encrypt(encoded_user_reg)
        return token_user_reg

    #register password encryptor
    def encryptor_password_register(key, new_pass):
        encoded_pass_reg = new_pass.encode()
        f = Fernet(key)
        token_pass_reg = f.encrypt(encoded_pass_reg)
        return token_pass_reg

 
 
    print('Welcome to the access portal!')
    a = input('[L]ogin [R]egister or [Q]uit?\n').upper()
 
 
    # Login conditions
    if a == 'L':
        user = str(input('Username: '))
        user_password = str(input('Password: '))
 
  
    #Check if user and password match data in excel file
    wb = load_workbook("C:\\Users\\XxHEROSOLDIERxX\\Desktop\\vario\\Userdata (1).xlsx")
    sheet = wb.active
  
    encrypted_user_out = encryptor_username_login(key, user)
    print(encrypted_user_out)
    exit()

  File "c:\Users\XxHEROSOLDIERxX\Desktop\Davide\VS code\Code\sus.py", line 77
    wb = load_workbook('C:\Users\XxHEROSOLDIERxX\Desktop\vario\Userdata.xlsx')
                                                                             ^
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 2-3: truncated \UXXXXXXXX escape

[Done] exited with code=1 in 0.2 seconds

Oh you put all your defs in main?

didn't you mean this?

🙃

☝️

Your traceback still doesn't match the code you posted

wait

maybe I fixed it

And you forgot the sys.exit(main())

https://docs.python.org/3/library/__main__.html#idiomatic-usage did you see this?

Your file should end:

    return 0

if __name__ == '__main__':
    sys.exit(main())

it work

I have another question

the terminal of Vs code is read-only

how do I enter input?

What do you mean?

I see the output

how do I enter an input

in output I can not write

You probably want #editors-ides ?

I fixed it

will I always need the main loop or is it just for debugging?

Which loop?

@obtuse carbon I don't see a loop?

I was wrong

main def

What about it?

Did you read https://docs.python.org/3/library/__main__.html#idiomatic-usage ?

@obtuse carbon ?

finally works

yes I read

Great stuff

You pretty much always need it, in this case I suggested it because I suspected you were pasting parts of the code elsewhere and not running the whole file

I'm not copy pasting

however I have a new problem

if the key doesn't change it shouldn't change the encrypted message either, right?

No

Otherwise you get a plaintext attack

The ciphertext is different every time

how do I check if the input is equal to the data contained in the database?

do I have to decrypt the data?

You decrypt it

It still sounds like you're storing passwords in your database

I'm going to send the code again, should I extract all the data and decrypt it? Wouldn't that make the program very slow?

It depends what you're trying to do

What's your threat model?

I don't know

excel files are not password protected

so I just wanted to encrypt the data so they can't read it easily

without encryption it works

Who are "they"

general people

And what's the data you're encrypting?

username and password

Which username and password?

And why are you encrypting the username?

Why would you need to look up an encrypted password?

oh if I don't encrypt the username I can use it as a search id to decrypt only the passwords of the same line

I'm not following

Which username?

the project is just a hobby, I won't apply it to anything

Ok but what are you trying to build?

A login username and password database?

to learn how to use better the functions and some logical operations of Python

yes

a local Excel database

Right so you don't actually want to encrypt passwords at all

You need to store them in a non-reversible format

https://passlib.readthedocs.io/en/stable/narr/quickstart.html#creating-and-using-a-cryptcontext

And you use the hash and verify methods rather then encrypt and decrypt

oh

so

I just have to check if it's true or false

I'll try

Make sure to read the whole page

I read

but

pwd_context.verify(secret, hash)
requires unencrypted secrecy

so

?

in my case

That's the password that the user enters

pwd_context.verify(user_password, hash)

my hash would be in the database

Yeah

it needs to check cell by cell

right?

will the program be slow?

Just the one for the username

You store the username in plaintext

do you recommend encrypting only 1 column data?

There's no encryption here, it's a password hash

ok

I'll try it

thx

Is there a reason you're using pyxl btw?

You might prefer sqlite?

I prefer MySQL

but I'm still studying it

so at the moment I'm practicing with some sort of easy local database

sqlite is an easy local database

does not recognize the username now

from openpyxl import Workbook, load_workbook
from hash import pwd_context
import sys

def main(): 
 
    print('Welcome to the access portal!')
    a = input('[L]ogin [R]egister or [Q]uit?\n').upper()
 
 
    # Login conditions
    if a == 'L':
        user = str(input('Username: '))
        user_password = str(input('Password: '))

        hash = pwd_context.hash(user_password)
  
        #Check if user and password match data in excel file
        wb = load_workbook("C:\\Users\\XxHEROSOLDIERxX\\Desktop\\vario\\userdata.xlsx")
        sheet = wb.active
  

        encrypted_password_out = pwd_context.hash(user_password)
        print(encrypted_password_out)

        for i in range(2, sheet.max_row + 1):
            if user == str(sheet.cell(row = i, column = 1).value):
                if pwd_context.verify(str(sheet.cell(row = i, column = 2).value), hash) == True:
                    print('Login successful!')
                    sign_in = True
                    break
                else:
                    print('Incorrect password!')
                    break
            elif i == sheet.max_row:
                print('User not found!')

sys.exit(main())

I insert username 1 as input, in the Excel file there is, but the elif condition is activated anyway

Why did you do:

hash = pwd_context.hash(user_password)

?

You need the user_password to verify the password hash in the database

You have the args to pwd_context.verify the wrong way around too

It should be pwd_context.verify(user_password, sheet.cell(row=i, column=2).value)

Also why do you have an encrypted_password_out? There's no encryption

@obtuse carbon ^

ik, I'm using old variable

I fixed some things but I get syntactic error even if the syntax is correct, I send the code

How can the syntax be correct if you get a SyntaxError

What's a syntactic error?

there was a missing parenthesis

it doesn't work one thing though

I send the code

!paste

https://paste.pythondiscord.com/ubifehonok.py

@obtuse carbon you missed this message?

yes

And this message?

hash should be

hash = str(sheet.cell(row = i, column = 1).value)

No need to assign it though

Also pretty sure it's already a str

    if a == 'L':
        user = str(input('Username: '))
        user_password = str(input('Password: '))
 
        hash = pwd_context.hash(user_password)
        print(hash)

        #Check if user and password match data in excel file
        wb = load_workbook("C:\\Users\\XxHEROSOLDIERxX\\Desktop\\userdata.xlsx")
        sheet = wb.active
  

        encrypted_password_out = pwd_context.hash(user_password)
        print(encrypted_password_out)

        for i in range(2, sheet.max_row + 1):
            if user == str(sheet.cell(row = i, column = 1).value):
                password_db = str(sheet.cell(row = i, column = 2).value)
                if pwd_context.verify(hash, password_db) == True:
                    print('Login successful!')
                    sign_in = True
                    break
                else:
                    print('Incorrect password!')
                    break
            elif i == sheet.max_row:
                print('User not found!')

focus on this

it's correct no?

No

First answer this

i followed the basic example

from hash import pwd_context

hash = pwd_context.hash("123456789")
print(hash)

pwd_context.verify("123456789", hash)

Right that's just an example

You're supposed to store the hash in a database

Then use it to verify plaintext later

Ok now answer this

I reversed the variables by mistake

The plaintext goes first then the hash from the database

But still you're putting the hash from the database first

Oh you did swap it, in this most recent version

Ok

Ok what about this

row
must be
row = i

?

You're not supposed to put spaces around = in kwargs

But that's beside the point

you wrote row = 1 but that won't work

Ah indeed

Fixed it

Ok show the new code? Does it work?

@obtuse carbon

    # Login conditions
    if a == 'L':
        user = str(input('Username: '))
        user_password = str(input('Password: '))
 
        us_password = pwd_context.hash(user_password)
        print(hash)

        #Check if user and password match data in excel file
        wb = load_workbook("C:\\Users\\XxHEROSOLDIERxX\\Desktop\\userdata.xlsx")
        sheet = wb.active
  

        for i in range(2, sheet.max_row + 1):
            if user == str(sheet.cell(row = i, column = 1).value):
                password_db = str(sheet.cell(row = i, column = 2).value)
                if pwd_context.verify(us_password, sheet.cell(row=i, column=2).value) == True:
                    print('Login successful!')
                    sign_in = True
                    break
                else:
                    print('Incorrect password!')
                    break
            elif i == sheet.max_row:
                print('User not found!')

What's us_password?!?!

user password

renamed hash

Why

You need to write this ^

I had an error understanding the module I think

Which module?

now work

hash

I don't see that module

I still thought the same way about cryptographic modules

I don't understand

!paste

You wrote a module called hash.py right?

https://paste.pythondiscord.com/ivusaqibuh.py

yes

What didn't you understand about it, I'm not really following

it was just a misunderstanding of pwd_verify

Also you pretty much never need if ... == True:

You can just use if ...:

I thought i should convert the input to hash as well and compare the two hashes

^

I did not know

If it was required you'd need to write x == True == True == True ... forever

right

thx for your help

maybe I'll come back here when I'm done with base of SQLite or MySQL

Hi guys, I wanted to know if anyone knows how to download .xz files? I'm trying to download the CTU-13 44 dataset here, https://www.stratosphereips.org/datasets-ctu13 to use in my project but it's not working. I even tried linux commands too.

Download or open?

File roller supports tar.xz out the box for me

I use 7zip on windows because it comes with chocolatey

Here you can download the big file with all the dataset: CTU-13-Dataset.tar.bz2 (1.9GB

This thing?

That's bz2 not xz

Sorry I already got it open.

Okay

idk

i downloaded my to windows

How did you use the dataset? I'm trying to create a ml model for it.

havent used it yet, im learning how to use tensorflow lol.

my boss told me to use CNN and SNN with it

hi

Can anyone help me with Burp suit i wanna to Check my Internet side but i Neuer habe yoused it

internet side?

??

hello, does any guys know where can find the ANSI x9.24 implementation with python3?

I've tried multiple keywords to find sample projects, what I found is just an out of date dukpt tiny sample 🥲 🥲 🥲

I'm not sure if this is the correct channel, but could someone please point me in the right direction for encrypting and decrypting text so that I can, for example, store passwords for my Python application encrypted in a database?

how can I do that if the login is incorrect stops the program?

You might prefer using keyring

https://pypi.org/project/keyring/

Depends what you're doing, looking to make a password manager or looking to make a user registration database for logins

Do what?

login(console)

Do you get an error message?

My plan is to save passwords encrypted in a database

For what purpose?

So its not plain text

IF someone gets into the database they cant really do anything with the saved passwords

Ah I see

Are you making a web application eg using django or flask or FastAPI?

Or something else?

There's passlib https://passlib.readthedocs.io/en/stable/narr/quickstart.html

But django has a built in one

Yea something else

Okay i will try to look into it later, thanks.

https://youtu.be/8ZtInClXe1Q and this

no just that I don't know how to do it(I did esle: exit) #non I put the brackets

Show your full code?

yes

password =  input("insert password:")

if password == "password":
    print(":{")
else:
    exit```

And what are you trying to achieve?

Remember to use ```python

why do people use python for hacking? Shouldn't we use a low level language like c, asm, cpp, rust. Can someone tell why people use python for hacking over those languages? Also for security

you don't need low level access to do exploitation.

mostly you just need to be able to automate a bunch of stuff in a specific order.

which turns out Python is great at. C, not so much.

..ah sorry

?

hi, could someone please suggest me the best way to learn ethical hacking? thanks

Is there a recommended module/library for encryption/decryption wich works nicely with crypto.sublte from JS?

(further details atm in #help-pear )

There's not shortage of free learning materials, just find whatever engages you and keep practicing. In addition to books and videos there are interactive platforms like https://www.hackthebox.com/

thank u! 🙂

nice username😁

A lot of people in pentesting are more or less professional script kids. If you want to be really good, it's mostly just general computer science and systems admin knowledge.

So I wouldn't seek out only resources that are security focused. Those are good for developing security-specific skills, but you'll also want to get a decent background in programming and admin

thx!

okay great, i really appreciate the help

also, learn C

If you have any interest in binexp or malware I mean

Eventually assembly

you can probably skip those if you're only really interested in say, web.

what about C++? can it be useful? ‘cause that’s what they’re gonna teach us in college

It can, but it's probably one of the worst languages you can learn as a beginner.

It's also a completely different language from C with nearly zero practical similarity.

The reason I suggest C is because it has fewer abstractions than most other languages.

It helps introduce you to concepts that either wont' be covered at all in other langauges, or won't be covered well.

oh i see
alright then, i’m gonna give it a chance

thanks a lot!:)

Please note i'm not a professional just a hobbyist.

Python isn't typically used for hardcore malware like worms because it's an interpreted language. Using something like C/C++ will be used more often for this type of stuff. Python is more used for the automation of tasks because it's so simple. So stuff like sending HTTP requests or brute-forcing is where python shines.

capture the flag is a great way to start

Some software that I own saves everything in a sqlite database. I want to write my own API for this software. I can connect to the database (which is my data on my computer), but I'm not sure what to do from there.

• The data is compressed with zlib (I know that I can import zlib)
• The data is then encrypted with 128-bit AES (not sure what to do with this information)
• The encryption keys, password salts, and cipher initialization vectors are made with Windows CryptGenRandom, which you can get in Python using os.urandom

do you have the keys?

it doesn't matter where the keys came from unless you're trying to attack those cryptographically. You'll need the keys to decrypt the data, which you can decrypt with AES.

I have my own password. I assume the key is created from the password

probably

but if you don't know then this will probably require some reverse engineering.

You can create a symmetric key from a password using a hash algorithm

for example, the sha128 of a string can be used as a 128 bit symmetric key.

this is how encrypted at rest services like key managers and protonmail work - symmetric key is derived from passphrase using a hash algo.

@nimble lily can you infer how the keys are created from the details in my original comment?

No.

it sounds like the software is creating keys and encrypting the data using those keys

But I would have to reverse engineer the software to be sure, as well as figure out the actual encryption scheme.

It says that the encryption keys are made with "Windows GenCryptRandom" though

I guess that's just for creating arbitrary bitstrings

that doesn't tell me anything...

it doesn't tell me which keys are actually used when and where and to do what.

idgaf where the keys came from unless I'm trying to rederive them or smth

no idea about trying to attack the database/encryption itself but perhaps it's possible to read the memory of the software and find out what you need to know from there?

low key kinda curious what this software is that keeps state in an encrypted db on your computer that also lacks an export or a save function

I am new to learn Python

How do i start

P!help

p!help

Wrong channel try #python-discussion

Ok

it's a text editor. You can build all the documents into a pdf/txt/rtf if you want, and you can export the database (for example, I save backups on a cloud service), but it would appear that one can't crack the database without the software even if you know the password for the software.

I have a question do you guys think that opera gx is safe to use

Yes

Hey @deep adder!

hello all, I am trying to be able to connect to my application with google authentication. With the tokens I don't have too many worries, but where I block is that I would like to recover the email and the name of the users, and I can't find on the internet how to do it. A lot of documentation but not to recover a name and a google mail for a desktop application in python

:incoming_envelope: :ok_hand: applied mute to @halcyon cosmos until <t:1638402229:f> (9 minutes and 59 seconds) (reason: duplicates rule: sent 4 duplicated messages in 10s).

I need some help

I searched for the fixes for this but nothing seems to be related to my error

wondering if there is a guide where i can get myself started on learning how to bypass antibots such as cloudflare akamai etc
Never understood how these stuff works.

any ideas of how to add a license to my program so it won't resell and etc?
should I use database or is there something more simple?

add a login system

or a key system

whenever someone buys your software give them a 1 time use key they can use

then make them use that key to verify that you actually bought the software

if I'll add a login system then they can send the program to someoen with their login credentials

do u know how to do it in python?

uh maybe

you could just make a script that checks a non-used password and if it matches it gives the computer access and deletes the key from the database and puts it in a used key database

how can the program know what are the non used password, and that would be really bad because everytime the client needs to change password?

make an if statement asking if the key matches with any key in the database

do u know databases?

you can use sql or mongo

ideally all the keys in the database should be encrypted tho

y?

So no one can look at the keys and have access to people's software

Or resell the keys on other websites

how can someone even look at my database tho

Get access to it

Many different ways

This probably has been asked, before , but I cannot find the write answer. I need to connect to a postgress database, and I want to avoid hard-codding the user logins, what library or process can I use to avoid this

With this type of python can I hack things?

!rule 5

:incoming_envelope: :ok_hand: applied mute to @frozen shore until <t:1638545756:f> (9 minutes and 59 seconds) (reason: newlines rule: sent 110 newlines in 10s).

Ahh gotcha

Hello guys. I made a small hashing algorithm. It might look really shitcoded so please review it and point at my mistakes

https://github.com/FunDan3/MPH/

What abt environment variables?

I thought of it, I wasn't sure how secure it is, if someone were to hack the machine

@smoky turtle I forgot to start with thank you *

Not sure in that scenario. However this is generally the accepted way of using credentials in code. Maybe you could look into setting up better security measures for your machine. Setup disk encryption and good permissions on the sensitive files along with other policies.

@smoky turtle , thank you I really appreciate your help. Will do

Show your full code and traceback?

'str' object has no attribute 'n'

getting this error when receiving file through socket programming.

import socket
import rsa
from pathlib import Path


s=socket.socket()
host = input(str("Please enter the host address of the sender: (DESKTOP-RVQHIFC) "))
port=8899
s.connect((host,port))
print("Connected..")

filename= input(str("Please enter a filename in which data has to be stored (encrypted.txt) : "))
file = open(filename, 'wb')
file_data=s.recv(1024)
file.write(file_data)
file.close()
print("File has been received successfully. ")

file= open(filename,'rb')
encmessage=file.read()
file.close()



data_folder = Path("D:\RSA - Copy/")
file_to_open = data_folder / "private.txt"

f = open(file_to_open)
privatekey = f.read()



decmessage = rsa.decrypt(encmessage, privatekey)
print(decmessage)




    

You need to load your key file into a private key first

https://stuvel.eu/python-rsa-doc/usage.html#generating-keys

import socket
import rsa

#connection
s= socket.socket()
host = socket.gethostname()
port= 8899
s.bind((host,port))
s.listen(1)
print(host)
print("Waiting or any incoming connections...")
conn, addr = s.accept()
print(addr, "Has connected to the server")


#openfile
filename= input(str("Please enter the filename of the file to be transferred (transferfile.txt): "))
file= open(filename,'rb')
file_data=file.read()

#generate keys
publickey, privatekey = rsa.newkeys(512)

#store publickey
file= open('public.txt','w')
file.write(str(publickey))
file.close()

#store privatekey
file= open('private.txt','w')
file.write(str(privatekey))
file.close()

#encrypt
encmessage = rsa.encrypt(file_data, publickey)




conn.send(encmessage)
print("Data has been transmitted successfully")

it is in privatekey.txt

@fading plaza can you look into this please?

read linked docs

i did. but i cant fix it still.

#sending side

import socket
import rsa

#connection
s= socket.socket()
host = socket.gethostname()
port= 8899
s.bind((host,port))
s.listen(1)
print(host)
print("Waiting or any incoming connections...")
conn, addr = s.accept()
print(addr, "Has connected to the server")


#openfile
filename= input(str("Please enter the filename of the file to be transferred (transferfile.txt): "))
file= open(filename,'rb')
file_data=file.read()

#generate keys
publickey, privatekey = rsa.newkeys(512)

#store publickey
file= open('public.pem','wb')
file.write(publickey)
file.close()

#store privatekey
file= open('private.pem','wb')
file.write(privatekey)
file.close()

#encrypt
encmessage = rsa.encrypt(file_data, publickey)




conn.send(encmessage)
print("Data has been transmitted successfully")

import socket
import rsa
from pathlib import Path

#connection
s=socket.socket()
host = input(str("Please enter the host address of the sender: (DESKTOP-RVQHIFC) "))
port=8899
s.connect((host,port))
print("Connected..")

#store received ciphertext
filename= input(str("Please enter a filename in which data has to be stored (encrypted.txt) : "))
file = open(filename, 'wb')
file_data=s.recv(1024)
file.write(file_data)
file.close()
print("File has been received successfully. ")

#store ciphertext in variable
file= open(filename,'rb')
encmessage=file.read()
file.close()


#access privatekey
data_folder = Path("D:\RSA - Copy/")
file_to_open = data_folder / "private.txt"

#store privatekey in variable
f = open(file_to_open)
privatekey = f.read()


#decrypt message using private key
decmessage = rsa.decrypt(encmessage, privatekey)
print(decmessage)




    

bytes like required not publickey at file.write(publickey)

please helpp

@fading plaza

?

also you probably want to use cryptography and not rsa

@errant yoke why? encyrption is working. only problem in decryption.

Question: how does the browser know how to encrypt a password being sent over the network, for example when logging in instagram or w/e .

C++ is good to learn for beginners but don't try to grasp all things at once, C++ can take lots of your time than you think. Still good, if you don't touch templates too much or some higher abstractions with low level code.

I've written some code that is only compatible with Pycryptodome, as opposed to the old Pycrypto. I would like to check that pycryptodome is being used at install-time, so that I can give a nice error message (as opposed to the confusing ones that occur due to pycrypto being broken)

does anyone know how I can either a) explicitly import from pycryptodome b) check whether pycrypto or pycryptodome is being used at rutime?

(oops the answer was staring me in the face the whole time - pycryptodomex)

It doesn't

The entire connection is encrypted, not just the transmission of the password.

Transmitting the password is done no differently in terms of security from transmitting the GET /login or whatever

You cant? Thats the point

lol sure... it's impossible 😉
Probably won't find a published guide, though

You can't. Someone else maybe can.

They're not magic, the cloudflare edge points still have to reach the origin server to fetch content from it.

The point is just that the origin server is not known to you.

And ideally that it's firewalled to reject any traffic NOT coming from the CDN, though many admins won't configure this because it's slightly difficult.

Cloudflare is exposing their own servers and proxying content from the origin server, unless you can have the power to ddos and take down a multi billion dollar corporation then theres no way to get around it, hats how it works except if the admin made some errors and accidently exposed their dns history/ip history or whatever since cloudflare hsitory is public

And I am not understanding your point. Yes? Thats how it works and thats how cloudflare protects the origin server

There is no way to "bypass" cloudflare and other services unless you already know the ip of the origin server beforehand somehow

So then there is a way

There's just not a way if the system is configured perfectly and has no vulnerabilities, is that what you're saying?

Go apply for your turing award.

Shittily configured origins leak their IPs often.

And obviously a shittily configured origin won't be firewalled properly, so you can just send traffic to it.

I can only imagine you're typing some long winded rebuttal but I've got four letters for you:

SSJS.

SSRF as a feature

No? When have I said that? Theres not a way if are using cloudflare out of the box. And the OP meant how to bypass it proactively, not depending on the owner to mishandle their firewall manually, it comes set out of the box. It proxies data, from the origin server, to the client, and you can only obviously see the proxy, what do you not understand? Again, OP is asking for bypassing Cloudflare/akamai actively and it shouldnt depend on a mistake from the other person, it needs to be in their control not something you need to pray for that the owner manually .

SSJS

LOL I was right.

Sanatorio San José Satélite hospital

Step 1: Register shittydomain.tld

Step 2: sign up for whatever service the website offers

Step 3: configure SSJS to make a request to shittdomain.tld

Step 4: Cause SSRF through SSJS and look at your logs to see the origin's public IP.

Obviously it doesn't work for every service, but nothing does.

You do know that you are intentionally not clarifying what it is and being obsecure?

If you're not clear on what a commonly used acronym is you can feel free to ask

But since you know so much about cloudflare and security I assumed you knew those.

I am looking from the OP's pov

He asked the question

OP is a script kid wanting to LOIC some random service, so I consider that a feature.

I just wanted to point out that "you can't bypass it" is simplistic and even wrong.

You can test this proof of concept yourself

They probably just want to explore how these things work, they might be thinking their question might let them know more about the subject so I am just asnwering their question

"You cannot bypass a proxy server unless you already know the IP of the origin server or the owner has gone out of their way and accidently or purposefully leaked it themselves. Not under your control"

@grizzled tinsel Heres your answer

What might you be typing now 🤔

unless you already know the IP of the origin server or the owner has gone out of their way and accidently or purposefully leaked it themselves. Not under your control
So you can't do it unless they make any number of common fuckups.

That turing award is waiting for you my man

Obviously you can't attack a system with no vulnerabilities, but how many systems like that exist on Earth?

If you are going to discuss or even argue try to understand the other person's statement..

You can't force them to fuck up, but they will often do it for you. That's what makes it a fuckup.

Bypassing any security is pretty much just a matter of discovering fuckups.

Which fuckups exist, and which of those you can find, determines what is possible.

So "You can't do it unless they fuck up" is a useless thing to say.

Obviously you can't do anything unless they fuck up. That applies to literally anything, not just CDNs.

its not under their control, they cant "bypass" by them selves and it depnds on things that are out of their control which might or might not happen

No shit

I already addressed every part of that sentence.

They arent going to find arbitary code executions

I am talking about the more common but very preventable errors

You don't need one

Where did I say RCE? I said SSRF, not RCE.

That depends on the app they are running, OP hasnt provided any in context and is just asking for a way to bypass the cloudflare service

which there is none by itself

it highly depends on the app itself. diid he say he wanted to “bypass” an app proxied by cloudflare that was prone to ssrf? i am just answering what is within his frame of context, and you are going out of picture. if he wants to add further context he is welcome to. i rest my case

Alright, I give up, you win

In a perfect fucking universe, there is no way to avoid the CDN and reach the origin server

And since obviously we live in that universe and I have 3 tits and my own helicopter, I have to go fly somewhere now.

I'll come pick you up in my helicopter to take you to your turing award ceremony

Congrats