https://en.wikipedia.org/wiki/Zero-knowledge_password_proof

in this scenario, does the verifier know the password?

wikipedia worded it weird so im not sure

if they do know, or if they have a hash of it, 0 knowledge proofs would be a bit redundant

in my case, i want only the prover to know the password

but that seems pretty complicated

According to the article, yeah

Doesn’t that defeat the purpose? Only the verifier knows the password for a reason, is up to the “prover” to prove he knows it as well, I think that’s the stragedy to prevent any guesses.

The Wikipedia explains the difference between ZKPP and zero knowledge proof

hmm thats what i was thinking, it would be cool if what i mentioned was possible

anyone have any complicated mathematic problems in python that return the number 1

hey what vulnerability could it bring for my website password field to not have a lenght maximum when registering an account

Definitely DDoS

Or it could lead to it

yeah thats what i was thiking too

ty

np

i mean

not really

I’ve seen a few vulnerabilities like this, it definitely could lead to a DDoS.

Anyone here want a lesson on 802.11 packet injection right now?

@thorn obsidian yess

Hey guys I wanted to ask, how difficult is it to make this encryption algo into code?

Hi! just wondering if anybody knows of a cool list of cyber projects to write in Python? I'm a total noob and I'm still learning!

maybe a simple spyware in python, with a keylogger, screenshot grabber etc.

ofc all for educational purposes and dont use that on people lol

only on you

Epik#0168

Hi

cybersecurity projects? it depends, is it for blue team, read team and etc.. If it's more towards pentesting you can look at the Black Hat Python books.

port scanner?

Meh lol

I mean if he’s a beginner than yeah, you’ll learn some socket programming in the process

And intrusion detection system would be better, something similar to snort

I’ve coded a few tools for bug bounty like a directory bruteforcer, a crawler, a tool that can manipulate headers and etc..

@sour wind Learning network is a very beneficial thing.

Like @deft flare mentioned, an IDS is a very good approach as far as "harder to do". A library like scapy can easily make an IDS.

Definitely, having knowledge of TCP/IP, OSI Model and etc.. is very beneficial for hacking.

I love being able to tear apart a packet in scapy.

You always talk about scapy lol

Yep.

It's that powerful. Almost like a dash of LSD mixed in with redbull and a couple steroids.

802.11 is unique in itself. Leverage something like scapy and you can see like you were superman, xray vision and all. It's an awesome technique for CVE reverse engineering, etc.

As an example, IDS work. I wrote my own IDS using scapy and the UDP logs already being fed to our SIEM.

It keeps up with "enterprise" level traffic, etc.

I just wish I could get the timing right to spark a discussion on how to do X with a tool like scapy. Love teaching it.

https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/

patch your shit.

local priv esc, no RCE angle.

Try base64 encoding, it's more like to be encoded than encrypted

Hello, I've always wanted to get into cybersecurity tho I don't know if python is a good language for that or any other things like what type of skillset I have to ahve to even begin this journey.

Howdy, I'm wondering if there's anyone here that works with django who could answer some questions about secrets. Currently I'm testing a django project with a docker container, and I've been putting my secrets in a git ignored file, for it to draw from.

However when services like travis-ci or, if I deployed this to AWS or something, this file wouldn't exist on the repository, how would I pass my secrets when I can't use this file reference method I'm using locally? Or is there a way to implement that I don't know about?

My 3 hunches of methods were:

• Maybe have a seperate private github repo and somehow pull the key data from there
• Insert the key as an environmental variable for docker/travis-ci(though in those .yaml files the data is just as exposed)
• Make a django project that has all my keys in it, and have my other project perform a get request to get the secrets. I feel like for a big team this would be the way(though where do you store that project's secrets...) but it might be thinking too much about it for just me. There's got to be something I'm overlooking. Thanks.

If you have anything to say on this matter, I'd really appreciate hearing about it. Thanks for your time.

could someone help me find resources for hacking most of those i find are security and prevention against hacking but that's clearly not what i want

Does anyone know if a rubber ducky attack will fail if the user has an alternate keyboard layout? Mostly asking out of curiosity since I use an alternate keyboard layout 😂

Hey @distant vessel!

https://paste.pythondiscord.com/oyilisuxef.php

thats very good encrypted isnt it?

https://en.wikipedia.org/wiki/Kerckhoffs's_principle

I want to start to learn cyber security on my own. What would you recommend to learn, which books to buy etc.? So far i am good in python and shell scripting and maths...

Does anyone here know how the Azure Key Vault service functions? Not about how to set one up I just mean how are they keeping their secrets?

and there's already a PoC code 😐

Python is definitely a good programming language for hacking. The most common type of skillset that you need is coding, networking, and learning the fundamentals. Having hand on experience is major, try playing CTF on hackthebox or tryhackme and keep learning from there

I'm a noobie with this python shtuff and was if I could make anything kinda cyber-sec related but didn't know where to start, any pointers?

Okay thanks. Imma try ctf but idk any networking guides or fundamentals ig. Can you maybe give me a direction?

There's tons of books you can search online and a lot of materials as well. Check out things like Udemy, hackthebox, youtube channels like iipsec, john hammond, nahamsec. Also sites like portswiggers academy, hackerone, bugcrowd, pentesterslab and etc..

looks like someone beat me to my own question

Black Hat Python 2nd edition is one of the best books for creating hacking tools.

The Hacker Playbook 2 & 3 are pretty good as well

which is why you patch

because there's a patch.

right 😛

some help

File "/usr/lib/python3/dist-packages/PyInstaller/building/build_main.py", line 243, in init
self.postinit()
File "/usr/lib/python3/dist-packages/PyInstaller/building/datastruct.py", line 158, in postinit
self.assemble()
File "/usr/lib/python3/dist-packages/PyInstaller/building/build_main.py", line 575, in assemble
self._check_python_library(self.binaries)
File "/usr/lib/python3/dist-packages/PyInstaller/building/build_main.py", line 666, in _check_python_library
python_lib = bindepend.get_python_library_path()
File "/usr/lib/python3/dist-packages/PyInstaller/depend/bindepend.py", line 914, in get_python_library_path
python_libname = findLibrary(name)
File "/usr/lib/python3/dist-packages/PyInstaller/depend/bindepend.py", line 778, in findLibrary
utils.load_ldconfig_cache()
File "/usr/lib/python3/dist-packages/PyInstaller/depend/utils.py", line 375, in load_ldconfig_cache
path = m.groups()[-1]
AttributeError: 'NoneType' object has no attribute 'groups'

hey, how can we store a session's infos in a python desktop app (windows) like that when you re-open the app it automatically log you on your session?

store it physically maybe? in a json or a text file, and then just have the app read the creds from there. Make sure to have some type of encryption if you store it physically.

or have it fetch it from some where more secure

like a databse or something

I already have it in a json file

But the problem is that it's in plain text so anyone can just change the ids and log to any account

Encrypt it

Like how?

Do i encrypt the json file?

Or just the values in it?

And how do i decrypt it after

with a private key if you use asymmetric encription

And the key where do i store it?

anyone knows any good VMs?

hey

anyone knows of a python script that checks if a list of subdomains is alive or dead (200 or no response)

a questionn guys ,

The following message contains the email address to contact us. It has been encrypted using
XOR and put in base64. Retrieve the plaintext content, and follow the instructions.
Tip: the resolution of challenges 1 to 6 of http://cryptopals.com/sets/1 will be useful.

NwMDXGRwQB0wcB1MHBw0PHFMVGhkLUFExAAAUwcCxYXFgUaFlNEVSkXBRwcEBZZBRwRBwlZM
CVFBhkLUxD0KAR4cUxIBBwkKABAZFGA0QH1MBEEEaGxIXDA4dFl4AEG0EKEAoJGQ05EAoHEB4OE
gcGHUIfAV9FFA8aHB4VFAsXsNpFERlZEBwBEEwIBhZFAFwMMAFMEAwkDUwYRHAAQZALDMVRw
WBgFFGg4NFh0MB0waFlMIEB8KEhQAW0Fw3HAYWVRoWBgBFBwkaHB0RFA8NFgEZKGx9ZFxILBk
wVFgBFBQDAMAFMHBwkfADFMBtsUVEhoWVQ0PFhBFAAIcUwMXGhDwWABoRHAMXUxcAVR4cHRc
AD0EPHCAYWWw==

what to do after reverse basing64?

For?

I made one a long time ago but you can use httpx or httprobe

thanks

https://github.com/tomnomnom/httprobe

yeah looking at it rn

np

I made this one which scans for subdomains and then it probes the list of subdomains https://github.com/gotr00t0day/subrecon/blob/main/subrecon.py

It doesn’t have any threading or multiprocessing so httprobe is probably better and faster lol

It gives you the IP address for the domains as well

I guess it will just be better to store the credentials in a secure database and fetch it from there?

yeah true

ill try both

Might have bugs, I haven’t updated it in a year lol

I have too many projects

Not sure yet, but for getting linux or smth

But i already have that

I use it when i log in

To verify the connection with a hashed password

But i want to do a "don't forget me" button that when activated it automatically log me in my account when i start the app next time

Does anyone use scapy?

when i do "sniff(iface="eth0", count=5)" in the scapy cli i get this error....

OSError: b'eth0: No such device exists (No such device exists)'```

i was just following some geeks https://www.geeksforgeeks.org/packet-sniffing-using-scapy/

you need to listen from a network interface that your computer has

to get a list of all of them, ip link show in command line for linux

i don't have linux

netsh interface show interface then

lmao kali user

so i should do iface="Wi-Fi"?

yea

guys does the instashell work?

i was checking an article of realpython abt scapy and i changed sniff(filter="port 80", prn=process_packet, iface=eth0, store=False) to iface=Wi-Fi and got this error
@fading plaza

it worked in the cli though

Could anyone please explain me what does this part of an HTTP header does :

X-Original-URL: /e08f3mfu6x?e08f3mfu6x=1
X-Rewrite-URL: /e08f3mfu6x?e08f3mfu6x=1

e

does anyone know?

Hi there, anyone willing to help me a bit with AnonymousUser permissions? 😄 I'm lost and the deadline is getting shorter

Problem is I have to use the User model

Due to GraphQL right?

Those are non standard headers (made up headers) what they do is override the URL.

ahhh thanks

@deft flare hi brother, i need some help regarding a project. i want to build a project which uses face as a key so when u move away from a pc it autolocks the computer.

does anyone know about instashell guys?

also that is fairly simple you just use cv or FR and os

OpenCV is the library you're looking for

maybe this example can guide you https://realpython.com/face-detection-in-python-using-a-webcam/

If you're into pentesting / cybersecurity than install Kali Linux in VMWare or VirtualBox.

and if you're looking for virtual machines to hack into, try vulnhub.com , they have a whole bunch of ctf machines you can try.

if you're not into CTF, try DVWA or metasploitable.

Aight ty. I tried somewhat of a ctf, but i juat have no knowledge of hacking n cybersecurity, i tried looking on youtube google but everyone says different skillsets n stuff. I looked into cryptology but i didnt have enough time to get deeper. Im not sure what to learn and learning everything seems a little too hard.

Start with the fundamentals, you can start off with tryhackme they will guide you / hold your hand through most of the east machines, and also watch videos or walkthroughs

Okay tysm

I have a log file which it has a line of report which a module try to run this python code:

python -c 'import crypt; print crypt.crypt("bmp","$5$n0Gdq6e8")'

why a linux module try to use this code? is it suspicious?

https://docs.python.org/2/library/crypt.html

this function just produces a hash

of the word "bmp"

you can look up hashing online, its easy, but the general idea is, you take a word such as "bmp", pass it through the function and as the output you get a random string of characters, a gibberish

but that gibberish is a signature of this word, and you cant reverse the process, so you cant get the original word from the gibberish, this is mostly used for storing passwords (we store hashes of passwords instead of actual passwords)

hey guys from yall personal experiences do you prefer parrotOS or kali linux as an installation on a VM

I prefer Kali Linux, but everyone is different and it all comes down to preference, there's also Black Arch Linux which is another pentesting distro. You can use a normal linux distro and install pentesting tools as well.

bet ty ill take a look at all 3 and make a decision based on the pros and cons

probably to dual boot tho

with windows

I need to store and use multiple SMTP credentials, so how should I go about securely storing passwords in a way that I can decode them?

i guess you could hash and salt them and store them in a sqlite db

How do I decode them later?

ah

use a encryption key

you later decrypt with the key

https://www.geeksforgeeks.org/how-to-encrypt-and-decrypt-strings-in-python/

I thought about that or using something like RSA

Maybe I’m stupid but one thing I’ve been rly confused on is how two parties are able to encrypt and decrypt a message without the decryption key being intercepted. I tried to read about public and private keys, but I don’t understand how the keys are communicated between the parties / how the keys are established or set

In asymmetric encryption you generate two keys - a public one which you can give anyone, and a private one which you must keep to yourself. Data can be encrypted using the public key, but it can only be decripted with the private key which is again kept secret. If you want, for example, exchange messages with someone, both of you will have to generate a pair of keys. You'll encrypt your message with your friend's public key, and decrypt the messages they send to you with your own private key

So in total are there two public keys and two private keys?

In this example, yes

I have a public and private key and my friend has the same?

Ok

Makes sense lmao maybe I just needed to read it in simpler terms

Thank you

👍

The public key works like a lock, and the private key is, well, the key

is it technicly possible to make a spyware for ios with python?

Technically but I would not recommend it you could get in trouble.

Anyone interested in participating in a network CTF?

yes, me

@thorn obsidian YES,ME

@thorn obsidian you are here

Hi guys, Django beginner here. I want to salt and hash my password but I don't know how to compare a password that was input from the frontend against the salted password stored in the DB?

!rule 5

I understand that we send a post request but how do I compare the plaintext string in the request with the hashed password in the backend?

i recommand you read this https://docs.djangoproject.com/en/4.0/topics/auth/passwords/

Thanks, mate. Reading it

can i change system settings even without actiaved windows license? i was going to use kali linux, but somehow i get error when i activate windows support for linux systems

Are you talking about WSL?

!e

a = "a"

while a = "a":
print("1")

if you are talking about WSL as c0deninja said i personally was able to activate it even without have windows 10 activated

anyobody has scripting experience here

I want to make a script that runs skipfish and stores the output file in my local machine

Ppl will guide you but you ll have to do the work yourself.

As far as i understood you can use the subprocess module and then run skipfish using the subprocess.run(['skipfish','parameters','go','here',])

Skipfish accepts an -o flag so u can use tht so save the output

Hi all! Would it be suggested that I make my own password manager using python? And what are its drawbacks if I do make it? Compared to a let’s say a free version ??

Unless you are learning app development you need to be really good at security and software development to build something that is resilient and secure.

If its to learn then go ahead. But if you want to use a good password manager look into bitwarden. Its open source and free

Yeah sure man

Yeah but I was unable to figure out how to get the script to press a key so the scan can begin
Later on I found out that input parameter can be used for that and I got the desired result
Thanks for the help

Just a quick question
I wasn't able to get any stdout on my terminal after running my python script even though I did stdout=subprocess.PIPE and the skipfish report was also fine but no output on my terminal

I havent used the subprocess module in a while so i ll have to look but if i remember correctly the stdout is stored in an attribute of the created object and tht you just have to print that attribute

@zenith dagger its object.stdout

but its a bytes object so u can do a print(object.stdout.decode()) to get clean output

I did that and was able to get output for ls and whoami

But not for skipfish

@zenith dagger can u share the subprocess.run command you are executing?

I've been hearing recently about "image loggers" which are pretty scary. I saw this one video and it could be fake but it got me thinking about all of this. Supposedly they can remotely execute code on your pc, with you only clicking an image. I don't know if it's fake to just scam people. But if it's real, how would that work and how can I avoid it?

usually only happens if there's a zero day exploit in the image parser

should be fine if you keep updated to latest and be aware of related news

sorry but what do you mean with " zero day exploit in the image parser"

Zero day means a newly discovered exploit

Just for learning purposes tbh

I'll share in some time

oh alr

ty for telling 😄

e!

Dead

how is python good for hacking

quick development time and strong networking capabilities. You can develop very specific tools very quickly to leverage basically any exploit

import random

c = int(input("How many characters do you want?"))
i = 0
l = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "0"
                                                  "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", 'k', "l", "m", "n",
     "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"]
with open("password.txt", "r") as f:
    z = (len(f.readlines()))
if z > 0:
    f = open("password.txt", 'r+')
    f.truncate(0)
while i < c:
    l1 = (random.choice(l))
    f = open("password.txt", "a")
    f.write(l1)
    f.close()
    i = i + 1
x = open("password.txt", "r")
s = (x.read())
print("your password is", s)

password generator

would you like me to give feedback?

yup

sure

you need a file named password.txt

import random
import string
c = int(input("How many characters do you want?"))
pwd = "".join(random.choices(string.ascii_lowercase + string.digits, k=c))
with open("password.txt", "w") as f:
  f.write(pwd)
print("your password is", pwd)

is all you need

so first of all, the random module is not cryptographically secure, see https://security.stackexchange.com/questions/242492/is-pythons-secrets-module-using-the-same-code-as-the-random-module

You might want to use the secrets module, its an in-built module in python, see https://docs.python.org/3/library/secrets.html

Second of all, instead of truncating the file, then opening it in a mode, a lot of code can be eliminated by just doing

open("password.txt","w").write(password)

Then, it creates a new file if there is not an existing password file.

Also, manually writing all the characters l you can do:

import string
l = string.ascii_letters + string.digits + string.punctuation 

open("password.txt","w").write(password)
-1, use with instead

ok

will take that into account

thank u

Hi, does anyone know where I can find a Python implementation of the SHA3 algorithm (in pure python, without C libraries) ? I'm trying to implement it myself using the official NIST documentation but I can't make it work properly and I would like to check my code by comparing it to a working code. Thank you !

https://github.com/bjornedstrom/python-sha3

The source code is in C, I want a python only implementation

ah

sorry

I am interested in python programming

most people in here are too 🙂

Cool

This password generator does it work as smtp scanner

Hello, does anyone know encode data with a private key and decrypt it with a public key? It would be very much appreciated if you could give me a short and easy code but you could also give me a longer one.

https://nitratine.net/blog/post/asymmetric-encryption-and-decryption-in-python/

Thanks but it is encrypting the data with the public key and decrypting it with the private one. I need the oposite.

Now that i think about it, i could use signatures.

To explain what i am doing:

I am coding an advanced form of cryptocurrency that need less computing power. I need a way to check if you are the owner of a coin.

I was thinking that i could use either a signature function or an encryption function. Sadly, I can't find a way to implement the stuff to my code.

Could you help me?

am not really knowledgeable when it comes to cryptography but am sure that if you post your issue in a help channel someone with the knowledge will come and give you a hand 🙂 #❓｜how-to-get-help

Ok, but I have already tryed 2 times in the help channels: help-kiwi and help-candy

my software is reday

Hey, i'm Mathis, a middle schooler, so yeah i'm pretty young and i'm trying to learn Python, sooo
Basically, i don't know anything about it, where should I start ? How to learn ?

Basic tutorials on Youtube are great, that's how I learned the basics

True

i started with tutorials on youtube

Alright, i'll give it a look, thank you

I am designing an account system for a web app I have, and I'm looking to use bcrypt to salt/hash passwords. Is there any way to lock other data and encrypt it such that it can only be decrypted with the salt/hash/something generated from the user's password?

As the app owner, I want to have no way to access these tidbits of information except through the user's login.

you cannot decrypt a (secure) hash, that's kinda the point........

That's not what I was wanting to do at all. I wanted to use the password or some intermediary data as an encryption/decryption key.

This is the python discord actually.

Pick something you want to make as a first project as well. Could scrape news data, make a game, make a temperature monitor with a raspberry pi, or do something crazy and make an encryption tool like I did!

This way you aren't just learning a bunch of coding concepts but you have direction in your learning and can explore how other people did what you want to do.

I am developing a chat app and I want to make it such that users' direct messages are encrypted, so that I cannot read them from the database. As of now, my train of thought is that I would generate an RSA keypair for each direct message "room", with the public key stored in it and a copy of the private key stored in the accounts of all users who have access to it. That way, the users could request the data from that room and the server would retrieve it, retrieve the key from the user's account, and fetch & decrypt the requested data.
The fly in my ointment is storing the private keys in user accounts. How can I generate an encryption/decryption key from the user's password? I am already using bcrypt for the salting/hashing for logins, but that's not really helpful here.

I’ll give it a try too, thank you for the advice !

Question for code obfuscation, can I have a txt file with all the imports, read it, exec() it, and use it in the py file as though I had imported it from the actual code

Since its a hash there is no way back to the plain password. Can’t you just use the hash as the key?

Keep in mind that if you let the users change they passwords you could have problems in the future

a key derivation function is what you want but this scheme is just one-step removed from storing the messages in plaintext, since the information needed to decrypt them is stored alongside it. As per the usual don't roll your own crypto advice, I would recommend looking at libsignal for end to end chat encryption

I dunno if there's any good python bindings for libsignal though

Could make your own?

Assuming you have some sort of c/cpp knowledge

In theory you could write the wrapper using PyBind11.

I don't need it all encrypted end-to-end, I just need to encrypt the data stored on the database

it is called asymmetric cryptography https://medium.com/@ashiqgiga07/asymmetric-cryptography-with-python-5eed86772731

you can encrypt anything by public key, but you cannot decrypt

and private key can encrypt AND decrypt 😉 (+generating new public keys)

Yes, I am aware of asymmetric cryptography. Still doesn't explain how to generate keypairs from passwords, unless I can simply encode the password in utf and use it as a seed for the random number generator, but I doubt that will yield the same primes or anything like that every time

Generate the keypair on the client

https://www.pycryptodome.org/en/latest/src/faq.html

I have a goal to generate RSA key pair, that can be used for encryption decryption in a code, and as a SSH private/public pair at the same time

I achieved goal to generate RSA key pair, that can encrypt and decrypt

I achieved goal to save public key in OpenSSH format (similar to what linux in ssh-keygen generates)

I have the problem to save private key in a format compatible to connect the server now %

I am working from this example

from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA
from binascii import hexlify

#The message to be encrypted
message = b'Public and Private keys encryption'

#Generating private key (RsaKey object) of key length of 1024 bits
private_key = RSA.generate(4096)

#Generating the public key (RsaKey object) from the private key
public_key = private_key.publickey()
print(type(private_key), type(public_key))

#Converting the RsaKey objects to string 
private_pem = private_key.export_key().decode()
public_pem = public_key.export_key().decode()
print(type(private_pem), type(public_pem))
#Writing down the private and public keys to 'pem' files
with open('private_pem.pem', 'w') as pr:
    pr.write(private_pem)
with open('public_pem.pem', 'w') as pu:
    pu.write(public_pem)
    
#Importing keys from files, converting it into the RsaKey object   
pr_key = RSA.import_key(open('private_pem.pem', 'r').read())
pu_key = RSA.import_key(open('public_pem.pem', 'r').read())

print(type(pr_key), type(pu_key))
#Instantiating PKCS1_OAEP object with the public key for encryption
cipher = PKCS1_OAEP.new(key=pu_key)
#Encrypting the message with the PKCS1_OAEP object
cipher_text = cipher.encrypt(message)
print(cipher_text)
#Instantiating PKCS1_OAEP object with the private key for decryption
decrypt = PKCS1_OAEP.new(key=pr_key)
#Decrypting the message with the PKCS1_OAEP object
decrypted_message = decrypt.decrypt(cipher_text)
print(decrypted_message)

Exported public OpenSSH key with

public_key.export_key("OpenSSH").decode()

Question, how to save private key in the way that will work for linux Unubuntu 20.04 default SSH application to connect the server

nvm

I succeded

used answer for python generating ssh key pair from cryptography

and used it to be imported as a key for the thing above, with skipping the generation, it worked fine

is there any more secure way of storing passwords other then

random = 2 digit random number
salt = random 10 chars base 64
pepper = read_secret_from_file()
result = hash(password + salt + pepper + random)

for x in range(1000):
    result = hash(result + salt + pepper + random)
database.insert(f"{result},{salt}")

I mean this is still reversable

hard to do but it is

even more so if we are let's say hashing user names from another platform

so there is like only 3000 possible values

Can you guys ping me if you find out?

what is "random"

this just seems like pbkdf2

but roll-your-own

should still be secure assuming hash isn't something bad, though you should really use something from a trusted library

other methods: https://passlib.readthedocs.io/en/stable/narr/quickstart.html

pbkdf2 doesn't have pepper tho

the random is just randomly generate number

what's not clear about that?

well it's not secure

since it's pretty easily reversable

if you have list of possible values

hash changes its values between runs

so it just won't work

Just use something battle-tested like bcrypt

Bcrypt is easily reversible

Yeah but it would not metter

the passwords will be dropped when you restart the program?

I challenge you to reverse $2b$12$Lzy3MHBNMx8uftQHizmrDeZmf/S5EwKUuLOGroUneJqIryx2DyJIK

If you have a list of known values, there is no way to make it non-reversible

I mean, just logically

about pepper: https://security.stackexchange.com/questions/21263/how-to-apply-a-pepper-correctly-to-bcrypt

For example secret pepper would make un reversible

what's preventing you from using a pepper with bcrypt?

Nop you would have to brute force those 2 digits

wdym?

hash will produce different results when you restart the program, so hashes will no longer work

!e

print(hash("foo"))

@last ivy :white_check_mark: Your eval job has completed with return code 0.

7814480978635085837

!e

print(hash("foo"))

@last ivy :white_check_mark: Your eval job has completed with return code 0.

-1907129312318368269

On verification you would try all 100 combinations

I am not asking for implantation

I am asking for theoretically unbreakable hash method

If even possible which I doubt

Give list of 300 000 possible values and 2 minutes

A peppered hash isn't really "uncrackable". It is very crackable if you find the pepper.

Similarly, storing passwords in plain text is not a vulnerability on its own, if there is mathematical certainty that an attacker can't get hold of the passwords.

ok took me longer then I would like to admit but the python script is running

that's why I am asking for better alternative

Should take about 20 hours

Unless you're parallelizing

I am

24 threads

but still it will take some time that's true I don't argue with that

I am just saying it is reversible

I was sugggesting having it in file loading it into RAM and the unplugging the USB with the file

You can still dump the memory of a process if you have access to the server. Or leak the contents due to a vulnerability

that's my point

that's exactly what I mean

how do I make it more secure

I am glad we are on the same line now

What are your threat models?

non

I am doing this for my self out of interest 😄

I am just student

Well, you can't make an application abstractly secure 🙂

Well I just want to be more secure

😄

then what I have now

ok maybe 300 000 was way to much but I am pretty much done

it will take 30 minutes

but in real word scenario you could limit that number of entries to something like 3 000

or order them from lowest to highest chance of success

xor with urandom

that would not work

it would generate random hash

well you asked for theoretically unbreakable

that's your answer

wait hash here is a crypto function, right?

not the hash built-in

what can I do with python as far as hacking the local pizza place and getting fr ee piozza deliveries ?

What can I do with python as far as hacking the local pizza place and getting free pizza deliveries?

!rule 5

LMFAO

Find a job in Python, earn the money to buy a pizza.

That was a really wholesome answer, I respect that

Step 1: Become a black hat hacker.
Step 2: ???
Step 3: Profit

Step 2.5: go to jail

rofl

is python good for cryptocurrency? I heard it's no great for security

python is great for security

cool

yes

there are many projects for security aspect too

it depends: a programming language designed for security is rust.

Can anyone help me please?

How can I check my private browsing history? and how to stop someone who is tracking my history remotely?

One of the features of "private browsing" is that it doesn't record history.

You can't track someone else's history, even if you intercept all their network traffic, as long as they are using HTTPS.

technically speaking dns requests can still be tracked

and mitm is also possible

Yeah, you can record which IP addresses someone talks to

whats the name of this part of a script

what's the best tool to obfuscate code (free or paid)

https://en.wikipedia.org/wiki/Kerckhoffs's_principle

security by obscurity is bad

I just saw one of the best ways to patch social engineering-based security holes! This is what you get when you hit F12 on Discord in a browser (access to console, element inspector, etc):

will that even work on the target audience of those scams

also easily bypassed by javascript: urls

is there a way in which i can have users input username & password in the safest way such that I do not have access to it but I can use the username/password into my code?

by using I mean; a simple request to a certain API

how can i host a server then so people can have access to my code without having access to my code?

what

Hello!

I have a keyring question!

Is this the correct place to ask?

How good is pyarmor

Like any flaws I wanna know what they are

there's plenty of methods to deobfuscate it

a search on Google turns up quite a few, though I can't vouch for any of them

K

eh

Hi guys I really don't know where to start To learn how to protect python Source code so if I send for example my code to a friend he\she can't change or see my source code ,
I read that cython can convert python code and from there I can decrypt the source code is it true?

That where the use of Api you cant host your project in a server and create an API so the user will get use for your code throw it .

Then why sending source code lol?

i thought everybody knew that

@thorn obsidian

same, it's been there since late 2018

or just disable the console altogether

You partially can, SNI is public and visible, it can be used to track all addresses you talk to

This is how websites are blocked and censored within isps

anyone here

help me airecrack-ng

showing wlan0 is on channel 1 but AP is on channel 3

I'm trying to figure out what I want to do for my senior project. I'm majoring in computer science but have a minor in computer security. I want to do some project with cybersecurity and programming of some sorts. Any of you guys have any ideas for a project?

Have you looked into previous similar projects and/or do you have any personal projects that have to do with cs security? I've absolutely no clue but feel obliged to answer something to an open eded question like this before asking mine xD

So, I've heard eval is a big baddie when it comes to security, and ast.literal_eval is much better. I'm using literal_eval in my code currently, and I guess it's the best alternative after looking a bit into it, but call me out if I'm wrong!

I get a 2d-list from from a text file written by another program which is already formatted like a python file, literally [[1,2],[3,4]]-style.

What I currently do (basically):

from ast import literal_eval

filepath = "in.txt"
with open(filepath, 'r', encoding="utf8") as text_file:
    text_file_data = text_file.read()

the_list = literal_eval(text_file_data)

Thanks for answering. It’s a little bit of a hard question to answer. Thanks for your response🙂

use json.load instead?

^ your goal is serialising data to disk, and then deserialising it into memory at a later point. using json works a lot better for this kind of data storage

Does sharing a IDENTITY column number of DB rows in a server response pose a vulnerability?

I mean, i query the db based on clients request and provide them also my IDENTITY number to track any changes between the data sent and in the DB

!rule 5

You can use a packager like pyoxidizer that packges the whole python interpreter to bypass and mitigate the problem that fundamentally python is an interpreted language that can only be converted into bytecode which is also a giant flaw because your packaged binary could be reverse engineered with uncompyle6 and then the memory representation of the code could be unmarshalled.. If you want to know more: https://nedbatchelder.com/blog/200804/the_structure_of_pyc_files.html

Not really, but if your database system's unique id generation system is incremental then yes, a user could simply lookup other records which would be a huuuuuuuuge privacy issue, or someone could write up a program to incrementally log everything in your database (which is visible to the user)

All right, yes, my id generation is incremental, so I should switch to, e.g. UUID? Could you point me to some resources about it, or write some keywords for googling? I don't understand how can user look up other records if i'm spoon feeding him only his own data

Thanks bro , it is a good point to start with 👍

Hey guys I trying to make a login in and username password this is what I've done so far, i can't seem to figure out how to make sure when your asked to enter your password and username the programme checks that the password you've used is correct here's what I've wrote so far

CODE -

import time
print('Welcome to Login V.1')
print('-----------------')
time.sleep(1)
username = input("Enter your username ")
print('-----------------')
time.sleep(2)
password = input("Enter your password ")
print('-----------------')
time.sleep(3)
print("Your username is "+ username)
print('-----------------')
time.sleep(3)
print("Your password is "+ password)
print('-----------------')
time.sleep(3)
print('Please remember these credentials!')
print('-----------------')
time.sleep(3)
print(' --- Login --- ')
print('-----------------')
time.sleep(2)
attempts=0
while attempts<3:
username=input(' please enter your username ')
password=input(' please enter your password ')
if username== '+ password' and password=='correctpassword':
print('you are in!')
else:
attempts+=1
print('incorrect!')
if attempts==3:
print('too many attempts')

You should assign a variable to the username and password and check if they are the same using if statement

Thankyou!

I'm sure this will work right?

while userName == userName and password == password: # The Input will always lead to this while loop, so we can see if their username and password is wrong or correct.

If I change the variables that's should work?

I think so

Is there any error you are getting

Thank you for help! Yes there is but that's because of the issue here --

if username== '+ password' and password=='correctpassword':

That's the issue. But I believe I can resolve it :)

The code is working fine but when I put the right password and username it says 'you are in!' But... it continuously spams 'you are in!'

import time
print('Welcome to Login V.1')
print('-----------------')
time.sleep(1)
username = input("Enter your username ")
print('-----------------')
time.sleep(2)
password = input("Enter your password ")
print('-----------------')
time.sleep(3)
print("Your username is "+ username)
print('-----------------')
time.sleep(3)
print("Your password is "+ password)
print('-----------------')
time.sleep(3)
print('Please remember these credentials!')
print('-----------------')
time.sleep(3)
print(' --- Login --- ')
print('-----------------')
time.sleep(2)
attempts=0
while attempts<3:
username=input(' please enter your username ')
password=input(' please enter your password ')
while username == username and password == password:
print('you are in!')
else:
attempts+=1
print('incorrect!')
if attempts==3:
print('too many attempts')
print('-----------------')
print('Exiting programme...')
quit(1)

Use break

print(“you are in”)
break

Should I use that instead of quit() ?

Thankyou!

It’s optional

u can use break or quit

It's still spams you are in!

import time
print('Welcome to Login V.1')
print('-----------------')
time.sleep(1)
username = input("Enter your username ")
print('-----------------')
time.sleep(2)
password = input("Enter your password ")
print('-----------------')
time.sleep(3)
print("Your username is "+ username)
print('-----------------')
time.sleep(3)
print("Your password is "+ password)
print('-----------------')
time.sleep(3)
print('Please remember these credentials!')
print('-----------------')
time.sleep(3)
print(' --- Login --- ')
print('-----------------')
time.sleep(2)
attempts=0
while attempts<3:
username1 = input(' please enter your username ')
password1 = input(' please enter your password ')
if username == username1 and password == password1:
print('you are in!')
break
else:
attempts+=1
print('incorrect!')
if attempts==3:
print('too many attempts')

I tested it, it shouldn’t spam the you are in message

send me ur code

Alright 👍

Just sent you it via dm

In your question you said how you will give the user the id number so that they can lookup their record, if not then please correct me. So for example, someone has an id number of 10, and it is incrementally generated then they could loop up everything from 0-10 and further if the data has been created. Switching id systems would depend on your database

Can anyone tell me some basic security based project i can do with python?

Google has some great answers for that question. Any reason they don't work for you?

Ok, let me clarify. Idea is to have a web app in which users can import their bank statements, and have full overview of their transaction history, with dynamic filtering, some summarization and so on. Additionally, they should be able to manually change some details of these transactions, in case bank statements were not complete in information, or if they want to, e.g. categorize these transactions. Till now, I've queried these transactions from DB and provided all the details about transaction to the user, except of transaction ID. Now, when the user can modify few values of transaction, I need a way to recognize which transaction was modified, to subsequently update it in the DB (and for this I want to use transaction ID, but now i have to include it into web response sent to the user)

As I am a complete newbie, I've read somewhere that passing ID of records from table to the clients could be a dangerous thing to do, altho I have no idea if this applies to my case. To my feeling, not really.

This should all be done with HTTPS of course and two factor authentication since it is a banking app

Yeah I get it previously it was read only and now it will be read write making it necessary to expose the transaction ID... it is a risk to expose the ID but you need it

Maybe implement a tranaction hash

https://tandhconsult.com/blog/what-is-a-cryptocurrency-transaction-hash-hash-id/

Making a login in and password script it a basic, it can become advanced depending on how your planning to use it :")

@solid agate, looks like you posted a Discord webhook URL. Therefore, your message has been removed, and your webhook has been deleted. You can re-create it if you wish to. If you believe this was a mistake, please let us know.

aww

i wanted to share my virus

no harm

https://cdn.discordapp.com/emojis/310219883252154369.webp?size=48

heyy!
i wanna learn cyber security!

is anyone here can help me with it?

Not sure what you need help with.

Hey you guys wants to laugh? https://www.newsweek.com/exclusive-fbi-warns-russia-may-launch-cyber-attacks-us-ukraine-tensions-rise-1681012

An FBI report obtained by Newsweek has called on the U.S. private sector to be prepared for potential state-sponsored cyber attacks to be launched by Russia as tensions over Ukraine threaten to spill into an all-out conflict in Eastern Europe.

hahahaha

The US private sector... prepared... for russian cyber attacks 😆 😂 🤣

Okay i will try to make the basic version first. Thanks for the advice!

Look at Tryhackme and Hackthebox. Good introduction to cybersec topics

where can i get that?

Rule no1 in tech. Google it my friend

:)))

If you need any help or advice dm me and ill help you out

Whats a good way to start getting into cyber security

?

!rule

@dire osprey dm me

Lol💀

if a system is attacked by ransomware while a py script is running, and encrypts any file regarding the python language, or c language files etc, will it continue to run on ram?

O_o

If you're playing a game and get attacked by ransomware, (which includes the files the game is currently depending on, with memory in RAM) does the game keep running?

in python yes, but i dont know about source files, aka not the ones i wrote

like the actual language

Why is Linux the preferred os when it comes to cybersecurity?

The number of open source tools specially crafted for cybersecurity tasks and plus many servers run on linux

I think one of the reasons is the flexibility that Linux gives you in terms of what runs in your system. You can have a barebones install with only minimal packages of even recompile the kernel to remove all the unnecesary modules you wont need for your purpose... You can basically customize any part of a Linux system to your needs... The less software you have running, the harder it will be to exploit.

Ah cool. I'm currently using windows, is it adviced and possible for me to use Linux instead?

Using it for what?

If you are interested in cybersec then yes it is better to start using linux distros

سلام دوستان burp suite رو کجا میتونم یاد ب

گیرم؟

ممنون میشم اگه منبع خوبی میشناسید معرفی کنید.

can anyone assist me with some dnspython issues regarding docker?

im trying to get the dnskey from a website, however it cant seem to establish a connection to the dns server from docker but runs locally, does anyone have any suggestions and or has dealt with this directly?

I have a few questions about asymmetric encryption

A key is applied to an algorithm to encrypt some data. That encrypted data can be used as a key to the algorithm run in reverse to produce the original key.

With asymmetric encryption — reverse application of the algorithm will yield the original key used. But all one has at that point is the key and and the encrypted data, not the original copy.

So, having the key is useless.

That's how that is supposed to work, right?

i am not the cryptography expert

but that doesn't sound right

you can't get the original "key"

you can get the original plaintext data

before encryption

for asymmetric encryption, all you do is generate 2 keys, then choose which one will be "public" and which one will be "private", then you take a simple plaintext data such as "my secret message", pass it through the encryption algorithm while providing the "private" key

as a result you get a gibberish

then to decrypt that gibberish into "my secret message" you can use the "public" key

aka the other key you had unused

All of that is well and good

Aghghghghg

XD I need to study the concepts more before I can proper phrase my questions

I'l be back, perhaps

all you do is generate 2 keys, then choose which one will be "public" and which one will be "private"

there's multiple asymmetric crypto schemes out there but in general you generate them as a pair and you don't get to pick which one is public and which is private

Okay, so...

I guess my question is this

If I apply a key to an algorithm to encrypt some text

How is it that, if I apply the steps of the algorithm in reverse, I do not yield the original text?

hm, i heard the opposite, thanks, good to know

because when you go one way, you use key #1

and when you go the other way

you use key #2

Yes, but how

how what exactly?

I do not yield the original text? - if you call encryption() function and provide key #1 to it, then calling decryption() and proving the same key #1 will not yield the original text, thats expected behaviour

thats why its asymmetric encryption, not symmetric

instead when you call decrypt() you provide key #2

then it will yield the original data

I think you're asking why the encryption is not reversible with just the public key. The answer to that depends on the exact scheme you're using, to make this more concrete I would fix one to study like RSA

def step_1(key, text):
  """some sequence of steps"""

def step_1_reversed(key, text):
  """every line of code in step 1, reverse order"""

def step_2(key, text):
  """some sequence of steps"""

def step_2_reversed(key, text):
  """every line of code in step 2, reverse order"""

def step_3(key, text):
  """some sequence of steps"""

def step_3_reversed(key, text):
  """every line of code in step 3, reverse order"""

def encrypt(key, decrypted):

  tmp = step_1(key, decrypted)
  tmp = step_2(key, tmp)
  tmp = step_3(key, tmp)

  return tmp

def decrypt(key, encrypted):

  tmp = step_1_reversed(key, encrypted)
  tmp = step_2_reversed(key, tmp)
  tmp = step_3_reversed(key, tmp)

  return tmp

Somehow, the steps in the decryption would have to fail if the original key is provided instead of the secret key

because thats the way its supposed to work

you can't just encrypt and decrypt data

using just one key

thats why its called asymmetric encryption

King, bro

You're really not helping

to encryp() you'd pass key #1 and to decrypt() you'd pass key #2

then everything will work

You're just saying "it just works"

as you're expecting

if you want a rundown on the way how encryption and decryption works

at the level of manipulating bytes

then you can find some good articles online

but it's not what you are asking is it?

i think you are just not understanding the keys

would have to fail if the original key is provided instead of the secret key

can you elaborate on that

so you are passing same key to both encrypt and decrypt right?

they understands how asymmetric schemes works, they're just asking what properties make it possible for you to write a function that you can go encrypt(data, key) without being able to reverse it with that same key

and the answer is: it depends on the scheme

and the scheme can only be explained at the lower level

RSA uses prime factors and exponentiation to achieve it

😛 Thanks y'all

was it clarified to you

or not

cause it don't seem that way

Ohhhhhhhhkay.... so....

The number 12

Can be produced by multiplying the numbers 4 and 3, or the numbers 2 and 6

So if I'm looking at the number 12, I have no way of knowing which two numbers were used to produce it

Is it a bit like that?

yup exactly, it's a similar process to that

2 seconds

def encrypt(key, data):
  return str([chr(ord(character) * key) for character in data])

obviously this one can be trivially reversed with the key in hand

just divide each ciphertext character by key

to obtain the original

Well that's what I'm getting at. Without the key, every character could be the result of pretty much any character multiplied by pretty much any key

But with the key, easy peasy

Can you think of just a simple example of a function with one way properties?

heh it's easy to make one that's one way, but going back the other way with a linked key is the hard part

and is the crux of asymmetric cryto

consider a hash function like sha1 for example, it'll go one way

good luck finding what was the input

but in an asymmetric crypto scheme we do want to be able to reverse it with a corresponding private key

and that usually needs some hard math problem backing it like prime factorization or discrete logarithms

Okay, cool

XD I'm tasked with writing a few paragraphs about Kerchoff's Principle

And I could bullshit my way through it — the principal is sound even if I don't know exactly how the math waorks

But as a matter of good faith, I want to do some studying just so I can say I actually learned something

So, I think I've come to the conclusion

Lemme make sure this is right

Any encryption algorithm can by definition be cracked. However, the time it takes to crack the algorithm increases to a prohibitive amount given sufficient complexity

Even if all the steps are known, if it will take a million years for a super computer to crack an encryption then it is effectively uncrackable

So, the fundamental problem becomes the sharing of the keys

Using the same key for every communication is obviously out of the question

But if you want to establish a secure line of communication with anyone who wants it, you must generate a new password randomly each time

The problem becomes this: there is no way to prevent the generated key from being intercepted in transmission, or knowing if the receiving party's "infrastructure" is compromised (malware could be watching, they could be deceived into sharing their key, etc) [you yourself could in theory be compromised, but you have the agency over yourself to take the appropriate steps, you have no way of knowing if the other party is doing the same]

The only way to ensure a password remains secure, therefore, is to never share the password.

With asymmetric encryption, a password is shared which can encrypt, but cannot decrypt

To achieve this, some kind of operation is perform which transforms a bit of information according to a key, but which cannot be reversed using that same key

But which can be reversed using a different key, one which is never shared

The nature of the math involved in these operations is complex — but perfectly possible in a broad sense

And so the important factors in these steps are:
A relationship must exist between two randomly generated passwords
Some operation must exist which can be performed in one direction with one key, but cannot be reversed using that same key
That same operation can be reversed using the second key

Is that the jist of it?

That, at least to me, would be the jist of it

How can I remove and scan for malware?

Depends on the nature of the malware imo. If you got some known malware not specifically targeted at you, you should be able to see least scan and detect it with a modern anti-virus program (try several), at least of you scan your disk from a Linux boot session(e.g. a USB boot disk).

It's recommended you copy what data you need and then do a clean reinstall though, you can't be sure what's lurking in your system after an infection imo. :(

https://www.theverge.com/2022/2/25/22951376/nvidia-incident-alleged-cyberattack-february-2022
Maybe hold off updating or installing stuff for a while?

Ok Ty

In general you should scan downloaded files you don't trust, especially executable ones. You can use https://www.virustotal.com for instance by uploading them to have them scanned by several scanners. Personally I don't trust files if they get even just one or two detections on there.

Anyone here know about implementing Diffie-Hellman key exchange end to end encryption? I am trying to get multiple clients in a chat room to share a secret key. The wikipedia article outlines a method of distributing the public keys in an iterative process, but It seems pretty complicated to implement. I had another idea of simply caching the public key of each client so that when a new user join a chat room, the client can add its public key to the cache. After the new public key is cached, the new set of public keys is pushed to each client so that they can regenerate there secrets keys using the combined public keys. Wikipedia article for reference: https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange#Operation_with_more_than_two_parties

Just wondering if what I outlined is possible and secure

It would have to be asymmetric otherwise Alice removes Alice's public key from shared secret and uses Bob's private key to authorise a transfer of some currency from Bob to Alice.

Do you know any tutorials on how to do it?

The best advice I can give is really to search for tutorials or how to's. Sorry

https://cdn.discordapp.com/emojis/690266333308649487.webp?size=48&quality=lossless

Sorry not sure I understood you. Alice should not have access to Bob's secret key in this situation (I think) she should only get access to g**b where b is bob's secret. But you can't separate bob's secret easily after g**b % p

My plan is to regenerate the secret key for each user by recombining all of the public keys when a user join or leaves

Then all new messages will be sent using the new secret as a password

do you mean that Alice will still have access to Bob's secret key that they generated together? I think I can get around this by regenerating the shared secret whenever someone leaves or joins a room. (Client stores one secret key per chat channel, this can be removed from memory at any time and replaced with a new key)

Okk soo scrap that key cache idea. There is no way to make g^a and g^b become g^(ab)^c... because it just results in g^(a+b)^c

Aww yiss now just time to implement it on a server 😅

!e ```py
class PartialKey:
"""Class to represent a public key which is built up by multiple clients"""
def init(self, base: int, prime: int):
self.base = base
self.prime = prime
self.value: int = pow(base, 1, prime)

def mix_paint(self, private_key: int):
    self.value: int = pow(self.value, private_key, self.prime)
    return self.value

g = 2
p = 997
a, b, c = 80085, 1337, 69420

carol

partial_key = PartialKey(g, p)
partial_key.mix_paint(a)
partial_key.mix_paint(b)
c_secret = partial_key.mix_paint(c)

alice

partial_key = PartialKey(g, p)
partial_key.mix_paint(b)
partial_key.mix_paint(c)
a_secret = partial_key.mix_paint(a)

bob

partial_key = PartialKey(g, p)
partial_key.mix_paint(a)
partial_key.mix_paint(c)
b_secret = partial_key.mix_paint(b)

print(c_secret, b_secret, a_secret)

@proper idol :white_check_mark: Your eval job has completed with return code 0.

888 888 888

!e

hi, how long does python take to learn from zero. for cybersecurity

So my company is slow to adopt pretty much anything, and they've been using Java 4 / 6 for some apps that I am convincing them to let me rewrite in modern Python (3.9 / 3.10)
They asked on how I could secure the source files from being read in the case of a security intrusion on the server, and I don't actually know the answer to that
Is there a process by which a python file can be encrypted and still usable? I'm sure there's still security considerations for the Python runtime being able to decrypt the code, and then you could read that from the system memory, but I figure

1. these servers are internal only, so external security issues aren't really a factor (unless the intruder got in to our entire network, which itself is a minefield)
2. encryption and setting the right read/write/execute permissions on the server would be enough

You could take a look at this:

https://dev.to/richard_scott/encryption-for-protecting-python-source-code-4ckg

Pretty sure this thing has a dependency that decrypts the source code before using it, haven't gotten a good look at it, I suppose that can help you find a reasonable solution somehow.

Hey that's pretty much what I'm looking for!
It does work on a paid subscription, or otherwise the trial version limits the amount of time your encryption will last to be 24 hours - but I'm sure that either my company would be willing to pay for it, or I'll just re-encrypt the files every 24 hours
Thanks again!

If I wanted to go full-bore on preventing a user from reading my files. I figure I could do something like this:

1. obfuscate code with some obfuscation library
2. encrypt with source defender
3. compile to C or C++ with Cython
4. generate executable with pyinstaller

Step #4 also means I don't need to have a Python installation on the machine itself

i have some handshakes file and i am not able to crack them can anyone here do that

pls dm me

so why not just something simple like chmod 600 your_python_files? I'm legitimately curious about why you think that doesn't suit your use case

Already doing that, but management wants to add more security in case an intruder can somehow gain root access
It's not likely but you never know what new vulnerability gets found

that's... pretty silly

if an intruder gains root access it doesn't matter if your files are encrypted. They do a remote backup, wipe the server, and demand a few dozen bitcoin

IMO the marginal cost in operational complexity from encrypting your source files is probably much higher than the amortized cost of a potential source code leak over the same time period

but like, it actually should barely matter. If you're storing your secrets with a secretsmanager, and not in the source code, you in theory can just give away your source code for the asking and nobody can hurt you with it

this is like putting the keys to the safe in another safe that's in the same place. Either way all the intruder has to do is search your house for one set of keys.

:v

!e import sourcedefender
from os import environ
environ["SOURCEDEFENDER_PASSWORD"] = "1234abcd"
environ["SOURCEDEFENDER_SALT"] = "dcba4321"
import mycode

@formal mauve :x: Your eval job has completed with return code 1.

001 | Traceback (most recent call last):
002 |   File "<string>", line 1, in <module>
003 | ModuleNotFoundError: No module named 'sourcedefender'

!e pip install sourcedefender

@formal mauve :x: Your eval job has completed with return code 1.

001 |   File "<string>", line 1
002 |     pip install sourcedefender
003 |         ^^^^^^^
004 | SyntaxError: invalid syntax

:V

!e

!e while True:
print("hello world")

@frank charm :x: Your eval job has completed with return code 143 (SIGTERM).

001 | hello world
002 | hello world
003 | hello world
004 | hello world
005 | hello world
006 | hello world
007 | hello world
008 | hello world
009 | hello world
010 | hello world
011 | hello world
... (truncated - too many lines)

Full output: too long to upload

I suppose this is something I have to talk about with the team that manages OpenShift at my work place. I know you can set up secret stores, so as long as that's set I'd get the clearance from upper management

Seems that management doesn't because of some built-in security measures that the OpenShift team is using, so less work for me!

Can I get a check on this answer?

The question: What are the steps, from the instantiation of a secure communication channel to the decryption of a message, of an asymmetric encryption scheme?

what package would you guys recommend from encryption and decryption for fun? I want to try to make my own symmetric ciphers (i know this is bad idea generally speaking and inefficient)

or some kind of encryption algorithms with adjustable parameters like custom block size or variable key length or rounds that i can play around with.

you mean use ssl package for non https use?

hmm cool never even considered that before thanks!

guys

help

all my files

is turning into .qbaa files

;-;

hello everyone
🧬 : 4 / 61

⛔️ APEX
╰ Malicious
⛔️ SentinelOne
╰ Static AI - Suspicious PE
⛔️ Webroot
╰ W32.Malware.Gen
⛔️ MaxSecure
╰ Trojan.Malware.300983.susgen
is it danger?

Hey, anyone would like to join me for a matrix (messaging protocol not the movie) inspired project?

Hey all

Could someone give this a look-see and let me know if I'm missing anything?

Question: What are the steps, from the instantiation of a secure communication channel to the decryption of a message, of an asymmetric encryption scheme?

· Party-A requests secure communication with party B
· Party-B generates a pair of public and private encryption keys (these keys may already exist)
· Party-B transmits its public key to Party-A
· Party-A generates a third key, a session key, for use in subsequent encryption
· Party-A encrypts the session key with the public key
· Party-A transmits the encrypted session key to Party-B
· Party-B decrypts the session key with its private key
· Party-A encrypts and transmits a message with the session key
· Party-B receives and decrypts the message with the session key
· Everyone goes out for beers

that looks good

:incoming_envelope: :ok_hand: applied mute to @compact hearth until <t:1646332317:f> (9 minutes and 59 seconds) (reason: discord_emojis rule: sent 69 emojis in 10s).

!unmute 713003400547270676

:incoming_envelope: :ok_hand: pardoned infraction mute for @compact hearth.

please don't spam emojis

thank you

оk

My teacher really needs to be more specific with his questions

What he actually wanted was this:

· Parties A and B both exchange their public keys
· Party-A encrypts a message with Party-B's public key
· Party-B decrypts the message with its private key
· Party-B encrypts a reply with Party-A's public key
· Party-A decrypts the reply with its private key

So, a two-pair scheme

-_-

Hi , I wanted some resources/techniques on finding the actual IP addresses behind a proxy/VPN IP address. Its for a project Im working for, not getting much info regarding this.

in a sense RSA?

hi guys

You can use the Fritz vpn from a Fritzbox, If you have one, this is a free VPN created by your router

!e print("Hello world")

@shell depot :white_check_mark: Your eval job has completed with return code 0.

Hello world

!e import tkinter as tk
from tkinter import *

@shell depot :x: Your eval job has completed with return code 1.

001 |   File "<string>", line 2
002 |     from tkinter import *
003 | IndentationError: unexpected indent

!e import tkinter as tk
from tkinter import *
root=tk.Tk()
root.mainloop()

@shell depot :x: Your eval job has completed with return code 1.

001 |   File "<string>", line 2
002 |     from tkinter import *
003 | IndentationError: unexpected indent

!e import tkinter as tk
from tkinter import * root=tk.Tk()
root.mainloop()

@shell depot :x: Your eval job has completed with return code 1.

001 |   File "<string>", line 2
002 |     from tkinter import * root=tk.Tk()
003 |                           ^^^^
004 | SyntaxError: invalid syntax

!e import tkinter as tk
from tkinter import *
root=tk.Tk()
root.mainloop()

@shell depot :x: Your eval job has completed with return code 1.

001 | Traceback (most recent call last):
002 |   File "<string>", line 1, in <module>
003 |   File "/usr/local/lib/python3.10/tkinter/__init__.py", line 37, in <module>
004 |     import _tkinter # If this fails your Python may not be configured for Tk
005 | ImportError: libtk8.6.so: cannot open shared object file: No such file or directory

Hey @shell depot!

hmm... opera vpn? but its only in the opera browser and very slow... tor vpns(like orbot) would also work, but are a little bit slow

orbort is a relativly good coice for vpn, because its based on the tor system

what are you willing to do with it, if its browsing try the tor browser(also win linux etc.)

Hmm... sorry, for desktop I don't know anymore who are free, the problem is that most of the free use data to pay their servers, what isn't that what you want(I guess) 😦 only vpns based on tor would work, but are slowww...

I dont know much about proxies sorry... I don't want to tell you false stuff xD

uhh... MS defender is relatively good, if you are connected to the internet, otherwise it is 💩 When I used free antivirus stuff, I used Kaspersky Free, but with the Russia war... I don't trust kaspersky anymore... but that is only my opinion. Kaspersky free is creatively good rated by chip etc. but I don't remember if it had real time protection

because MS defender uses AI when you have Internet

best approach to validate that a string is a valid bitcoin address of any address type?

pls help

1093241-323452-0887352134

244267995-294514-965345

sir

-882253-284945-24526

download openvpn and download a free courvix server config

protonvpn

oh wait that needs registration

https://www.vpngate.net/en/

and downlaod openvpn

windows defender, malwarebytes

Hey guys, I'm not into the security side of python so I don't know anything about it really but i stumbled over this discord bot RAT thingy (https://github.com/moom825/Discord-RAT). How does this work? You can't just add this bot to a server and it gives you access to other people's computers, right? That would seem like a bit easy

So the person has to run the file

?

Okay thx

ayoo

Ask away

Is using keyrings safe to store a master password that is used to access an encrypted database?

As long as the password is encrypted then you should be fine, but I would double check with someone else to make sure that I’m correct.

Hey how can i take a forensic image of a android device, without using ADB or rooting my phone, just need a method name to look into

Can one of you help me out in #help-candy real quick? I'm trying to make a buffer overflow exploit for a cybersecurity class, but I'm running into issues setting it all up. My sys.stdout.write statements are being displayed out of order..

Hi, I would like to make a system that translates messages, and that people themselves can host, but how to make sure that the host (the people who translate) can't read the message, but only the code? Because a message can contain personal information. Or a way to check that he didn't modify the code for read message.

I can't encrypt the message, because it will need the key to decrypt the message for translate

What u mean u can’t ?

well I can but the one who translates the message must have the key, so it is useless

Yes but why useless ? For example if I’m sniffing the network I won’t be available to decrypt because I don’t have the key

yes it is used for this case, but it can simply modify the code that translates to retrieve the messages

The person who translates is not necessarily reliable

so if I encrypt the message, he just has to modify the code that translates to get the decryption key

I need that even the translator can't get the key

only the "code"

or else a way for example by looking at the hash of the code, and therefore can not use that user who has modified the data

I can post the key on the first connection, but it can sniff the traffic to see it, or read the ram, or edit the code for print the key.

I'm not sure if this is the right place to ask, but I'm not sure how I'm going to be dealing with sending and storing of passwords for my App, it's got a Python FastAPI backend.

My idea was to encrypt it front end (and salt and hash) on the App, and then when logging in, compare that email and hashed+salted password against the local API copy, does this sound like a decent idea?

Since the passwords will be encrypted and salted, there should be no point at which passwords are vulnerable right?
I only need one way encryption for this right?

Please ping me if you have any thoughts

you have an app, and you want user accounts to register and save a file locally with their hashed password, and compare their credentials to that on login? is that right

@celest gyro

Sorry, I meant locally on the API server

So you log in, type your password

It gets bcrypt hashed on the app side, sent over to the API, which either puts it in the database (if it's account creation), or compares it against a previously put in hash, to see if they're logging in correctly (compares email and hashed password to verify log in)

sounds like normal practice to me

Is there better ways to do it?

Hello, my gentleman

Can any of you could me informe how much a pentester or ethical hacker earn per years ?

Its is worth all the study and sacrifice ?

Isn't that what he's doing now? Conducting research on how much he should expect in that position?

To see if it's worthwhile?

🤨

Depends where u live what will be a bug bounty or a binary exploitation

Yes company’s hier them to improve there system from black hats

Whats is the difference betweein bug bounty and a binary exploitation ?

Is a kind of thing that grey hats do ?

Bug bounty is web penetration testing (ez to learn)

but binary exploitation is not ez

here u have to change the behavior of the binary

and here u have use ur brain

u have to understand the program how it’s working and how can I break it? Where is the loop hole?

but web penetration is mostly found in market

So, binary exploration, is harder but pays better than bug bounty? Because a less demand at the market

And are rare to finds this kind of professionals,like Cobol senior's

Has less**

@thorn obsidian

! rule5

!rule5

!rule

!rule5

we won't answer this

!rules5

! Rule 5

Do not provide or request help on projects that may break laws, breach terms of services, or are malicious or inappropriate.

Yes, but as I said salary depends

This is a joke

smhhhh

How useful is Python for cyber security ?

It's the most common scripting language for security tools/libraries and the main scripting language of IDA.
For almost any role in computers nowadays, you should have a basic ability to read and write object-oriented Python,
but for security it's usually not necessary to have an advanced knowledge of it (e.g. few security tools use its parallelism features)

Woah

Hello People I'am new

And I'am No american

I'am Turkish

But I know small english Language

Not used translate

Hello!

hi!

your english is good, but "I'am" -> "I'm" and "small english language" -> "not much English"/"a little English" is better

or "I'am" -> "I am"

Hi

se'u'i'ty

can someone help with SSL

Hi, any pentesters here???

dont ask to ask, just ask

dont ask to ask, just ask

dont ask to ask, just ask

who wants to pentest my site I made in python

this is not really what the channel‘s purpose is, it‘s rather for asking questions regarding security aspects of specific parts of your code, or e.g. how to implement cryptographic functionality in python. if you ask in one of the off-topic channels, someone may want to take a look at it though

if you have nothing useful to contribute to the conversation then why contribute in the first place?

absolutely, i buy all of that.

Hello can someone learn me how to recover ur own password?

forget password

I am taking over a project at work that deals with webscraping from a website that requires login credentials. I would like to make sure that in the process I am storing the password safely and inputting in the login portal.
Is pycryptodome a way to solve this issue?
I know that azure key vault is a safe way to do it with cloud but was wondering if there was an alternative for on-prem.

Hi, is there someone who has experience with the MVT tool from amnesty international? (docs.mvt.re) or maybe with adb in python?

Hi,

i wanted to perform an encryption/decryption on a file

client side encryption
server side decryption

[ Jinja2Template/FastAPI ]
How do I get the bearer token in the header from the local storage?

@router.get("/dashboard", status_code = 200)
def dashboard_page(request: Request, token: str = Depends(auth_handler.oauth_scheme)):
    return templates.TemplateResponse("dashboard.html", {
        "request": request
    })

If I want to protect my Python code from being read,
What options should I use of Pyinstaller?

is there any way to make a script which can detect python malwares? if so what approach should I take to make such script

Is tempfile.mktemp really that unsafe? The chance of a collision between two names is 1 in 3.5 trillion

Make it Obfuscated

What does it mean and how can I do that?

Hey guys I have a text file on my server and I just want it to be accessible by a python file on the same server.....people cant view it....as in if some1 types its address its unviewable so should I set the file permission as 700...will that help?

I think I understand what you mean but im not sure... do you have an error message from the terminal when someone uses your command ?

Umm am not using any command am currently using cpanel to manage it

you just need to not host the text file

assuming you want the python program to be able to access it as a file, not as a URL

how do i prevent select statements from being sql injected into?
with insert it goes like this:sql VALUES (%s, %s, %s, %s)", (interaction.guild.id, channel.id, message, round(T.time())))
but with insert would i do the same thing to just go like this?

mycursor.execute("SELECT * FROM `uploads` WHERE serverid = `uploads`(`id1`, `id2`, `id3`) VALUES (%s, %s, %s)", (value1,value2,value3)));```

You have the right idea, but is that a valid select statement?

@orchid oriole

figured it out already

oh nice

having another error now

i thought this was correct

mycursor.execute("SELECT * FROM uploads WHERE short_id = %s", (img_id))```error:```mysql.connector.errors.ProgrammingError: 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%s' at line 1```

how can i decrypt passwords obtained from my computer with sqlite3 using win32cryPT?

what are the chances to repeat a uuid4 sequence

!d uuid.uuid4

def get_auth(env_user_key: str,
             env_pass_key: str) -> tuple:
    """
    :param env_user_key: Access username from .env
    :param env_pass_key: Access password from .env
    :return: Tuple of strings
    """
    return (
        os.getenv(env_user_key),
        os.getenv(env_pass_key)
    )

is this bad?

like, in the way of accessing the environment based on input?

without any extra checks

so that sensetive info doens't get leaked

yes

its quite bad

what are you trying to achieve with this?

Based on https://datatracker.ietf.org/doc/html/rfc4122.html ..
128 bit .
Extremely low if implemented right

Lol it says
This specification defines a Uniform Resource Name namespace for UUIDs (Universally Unique IDentifier), also known as GUIDs (Globally Unique IDentifier). A UUID is 128 bits long, and can guarantee uniqueness across space and time. UUIDs were originally used in the Apollo Network Computing System and later in the Open Software Foundation's (OSF) Distributed Computing Environment (DCE), and then in Microsoft Windows platforms.

wow

time to make it go wrong

thanks

hi

can somebody explain to me

https://news.ing.nl/bess/get?id=12494.-1:jgw8tn5u what does get to in this url

and why is this a real url

just having variable info in the .env for different sites.
After writing it i realized that's kinda bad, so i'll undo that.

This is my first attempt at incorporating proxies and other 'unnecessary' request context specified in the requests. I tried to make it able to handle anything

def get_response(
        test_url: str = "https://ipv4.webshare.io/",
        protocol: Optional[str] = WEBSHARE_IO_PROTOCOL,
        env_auth_prefix: Optional[str] = None,
        additional_headers: Optional[dict] = None,
        cookies: Optional[object] = None
) -> requests.Response:
    """
    Send a web request with auth, headers, and proxies. Take a protocol to add proxies, a dotenv prefix to access
    auth info, and a dict to add additional headers to boilerplate headers
    :param test_url: web address
    :param protocol: 'http' or 'sock5' or None
    :param env_auth_prefix: prefix for accessing username and password for .env file
    :param additional_headers: None or a dict with modifying headers
    :param cookies: optional requests.RequestsCookieJar object
    :return: requests.Response object
    """
    r = requests.get(
        test_url,
        headers=get_headers(
            additional_headers=additional_headers
        ) if additional_headers is not None else get_headers(),
        proxies=None if protocol is None else get_proxies(protocol),
        auth=None if env_auth_prefix is None else get_auth(
            f"{env_auth_prefix}_USERNAME",
            f"{env_auth_prefix}_PASSWORD"
        ),
        cookies=None if cookies is None else cookies
    )
    r.raise_for_status()
    return r

this is where it comes from https://github.com/shaenr/proxy-requests-template

I tried to make a request wrapper to have some built in defaults

def get_proxies(
        proxy_protocol: str = WEBSHARE_IO_PROTOCOL
) -> dict:
    """
    Get context info for proxy requests: uses dotenv for https://proxy.webshare.io/
    :param proxy_protocol: 'http' or 'sock5'
    :return: dict of proxy addresses and credentials
    """
    dotenv.load_dotenv()
    proxy_address = os.getenv('PROXY_ADDRESS')
    proxy_port = os.getenv('PROXY_PORT')
    proxy_username = os.getenv('PROXY_USERNAME')
    proxy_password = os.getenv('PROXY_PASSWORD')
    assert proxy_protocol == "http" or proxy_protocol == "socks5"
    return {
        "http": f"{proxy_protocol}://{proxy_username}:{proxy_password}@{proxy_address}:{proxy_port}/",
        "https": f"{proxy_protocol}://{proxy_username}:{proxy_password}@{proxy_address}:{proxy_port}/"
    }


def get_headers(
        ua: str = UserAgent().chrome,
        additional_headers: Optional[dict] = None
) -> dict:
    """
    Boilerplate headers context.
    :param ua: a user-agent string
    :param additional_headers: optional dict to update the boilerplate headers with
    :return: a headers dict
    """
    headers = {
        "User-Agent": ua,
        "Accept-Language": "en-gb",
        "Accept-Encoding": "br,gzip,deflate",
        "Accept": "test/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Referer": "http://www.google.com"
    }
    if additional_headers is not None:
        headers.update(additional_headers)
    return headers

(This one turned out better, less over engineering for no reason https://github.com/shaenr/cli-tool-template)

what does color of hat mean?

how to encrypt data in python

whats the encoding for this? "\xb1v\xa5P\xb8\x8cD\xc8\xae~\x8c\xd5=\x05\xfe\xab\xa0\xcf\xa7\x89\xf2\xb8b\xc0\x0eCW#x\xe2\xd8E"

can someone exopain encrypt date

anybody can recommend where to start learning cyber security? hackthebox and tryhackme are pretty restrictive for non premium accounts

@raw mango I would highly recommend getting a subscription to either of the services

They are phenomenal

I can’t really recommend other ways, I’m sure there is a plethora of ways to learn but in my opinion, hands on is the best way to learn for this type of field

i mean, there got to be another (also free) way, how did the ones before learn?

I recommend the IBM cybersec course available at coursera.org

You can watch all the courses for free, or pay for the course and get a certificate

udemy usually has sales and offers. there are a few CompTIA courses to prepare you for cybersec

Just looked into that and it looks great

it is for entry level, but has a good content to get started and familiarized with concepts and terms

And it’s rated for 4 hours a week @ 8 months so it can obviously be finished quicker

Yes, I did it in two months

It really is up to your pace. You can pay for a month and complete like half of the course

Only thing bad about udemy is the plague of emails I receive from them 😂

@raw mango check https://www.youtube.com/watch?v=a83ASGn_V_s. basically: get certified

I opted-out of all emails as soon as I made my account hehe

have you tried typing "what skills are required to work in IT security" or smth like that in your browser?

literally my HEAD~3 msg

what do

print(colored(...))

Hello uhh how would I go about speeding up my hash brute forcer?

https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

Ok great another question io or cpi bound

Cpu*

just sharing a very interesting talk about the security of smart cards:
https://www.youtube.com/watch?v=ET0MFkRorbo

hey guys anyone has any idea how do i access all utf-8 encoding characters?

can u give me a link to that pls there is a lot of similar ones

I dmed you

Which ones are you having trouble accessing?

Would encryption of a folder be a good way to store personal data?