#cybersecurity

I will use SHA256 so 64 characters. I'm not terribly concerned about collisions because the hash is only used to obfuscate/authenticate a relatively small amount data.

BTW I watched a short HAMC explainer on youtube and yes this is pretty much what I was thinking.

64 characters for 256 bit, i guess you are going with hex encoding then

just generate a 256 bit key of sufficiently good [pseudo] randomness quality for each user then

you could store the key directly as 32 bytes if the storage can store 8 bit data per byte without doing anything fancy with it or you could hex encode it and store it as a 64 character string

does anyone know if there is a bypass for this regex : /["'&<>]/ to filter the xss?

to little context, and it depends on what how the data will be used by the application
it's generally more dangerous to try to filter out bad things than just filter specifying what you allow

uhuh, but my question in general was is there a way to generate the strings that doesnt match this regex but includes the character <>" '?

ig not?

your regex will match any of those characters once, and that's it, you don't give any example of how you are using the regex or how the data is used after that
what if you after filtering try to decode strings in one way of the other, or you send those strings to the client which might do url decoding of the string #26 which is a &

im using it something like this:

const matchHtmlRegExp = /["'&<>]/;

function escape(string) {
  const str = '' + string;
  const match = matchHtmlRegExp.exec(str);

  if (!match) {
    return str;
  }
.... do other filterings

and its like taking input from the client and directly showing it on the website

that looks like javascript, i'm not that good with javascript but i think i understand what your trying to do there
even if you filter client side you should be filtering server side as well

ah yes good point

client side filtering is just a way to give quick feedback to the user, but they can always circumvent that and send what ever they want to the server, hence the filtering on the server side is what really matters

Never trust the client, always validate server sid

You don't control the client after it's distributed

"Never trust user input"

Golden rule

yeah, or even, never trust users 😉

They're a tricky bunch

Complain to much in my experience!

code

Hey @gray narwhal!

https://paste.pythondiscord.com/sobotudosu

That’s tab error

how to fix it?

sorry i don't understand python

https://stackoverflow.com/questions/1024435/how-to-fix-python-indentation

U should use a editor that converts tabs to spaces

Might be a better topic for another channel

As I look for an appropriate channel though I don't really see one like "learn python"

Probably #python-discussion tho

Yes but as u see he’s new so that’s ok

Yeah it's okay he just may get more help somewhere else

And it wasn’t a big topic

@gray narwhal probably first thing to do is turn on whitespace rend[er]ing in whatever editor you have too. Will help you spot this, but converting tabs to spaces is probably the best advice

well now i try to fix code and get this error

Hey @gray narwhal!

https://paste.pythondiscord.com/ikaxilevuy

Alright, well a big part of learning to write code, (and I'm kind of assuming this is your first language) is reading the errors from compilers and interrupters and fixing things. This is telling you there's an issue on line 31, you think config is a dictionary, but its null / none

So you need to trace the how your code executes and find out why that is

it's not my code , it's from github

Same difference

somehow code is 8 year old and it's broken

and when i fix one error i get another

Given it's quality that's not surprising

well i try to convert a51tables with kraken

https://github.com/joswr1ght/kraken/blob/master/indexes/Behemoth.py

Oh that's why you're in security

yes

Yeah, so if this code ever worked it seems like it might be an issue with how you invoked it.

potentially

well i download kraken and i try to run ./Behemoth.py /root/a51tables and get error

Alright, well I'm not going to go through and review some rando's fork of a package I've never heard of. Ill say this looks like someone playing around on an afternoon and you might want to look for something else to use

well there is second option with phone connected to rpi but if i connect phone minicom somehow won't connect phone with minicom interface

Hmm I get the sense you're doing something I may not want to help with

Don't crack your GF's phone, they always find out ;)

(wild speculation based on personal experience, don't take it as an accusation)

Oh, I see its WPA GSM cracking

WPA not WPA

GSM

only for personal use

i have 40 = 1.6TB rainbow tables

i follow crazy danish hacker tutorial

I think this might be a place for talking about how to secure code, vs cracking/hacking.

Or, Ill say even if it isn't I don't know you and won't give you help with the latter

😦

I work for a sec company I need to keep my nose clean

oh ok

do they teach the Linux command line in Cybersecurity classes?

some do

not a whole lot

so do I have to learn it before I enter CyberSec

depends on course, but they'll likely cover it a bit. like how to use: man, cd, maybe setuid and chown, etc. nothing in depth, though, like bash scripting

if there's no linux-y course listed as a prereq, than linux-y stuff required in the course will likely be taught as well. can always ask instructor for details of expected knowledge

Alright thanks man

I have the opinion learning linux is extremely extremely important for cybersecurity. Your question would be like asking is physical fitness a pre requisite for playing sports at the high level. Good news is that using a gnu/linux operating system isnt hard at all.

Eh it can be hard, it’s just not always hard 🙂

Also some things you should just learn on your own. I mean I don’t know about you but I was interested in computing because I was interested in computing, not because it was on some syllabus. Eventually in your career you will need to do something that you were never formally taught, so knowing how to learn independently is important.

Some of the best engineers I’ve known just tinker a lot. They don’t just wait around for some course.

Whats the prerequisites for cyber security and how do I get started with it?

The link I usually give to start is https://github.com/DFIRmadness/5pillars/blob/master/5-Pillars.md

What does general computing mean?

If you take the time to read the file, you can see it's listed below.

that depends i think

cybersecurity is really a broad term for a range of jobs

like are you trying to be a cybersecurity analyst? ethical hacker? pentester? cybersecurity engineer?

You need to learn a lot about computing in general, but especially networking IMO and these days ... cloud infrastructure (AWS / Azure / Google Cloud)

I would say people with strong networking backgrounds have a leg up, but specifically application testing doesn't require it as much. Ill say the last line of defense for most compromised entities are well segmented networks

a little bit of programming

Yeah

Especially for specific app testing, instead of like ... 'holistic" security

But you don't have to be a Staff Engineer or anything :D

Also I gave you info for the jobs that pay a lot $$$, so its geared towards corporate america. Consumer grade still is kind of a different beast

IE phones, consumer grade net gear, etc. I have a few freinds that go nutz and segment their networks at home, don't use wifi, have wire racks and shielded CAT in their house, but I have ... strange friends.

my friend be like that

So it depends on which area you're interested in and want to specialize in.

Well we are in a sec channel, haha I hope it would occur with higher incidence here

yeeeh my friend is in college for sec i think??

he already has a good starting point though

he's certified in python, C++, and java

not certified in ethical hacking but im 99% sure when he gets certified he will be able to get that certificate

but he wants to get his degree first

I went into software eng and then just happened to know a guy who ended up working for one of the big 3 "vulnerability management" software providers

I'm not much of like hacker/cracker guy, I can fsk about but he's the real deal

His first job he asked an ecom store if he could pen test their site for free then emailed them a list of all their customers CCs

lolol

holy

that's badass lmao

Yeah I worked for them too for a bit after school, it wasn't like amazon, this was a "mom and pop" store, though it was doing mulitimillion $$ business online

Their code was a shit show

i feel a lot of smaller companies either don't want to pay the money for cybersecurity or they think they have good enough code to protect themselves because nothing bad has happened to them yet... until something happens

in the upcoming years more and more companies will want more protective measures

as technology advances and hackers get smarter

I mean log4shell was pretty bad

only thing worse was maybe heartbleed, shellshock really sucked

I was at this sec company for all of those

and back then I was one of the guys who wrote checks for this stuff

Got assigned to do shellshock for smtp servers, and I'd only been on the job for like 6 mo at that point

You probably need to define "worse".

Eternal Blue was way worse in some terms/points compared to the ones you've listed, as of today's data.

Same for Kaminsky

Those are weapons grade things, yeah its not good but these [the three I listed] were just, dumb as shit, easy to exploit and ubiquitous

That's what I mean

And the things you mentioned use like a constellation of exploits IIRC , yeah the NSA made them push button, but they're not the same, where as a script kiddie could go fuz 1000s of IPs for log4shell

Oh sorry you mentioned Kaminsky, yeah that sucks but that was before my time in the industry

shit was heaven for script kiddies

I mean the GD thing turned up on fucking MC servers first

well first rep'd

I lawld

"hacking java for budder and ice in MC"

ngl my friend told me the best way to get into ethical hacking/pentesting is to start off as a script kiddie but analyze how scripts are made until you learn how to make your own scripts

that's what he did apparently

It's not a bad thing, just like for coding, you just need to at least have some fundamentals.

and don't take other mfs scripts and call yourself a master hacker

bc you know how to launch the scripts and use them

And even as a professional pentester you use pre-made scripts and tools. So it's not a drama to use them.

yeah

you just get honored more i guess if you make your own scripts and use those

Not really no

oh idk

im relatively new to cybersecurity

You won't remake Burpsuite just because you don't want to be a script kiddie.

true

How you conduct your tests is irrelevant for the companies. As long as you have a professional and full result they're fine with it.

i see

because the company just wants the job done

In your results however, you will have to explain steps to how you got to that result. Which will then give a score of how dangerous the vulnerability is.

If you ran a simple command like anyone could do in 2 seconds, it will be easy for anyone to remake, hence it will be marked as very important.

Sometimes it's not even that bad to run basic tools everyone knows on the targets you're given.

and the harder it was for you to exploit the vulnerability the less dangerous it is

?

Not really

How easily doable it is, is one factor

There are other factors to take in consideration

A pentesting report is really long and detailed

Yeah if you need a bank of super computers to crack weak encryption that is not the same as an RCE on a network service

But nationstates are all out there being shitters, and can throw some serious hardware and brain power at stuff now, so "dangerous" might be relative to the client and their likely exposure to that kind of attack

wait i thought pentesters didn't have to write as long reports as ethical hackers?

What is the difference for you.

what ive learned is pentesters usually are exploiting a specific thing the company is asking for while ethical hackers have access to everything

Not really no

Pentesters are nothing but a subset of all ethical hacking techniques

Mainly focused on system weaknesses

oh i see

Pentesters still have to write reports

so ethical hackers do other things such as trying to socially engineer employees to give critical data?

that's just what i've read online

any attack vector
I don't really like this

When you're given a pentest you have a meeting with people in the company which then also defines your scope and/or targets.

Social engineering is typically directly removed from the techniques allowed to be used in a pentest

oh i see

some websites say sometimes ethical hackers are sometimes required to socially engineer employees

this is also another thing i found

and thanks for having patience with me because im inexperienced with this

Yeah well, you can't really specifically say which technique is (not) allowed to be used.

Everything is clarified during the meeting, along with the authorized targets.

Yeah no worries, everyone needs to start somewhere :)

Based on that definition a pentester and ethical hacker are the same ubtil the first meeting

You might be allowed to conduct tests on everything you want using anything you want, or not

Who here is into pentesting?

Yo guys

What tool should i learn after nmap ?

@thorn obsidian

@pale briar

@wise pecan

i am very confused right now

some people tells to learn metasploit, others aircrack-ng, and others tells me to learn a programmming language such py or c

I'd vote Metasploit but you should learn to program

You don't really need to learn any tool specifically. Knowing how to interact with it is sufficient.

And if you learn to program but only as a skill vehicle for sec, scripting is best, and say python to boot

I would definitely learn programming first, lots of people use C or Python yet it's a personal choice at the end.

Yeah i already know python

basics

And of course learn the fundamentals first, this will be 90% theory. But it is needed theory to know.

Fundamentals like what ?

https://github.com/DFIRmadness/5pillars/blob/master/5-Pillars.md

Like these 5 pillars

You mostly will see what you should start to learn and focus on, before "learning" a tool.

Just knowing how to use tools basically makes you a script kiddie. Same if you only know the theory but can't understand it correctly and still learn the tools one by one, try to learn the theory and make, for example, nmap by yourself to see how you would do it.

You mean i write tools with my own programming skills

@thorn obsidian

Kind of, yeah

Having these 5 pillars of knowledge will help you increase your knowledge and get yourself more involved

Are you an expert in hacking ?

@thorn obsidian

Anyways would you tell the sources to learn the fundementals

Lots of them are listed here https://github.com/DFIRmadness/5pillars/blob/master/5-Pillars.md

Remember that cyber security is not running around tools or scripts only. There is a lot of theory you need to know.

Thanks a lot @thorn obsidian

No problem

I will message you when i need

Sure thing

Forgot to reply to that.
I personally don't consider myself an expert in case you're still wondering

I tooked a look about the 5 pillars and i found what i was searching about

@thorn obsidian

Nice nice

now i'm wondering if i should learn them in oprder or what

I'd personally follow them

in order ?

Yeah

How long you've been in this field

Quite some time 😅

xD

I'd guess around 5-6 years?

At the beginning of course not that much active as nowadays

How old are you then ?

19

Started early, same for coding (11 years old)

And if i may ask where are you from ?

Switzerland

Ohh, beautiful country you have there

Yup, and you?

Im russian

and i m 15 years old

Nice nice, also starting early :D

i just started my career

i think its the time

Yep

It seemes that learning gonna take a while

It does, it's a long time

I'm ready for the journey

Then that's good, motivation is the key

no doubt

I will start from tommorw

Wdym certified? Are there industry standards for programming?

Nice I’m in my 30s and I also started at that age. I didn’t do it the entire time but it does come back to you when you start that early pretty much forever

Yep, it's also basically one of my only way to spend my time on things - along with cyber security

How would you go about using Python for ethical hacking? Are there certain useful modules or how does one use it

Yes there are, depending on what you need Python can help you automate some small things and exploits

Such as?

That would go against the channel topic.

Wdym

Is it not related?

Securing code against hacking through techniques such as data sanitization and encryption, and protecting yourself and your devices.

It's about securing, not really about a tutorial on how to exploit or use a library to do so

I'm sure you can find enough resources on the Internet about the libraries often used

Does one not need to learn the exploits to be able to defend against them?

That is your job to do

Yeah Im not going to get into it for the same reason I didn't help that person looking at GSM hacking yesterday

I dunno you and this aint the channel for it

We won't teach you how to exploit something

Ah I see, ty anyways :)

@dire osprey go get books like black hat Python and gray hat Python but otherwise that’s off topic here

Man I think I see more people asking about how to hack in here than how to secure. That right there shows you the world is doomed lmao 🤣

The thing is that this channel is technically not even about general security knowledge, which is sad, it's just oriented to securing your Python code.

nawh TV just made it seem mysterious and dangerous like being a gangster but as with most things like that the truth is a lot more mundane and weeds people out

TPH has a 'kind of' a better channel for that

On a more serious note though, people come into this thinking hacking is this flashy sexy thing and in reality it’s not - it’s extremely difficult and requires tens, hundreds, or thousands of hours of failing over and over and trying to find weaknesses.

Just throw them some assembly

lololol

I remember one time I was working trying to reproduce an exploit. Across the street were some roofers. They finished the entire roof before I got it working. That’s hacking

"you must know ASM or GTFO, what do you mean you dont have a copy of IDA!?!?"

Wdym secure python code? I thought python made sure you cant overflow memory and cause undefined behavior?

That’s just barely scratching the surface man

That’s only one type of vuln - memory vulns

There are many others. Logic bugs, input sanitization, path traversal

Might want to take a look at web vulnerabilities - for example in Flask code

Even still, Cpython is implemented in C which IS subject to memory vulns, so it’s possible to write a script which exploits a memory vuln in the Python interpreter anyway

I’ve had to analyze those type of vulns before at work

Yeah there alot I wanna do. I'm trying to learn as much as possible to be able to test into a cybersoldier course

GTFO is a game right?

That's nice

Yeah atleast I'm hoping to get in

Best of luck

Ty

of hours of failing over and over
General tip for your younger channel members, this is also life, it's learned fault tolerance, you're going to fail a lot at a lot of things

Learning from failing

I can relate that

When I started to solve CTF challenges at first it’s was hard but I learned new stuffs there and I move on

And I have to say still tonnes of things to learn

Yeah, CTFs you just got to play more and more

Yeah it’s annoying that a lot of those type of competitions get this stigma that they are measurement of pure intelligence and those who are good are just “smarter” and while intelligence helps a ton of it is just domain specific knowledge, experience and practice just like anything else. It’s like who do you think will ace the binary search tree interview? Someone who writes them every day for fun who has a normal programmers IQ or someone who has one of the highest IQs but has never written anything like that? I bet on the former.

Hello

I need help with a script

For us to help you we need the script and the issue you're facing. Otherwise nobody will be able to help you.

Okay, so what do you think about the advice about "setting up a lab" I just gave that to someone. Basically you've got your main PC you can do research, and if you can swing it setup a second one to run VMs / software on to tinker and toy with. Screw up the lab? no problem just jump on your main and research how to fix this

But this how I learned Linux OSes, networking and info sec in general like 15 years ago now

(I also STILL do this but work is pretty satisfying for this now)

I dunno if someone would give different advice now

Actually the whole set it up -> break it on accident -> research the fix, rinse repeat was basically how I learned everything, and also similar to how I write software (write -> test -> tweak -> repeat)

I think that’s an effective way to learn. If I break a VM and I don’t have time to try to fix it I just restore a snapshot though 😆 but yeah if I were new it would be more valuable to try and fix it

yeah

there's industry standards for everything in computers

certifications matter more than college degrees

That’s definitely not a hard rule by any means and it varies vastly

Ha I wish. There’s a lot of stuff in security space where there aren’t really any industry standards but it’s been getting better, especially since Biden’s executive order.

Anyone hearing chatter about DDOS going on right now

Eh nothing probably my provider, just some goofy shit going on with my cnx over here

and a few other people in my area

oh i didn't know that's just what ive been told

Heh 15 years ago it was a bit harder to get VM software for free

I bet it wasn’t as nice of software either. I vaguely remember getting more VM crashes (due to the VM itself) years ago

Yup

I ran everything right on the metal when I started out, madness!

hi

i hope everyone okay

i have been Learning OSINT for the past 2 years

been applying for some remote jobs and they mentioend about programming skills to automate tasks

im new to programming too

didnt know how to get started to automate OSINT with python

any suggestion related to this will help alot

Figure out some tasks you need to do in OSINT that are boring or repetitive or don’t scale well, then write a script to do it.

There isn’t like a OSINT.do() method, it’s a bunch of different things that can be automated to various degrees probably using beautiful soup, and various web APIs

lmao

Is A+ course enough to teach me general comouting which is the first pillar ?

@thorn obsidian

Good question, what exactly do you mean with "A+"?

In order to start in security area, do you guys have any advice or docs for me?

I mean, to get started

Yep, that's a link I give to everyone new https://github.com/DFIRmadness/5pillars/blob/master/5-Pillars.md

Thank you. I aprecciate that

The first pillar " General Computing " is related with the A+ course

I mean is A+ enough for "**General Computing **"

I have auth that begins with "Basic".
I was able to decode it using base64 decoder to see what the username and password is.

I have another auth which begins with "Espresso".
Wondering what decoder I can use to decode this "Espresso" auth?

can someone help me

never heard of it and i don't think it's something that the general web browser will know about it either:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml

not unless you ask your question as well as you can

So is basic/base64 the only type of authentication then?

Yeah, I didnt find anything on Espresso either when I searched for it online.

if you read the links you'll see there are more then just basic, but never seen one named espresso

Oh that was my bad, when I saw Bearer and Digest earlier I thought it was steps for authentication/hashing.
But all those are different authentication methods

correct

I'd personally not put a limit to how much you want to learn. Stopping at, for example, A+ because you think it's enough is not a good idea and not a way to learn I personally like. It's never enough when it comes to learning, you will never know too much or everything. And you shouldn't try to learn the least possible by thinking something like "Yeah A+ is enough for that".

interesting, is this 5 pillars thing common?

Pretty much, yeah

Certifications are a necessity in this industry. They are far more valuable than a college degree.
ehhhhh

I make employers pay for them if they want them

(None of mine have lol)

hello, do u know file label

for exp : very secret , secret vs.

What exactly do you mean?

Does anyone know how I can protect my website and secure it like a cybersecurity tutorial?

never trust input from the user

does anyone know good reference material for the cissp certification?

How do I start learning how to bypass firewalls for example?

!rule 5 we don't discuss such things here

my bad

But isn’t that a part of security

U should start learning the basics and understand the theory after having knowledge u will understand how u can bypass a firewall

Like networking, headers, etc

I used firewall as an example so u guys can understand

But is there a way to just learn how to bypass almost anything

that question is just to big to answer.

there isn’t one way to learn and do it

Alright

Thanks

Do u have any websites that I can learn

learning firewall bypass,

yeah

I don’t know any website related to this topic

it's not like in the movies, you can't just hack your way through a firewall which has a very strict firewall policy and correctly configured

The way you asked the question does not really show it's for a good cause. Therefore we don't provide help for that as per rule 5.

You don't learn how to bypass anything. You learn multiple parts and put them together.

As said above, don't expect it to be like in movies where they bypass something within a few seconds. That is just totally unrealistic, or the firewall is completely wrongfully set-up.

I'm working on a web app using flask. I was wondering if this login system is considered secure, or shall I employ another strategy?

@app.route("/login", methods=["POST"])
def login():
    # already logged in
    if "key" in session and session["key"] in app.sessions:
        return redirect(url_for("index"))
    else:
        user = get_user_info(request.form["username"])
        if user is None:
            return render_template("login.html", failed=True)
        else:
            if user["password"] == hasher(request.form["password"], user["username"]):
                session["key"] = secrets.token_hex()
                app.sessions[session["key"]] = datetime.utcnow()
                return redirect(url_for("index"))
            else:
                return render_template("login.html", failed=True)

get_user_info will fetch the user profile from the database, this is username, email and salted + hashed password (plus a few unrelated bits and pieces)
hasher is this simple helper function:

def hasher(pw: str, salt: str) -> str:
    return hashlib.sha512((pw + salt).encode("utf-8")).hexdigest()

feel free to @ me if you reply

Not related to your question but usually you go for stateless nowadays

I would say that depends om the systems security requirements and how important it is that a user is immediately fully logged out when they request a logout

but generally it's more and more stateless like jwt:s and the like, might even be short lived that are renewed ever so often during the lifetime of the session

def login():
    username = input('Enter username: \n')
    cur.execute(f"SELECT * FROM users WHERE username = '{username}'")
    
    if not cur.fetchone():
        print('Username does not exists')
        login()
        
    user = cur.execute(f"SELECT * FROM users WHERE username = '{username}'").fetchall()
    
    entered_password = input('Enter password: \n')
    
    d = check_password_hash(entered_password, user[0][2])

why this always return false even if the passwords are the same?

don't do it like that, you will eventually get"hacked" if you do it like you showed in your code, use sql placeholders/bind variables instead, never ever use user input in that way in your sql statements

i also often advise against using select *, it's better to specify the columns that you want and in which order, which is even more important when you access the columns by array index instead of column names (dict or attributes)

can you explain?

if you include strings that a user can control directly into the query in one way or another (with interpolation like you are, or with any of the format methods), the user can launch what is called a sql injection attack
i will not go in to how one does that, but that is very easy to find online, just know that you will be vulnerable if any of your sql statements look even remotely like what you showed from your code

so what would you suggest I should do?

to avoid sql injection vulnerabilities you should always use sql placeholders, for most database connectors/drivers you do it like this:

def login():
    username = input('Enter username: \n')
    user = cur.execute('SELECT password FROM users WHERE username = ?', (username, )).fetchone()
    
    if not user:
        print('Username does not exists')
        login()
    
    entered_password = input('Enter password: \n')
    
    d = check_password_hash(entered_password, user[0])

now, i have quite a few issues with the code beside that, but i only went in and fixed the database related stuff
for example, i wouldn't tell the user that the username does not exist, i would let them enter both username and password, then check them both (even if i don't have a password to match against i would hash the input password to avoid side-channel timing attacks), and if anything went wrong i would just report back to the user that the login failed without revealing anything more than that

the side-channel timing attack is a more advanced topic and might be overkill for your purposes
for me it's more a force of habit to try to include protections to whatever i can

Sanitize the input 😄

To prevent them escaping the statement to the file's code or executing something in the database if you give the raw input to the db

Yeah that's actually 1 to 1 exactly what they explained above just paraphrased..

lol

something could slip trough if you just rely on sanitizing of input when there are better techniques available such as sql placeholders in this case
but yes, one should never ever trust user input/data and always sanitize it as thoroughly as one can

well thank you so match, btw what are the other problems?

i would also prefer to close the cursor, but i don't know how the rest of your code looks like and i would use something strong like argon2id probably through passlib or similar for the password "hashing" instead of a simple hash (but now i'm just assuming that is a simple hash because of the function name) and would use a salt for the password as well

Well, I don't know where you plan to use this but input() seems like a locally executed script.

Which then contains the database credentials, just don't distribute the files randomly

yeah, why try to crack the user password when you can just read the whole database locally 😉
have not seen the connection string so don't know if it is a local database, i was just assuming it was, like sqlite3 or something
probably just a toy project to start to learn python and databases i'm guessing

Most likely, hence my warning to not distribute files

it is sqlite3

I'm just doing a password manager, nothing crazy
its not the most secure app ever created but I'm trying to make it somewhat secure

if it's a password manager that you are actually going to use you really should consider one that has been built with security in mind from the start by experts, as your passwords are important and should be kept secure
but if it's just a toy project to learn thing, go right ahead, but i wouldn't trust it with anything important when it comes to security

should be toy project for no
I would make it secure later

is this the last one?

!rule 8

For anybody seriously vested in security, has learning and becoming proficient in python been an irrevocable benefit?

My exams are in person this is actually practice problems

it depends on what you are going to do within security
for technical positions it really helps knowing one or even a few programming languages
just like having a deep understanding of how computers actually work and the same goes for network protocols

Cyber Security is one of those fields where the more you know the better you're prepared for a given challenge. Programming and Python in particular are not requirements for the vast majority of the jobs in InfoSec, however it may benefit you anywhere from a small amount to being the difference between being successful in an engagement or not.

That said, knowing how programs work because you know how they might be programming is a tremendous help when trying to evaluate the security (or lack thereof) in a program or system of programs.

For most position I would say that knowing programming well is a nice bonus, but not what separates a good <title here> from a mediocre one.

(Source: I've worked as a security consultant and am a certified penetration tester, but also biased towards my own personal experience from work, training and my own conversations with my peers and friends.)

Can someone tell me what modifications look suspicious using RPM how do I know whats good or bad what am I looking for???

It shows several changes made but I dont know what is okay and what is not

Thanks for the well constructed reply. Really tied it all together phenomenally

From my experience I wouldn't say it was an irrevocable benefit.

we all make mistakes

?

My point was that learning Python was a benefit but not a super duper mega benefit.

ahh, thought you were taking aim as to it not being the proper word to use in the context lol. Sorry I tend to over analyze.

Ah no not at all

over analyze == be dumb

lol

Put in italic to show that it wasn't that much of a benefit but still somewhat useful

Yeah, slight misunderstanding. I have to work on putting things in the best light possible first before jumping the gun. I'm a good portion into a course a this point. Seems easy enough. Readability wise.

All good

Honestly learning how to program is the difference between the best cyber guys and the basic dudes in a way like you can be good without knowing programming but its easier to be pretty good with it

What is for you a "best cyber guy"

the ability to modify and create your own material for security without using someone elses stuff

Interesting definition

Some sets of people would then be excluded, such as myself, from your definition. I don't consider myself a "best cyber guy" but you get my point

And do note that the original question was about Python, not programming overall

Can penetration tests be efficiently conducted with an automated program? I believe PTaaS companies promote this but it's kind of hard to believe unless they use it as a baseline of assessment

Anytime 🙂

@thorn obsidian you doing the cyber apocalypse ctf? 👀

Nope, focusing on other stuff right now

Might do some more in the future

same lol

Yes you can automate just about all processes if you know what your looking for and you can even create your own programs to run all your needs effectively that’s the benefit it gives you but it is also hard to get to that point another benefit is the ability to change and modify already existing programs that already do that and you can change it to work more for you then everyone if that makes sense

Yeah, perfectly. I find all of this so d@mn interesting. Hopefully in time I'll gain the knowledge to give back to this server what you helpful people have given me :)

CC @cerulean sphinx

You can automate only to the point that you're working with something standardised

You can automate testing for SQL Injections for example, but you can't (easily) automate performing a pentest on, say, Microsoft Word or Our New Game Client.exe

I see you're already on Try Hack Me - it's a nice platform for complete beginners (it's helpful and provides a fair bit of tips, nudges and even help sometimes). Not a bad pick for starting out

Yes I understood the question as it would be on a company network you are working for you

A Nesus report is not a pentest

Mk I would also like to point out programming your own pen testing software is op

I wanna a virus file... so send me it asap

Hey anyone alive?

I want to test it on my VM

We will not send viruses to other people as it breaches the Terms of Service of Discord and can get our account terminated.

If you need virus samples you can find a ton on the Internet by searching, but we will not give you any.

!rules

In your opinion do you think finding viruses easy online just curious?

Yes.

What are some good material for studying the cissp certification?

sa

Those are good books to start

• https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119786231
• https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119787637
• https://www.amazon.com/CISSP-All-One-Guide-Ninth/dp/1260467376

Thank you!

Can anyone explaines to me the " sudo " command?

it gives a user with sudo rights possibly restricted temporary root privileges

All the root privileges ?

@sinful cliff

that depends on how you configure sudo, but many distributions default sudo configurations allow full root privileges to any user that is a member of the wheel user group, but this can be changed and be much more restricted with reconfiguration of sudo

Can someone explain me how can I wrie AES 128 from scratch in python, I watched some videos and some documents from our good old fellow, google, but I couldn't find anything useful...
Note: I'm a begginer in python

You definitely don't want to make your own implementation of AES 128 as a Python beginner.

other then for learning about cryptography, but don't use it for anything else than that, it will be inherently insecure and with very bad performance as it will not utilize hardware offloading available in the cpu

Well I have to. My teacher assigned me this project and if I don't get it done, he'll failed me.

What should i do 😑?

Tell him it's not normal to have to make an AES implementation in a language you are a beginner in

exactly what was the wording of the assignment?
wondering if it's to actually implement the algorithm from scratch or if it is to implement something that uses the algorithm

if it in fact is to implement the algorithm from scratch; sure, do the assignment, but at the same time it's not an implementation that should be used for anything else then just completing the assignment, never ever use it in the real world

I wouldn't even understand why a teacher asks someone who is a beginner in a language to make their implementation of AES 128

That doesn't help you learn the language or anything, it will just make you confused and demotivated

maybe the class is more about cryptography then programming and python is just chosen because it's one of the easier programming languages to learn 🤷

nah, it's not about cryptography or anything like that. my teacher just told us to make an implementation of aes and that's it. https://www.youtube.com/watch?v=NHuibtoL_qk i watched this and kinda understood how the thing works on paper, but i have no idea how to write the thing, I also checked this https://github.com/Joshua-Riek/AES-128bit and i just cant understand it. :|

also, he told us about toy cipher or smth like that, which we can make instead of AES. what's that then, I thought they were the same thing @sinful cliff

Toy ciphers are "much" easier to make compared to AES, same for the CTC cipher

But what kind of teacher asks you to do that if it's not a cryptography class and you have a beginner level of Python

Makes no sense at all

I have bad teachers but never someone like that

He's crazy man

encryption and decryption with a toy substitution ciphers like rot13 https://en.wikipedia.org/wiki/ROT13 will be much much simpler to implement than AES

there is even something easier that that which just happens to be the most secure cipher in the world
the one-time pad which is basically just a bitwise xor operation, but it's only secure if it's handled correctly and it's unfeasible to use most of the time https://en.wikipedia.org/wiki/One-time_pad

The teacher eventually meant the CTC cipher, not a toy cipher.
For the one-time pad, just make sure you use it correctly to not make it vulnerable to very basic attacks. I wouldn't call them "the most secure cipher in the world" because of multiple attacks that can be done if used incorrectly, which must be taken in consideration.

oh, CTC is certainly more specific and more involved then just any toy cipher such as rot13

i didn't have time to go into length about using true random as the key and never ever reuse the key stream as well as the problem with secure key distribution and exchange with such keys
but given that you can handlel those challenges it is the only cipher known to be totally unbreakable (mathematically proven) given even huge amounts of only cipher text and endless computational power and time and even future developments in cipher analysis or new technologies such as quantum computers
that's why I stand by the statement that it is the most secure cipher in the world, but I agree that it isn't without its challenges

it should probably be added that by it self it only provides confidentiality, nothing more, which of course can be seen as a drawback and something other algorithms addresses

Guys i need an explainig of the application layer in OSI model ?

I'm facing some problems to understand the term end-user

It’s just the application ur using like http,ftp,ssh anything interaction

Hey @thorn obsidian!

Hey random question what would be the benefit to double encrypting something like you write code to encrypt then just do the same thing again or even put it on a while loop?

Do ethical hacker use python?

Depends

Depends

If you take the same algorithm and the same key it won't change a lot, it will in fact just make it slower during bruteforce.

Encrypting multiple times is also pretty much useless, if you have heard of Kerckhoff.

The security of a message does not rely on how strong the algorithm is, but the key.

A very basic example would be a Caesar cipher, you can encrypt the message as many times as you want, in the end 1 out of 25 keys will be valid.

In some algorithms, such as Caesar or RSA, if you encrypt with key A and then with key B, the result will be just like encrypting with key C.

If you plan to do that for passwords or similar think about the following:
Encrypting a second time makes the password two times harder to bruteforce it.
Adding one character to the password makes it around 50-60 times harder to bruteforce it.

thank you that was a pretty good explanation

are there any good obsfucators

Yes, if you use the correct settings

Just Python is not really made to be obfuscated

It's just like JavaScript

Can be reverted to semi readable code easily

@thorn obsidian if you still need a hand, https://www.youtube.com/playlist?list=PLKK11LigqitiRH57AbtyJyzsfbNfA8nb-

he goes over implementation too. It is in C++ but it'll be easy to port that to Python.

what was said about the time for a brute-force attack was very simplified but true under the assumption that the same key is used for the iterations
using the same algorithm a number of times will only make the brute-force attack take that many times longer, just like the encryption and decryption will also that an equal amount of times longer

regarding kerckhoff, that is not at all what it's about
what kerckhoff said is that one should never rely on the secrecy of the algorithm to keep a crypto system secure
one should assume that an adversary will learn about the algorithms and the methods used
the only part of the crypto system that should be required to be kept secret is the key

different algorithms are of different strengths
using more than one algorithms for different passes will add protection if someone found a flaw or shortcut in one of the algorithms as they would need to find similar flaws in the other(s) as well, but only if used with separate keys

@thorn obsidian Christof Paar is great but as you stated it's mostly the "on paper"/academic/design stuff

the videos are also indexed now, so you can easily skip around

And that's exactly the point of kerckhoff, if the algorithm gets public it shouldn't be that much of a big deal as it's not what makes the algorithm secure, but the key itself. It doesn't matter how strong the algorithm is, what matters is the key - so the secrecy of the algorithm must not be an issue if once made public.

If you didn't managed to understand that, in that case copy pasting what he said won't change anything

What he said is exactly

The security of a message does not rely on how strong the algorithm is, but the key.
formulated with the secrecy, hence the strength and security of the algorithm
So yes, if you blindly read and learn, or search, words by words what he said you won't come to that. That goes into the blindly learning by heart category.

i'm a 100% with you on:

if the algorithm gets public it shouldn't be that much of a big deal as it's not what makes the algorithm secure, but the key itself.
as well as:
so the secrecy of the algorithm must not be an issue if once made public
the part i don't agree with is when you say:
It doesn't matter how strong the algorithm is

he never says that the strength of the algorithm doesn't matter, but that the security of the algorithm should/must not require the algorithm to be secret
otherwise we would all be fine with using ciphers now deemed insecure as long as we are using a secret key, which we aren't
of course the security (not secrecy) and strength of the cipher matters, the algorithm must be able to withstand basic crypto analysis such as frequency analysis and so on

i'm a strong advocate of only using publicly known and well studied algorithms, which from what i've seen in this channel, you are too

@sinful cliff @thorn obsidian hi again
I changed my assignment and this time my T told me to make my custom encryption algorithm with the help of s-box or something like this. so i did some research and made this. i guess it's ok for a beginner however i kinda feel it's become somehow messy. anyway here is my code https://gist.github.com/IamYousef/e550192e0a5142ec2a2b761246cd012f
also, i know how my encryption system works but i just can figure out how to make a decryption algorithm. can u help?

my T told me to make my custom encryption algorithm
Here we go again

yeah

Okay so what if you generate a new key upon every time you encrypt the data and do that multiple times so instead of encrypting with the same key you are created another layer to make a new encryption per say would that make it harder still or the same as before where it really does not change and it is bases on the algorithm?

@thorn obsidian This is for you too if you want to answer?

literally undo what ever you did?

Well that comes under one of my points

In some algorithms, such as Caesar or RSA, if you encrypt with key A and then with key B, the result will be just like encrypting with key C.

So depending on the algorithm you use, you can encrypt 100 times with a different key, it won't be any harder to bruteforce

okay okay that makes plenty of sense I understand fully

Can't really take a look at that sorry, got to learn for my exams 😄

it depends on the algorithm used, just like @thorn obsidian has already pointed out to you, for quite a few algorithms key A + B will be the same as using the unknown key C, for those algorithms brute-forcing two perfectly random keys will be the same as brute-forcing another unknown random key

Can make a very basic example, if you encrypt "Hello world" 2 times with the Caesar cipher, once with shift 4 (key A) and once with shift 6 (key B) it will result to "Rovvy gybvn". Now if you were to bruteforce the last string

https://i.imgur.com/TEQyDWY.png

It's just like using key C, so 10 (6+4)

Yes thank you using more then one key is just making 1 new key thank you

Not always, depends on the algorithm used

Yeah I got that thanks although Im not familiar with a lot of the different popular used algorithms It makes sense

3DES (encrypt-decrypt-encrypt or decrypt-encrypt-decrypt using three different keys for the operations) which is not recommended anymore, it's not a very secure algorithm in today's world), is still quite a bit stronger then just using DES, so doesn't hold true for all ciphers

in that example, decrypting with a wrong key is more or less another round of encryption as it mutates the data

and it's using one 168 bit key that is cut up in 56 bit slices where one is used for each pass

Okay so I guess in the realm of safety in encryption I would think symmetric encryption methods are the best way to achieve that and just depends on the algorithm you use however not practical in some situations

while normal single DES is just using one 56 bit key

and just going with the best method on the first go around is the best way about going about it

but due to vulnerabilities in the DES algorithm you will not get even close to 56 bits of security per pass

Okay so going back to the method you would use one that would support more bits per pass or once again just using a symmetric encryption?

but still 3DES is significantly stronger then DES even if they are the same algorithm, so here is an example where multiple passed if done right will help with better security

i would say longer keys for one pass is better then two passes with half the key length per pass

Okay and I think DES is only considered good if 3 different keys are used per pass but still once again its smaller keys

one pass of Rijndael 256 is probably better then two passes of Rijndael 128 even with two different keys (Rijndael is the original name of the cipher we all now know as AES, because it was the winner of the AES competition)

okay thats fair but what if you used DES on an AES encrypted file could you double stack encryptions like that?

sure, but never reuse the same key
because DES is much weaker then AES, if one was to break the key for the outer weaker layer DES one would have compromised the key or at least part of the key that was reused and the next layer will be easier to brute-force
and i would never encourage anyone to use DES or even 3DES today

Okay thats pretty cool thank you

something which is crucial to the strength of the encryption is the mode of operations that you use

Mode of operation?

i'm talking about https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
and that page also mention initialization vectors and padding which is also crucial to the security of the cipher

Any interesting blog or feed people follow when it comes to sast or dast?

@thorn obsidian @thorn obsidian I think the idea is to just get you thinking. I doubt the teacher expects any real scheme or anything perfect by any means.

old versions of SSL/TLS has had vulnerabilities just by getting the padding wrong for example, among other problems

I think it's a case of "its about the journey, not the destination"

most probably, yes

That being said, is it a brutal thing to ask a python beginner to start with encryption? yes. But hey, we live in a brutal world.

🙂

okay after reading that yes it is very important to the situation but I think that would be something for someone making a cipher but yes I guess the padding is like salting a hash but just everywhere

or you learn the hard way why you shouldn't attempt to implement ciphers or crypto systems your self 😉

Sometimes pain is the best teacher

this teacher is probably a genius actually

hes showing his students by example why they probably never want to write their own crypto again lol

and if they do, they can go on to be cryptographers lol

pain it's a very special case of first hand experience

I consider myself pretty decent with physics, but I got a whole lot better after flying over the handlebars of my bike a few times. 🙂

kind of but not really like salting, this is way worse
and IV and the chosen mode of operations are even more important

okay

Hey, how do call a password that is true/legit/that matches the username?

Assuming you have already verified the password is true and legit when you make the user name and password it should be stored in a table to be called upon later and you can match to see if the username was with the password

more context please, if you can describe what you want/trying to do with more words that would be helpful

I was looking for a specific word. Like "calling" a word. The word i was looking for was "valid". But thank you for trying to answer my nonsense question

do you salt the hash?

encrypted, hashed, salted, scattered, covered

As said above, either use a hashing algorithm that is strong enough or a salt.
Saving them in a separate table is simply useless.
I don't really get by "encrypting the vps" - you can't just encrypt whatever you want as you wish. But yes, you might want to secure your VPS.

Lets say I have a website

And I have an SSL cert

And someone can be connected through a proxy

So an MITM attack can happen

So the attacker can give the client a fake SSL cert and decrypt the traffic then encrypt it again with the actual SSL cert

How would I prevent that?

If possible?

i would recommend using both salting and a strong one-way function such as Argon2id for the passwords, i believe pythons passlib has support that
secure programming practices are also very important, for example be vigilant about not using any user provided input for sql queries unless using placeholders and bind variables to avoid sql injection attacks that could easily extract the full content of your database

not using self signed certificates for the website and using HSTS is a good start and will mitigate quite a few such attempts as long as the client has visited the site previously before the MITM attempt and it wasn't far in the past so that the HSTS has expired

mutual TLS (mTLS) is also an option (even if a very advanced and cumbersome one), where you would require the client to use client certificates that you can trust that only the user can get hold of and not an adversary, which will be quite a bar to entry for anyone wanting to use the service and also presents problems with certificate enrollment for the users as well as the one running the service/server

however, even without such measures the client will be made aware of the fact that they are not connecting to the real site as the adversary will most probably not present a certificate issued by a valid certificate authority for that domain, but the user may ignore those warnings and click through them and access the site anyways, it will depend on the vigilance of the user (which isn't reliable)

Alright thanks! Really appreciate it.

How should I start learning about cryptography?😑

if you really want to dive in to the subject i would say the number one text book is: https://www.wiley.com/en-us/Applied+Cryptography%3A+Protocols%2C+Algorithms+and+Source+Code+in+C%2C+20th+Anniversary+Edition-p-9781119096726
if you want to start with a lighter read with some historic perspective the following might be a better candidate: https://simonsingh.net/books/the-code-book/the-book/

should i really pay $42 for a book?

they are both really good books in their own right, i think it's only fair to support creators for their time if one consume their product, but you do you
i think there are free samples like the first few chapters that you can read online to form an opinion of what you think of the book before you buy
there might be used books to buy cheaper or electronic versions which might be cheaper
these books should also be available in libraries if you want to lend them for a while to read

@thorn obsidian didnt you say you saw Christof Paar's course?

Thats honestly a great way to start, its comprehensive. The entire university lessons are online

https://www.youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQghttps://www.youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQg

Also get: https://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642446493 it goes with the course itself and it's ~$30. I own it and have read it, its a great book

Thats (applied crypto, that course, your python experiments) really it, the rest is up to you reading and having patience/persistence.

When learning that stuff, you will hear about certain types of math such as Galois fields for example, and probably want to go and learn about those too, you can always look them up, find out about literature about that type of math, etc...

I also own and have used the book Serious Cryptography. It's a great book written by an expert but it's more hands-on and less background/theory

https://www.amazon.com/Serious-Cryptography-Practical-Introduction-Encryption/dp/1593278268/ref=sr_1_1?crid=1VX502BO9HU9J&keywords=serious+cryptography&qid=1652974413&s=books&sprefix=serious+cryptograph%2Cstripbooks%2C365&sr=1-1

It really depends what you want to know about cryptography, you don't need to know exactly how it works to use it.

yes, bestMiguel serious crypto is a better book for that, whereas those other books are for people who want to be cryptographers or just understand the math behind it more

I do agree that it's probably not a good idea to take Christof Paar's course unless you really want to learn crypto. If you just want to know a few things about how to use Python lib or something, thats way overkill.

Anyone good at cryptography in python here?

ask your question and see if anyone might be able to help you

I want to be able to encrypt binary files but I don’t know how to change my code to allow for this to happen. The files that get encrypted from the terminal with the -e flag it turns into an automatic metadata file that includes the salt validator Mac and searchterms but the searchterms should not produce the hashes for binary files

https://paste.pythondiscord.com/gumatakogi

This is what I have so far

sorry, i don't have the time to go through that amount of code right now
just skimming through it a bit i think ECB mode sticks out like a sore thumb, wouldn't you like to use one of the AEAD modes instead?
and their are better algorithms available today then pbkdf2
also, i still don't understand exactly the problem that you are having and was trying to describe

I tried to make a function to ensure if the file is in bytes or not like this and then later on i used the function and said if its binary to not do the search terms list when encrypting and when it is not to put inputs inside the search terms

def is_binary(file):
try:
with open(file, 'tr') as check_file:
check_file.read()
return False
except:
return True

yeah my ctr mode is also not encrypting big files

def one_ctr_block(key, nonce_plus_ctr):
ctx = AES.new(key, mode=AES.MODE_ECB)
return ctx.encrypt(nonce_plus_ctr)

maybe i should change to AES instad

anyone can help take a look at my cryptography code in python?

If you don't share it, nobody will

you can't salt it after, salting is a part of the hashing operation, unless of course you hash the password again, but then the result of the first round of hashing that is done on the client side essentially becomes the password from the view of the server side code

s

I'm not sure if this is for a school project but I think if you use Fernet encryption its far easier to use and understand as well as it is pretty good and I could help show you how to use fernet but I am not familiar with using AES

Lololololol

if you where responding to @carmine sparrow question just above your own, @carmine sparrow actually did share the code just a handful of messages above: #cybersecurity message
i have not had time to look in to it and don't think i will have time for quite a few days, at the earliest

Didn't see as it wasn't using code blocks
Also can't help or inform anything for the next 3 weeks

it's because of your exam right?

does anyone here use vmware

Yup

what is the subject of your exam?

Basically more than one

Like Math, Physics, Chemistry, etc.

oh, sounds like a lot, best of luck (well, luck doesn't actually have that much to do with it, it's mostly a lot of work and effort, but you know what i mean)

Yeah it's quite painful, thanks a lot :D

I always feel like I know nothing before these exams

yes

#python-discussion

@thorn obsidian heres another great resource for ya: https://www.crypto101.io/

@carmine sparrow Why are you using ECB?? Its not super clear from what you stated above. Because "CTR mode isn't encrypting big files?" Also, what do you mean "maybe I should change to AES instead?" This is AES.

In that code above that sentence, you are literally using AES already.

ANother question - what type of salt are you providing? I see it comes from a file... Is it a constant salt? How is it created? Whats the length etc

This is a sorta random nitpick too but, what is the purpose of this:

def createmasterkey(password, salt):
    pw = password # <--------
    salt = salt # <------
    key = pbkdf2_hmac('sha256', pw, salt, iterations=250000)
    return key

That just seems like a waste of space with no added value to me.

thats all I got time for right now, will check back later

Thanks man

Also ppl wanting their crypto checked, you can do some self checking if you go to https://cwe.mitre.org/data/definitions/699.html and open the “cryptographic issues” area and then you can learn about all the issues with examples of how to audit

what are some good books to read to get better at the Linux command like system?

Linux Basics for Hackers by OccupyTheWeb is a really good one to start. It helped me a ton!
https://nostarch.com/linuxbasicsforhackers

Yeah there’s another no starch one called “the Linux command line” or something like this from same publisher as that one. Maybe look at the TOC of both

Basically the command line is nothing more than a bunch of small independent programs that you can work together in a system

Those books cover a great handful of them

alright thanks guys

You're welcome!

Hello guys

Im in the moderate level in python, can i jump to bash script or complete python untill getting pro in it ?

what do you mean with "complete python"?

Becoming a professional python programmer in term of security ofc

@sinful cliff

okay, but I still don't understand the question "can i jump to bash script or complete python..."

nvm

if the question is what you can write software in for sec stuff, i would say that you can use any programming or scripting language that you like as with any programming, just that some languages are better suited for different situations

Guys i converted a py file to an exe file and the process went good, but the problem is when the program is finishd the cmd disapears immediatly without i can see the output!

Yeah you would have to hold it open (get user input) most likely

For example if you call the input() function it’ll probably hold the CLI open until you hit enter. Thats what I used to do in my c programs sometimes. But since I run Linux I never have this issue now since the terminal didn’t just close when stuff is done. If you’re on windows you could also try to run the program in powershell.

However I just realized that the above isn’t a #cybersecurity matter so maybe try one of the help channels or #python-discussion if you need more assistance @cedar junco

Okay, thanks for helping

any1 know anything abt reversing apks?

(not sure if the channel is meant for python side of cybersecurity)

it's an archive just like jar files

the process is very similar

Yeah, but my problem is handling a bundled apk

I pulled the folder from /data/app/ and it contains base.apk and other apks like split_config.apk, I'm not sure how to handle that

do I just decompile the base.apk and sign it or do I need to build one apk containing all others and signing that

your both talking about "revers" apks and "decompiling" stuff and at the same time you are talking about the opposite when you mention package them up to one single file and singing stuff
an apk file can be opened just like a zip file
if you instead want to bundle them up in to one you can use a the google bundletool from the android development kit
but this doesn't sound like it's about#cybersecurity or even python really

actually I just want to know what kind of http requests the app sends but I did not succeed at using a proxy to find it out so I figured I could decompile the app and inject bytecode to log the request data, so I figured it would go to security

That indeed does kind of fit to security, but not really to the channel topic

if you use asymmetric public-private key encryption, is it possible to deduce the private key if you have the encrypted message and you know the message content

nevermind, ofc it isnt. stupid question lol

if it were possible then anyone who knew the public key could deduce the private key 🤦

Not in any production crypto system. Maybe in a high school project one 🙂

well by design asymmetric public-private key encryption doesnt allow this, i dont know why i asked this in the first place lol, i could have realised the answer if i gave any ounce of thought

that is not true at all, in that case all our private keys for our TLS certificates would be compromised

oh, now i see what your end goal was 💡

Is hackthebox academy a good source to learn from?'

Never used it, so can't say it's good or bad

I've looked at a little of it and it seems really good.

So interestingly I've been happening upon this common theme of security being an especially difficult area of software development because it is "impossible to thoroughly test" since it relies on an infinite possibilities of things not happening, rathert than a finite list of things happening. I suppose this also depends on one's definition of "security." I feel that as subcomponents of security become more defined, requirements are more easily met.

One thing that security defense has as an advantage too is for a vulnerability to be actively damaging, it also must be found and exploited. Of course in the field we assume that this will happen with every vuln but in actuality, it probably won't.

Sometimes I wonder if security is actually that bad or if every subdiscipline/group of software developers see all of the hardest parts of whatever they are working on, and inherently claim it to be harder than others, or at least hard. I'm sure there is some name for this type of bias.

Perhaps what people mean is that “the consequences of bad security can be higher than the consequences of bad other areas of software” which seems more realistic if you’re talking about say a mass data breach. But even still, has anyone actually compared the monetary implications behind that with say they cost of a huge spaghetti codebase over time?

depending on your business a breach could mean the company loss their license to operate and hence all of their business in one blow, just like a catastrophic failure in any critical area of compliance
a spaghetti codebase can lead to increased costs and stagnated development of the business and even lost of some of the customers or contracts as a consequence of that stagnation, but i have a hard time seeing that it would have the same ultimate and immediate consequences

I agree in concept, but do you know of any well-known businesses in which the former occurred? I am less educated than I’d like to be in this way mostly because the industry analysis provided by eg Forrester and such are above my pay grade and I usually just focus on the technical “in the trenches” stuff

Also note they often have insurance, not saying there isn’t a cost though

Former being large company actually loses their license or is shut down etc

I haven't seen it first hand but know of businesses in the financial sector that has lost their license to operate due to compliance issues and all of their assets has been sold on executive auction to a [former] competitor, i highly doubt any insurance will cover such an eventuality and it doesn't help most people in the company other then maybe the majority owners

Anyone know what lang they couldve used for this? Its old 2005-2007.

Analyze the file. A random guess would be Winforms w/ C#

With the exception of Rust, nearly all popular programming languages were around back in 2005-2007, so it could have been anything

do you have the binary

I’m gonna be bold here and say probably not python, possibly java but still unlikely, or some language under C, C#, C++, or a windows centralized language

It most definitely is not JavaScript, HTML, CSS, Golang, Rust, Bash/Batch/ZSH/Shell, Haskell. I don’t know about Ruby, Visual Basic, Elixir, etc

Is there any difference between **Ssh **and Openssh?

yes

@visual oriole SSH is a networking protocol

wrong person

@cedar junco

OpenSSH is an application level implantation of that protocol

so you use OpenSSH to which uses SSH protocol

and the openssh client application/command is named ssh just like some other alternative client implementations

Hello, I am building an application which will make users able to write their own extensions in Python, the problem is some of that code should get executed on client's PC directly, this of course means I need to sandbox the app so that it can't access any of the stuff on the computer.

I know about PyPy sandbox but as I read it's only secure for Python 2, other stuff I read about was using AppArmor, the problem is that I need it to work on Windows and without user having to do anything.

The implementation doesn't need to be written in Python, I can also use C++ or C, but it has to be invokable from a code. Also I need the code being ran to use one lib I wrote. So that it can access the interface of the application it should extend.

I have no idea if it's even possible or if I want too much. I also thought about stuff like using the sys audit hooks but I don't think that would be 100% secure.

Thanks for any answer.

@solid hinge

hi

@deep rapids

Now

so what first happened that made you suspect you had a virus @deep rapids ?

Have any sussy things been happening on your pc?

resetting the passwords atm, brb

kk

Alr

OK so

Lean

yeah

Do you think it's a spear phishing

Cause if it is

Then it is kinda bad prob

indeed i do

I would take it to law enforcement

but i dont have any evidence to back up my claim

Same

I would say they investigate

First

And try to log the IP

indeed

Check if it's a tor node

try typing "wmic startup get caption,command"

in cmd

Them tor nodes be doing sussy things

we need more information though

or "get-service | foreach-object{ if ($.status -eq "stopped") {write-host -f red $.name $.status}` else{ write-host -f green $.name $_.status}} "

for services

it could not be a spear phishing

^

Thing is

Malware might have spread over their pc

So resetting passworss

Passwords

wont work

Might not be helpful

well most of important passwords are now done, and nothing sussy really been going on afaik

Check task manager

if its spear phishing they wont take browser creds

they enumerate first

then log admin creds

kk

I didn't suspect one until a few minutes ago in general after someone told me what the "BEEFHOOK" cookie thing is

Check task manager for powershell or cmd

and maybe

maybe you have the everCookie as well

its a cookie that dosent get deleted

invented by some dude in a basement now the NSA uses it

seems clean

check background processes

Is there anything by the name

RemoteDesk.exe?

also check your performance

^

Also open cms

Cmd

Do

As adminstrator*

And do

netstat -b

nope

and finally

go to startup

and see if theres anything sussy in there

Hey @thorn obsidian!

Check startup

clean as well

What's that txt file

use hastebin

go to details

it was how a targeted cyber attack would work step by step taken from the conti hacker training of the initial actions u should watch out for

and see if anything is running on a sussy username

I see

don't see anything sus

https://paste.pythondiscord.com/hunerosomo

here it is

Check for XXHackerLOLKidXX ig in the usernames

Check for any sussy usernames

ill send a list of all normal usernames

YOUR USER

Alright

SYSTEM

LOCAL SERVICE

And uhh

iirc

ADMIN

And

NETWORKING

PROCESS?

i have UMFD

I remember that being a thing

is that sussy?

well I assume there's nothing sus going on the laptop, thx!

nw

dont put any personal credentials on your laptop anyways

atleast not for a month or so

^

until you know its clean

Also

I would say use the cloud incase of ransomeare

Ransomware

Anyways

Anything happens ping me

same

Or call law enforcement ig

Lol

there's very minimal personal info on this laptop, I have a personal one with secured stuff

because im prob always here

get rid of it maybe

I have exams atm so might not be very active

this is school laptop ;-;

oh then let the school handle it

2 days to go

no more days to go for me

today i graduated

congrats

thanks

Congrats

indeed

congrats

congrats

🎉

im gonna go back to #python-discussion

Alr

Hello, I'm trying to create a secure socket using SSL/TLS. I'm using self-signed certificates but I got this error :

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)

When I generate self-signed certificate with openssl req -x509 ... I don't have this issue. I got this problem when I use self-signed certificates generated with PyOpenSSL.

Does someone know how am I supposed to verify my self-signed certs with load_verify_locations and load_cert_chain ?

Thank you in advance.

no matter how or with what piece of software you generate your self signed certificate you would get the same kind of problem unless you use also validate against that certificate specifically as it has signed it self

you won't get any errors such errors when you generate the certificate, it's when the client tries to verify the certificate that problem would appear, just like you are experiencing, it's normal

there are examples of how to use load_verify_location and load_cert_chain at https://docs.python.org/3/library/ssl.html#functions-constants-and-exceptions, example 2 and 3
for path/to/cabundle.pem and /path/to/certchain.pem in those examples you would instead put the your certificate that you just generated
and /path/to/private.key would be the private key that belongs to that certificate

Thank you very much !

In fact, I just realized that it still works for one of my sockets.

I have re-tested by regenerating self-signed and for one of my three TLS sockets, I can verify the certificates. Now that I understand why I can't do it. I don't understand why it works for one of my sockets...

i can't understand either why it would have worked for one of your sockets if it was using that certificate and key on the server but not using that certificate on the client to verify the server certificate

I'm doing load_cert_chain on the server and load_verify_location on the client

pointing to the same file (or an exact copy of it) in both, right?

Exactly

and it's working as expected now?

No, it's not working. It's only working for one of the three sockets I'me doing SSL

how does the server side and client side code look like for the three sockets?

Working Server-side Socket 2 :
def __init__(self, cert="certs/server-cert.pem", priv="certs/server-priv.pem") -> None: 
        self.context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.context.set_ciphers('ECDHE-RSA-AES256-GCM-SHA384')
        self.context.load_cert_chain(cert, priv)

Not Working Server-side Socket 2 :
      cert_path = f"certs/{self.username}-cert.pem"
      priv_path = f"certs/{self.username}-priv.pem"
      context_recv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
      context_recv.set_ciphers('ECDHE-RSA-AES256-GCM-SHA384')
      context_recv.load_cert_chain(cert_path, priv_path)

Dude, I just found my mistake

and if you print cert_path and priv_path, do they contain what you expect them to contain?

I'm so sorry for the inconvenience

no worries 🙂

I made a mistake about the ports, I was connecting twice on the same port. So, the second certificate didn't match with the first one

i see, good catch 👍 🙂
and as you didn't post that part of the code it would have been hard for me to find 😉

Of course. But a big thank you anyway for the help. 😄

you're welcome 🙂

Has anyone brought this up: https://www.securityweek.com/pypi-served-malicious-version-popular-ctx-python-package ? Is this affecting discord bots?

I don't think any discord bot library uses the ctx package lol

https://github.com/advisories/GHSA-ffqj-6fqr-9h24
suggested upgrade for affected repositories to v2.4.0.

I am reviewing this encryption example, does anyone know what the \033[1;32m --- \033[0m is for?

plaintext = b'this is the correct plaintext!'
print(f'plaintext: \033[1;33m{utf8(plaintext)}\033[0m')
encrypted = base64.b64encode(public_key.encrypt(
    plaintext,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
))
print(f'encrypted: \033[1;32m{utf8(encrypted)}\033[0m')

from what I can tell it seems they relate to color code outputs, what is their purpose in an encryption sequence??

Absolutely nothing

Purely design and layout

No Discord bot library uses such a package, if your bot is affected then you have added it for your usage on top of the library. The Ctx library is not the same at all as the ctx variable you often see in commands, it's just a variable name.

That was my first thought, my second thought was that it was a color wrap encryption that could be used to identify categorical data based on a paired color class object (pre-decrypt).

Don't really think so, the colors aren't really chosen in a good way. But can be possible

that is known as an ANSI escape code.

https://en.wikipedia.org/wiki/ANSI_escape_code

Yeah they know that, see at the bottom of the message

Ah I see

Hi, im starting Security, what do you guys recommend?

Process process = new Process();
ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.FileName = "nmap.exe";
startInfo.Arguments = "-p " + port + " --script http-sql-injection " + address;

I can run nmap like this using C#, how can I do the same in python?

That's a link I give to everyone new https://github.com/DFIRmadness/5pillars/blob/master/5-Pillars.md

Can try the python-nmap library, or use subprocess

Alright

Thanks

Online platforms like Try Hack Me (more approachable for complete beginners) or Hack The Box (has beginner content but is best enjoyed with a little bit of experience)

oh, ill definitely try those

thanks

im already loving Try Hack me

Hi, does anyone got source for process hollowing / run pe file in memory without any write to the disk for 64 / 32 bit payload ? thx

I don't believe that fits the channel's purpose at all. Therefore I don't recommend asking that, and didn't recommend anyone to respond.

!rule 5 sounds like it would be very applicable here

i dont plane to use that for malicious activities just for learning

the rules of the server still applies and we can't have any real guaranties for what you say is true
besides, this channel as the topic suggests is about securing your python code in different ways

Htop 😛

Hello folks, I am looking for some help with pip install.

https://old.reddit.com/r/learnpython/comments/uz0732/how_to_timeout_pip_install_when_the_module_is/

is this at all #cybersecurity related?
sound like it might belong to #python-discussion or a #❓｜how-to-get-help channel

Well, such behavior is often exhibited by malicious packages. So, I thought people here might have come across the same issue.

ah, now i read the post too
i think the pip option --timeout only controls the sockets that pip use to fetch packages for installation, nothing more
i would be lazy and just wrap it up with a timeout command with enough of a timeout for all the installation steps

Said no nefarious person ever 🤣

is there any way I can detect if a specific driver is loaded?

gonna need way more context. what OS are you on, for one?

windows

https://www.nirsoft.net/utils/driverview.html

I would like to make something similar to this, finding loaded drivers on windows

I don’t know if Python would be my first choice for kernel programming lol

C or c++ is better ofc

I would just like to find a way to do it in python

Yeah it’s less about preference and more about being able to interact with the OS/kernel the way you need to. I know there are also c bindings for Python too though

why not just query wmi?

Does vscode track user data and send them to MS?

https://code.visualstudio.com/docs/getstarted/telemetry

unless you turn it off, but it's trivial to turn off