#general

like holes in the bottom worn out

Yeah but my running shoes always fall apart so damn quickly

couldn't live without em. not tryna walk through 6-8" of mud in vans

Like the front toe bit always starts to peel, the heel wears and the underlying fabric starts to show where the toes bend

So I feel like something without the front toe and a proper fabric will last a bit longer potentially, I never have issues with the soals

Soles*

inverse exp

my brooks are solid tho. not planning on even trying another runner. very comfortable + some good impact absorption

guys,
how to get email extension @dawn bronzecom

That's fair man

Buy a domain and set it up for email

doesn't github provide email services?

Not that I know of

Github gives you email aliases

IIRC

something something hide primary email something

Yeah I really should invest in Timberlands so I can get away with saying I'm 5'10 and put the 5'7/5'8 in the small print

I thought that was specifically when putting issues etc. down, it's not a full email alias

i dont remember. been a long time since i used github but that checks out

afaik the only aliases github gives most users is their anon one -- but that's not a pretty "jdoe[@]github[.]com", it has a fuckton of random numbers of nonsense too

yeah don't believe you can send from it, just a relay

ehm, tims or tim pros

Morning

m

how're you doing today?

less productive than i had hoped but not unproductive

i need to reset --- it's 2am and i'm wide tf awake

sleep 👀

just close your eyes and relax

can't

too much stuff needs doing

👀

reset == sleep

reset == don't sleep tonight so that i can go to sleep at a normal time for once tomorrow(/today) and have a normal sleep schedule again

makes sense

coffee 👀

already wide awake tho

I mean after

well yeah, religiously

yes

I have messed up my sleep schedule

It's 7:30 am and I've failed to sleep yet

I may as well wait till 8 so I can call the bank

I went to sleep at 10 am yesterday and woke up at 8pm, been awake since then 😄

Bank is open on Sunday?

For calls yeah they're available 24/7 with mine

Facebook marketplace scams making their rounds again

Feel like I should let people know around me but think they know if it's too good to be true it probably is

Guis

https://tenor.com/view/bruce-almighty-morgan-freeman-i-am-god-hello-hey-gif-4743445

gg

morning guys

morning bois

How to find an SSID from BSSID?

in my website what data should i be basing my auth token off of? should i use the username or smth like a uuid?

for the record, usernames can be uuids

i never liked doing it that way tho

shouldn't auth tokens be fairly random

yup

unless you're seeding with the uuid ig idk 🤷‍♂️

so should i be randomly generating it then storing it alongside the users data in the db

and also giving it as a cookie

I would go with a session instead tbh
https://www.geeksforgeeks.org/session-vs-token-based-authentication/

Lumpy porridge, 4/10

not a web dev so don't take anything i say as gospel btw lol
should it really be stored at all?

should be short lived for the sesh

why store tokens?

i was imaging session this entire time lol forgot they were different

wait im talking about session tokens my bad

sorry?

you don't store session tokens on client

I'm eating lumpy porridge, it's 4/10.

i thought you do on cookies

what's the difference between porridge and oatmeal i forget

nvm

But the main difference between porridge and oatmeal is that porridge is made with a variety of whole grains, cereal or legumes, and oatmeal is made with oats

that's just a key

oh so do you store the key on the clients cookies, and the session token on the servers db

the cookie stores id, generation time and expiration time

and the server validates this and logs you in if it isn't expired

|| wait til you start with anti csrf toks ||

wait till you hear about certificate based
https://www.geeksforgeeks.org/what-is-certificate-based-authentication/?ref=ml_lbp

yeah currently im using jwt.sign() with my secret key and the username of the user to generate one, then i pass it to the client to store as a secure cookie with 10 days expiry and then when they send a request i decode the cookie, i get the users data from the decoded username

ewww, not jwt

what’s the better alternative

sounds like what the district here used for their transparent proxy on student/faculty machines back when they didn't hate dealing with proxies

let me introduce you to php

as much as php annoys me, php.

https://dev.to/codeparrot/jwt-vs-session-authentication-1mol

I best hurry and re-new

https://x.com/vxunderground/status/1794415129334829260

😂

oh right, so is the main advantage that you can invalidate any users session if needed and it’s more safe from XSS attacks

basically, yes

ok cool thanks imma try implement that

reset = sleeeeeeeeeeeeep

TypeError

skill issue

i get my sleep during holidays

the extra 1 hr sleep

u shd sleep too

@bitter apex JWTs are fine.

Storing a JWT as a cookie as basically as safe. Keep the lifetime short, keep it httpOnly

Renew it

Short being like 5mins

imma try php anyway

That is not a good thing.

PHP is not an alternative to JWTs

how do website keep you logged in then

for days

PHP is a backend language. PHP can do JWTs yoo

I didn't say it was impossible

I said it wasn't a good thing

You'll quickly learn that user convenience is prioritised over security, and that leads to loads of security issue

yeah true

but if i do php can i hold the cookie for like 10 days and if they go back on the website i can refresh the session identifier

You can do that with JWTs

You can do that with JWTs in PHP, or Node JS, or Python, or Ruby

Do you mean PHP session storage? That's nothing special really

yeah i kinda just wanna try it for practice as well

Don't rebuild your app in PHP just to get a basic key-value store

doesnt express have some kinda session thing as well

so does this mean that imma have to refresh the jwts every 5 mins

I think so

I'd recommend that

Defense in depth, minimises attack window for a bunch of stuff

if i do that then i won’t be able to keep users logged in hm

ig it’s a trade

well, they will still be logged in if they keep the session open

yeqh but like between days

Again, that isn't a good thing.

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
This doesn't include JWTs but it's important

Also oauth2/oidc is super easy if you want to offload almost all the authentication stuff

yeah ofc imma prolly just login with google on my acc website

but just for practice i wanna try sessions

wouldn’t that be harder to implement, security-wise?

Huh?

I have no idea what you mean

Building an OAuth flow versus using your own framework’s session management for authentication

Use a trusted library?
But oauth/oidc with external identity providers means you don't implement the authentication

Don't make your app an identity provider

Let Google or Microsoft or Github or Twitter etc do all the heavy authentication lifting

Yeah you could def do that but one wrong implementation and you could be leaking OAuth tokens for user PII against those providers.

The whole point is that the tokens aren't for the platform, they're only acting as the identity provider

This goes back to what I opened with anyway. Use a trusted library.

OIDC definitely works this way at bare minimum
https://www.microsoft.com/en-us/security/business/security-101/what-is-openid-connect-oidc#:~:text=OIDC stands for OpenID Connect,information without compromising user credentials.

I get that, but it doesn’t necessarily mean the flow would be robust too. But it is true that Oauth type vulns may need some other type of vulns to also be viable.

The tokens aren't valid for the idp, there's no way you can trace them back

This isn't like the Teams exploitation with Microsoft graph

You just ask for the right set of claims etc

Do you mean like logging in on the IdP like Facebook for example?

You authenticate with the idp, and the idp tells the app only the info that is in the scope

The app doesn't get a token that's valid for your, eg, facebook account

Oh yeah definitely

So this ain't a thing

This is still a thing though. https://hackerone.com/reports/665651

Isn't that the idp?

Its not necessarily an issue with the IdP but with the OAuth flow itself of the application

The example there is with the IdP not verifying the redirect URL

You register the redirect URLs with the idp

I've set up a bunch of them

Why would someone like Facebook, Google etc open themselves up to a scenario like this?

It's in their interest to prevent malicious applications

Even then, the token issued doesn't allow control of the Facebook account etc unless you scope it for that

OIDC and Oauth are pretty well thought out

The oauth token goes to the attacker and then the attacker can use it against your application? That's basically the scenario.
No PII leaked except what you're requesting and storing

Isn’t that the PII leak itself? Gaining access to someone’s account. I did not mean PII leak in terms of IdP but PII leak generally. Gaining access of someone else’s oauth token already allows for PII leak.

It's a misconfiguration in the IDP there though

Yes yes definitely

But we're talking about the end app

Jeez, absolutely do not build an IDP yourself

Authelia/keycloak/etc for that, even AD Federation

Aws has some interesting stuff in cognito

might be thinking of robocopy? Windows is fine with large file transfers, just not via GUI/Windows explorer in my experience (especially over shares, etc)

It's large copies of small files that really suck

Big files are fine

yes^

Robocopy is really nice

Depends what's in the token (and the token type) as well. An access token should never store user info. A client token should never store sensitive user info. If the IdP returns a token containing sensitive info then that's something which can be reported on, yes.

The issue there is that client tokens are designed to return basic user info (username, first name, last name, email, etc).

That's the one!

I say "issue" -- it's not really an issue any more than if an API returned the same information, as the client token is only meant to be used by the client, e.g., to fill in information for the user's profile. It shouldn't be sent elsewhere, etc.

I've had weird smb issues where copy failed but robocopy just did it

Can't remember the scenario aside from it being some real hacker nonsense

Only becomes an issue if you can intercept it (and yes, an open redirect in this instance could potentially do that)

(Which is why the idp makes you register the redirect URLs and enforces them)

It's really worth messing around with these solutions, Oauth2-proxy is good fun

Run some stuff internally, run a keycloak or AD Federated Web Services or whatever

Ooo raindrop.io got some AI feature now, hopefully able to help cleanup my tags a bit more

ok listen it's either that or I manually sift through them (~1K) and I don't have the time for that

yeah bun that

Yeah somewhat

Spf - what IPs can send email for this domain
DKIM - public key cryptography to make sure emails are authentic
Dmarc - what to do with emails that fail spf or dkim

Is there a more specific question that I can help you with or were you just after an ELI5 of them?

Not exactly for "outbound" email, it's enforced by the recipient but the policy is from the sender

how do you implement the jwt refreshes? do you create a second refresh jwt with a longer expiry and when the first one expires you use that refersh jwt to generate a new normal jwt?

Just give them a new JWT with a new expiry?

yeah but then they have to login every 5 mins surely

No?

It's an authenticated session, you just update the cookie

SPF, DMARC, and DKIM are all for spoofing, not for spam

Granted spammers might not set them up, or they might spoof, but...

Arguably it's in the spammer's interest to have valid spf/dmarc/dkim anyway

Dunno whether you thought of this yourself, but refresh tokens are actually a thing.

but for me the cookie is the only thing that allows the user to stay logged in

so if it expires theyd have to login again

I don't think they're particularly good in this case, seeing as the refresh token is dangerous to leak

You update it before it expires?

but how do u know its gonna expire

Because that's in the JWT?

That's the "exp" field

You check the expiration time stamp of the token with every request, I suppose. And if it is about to expire, set a new one.

so if u dont request for 5 mins ur gonna have to login again

So you write some JS to make sure it gets renewed, and you can even implement idle timeouts there

so to make sure its renewed before the 5 mins is up imma have to implement some timer

The main thing this works to prevent is reusing a token after the user logs out

In JS, trivial.

yeah

Every token is dangerous to leak tho.
If someone gets their hands on a normal JWT in your case, they can theoretically stay logged in forever, no?

I added tahin to my noodles, tastes amazing

yeah true cuz the JWT is based off the user id

Yep but the 5min window minimises the likelihood, hence reducing the risk.

Session tokens are also the same

currently every jwt made for the same user is the same, so i should prolly change the secret each refresh

Nope.

The exp should be different

The iat should be different

And with a refresh token you reduce the risk by not sending the refresh token with every request and attackers being locked out after a few minutes when stealing the normal token. IDK, I don‘t see one being particularly better then the other.

You can add jti if you wanna be fancy

So you can't store the refresh token as a cookie or it'd get sent every time
So you have to store it in sessionstorage or localstorage where it's immediately stealable with XSS

Plus refresh tokens will still require you to input a password every few hours instead of minutes and not keep you logged in forever.

A proper refreshing JWT implementation doesn't make you enter your password every few minutes

oh ofc

The session doesn't just remove itself

That‘s not what I mean.
When the JWT refreshes itself, you don‘t need to enter your creds again at all, unless the server implements specific logic that blocks refreshes after x times.

Yep even without the refresh token pattern that's true.

With refresh tokens you would need to log in again after a day, maybe a week, up to the dev.

And an attacker would get locked out after that time, because a refresh token should not refresh itself.

👍

so if u go off the website for loinger than 5 mins then it logs u out

Which is a good thing

yeah

You can go up to 15 etc

but its only a game website so im thinking refresh tokens are more the play

cuz i feel like user experience > security of their account

cuz whos gonna wanna get access to it

I‘d argue refresh tokens are not less secure.

Bad people

noo not my daily streak

It might just be easier to implement with the solution Ninja suggested, however.

but i wanna be able to keep users logged in for a week

And obviously require less manual logins.

You can do that with both solutions.

yeah ig

I'd recommend offloading authentication to like oauth for that.
Session for your application ends but they just click on sign in with $PLATFORM

When the token refreshes itself tho, expiry times will be atrociously long.

Also a very valid approach.

Plus pretty secure, 'cus now e.g. Google will now handle the authentication part.

yeah but with the other solution the actual token itself will have to be long

You misunderstood, I was talking about that exact case.

ohh yeah

Don't leave sessions alive for a week

Just... So many issues with that

looks at netflix

yeah i get that but i think for my website cuz its just really ur game stats and i dont really think it matters

Game stats? See if the game platform offers a developer API with oauth

Anyhow, I will go look for a nice café to work in now.
See you guys around. ^_^

its my own game

on the website

Do you reallt need authentication then? You just let them enter a username to lookup their stats

Is that why I get signed out of some websites if I don’t log in for a long time

@queen dune hai

guys... i found the dumbest way to fuck a pc... but its fucked

windows didnt think this through 💀 like they thought about it but then didnt

im baffled

Heyyy, can ask for sum help? From any python coders?

do u have to pay to implement a sign in with google

So basically, one of my family relatives got her house broken into, and then they put there rubbish in [her] skip; I want to make a py-program/bat, to find out who the person is (since, the persons face did flash in the cam. And it was *night.)
*Black and white cam since night.
So any tips or code to make this possible and easier to report to the police I would greatly be thankful!

i swear the attackbox things are so buggy lately

Innit

Why not just give the footage to the police and let them do their job?

i mean either it refuses to launch or refuses to load after it launched

Because, my family is threatened and the police don't do nout' unless there is more evidence

Then what do you expect to do if you find who they are?

You won't be able to get the dataset you'd need for facial recognition either...

This is more than likely also false.

Ikik...

It's not, the police where i live don't care unless they have face/name or proof of them, and on the video all the police will do is wait. Whilst I will get data and report it with Proof. I just don't have a py data or programs to get all the data i need for the file

As James said, I doubt you'd get it.

Ik.

U just gatta at least try yk

You can try, I'd ask you don't ask for help in this server however.

Any madam

Is is with you and trying to find a girl in this server

What

funeh

Can you please stop asking for women in this server please.

No

Ok

I have a small question that way I will ask

Also scrub check @ justmahirs description

What is the question.

It's a movie quote from American Psycho.

Ah

No its c++

I see

Then ask the question in #programming you may get help in that channel please.

Is there a way you can see how many points a room will earn you?

No, but this could be a good addition to the over all experience, I'd suggest you use #feedback-and-ideas

(although the age of the room may dictate the points)

sweet

Well, you kind of can derive it from API...

Api isn't documented for member use though.

I even remember making JS script to find the rooms for cheese

Does it need to be?

when did it stop anyone?

Ok

By counting.
30pts/q for a challenge, 8pts/q for a walkthrough

No, but members probably don't know how to use it though.

It's stopped plenty of people I'm sure.

As damning a feedback for the usefulness of the content as ever I've seen lmfao

do u have to pay to implement a sign in with google in a website

you can probably google that pretty easy

Plus, I'm sure Tim has asked people/person(s) to stop before.

No

As long as it's in line with the terms of the bug bounty program/tos, they can knock themselves out on it

Hi

I mean, you can't expose an API as part of your service offering and then tell people not to use it 🤷‍♂️
It's literally the backbone of the application

hiya does any1 here have a broadcom account?

Yeah.

Could arguably make it a ToS breach to connect to it using unapproved clients (i.e., anything that isn't the web frontend), but that does absolutely nothing to prevent people from using it to their own ends.

It's also very much against the spirit of "hacking", and guts the bug bounty programme. Surely you would want to encourage your students to practice responsibly in a real environment

Pretty sure it's self-sign-up for broadcom?

Yup!

im unable to create one do you mind sending me the vmware workstation installer?

Why cant you create one?

the problem is the website is an indecipherable maze and i keep running into one error after other

idk why whenever i create one it makes me manually log back in and when i do it gives me an error

it's incredibly frustrating

and I cant even ask for support cause it just redirects me to it's homepage

it's a clunky bloated mess

Look up at my previous messages, I've sent a direct link and screenshot of the version needed.

cheers mate

ugh it makes me sign in I'll try to create another account

Try to use different browser and/or proxy, changing something might help

perhaps

I'm just baffled by why they migrated from a perfectly functional site to a half assed one

Are you trying to download VMware?

yep

vmware workstation

atp it doesnt even seem to be worth it lmao

Hold on, I'll spare you the hassle

❤️

Here you go

Slightly older version, but it'll auto-update anyway

oh god i accidently deleted my desktop

how?

IDK

cheers

its just missing

ur a legend

This is why you use VMs for messing about

it is a VM im fine

its just interesting

Revert snapshot ezpz

i never made a snapshot 💀

then use your custom image with everything setup

Well, lesson learnt

i dont have that either-

but its just a fresh windows install

just takes forever to get another T-T

How'd you delete your desktop on Windows?

IDKKKKK

ill show the error

some file is just missing

i didnt even delete any files

Windows. The operating system which throws a hissy fit if you uninstall a freaking web browser.

well ye but

apparently it doesnt care if you delete important things

@mossy river y'all switched away from Stripe entirely, right?

that file is apparently gone

so now it looks like this 🤣

been using win11 ltsc for a week now it's rock solid im pleasantly surprised but then again ltsc hasnt let me down in years I'd check that out if i were u

well....that's still usable I guess 😂

its not

the taskbar is purely cosmetic

oh

lmfao

Where did you get the iso from?

wait IT IS usabel

but i have to use windows r to start stuff

lol

cuz explorer is kind of broken too

oh it was normal

is explorer.exe running

it is

Could check event viewer

xd i wonder what happens if i end explorer

cuz like

its already gone

ok now its all gray

fair

well restarting explorer gave me my desktop shortcuts back

its funny lol

Hi yall

New role I see 👀

Yeah true, omw to the 0xD

But with mostly walkthrough rooms it lasts some time

still triggers me that E and F isnt a thing 💀

Yeah imma do a suggestion in #feedback-and-ideas

Or is there a specific reason there are no E and F?

Maybe they should be something like 25k points and 30k

https://tenor.com/view/coffee-koala-coffee-time-cute-caffeine-gif-20268883

Hello Im in the intro to offensive security course some commands arent working like 1s

or the passwords they give me

Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds
root@ip-10-10-6-82:~# ftp 10.10.199.195.
Connected to 10.10.199.195.
220 (vsFTPd 3.0.3)
Name (10.10.199.195.:root): anonymous
530 This FTP server is anonymous only.
Login failed.
ftp>

the anonmyous command is supposed to work

There shouldn't be a dot at the end of the ip

But please use #room-help

fraaack... i overlap two models on 3d printer and now they are printed as one thing =/ so 5hrs in waste

that worked thanks

Gave +1 Rep to @naive violet (current: #2 - 2141)

sorry im new I just joined

tou can #start-here . also might be ok to verify to have full access into things

how do websites normally handle if an account already exists with an email, but then they try to log in with google using the same email?

do they just log into the same account cuz their emails are the same?

it'll probably return with an email already registered error

https://book.hacktricks.xyz/pentesting-web/oauth-to-account-takeover

I love the internet

oh so the email account needs to be email verified, and then if it is the OAuth will just link back to that account

makes sense

what if its the other way around

if youve logged in with google and try to make an account then itll just say email already registered

For a task I was looking for when a powershell downgrade attack happened. first I used trusty mitre for the event id. Then I was looking through the logs but I didn’t really know what I was looking for. Mitre said to look at the processes it’s created and the powershell versions and that’s exactly what I did. So fun

nvm

Mitre has a special place in my heart

So helpful

The people that add new vulns and stuff to it are awsome

True

Day 1 with no caffeine, so sleepy

hour 5 (or something) with no nicotine

can't focus on work, my brain needs stimulance

Chew nicotine gum

Went to get snus

do some pushups and so to get some adrenaline and so

yes

situps also

or whatever is english word

Got plenty of adrenaline, just can't focus

does music help

You can do this! 💪

you got this

i'm almost 2 months

Drink tea jabba

Atleast it’s not bad chemicals

that had caffeine

Yeah

I mean caffeine isn’t bad in small amounts

@mossy river find something with B vitamins. Helped me quit

Depends if Jabba is going cold turkey or not.

It’s just the Red Bull is filled with chemicals

True

Just drink water for the energy

Like I’m drinking coffee right now

It’s not the best tho

eat some feuits

Water on top 🔝

great

Favorite fruit Darek?

Hey there THM 👋

pineapple

A pineapple, the fruit the eats you back.

Yall seen pineapple under a microscope

It’s like tiny needles

Kiwi is my favourtie fruit

Kiwi is good

I looovvvveeee apples

I love putting apples in my chicken nuggets.

Yup, you heard that right.

hi

when you watch to much of horror movies and then you meet girl named Carrie. frack

Oh my

when you know you've taken on a biiiiig project

this is going to be fun to finish soon™️

Good job :)

zipping 64gb of pdf's with 30mb speed =/

HI world and officials , I just have a question .. Does is it hard to make a OS that works and survive themselves ... Any GUIDE to make a OS + ARTIFICIAL Intelligence + botnet + CYbersecurity + rescource montinoring and helping people by themselves and maintain peace in furture ... IF we combine all this software and make a program that works on my system and help humanity ..

Why would you need a botnet? 🤔

i need only guiidlines and discussion about it nothing else

In order to have that discussion, I'd like to know why you want something that can be illegal.

its not illegal ...

If you create a botnet without the owners permission, yes it is. 🙂

And the most use case of botnets is also illegal.

What's your defenition of botnet then?

Maybe ur thinking about something different

that was also mi toight. wrong definition

botnet is a like for me group of computer that is infected by my program and they monitor all resources and all working all around the world and they activate themselves when user types something illegal or do something illegal ..

why is this so haaaard

"infected" is a suspicious word there.

I keep running into learning opportunities

the infected part is issue as scrub says.

This is bad idea from the get go, and I'd be surprised if anybody would let you "infect" them

Please don't ask in this server.

got up

sorry

Scruuubz help me, I don't know kotlin or enough in android development to solve this

This server is for TryHackMe, a website which is dedicated to teaching Cyber-Security in ethical and legal standards, methods..

if you pc or so is infected without you knowledge or you didn't alloved is illegal

as i think hacking is a art . THe things we read or see is just a part of our imagination ..

Nah, the last part no

you can make you own os and so what you stated. the botnet is illegal

It's an art, but must be so legally and ethically.

ik can u tell me any book

im working hard on C

you can buy/rent servers and so to have that thing in larger power and so. but botnet is not legal

google

i have a question CAn i build my own hardware server

it seems excited ..

You can build your own server very easily.

Of course that's possible

That's the way I became interested in computers / cyber

Virtual box?

I built my own pc

VB can be used, yeah.

You can create a "virtual" server on your laptop.

That's what I done for my AD network.

are u in windows or linuxc

Windows as daily

how

But there are many people who use Linux as daily

u have to purchase it i think

Yes

if u build ur own system

Usually your computer comes with windows right

Yep

Usually.

Self-built, no

lmao i dont have money ...

You can buy hardware which don't have an OS, or created pc's.

i am out of money here ..

what made u interested in digital forencis

i think u are like me ..

I like both Red and blue team.

Blue team because I like peicing together the narratrive and means for criminals doing what they do.

i like both too but interested in foreincs science

i have reading a article about hacking in ToR and some people has installed some hardware on keyboard that collect every key stroke .. how to detect them ..

AV is a good way to detect them, assuming they're in the database.

nahhh they use hardware not software and creates a funnel through ur system

ubuntu 24.04 install setup kinda fire

The traffic for that has to go through your computer. (Assuming they just sell the keyboards) So there is a high chance something / someone detects it

yeah when i see that stuff it made me worried did someone is seeing me through my keyboard and my private life ..

True

Last help before i got to study

Go ahead

suppose we have a wireshark can we add wireshark and load a script into it to break firewall of any system ..

and how to create own defensive system i read all books available online ..

This isn't what Wireshark is used for.

wireshark is hard to understood

You got me confused

Wireshark is for monitoring traffic

does its possible

And blocking traffic

All kinds of stuff

It’s more used as a blue team tool.

we can attach a script of data frames and try to make a digital signature ..

Wat?

Yeah it can't block traffic right?

wireshark doesn't do IPS stuff

Nope.

I’m thinking of zeek then

neither does zeek lol

Hm

Nvm

Snort

snort / suricata

Ignore the blocking traffic part

u all are confusing me i think i have too again start with OSI model

Sorry

I’m confusing you

Start with the fundementals, you seem entirely new to this.

hello, I can't use the code I received because I have a £5 reward because I used a link from my friend to sign up, how do I please? (I've spent 3 hours on it and I can't do it)

i am not new

@rapid merlin

@rapid merlin Wireshark is just a piece of software for monitoring network traffic, that's all

please ^^

can we upgrade them for our purposes just as all defense agency do ...

The $5 is a discount for a premium subscription, and should be applied automatically to your credit

No...

ok

You have other tools for that kind of things

name them

Depends. What do you want it to do?

I'd like to buy the premium, it has to “enter the coupon” but when I put it in it's invalid.

u tell me tools

is that where the name comes from? lol

that's the only thing that give it name

I’m trying to think how I thought wireshark was blocking traffic. I remember blocking and dropping packets. That might be snort and I’m getting them mixed up

thoes data must taste great

that being said you can see a lot with wireshark and there's so so many options to play with, the stuff on THM barely scratches the surface

nom

So I looked into this

Nmap / metasploit for scripts

It isn't the fibre they like, it's the electricity that runs alongside it to power the amplifiers

I'm not sure sorry, you'll have to contact the team at support@tryhackme.com

yes. i was reading of it. the electricity of it. they can "smell" it. or smth like that

they have that sensors thing

ok ok

@rapid merlin Please do not spread unfounded conspiracy theories here.

Darpa is not even the right organization, at least get the basics if you want to be belivable

ik

but i am curious who is behind the walls and watching everything and protecting world

"wireshark is too hard to understand"
"i studied at the top agencies"

I doubt they studied at DARPA for a few reasons but I'll keep those to myself

ooooh looking forward to see the room in room testing release

this was a fun one

SHADOWW! Long time!

*and says no more then this

ello ello vain

how're you doing today?

kinda tired.... and slightly drenched.... and very spooked from lightning bolt that struck closer then 500 meters away when shadow was outside

the heck?

so damn close

you good?

yeah

just huge amounts of adrenaline

lol, happens

adrenaline saves lives

how does the bot assign roles? Y'all have like wizard and God roles and i have a different one

Based on tryhackme activities?

it goes by your level on tryhackme

0day and johnMohomaad are they real ...

oh

yeah...

I wonder why anyone would ask that...

no they're AI generated

cool i have seem on yt

johnMOhamaad give too muchb sponsorship and make their videos boring ..

i knew it... all the time

Hey Alex 👋

so where are theyy

somewhere in the US

whats the best library in js to send verification emails?

i try to investigate and its hard but no difficult

ik where 0day is. prob bussy

yeah a pure white hacker

what are you trying to do...

in a bunch of data centers owned by Microsoft

let me try my luck... @hasty sand are you AI generated person?

okk

0day was here in chat just a few hours ago getting asked about pentester.com and how it works and if he created it

got up

i have a questions

if all are white hat hackers here who are then black

the ones not here...

ok

the unethical hackers which yeah are not in here

👀

i think they are

STart people watch and respond when they have a right mood to win the match

as we known as active reconn

There are definitely grey/black hat hackers here

I even got blue and green hats in my closet. 😎

They just don't expose themselves

okkk

Discussion of illegal or unethical activities are not allowed here.
What people do outside of here is left to the proper authorities, as it should be.

Why it's saying virus?

Firefox browser

Usually because there's a command in there in text that it doesn't like

but it's just a pdf

is it ?

If it acts like malware it will be treated as such.

It's scanning the text in pdf??

Which has text in it

The PDF file actually has the text in the raw bytes

it svans more than just a text

oh

If you don't trust it, simply do not download it

in short it looks for all the things, no meather what extension is

I downloaded it from chrome didn't detected it

Ok but it's still the same file

So again, if you don't trust it, don't download it.

k

GTA VI radio is savage af =/

how do you know 👀

i listen it

👀

can anyone know how this ussd code works

and how specfic number like calling police or medical help done ..

You dial your local emergency phone number...

how our phone knows its a local number

where the number has to be procceed

magic

magic radio stuff

magic

Funny enough you can call 911 and if your country is in another country apart from the US it will auto route it to the respective emergency number

same with 112

Yeah that's what i meant

https://tenor.com/view/the-studio-whats-up-losers-the-mentor-whats-up-losers-gif-17315226

yup, it intercepts and reroutes

is it possible to create own emergency number

no

No

no. if you are not gov

why

Why would you do that anyway

cos you are not gov

And it would be considered illegal

tell me about the book i gain information about my own

What?

huh

🤨

How will it actually work when there is no emergency service to help u out in case of an emergency

Read about how telephone exchanges work

what the fresh turkey

tyy

We get some silly geese in here lol

Creating a phone number for your own use with an IVR on it isn't illegal

It'll be a long number though

https://tenor.com/view/01189998819991197253-maurice-moss-the-it-crowd-emergency-gif-15186743

tyy

I think at that rate id just dial 911

bro u are genuis

Hey they didn't ask if it was a good idea

Fair kek

ah yes from the epsiode where emailing the fire department about a fire works out

and creating numbers for use like business and stuff is not super hard either but yeah area codes

with email verifications, what do they normally put after in the parameter of the verification url, is it just random bytes?

for example if you decide to open up a pizzeria

Have you researched this?

what ive found is just random bytes

"Email verification implementations"
"Email verification security"

"what is email"

“is email?”

email == epost

A very specific epost

https://tenor.com/view/you-have-mail-mailbox-gif-11623462

as everyone knows the best encryptions methods in cryptography does anyone know latest one on this field ..

that is hard to crack

md5

isnt that a hash?

md4 better

Let's not troll users...

Or am i silly?

fair yea

One Time Pads

google it lol

well... veracrypt do the pretty good job

Not the latest but fully impossible to crack

How is it impossible to crack?

yeah one time pads is basically the best if you need aboslute protection against decryption

cool i want to try on it

but it is not very convienet

AES with a sufficiently long key.

random key and the key is only used once for one message after which it is never used again.... making it virtually impossible to crack

If you are talking about device or drive encryption, veracrypt as ralex suggested.

https://tenor.com/view/dumb-and-dumber-lloyd-theres-a-chance-jim-carrey-gif-11098164

Drawback is that the key is the same size as the cipher, so encrypting large things with it becomes very difficult.

With all this talk about encryption anyone have good videos for learning this stuff a little better?

I can offer you cryptohack.org, which is not a video but good for learning.

kk thanks!

I‘m personally more of a bang-my-head-against-the-problem-until-I-win-kind of guy.

Nature of XOR with key length = plaintext length
You can make it say anything you want.
I could give you two different keys for the same ciphertext and you'd get two different messages

Wait the same data can be decrypted into two messages?

I'd demonstrate but my laptop is off

With one time pads

Oo thats really cool

It's as many plaintexts as there are permutations of the input

Let me do the honors then, I suppose.

it seems like they use a random string then assign that to a whole new token db and when u click on the link it checks if the parameter matches with the one in the db then their account is set to verified, but i couldnt find how to make it time sensitive, so ig is it that they just add the time of sending to the db and if it is longer than 30s away then the link is made invalid?

You just store a timestamp?

yeah tahts what i thought

Storing Unix timestamps is easy

yeah

is it nessesary to use a whole other db for the tokens

u seems pro in cybersecurity .. I want to match with u in furture

A whole other table

and scrub too

I am a pro, by the definition of professional

It's what I do for money

oh yeah ofc

I'm nowhere near a pro.

As in know what i do, or professional.

But that time will come.

https://tenor.com/view/snicker_doodle7-chips-man-eating-chips-dude-eating-chips-gif-22845702

Eh I don't doubt we'd hire you immediately, sadly there's the geographical challenges

'Hello TryHackMe'
XORed with
'af48e8d9f82a6d' (key in hex)
becomes
ç-„µ—
7¦Ö�‰º“g

Do it with hex but yeah

Add a cheeky tohex on the end in cyberchef

Feel like this shows it better. ;)

In hex, the result would be e72d84b5970a37a6d60089ba936706.

Also my key is too short.

I'm silly.

do it with cryptographical tokens, this way you can reduce load on DB and add time limit as well

Would need to be twice as long for it to be a true OTP.

Aw man 😦

Your company should move up here then 😄

Depends if its treating the hex string as UTF8 or decoding to raw bytes

I treated it as hex input. 😅

So 15 nibbles, which doesn't even go up to 8 full bytes, lmao.

surely id have to save it to the db anyway, no?

nope

someone hired me too if one's place is left tho as i am mostly foodie ...

That's the bonus of cryptography, you can remove some load from the DB

oh so i like encrypt the email of the user put it in the verification link, then when they open it it just verifies that email

protonmail offers some encryption by default

Check it out
https://jwt.io/

ohh use jwt

got it

i have a question i am using virus total to scan an exectutable my problem is that some av engines found it as malware but virus total dont let me to click on thoose to see more details? Do i need to have any paid versions of virus total?

it depend if signature is on that AV

and many other things

IIRC you can't click on the vendor analysis

how to contact facebook? regarding in this...

Regarding what?

ok thnx

could not send a pic

You need to be verified to do that.

Description can work.

or

https://snipboard.io/EkQBaI.jpg

i use snipboard then

What's the query?

ah, I see

Meta/Facebook support.

But, frankly, using JWT might overcomplicate things too much. Pretty much almost any cryptographically signed token would be enough, you should just verify it on the server side.

It says "Review requested", I assume you've requested one alredy?

o ffc... i was try to click logout... dear lord

i think its over a month based on what i read on some acticle that it also consist of 30days

A month often is 30 days

Wise words

If you broke Facebook's rules though, there's nothing you can do

You broke their ToS, so they're enforcing it

i think i did not because i only use messenger not really much used..

Then your appeal should be successful

But there is nothing more you can do.

yeah probably but it was over a month this time

Ok, so?

It's their platform

i mean its litch just 1 line of code basically so isnt that complicated

trying to email the facebook support but i got no response hhehe

Wait patiently "hhehe".

same i did on my past account same situation

You broke the ToS on two accounts?

💀 That's not looking good.

but based on rules that i read from fb maybe the violation i get are not using my real name on it

Love me some damn fine mead on a Sunday afternoon

or i think i'm being mass report from the user

Ususally they send you a mail to change it.

for unknown reason

https://tenor.com/view/cheers-dwight-the-general-manfredi-sylvester-stallone-tulsa-king-s1e6-gif-27284894

I FOUND THE SOLUTION

nope the past account i talk that already gone was year 2021

🥳

they did not hahah

finally gotten past an issue I have been sitting with for hours

🤷 Not much we can suggest then.

found a new interesting website: https://roadmap.sh/

@chilly veldt You'd be proud of me as a Scandanavian. Got a glass of mead in my hand

ew

just need an arrow to the knee.

WYM EW

drinking on a sunday?

that's not scandinavian

yeah drinking on sundays is eeeew

At that point. Lemme just throw in some juniper berries

sunday is the recovery from hangover day

we got work tomorrow

Well, US got memorial day tomorrow

We got a bank holiday tomorrow.

Not that it means anything to me, I don't have any classes until September.