Nytro

CRYPTOGRAPHY CHEAT SHEET FOR BEGINNERS 1 What is cryptography? Cryptography is a collection of techniques for: concealing data transmitted over insecure channels validating message integrity and authenticity 2 Some cryptographic terms plaintext – a message or other data in readable form ciphertext – a message concealed for transmission or storage encryption – transforming plaintext into ciphertext decryption – transforming ciphertext back into plaintext key – an input to an encryption or decryption algorithm that determines the specific transformation applied hash – the output of an algorithm that produces a fixed N-bit output from any input of any size entropy – the number of possible states of a system, or the number of bits in the shortest possible description of a quantity of data. This may be less than the size of the data if it is highly redundant. 3 Basic cryptographic algorithms 3.1 symmetric ciphers A symmetric cipher uses the same key for encryption and decryption. In semi-mathematical terms, encryption: ciphertext = E(plaintext, key) decryption: plaintext = D(ciphertext, key) Two parties that want to communicate via encryption must agree on a particular key to use, and sharing and protecting that key is often the most difficult part of protecting encryption security. The number of possible keys should be large enough that a third party can’t feasibly try all of the keys (“brute-forcing”) to see if one of them decrypts a message. 3.2 block ciphers A block cipher works on fixed-size units of plaintext to produce (usually) identically-sized units of ciphertext, or vice-versa. Example block ciphers: DES (the former Data Encryption Standard) with a 64-bit block and 56-bit keys, now obsolete because both the block size and key size are too small and allow for easy brute-forcing) AES (Advanced Encryption Standard, formerly known as Rijndael) with 128-bit blocks and keys of 128, 192, or 256 bits 3.3 stream ciphers A stream cipher produces a stream of random bits based on a key that can be combined (usually using XOR) with data for encryption or decryption. Example stream ciphers: Chacha20 RC4 (now considered too weak to use) 3.4 public-key (or asymmetric) ciphers A public-key cipher has two complementary keys K1 and K2 such that one can reverse what the other one does, or in symbolic terms: ciphertext = E(plaintext, K1) or E(plaintext, K2) plaintext = D(ciphertext, K2) or D(plaintext, K1) Unlike a symmetric cipher, where the key must be kept secret between parties at all times, a public-key algorithm allows one (but only one!) of the keys to be revealed in public, making it possible to send encrypted messages without having previously arranged to share a key. Example public-key algorithms: RSA (from the initials of its creators Rivest, Shamir, Adelman) based on modular arithmetic using large prime numbers and the difficulty of factoring large numbers. At this time 2048-bit primes are considered necessary to create secure RSA keys (factorization of keys based on 512-bit primes has already been demonstrated and 1024-bit keys appear feasible) Elliptic Curve algorithms based on integers and modular arithmetic satisfying an equation of the form y^2 = x^3 + a*x + b. Elliptic curve keys can be much shorter (256-bit EC keys are considered roughly equivalent to 3072-bit RSA keys). However, public-key algorithms are much (hundreds to thousands) of times slower than symmetric algorithms, making it expensive to send large amounts of data using only public-key encryption. However, public-key algorithms do provide a secure way to transmit symmetric cipher keys. 3.5 Diffie-Hellman key exchange An algorithm that allows two parties to create a shared secret through a public exchange from which an eavesdropper cannot feasibly infer the secret. Useful for establishing a shared symmetric key for encrypted communication. Diffie-Hellman can be peformed using either modular arithmetic with large prime numbers or with elliptic-curve fields. Diffie-Hellman is also usually the basis of “forward secrecy”. One method of key exchange possible in SSL/TLS is simply using a public-key algorithm to send a key between a client and a server. However, if the private key of that SSL/TLS certificate is later exposed, someone who monitored and recorded session traffic could decrypt all the keys used in the sessions they recorded. Forward secrecy not only involves setting up unique, random session keys for each communication session, but also using an algorithm like Diffie-Hellman which establishes those keys in a way that is inaccessible to an eavesdropper. 3.6 hash algorithms A hash (or cryptographic checksum) reduces input data (of any size) to a fixed-size N-bit value. In particular for cryptographic use a hash has these properties: two different inputs are very unlikely to produce the same hash (“collision”). it should be very difficult to find another input that produces any specified hash value (“preimage”) even a one-bit change in the input should produce a hash that is different in about N/2 bits Note that because the possible number of inputs to a hash function is much larger than the hash function output, there is always some small probability of collision or of finding a preimage. In the ideal case an N-bit hash has a 2^-(N/2) probability of collision for two randomly-chosen large inputs (look up the “birthday problem” for why it is N/2 and not N), and a 2^-N probability of a random input producing a specified hash value. Example hash algorithms: MD5 produces a 128-bit hash from its input. It has demonstrated collisions and feasible preimage computation and should not be used. SHA1 produces 160-bit hashes but has at least one demonstrated collision and is also deprecated for cryptographic use (however, it is still used in git because it is still workable as a hash function). SHA-256 produces 256-bit hashes. SHA-224 is basically a SHA-256 hash truncated to 224 bits. Similarly, SHA-512 produces a 512-bit hash and SHA-384 truncates a SHA-512 hash to 384 bits. 3.7 cryptographic random number generators Many cryptographic methods require producing random numbers (such as for generating unique keys or identifiers). Traditional pseudo-random number generators produce output that can be highly predictable, as well as often starting from known states and having relatively small periods (such as 2^32). A cryptographic random number generator must make it very difficult to determine the prior (or future) state of the generator from its current output, as well as have enough entropy to generate sufficiently large random numbers. Once the Debian maintainers made a seemingly innocuous patch to the OpenSSL random number generator initialization. The unintended consequence was that it effectively seeded the generator with only about 16 bits of entropy, meaning that in particular ssh-keygen generated only about 2^16 possible 2048-bit SSH host keys when it really should have been capable of generating over 2^2000. Once this was discovered and patched a lot of people had to change their host keys (or risk “man-in-the middle” impersonation attacks). Finding useful random input to make a cryptographic random number generator truly unpredictable can be difficult. Many systems attempt to collect physically random input (such as timing of disk I/O, network packets, or keyboard input) that is “mixed” into existing random state using a cipher or cryptographic hash. 4 Cryptographic Protocols The algorithms described above are building blocks for methods of secure communication. A particular combination of these basic algorithms applied in a particular way is a cryptographic protocol. 4.1 cipher modes The simplest thing you can do with a block cipher is break plaintext up into blocks, then encrypt each block with your chosen key (also called ECB for “Electronic Code Book”, by analogy with codes that simply substituted code words). Unfortunately this leads to a weakness: if you a particular plaintext block is repeated in the input the ciphertext block also repeats in the output. This can easily happen in English text if a phrase just happens to line up with a block the same way more than once. There are other ways to use block ciphers to avoid this. The simplest is CBC or “Cipher Block Chaining” where the previous ciphertext block is XORed with the current plaintext block before encrypting it. This is reversible by decrypting a ciphertext block, then XORing the previous ciphertext block with that to recover the plaintext. There are other modes like OFB (“Output FeedBack”) that combine ciphertext and plaintext in more complicated but reversible ways so that repeated plaintext blocks won’t result in repeated ciphertext blocks. These modes also often depend on an “initialization vector” which is typically some cryptograpically random value that makes the initial state of the encryption unpredictable to an outside observer. 4.2 message signing Someone who has created a public key pair (K1, K2) and published a public key (let’s say that’s K2) can encrypt a message using their private key K1, and anyone can validate that the message came from that sender by decrypting it with the public key K2. Due to the much higher computational cost of encrypting data with public-key algorithms, usually the signer actually encrypts only a cryptographic hash of the original message. A sender can also send a plaintext message along with a signature created with their private key if the privacy of the message is not important but validating the identity of the sender is. Message signing is also the basis of SSL/TLS certificate validation. A certificate contains a public key and a signature of that key generated with the private key of a trusted certificate authority. An SSL/TLS client (such as a web browser) can confirm the authenticity of the public key by validating the certificate signature using the public key of the certificate authority that signed it. An SSL/TLS client can validate the identity of a server by encrypting a large random number with the public key in the server certificate. If the server can decrypt the random number with its private key and return it, the client can assume the server is what it says it is. “Self-signed” certificates are merely public keys signed with the corresponding private key. This isn’t as trustworthy (assuming you have reasons to trust a certificate authority) but also doesn’t require interaction with a certificate authority. However, ultimately the buck has to stop somewhere and even certificate authority “root certificates” are self-signed. Rather than the centralized certificate authority model (where certain authorities are trusted to sign certificates) email encryption tools like GPG have a “web of trust” model where someone’s public key can be signed by many other individuals or entities, so that if you trust at least some of those others it gives you greater assurance that a public key is valid and belongs to the indicated person. Without any such signatures, someone could presumably publish a key purporting to be someone else and there’d be no easy way to validate it. 4.3 secure email If you want people to be able to send you secure email (such as with PGP, GPG, or S/MIME) you create a public key pair (K1, K2) and publish the public key K2. Someone who wants to send you mail picks a cipher and generates a unique, random key for that cipher. They encrypt their plaintext message with that cipher and key and encrypt the key with your public key, and send you a message containing the ciphertext, the cipher algorithm they used, and the encrypted cipher key. You can decrypt the cipher key with your private key, and then decrypt their message from the ciphertext and indicated cipher. Note that for this model to work everyone who wants to receive encrypted email has to publish a public key. 4.4 SSL/TLS SSL (Secure Sockets Layer, now deprecated) and TLS (Transport Layer Security) use all of the above cryptographic primitives to secure data sent over a network. As a result the protocol is rather complicated, but in summary does these things: client and server agree on a “cipher suite” to use, which consists of: a method for key exchange (via the public/private key pair in a certificate or Diffie=Hellman key exchange) a method for server validation (based on the public-key algorithm used in its certificate) a symmetric cipher for bulk data encryption a hash algorithm to use for message authentication, actually an HMAC or “Hashed Message Authentication Code” that hashes a combination of a secret key and the data) establish random shared key for the symmetric cipher and HMAC using the specified key exchange method transmits data using the specified symmetric cipher and HMAC algorithms 5 Cryptanalysis Cryptanalysis is the study of weaknesses in cryptographic algorithms and protocols. In general, good algorithms and protocols have been subjected to lots of public cryptanalysis that has not resulted in attacks that are significantly better than brute-force. It’s a complex topic, and this is a pretty good introduction: https://research.checkpoint.com/cryptographic-attacks-a-guide-for-the-perplexed 6 Cryptographic tools 6.1 OpenSSL Although it’s taken a lot of heat for some of its previous security issues (particularly “Heartbleed”), it’s still the most widely used cryptographic library because of its portability and completeness. The openssl command-line utility also provideas a lot of useful functionality. It can be used to create certificate requests or even to sign certificates, encrypt/decrypt files, transform several kinds of file formats used for cryptographic data, and more. Of particular use is the openssl s_client command which can initiate an SSL/TLS client connection, but more importantly shows a lot of useful debugging data about the protocol negotiation including the certificate and cipher suite properties. 6.2 gnutls The GNU Project’s SSL/TLS library, which includes a gnutls-cli utility with similar (but less extensive) functionality for SSL/TLS client connections and encryption/decryption. 6.3 gnupg Primarily intended for encrypting or decrypting secure mail messages, it also provides some functionality for encrypting or decrypting files and creating or validating signatures. 7 General cryptographic advice 7.1 Use established, publicly analyzed algorithms and tools Schneier’s Law: “Anyone can create an algorithm that they can’t break.” https://www.schneier.com/blog/archives/2011/04/schneiers_law.html Resist the urge to create and use your own cryptographic algorithms and protocols. Cryptography is hard and even expert cryptographers have created methods that, once exposed to public analysis, have turned out to be easy to break. 7.2 Zealously protect keys and credentials Often the easiest way to break a cryptographic system is to find the keys being used. This may be easier than you think. What if you left that certificate private key in a publicly-readable file? What if it’s copied into backups that are available to other untrusted users? Think carefully about how you handle and store that kind of sensitive material. Sursa: https://cybercoastal.com/cryptography-cheat-sheet-for-beginners/

Pff, ai scos layer-ul pe care l-am pus in Photoshop Microsoft Power!

Salut, nu ai ce face cu un botnet, sugestia noastra e sa iti gasesti ceva mai util de facut. Nu mai suntem prin anii 2000, haideti sa evoluam si noi.

Gata, sunt vaccinat cu prima doza. Abia am simtit cand mi-au facut vaccinul. Nu am putut sa fac poza/filmez ca doamna de acolo nu a fost de acord si nu am insistat. A fost totul OK pana am plecat de acolo, apoi am crezut ca nu mai ajung in viata acasa... Conducea tipul de pe Uber de parca era la raliu. Stiam eu ca vaccinul ii afecteaza si pe cei din jur! Nu am avut febra sau alte simptome dupa, deloc. Doar o mica durere la locul injectarii cand apasam pe zona.

Cel mai probabil trebuie sa prinzi pachetele care cu (SRC IP: al tau si DST PORT 80) + (DST IP: al tau si SRC PORT 80), adica request-urile si response-urile. Cred ca e deajuns daca cauti pachetele pe portul 80 (si src si dst). Intra in browser si scrie http://blabla.com - sa pui acel http inainte, ca sa fortezi traficul pe http. Si ar trebui sa apara, doar sa te asiguri ca sniffing-ul se face pe interfata corecta (eth0 sau ce o fi).

Salut, nu stiu daca am inteles unde ai probleme, mi se pare ca esti pe drumul cel bun.

Exemplu https://portswigger.net/support/configuring-an-android-device-to-work-with-burp

Da, mai am un prieten care a avut simptome similare. PS: Nu face "submarin" (shot pus in halba) cu bere si gin, e crunt.

Saptamana asta ma vaccinez. O sa fie Pfizer. Nu am stiut asta cand am ales centrul, dar de ceva timp, pe harta cu centrele, apare si vaccinul care se foloseste in fiecare centru de vaccinare. Incerc sa fac poza cand ma vaccinez.

Sincer, in loc sa te chinui asa, vorbeste frumos cu tanti aia si convinge-o ca ea oricum plateste netul si ca nu are nimic de pierdut ca il folosesti.

Salut, o mica problema, cei care mi-au trimis donatii sa imi dea PM in care sa imi zica numele cu care au trimis. Ideea e ca nu stiu exact care useri au trimis, vreau sa postez lista de useri care au donat, nu numele lor. Datele CTF: 17-18 aprilie Categorie: Incepatori Tip: Individual Premii: 3500 RON+ Platforma are inregistrarile deschise: https://ctf.rstforums.com/ Daca sunt persoane care pot ajuta cu exercitii, nu foarte dificile, astept PM.

Sunt programat saptamana asta. Sper sa pot face poza/video. De unde ai scos tu procentul de 50%? Suna a Antena3/Romania TV/Realitatea sau chiar ortodoxinfo. Tocmai am intrat pe mizeria aia de site, ai nevoie de maxim 2 clase ca sa citesti ce scrie acolo. Ar trebui sa iti alegi si tu niste surse de informare mai bune sau sa discuti cu niste medici. Da un telefon la medicul de familie si vezi ce zice macar. Banuiesc ca nu ai prieteni mai educati cu care sa discuti, sau doctori. Eu cunosc si doctori si s-au vaccinat si ei si familiile lor si recomanda tuturor sa faca asta. Dar tot nu aduci argumente. Argumente. Stii ce zic? Adica nu idei idioate, fara nicio baza reala. Trebuie sa crezi ce zic, eu sunt la conducerea Noii Ordini Mondiale. Daca nu crezi, demonstreaza ca nu sunt.

Salut, nu ar fi o mutare rea, cererea de persoane in domeniu e in crestere, inclusiv in Romania. Interviurile contin tot felul de intrebari, atat generale de security din orice ramura a acesteia, cat mai ales din ce are nevoie fiecare firma in parte. Cele mai multe firme cred ca lucreaza cu aplicatii web si acolo sunt necesare cunostiinte detaliate de vulnerabilitati web. Nu stiu cat de mult ajuta un master, cel putin in tara. E bine sa il ai daca nu te incurca cu nimic, daca doar mergi acolo din cand in cand si la examene. Cam asa e cu partea de security, job-uri pe parte de defensive, de analiza de atacuri, SOC (Security Operations Center) si altele unde ajuta cunostiintele de administrator de sistem si parte de offensive unde skill-urile necesara sunt putin diferite, dar nu cu mult - putina programare ajuta aici, destul de mult, protocoale si multe altele.

SUSPECTE. Daca cineva se vaccineaza si ulterior moare, din orice fel de conditie medicala, se ia in considerare si vaccinul. Asta nu inseamna ca vaccinul e de vina. "99 circumstanțe sociale incl. 2 decese 138 Proceduri chirurgicale și medicale incl. 4 decese 1.977 Tulburări oculare incl. 1 moarte 2.676 Tulburări de metabolism și nutriție incl. 5 decese" Sunt cateva exemple. Totusi, vaccinul asta e super-criminal daca ucide din tot felul de astfel de motive. Apoi: - 4000 de decese POSIBIL (desi slabe sanse) - 138 de MILIOANE de vaccinari - Decese Covid-19 - 2.84 MILIOANE Covid: Cases 130M 130,000,000 Recovered 73.9M 73,900,000 Deaths 2.84M 2,840,000 Adica, pe scurt, pentru cei care nu stiu sa citeasca: - 130 de milioane de cazuri de Covid rezulta in 2,84 MILIOANE de morti. Adica 2840000. - 130 de milioane de vaccinari anti-covid rezulta in POATE 4000 de morti. Adica 4000. Hai sa nu ne vaccinam, nu? Multi oameni fara simt elementar de logica. Va meritati soarta.

Salut, nu poti sa il decriptezi pentru ca nu e criptat. E probabil un format binar, acei bytes in hex au ceva insemnatate. E dificil sa faci "reversing" pe un astfel de text, poti sa deduci anumite lucruri, dar complet e foarte greu. O solutie ar fi sa stii ce program in genereaza si reverse engineering pe el ar trebui sa spuna cam ce contine fisierul.

Nu e o prostie, o sa iti dovedesc, iti dau un link prin care sa te inregistrezi. Si va puteti inregistra toti, o sa ploua cu bani pe voi!!! PS: Glumesc, evident Da, nu am idee daca se poate face ceva. Nu stiu daca incalca ceva legi si nici ce s-ar putea face in aceasta privinta, desi e o forma de inselaciune. Pana la urma, Darwin stia ce zice.

Cica documentul ar fi semnat de anumiti medici doar ca ei nu stiu ca au facut asta. Penibil, fake news De fapt textul se vede ca e scris de o Karen pe WC, nu de medici.

Poate asta: https://chrome.google.com/webstore/detail/tweetbot-marketing-bot-fo/lnafpokcmhignpnlaphmibphikenilin?hl=en

Optiunea 1: Instaleaza o masina virtuala cu Linux: gratuit Optiunea 2: Cumpara un VPS de la DigitalOcean sau Vultr: 5$ pe luna

Cred ca pe orice Android se poate instala un root CA care sa permita interceptarea traficului pentru aplicatiile care nu au SSL/TLS Pinning.

Poate merge si fara sa modifici codul. Intercepteaza traficul si vezi cum obtine datele. Apoi faci un script cu care le iei in acelasi mod si le stochezi cum vrei tu local.

La noi in echipa nu facem dezvoltare, noi doar crapam lucrurile

Am gasit coleg, doar ca am asteptat o gramada dupa el (sper sa merite, ba!). In prezent suntem 4 boschetari de pe forum in echipa. RST nu moare!

Lipseste o acolada. Foloseste un IDE decent si te ajuta.

Super. Da-mi PM, am doar cont bancar si Paypal. PS: Am strans ceva, merge bine treaba, cand ma intorc in oras ma apuc de treaba. De asemenea, oricine vrea sa faca exercitii, de orice fel, sa imi dea PM.