Posts by Sophie
-
2021-12-20 at 4:49 PM UTC in Shadow Courts on the Dark Web
Originally posted by vindicktive vinny maybe i would.
i've bought a few fake stuffs online simply because i was gambling on the chances that the seller could be authentically honest, decent person.
The red flags are the fact the source code is heavily obfuscated, and the fact you're just supposed to take someone's word for it. If i were to send you offensive security tooling i wouldn't obfuscate the source code. But the onus is still kind of on you if you can't read the source. -
2021-12-20 at 4:16 PM UTC in Shadow Courts on the Dark Web
Originally posted by vindicktive vinny the unlucky ones.
Luck has nothing to do with it, if you're an idiot and don't know what you are doing. Don't have the ability to read/interpret the source code of whatever it is that you are purchasing, fail to take precautions and suck at RE, then it's not so much a matter of luck as it is a matter of incompetence.
Imagine if i posted a heavily obfuscated Shell Script, and i told you it did X, would you just blindly trust me and run it?
If a person is a Black Hat they should know that all other Black hats are just as much their potential adversaries as anyone. -
2021-12-20 at 4:12 PM UTC in i got a coil of steel wire
-
2021-12-20 at 4:05 PM UTC in Vaccine certificate security
While we're on the topic of QR codes i recently got tooling that allows for the fuzzing of various QR Code readers for vulnerabilities. It seems to be geared towards web apps that can read QR codes, but it provides capabilities to fuzz for command injection and allows you to include your own custom list of payloads as well. It would be dope if we were able to have the verification app read a malicious QR code, that forces the app to always approve it no questions asked. But that seems rather unlikely, we may be able to simply crash the app or something of the sort. That would be cool.
In the last couple of weeks i have been gathering all the appropriate tooling for QR Code shenanigans, and reading up on the general security concepts surrounding it. Personally i think it's pretty fascinating. And with time i am sure i can come up with at least some shenanigans with regards to this whole subject of research. That said i am far from an expert in this particular niche, so if anyone wants to collab on something of the sort at a secure venue, please feel free to hit me up as well. -
2021-12-20 at 3:16 PM UTC in Vaccine certificate security
Hit me up if you want the sauce in question.
-
2021-12-20 at 3:15 PM UTC in Vaccine certificate security
Update. I got full source code on the verification app, both for apple and Android. I also have a number of test domains and examples used for development, plus a script that will independently retrieve certain resources related to the verification process and the way in which the QR Codes are structured and encoded.
The app requires the phone to be connected to the internet to verify the QR Code in question that is being scanned. -
2021-12-20 at 3:02 PM UTC in Grabbing Crypto Addresses with regex. And more.
Preamble
I'd like to use this thread as a bit of a resource to post regex that may be useful in filtering and identifying crypto addresses and other strings with regards to financial information.
regex
py_dict = {
    'legacy_btc': '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$',
    'segwit_btc': '^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$',
    'xmr': '4[0-9AB][123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{93}',
    'eth': '^0x[a-fA-F0-9]{40}$',
    'lite': '^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$',
    'dash': '^X[1-9A-HJ-NP-Za-km-z]{33}$',
    'ripple': '^r[0-9a-zA-Z]{24,34}$',
    'doge': '^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$',
}
This is a Python dictionary object that has regex for the crypto coins you can see defined. Dictionaries like this are handy for a number of reasons not least of all since it allows you to easily read/write JSON files. Therefore when it comes to any program that needs the ability to recognize certain strings as valid crypto addresses you can easily write a config file in JSON format to specify the types of coins you're after.
You could also have a dictionary like this in your malware, say a keylogger, so it can automatically recognize/grab/copy/replace any strings like this by comparing the keystrokes to your regexes. If you're gonna make a python keylogger though i do suggest you use the Ctypes lib, and create a proper keymap, like you would in a C or C++ based malware instead of relying on PyHook and such to hook the keyboard. On that note handling registry operations in Python with Ctypes is definitely the way to go as well.
Below is a small sample of regex, that should work with C++.
#include <regex>
using std::regex;

regex bitpat{ "^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$" };  // Bitcoin
regex litpat{ "^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$" };    // Litecoin
regex monpat{ "^4([0-9]|[A-B])(.){93}" };                // Monero
regex ethpat{ "^0x[a-fA-F0-9]{40}$" };                   // Ethereum
I had a bunch more regexes for CC info, important strings to do with banking such as IBAN and SEPA, but i got those on a box, that is currently offline and in need of some repairs i can't be assed to get the HDD and look for the specific files in question.
This is just a small sample size, please feel free to add some more.
Moar
Related to this, if you're in the business of hijacking API keys for payment processors the following might be for you. Not exactly regex but ways to verify the API tokens/secrets you may come across.
API verify and info
Paypal
Paypal client id and secret key
curl -v https://api.sandbox.paypal.com/v1/oauth2/token \
-H "Accept: application/json" \
-H "Accept-Language: en_US" \
-u "client_id:secret" \
-d "grant_type=client_credentials"
The access token can be further used to extract data from the PayPal API. More info
This can be verified using:
curl -v -X GET "https://api.sandbox.paypal.com/v1/identity/oauth2/userinfo?schema=paypalv1.1" -H "Content-Type: application/json" -H "Authorization: Bearer [ACCESS_TOKEN]"
Stripe
Stripe Live Token
curl https://api.stripe.com/v1/charges -u token_here:
Keep the colon at the end of the token to prevent cURL from requesting a password.
The token is always in the following format: `sk_live_24charshere`, where the `24charshere` part contains 24 characters from `a-z A-Z 0-9`. There is also a test key, which starts with `sk_test`, but this key is worthless since it is only used for testing purposes and most likely doesn't contain any sensitive information. The live key, on the other hand, can be used to extract/retrieve a lot of info — ranging from charges to the complete product list.
Keep in mind that you will never be able to get the full credit card information since Stripe only gives you the last 4 digits.
More info/complete documentation https://stripe.com/docs/api/authentication.
Razorpay
Razorpay API key and Secret key
This can be verified using:
curl -u <YOUR_KEY_ID>:<YOUR_KEY_SECRET> \
https://api.razorpay.com/v1/payments
Anyway figured i'd post it here to get a good list going and provide those that are/were unaware, with this information for your enjoyment. Got anything interesting to add? Please feel free to do so. -
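Added example, not part of the original post: the defender's counterpart to the key format described above, a scanner that flags Stripe secret keys left in config files or logs and reports them redacted so they can be rotated. The `sk_live_`/`sk_test_` prefixes and the 24-character body come from the post; accepting longer bodies (`{24,}`), the function names and the sample text are assumptions made for this example.

```python
import re

# Format as stated in the post: sk_live_ or sk_test_ plus 24 chars of [A-Za-z0-9].
# Assumption for this example: {24,} so longer key bodies are caught as well.
STRIPE_KEY = re.compile(r"\b(sk_(live|test)_)([A-Za-z0-9]{24,})\b")


def scan_text(text, source="<input>"):
    """Return one finding per key occurrence; the secret itself is never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in STRIPE_KEY.finditer(line):
            prefix, kind, body = m.group(1), m.group(2), m.group(3)
            findings.append({
                "source": source,
                "line": lineno,
                "kind": kind,
                # Live keys reach production data; test keys are still worth cleaning up.
                "severity": "critical" if kind == "live" else "low",
                # Keep only the last 4 chars so the key can be matched in the dashboard.
                "redacted": prefix + "*" * (len(body) - 4) + body[-4:],
            })
    return findings


def redact(text):
    """Replace every key body so the text can be pasted into a ticket or log."""
    return STRIPE_KEY.sub(lambda m: m.group(1) + "[REDACTED]", text)


# Constructed sample input; both keys are made up for this example.
FAKE_LIVE = "sk_live_" + "a1B2c3D4e5F6g7H8i9J0k1L2"
FAKE_TEST = "sk_test_" + "Z" * 24
SAMPLE = "\n".join([
    "# payment settings",
    "STRIPE_SECRET=" + FAKE_LIVE,
    'test_key = "' + FAKE_TEST + '"',
    "note: sk_live_short is too short to be a key",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "settings.env"):
        print(f"{f['source']}:{f['line']} {f['severity']} {f['redacted']}")
    print(redact(SAMPLE))
```

Any live key this finds should be rolled in the Stripe dashboard, not just deleted from the file, since it may already be in version history or logs.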
2021-12-20 at 11:39 AM UTC in If this little bitch wants to show off let her show off
Originally posted by Wariat me and her were talking right now she's sending me voice messages.
Assuming this thread is a truthful account of events, me saying you are not emotionally equipped to not damage this girl if you are to pursue a relationship with her, is not just for her benefit it's for yours too. From what you've posted she sounds like she has a pretty severe case of Borderline with Bipolar elements. If you are unable to navigate such an emotional state especially as they occur in teenagers, you won't just end up making her life more miserable, there is a good chance she is going to make your life miserable as well.
If you think teenagers are hard to deal with, a teenager with BPD/Bipolar is on another level. Do the both of you a favor, and drop this. If you pursue it anyway and it spectacularly backfires, don't say i didn't warn you. -
2021-12-20 at 9:35 AM UTC in The fat pigs upstairs aka my neighbors
Originally posted by aldra have you ever put something metal in the microwave? results are pretty funny
in one episode of archer they open the gas line, freeze a fork in a block of ice and put the block in the microwave as a sort of makeshift timer (ice melts, metal in microwave causes flare-up ignition of gas)
obviously not meant to be taken seriously but I still wonder if it'd work
Only one way to find out. I got a couple microwaves laying about for the high voltage circuitry and the magnetrons. I could probably set up some sort of test. -
2021-12-20 at 8:36 AM UTC in If this little bitch wants to show off let her show off
You're not mentally equipped to appropriately deal with her emotional well being.
-
2021-12-20 at 8:29 AM UTC in Ghislaine maxwell trial odd af
-
2021-12-20 at 6:59 AM UTC in Ghislaine maxwell trial odd af
-
2021-12-20 at 6:58 AM UTC in I think I lost my Health Insurance
I don't speak Danish, motherfucker. Danes are the homos of Europe.
-
2021-12-20 at 6:56 AM UTC in I think I lost my Health Insurance
-
2021-12-20 at 6:48 AM UTC in I think I lost my Health Insurance
Losing health insurance is impossible in my country. The law requires everyone to have health insurance, if you can't pay you get put in some government mutual fund and your fees double, you do not get a say in this. If you get hurt or sick the government will pay the bills from that mutual fund. They'll only send our equivalent of the IRS after you when you go for benefits, or get a salary above a certain threshold.
-
2021-12-20 at 6:45 AM UTC in Ghislaine maxwell trial odd af
-
2021-12-20 at 6:41 AM UTC in The fat pigs upstairs aka my neighbors
-
2021-12-20 at 6:32 AM UTC in Sudo is full of gloom & doom...
Let me cast this intricate byzantine web of emotional tests to see if you're allowed into the inner sanctum of my mind. I will judge you and you will be found wanting. Unless you are extraordinary.
I can see my folly. Yet it traps me as much as it traps those around me.
BPD Wisdom, yo. -
2021-12-20 at 6:29 AM UTC in Sudo is full of gloom & doom...
Anyway, i'm about to pick up a bottle of fentanyl solution. Word up.
-
2021-12-20 at 6:27 AM UTC in Sudo is full of gloom & doom...
Originally posted by Sudo I went to a psychologist the other day for the first time so was going over a timeline of my life and when I mentioned opiate addiction she interrupted me to tell me about the time she broke her wrist skiing then got injected with fentanyl and loved it. Then she told me the same story again later in the session.
I think she was trying to see if I would offer to get her fentanyl
Psychology departments get filled with neuro-deficients. I went to a psychologist once, she was this brunette straight outta college. She was hot so i couldn't help myself and charmed her. She wanted the D. this is going to sound silly but after i charmed her i was kind of disappointed. I thought you're supposed to help me bitch, if you can't see through the smoke and mirrors, you ain't gonna manage that. i realize that's a very borderline line of thinking but that's why i was there in the first place.