    zSecurity
      Bartosz

      Forum Replies Created

      • January 19, 2021 at 9:31 pm in reply to: bypassing https #51239
        Bartosz
        Participant

        Sorry, I rushed with my reply there! 🙂

        I see mitmproxy attempts to do exactly that. I thought you just listed other similar ways of downgrading the connection. Thanks, I will look into that. And I’ll be on the lookout for your posts on the topic 🙂

        Another thing, just a quick suggestion. Everyone is doing courses on “the cool stuff” like gaining access and hijacking webcams. But there is very little accessible knowledge on covering our tracks afterwards. Clearing logs etc. I’m not sure why, for me this concept is also fascinating, and regardless, it is very important. Maybe you guys would like to focus a little on that at some point 😉
        I know it’s beside the scope of this thread, but it’s all connected, and I won’t be creating another post just to suggest this to you, you obviously know stuff 😉

        Anyways, thanks again!

        January 19, 2021 at 9:22 pm in reply to: bypassing https #51238
        Bartosz
        Participant

        Hey, thanks for the comprehensive response!

        What I mean concerns more the client (target) side, not the server side. If you’re ever so kind to donate even more of your time to my question, here it is more detailed:

        // Let’s assume we want to become the MITM to gain access to the target. So no backdoors etc (if we already have access, we can pretty much do whatever anyways, right? :))

        So regardless of what method we choose as MITM, the target still connects through http. We can use SSLstrip or any other method, and sure it will work with many (most?) websites. But “work” means we will establish a connection, and as far as the server is concerned, we’re the client, so for them it looks like a legitimate https connection.

        But the client machine knows it’s connected through http. And that’s what concerns me. If the client is using any modern browser, it will surely let him know that this is not a private connection with flashy alerts and this pretty much raises a red flag. Even if the user has no knowledge of http(S) protocols, he or she will think twice before going further. If I remember right, on Chrome for example you need to click “advanced” and then “allow the connection anyways”, stating that you’re aware of how dangerous it might be.

        So that’s what I meant in the original question. Is there a way to fool the target into thinking it is actually connecting through https? (without having access to the target machine).

        April 26, 2020 at 9:09 am in reply to: backdoor: subprocess.Popen vs subprocess.check_output #34984
        Bartosz
        Participant

        I see.
        Makes sense 🙂
        Thank you!

        April 19, 2020 at 10:44 pm in reply to: socket.send() with Python3: encoding/decoding str to bytes, JSON problem #34454
        Bartosz
        Participant

        Ok, I figured it out 🙂
        For anyone interested, here goes the solution that worked for me:

        #####
        # json.dumps() takes a string, returns a string
        # json.loads() takes a string, bytes or bytearray, returns string
        # .encode() takes a string, returns bytes
        # .decode() takes bytes, returns a string
        #####

        So the simplified working version (just one message from host to client). This is the code after establishing the connection:
        <<HOST>>
        msg = input(">> ") # msg is a STRING
        msg_json = json.dumps(msg) # msg_json is a (serialized) STRING
        connection.send(msg_json.encode()) # since socket.send() in Python3 requires bytes, we use the .encode() function --> sending BYTES
        <<CLIENT>>
        msg_json_encoded = connection.recv(1024) # we receive the json-formatted BYTES
        ***msg_json_encoded.decode()*** – this step is not necessary, explained below*
        msg = json.loads(msg_json_encoded) # json.loads() does all the magic
        print(msg)

        * This is what json.loads() does: “Deserialize s (a str, bytes or bytearray instance containing a JSON document) to a Python object” Therefore it can handle bytes, we don’t need to use .decode() first. Learned that by accident 😀

        Ok, so not only does it work, it’s actually not that complicated 😀
        Still, if I may, I would like to know if it’s “right”?
        Meaning, is there a more elegant/efficient way of dealing with json and sockets in Python3?

        Thanks, sorry again for all the trouble!
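
Added example, not part of the original post or of the course code: a single `recv(1024)` can return only part of a JSON document, or several documents run together, because TCP is a byte stream with no message boundaries. The sketch below frames each message with a 4-byte length prefix and caps the declared length; the function names, the 1 MiB limit and the sample messages are assumptions made for this illustration.

```python
import json
import socket
import struct

MAX_MESSAGE = 1 << 20         # assumed 1 MiB cap on a declared message length
HEADER = struct.Struct("!I")  # 4-byte big-endian length prefix


def send_json(sock, obj):
    """Serialize obj and send it as <length><UTF-8 JSON bytes>."""
    payload = json.dumps(obj).encode("utf-8")
    if len(payload) > MAX_MESSAGE:
        raise ValueError("message too large")
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_exact(sock, n):
    """Read exactly n bytes; a single recv() may return fewer."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf.extend(chunk)
    return bytes(buf)


def recv_json(sock, max_len=MAX_MESSAGE):
    """Read one framed message, refusing oversized length prefixes."""
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > max_len:
        raise ValueError("declared length exceeds limit")
    return json.loads(recv_exact(sock, length))


def demo():
    """Round-trip two constructed messages over a local socket pair."""
    a, b = socket.socketpair()
    with a, b:
        big = {"output": "x" * 5000}  # longer than one recv(1024) would return
        send_json(a, "short message")
        send_json(a, big)
        return recv_json(b), recv_json(b) == big


if __name__ == "__main__":
    print(demo())
```

The length check runs before any payload bytes are read, so a peer that declares a huge length cannot make the receiver allocate or wait for it.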

        April 9, 2020 at 8:08 pm in reply to: error while using scapy.ARP #33527
        Bartosz
        Participant

        …but so many other features still don’t, that I’ve decided to roll back to 2.4.0, as you suggested 🙂

        Just wanted to share in case others experience similar issues.
        Thanks again!

        April 9, 2020 at 7:45 pm in reply to: error while using scapy.ARP #33525
        Bartosz
        Participant

        RESOLVED, thank you very much!

        version 2.4.2 works as well

        April 8, 2020 at 1:32 pm in reply to: error while using scapy.ARP #33431
        Bartosz
        Participant

        IMPORTANT NOTE:

        I just realized that feeding the function just a single IP works.

        So instead of using the range:
        scan("10.0.2.1/24")

        using just:
        scan("10.0.2.1.X")

        works as expected.
        How can I translate this functionality to use IP ranges?

      Copyright Β© 2022 Z IT SECURITY LTD t/a zSecurity. All rights reserved.

      • Privacy
      • Shipping
      • Refunds
      • Terms

      Contribute

      Share your knowledge with the world

      SUBMIT AN ARTICLE

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account


      Are you a member? Login now

      Enroll in this course to access this lesson!

      All of our courses include:

      βœ” Lifetime, unlimited access to course materials & training videos.

      βœ” Watch online or download lectures for offline use.

      βœ” Verifiable certificate of completion from zSecurity, signed by the course instructor, Zaid.

      βœ” Get answers from our Support Team within a maximum of 15 hours.

      βœ” Unlimited Updates.

      Get free 1 month VIP membership per course with:

      βœ” Live mentorship and Q&A session with the course instructor, Zaid.

      βœ” Instant support from community members through our private discord channel.

      βœ” Daily updates with the latest tutorials & news in the hacking world.

      βœ” Daily resources like CTFs, bug bounty programs, onion services and more!

      βœ” Access our VIP community & connect with like-minded people.

      βœ” Discounts on other zSecurity products and services.

      We are using cookies to give you the best experience on our website. This includes but is not limited to:

      • Storing your settings and preferences.
      • Remember your access information
      • Track website performance and make our website more relevant to you.

      You can find out more about which cookies we are using or switch them off in settings.

      Privacy Overview

      This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

      Strictly Necessary Cookies

      Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

      3rd Party Cookies

      This website uses Google Analytics and Linkedin to collect anonymous information such as the number of visitors to the site, and the most popular pages.

      Keeping this cookies enabled helps us to improve our website.

      Please enable Strictly Necessary Cookies first so that we can save your preferences!

      Powered by  GDPR Cookie Compliance