Skip to content

Instantly share code, notes, and snippets.

View BenBE's full-sized avatar

BenBE

120 followers · 72 following
View GitHub Profile
@achillean
achillean / ssh-fingerprints.csv
Created February 17, 2015 20:11
Top 1,000 Duplicate SSH Fingerprints on the Internet
dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0 245272
32:f9:38:a2:39:d0:c5:f5:ba:bd:b7:75:2b:00:f6:ab 197846
d0:db:8a:cb:74:c8:37:e4:9e:71:fc:7a:eb:d6:40:81 152046
34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6 140777
df:17:d6:57:7a:37:00:7a:87:5e:4e:ed:2f:a3:d5:dd 91904
81:96:a6:8c:3a:75:f3:be:84:5e:cc:99:a7:ab:3e:d9 80499
7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf 78172
1c:1e:29:43:d2:0c:c1:75:40:05:30:03:d4:02:d7:9b 71851
8b:75:88:08:41:78:11:5b:49:68:11:42:64:12:6d:49 70786
c2:77:c8:c5:72:17:e2:5b:4f:a2:4e:e3:04:0c:35:c9 68654
@rmhrisk
rmhrisk / WebPKI Business Sales.md
Last active March 25, 2024 17:33

WebPKI and Digital Signature related M&A + Investment + Public Offerings

  • This was inspired by Matt Suiche's great post on cyber security M&A related activity; there is some overlap but not much.
  • This is all public data.
  • I have also intentionally excluded sales of WebPKI key material, not only are these prices not public but they are usually very special cases that are in-essence impossible to compare effectively.
  • I have also included HSMs, Smart card, Digital signatures and CA related software companies in this list as it seems relevant.
Purchased Purchaser Date Price Structure Notes
@EdOverflow
EdOverflow / github_bugbountyhunting.md
Last active May 22, 2024 09:01
My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output
@benaryorg
benaryorg / cat.hs
Last active September 20, 2017 22:55
#!/usr/bin/env stack
-- stack --install-ghc runghc -- -Wno-tabs
data Event
= Noop
| Noise
| Pats
deriving (Show,Read)
data Action
@robstradling
robstradling / roca.c
Last active December 28, 2018 22:14
/* roca.c - ROCA (CVE-2017-15361) fingerprint checker.
* Written by Rob Stradling (based on https://github.com/crocs-muni/roca/blob/master/roca/detect.py)
* Copyright (C) 2017-2018 Sectigo Limited
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
@truemongo
truemongo / gist:7aea60f80f6aa9b79cc9509b633557c9
Last active October 20, 2017 06:55
Infineon TPM fake buggy key generator
#!/usr/bin/python2
from random import randint, choice
from gmpy2 import is_prime # pip install gmpy2
import operator
### Code from ROCA
primes = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
prints = [6, 30, 126, 1026, 5658, 107286, 199410, 8388606, 536870910, 2147483646, 67109890, 2199023255550,
@hannob
hannob / infineon-roca.md
Last active October 25, 2020 15:55
Affected Products and Keys by Infineon RSA vulnerability
@mgeeky
mgeeky / xml-attacks.md
Last active April 13, 2024 15:52
XML Vulnerabilities and Attacks cheatsheet

XML Vulnerabilities

XML processing modules may be not secure against maliciously constructed data. An attacker could abuse XML features to carry out denial of service attacks, access logical files, generate network connections to other machines, or circumvent firewalls.

The penetration tester running XML tests against application will have to determine which XML parser is in use, and then to what kinds of below listed attacks that parser will be vulnerable.

@tinyfpga
tinyfpga / HardwareC_uart_example.hc
Created January 21, 2018 23:04
/**
* Simple UART module to explore basic HardwareC concepts.
*
* HardwareC is a working name for a new hardware description language. The
* goal is to make FPGAs easier for hobbyists to take advantage of. To achieve
* this goal, some design choices have been made:
*
* 1. Use familiar syntax. C/C++ syntax is borrowed everywhere, no reason to
* reinvent the wheel. Where C/C++ falls short, borrow from Verilog/SystemVerilog.
* 2. Interrop with C/C++. A HardwareC module should be able to be used seamlessly
@lynn
lynn / shy-sort.html
Last active April 26, 2019 20:51
<!doctype html>
<!-- This is just a very slightly modified tracking.js demo: https://trackingjs.com/examples/face_camera.html -->
<html>
<head>
<meta charset="utf-8">
<script src="https://cdnjs.cloudflare.com/ajax/libs/tracking.js/1.1.3/tracking-min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/tracking.js/1.1.3/data/face-min.js"></script>
<style>
video, canvas {
margin-left: 100px;