Skip to content

Instantly share code, notes, and snippets.

📃
Also in git.rlab.be/hackan

HacKan HacKanCuBa

📃
Also in git.rlab.be/hackan
Block or report user

Report or block HacKanCuBa

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@HacKanCuBa
HacKanCuBa / gunicorn.py
Last active Oct 1, 2019 — forked from kodekracker/gunicorn.py
A config file of gunicorn(http://gunicorn.org/) contains fundamental configuration.
View gunicorn.py
"""Gunicorn config file.
by HacKan (https://hackan.net)
Find it at: https://gist.github.com/HacKanCuBa/275bfca09d614ee9370727f5f40dab9e
Based on: https://gist.github.com/KodeKracker/6bc6a3a35dcfbc36e2b7
"""
# Gunicorn (v19.9) Configuration File
# Reference - https://docs.gunicorn.org/en/19.9.0/settings.html
#
# To run gunicorn by using this config, run gunicorn by passing
@HacKanCuBa
HacKanCuBa / cypher.py
Created Sep 26, 2019
Python3 OTPCypher (toy module)
View cypher.py
from typing import Tuple
from typing import Union
TParam = Union[bytes, str, bytearray]
class OTPCypher:
"""One-time pad cypher (use with extreme care!).
There are several restrictions for this to work: both parameters must have
@HacKanCuBa
HacKanCuBa / crack_nid.py
Created Jul 16, 2019
Bruteforce a numeric ID from a SHA256 hash using every CPU core available
View crack_nid.py
#!/usr/bin/env python3
# ***************************************************************************
# Bruteforce a numeric ID from a SHA256 hash.
# Copyright (C) <2019> <Ivan Ariel Barrera Oro>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
@HacKanCuBa
HacKanCuBa / replacing_openpgp_2019.md
Last active Jul 17, 2019
Replacing OpenPGP in 2019
View replacing_openpgp_2019.md

Replacing OpenPGP in 2019

It's 2019, and OpenPGP has to die already (for very many reasons I won't list, but see 1, 2 and 3). At least for most uses.
I'll try to list here some replacements categorized by usage (also see 5), because there's no one single-do-all app, and there shouldn't be!

All of this resurfaced because of a vuln exploited recently on SKS keyservers (that has NOTHING to do with OpenPGP nor GnuPG but yes, they're related to the environment) (see 4).

Note: only FOSS software listed (although some server-side implementations could be closed, where applicable).

Listed apps are in no particular order. You should analyze your threat model to know which one to prefer, but as a rule of thumb, go for an easy-to-use one than doesn't let you make a mistake an lose security.

@HacKanCuBa
HacKanCuBa / settings.py
Created Mar 13, 2019
Django 2 + REST Framework 3 generic settings: it uses env vars with mostly safe defaults (replace PROJNAME for the name of your project; read through the settings and change what you need)
View settings.py
"""
Django settings for PROJNAME project.
Generated by 'django-admin startproject' using Django 2.1.5.
For more information on this file, see
https://docs.djangoproject.com/en/2.1/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/2.1/ref/settings/
@HacKanCuBa
HacKanCuBa / cached.py
Last active Nov 8, 2019
Django Cached: simple cache abstract classes to create and use cached objects.
View cached.py
"""Handle object caching and data retrieval from API endpoints.
These abstract classes makes it easy to use Django's cache with a custom
object, and are very flexible. It support slots natively, and logs cache
hits/misses.
:Requirements:
- Django 2.0+
- Python 3.6+
View connectors.py
"""Wrappers around Python 3 Requests library.
This lib will log errors, warnings and request duration, not raising any
exception: in such error cases, an empty dict is returned. To identify, if
necessary, that there where errors, a with_error flag must be set in the
arguments so that the methods return a tuple in the form of
(response_data: any, error: bool).
If there's any response expected from the endpoint, it will be returned
JSON-converted as-is, which means it's either valid JSON (string, number,
@HacKanCuBa
HacKanCuBa / phpinfo.php
Last active Sep 14, 2018
Safe phpinfo file
View phpinfo.php
<?php
// Safe PHPInfo file by HacKan
// You should prefer to delete it after using it, but we know how that can go... at least, be safe
// create passwd with:
// php -r '$pass = bin2hex(random_bytes(10)); echo "Plain: ", $pass, PHP_EOL, "Encrypted: ", password_hash($pass, PASSWORD_DEFAULT), PHP_EOL;'
define('PASSWD','');
$p = filter_input(INPUT_GET, 'p', FILTER_SANITIZE_STRING);
if (!empty(PASSWD) && !empty($p) && password_verify($p, PASSWD)) {
@HacKanCuBa
HacKanCuBa / exfiltrate.html
Created May 15, 2018
PoC to exfiltrate signal-desktop messages exploiting CVE-2018-11101 or CVE-2018-10994
View exfiltrate.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<!--
DO NOT USE THIS IN REAL LIFE, IT'S JUST A POC! Be nice, don't hack activists :)
by HacKan: https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection-variant-2
under GNU GPL v3.0+
-->
</head>
@HacKanCuBa
HacKanCuBa / properly-signing-gh-release-packages.md
Last active Jun 25, 2019
Properly signing Github releases
View properly-signing-gh-release-packages.md

Github automatically generates .tar.gz and .zip packages of the repository when a release or pre-release is created under releases. However, these packages are not signed! The tag might be signed but if a user downloads one of those, there's no true certification of its content, rather than pure trust on Github.

However, you can edit a release after it's generated to upload files, and this is how you upload signature files for those packages (as I usually do). But, to sign them, you need to first download them and, of course, verify them! Otherwise, you'll be signing your trust to Github without checking!

I will be using a tool I created to do recursive blake2 checksums called b2rsum. You can use any other tool that does the same if you want.

To properly verify those packages, do the following:

  1. Create a temporal directory to store all files, lets call it /tmp/github.
  2. Copy your source code to a subdirectory there: cp -r ~/code/myproject /tmp/github/orig.
You can’t perform that action at this time.