Skip to content

Instantly share code, notes, and snippets.


Aaron Zauner azet

Block or report user

Report or block azet

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
# Author : peternguyen
from Pwn import *
# p = Pwn(mode=1,port=8887)
p = Pwn(mode=1,host='',port=56746)
def select(op):
p.read_until('Your choice: ')

This was a comment I posted on (before I realized that issue was 5 years old!) which got deleted so I moved it here.

Let's make the attack concrete to see if it works. I have a dictionary of 232 candidate passwords I want to try against a user account. I know the user's salt. There is no rate limiting. Ideally, it should take 232 online queries to search through all of my candidate passwords. Here's the attack:

  1. Using my knowledge of the salt, I hash ~216 random preimages until I find one for every possible 2-byte prefix of the hash.
  2. Now I send each of those 216 preimages in turn to the server and observe the side-channel. I may have to repeat this a few times in order to improve the SNR, let's say 100 times. So in 100*216 online queries I learn the first 2 bytes of the hash.
  3. Now that I know the first 2 bytes of the hash, I do 232 offline work to hash all of my candidate passwords a
defuse /
Created Mar 20, 2017
Test OpenSSL RSA Random Number Generator
# -- @DefuseSec
echo -n >/tmp/primes.txt
# Generate 1000 primes.
for i in {1..500}; do
# Use 192-bit keys for speed (could potentially mask RNG bugs that only affect bigger keys)
openssl genrsa 192 2>/dev/null | \
openssl rsa -text 2>/dev/null |\
View gist:bec563b6b09c23c6e037f994df0a820d
"uniqid": "umich-sandy",
"name": "Hurricane Sandy ZMap Scans",
"status": "production",
"short_desc": "TCP SYN scans of the public IPv4 address space on port 443 completed on October 30-31, 2012 in order to measure the impact of Hurricane Sandy. The initial results from these scans were originally released as part of \"ZMap: Fast Internet-Wide Scanning and its Security Applications\" at USENIX Security 2013. The dataset consists of the unique TCP SYN-ACK and RST responses received by ZMap in CSV format.",
"long_desc": "The dataset is composed the ZMap CSV output of full TCP SYN scans of the IPv4 address against port 443. All files contain the following fields: response, saddr, daddr, sport, dport, in_cooldown, timestamp. The output contains any TCP SYN-ACK or TCP RST responses. We acknowledge that there are several hours that are missing from the dataset.",
azet / get_alexa_1m_mx_rrs
Last active Sep 6, 2017
Retrieves MX and A records for 'Alexa Top 1 Million' hosts and prints them as pretty formatted JSON objects to stdout.
View get_alexa_1m_mx_rrs
#!/usr/bin/env bash
# Retrieves MX and A records for 'Alexa Top 1 Million' hosts
# and prints them as pretty formatted JSON objects to stdout.
# *Optional* parallelism support with GNU Parallel (recommended):
# $ sudo apt-get install parallel
# Authors: Aaron Zauner <>
# License: CC0 1.0 (
nabla-c0d3 / gist:715cdfe2ffb9d13726eb
Created Mar 2, 2015
MitM Script for XMPP StartTLS Stripping
View gist:715cdfe2ffb9d13726eb
#!/usr/bin/env python
import sys, socket, thread, ssl
from select import select
HOST = ''
PORT = 5222
BUFSIZE = 4096
# Change this with the first two bytes of the SSL client hello
View gist:883ac85fa9d9fa80f74a
printf("%s -> %s\n", dictGetKey(entry), dictGetVal(entry));
printf("* %s\n", dictGetKey(entry2));
View tag-version
#!/usr/bin/env bash
set -e
if [ ! -f debian/changelog ]; then
echo "E: debian/changelog not found, aborting." >&2
exit 1
if [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
echo "This is a simple wrapper script; all arguments are passed on to git dch."
echo "Use git dch --help for help."
import sys
from scapy.all import *
from scapy.utils import rdpcap
class HttpRequest(object):
def __init__(self, method, url, version, headers, body):
self.method = method
self.url = url
self.version = version
View file_permissions.txt
# This is well-known behavior, it's just interesting.
$ mkdir a
$ echo "hello!" > a/file.txt
$ cat a/file.txt
$ chmod 000 a/file.txt
# Now I don't expect to be able to change a/file.txt...
$ echo "GOODBYE" > a/file.txt
bash: a/file.txt: Permission denied
# Okay, good, I can't modify the file directly.
You can’t perform that action at this time.