Skip to content

Instantly share code, notes, and snippets.


Aaron Zauner azet

View GitHub Profile
# Author : peternguyen
from Pwn import *
# p = Pwn(mode=1,port=8887)
p = Pwn(mode=1,host='',port=56746)
def select(op):
p.read_until('Your choice: ')

This was a comment I posted on (before I realized that issue was 5 years old!) which got deleted so I moved it here.

Let's make the attack concrete to see if it works. I have a dictionary of 232 candidate passwords I want to try against a user account. I know the user's salt. There is no rate limiting. Ideally, it should take 232 online queries to search through all of my candidate passwords. Here's the attack:

  1. Using my knowledge of the salt, I hash ~216 random preimages until I find one for every possible 2-byte prefix of the hash.
  2. Now I send each of those 216 preimages in turn to the server and observe the side-channel. I may have to repeat this a few times in order to improve the SNR, let's say 100 times. So in 100*216 online queries I learn the first 2 bytes of the hash.
  3. Now that I know the first 2 bytes of the hash, I do 232 offline work to hash all of my candidate passwords a
defuse /
Created Mar 20, 2017
Test OpenSSL RSA Random Number Generator
# -- @DefuseSec
echo -n >/tmp/primes.txt
# Generate 1000 primes.
for i in {1..500}; do
# Use 192-bit keys for speed (could potentially mask RNG bugs that only affect bigger keys)
openssl genrsa 192 2>/dev/null | \
openssl rsa -text 2>/dev/null |\
azet / get_alexa_1m_mx_rrs
Last active Sep 6, 2017
Retrieves MX and A records for 'Alexa Top 1 Million' hosts and prints them as pretty formatted JSON objects to stdout.
View get_alexa_1m_mx_rrs
#!/usr/bin/env bash
# Retrieves MX and A records for 'Alexa Top 1 Million' hosts
# and prints them as pretty formatted JSON objects to stdout.
# *Optional* parallelism support with GNU Parallel (recommended):
# $ sudo apt-get install parallel
# Authors: Aaron Zauner <>
# License: CC0 1.0 (
nabla-c0d3 / gist:715cdfe2ffb9d13726eb
Created Mar 2, 2015
MitM Script for XMPP StartTLS Stripping
View gist:715cdfe2ffb9d13726eb
#!/usr/bin/env python
import sys, socket, thread, ssl
from select import select
HOST = ''
PORT = 5222
BUFSIZE = 4096
# Change this with the first two bytes of the SSL client hello
View gist:883ac85fa9d9fa80f74a
printf("%s -> %s\n", dictGetKey(entry), dictGetVal(entry));
printf("* %s\n", dictGetKey(entry2));
View tag-version
#!/usr/bin/env bash
set -e
if [ ! -f debian/changelog ]; then
echo "E: debian/changelog not found, aborting." >&2
exit 1
if [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
echo "This is a simple wrapper script; all arguments are passed on to git dch."
echo "Use git dch --help for help."
import sys
from scapy.all import *
from scapy.utils import rdpcap
class HttpRequest(object):
def __init__(self, method, url, version, headers, body):
self.method = method
self.url = url
self.version = version
View file_permissions.txt
# This is well-known behavior, it's just interesting.
$ mkdir a
$ echo "hello!" > a/file.txt
$ cat a/file.txt
$ chmod 000 a/file.txt
# Now I don't expect to be able to change a/file.txt...
$ echo "GOODBYE" > a/file.txt
bash: a/file.txt: Permission denied
# Okay, good, I can't modify the file directly.
zeha /
Created Apr 9, 2014
gpg-agent integration with gpg CLI for OS X
# add to ~/.zshrc or ~/.profile
agentpid=$(pgrep gpg-agent)
if [ ! -z "$agentpid" ]; then
export GPG_AGENT_INFO=${HOME}/.gnupg/S.gpg-agent:${agentpid}:1
You can’t perform that action at this time.