Royce Williams roycewilliams

roycewilliams / real-world-initialism-passwords.txt
Last active Sep 29, 2019
# Simple sample of real-world passwords that are initialisms of known phrases.
# Inspired by discussion at https://twitter.com/TychoTithonus/status/1170724414431715329
# Base "words" (can you tell what quotes / songs they're from?)
1mp&1c11wt
1mp@1c11wt
1mpa1c11wt
Batmf,tsite
Batmftsite
Batp,ftsbccog
View Android-10--add-user-from-lock-screen-issue.md

Android 10 "add users from lock screen" issue

Issue

On my Pixel 3 XL with new Android 10, even with "add users from lock screen" disabled, I discovered that I could reliably create a new user from the lock screen (swipe down the top menu, select blue user icon, and the "Add user" plus-sign icon is available).

I've posted this publicly - at first because I thought I must be mistaken, but then expanded later because the issue is not exploitable remotely, can only be carried out after authorized-equivalent access to the device has been achieved, is trivial to recreate with normal UI interaction, and would very likely have been disclosed by others in the very short term.

Status

roycewilliams / babe-ruth-passwords.txt
Last active Aug 31, 2019
# All case-insensitive 'babe.*ruth' founds from hashes.org (through August 2019)
# As part of this tweet thread: https://twitter.com/TychoTithonus/status/1167820683541282819
# Sorted in length order (the longer passwords are the ones more supportive of my argument)
# Under almost no circumstances should a password "formula" like the one described be used.
BABERUTH
BaBeRuTh
BabeRuth
Baberuth
bAbErUtH
baberuth
roycewilliams / netmux-survivor-masks.txt
Last active Aug 29, 2019
# As noted in https://www.netmux.com/blog/survivor-password-hashes
# and https://twitter.com/netmux/status/1166688841111150597
# as of 2019-08-28
#
# (UPDATE: should be unnecessary - use https://github.com/netmux/survivor-hashes instead)
#
llllldddddddddd
llllllllddddd
lllllllllll
ddddddddddllllll
roycewilliams / benchmark_hashcat-v5.1.0-1387-gec987e68_irongiant_2019-08-18.txt
Last active Aug 18, 2019
# benchmark_hashcat-v5.1.0-1387-gec987e68_irongiant_2019-08-18.txt
# https://gist.github.com/roycewilliams/702e5cdce0a506eb5c5a8e9cd7ebb6d8
$ hashcat -b -w 4 -O
hashcat (v5.1.0-1387-gec987e68) starting in benchmark mode...
CUDA API (CUDA 10.1)
====================
* Device #1: GeForce GTX 1080, 8119 MB, 20MCU
roycewilliams / hexify.pl
Created Jul 6, 2019
HEX-ify plains that need it
#!/usr/bin/env perl
#-----------------------------------------------------------------------
# Created: 2017-11-21
# $Id: hexify,v 1.2 2017/11/22 06:29:35 root Exp root $
#-----------------------------------------------------------------------
# FIXME - special cases:
# - Single \x0a is valid utf8, but should be hexed
#-----------------------------------------------------------------------
while (<>) {
roycewilliams / hashcat-markov-ends.txt
Last active Jul 8, 2019
A survey of the last string tried by hashcat's Markov for standard masks
$ cat hashcat-markov-ends.sh
#!/bin/bash
# Ref: https://github.com/hashcat/hashcat/issues/1058
echo "# A survey of the last string tried by hashcat's Markov for standard masks"
echo -n '# hashcat version: '
hashcat --version
[ -f hashcat-markov-ends.list ] && rm hashcat-markov-ends.list
roycewilliams / bcrypt-ascending.txt
Last active Jun 1, 2019
bcrypt hashes for 'password', all costs (4 through 31)
#-----------------------------------------------------------
# bcrypt hashes for the plain 'password', costs 4 through 31
#-----------------------------------------------------------
#
# htpasswd version matters - this one is from apache2-utils (2.4.18-2ubuntu3.10)
# Note that the official Apache version now stops at bcrypt cost 18:
#
# https://bz.apache.org/bugzilla/show_bug.cgi?id=62078
#
# I am not sure if the Ubuntu version is being modified downstream.
roycewilliams / nested-bcrypt-examples.txt
Last active Mar 23, 2019
------------------------------------------------------------------------------
# Examples of nested bcrypt
# using both binary (expected) and ASCII (naive) forms of each core hash
#
# Last updated 2019-03-23
------------------------------------------------------------------------------
Types most likely to encounter in the wild:
* bcrypt(base64(sha256_bin(password))) - passlib 'bcrypt-sha256' format
roycewilliams / benchmark_hashcat-v5.1.0-597-g9b916918_irongiant_2019-02-23.txt
Created Feb 23, 2019
hashcat (v5.1.0-597-g9b916918) starting in benchmark mode...
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #2: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #3: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #4: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #5: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #6: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU