Royce Williams roycewilliams

💭
:cheeeeeese:
Block or report user

Report or block roycewilliams

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View clientside-software-update-verification-failures.md

Client-side software update verification failures

Exploitable vulnerabilities in client-side software update mechanisms that could have been mitigated by secure transport (TLS). Contributions welcome. All text taken from the vulnerability descriptions themselves, with additional emphasis mine.

In scope:

  • I consider exploitation or privilege escalation of the package tool/system itself (that would have been mitigated by secure transport) to be in scope.
  • Issues only described as being triggered by malicious mirrors are assumed to also be vulnerable to MITM.
  • Failure to verify the software update at all is currently provisionally in scope if it could have been mitigated by secure transport, but I'm waffling about it. Most of these are actual signature verification failures, and my original purpose was to highlight cases where claims of "It's OK to be HTTP because verification!" seem to me to be specious.

Out of scope:

  • Transport downgrade attacks - that force a connection from being e
roycewilliams / pwnedpasswords-v2-top20k.txt
Last active Jul 9, 2019
# Top 20K hashes from the Troy Hunt / haveibeenpwned Pwned Passwords list v2 (2018-02-21)
# Original raw as published is at https://gist.github.com/roycewilliams/eef06c1148707ce8c8a1dea85768b207
20760336:7c4a8d09ca3762af61e59520943dc26494f8941b:123456
7016669:f7c3bc1d808e04732adf679965ccc34ca7ae3441:123456789
3599486:b1b3773a05c0ed0176787a4f1574ff0075f7521e:qwerty
3303003:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8:password
2900049:3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d:111111
2680521:7c222fb2927d828af22f592134e8932480637c0d:12345678
2670319:6367c48dd193d56ea7b0baad25b19455e529f5ee:abc123
roycewilliams / hashcat-markov-ends.txt
Last active Jul 8, 2019
A survey of the last string tried by hashcat's Markov for standard masks
$ cat hashcat-markov-ends.sh
#!/bin/bash
# Ref: https://github.com/hashcat/hashcat/issues/1058
echo "# A survey of the last string tried by hashcat's Markov for standard masks"
echo -n '# hashcat version: '
hashcat --version
[ -f hashcat-markov-ends.list ] && rm hashcat-markov-ends.list
roycewilliams / mdxfind-is-awesome.txt
Last active Jul 8, 2019
#
# The word 'password', hashed with many unsalted hash types, up to 5 iterations deep
# Courtesy MDXfind - https://hashes.org/mdxfind.php
#
$ echo -n 'password' | mdxfind -h ALL -h '!salt,!user' -z -f /dev/null -i 5 stdin 2>&1 | fgrep password | sort
BLAKE224x01 22203351651fef303ceb8adcfbfdd90a773ea6c0f388ce2441f380d9:password
BLAKE224x02 16dc83c641636911098c1981ce16a540abd77b3b995d122ec010bfbe:password
BLAKE224x03 8077f5d701e755474cd8fab0d9a5fab019ff8046c020f0c3802c8c17:password
BLAKE224x04 30f749a577f685801423e9434ab95610c8c8c5464d8865c62d379bc6:password
BLAKE224x05 e34ed3bdce2557bc6246f9a3cc50bbf6c78bdcefa5a8960f9cba8f04:password
roycewilliams / md5-10k-rounds-password.txt
Last active Jul 8, 2019
The first 10,000 rounds of MD5("password")
#
# Courtesy MDXfind - https://hashes.org/mdxfind.php
#
$ echo -n 'password' | mdxfind -h '^MD5$' -z -f /dev/null -i 10000 stdin 2>&1 | fgrep password | sort -tx -n -k 2 | align
MD5x01 5f4dcc3b5aa765d61d8327deb882cf99:password
MD5x02 696d29e0940a4957748fe3fc9efd22a3:password
MD5x03 5a22e6c339c96c9c0513a46e44c39683:password
MD5x04 e777a29bee9227c8a6a86e0bad61fc40:password
MD5x05 7b3b4de00794a247cf8df8e6fbfe19bf:password
MD5x06 20ffe80a69fbe8ce4d848eef461b3e39:password
roycewilliams / hexify.pl
Created Jul 6, 2019
HEX-ify plains that need it
#!/usr/bin/env perl
#-----------------------------------------------------------------------
# Created: 2017-11-21
# $Id: hexify,v 1.2 2017/11/22 06:29:35 root Exp root $
#-----------------------------------------------------------------------
# FIXME - special cases:
# - Single \x0a is valid utf8, but should be hexed
#-----------------------------------------------------------------------
while (<>) {
roycewilliams / bcrypt-ascending.txt
Last active Jun 1, 2019
bcrypt hashes for 'password', all costs (4 through 31)
#-----------------------------------------------------------
# bcrypt hashes for the plain 'password', costs 4 through 31
#-----------------------------------------------------------
#
# htpasswd version matters - this one is from apache2-utils (2.4.18-2ubuntu3.10)
# Note that the official Apache version now stops at bcrypt cost 18:
#
# https://bz.apache.org/bugzilla/show_bug.cgi?id=62078
#
# I am not sure if the Ubuntu version is being modified downstream.
roycewilliams / bcrypt-example
$ cat ~/bcrypt.hash
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6
$ cat ~/bcrypt.dict
hashcat
$ ./hashcat64.bin -a 0 -m 3200 ~/bcrypt.hash ~/bcrypt.dict
hashcat (v3.10-143-g7f59a82) starting...
OpenCL Platform #1: NVIDIA Corporation
roycewilliams / nested-bcrypt-examples.txt
Last active Mar 23, 2019
------------------------------------------------------------------------------
# Examples of nested bcrypt
# using both binary (expected) and ASCII (naive) forms of each core hash
#
# Last updated 2019-03-23
------------------------------------------------------------------------------
Types most likely to encounter in the wild:
* bcrypt(base64(sha256_bin(password))) - passlib 'bcrypt-sha256' format