Skip to content

Instantly share code, notes, and snippets.

View stefanesser's full-sized avatar

Stefan Esser stefanesser

View GitHub Profile
@stefanesser
stefanesser / BHEU.markdown
Last active July 8, 2024 08:41
BlackHat EU - Wrong information in Talk "Eternal War in XNU Kernel Objects"

It has come to my attention that BlackHat EU had talks from Alibaba Security about iOS security topics. It seems to be from the same people that have previously presented at DEFCON. Back then I had publicly discussed how their talk is basically just a summary of other people's work that is heavily miscredited to the wrong people.

Considering this history it is surprising that BlackHat would allow the same people to give a talk again on iOS security topics. But I have given up a long time ago on the BlackHat review board and their decisions, which is one of the reasons why I have stopped submitting to them years ago.

But I am digressing from the actual reason for this GIST. And no it is not about the fact that the talk once again starts with summarizing other people's work and crediting the wrong parties for the work done. In this GIST I want to go over one of the slides from the "summary part" of the talk, because not a single item on that slide is correct information.

So here is the offending slide:

![Fr

@stefanesser
stefanesser / gist:99bfd31455ee8ebd37e86a290db63968
Last active September 22, 2018 11:12
Real world example why you should not ask #haveibeenpwned during password entry if password is compromised.
After a debate on Twitter how secure or insecure it is to ask #haveibeenpwned with their
k-anonymity check if passwords are compromised (while you are entering the password) I
have hacked together a small python script that without optimization tries to answer this
question.
We are testing a 20 character password: bananenBrot4321Alarm
Assumption is that the website uses the k-anonymity check that leaks 5 SHA1 characters to
#haveibeenpwned with every attempt. Assumption is that first query happens after X characters
have been entered as password. And then every Y characters another check is executed.
@stefanesser
stefanesser / gist:3b8911f6e9798daf8e0fcd469b7ceea8
Created June 20, 2018 15:47
Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes [4, 2, 2, 2, 2, 2, 2, 2, 2]
$ python crack-k-anonymity.py
------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Converting calls: 4,2 for password: bananenBrot4321Alarm (len: 20)
[4, 2, 2, 2, 2, 2, 2, 2, 2]
First call to API: bana (d33a7) ---> this takes long but can be precomputed
... loading precalculated result instead of bruteforcing the first prefix
@stefanesser
stefanesser / gist:eef8c046c82a6f1fd47aaaf25e87f698
Created June 20, 2018 15:45
Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes [5, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
$ python crack-k-anonymity.py
------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Converting calls: 5,1 for password: bananenBrot4321Alarm (len: 20)
[5, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
First call to API: banan (4eb10) ---> this takes long but can be precomputed
... loading precalculated result instead of bruteforcing the first prefix
@stefanesser
stefanesser / gist:f643f87dc88bbdc7b22594b7d7f67bd2
Created June 20, 2018 15:43
Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes (5,2,2,2,2,2,2,2,1)
$ python crack-k-anonymity.py
------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Converting calls: 5,2 for password: bananenBrot4321Alarm (len: 20)
[5, 2, 2, 2, 2, 2, 2, 2, 1]
First call to API: banan (4eb10) ---> this takes long but can be precomputed
... loading precalculated result instead of bruteforcing the first prefix