dmattera

This list was auto-generated on macOS 10.15 (Catalina) using a script that did the following:

1. grabbed the name of all the .plist files located in the 5 folders used by launchctl:

• ~/Library/LaunchAgents Per-user agents provided by the user.
• /Library/LaunchAgents Per-user agents provided by the administrator.
• /Library/LaunchDaemons System wide daemons provided by the administrator.
• /System/Library/LaunchAgents OS X Per-user agents.
• /System/Library/LaunchDaemons OS X System wide daemons.

steipete

//
//  OSLogStream.swift
//  LoggingTest
//
//  Created by Peter Steinberger on 24.08.20.
//

// Requires importing https://github.com/apple/llvm-project/blob/apple/master/lldb/tools/debugserver/source/MacOSX/DarwinLog/ActivityStreamSPI.h via bridging header
import Foundation

mlosapio

#!/usr/bin/env python
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# untested CVE-2018-10933 

import sys, paramiko
import logging

username = sys.argv[1]
hostname = sys.argv[2]
command = sys.argv[3]

salrashid123

#!/usr/bin/python
# https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials

import logging
import os
import sys
import json
import time
import pprint

jhaddix

## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

gdamjan

# -*- encoding: utf-8 -*-
# requires a recent enough python with idna support in socket
# pyopenssl, cryptography and idna

from OpenSSL import SSL
from cryptography import x509
from cryptography.x509.oid import NameOID
import idna

from socket import socket

rain-1

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

• Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
• Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
• Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
• Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

jaredcatkinson

function Get-InjectedThread
{
    <# 
    
    .SYNOPSIS 
    
    Looks for threads that were created as a result of code injection.
    
    .DESCRIPTION
    

clong

#! /bin/bash

sudo su
apt-get update && apt-get upgrade -y && apt-get install -y build-essential golang git jq auditd
cd /root

# Update Golang from 1.2 to 1.7 or compilation of go-audit will fail
wget https://storage.googleapis.com/golang/go1.7.linux-amd64.tar.gz
tar -xvf go1.7.linux-amd64.tar.gz
mv go /usr/local

unfo

How to pass the OSCP

1. Recon
2. Find vuln
3. Exploit
4. Document it

Recon

Unicornscans in cli, nmap in msfconsole to help store loot in database.