- Recon
- Find vuln
- Exploit
- Document it
Unicornscans in cli, nmap in msfconsole to help store loot in database.
## IPv6 Tests | |
http://[::ffff:169.254.169.254] | |
http://[0:0:0:0:0:ffff:169.254.169.254] | |
## AWS | |
# Amazon Web Services (No Header Required) | |
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
http://169.254.169.254/latest/user-data | |
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] |
# Simulate fake processes of analysis sandbox/VM that some malware will try to evade | |
# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...) | |
# It's just a PoC and it's ugly as f*ck but hey, if it works... | |
# Usage: .\fake_sandbox.ps1 -action {start,stop} | |
param([Parameter(Mandatory=$true)][string]$action) | |
$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe", | |
"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe", |
#!/usr/bin/python | |
import netaddr | |
import json | |
import DNS # dns-python in ubuntu http://sourceforge.net/projects/pydns/ | |
import urllib | |
awstotal = 0 | |
gcptotal = 0 | |
AWSURL = 'https://ip-ranges.amazonaws.com/ip-ranges.json' |
#! /bin/bash | |
sudo su | |
apt-get update && apt-get upgrade -y && apt-get install -y build-essential golang git jq auditd | |
cd /root | |
# Update Golang from 1.2 to 1.7 or compilation of go-audit will fail | |
wget https://storage.googleapis.com/golang/go1.7.linux-amd64.tar.gz | |
tar -xvf go1.7.linux-amd64.tar.gz | |
mv go /usr/local |
function Get-InjectedThread | |
{ | |
<# | |
.SYNOPSIS | |
Looks for threads that were created as a result of code injection. | |
.DESCRIPTION | |
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).update: A minor variant of the viru
# -*- encoding: utf-8 -*- | |
# requires a recent enough python with idna support in socket | |
# pyopenssl, cryptography and idna | |
from OpenSSL import SSL | |
from cryptography import x509 | |
from cryptography.x509.oid import NameOID | |
import idna | |
from socket import socket |
## AWS | |
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
http://169.254.169.254/latest/user-data | |
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
http://169.254.169.254/latest/meta-data/ami-id | |
http://169.254.169.254/latest/meta-data/reservation-id | |
http://169.254.169.254/latest/meta-data/hostname | |
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
#!/usr/bin/python | |
# https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials | |
import logging | |
import os | |
import sys | |
import json | |
import time | |
import pprint |