Skip to content

Instantly share code, notes, and snippets.


Adel K 0x4D31

View GitHub Profile
View CVE-2018-10933-test
#!/usr/bin/env python
# Based on
# untested CVE-2018-10933
import sys, paramiko
import logging
username = sys.argv[1]
hostname = sys.argv[2]
command = sys.argv[3]
salrashid123 /
Created Jul 1, 2018
GCP impersonation with IAMCredentials
import logging
import os
import sys
import json
import time
import pprint
jhaddix / cloud_metadata.txt
Last active Oct 3, 2022 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
View cloud_metadata.txt
## AWS
gdamjan /
Last active Oct 3, 2022
Python script to check on SSL certificates
# -*- encoding: utf-8 -*-
# requires a recent enough python with idna support in socket
# pyopenssl, cryptography and idna
from OpenSSL import SSL
from cryptography import x509
from cryptography.x509.oid import NameOID
import idna
from socket import socket

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

jaredcatkinson / Get-InjectedThread.ps1
Last active Oct 5, 2022
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
View Get-InjectedThread.ps1
function Get-InjectedThread
Looks for threads that were created as a result of code injection.
clong /
Last active Mar 17, 2017
go-audit and osquery bootstrap script
#! /bin/bash
sudo su
apt-get update && apt-get upgrade -y && apt-get install -y build-essential golang git jq auditd
cd /root
# Update Golang from 1.2 to 1.7 or compilation of go-audit will fail
tar -xvf go1.7.linux-amd64.tar.gz
mv go /usr/local

How to pass the OSCP

  1. Recon
  2. Find vuln
  3. Exploit
  4. Document it


Unicornscans in cli, nmap in msfconsole to help store loot in database.

import netaddr
import json
import DNS # dns-python in ubuntu
import urllib
awstotal = 0
gcptotal = 0
View fake_sandbox.ps1
# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...
# Usage: .\fake_sandbox.ps1 -action {start,stop}
$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",