Skip to content

Instantly share code, notes, and snippets.

Avatar

Richard Davis 13Cubed

112 followers · 3 following · 38
View GitHub Profile
@13Cubed
13Cubed / update_dnsbl.sh
Last active Oct 23, 2020
Download DNS adware and malware blacklists in BIND format and add them to a blacklist zone file. This is a modified version of the script from Paul's Security Weekly (http://wiki.securityweekly.com/wiki/index.php/Episode472).
View update_dnsbl.sh
#!/bin/bash
HOME=/var/named
ADLISTURL="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=bindconfig;showintro=0;mimetype=plaintext"
MWLISTURL="http://mirror1.malwaredomains.com/files/spywaredomains.zones"
ADLISTFILE=/tmp/adlistfile
MWLISTFILE=/tmp/mwlistfile
# Download newest blacklists
curl -s -o $ADLISTFILE $ADLISTURL
@13Cubed
13Cubed / update_aws.sh
Last active Mar 30, 2020
Update AWS Route 53 and EC2 Security Group upon change in dynamic IP address. Roll your own dynamic DNS service, and update associated security groups by adding the new IP and cleaning up the previous IP to prevent unauthorized access to EC2 instances. Note: calls AWS CLI, and cli53 to make Route 53 changes (https://github.com/barnybug/cli53).
View update_aws.sh
#!/bin/bash
ZONE="example.com"
HOSTNAME="test"
SGROUP="my_security_group"
CURRENT_IP=$(dig @resolver1.opendns.com myip.opendns.com +short)
OLD_IP=$(dig @resolver1.opendns.com $HOSTNAME.$ZONE +short)
if [[ $CURRENT_IP =~ [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ ]] ; then
@13Cubed
13Cubed / conkyrc
Created Oct 21, 2016
A simple and clean Conky config that displays system, processors, memory, disks, and top processes.
View conkyrc
# .conkyrc
background yes
use_xft yes
xftfont Droid:normal:size=10
xftalpha 1
update_interval 1.0
top_cpu_separate true
total_run_times 0
own_window yes
@13Cubed
13Cubed / dns-sniffer.sh
Last active Mar 2, 2017
A Bash script to call tcpdump for DNS traffic capture.
View dns-sniffer.sh
#!/bin/bash
# Note: Do not run this script as root. You know better than that. Allow the standard user under which it runs the ability to execute /usr/sbin/tcpdump.
# Example: setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/dumpcap
/usr/sbin/tcpdump -i [INTERFACE] -s0 -G 300 -w '/capture/dns_%Y-%m-%d_%H:%M:%S.pcap' 'port 53'
@13Cubed
13Cubed / dns-analyzer.sh
Last active Mar 2, 2017
A Bash script to parse DNS PCAPs with tshark and write space-delimited values to a log file (useful for SIEM ingestion). This script ensures a given PCAP is not in use (via fuser) prior to analyzing and moving the file.
View dns-analyzer.sh
#!/bin/bash
# Note: Do not run this script as root. Allow the standard user under which it runs the ability to execute /bin/fuser without entering credentials.
# Example: username ALL = (root) NOPASSWD: /bin/fuser
cd /capture
for file in dns*.pcap;
do
if ! sudo fuser -s $file; then
/usr/bin/tshark -n -t ad -r $file | awk '{ if ($10 !="query") print $2, $3, "ERROR: " $0; else if ($11 == "response") print $2, $3, $12, "R", $4, $6, substr($0, index($0,$13)); else print $2, $3, $11, "Q", $4, $6, $12, $13, $14 }' 1>>/var/log/dns/query.log 2>/dev/null;
mv $file /capture/processed/$file
fi
@13Cubed
13Cubed / dns-sniffer.service
Last active Mar 1, 2017
A systemd service file that calls dns-sniffer.sh.
View dns-sniffer.service
[Unit]
Description=DNS Sniffer
[Service]
User=[USERNAME_HERE]
ExecStart=/usr/local/bin/dns-sniffer.sh
[Install]
WantedBy=multi-user.target
@13Cubed
13Cubed / ticketbleed.go
Last active Feb 9, 2017 — forked from FiloSottile/ticketbleed.go
Check for Ticketbleed (CVE-2016-9244) vulnerability.
View ticketbleed.go
package main
import (
"crypto/tls"
"fmt"
"log"
"strings"
"os"
)
@13Cubed
13Cubed / checknet.sh
Last active Jan 23, 2017
A simple Bash script to monitor a remote address and send an email when it goes down.
View checknet.sh
#!/bin/bash
# If the file that holds the flag doesn't exist, create it with default of 0
if [ ! -f /tmp/checknet.tmp ]
then
echo 0 > /tmp/checknet.tmp
fi
target=TARGET_GOES_HERE
@13Cubed
13Cubed / bashrc
Last active Feb 26, 2016
Custom bash prompt. Can be placed in /etc/bashrc (or /etc/bash.bashrc).
View bashrc
# If this is an interactive shell, customize the prompt
if [[ $- == *i* ]]; then
echo
if [ $(id -u) -eq 0 ]; then # Root user prompt
PS1="\[\033[38;5;31m\][\[$(tput sgr0)\]\[\033[38;5;166m\]\u\[$(tput sgr0)\]\[\033[38;5;31m\]@\h\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]\[\033[38;5;34m\]\W\[$(tput sgr0)\]\[\033[38;5;31m\]]\[$(tput sgr0)\]\[\033[38;5;15m\]\\$ \[$(tput sgr0)\]"
else # Normal user prompt
PS1="\[\033[38;5;31m\][\[$(tput sgr0)\]\[\033[38;5;99m\]\u\[$(tput sgr0)\]\[\033[38;5;31m\]@\h\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]\[\033[38;5;34m\]\W\[$(tput sgr0)\]\[\033[38;5;31m\]]\[$(tput sgr0)\]\[\033[38;5;15m\]\\$ \[$(tput sgr0)\]"
fi
fi
@13Cubed
13Cubed / iptohex.py
Created Feb 20, 2016
Convert IPv4 decimal (base 10) addresses to hex (base 16). Useful for 6to4 tunnel configs.
View iptohex.py
#!/usr/bin/python
import sys
import re
def DecToHex(dec_ip):
dec_octets = str.split(dec_ip, '.')
hex_octets = []
if len(dec_octets) != 4: