Skip to content

Instantly share code, notes, and snippets.

View useragent_smuggling_examples.sh
curl -s -A "smuggled message" http://canarytokens.com/tokenurl
wget -U "smuggled message" http://canarytokens.com/tokenurl
exec 3<>/dev/tcp/canarytokens.com/80
echo -e "GET /articles/traffic/guln4qekd7zjfd4thw5sw48uh/post.jsp HTTP/1.1\r\nUser-Agent: If i trip my own token, i can pass it any useragent info i want to, effectively smuggling data in a token\r\nHost: canarytokens.com\r\nAccept: */*\r\n\r\n">&3
View nc.sh
declare -a sshclient
sshclient=($SSH_CLIENT)
args="$@"
curl -s -A "Someone just ran nc $args as User:$USER on Hostname:$HOSTNAME from SourceIP: ${sshclient[0]}" http://7c589debfgpn.o3n.io/files/dkgs6rpqh7nyjrf1hr1pabc7u/logo.gif > /dev/null
/bin/nc "$@"
View canarygen_awscreds_auto.py
# Generate AWS Creds 0.1
# canarygen_awscreds.py
#
# This is the "auto" version of this script. Run it unattended and it will
# automatically grab username and hostname variables from the system it is
# run on.
#
# PREREQS
# python 3
# pip3 install canarytools
@Sawaba
Sawaba / delete_tokens.py
Created Nov 8, 2019
Quick python script to delete all tokens from a Canary console
View delete_tokens.py
import requests
import sys
import re
def main(args):
if len(args) < 2:
print("usage: python delete_tokens.py <console_url> <api_key>")
auth = args[1]
console = args[0]
get_url = "{base}/api/v1/canarytokens/fetch?auth_token={auth}".format(
View canarygen_awscreds.cmd
@echo off
REM Test script to generate AWS creds
REM Requires curl and jq. Customize name/path to EXEs below.
set curl=curl
set jq=jq-win64.exe
REM Grab the date and time for creating unique files
for /f "tokens=1,2,3,4 delims=/ " %%a in ('date /t') do set currdate=%%d%%c%%b
for /f "tokens=1,2,3,4 delims=.:" %%a in ("%time%") do set currtime=%%a%%b%%c
View canary_alert_extract.sh
#!/bin/bash
# Create a CSV with the last week's worth of alerts from your Canary console
# Requires curl and jq to be in the path
# Set this variable to your API token
export token=deadbeef12345678
# Customize this variable to match your console URL
export console=ab123456.canary.tools
@Sawaba
Sawaba / javainstall.sh
Created Mar 6, 2019
Java JDK 11 install script for Windows Subsystem for Linux (WSL)
View javainstall.sh
#!/bin/bash
# This script adapted from an older post on StackOverflow by user fieldju
# https://stackoverflow.com/questions/36478741/installing-oracle-jdk-on-windows-subsystem-for-linux
# The script was for JDK 8.
# Due to major changes with JDK 11 (no JRE, no Derby, Unlimited Strength included), it was necessary to update the entire script.
set -ex
# UPDATE THESE URLs (this one updated as of 2019-03-06)
export JDK_URL=http://download.oracle.com/otn-pub/java/jdk/11.0.2+9/f51449fcd52f4d52b93a989c5c56ed3c/jdk-11.0.2_linux-x64_bin.tar.gz
@Sawaba
Sawaba / Scan-Discovery-Networks-Internal.cmd
Last active Feb 20, 2018
The beginning of a project to try to discover all active networks on an internal LAN. I hadn't figured out how to do the 10.0.0.0 class A, so it currently looks for all RFC1918 ranges EXCEPT the largest of the bunch. Sorry :( Without access to a large LAN, it was hard to continue development.
View Scan-Discovery-Networks-Internal.cmd
@echo off
goto begin
+-----------------------------------------------------------------------------+
| Internal Network Discovery Scan |
| |
| DESCRIPTION: This script discovers NETWORKS, not hosts. It attempts to find |
| every class C in use throughout the enterprise. Note that, on larger ranges,|
| we're sampling IPs to save time. This is a calculated time/accuracy tradeoff|
| |
@Sawaba
Sawaba / CVE2017-11937-check.cmd
Created Dec 9, 2017
Script to determine if Windows systems are vulnerable to CVE-2017-11937
View CVE2017-11937-check.cmd
@echo off
REM Local Windows check to ensure we're safe from CVE-2017-11937
REM https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11937
cls
ECHO.
ECHO CVE-2017-11937 Vulnerability Check version 1.0
ECHO Checking to make sure your antivirus isn't going to sell you out to cyberbaddies.
ECHO The last vulnerable version was 1.1.14306.0 - anything newer should be safe.
ECHO.
View keybase.md

Keybase proof

I hereby claim:

To claim this, I am signing this object:

You can’t perform that action at this time.