Aruba produces two different software loads for their Access Point hardware. The first is called ArubaOS and the second is called Aruba Instant. With ArubaOS, the AP requires a Mobility Controller (hardware) to be installed in the network. With the Aruba Instant it is possible to run AP’s independently (standalone mode) or in a cluster, with no Mobility Controller in the network.
filipesam
filipesam
/ pcap_replay.py
Created
September 9, 2022 08:01
— forked from danielinux/pcap_replay.py
replay a captured pcap stream
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| from scapy.all import * | |
| import time, sys | |
| pkts = rdpcap(sys.argv[1]) | |
| clk = pkts[0].time | |
| for p in pkts: | |
| time.sleep(p.time - clk) | |
| clk = p.time | |
| sendp(p) |
filipesam
/ Reversing Aruba Instant.md
Created
September 8, 2022 14:17
Reversing Aruba Instant Firmware
filipesam
/ namemash.py
Created
August 17, 2022 16:01
— forked from superkojiman/namemash.py
Creating a user name list for brute force attacks.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| NameMash by superkojiman | |
| Generate a list of possible usernames from a person's first and last name. | |
| https://blog.techorganic.com/2011/07/17/creating-a-user-name-list-for-brute-force-attacks/ | |
| ''' |
filipesam
/ tcp_flags.txt
Created
August 11, 2022 06:39
— forked from tuxfight3r/tcp_flags.txt
tcpdump - reading tcp flags
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##TCP FLAGS## | |
| Unskilled Attackers Pester Real Security Folks | |
| ============================================== | |
| TCPDUMP FLAGS | |
| Unskilled = URG = (Not Displayed in Flag Field, Displayed elsewhere) | |
| Attackers = ACK = (Not Displayed in Flag Field, Displayed elsewhere) | |
| Pester = PSH = [P] (Push Data) | |
| Real = RST = [R] (Reset Connection) | |
| Security = SYN = [S] (Start Connection) |
filipesam
/ huaweiDecrypt.py
Created
July 13, 2022 16:18
— forked from staaldraad/huaweiDecrypt.py
Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| """ | |
| Simple tool to extract local users and passwords from most Huawei routers/firewalls config files. | |
| Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with | |
| a known key. Using this information, the script will decrypt credentials found in the config file. | |
| Author: Etienne Stalmans (etienne@sensepost.com) | |
| Version: 1.0 (12/01/2014) | |
| """ | |
| from Crypto.Cipher import DES |
filipesam
/ java_download.sh
Created
May 31, 2022 14:56
— forked from wavezhang/java_download.sh
download java from oracle without login
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| wget -c --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" https://download.oracle.com/otn-pub/java/jdk/12.0.2+10/e482c34c86bd4bf8b56c0b35558996b9/jdk-12.0.2_linux-x64_bin.tar.gz |
filipesam
/ Workstation-Takeover.md
Created
April 18, 2022 10:07
— forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
filipesam
/ customqueries.json
Created
April 12, 2022 08:13
— forked from seajaysec/customqueries.json
bloodhound custom queries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "queries": [{ | |
| "name": "List all owned users", | |
| "queryList": [{ | |
| "final": true, | |
| "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" | |
| }] | |
| }, | |
| { | |
| "name": "List all owned computers", |
filipesam
/ AD notes.md
Created
February 22, 2022 10:50
— forked from ivanitlearning/AD notes.md
Some notes I took while learning about Active Directory
- NetBIOS name should match your forest FQDN. So if
FQDN=adlunches.net, NetBIOS name isADLUNCHES - Every AD forest has a server which indexes all the objects in the forest. This is known as the Global Catalog server.
- Each domain needs at least 1 GC server, can have more for redundancy. This is so it can find objects in other domains.
- Any DC can be GC.
- By default all DCs will be GCs. GCs take up disk space and bandwidth, but both are plentiful.
- Microsoft Exchange requires GC server to run.
- Allow logins via UPN eg. user@highcosttraining.com, which may be on same domain.
- GC servers should be deployed at sites with poor WAN links or filtered connections.
filipesam
/ plink_socks_proxy.bat
Created
January 24, 2022 09:04
— forked from moshekaplan/plink_socks_proxy.bat
plink SOCKS proxy short guide
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: plink from here: http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe | |
| :: Guide available here: http://blog.buttewifi.com/2010/01/dynamic-ssh-tunneling-with-putty-to-secure-web-traffic/ | |
| :: Connects to 192.168.1.2 on port 5900. Sets up a SOCKS proxy that listens on 127.0.0.1 port 9876 and forwards all connections through the connection to 192.168.1.2. | |
| :: You then need to configure your system to use 127.0.0.1:9876 as a SOCKS proxy. | |
| putty\PLINK.EXE 192.168.1.2 -P 5900 -D 127.0.0.1:9876 -N | |
| :: Gotcha: In Windows, you need to specifically enable it as a SOCKS proxy, and disable all other proxies. |