Skip to content

Instantly share code, notes, and snippets.

View gist:70ae3df90c5a532baaf7
### Keybase proof
I hereby claim:
* I am gfoss on github.
* I am heinzarelli (https://keybase.io/heinzarelli) on keybase.
* I have a public key whose fingerprint is 3DC9 DCF4 C0A3 7206 C45B 66FB C2DE DD96 D935 5D0E
To claim this, I am signing this object:
@gfoss
gfoss / ssh-alert-cronjob
Last active Dec 12, 2015
simple cronjob to alert on 'unknown/unexpected' access to a system.
View ssh-alert-cronjob
0 */1 * * * last -5 | grep -v '[user]\|wtmp\|reboot\|shutdown' && last -10 | grep -v '[user]\|wtmp\|reboot\|shutdown' >> ~/Desktop/ALERT && wall -g [group] ~/Desktop/ALERT
@gfoss
gfoss / netcat heartbeat
Last active May 30, 2016
NetCat based heartbeat one-liner, great for pentesting to let you know if the service you are testing has crashed.
View netcat heartbeat
$ while `nc -nn -vv -z -w3 [ip-address] [port] > /dev/null`; do echo "OK"; sleep 1; done; echo "DOWN"; while (true); do echo "***DOWN***"; sleep 5; done
@gfoss
gfoss / autopeep.sh
Last active Jul 20, 2016
Simple script used to set peepingtom.py to run automatically via bash script + cronjob, serve up the content and send out e-mail notifications.
View autopeep.sh
#!/bin/bash
#
# Utilizing LaNMaSteR53's peepingtom.py script to auto-scrape web servers and send out notifications.
# Optimized for Kali Linux
# greg.foss[at]owasp.org
#
# cronjob to run this script once a week every Sunday at Midnight
# 0 0 * * 0 /usr/share/peepingtom/autopeep.sh
# prepare storage location, remove old data, and migrate existing folders
@gfoss
gfoss / command injector
Created Sep 10, 2014
script to assist in exploiting command injection vulns / interacting with simple webshells
View command injector
#!/bin/bash
#
# Command Injector v0.1
# greg.foss[at]owasp.org
# modified version of dirtshell by 'superkojiman' to exploit command injection vulnerabilities / access web shells via cli
# dirtshell.sh => http://blog.techorganic.com/2012/06/lets-kick-shell-ish-part-1-directory.html
function usage {
echo "usage: -u URL"
echo "eg : -u \"http://site.com/index.php?cmd=\""
@gfoss
gfoss / nmap-os-detection
Created Aug 28, 2013
OS-detection. Run this nmap command to count OS's and view the os.txt output file to see the results per-system.
View nmap-os-detection
$ sudo nmap -F -O [IP-RANGE] | grep "scan report\|Running: " > os.txt; echo "$(cat os.txt | grep Apple | wc -l) OS X devices"; echo "$(cat os.txt | grep Linux | wc -l) Linux devices"; echo "$(cat os.txt | grep Windows | wc -l) Windows devices"
@gfoss
gfoss / ssh-attempts.txt
Last active Dec 30, 2018
grep IP addresses from auth logs to see attempted ssh attempts into your box w/ invalid creds {ubuntu}
View ssh-attempts.txt
#search for invalid logon attempts, pull out IP, remove dupes, sort...
$ grep -rhi 'invalid' /var/log/auth.log* | awk '{print $10}' | uniq | sort > ~/ips.txt
#look em up
$ for i in `cat ~/ips.txt`; do @nslookup $i 2>/dev/null | grep Name | tail -n 1 | cut -d " " -f 3; done > ~/who.txt
# :-) #
$ do moar things...
@gfoss
gfoss / auto-hydra.sh
Created Aug 3, 2017
Simple Masscan + Hydra wrapper used to perform automated scans by group (organization, unit, team, etc) and generate a report on the results.
View auto-hydra.sh
#!/bin/bash
#
# @heinzarelli
# greg . foss [at] logrhythm . com
# v0.1 - May 2017
#
function usage {
echo ""
@gfoss
gfoss / nslookup loops
Last active Nov 3, 2019
Basic nslookup loops for Windows and Linux
View nslookup loops
*****WINDOWS*****
//nslookup - subnet range
c:\>for /L %i in (1,1,255) do @nslookup 10.10.10.%i [server to resolve from] 2>nul | find "Name" && echo 10.10.10.%i && @echo [ctrl+g]
//nslookup - file of ip's
NAME c:\>for /F %i in ([file.txt]) do @nslookup %i [server to resolve from] 2>nul | find "Name" && echo %i
ADDRESS c:\>for /F %i in ([file.txt]) do @nslookup %i [server to resolve from] 2>nul | find "Address" && echo %i
Or just run c:\>nslookup and paste in the list
@gfoss
gfoss / Enable-PSRemoting.ps1
Last active Nov 6, 2019
quickly enable psremoting on Windows Hosts via PowerShell
View Enable-PSRemoting.ps1
function enablePSRemoting {
Enable-PSRemoting –force
Set-Service WinRM -StartMode Automatic
Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
Set-Item WSMan:localhost\client\trustedhosts -value *
Get-Item WSMan:\localhost\Client\TrustedHosts
}
You can’t perform that action at this time.