Skip to content

Instantly share code, notes, and snippets.

View jbfuzier's full-sized avatar

jbfuzier

5 followers · 1 following
View GitHub Profile
@WarFox
WarFox / ace_editor_in_bootstrap_3_container.html
Last active October 27, 2016 08:12
Ace Editor Embedding in Bootstrap 3 container
<!DOCTYPE html>
<html lang="en">
<head>
<title>ACE in Action</title>
<style type="text/css" media="screen">
#editor {
height: 300px;
}
</style>
</head>
@jbfuzier
jbfuzier / gist:7ee6ecdb716f8bb69c8555b437abef08
Created February 13, 2017 17:32
Python Timezone conversion
from dateutil import tz
tzone = tz.gettz('Europe/Paris')
utc = tz.gettz('UTC')
# Make datetime object timezone aware
datetime_local = datetime_local.replace(tzinfo=tzone)
# Do the timezone change
date_utc = datetime_local.astimezone(utc)
@Neo23x0
Neo23x0 / config-client.xml
Last active May 17, 2021 04:14
Sysmon Base Configuration - Workstations
<!--
This is a Microsoft Sysmon configuration to be used on Windows workstations
v0.2.1 December 2016
Florian Roth (with the help and ideas of others)
The focus of this configuration is
- malware detection (execution)
- malware detection (network connections)
- exploit detection
It is not focussed on
@bkifft
bkifft / amiiscript.sh
Created September 24, 2016 18:34
#!/bin/bash
#requirements:
#sha1sum (part of coreutils)
#xxd (part of vim)
#https://github.com/socram8888/ulread
#https://github.com/socram8888/amiitool
#put ulread, ulwrite and amiitool in the same directory as this script
if [ $# -ne 2 ]
@marcan
marcan / smbloris.c
Last active November 22, 2022 08:32
SMBLoris attack proof of concept
/* SMBLoris attack proof-of-concept
*
* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
*
* Licensed under the terms of the 2-clause BSD license.
*
* This is a proof of concept of a publicly disclosed vulnerability.
* Please do not go around randomly DoSing people with it.
*
* Tips: do not use your local IP as source, or if you do, use iptables to block
@duzun
duzun / arch_enable_bbr.sh
Last active March 3, 2023 09:07
Enable TCP BBR
#!/bin/bash
#
# A script to enable TCP BBR on a Linux system.
#
# @author Dumitru Uzun (DUzun.Me)
# @version 1.0.0
# @distro ArchLinux/Manjaro
#
old_cc=`sysctl net.ipv4.tcp_congestion_control | awk -F= '{print $2}' | sed -e s/\^\\s//`
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active January 28, 2024 08:19
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@tothi
tothi / krbrelay_privesc_howto.md
Last active March 1, 2024 12:26
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active March 7, 2024 21:57
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@rain-1
rain-1 / Wannacrypt0r-FACTSHEET.md
Last active March 10, 2024 11:03 — forked from Epivalent/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru