gbaman

Raspberry Pi Zero OTG Mode

Simple guide for setting up OTG modes on the Raspberry Pi Zero - By Andrew Mulholland (gbaman).

The Raspberry Pi Zero (and model A and A+) support USB On The Go, given the processor is connected directly to the USB port, unlike on the B, B+ or Pi 2 B, which goes via a USB hub.
Because of this, if setup to, the Pi can act as a USB slave instead, providing virtual serial (a terminal), virtual ethernet, virtual mass storage device (pendrive) or even other virtual devices like HID, MIDI, or act as a virtual webcam!
It is important to note that, although the model A and A+ can support being a USB slave, they are missing the ID pin (is tied to ground internally) so are unable to dynamically switch between USB master/slave mode. As such, they default to USB master mode. There is no easy way to change this right now.
It is also important to note, that a USB to UART serial adapter is not needed for any of these guides, as may be documented elsewhere across the int

ttimasdf

Usage

curl -sSL https://gist.githubusercontent.com/ttimasdf/ef739670ac5d627981c5695adf4c8f98/raw/autossh@host1 | \
  sudo tee /etc/default/autossh@example
curl -sSL https://gist.githubusercontent.com/ttimasdf/ef739670ac5d627981c5695adf4c8f98/raw/autossh@.service | \
  sudo tee /etc/systemd/system/autossh@.service

sudo useradd -g nogroup -s /bin/false -m tunnel
sudo -u tunnel mkdir -p ~tunnel/.ssh # and copy your private key here

exp0se

# Logparser 


###############
# Security Log
###############

# Find Event id
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'"

Neo23x0

<!--
   This is a Microsoft Sysmon configuation to be used on Windows server systems
   v0.2.1 December 2016
   Florian Roth

   The focus of this configuration is
   - hacking activity on servers / lateral movement (bad admin, attacker)
   It is not focussed on
   - malware detection (execution)
   - malware detection (network connections)

frxstrem

'''
Establish a socket connection through an HTTP proxy.

Author: Fredrik Østrem <frx.apps@gmail.com>

License:
  Copyright 2013 Fredrik Østrem

  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
  documentation files (the "Software"), to deal in the Software without restriction, including without

rain-1

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

• Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
• Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
• Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
• Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

gladiatx0r

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

tothi

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

• LDAP signing not required on Domain Controller (default!)

Neo23x0

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

duzun

#!/bin/bash
#
# A script to enable TCP BBR on a Linux system.
#
# @author Dumitru Uzun (DUzun.Me)
# @version 1.0.0
# @distro ArchLinux/Manjaro
#

old_cc=`sysctl net.ipv4.tcp_congestion_control | awk -F= '{print $2}' | sed -e s/\^\\s//`