joswr1ght /
Created May 10, 2021
Linux server-side connection logging
# Create a chain that logs new connections:
iptables -N LOGNEW
iptables -A LOGNEW -j LOG --log-prefix ' INBOUND TCP ' --log-level 4
iptables -A LOGNEW -j ACCEPT
# Accept packets on existing connections without any fuss:
iptables -A INPUT -p tcp -m state \! --state NEW -j ACCEPT
# Log incoming packets on new connections:
iptables -A INPUT -p tcp -j LOGNEW -m limit --limit 100/sec
# Examine logs
joswr1ght /
Created Mar 31, 2021
Check PATH for Writable Directories for Privesc Opportunity
IFS=:; set -o noglob; for dir in $PATH""; do ls -ld $dir; done
joswr1ght /
Created Mar 16, 2021
SQL Injection Vulnerable Code Scanning Shell Command
# This heinous command searches for SQL injection vulnerable code:
# 1. Use awk to convert multiline strings into a single line
# 2. Fix things up with sed to make line endings normal again
# 3. Search for SQL-related statements
# 4. Search for lines where there are two or more $ variable indicators
# This is a hack. Please don't let this be my legacy.
awk -F"\"" '!$NF{ print; next }{ printf("%s ", $0) }' *.php | sed 's/;/;\n/g;s/}/}\n/g' | grep -iE "select|insert|update|delete" | grep -E "\\$.*\\$"
joswr1ght /
Last active Apr 23, 2021
Extract TLS-Scan Hostnames from Certificate Records
#!/usr/bin/env python3
# Mark Baggett @MarkBaggett graciously wrote this script.
# Minor changes by Joshua Wright @joswr1ght.
# Use it to retrieve host name information from the JSON output of tls-scan
# ( in the subjectCN and subjectAltName
# fields.
import json
import re
import sys
joswr1ght /
Last active Feb 18, 2021
Read a file of network + CIDR masks, one per line; count the number of IP addresses it represents
#!/usr/bin/env python
import sys
def countips(netblock):
    # The number of addresses in an IPv4 netblock is 2^(32 - prefix length)
    cidr = int(netblock.split('/')[1])
    return 2**(32 - cidr)
if (len(sys.argv) != 2):
    print(f"Usage: {sys.argv[0]} <file with CIDR masks>")
joswr1ght / targetnetworks.txt
Created Feb 18, 2021
A list of netblocks with CIDR masks (the AWS us-east-1 range as of 2/17/2021)
joswr1ght /
Created Feb 16, 2021
Get AWS IP Addresses for a Specified Area
wget -qO- | jq '.prefixes[] | if .region == "us-east-1" then .ip_prefix else empty end' -r | head -3
joswr1ght /
Created Dec 22, 2020
Get AWS IP list, filtered by region
# This isn't so much of a script as it is a placeholder for something I don't want to forget
wget -qO- | jq '.prefixes[] | if .region == "us-east-1" then .ip_prefix else empty end' -r

HID/ProxCard Cheat Sheet

Joshua Wright | | DRAFT/Work-in-Progress

| Proxmark3 Iceman Edition Command | Function |
| --- | --- |
| lf hid read | Read from a nearby HID/ProxCard card |
| wiegand list | Display a list of supported Wiegand data formats used by HID cards |
| lf hid sim -r 2006ec0c86 | Simulate a HID/ProxCard with the Wiegand value 2006ec0c86; supply the appropriate Wiegand value for the card you wish to impersonate |
| lf hid sim -w H10301 --fc 118 --cn 16612 | Simulate the card number 16612 with facility code 118 using the H10301 (26-bit HID) format (same as the command above but specifying the FC and CN explicitly) |
joswr1ght / checkhiddensvc.ps1
Last active Oct 27, 2020
Identify Hidden Windows Services
Compare-Object -ReferenceObject (Get-Service | Select-Object -ExpandProperty Name | % { $_ -replace "_[0-9a-f]{2,8}$" } ) -DifferenceObject (gci -path hklm:\system\currentcontrolset\services | % { $_.Name -Replace "HKEY_LOCAL_MACHINE\\","HKLM:\" } | ? { Get-ItemProperty -Path "$_" -name objectname -erroraction 'ignore' } | % { $_.substring(40) }) -PassThru | ?{$_.sideIndicator -eq "=>"}