keyboardcrunch
@gmurdocca
gmurdocca / socat_caesar_dpi.md
Last active June 28, 2024 15:53
Circumventing Deep Packet Inspection with Socat and rot13

I have a Linux virtual machine inside a customer's private network. For security, this VM is reachable only via VPN + Citrix + Windows + a Windows SSH client (e.g. PuTTY). I am tasked to ensure this Citrix design is secure, and users cannot access their Linux VMs or other resources on the internal private network in any way outside of using Citrix.

The VM can access the internet. This task should be easy. The VM's internet gateway allows it to connect anywhere on the internet to TCP ports 80, 443, and 8090 only. Connecting to an internet bastion box on one of these ports works and I can send and receive clear text data using netcat. I plan to use good old SSH, listening on tcp/8090 on the bastion, with a reverse port forward configured to expose sshd on the VM to the public, to show their Citrix gateway can be circumvented.

Rejected by Deep Packet Inspection

I hit an immediate snag. The moment I try to establish an SSH or SSL connection over o

@mgraeber-rc
mgraeber-rc / EventDiff.ps1
Created May 28, 2021 14:45
Display only new event log events - I refer to this as event log differential analysis
# Log the time prior to executing the action.
# This will be used as part of an event log XPath filter.
$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)
# Do the thing now that you want to see potential relevant events surface...
$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly
# Allow a moment to allow events to populate
Start-Sleep -Seconds 5
@mgraeber-rc
mgraeber-rc / MITRE_Attack_WindowsAppControl.csv
Created February 8, 2021 18:58
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
ID,Name,MitigatedByAppControl,Notes
T1001,Data Obfuscation,Not Applicable,Relevant sub-techniques addressed below
T1001.001,Junk Data,No,Technique is not necessarily related to the execution of arbitrary code on an endpoint.
T1001.002,Steganography,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1001.003,Protocol Impersonation,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1003,OS Credential Dumping,Not Applicable,Relevant sub-techniques addressed below
T1003.001,LSASS Memory,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.002,Security Account Manager,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.003,NTDS,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.004,LSA Secrets,Limited,Built-in utilities exist to perform this technique.
@jdgregson
jdgregson / email-switch.html
Last active January 9, 2022 05:25
HTML which allows you to present different email content to Outlook and OWA/Outlook for iOS/Outlook for Android. See here for reference: https://twitter.com/jdgregson/status/1356444039445237760
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if gte mso 9]><!-->
<meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge">
<!--[if !mso]><!-->
<!--<!-->
<!--[if gte mso 9]><!-->
<h1>You're viewing this in one of the following:
<ul>
@michaelweber
michaelweber / Aug 10 ZLoader vs Aug 8 Zloader.md
Last active August 12, 2020 15:23
Comparing ZLoader XLM Content

Here's a rough dump of the macros for these two ZLoader payloads using my tool Macrome. One was first seen on August 8th by Abuse.ch, the other was identified by @jcarndt on August 10th. The files are functionally identical, but there are some minor differences that have probably contributed to signature evasion:

  1. User defined functions are being passed random arguments - this changes the BIFF record signature entirely. Note that the arguments aren't actually used. In the Aug 8 sample you'd see something like Formula[GK11912]: EokdmdoLRXOG(), in the Aug 10 sample we see Formula[DK4376]: SnJUk(81003). That value 81003 is used purely to change the look of the invocation on disk - if you were trying to count a bunch of user defined f
@mattifestation
mattifestation / XLM_Analysis_Notes.md
Last active September 13, 2022 19:03
Excel 4 Macro Analysis Notes

Excel Spreadsheet Hash

VT Link: https://www.virustotal.com/gui/file/d9f00024784af858627a44731950ccb50fe3f37bf940ed47ae7b1ca35ac5ceff/detection

SHA256: D9F00024784AF858627A44731950CCB50FE3F37BF940ED47AE7B1CA35AC5CEFF

File Name: 2aKqjPrdo1-7192.xls

Analysis Code

let MayRCE = dynamic(["CVE-2020-0901","CVE-2020-1023","CVE-2020-1024","CVE-2020-1028","CVE-2020-1035","CVE-2020-1037","CVE-2020-1051","CVE-2020-1058","CVE-2020-1060","CVE-2020-1061","CVE-2020-1062","CVE-2020-1064","CVE-2020-1065","CVE-2020-1067","CVE-2020-1069","CVE-2020-1092","CVE-2020-1093","CVE-2020-1096","CVE-2020-1102","CVE-2020-1117","CVE-2020-1126","CVE-2020-1136","CVE-2020-1150","CVE-2020-1153","CVE-2020-1171","CVE-2020-1174","CVE-2020-1175","CVE-2020-1176","CVE-2020-1192"]);
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId in (MayRCE)
| summarize CVECount = dcount(CveId) by DeviceName, OSPlatform
@0xtornado
0xtornado / 0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
Created April 30, 2020 14:11
CyberChef recipe to extract and decode Shellcode from a Cobalt Strike beacon
[{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}]
@mvelazc0
mvelazc0 / GetSystem.cs
Last active December 7, 2020 15:42
Escalates to SYSTEM leveraging OpenProcess, OpenProcessToken and ImpersonateLoggedOnUser. https://attack.mitre.org/beta/techniques/T1134/. Needs to run as a High Integrity proc. Needs SeDebugPrivilege
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
//Based on https://0x00-0x00.github.io/research/2018/10/17/Windows-API-and-Impersonation-Part1.html
namespace GetSystem
{
class Program
{
@bontchev
bontchev / unhide.py
Last active February 16, 2024 15:55
A script for unhiding hidden Excel sheets
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from __future__ import print_function
import os
import sys
try:
import olefile