@milo2012
milo2012 / CVE-2018-15473.py
Created Jun 1, 2020
SSH Username Enumeration (CVE-2018-15473) - Supports IPv6
# Exploit: OpenSSH 7.7 - Username Enumeration
# Author: Justin Gardner
# Date: 2018-08-20
# Software: https://ftp4.usa.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.7.tar.gz
# Affected Versions: OpenSSH version < 7.7
# CVE: CVE-2018-15473
###########################################################################
@milo2012
milo2012 / extractHTTPfromNmap.py
Last active Sep 17, 2019
This script parses an Nmap XML file and extracts the HTTP/HTTPS servers. The problem with Nmap scanning is that it doesn't correctly identify all hosts running HTTP/HTTPS services. This script attempts to fix this issue.
from libnmap.parser import NmapParser
import requests, optparse, os, sys, glob, multiprocessing
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.packages.urllib3.disable_warnings()
timeout=1.0
numOfThreads=2
# This script parses an Nmap XML file and extracts the HTTP/HTTPS servers.
# The problem with Nmap scanning is that it doesn't correctly identify all hosts running HTTP/HTTPS services.
View gist:96ab77e05714915ea22f8c214f838aac
$ sudo python msfHelper1.py nmap__190723_132536.xml
[*] Launching Metasploit msfrpcd
[*] Reading from msfHelper.db
[*] Loaded 474 URI paths from msfHelper.db
[*] Loaded 2982 modules from Metasploit
[List of Unique Service Banners]
-------- ----------------------------------------------------------------------------
21/tcp vsftpd version: 2.3.4 ostype: Unix
@milo2012
milo2012 / checkSSHCiphers.py
Created May 22, 2019
Check SSH Ciphers (works with IPv6)
import paramiko, sys, logging, optparse, os
sys.tracebacklimit = 0
logging.raiseExceptions=False
acceptedCipherList=[]
acceptedMacList=[]
acceptedKeyList=[]
acceptedKexList=[]
cipherList = (
"aes128-ctr",
@milo2012
milo2012 / checkScopeWithNmap.py
Created May 10, 2019
For segmentation tests: compare Nmap XML files against the scope and check which scope ranges were accessible and which weren't.
#!/usr/bin/python -tt
# -*- coding: utf-8 -*-
import sys, glob, optparse
reload(sys)
from netaddr import IPNetwork
from libnmap.parser import NmapParser
ipDict={}
scopeDict={}
accessibleList=[]
@milo2012
milo2012 / exploit_notes_Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002.txt
Last active Feb 22, 2019
Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002
Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002
#Install vulnerable docker version of Jenkins
$ docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.121.2
- Go to http://127.0.0.1:8080
- Install suggested plugins
- Create a user account (admin|admin)
- Click "New Item"
- Under Item Name, enter 'Helloworld', choose 'Pipeline' and click 'OK'
- Under 'Pipeline', untick 'Use Groovy Sandbox' and click 'Save'
@milo2012
milo2012 / sniffCert.py
Created Sep 27, 2018
Sniff and extract the server SSL certificate of a wireless access point (EAP)
#!/usr/bin/python
'''
$ python sniffCert.py -h
Usage: sniffCert.py [options]
Options:
-h, --help show this help message and exit
-i INTERFACENO Interface to sniff
$ python sniffCert.py -i en0
@milo2012
milo2012 / pentesting_ios_apps_on_electra.txt
Last active Nov 4, 2019
Pentesting iOS Applications on Electra 11.1.2
#Burp SSL Certificate on iOS 11
On iOS 11 you can't just install your MITM root cert, you also need to explicitly trust it.
You can do this by:
Settings -> General -> About -> Certificate Trust Settings -> Flip the switch on your cert
----------------------------------------------------------------------------------------------------------------
#GDB on iOS 11
Source: https://shmoo419.github.io/
gdb
ps -ax | grep -i appName
attach [processNo]
View Backdoor Notes
#Creating signed and customized backdoored macOS applications by abusing Apple Developer tools
https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187
Notes:
Place 1) 1Password 7.app (Gatekeeper approved) and 2) StuffIt Expander.app/Backdoor (not approved) in /tmp/apps. You will be allowed to run both 1) and 2) (Gatekeeper bypass).
Alternative one liner:
$ pkgbuild --root /tmp/apps --identifier com.microsoft --install-location /Applications mypackage.pkg
View scada_password_recovery_list.csv
Yokogawa;CENTUM CS 3000 DCS;CENTUM:CENTUM
Yokogawa;EJX910A Multivariable Transmitter HART Communication Type;YOKOGAWA. (to release the Write Protect mode)
Yokogawa;WT 3000 Driver;anonymous:blank (Ethernet access)
Yokogawa;DX1000/DX1000N/DX2000 Advanced;Administrator 1:Admin1 etc./ User 1:User01 etc.
Yokogawa;YFGW410 gateway;admin:!admin
Wonderware;System Platform/Archestra;administrator:blank
Wonderware;Intouch;Administrator:Wonderware
Wonderware;Historian;SQL Server Login: aadbo:pwddbo, wwdbo:pwddbo, aaAdmin:pwAdmin, wwAdmin:wwAdmin, aaPower:pwPower, wwPower:wwPower, aaUser:pwUser, wwUser:wwUser
Westermo;TDW 33;no password, just return, Hardcoded password: n3Y9kA6otYZu8, (?? TD-36)
Westermo;MRD-305-DIN/MRD-310/MRD-315/MRD-330/MRD-355/MRD-350/MRD-455;admin:westermo