🙃
Staring intensely at my macbook screen

noncetonic n0ncetonic

@n0ncetonic
n0ncetonic / scraping.js
Last active August 20, 2023 03:16
Archiving Apple's Developer Documentation Archive
// ninjaVanish hides from webdriver/headless browser detection
//
// Focused specifically on HeadlessChrome / Puppeteer.
// When using Puppeteer this should be instrumented with the
// `Page.evaluateOnNewDocument()` method, which injects our code
// after the document is created but before any of its scripts run
//
// Techniques leveraged are:
// - Removes "Headless" from User-Agent
// - Deletes `navigator.webdriver` to mimic standard navigator object properties
property delayInterval : 15 -- seconds
on run
activate
tell application "System Events" to set UIAccessStatus to UI elements enabled
end run
on idle
try
tell application "System Events"
tell process "NotificationCenter"
@n0ncetonic
n0ncetonic / pathogen.sh
Created April 3, 2019 02:03
Command Injection via Homebrew $PATH trickery
#!/bin/bash
# Command Injection via Homebrew $PATH trickery
# n0ncetonic
# Blacksun Research Labs 2019
# https://github.com/n0ncetonic
# https://github.com/BlacksunLabs
banner=$(/bin/cat <<EOF
@n0ncetonic
n0ncetonic / .htaccess
Created June 9, 2018 15:27 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
RewriteEngine On
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN
# AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
RewriteCond expr "-R '54.0.0.0/8'" [OR]
RewriteCond expr "-R '52.0.0.0/8'" [OR]
@n0ncetonic
n0ncetonic / aliases.txt
Created March 8, 2019 02:47
Just some bash aliases I find useful
vim -c 'execute "silent !echo " . &fileencoding | q' <file> # Extremely good file encoding detection
@n0ncetonic
n0ncetonic / TCC_Services.md
Created March 7, 2019 05:56
macOS Automation Research

Strings dump of TCC.framework as a starting point

$ strings /System/Library/PrivateFrameworks/TCC.framework/TCC | grep kTCCService

kTCCServiceAll
kTCCServiceAddressBook
kTCCServiceCalendar
kTCCServiceReminders
kTCCServiceTwitter
kTCCServiceFacebook
@n0ncetonic
n0ncetonic / MegaBonusCashbackExtDetect.js
Created September 4, 2018 17:48
Cashback Ext Detection
var detectExt = {
is_install: "",
/**
* Look for the extension in Chrome
* @param onload
* @param onerror
*/
detect_ext_chrome: function (onload, onerror) {
var detect = function (base, if_installed, if_not_installed) {
var s = document.createElement('script');
@n0ncetonic
n0ncetonic / gimmeAuthToken
Created June 15, 2018 00:10
macOS < 10.13 Keychain-less Passwordless iCloud authentication token dumper
#!/bin/bash
#filename :gimmeAuthToken
#description :macOS < 10.13 Keychain-less Passwordless iCloud authentication token dumper
#author :noncetonic
#date :20180614
#version :0.1
#usage :./gimmeAuthToken
#notes :Leverages the Accounts(3|4).sqlite file to dump cached plaintext iCloud tokens
#copyright :© 2018 Blacksun Labs
#===============================================================================

Intercepts HTTPS Traffic with Python & mitmproxy

Introduction

Modern applications usually rely on back-end API servers to provide their services. With a non-transparent HTTPS proxy that intercepts the communication between clients and servers (the man-in-the-middle setup), you can easily manipulate both API requests and responses.

This manual helps you create your own proxy with Python and mitmproxy/libmproxy. Mitmproxy ships with both a standalone command-line tool (mitmproxy) and a Python library (libmproxy).

@n0ncetonic
n0ncetonic / xcode_markdown.py
Created June 11, 2018 14:41 — forked from pudquick/xcode_markdown.py
Abuse Xcode's embedded CommonMark framework to generate HTML from markdown
# hax hax hax hax hax
import ctypes, os, sys
newstderr = os.dup(2) # This is to mute dyld LC_RPATH warnings
os.dup2(os.open('/dev/null', os.O_WRONLY), 2) # because we're loading Xcode frameworks from python
CM = ctypes.CDLL('/Applications/Xcode.app/Contents/SharedFrameworks/DVTMarkup.framework/Versions/A/Frameworks/CommonMark.framework/CommonMark')
os.dup2(newstderr, 2) # Put the real stderr back on fd 2 so later C-level errors are visible too
sys.stderr = os.fdopen(newstderr, 'w') # This restores Python's stderr
# Public cmark API: char *cmark_markdown_to_html(const char *text, size_t len, int options)
cmark_markdown_to_html = CM.cmark_markdown_to_html
cmark_markdown_to_html.restype = ctypes.c_char_p
cmark_markdown_to_html.argtypes = [ctypes.c_char_p, ctypes.c_size_t, ctypes.c_int]
if __name__ == '__main__':
    md = (sys.argv[1] if len(sys.argv) > 1 else '# hello').encode('utf-8')
    print(cmark_markdown_to_html(md, len(md), 0).decode('utf-8'))