Skip to content

Instantly share code, notes, and snippets.

View raystyle's full-sized avatar

ray raystyle

45 followers · 21 following
  • beijing
View GitHub Profile
@raystyle
raystyle / protoanomalies.rules
Created April 30, 2024 06:10 — forked from mpurzynski/protoanomalies.rules
Suricata rules for protocol anomalies
alert tcp any any -> any !80 (msg:"SURICATA HTTP on unusual port"; flow:to_server; app-layer-protocol:http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271001; rev:1;)
alert tcp any any -> any 80 (msg:"SURICATA non-HTTP on TCP port 80"; flow:to_server; app-layer-protocol:!http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271002; rev:1;)
alert tcp any any -> any ![443,465,587] (msg:"SURICATA TLS on unusual port"; flow:to_server; app-layer-protocol:tls; threshold: type limit, track by_src, seconds 60, count 1; sid:2271004; rev:1;)
alert tcp any any -> any [443,465] (msg:"SURICATA non-TLS on TLS port"; flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, seconds 60, count 1; sid:2271003; rev:1;)
alert tcp any any -> any ![20,21] (msg:"SURICATA FTP on unusual TCP port"; flow:to_server; app-layer-protocol:ftp; threshold: type limit, track by_src, seconds 60, count 1; sid:2271005; rev:1;)
alert tcp any any -> any [20,21] (msg:"SURICATA non-FTP on TCP
@raystyle
raystyle / Invoke-GhostTask.ps1
Created January 5, 2024 09:13 — forked from Workingdaturah/Invoke-GhostTask.ps1
A PS1 Script intended to edit Scheduled Tasks via Registry Keys
function Invoke-GhostTask {
param (
[string]$TaskName,
[switch]$ShowTasks,
[string]$Id,
[string]$TargetTask,
[string]$TargetBinary,
[string]$Date,
[string]$Help
)
@raystyle
raystyle / decryptKerbTicket.py
Created December 13, 2023 10:33 — forked from xan7r/decryptKerbTicket.py
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python2
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./Administrator@TESTLAB.LOCAL_krbtgt~TESTLAB.LOCAL@TESTLAB.LOCAL.ccaches
@raystyle
raystyle / 2003build.md
Last active September 6, 2023 17:46
@raystyle
raystyle / rpc_dump_august.txt
Created October 24, 2018 08:17 — forked from masthoon/rpc_dump_rs4.txt
RPC interfaces dump August 2018
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
64
Interfaces :
Endpoints :
@raystyle
raystyle / cloudflare.sh
Created August 4, 2023 02:14 — forked from Manouchehri/cloudflare.sh
Allow CloudFlare only
# Source:
# https://www.cloudflare.com/ips
# https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
# Avoid racking up billing/attacks
# WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
@raystyle
raystyle / tls-keylogger.ps1
Created July 31, 2023 04:23 — forked from jborean93/tls-keylogger.ps1
Logs Wireshark compatible TLS keys like the SSLKEYLOGFILE env var
#Requires -Module PSDetour
[CmdletBinding()]
param (
[Parameter(Mandatory)]
[string]
$LogPath
)
$LogPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($LogPath)
@raystyle
raystyle / Pwn2Own2021MSExchangeExploit.py
Created January 6, 2023 06:25 — forked from rskvp93/Pwn2Own2021MSExchangeExploit.py
import base64
import re
import xml.dom.minidom
import json
import uuid
import struct
import string
import random
import hashlib
import time
@raystyle
raystyle / log4j_rce_check.py
Created December 10, 2021 08:28 — forked from byt3bl33d3r/log4j_rce_check.py
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (https://www.lunasec.io/docs/blog/log4j-zero-day/)
#! /usr/bin/env python3
'''
Needs Requests (pip3 install requests)
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
@raystyle
raystyle / jupyter.md
Created December 1, 2021 02:51 — forked from gist4ray/jupyter.md
ngnix双向https配置