@rvrsh3ll
Last active May 16, 2024 23:58
<#
The purpose of this script is to attempt to set off alarms on security products.
#>
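function Get-RandomString {
    # Get-RandomString.ps1
    # Written by Bill Stewart (bstewart@iname.com)
    #requires -version 2
    <#
    .SYNOPSIS
    Outputs random strings.
    .DESCRIPTION
    Outputs one or more random strings containing specified types of characters.
    Every selected character class is guaranteed to appear at least once in each string.
    .PARAMETER Length
    Specifies the length of the output string(s). The default value is 8. You cannot specify a value less than 4.
    .PARAMETER LowerCase
    Specifies that the string must contain lowercase ASCII characters (default). Specify -LowerCase:$false if you do not want the random string(s) to contain lowercase ASCII characters.
    .PARAMETER UpperCase
    Specifies that the string must contain uppercase ASCII characters.
    .PARAMETER Numbers
    Specifies that the string must contain number characters (0 through 9).
    .PARAMETER Symbols
    Specifies that the string must contain typewriter symbol characters.
    .PARAMETER Count
    Specifies the number of random strings to output. A value of 0 outputs nothing.
    .EXAMPLE
    PS C:\> Get-RandomString
    Outputs a string containing 8 random lowercase ASCII characters.
    .EXAMPLE
    PS C:\> Get-RandomString -Length 14 -Count 5
    Outputs 5 random strings containing 14 lowercase ASCII characters each.
    .EXAMPLE
    PS C:\> Get-RandomString -UpperCase -LowerCase -Numbers -Count 10
    Outputs 10 random 8-character strings containing uppercase, lowercase, and numbers.
    .EXAMPLE
    PS C:\> Get-RandomString -Length 32 -LowerCase:$false -Numbers -Symbols -Count 20
    Outputs 20 random 32-character strings containing numbers and typewriter symbols.
    .EXAMPLE
    PS C:\> Get-RandomString -Length 4 -LowerCase:$false -Numbers -Count 15
    Outputs 15 random 4-character strings containing only numbers.
    .NOTES
    Characters are picked with Get-Random, which is not documented as a
    cryptographically secure generator. The output is suitable for filler
    values such as test labels; do not use it for passwords or keys.
    #>
    param(
        [UInt32] $Length=8,
        [Switch] $LowerCase=$TRUE,
        [Switch] $UpperCase=$FALSE,
        [Switch] $Numbers=$FALSE,
        [Switch] $Symbols=$FALSE,
        [Uint32] $Count=1
    )

    if ($Length -lt 4) {
        throw "-Length must specify a value greater than 3"
    }
    if (-not ($LowerCase -or $UpperCase -or $Numbers -or $Symbols)) {
        throw "You must specify one of: -LowerCase -UpperCase -Numbers -Symbols"
    }

    # One entry per character class: whether the caller asked for it and the
    # ASCII characters it contains. The order (lower, upper, number, symbol)
    # is the order in which the classes are appended to the pool.
    $symbolCodes = 35,36,42,43,44,45,46,47,58,59,61,63,64,
        91,92,93,95,123,125,126
    $charSets = @(
        @{ Wanted = [bool] $LowerCase; Chars = [Char[]] (97..122) },
        @{ Wanted = [bool] $UpperCase; Chars = [Char[]] (65..90) },
        @{ Wanted = [bool] $Numbers;   Chars = [Char[]] (48..57) },
        @{ Wanted = [bool] $Symbols;   Chars = [Char[]] $symbolCodes }
    )

    # Pool of characters that random picks are drawn from.
    $charList = @()
    foreach ($set in $charSets) {
        if ($set.Wanted) { $charList += $set.Chars }
    }

    # Returns True if the string contains at least one character
    # from the array, or False otherwise (case-sensitive).
    function test-stringcontents([String] $test, [Char[]] $chars) {
        foreach ($char in $test.ToCharArray()) {
            if ($chars -ccontains $char) { return $TRUE }
        }
        return $FALSE
    }

    # A counted loop instead of "1..$Count": the range 1..0 enumerates 1 and 0,
    # so -Count 0 used to emit two strings instead of none.
    for ($n = 0; $n -lt $Count; $n++) {
        # Regenerate until every requested class is represented. This always
        # terminates in practice because Length >= 4 and there are at most
        # four classes.
        do {
            $output = ""
            foreach ($i in 1..$Length) {
                $output += $charList[(Get-Random -Maximum $charList.Length)]
            }

            $allPresent = $TRUE
            foreach ($set in $charSets) {
                if ($set.Wanted -and -not (test-stringcontents $output $set.Chars)) {
                    $allPresent = $FALSE
                }
            }
        }
        until ($allPresent)

        # Output the string.
        $output
    }
}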
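function Start-DNSC2 {
    <#
    .SYNOPSIS
    Emits DNS TXT lookups for random sub-domains of a domain so that DNS C2 / DNS tunnelling detections can be exercised.
    Author: Steve Borosh (@rvrsh3ll)
    License: BSD 3-Clause
    Required Dependencies: Get-RandomString (defined in this file), Resolve-DnsName
    Optional Dependencies: None
    .DESCRIPTION
    For each request a random label is generated with Get-RandomString and
    "<label>.<Domain>" is resolved as a TXT record with Resolve-DnsName -DnsOnly.
    Resolver errors are discarded, so a failed lookup is silent; run with
    -Verbose to see every name that is queried and confirm on the monitoring
    side that the queries were actually observed.
    .PARAMETER Domain
    Parent domain the random labels are placed under. Required; an empty value throws.
    .PARAMETER SubDomainLength
    Length of the random label. Defaults to the longest value that still gives a
    valid name: at most 63 characters per label and 253 characters for the whole
    name. Larger values are reduced to that limit with a warning. Values below 4
    are rejected by Get-RandomString.
    .PARAMETER Requests
    Number of lookups to send. The default is 1. A value of 0 or less sends nothing.
    .PARAMETER DelaySeconds
    Seconds to wait between lookups. The default is 120. Use 0 for no delay.
    .EXAMPLE
    PS C:\> Start-DNSC2 -Domain <domain-you-control> -Requests 5 -DelaySeconds 10 -Verbose
    Sends five TXT lookups for random sub-domains, ten seconds apart.
    #>
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $false, Position = 0)]
        [string]
        $Domain,
        [Parameter(Mandatory = $false, Position = 1)]
        [string]
        $SubDomainLength,
        [Parameter(Mandatory = $false, Position = 2)]
        [int]
        $Requests = 1,
        [Parameter(Mandatory = $false, Position = 3)]
        [int]
        $DelaySeconds = 120
    )
    Begin {
    }
    Process {
        # Without a parent domain the query name would be "<label>." and the
        # lookup would go to the root instead of the intended test zone.
        if ([string]::IsNullOrEmpty($Domain)) {
            throw "-Domain must specify the parent domain to query"
        }

        # A single DNS label is limited to 63 characters and the whole name to
        # 253 characters (including the dot that joins label and domain).
        # The previous default of 255 - $Domain.Length always produced an
        # invalid name, and because errors are discarded the run looked
        # successful while no usable query left the host.
        $maxLabelLength = [Math]::Min(63, 253 - $Domain.Length - 1)
        if ($maxLabelLength -lt 4) {
            throw "-Domain is too long to add a random sub-domain of at least 4 characters"
        }

        if (!$SubDomainLength) {
            $labelLength = $maxLabelLength
        }
        else {
            # The parameter is declared as [string]; convert once, up front.
            $labelLength = [int] $SubDomainLength
            if ($labelLength -gt $maxLabelLength) {
                Write-Warning "SubDomainLength $labelLength exceeds the DNS limit for this domain; using $maxLabelLength"
                $labelLength = $maxLabelLength
            }
        }

        Write-Output "[*] Emulating DNS C2 Traffic.."
        # Counted loop: the old do/while with "-lt" sent Requests - 1 lookups
        # for any Requests greater than 1.
        for ($Counter = 1; $Counter -le $Requests; $Counter++) {
            # Get Random sub-domain of x length
            $SubDomain = Get-RandomString -Length $labelLength -UpperCase
            Write-Verbose "[*] Resolving ${SubDomain}.${Domain}"
            # Error stream is dropped on purpose: NXDOMAIN is the expected
            # answer for a random label.
            Resolve-DnsName -Name "${SubDomain}.${Domain}" -Type TXT -DnsOnly 2> $null
            # Pause between lookups only, not after the final one.
            if ($DelaySeconds -and $Counter -lt $Requests) {
                Start-Sleep -Seconds $DelaySeconds
            }
        }
        Write-Output "[*] Done!"
    }
    End {
    }
}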
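function Start-APTDNSLookups {
    <#
    .SYNOPSIS
    Emits DNS TXT lookups for domains published as APT28 / APT32 indicators so that threat-intel based DNS detections can be exercised.
    Author: Steve Borosh (@rvrsh3ll)
    License: BSD 3-Clause
    Required Dependencies: Resolve-DnsName
    Optional Dependencies: None
    .DESCRIPTION
    Picks a random domain from the indicator list of the selected group and
    resolves it as a TXT record with Resolve-DnsName -DnsOnly. All output and
    errors from the lookup are discarded; run with -Verbose to see which names
    were queried and confirm on the monitoring side that an alert was raised.
    The lookups go to the configured resolver and on to the real name servers
    for these domains, so the queries are visible upstream. The lists come from
    the public reports cited in the Begin block, and the domains may have
    changed ownership since publication.
    .PARAMETER APTGroup
    Indicator list to draw from: APT28 or APT32. Declared mandatory, so the
    default value in the signature is never applied.
    .PARAMETER Requests
    Number of lookups to send. The default is 1. A value of 0 or less sends nothing.
    .PARAMETER DelaySeconds
    Seconds to wait between lookups. The default is 120. Use 0 for no delay.
    .EXAMPLE
    PS C:\> Start-APTDNSLookups -APTGroup APT32 -Requests 3 -DelaySeconds 30 -Verbose
    Sends three TXT lookups for randomly chosen APT32 indicator domains, thirty seconds apart.
    #>
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $True, Position = 0)]
        [ValidateSet("APT28","APT32")]
        [string]
        $APTGroup = "APT28",
        [Parameter(Mandatory = $false, Position = 1)]
        [int]
        $Requests = 1,
        [Parameter(Mandatory = $false, Position = 2)]
        [int]
        $DelaySeconds = 120
    )
    Begin {
        # APT28 https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
        $apt28domains = @("standardnevvs.com","novinitie.com","n0vinite.com","q0v.pl","mail.q0v.pl","poczta.mon.q0v.pl","kavkazcentr.info","mil.am")
        # APT32 https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
        $apt32domains = @("blog.docksugs.org","blog.panggin.org","contay.deaftone.com","check.paidprefund.org","datatimes.org","docksugs.org","economy.bloghop.org","emp.gapte.name","facebook-cdn.net","gap-facebook.com","gl-appspot.org","help.checkonl.org","high.expbas.net","high.vphelp.net","icon.torrentart.com","images.chinabytes.info","imaps.qki6.com","img.fanspeed.net","job.supperpow.com","lighpress.info","menmin.strezf.com","mobile.pagmobiles.info","news.lighpress.info","notificeva.com","nsquery.net","pagmobiles.info","paidprefund.org","push.relasign.org","relasign.org","share.codehao.net","seri.volveri.net","ssl.zin0.com","static.jg7.org","syn.timeizu.net","teriava.com","timeizu.net","tonholding.com","tulationeva.com","untitled.po9z.com","update-flashs.com","vieweva.com","volveri.net","vphelp.net","yii.yiihao126.net","zone.apize.net")
    }
    Process {
        # Use the list that matches the requested group. The loop previously
        # always drew from $apt28domains, so -APTGroup APT32 never produced an
        # APT32 lookup and an APT32 detection could not fire.
        switch ($APTGroup) {
            "APT32" { $groupDomains = $apt32domains }
            default { $groupDomains = $apt28domains }
        }

        Write-Output "[*] Emulating DNS Lookups for $APTGroup"
        # Counted loop: the old do/while with "-lt" sent Requests - 1 lookups
        # for any Requests greater than 1.
        for ($Counter = 1; $Counter -le $Requests; $Counter++) {
            # -InputObject makes it explicit that one list element is picked.
            $Domain = Get-Random -InputObject $groupDomains
            Write-Verbose "[*] Resolving $Domain"
            # Only the act of querying matters here; discard records and errors.
            $null = Resolve-DnsName -Name $Domain -Type TXT -DnsOnly 2>&1
            # Pause between lookups only, not after the final one.
            if ($DelaySeconds -and $Counter -lt $Requests) {
                Start-Sleep -Seconds $DelaySeconds
            }
        }
        Write-Output "[*] Finished!"
    }
    End {
    }
}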