Skip to content

Instantly share code, notes, and snippets.

Avatar

Thomas Patzke thomaspatzke

  • Code published here is private and not affiliated with my employer.
  • Germany
View GitHub Profile
View mitre_attack_oneliners.sh
# Requires: curl, jq
# Download MITRE ATT&CK data from GitHub repository
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
# List all ATT&CK object types
jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json
# List all ATT&CK technique identifiers
jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
View Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID
@thomaspatzke
thomaspatzke / Burp-CSRFRandomName.py
Created Feb 15, 2017
Burp Session Handling Extension: CSRF tokens with random parameter names
View Burp-CSRFRandomName.py
from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener)
import re
class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener):
def registerExtenderCallbacks(self, callbacks):
self.callbacks = callbacks
self.helpers = callbacks.getHelpers()
callbacks.setExtensionName("Handling of CSRF Tokens with Random Names")
self.callbacks.registerSessionHandlingAction(self)
self.callbacks.registerHttpListener(self)
@thomaspatzke
thomaspatzke / proxy_http_connect-portscanner.sh
Created Sep 1, 2016
Simple HTTP CONNECT Proxy Portscanner
View proxy_http_connect-portscanner.sh
for (( p=0; p <= 65535; p++ )); do echo "Probing port $p"; echo -n "Port $p: " >> portscan.log; (echo CONNECT targethost:$p HTTP/1.1; echo) | nc -q 3 proxyhost proxyport | head -1 >> portscan.log; done
@thomaspatzke
thomaspatzke / nmap-open-ports.sh
Last active Nov 6, 2019
Extract all open ports in Host:Port format from nmap XML output
View nmap-open-ports.sh
xmlstarlet sel -t -m '//port/state[@state="open"]/parent::port' -v 'ancestor::host/address/@addr' -o : -v './@portid' -n nmap-output.xml
@thomaspatzke
thomaspatzke / create_deleter.py
Created Jan 30, 2016
Create file deletion script from two 'openssl sha1' outputs. Deletions are done in files referenced in source hash file.
View create_deleter.py
#!/usr/bin/python3
from sys import argv, exit
import re
hashline_re = re.compile('^SHA1\((.*?)\)= (.*)$')
dsthashes = dict()
if len(argv) < 4:
@thomaspatzke
thomaspatzke / net-config.sh
Created Jan 19, 2016
Shell script to quickly switch between real Internet connection (NAT) and simulated (INetSim)
View net-config.sh
#!/bin/bash
case "$1" in
router)
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
systemctl start dnsmasq.service
;;
router-stop)
sysctl -w net.ipv4.ip_forward=0
@thomaspatzke
thomaspatzke / hexdump.py
Last active Aug 29, 2015
Hex-only dump in Python in one line
View hexdump.py
print("\n".join([" ".join(["{:02x}".format(c) for c in bin[i:i+16]]) for i in range(0, len(bin), 16)]))
@thomaspatzke
thomaspatzke / CSRFToken.py
Created Feb 3, 2015
Burp extension: extract CSRF tokens from responses of selected Burp tools and update them with a custom session handling rule.
View CSRFToken.py
from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener)
import re
class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener):
def registerExtenderCallbacks(self, callbacks):
self.callbacks = callbacks
self.helpers = callbacks.getHelpers()
callbacks.setExtensionName("Session CSRF Token Handling")
self.callbacks.registerSessionHandlingAction(self)
self.callbacks.registerHttpListener(self)
@thomaspatzke
thomaspatzke / Burp-SessionHandlingActionReplaceIDInResponse.py
Created Feb 2, 2015
This is a template for a Burp extension that can be used as session handling macro action. It pulls an identifier (here: last part of location header from redirection response) from the first macro response and puts it in the given place of the current request (here: last URL path component). Adapt as needed at the places marked with "CONFIG" co…
View Burp-SessionHandlingActionReplaceIDInResponse.py
from burp import (IBurpExtender, ISessionHandlingAction)
import re
class BurpExtender(IBurpExtender, ISessionHandlingAction):
def registerExtenderCallbacks(self, callbacks):
self.callbacks = callbacks
self.helpers = callbacks.getHelpers()
callbacks.setExtensionName("Path Parameter Session Handling Action")
self.callbacks.registerSessionHandlingAction(self)
self.out = callbacks.getStdout()
You can’t perform that action at this time.