Friday, July 6, 2018

PowerShell to look up abuse emails for an IP address

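#$ErrorActionPreference= 'silentlycontinue'
# Look up the abuse-contact e-mail for every IPv4 address in the input file
# (one address per line) through the Abusix abuse-contacts DNS zone, emitting
# one object per address with IP, AbuseEmail and Status (SUCCESS or ERROR).
param(
    # File of IPv4 addresses, one per line. Default is the original hard-coded path.
    [string]$Path = "H:\PowershellPlayground\IPAbuseLookup\IPs.txt"
)

# Abusix answers TXT queries for <octets reversed>.abuse-contacts.abusix.org.
$abusixZone  = 'abuse-contacts.abusix.org'
$ipv4Pattern = '^(\d+)\.(\d+)\.(\d+)\.(\d+)$'

$k = Get-Content $Path
foreach($i in $k)
{
    # Blank lines would only yield a spurious ERROR row; skip them.
    $original = "$i".Trim()
    if ($original -eq '') { continue }

    # Anything that is not a dotted quad cannot be reversed into the zone;
    # report it as ERROR without issuing a DNS query at all.
    if ($original -notmatch $ipv4Pattern) {
        [pscustomobject]@{
            IP = $original
            AbuseEmail = ''
            Status = "ERROR"
        }
        continue
    }
    $reversed = $original -replace $ipv4Pattern, ('$4.$3.$2.$1.' + $abusixZone)
    try
    {
        # -DnsOnly skips the local cache/hosts file; -ErrorAction Stop makes a
        # failed lookup (NXDOMAIN, timeout) land in the catch block below.
        Resolve-DnsName -Type TXT $reversed -DnsOnly -ErrorAction Stop |
            Select-Object @{l='IP';e={$original}}, @{l='AbuseEmail';e={$_.Strings}}, @{l='Status';e={"SUCCESS"}}
    } Catch{
        [pscustomobject]@{
            IP = $original
            AbuseEmail = ''
            Status = "ERROR"
        }
    }
}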

Tuesday, July 3, 2018

PowerShell to download Emotet Word docs

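#$ErrorActionPreference= 'silentlycontinue'
# For each URL in .\urls.txt: download the document, MD5 it, decide whether the
# site is still serving a payload (size > 5000 bytes), look up the host's abuse
# contact via the Abusix DNS zone and, when the site is UP, fetch the
# "<url>.<md5(md5(last path segment))>" stats page. One CSV-style line per URL
# is written to the host: alive,size,url,hash,ip,abuseemail,stats
# NOTE(review): live samples are written under $saveDir; this assumes a
# dedicated, isolated analysis host (the hard-coded path looks like a VM
# profile) — confirm.

$saveDir     = "c:\users\win732\desktop\docs\"
$abusixZone  = 'abuse-contacts.abusix.org'
$ipv4Pattern = '^(\d+)\.(\d+)\.(\d+)\.(\d+)$'

# Lower-case hex MD5 of the UTF-8 bytes of $Text (replaces the two inline
# StringBuilder loops of the original).
function Get-StringMd5([string]$Text) {
    $md5   = [System.Security.Cryptography.HashAlgorithm]::Create("MD5")
    $bytes = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    return ($bytes | ForEach-Object { $_.ToString("x2") }) -join ''
}

# DownloadFile throws if the target directory does not exist.
if (-not (Test-Path -LiteralPath $saveDir)) {
    New-Item -ItemType Directory -Path $saveDir | Out-Null
}
# One WebClient serves every download; no need to recreate it per URL.
$client = New-Object System.Net.WebClient

foreach($url in Get-Content .\urls.txt) {
    $url = "$url".Trim()
    if ($url -eq '') { continue }

    # Per-URL defaults: each field keeps its "not available" value when the
    # corresponding step fails, instead of carrying the previous iteration's.
    $hash = ""; $size = 0; $ip = ""; $abuseemail = "NONE"; $stats = "NONE"; $alive = "DOWN"

    try {
        $uri = [System.Uri]$url
    } catch {
        Write-Warning "skipping malformed URL: $url"
        continue
    }
    $domain     = $uri.Host
    $lastfolder = $uri.Segments[$uri.Segments.Length-1] -replace "/", ""
    # The stats page name is md5(md5(last path segment)) appended to the URL.
    $lastfolderdoublemd5 = Get-StringMd5 (Get-StringMd5 $lastfolder)
    $statsurl = $url + "." + $lastfolderdoublemd5

    # The original saved every URL as "<domain>.doc", so several URLs on the
    # same host overwrote each other's sample and hash; the double MD5 of the
    # path makes the file name unique per URL.
    $savelocation = Join-Path $saveDir ($domain + "-" + $lastfolderdoublemd5 + ".doc")

    try {
        $client.DownloadFile($url, $savelocation)
        $hash = (Get-FileHash $savelocation -Algorithm MD5).Hash
        $size = (Get-Item $savelocation).Length
    } catch {
        # A dead site (404, connection refused, DNS failure) used to abort the
        # whole loop through the .NET exception; now it is just recorded DOWN.
        Write-Warning "download failed for ${url}: $($_.Exception.Message)"
    }
    if($size -gt 5000) { $alive = "UP" } else {$alive = "DOWN"}

    try {
        # First IPv4 address only: GetHostAddresses may return several entries
        # (including IPv6), which made $ip multi-valued and the nslookup
        # command line malformed.
        $ip = ([System.Net.Dns]::GetHostAddresses($domain) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1).IPAddressToString
    } catch {
        $ip = ""
    }
    if (-not [string]::IsNullOrEmpty($ip) -and $ip -match $ipv4Pattern) {
        $reversed = $ip -replace $ipv4Pattern, ('$4.$3.$2.$1.' + $abusixZone)
        $nslookup = & nslookup.exe -q=TXT $reversed
        # The quoted TXT payloads in the nslookup output are the abuse addresses.
        $abuseemail = ([regex]::Matches("$nslookup", '(?<=\").+?(?=\")') | ForEach-Object { $_.Value }) -join ' '
    }
    # MatchCollection.Value is $null (not "") when nothing matched, so the
    # original `-eq ""` test never fired; IsNullOrEmpty covers both cases.
    if ([string]::IsNullOrEmpty($abuseemail)) { $abuseemail = "NONE" }

    if($alive -eq "UP"){
        try {
            # -UseBasicParsing removes the Internet Explorer engine dependency.
            $response = (Invoke-WebRequest $statsurl -UseBasicParsing).RawContent
            $index = $response.IndexOf("UN:")
            # -ge rather than -gt: a marker at offset 0 is still a hit.
            if($index -ge 0){ $stats = $response.Substring($index) }
        } catch {
            Write-Warning "stats request failed for ${statsurl}: $($_.Exception.Message)"
        }
    }
    write-host ($alive, $size, $url, $hash, $ip, $abuseemail, $stats -join ',')
}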

Sunday, June 24, 2018

Infosec quotes - all https

“...
all websites should use HTTPS, even if they don't include private content, sign-in pages, or credit card details
...”




https://twitter.com/troyhunt/status/1010962299123712000?s=21

Saturday, June 23, 2018

Infosec quotes - win 7 and 2008 end of support

571 days remain until Server 2008/2008R2 and Windows 7 end of support.

Infosec quotes - remove FileZilla

Andrew Case:
“...
After reading this thread
https://forum.filezilla-project.org/viewtopic.php?t=48441
I would strongly suggest removing FileZilla from enterprise systems: 
...”

https://twitter.com/attrc/status/1010334619986808832?s=21


Friday, June 22, 2018

Infosec quotes - new NIST

“...
NIST plans to publish the final public draft of Special Publication 800-53, Revision 5 (Security and Privacy Controls for Information Systems and Organizations) on 09-04-18. Final publication expected on 12-27-18.
...”



https://twitter.com/ronrossecure/status/1010005046405287941?s=21 

Thursday, June 21, 2018

Infosec quotes - admin rights

“...
If you want to be secure, users cannot be logged in as an administrator
...”


https://twitter.com/avecto/status/1009357705524514816?s=21