Monday, December 23, 2019

navigator DOM keys

// Print the navigator properties this note is about, one per line, as
// "navigator.<key> = <value>". Properties a browser does not implement
// show up as "undefined" (compare the sample output below).
var navigatorKeys = [
  "appName", "appCodeName", "appVersion", "platform", "vendor",
  "vendorSub", "buildID", "oscpu", "product", "productSub"
];
for (var i = 0; i < navigatorKeys.length; i++) {
  var key = navigatorKeys[i];
  document.write("navigator." + key + " = " + navigator[key] + "<br/>");
}



-----------------
sample output
-----------------
Google Chrome on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
navigator.platform = Win32
navigator.vendor = Google Inc.
navigator.vendorSub =
navigator.buildID = undefined
navigator.oscpu = undefined
navigator.product = Gecko
navigator.productSub = 20030107

-----------------
Internet Explorer on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; rv:11.0) like Gecko
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub = undefined
-----------------
Microsoft Edge on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub = 
-----------------
Firefox ESR on 64-bit Kali Linux
-----------------

navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (X11)
navigator.platform = Linux x86_64
navigator.vendor = 
navigator.vendorSub = 

Friday, December 20, 2019

VirtualBox self-contained local lab, VM to VM

Set the network adapter of both the Kali and Windows VMs to "Internal Network"

on kali type
ifconfig eth0 169.254.18.XXX netmask 255.255.0.0 up

on kali
ping windows

on windows
ping kali

Thursday, December 5, 2019

yaraOneLiner.py

# Run Yara Rules against a file ONE LINE AT A TIME instead of against the whole file

import os
import subprocess
import traceback
import argparse
import sys

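yaraParams = "-s"
tempFileName = "yaraOneLiner.tmp"


def _parse_arguments(argv=None):
    """Build the command-line parser and parse *argv* (sys.argv when None).

    Returns an argparse.Namespace with the attributes yaraExe, inputFileName,
    yaraRuleFile, debug and status.
    """
    arguments = argparse.ArgumentParser("yaraOneLine.py -e yara64.exe -f input.csv -r rule.yar")
    arguments.add_argument("-e", "--yaraExe", type=str, required=True, help="Yara executable to use")
    arguments.add_argument("-f", "--inputFileName", type=str, required=True, help="Input file to yara scan")
    arguments.add_argument("-r", "--yaraRuleFile", type=str, required=True, help="Yara rule file to scan against")
    arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
    arguments.add_argument("-s", "--status", action="store_true", required=False, help="Enable status tracking for large files")
    return arguments.parse_args(argv)


def _run_yara(settings, temp_path):
    """Run the Yara executable once against *temp_path*.

    Returns Yara's decoded stdout, or "" when the process could not be started
    or exited non-zero (the failure is printed, as the original did).
    """
    # Argument list instead of a shell-joined string: paths containing spaces or
    # shell metacharacters are handed to Yara verbatim rather than re-parsed by
    # a shell.
    yaraCommand = [settings.yaraExe, *yaraParams.split(), settings.yaraRuleFile, temp_path]
    shown = " ".join(yaraCommand)
    if settings.debug:
        print("ABOUT TO RUN: %s" % shown)
        input()  # deliberate pause so the temp file can be inspected before Yara runs
        print("STARTED: YARA")
    try:
        raw = subprocess.check_output(yaraCommand)
    except (OSError, subprocess.CalledProcessError) as e:
        failed_output = getattr(e, "output", None) or b""
        print("COMMAND: %s" % shown)
        print("OUTPUT: %s" % failed_output.decode("utf-8", errors="replace"))
        print("ERROR: %s" % e)
        return ""
    # check_output returns bytes; decoding replaces the old str(bytes)/"b'" trimming.
    output = raw.decode("utf-8", errors="replace")
    if settings.debug:
        print("OUTPUT: %s" % output)
    return output


def _report_matches(settings, line, line_number, output, temp_path):
    """Print the Yara result for one input line in the original report layout."""
    if not output:
        if settings.debug:
            print("MATCHES: 0 (no output)")
        return
    # `yara -s` names the scanned file on every rule hit, so the file name in the
    # output is what distinguishes a real match from warnings or other noise.
    if temp_path not in output:
        print("MATCHES: 0 (with output)")
        return
    if settings.debug:
        print("MATCHES: 1+")
    print("MATCH LINE NUMBER %s:" % line_number)
    print(" LINE: %s" % line)  # was `" LINE: %s" + line`, which printed a literal "%s"
    print(" YARA:")
    # splitlines() handles both \n and \r\n; the original split on the escaped
    # text "\\r\\n" of a bytes repr, which never matched Linux output.
    for row in output.rstrip().splitlines():
        # Offset rows ("0x...: $string...") are indented one level deeper than rule rows.
        print(("   %s" if row.startswith("0x") else "  %s") % row)


def scan_file(settings):
    """Scan settings.inputFileName one line at a time with Yara and print matches.

    Each line is written to tempFileName in the current directory, scanned with
    settings.yaraRuleFile, and reported by line number. The temp file is removed
    when the scan finishes, even on error.
    """
    try:
        with open(settings.inputFileName, "r") as lines:
            for line_number, line in enumerate(lines, start=1):
                line = line.rstrip()
                if settings.debug:
                    print("\r\n---\r\nLINE %s: %s" % (line_number, line))
                if settings.status and line_number % 50 == 0:
                    print("STATUS: processing line %s" % line_number)
                with open(tempFileName, "w") as handle:
                    handle.write(line)
                output = _run_yara(settings, tempFileName)
                _report_matches(settings, line, line_number, output, tempFileName)
    finally:
        # The temp file holds the last scanned line; do not leave it behind.
        if os.path.exists(tempFileName):
            os.remove(tempFileName)


if __name__ == "__main__":
    scan_file(_parse_arguments())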

Neo23x0 Sigma Proxy Rules converted to simple Yara

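// User-agent substrings converted from the Neo23x0 Sigma proxy rules (see the
// description meta). Strings are case-sensitive (no nocase), as in the original.
// Two exact duplicates of other strings were dropped ($string93 = $string92,
// $string124 = $string123); matching is unchanged, only `yara -s` lists fewer ids.
rule Neo23x0SigmaUserAgentMatch
{
meta:
 author = "@neonprimetime"
 description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
strings:
 // NOTE(review): several atoms below are very short or generic ("asd", "tiny",
 // "Bot", "sample", "exploit", "ruler", "mdms", "metis", "Netscape",
 // "Internet Explorer", "Telegram", "user-agent", "X-FORWARDED-FOR") and will
 // fire on ordinary traffic; treat a hit on one of them alone as low-confidence
 // and check the upstream Sigma rule before tuning.
 $string1 = "(compatible;MSIE"
 $string2 = "BFAC"
 $string3 = "BGroom"
 $string4 = "CholTBAgent"
 $string5 = "Havij"
 $string7 = "adlib/"
 $string8 = "arachni/"
 $string9 = "asd"
 $string10 = "brutus"
 $string11 = "cgichk"
 $string12 = "changhuatong"
 $string13 = "crimscanner/"
 $string14 = "inspath"
 $string15 = "mdms"
 $string16 = "metis"
 $string17 = "pxyscand"
 $string18 = "tiny"
 $string19 = "vega/"
 $string20 = "whcc/"
 $string21 = "zmeu"
 $string22 = "(Charon; Inferno)"
 $string23 = "(hydra)"
 $string24 = ".0;Windows NT"
 $string25 = "<|>"
 $string26 = "Bot"
 $string27 = "Microsoft Internet Explorer"
 $string28 = "Telegram"
 $string29 = "absinthe"
 $string30 = "bsqlbf"
 $string31 = "core-project/1.0"
 $string32 = "datacha0s"
 $string33 = "dirbuster"
 $string34 = "domino hunter"
 $string35 = "dotdotpwn"
 $string36 = "exploit"
 $string37 = "floodgate"
 $string38 = "get-minimal"
 $string39 = "gootkit auto-rooter scanner"
 $string40 = "grendel-scan"
 $string41 = "internet ninja"
 $string42 = "jaascois"
 $string43 = "masscan"
 $string44 = "morfeus fucking scanner"
 $string45 = "mysqloit"
 $string46 = "n-stealth"
 $string47 = "nsauditor"
 $string48 = "pangolin"
 $string49 = "pmafind"
 $string50 = "security scan"
 $string51 = "springenwerk"
 $string52 = "sql power injector"
 $string53 = "sqlmap"
 $string54 = "sqlninja"
 $string55 = "teh forest lobster"
 $string56 = "toata dragostea"
 $string57 = "uil2pn"
 $string58 = "voideye"
 $string59 = "webshag"
 $string60 = "webvulnscan"
 $string61 = "wordpress hash grabber"
 $string62 = "zeroup"
 $string63 = "AutoIt"
 $string64 = "CertUtil URL Agent"
 $string65 = "DotDotPwn v2.1"
 $string66 = "FHScan Core"
 $string67 = "HttpBrowser/1.0"
 $string68 = "IczelionDownLoad"
 $string69 = "Internet Explorer"
 $string75 = "Moxilla"
 $string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
 $string79 = "Mozilla v5.1"
 $string80 = "Mozilla/1.0"
 $string81 = "Mozilla/2.0"
 $string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
 $string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
 $string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
 $string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
 $string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
 $string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)"
 $string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
 $string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
 $string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
 $string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
 $string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
 $string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
 $string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
 $string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
 $string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
 $string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
 $string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
 $string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
 $string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
 $string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
 $string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
 $string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
 $string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
 $string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
 $string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
 $string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
 $string110 = "Mozilla/4.0 (compatible; RMS)"
 $string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
 $string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"
 $string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
 $string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
 $string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
 $string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
 $string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
 $string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
 $string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
 $string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
 $string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
 $string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
 $string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
 $string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
 $string128 = "Mozilla/5.0 (Windows NT 9;"
 $string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
 $string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
 $string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
 $string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
 $string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
 $string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
 $string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"
 $string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
 $string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0"
 $string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
 $string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
 $string140 = "Mozilla/5.0 WinInet"
 $string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
 $string143 = "Netscape"
 $string144 = "O/9.27 (W; U; Z)"
 $string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
 $string147 = "RookIE/1.0"
 $string148 = "SIPDROID"
 $string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
 $string150 = "Sametime Community Agent"
 $string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"
 $string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
 $string154 = "X-FORWARDED-FOR"
 $string155 = "XMRig"
 $string157 = "backdoorbot"
 $string158 = "ccminer"
 $string159 = "hots scot"
 // NOTE(review): "nocase" is a modifier keyword, not a user agent; this looks
 // like a conversion artifact — TODO confirm against the upstream rule.
 $string160 = "nocase"
 $string161 = "nsis_inetc (mozilla)"
 $string162 = "ruler"
 $string163 = "sample"
 $string164 = "user-agent"
condition:
 1 of them
}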

Generic Triage Yara Rules

// Triage rule: the text mentions a cloud remote-control product or service.
// Any single hit is enough; all strings are matched case-insensitively.
rule RemoteControlUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Cloud Remote Control Url Accessed"

    strings:
        $string0 = "teamviewer" nocase
        $string1 = "splashtop" nocase
        $string2 = "ammyy" nocase
        $string3 = "mikogo" nocase
        $string4 = "uvnc" nocase
        // 32 lowercase letters: looks like a Chrome Web Store extension id,
        // presumably Chrome Remote Desktop — TODO confirm.
        $string5 = "gbchcmhmhahfdphkhkmpfmihenigjmpp" nocase
        $string6 = "logmein" nocase
        $string7 = "join.me" nocase
        $string8 = "realvnc" nocase
        $string9 = "dameware" nocase
        $string10 = "dwservice" nocase
        $string11 = "anydesk" nocase

    condition:
        any of them
}

// Triage rule: the text references a public webmail provider.
// Note that "@gmail.com" matches e-mail addresses, not only URLs, and bare
// domains such as "zoho.com" or "yandex.com" cover the provider's whole site.
rule WebMailUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Web Mail Url Accessed"

    strings:
        $string0 = "mail.yahoo.com" nocase
        $string1 = "@gmail.com" nocase
        $string2 = "outlook.live.com" nocase
        $string3 = "mail.protonmail.com" nocase
        $string4 = "zoho.com" nocase
        $string5 = "yandex.com" nocase
        $string6 = "tutanota.com" nocase
        $string7 = "kolbanow.com" nocase
        $string8 = "fastmail.com" nocase
        $string10 = "posteo.de" nocase
        $string11 = "startmail.com" nocase
        $string12 = "runbox.com" nocase
        $string13 = "mailfence.com" nocase
        $string14 = "countermail.com" nocase

    condition:
        any of them
}

// Triage rule: the text references a consumer cloud file-storage service.
// Substring matching means "sync.com" also hits any host ending in "sync.com";
// ".box.com" carries a leading dot for that reason.
rule CloudFileStorageUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Cloud File Storage Url Accessed"

    strings:
        $string0 = "dropbox.com" nocase
        $string1 = "drive.google.com" nocase
        $string2 = "wetransfer.com" nocase
        $string3 = "pcloud.com" nocase
        $string4 = "tresorit.com" nocase
        $string5 = "sync.com" nocase
        $string6 = "onedrive.live.com" nocase
        $string7 = ".box.com" nocase
        $string8 = "spideroak.com" nocase
        $string9 = "mega.nz" nocase
        $string10 = "jottacloud.com" nocase
        $string11 = "teamdrive.com" nocase
        $string12 = "mediafire.com" nocase
        $string13 = "cloudup.com" nocase
        $string14 = "cloudme.com" nocase

    condition:
        any of them
}

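// Triage rule: remote-shell / remote-desktop tooling names in the text.
// Fix: the original declared $string2 and $string3 three times each, which Yara
// rejects at compile time as a duplicated string identifier; the six netcat
// variants now have unique ids (matching set unchanged).
rule LateralMovementAttempt
{
meta:
 author = "@neonprimetime"
 description = "Lateral Movement Attempt"
strings:
 $string0 = "mstsc" nocase
 $string1 = "psexec" nocase
 // Backslash and forward-slash forms of each netcat binary name.
 $string2a = "\\nc.exe" nocase
 $string3a = "/nc.exe" nocase
 $string2b = "\\nc64.exe" nocase
 $string3b = "/nc64.exe" nocase
 $string2c = "\\netcat.exe" nocase
 $string3c = "/netcat.exe" nocase
 // Legitimate admin clients as well; a hit here is context, not a verdict.
 $string4 = "putty.exe" nocase
 $string5 = "mobax" nocase
 $string6 = "securecrt" nocase
 $string7 = "ssh.exe" nocase
 $string8 = "winrs" nocase
condition:
 1 of them
}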


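// Triage rule: a single-character executable name ("/a.exe", "\7.exe", ...).
// The original listed 72 literal strings, one per digit/letter and separator;
// one regex covers exactly the same set (nocase also covers A-Z, as it did for
// the literals). Only the identifier printed by `yara -s` changes.
rule ShortExecutableName
{
meta:
 author = "@neonprimetime"
 description = "Short Executable Name"
strings:
 // path separator ("/" or "\"), one digit or letter, then ".exe"
 $short_exe = /[\/\\][0-9a-z]\.exe/ nocase
condition:
 1 of them
}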

// Triage rule: a marker for disabling UAC appears in the text.
rule PolicyViolation
{
    meta:
        author = "@neonprimetime"
        description = "Policy Violation"

    strings:
        $string0 = "disableuac" nocase

    condition:
        any of them
}

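// Triage rule: built-in or commonly present Windows binaries that are often
// reused for download/execution. Fix: "nbstat.exe" is corrected to
// "nbtstat.exe", the actual Windows NetBIOS utility name.
rule LivingOffLandCommand
{
meta:
 author = "@neonprimetime"
 description = "Living Off the Land Command"
strings:
 $string0 = "mshta.exe" nocase
 $string1 = "nbtstat.exe" nocase
 // Both path-separator forms so a bare "query" elsewhere does not match.
 $string5 = "/query.exe" nocase
 $string6 = "\\query.exe" nocase
 $string8 = "bitsadmin.exe" nocase
 $string9 = "curl.exe" nocase
 $string10 = "wget.exe" nocase
 $string11 = "systeminfo.exe" nocase
 $string12 = "certutil.exe" nocase
condition:
 1 of them
}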

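// Triage rule: common phishing-lure words (invoice, payment, payroll, ...).
// Fix: $string10 was declared twice and $string14 three times, which Yara
// rejects as duplicated string identifiers; they are now $string10a/b and
// $string14a/b/c. The matching set is unchanged.
rule PhishingAttachmentThemePossible
{
meta:
 author = "@neonprimetime"
 description = "Phishing Attachment Theme Possible"
strings:
 $string0a = "invoice." nocase
 $string0b = "invoice " nocase
 $string1 = "factura" nocase
 $string2 = "wiretransfer" nocase
 // "payment" already covers "payment."; $string4b is kept for parity with the
 // other word/word-with-dot pairs.
 $string4a = "payment" nocase
 $string4b = "payment." nocase
 $string6a = "eFAX " nocase
 $string6b = "eFAX." nocase
 $string7 = "Fattura" nocase
 // NOTE(review): "Enquiry", "QUOTATION" and "payment" are ordinary business
 // words; expect noise on normal mail flow.
 $string8 = "Enquiry" nocase
 $string9 = "QUOTATION" nocase
 $string10a = "receipt " nocase
 $string10b = "receipt." nocase
 $string11a = "payroll." nocase
 $string11b = "payroll " nocase
 $string12 = "PO#" nocase
 $string13 = "Proforma" nocase
 $string14a = "Purchase." nocase
 $string14b = "Purchase " nocase
 $string14c = "PurchaseOrder" nocase

condition:
 1 of them
}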


// Triage rule: file names that typically hold credentials in clear text.
// The last two entries (web.config, application.config) are application
// configuration files rather than password lists; they are included because
// such files commonly carry connection strings.
rule ClearTextPasswordFile
{
    meta:
        author = "@neonprimetime"
        description = "Clear Text Password File"

    strings:
        // singular forms: password / pwd / passwd with .txt, .doc, .xls
        $string0 = "password.txt" nocase
        $string1 = "pwd.txt" nocase
        $string2 = "passwd.txt" nocase
        $string3 = "password.doc" nocase
        $string4 = "pwd.doc" nocase
        $string5 = "passwd.doc" nocase
        $string6 = "password.xls" nocase
        $string7 = "pwd.xls" nocase
        $string8 = "passwd.xls" nocase
        // plural forms
        $string9 = "passwords.txt" nocase
        $string10 = "pwds.txt" nocase
        $string11 = "passwds.txt" nocase
        $string12 = "passwords.doc" nocase
        $string13 = "pwds.doc" nocase
        $string14 = "passwds.doc" nocase
        $string15 = "passwords.xls" nocase
        $string16 = "pwds.xls" nocase
        $string17 = "passwds.xls" nocase
        // configuration files that often embed credentials
        $string18 = "web.config" nocase
        $string19 = "application.config" nocase

    condition:
        any of them
}


// Triage rule: an administrative web path appears in the text.
rule AdminUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Admin Web Pages"

    strings:
        $string0 = "/admin/" nocase
        $string1 = "/wp-admin/" nocase

    condition:
        any of them
}

// Triage rule: names of offensive or credential-recovery tools in the text.
// Several entries are also legitimate admin/dev tools or plain words
// ("wireshark", "setspn", "nltest.exe", "echo.exe", "ninja", "obfuscation"),
// so a single hit should be reviewed in context rather than treated as a verdict.
rule HackingToolFound
{
    meta:
        author = "@neonprimetime"
        description = "Hacking Tool Found"

    strings:
        $string0 = "kali.exe" nocase
        $string2 = "wireshark" nocase
        $string3 = "bloodhound" nocase
        $string4 = "obfuscation" nocase
        $string5 = "shellcode" nocase
        $string6 = "keylogger" nocase
        $string7 = "bypassuac" nocase
        $string8 = "tokenmanipulation" nocase
        $string10 = "passhash" nocase
        $string11 = "kerberoast" nocase
        $string12 = "ninja" nocase
        $string13 = "memorynps" nocase
        $string14 = "metasploit" nocase
        $string15 = "smbexec" nocase
        $string16 = "gpppassword" nocase
        $string17 = "arpscan" nocase
        $string18 = "dnscat" nocase
        $string19 = "aircrack" nocase
        $string20 = "bulletspassview" nocase
        $string21 = "chromepass" nocase
        $string22 = "credentialsfileview" nocase
        $string23 = "echo.exe" nocase
        $string24 = "hydra.exe" nocase
        $string25 = "iepv.exe" nocase
        $string26 = "inssidersetup" nocase
        $string28 = "mailpv.exe" nocase
        $string29 = "ministumblersetup" nocase
        $string33 = "netpass.exe" nocase
        $string34 = "netstumbler" nocase
        $string35 = "nltest.exe" nocase
        $string36 = "ophcrack" nocase
        $string37 = "rdpv.exe" nocase
        $string38 = "setspn" nocase
        $string39 = "sniffpass" nocase
        $string40 = "vaultpasswordview" nocase
        $string41 = "\\ver.exe" nocase
        $string42 = "vncpassview" nocase
        $string43 = "webbrowserpassview" nocase

    condition:
        any of them
}

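// Triage rule: Windows API / .NET names commonly seen in injection,
// token-manipulation and credential code. Fix: $string9 fused two API names
// ("ReadProcessMemory" + "MiniDumpWriteDump") into one string that could never
// match either; they are now separate strings.
rule HackingCodeFound
{
meta:
 author = "@neonprimetime"
 description = "Hacking Code Found"
strings:
 $string0 = "WriteProcessMemory" nocase
 $string1 = "VirtualAlloc" nocase
 $string2 = "SetWindowsHook" nocase
 $string3 = "SHCreateThread" nocase
 // Also appears in benign code/docs (base64 handling); context needed.
 $string4 = "FromBase64String" nocase
 $string5 = "PromptForCredential" nocase
 $string6 = "AdjustTokenPrivileges" nocase
 $string7 = "KerberosRequestorSecurityToken" nocase
 $string8 = "UnsafeNativeMethods" nocase
 $string9a = "ReadProcessMemory" nocase
 $string9b = "MiniDumpWriteDump" nocase
 $string10 = "TOKEN_ADJUST_PRIVILEGES" nocase
 $string11 = "TOKEN_IMPERSONATE" nocase
 $string12 = "TOKEN_ELEVATION" nocase
 $string13 = "TOKEN_ALL_ACCESS" nocase
condition:
 1 of them
}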

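// Triage rule: credential-dumping tool and output names.
// Fix: the description read "Password Dump Temp"; it now matches the rule name.
rule PasswordDumpAttempt
{
meta:
 author = "@neonprimetime"
 description = "Password Dump Attempt"
strings:
 $string0 = "mimikatz" nocase
 // procdump is also a legitimate Sysinternals tool; review in context.
 $string1 = "procdump" nocase
 $string3 = "hashdump" nocase
 $string4 = "pwdump" nocase
 $string5 = "lsadump" nocase
condition:
 1 of them
}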

// Triage rule: file:// URLs for drive letters F: and G: (typical removable media).
rule ExternalDriveAccessed
{
    meta:
        author = "@neonprimetime"
        description = "External Drive Accessed"

    strings:
        $string4 = "file:///f:/" nocase
        $string6 = "file:///g:/" nocase
        // NOTE(review): meaning of "mfeprom" is not documented here — presumably a
        // McAfee removable-media marker; TODO confirm before relying on it.
        $string8 = "mfeprom" nocase

    condition:
        any of them
}

// Triage rule: output file names produced by recon, scanning and dumping tools.
// Generic names such as "dump.csv", "targets.txt" or "firewall.txt" will also
// occur in ordinary admin work.
rule HackerOutputFile
{
    meta:
        author = "@neonprimetime"
        description = "Hacker Output Files"

    strings:
        $string0 = "acls.csv" nocase
        $string1 = "bloodhound.csv" nocase
        $string2 = "dump.csv" nocase
        $string3 = "dump.xml" nocase
        $string4 = "dump.zip" nocase
        $string5 = "firewall.txt" nocase
        $string6 = "group_memberships.csv" nocase
        $string7 = "hashdump.txt" nocase
        $string8 = "local_admins.csv" nocase
        $string9 = "lsadump.txt" nocase
        $string10 = "lsass.dmp" nocase
        $string11 = "lsassdump.dmp" nocase
        $string12 = "mimikatz.xls" nocase
        $string13 = "mini.dmp" nocase
        $string14 = "netscan.xml" nocase
        $string15 = "nmap.csv" nocase
        $string16 = "nmap.txt" nocase
        $string17 = "nmap.xml" nocase
        $string18 = "openvas.csv" nocase
        $string19 = "pwdump.txt" nocase
        $string20 = "secretsdump.txt" nocase
        $string21 = "targets.txt" nocase
        $string22 = "trusts.csv" nocase
        $string23 = "user_sessions.csv" nocase
        $string24 = "bloodhound.bin" nocase
        // scanner output extensions
        $string25 = ".gnmap" nocase
        $string26 = ".nessus" nocase
        $string27 = ".nmap" nocase
        $string28 = "p0wn" nocase

    condition:
        any of them
}

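// Triage rule: domains of security distributions and exploit/tool sites, each
// in three forms ("name.", "/name/", "name-"). Fix: two strings had adjacent
// patterns fused into one ($string19 "altlinux./altlinux/" and $string36
// "0day.today-archstrike."), so none of the four intended patterns could match;
// they are split into $string19a/b and $string36a/b.
rule HackerUrl
{
meta:
 author = "@neonprimetime"
 description = "Hacker Url"
strings:
 $string1 = "kali." nocase
 $string2 = "/kali/" nocase
 $string3 = "kali-" nocase
 $string4 = "backbox." nocase
 $string5 = "/backbox/" nocase
 $string6 = "backbox-" nocase
 $string7 = "blackarch." nocase
 $string8 = "/blackarch/" nocase
 $string9 = "blackarch-" nocase
 $string10 = "caine-live." nocase
 $string11 = "/caine-live/" nocase
 $string12 = "caine-live-" nocase
 $string13 = "deftlinux." nocase
 $string14 = "/deftlinux/" nocase
 $string15 = "deftlinux-" nocase
 $string16 = "parrotsec." nocase
 $string17 = "/parrotsec/" nocase
 $string18 = "parrotsec-" nocase
 $string19a = "altlinux." nocase
 $string19b = "/altlinux/" nocase
 $string20 = "altlinux-" nocase
 $string21 = "digi77." nocase
 $string22 = "/digi77/" nocase
 $string23 = "digi77-" nocase
 $string24 = ".paterva." nocase
 $string25 = "portswigger." nocase
 $string26 = "exploit-db." nocase
 $string27 = "/exploit-db/" nocase
 $string28 = "exploit-db-" nocase
 $string29 = "parrot.sh" nocase
 $string30 = "/parrot.sh/" nocase
 $string31 = "basealt.ru" nocase
 $string32 = "/basealt.ru/" nocase
 $string33 = "basealt.ru-" nocase
 $string34 = "0day.today" nocase
 $string35 = "/0day.today/" nocase
 $string36a = "0day.today-" nocase
 $string36b = "archstrike." nocase
 $string37 = "/archstrike/" nocase
 $string38 = "archstrike-" nocase
condition:
 1 of them
}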

// Triage rule: installer, toolbar and "optimizer" names associated with
// potentially unwanted programs. Some entries name widely used utilities
// (e.g. "ccleaner"), so a hit is a lead for review rather than a verdict.
rule PUPSoftware
{
    meta:
        author = "@neonprimetime"
        description = "Potentially Unwanted Software"

    strings:
        $string0 = "adusetup" nocase
        $string1 = "advanced driver" nocase
        $string2 = "anytimeastrology" nocase
        $string3 = "aplusgamer" nocase
        $string4 = "apnsetup" nocase
        $string5 = "apnstub" nocase
        $string6 = "ascsetup" nocase
        $string7 = "astromenda" nocase
        $string8 = "atozmanuals" nocase
        $string9 = "atwrun" nocase
        $string10 = "audiotoaudio" nocase
        $string11 = "bringmesports" nocase
        $string12 = "bytefence" nocase
        $string13 = "calendarspark" nocase
        $string14 = "ccleaner" nocase
        $string15 = "citysearch" nocase
        $string16 = "convertpdfsnowtooltab" nocase
        $string17 = "coupon companion" nocase
        $string18 = "couponscom" nocase
        $string19 = "cursormania" nocase
        $string20 = "dailybibleguide" nocase
        $string21 = "dailyrecipeguidetooltab" nocase
        $string22 = "dailywellnessguide" nocase
        $string23 = "dictionaryboss" nocase
        $string24 = "directionsandmap" nocase
        $string25 = "discoverancestry" nocase
        $string26 = "discoverliveradio" nocase
        $string27 = "disk-defrag-setup" nocase
        $string28 = "downspeedtest" nocase
        $string29 = "driver-updater-setup" nocase
        $string30 = "driver.talent" nocase
        $string31 = "driverassist-setup" nocase
        $string32 = "driverdoc" nocase
        $string33 = "drivereasy" nocase
        $string34 = "driverrestore" nocase
        $string35 = "driversupport" nocase
        $string36 = "drivertalent" nocase
        $string37 = "drivertoolkit" nocase
        $string38 = "driverupdate-" nocase
        $string39 = "driverupdate-downloader" nocase
        $string40 = "driverupdate-setup" nocase
        $string41 = "driverwhiz" nocase
        $string42 = "easeware" nocase
        $string43 = "easydriverpro" nocase
        $string44 = "easyhomedecorating" nocase
        $string45 = "easypdfcombine" nocase
        $string46 = "easyphotoedit" nocase
        $string47 = "eliteunzip" nocase
        $string48 = "emailaccessonline" nocase
        $string49 = "everyday lookup" nocase
        $string50 = "everydaylookup" nocase
        $string51 = "filefanatic" nocase
        $string52 = "filesharefanatic" nocase
        $string53 = "flashplayerpro" nocase
        $string54 = "flightsearchapp" nocase
        $string55 = "freemakevideoconvertersetup" nocase
        $string56 = "freemanuals" nocase
        $string57 = "freeradiocast" nocase
        $string58 = "fromdoctopdftooltab" nocase
        $string59 = "funcustomcreations" nocase
        $string60 = "gamingassassin" nocase
        $string61 = "gamingwonderland" nocase
        $string62 = "garden enthusiast" nocase
        $string63 = "gardeningenthusiast" nocase
        $string64 = "getflightinfo" nocase
        $string65 = "getformsonline" nocase
        $string66 = "gettvstreamnow" nocase
        $string67 = "gifables" nocase
        $string68 = "happinessinfusion" nocase
        $string69 = "headlinealley" nocase
        $string70 = "howtosimplified" nocase
        $string71 = "howtosuite" nocase
        $string72 = "inboxace" nocase
        $string73 = "internetspeedtracker" nocase
        $string74 = "knowthebible" nocase
        $string75 = "localcrimewatcher" nocase
        $string76 = "mapsgalaxy" nocase
        $string77 = "marineaquariumlite" nocase
        $string78 = "mergedocsonline" nocase
        $string79 = "mydailyrunway" nocase
        $string80 = "myeasylotto" nocase
        $string81 = "myformsfinder" nocase
        $string82 = "myfuncards" nocase
        $string83 = "mynewsguide" nocase
        $string84 = "mypcbackup" nocase
        $string85 = "myradioplayer" nocase
        $string86 = "myscrapnook" nocase
        $string87 = "mysocialshortcut" nocase
        $string88 = "mytelevisionhq" nocase
        $string89 = "mytransitguide" nocase
        $string90 = "myweatherradar" nocase
        $string91 = "mywebface" nocase
        $string92 = "notehomepage" nocase
        $string93 = "onlinemapfinder" nocase
        $string94 = "openfreely" nocase
        $string95 = "packagetracer" nocase
        $string96 = "pckeeper" nocase
        $string97 = "pdfconverterhq" nocase
        $string98 = "photofriendzy" nocase
        $string99 = "playpoptrivia" nocase
        $string100 = "playthruplayer" nocase
        $string101 = "popularscreensavers" nocase
        $string102 = "ppc-software" nocase
        $string103 = "premierdownloadmanager" nocase
        $string104 = "procleaningsoftware" nocase
        $string105 = "productivityboss" nocase
        $string106 = "productmanualsfinder" nocase
        $string107 = "propccleaner" nocase
        $string108 = "puzzlegamesdaily" nocase
        $string109 = "quotationcafe" nocase
        $string110 = "qyuninst" nocase
        $string111 = "radiorage" nocase
        $string112 = "readingfanatic" nocase
        $string113 = "registry-cleaner" nocase
        $string114 = "regservo" nocase
        $string115 = "removedt" nocase
        $string116 = "safepcrepair" nocase
        $string117 = "scenichomepage" nocase
        $string118 = "searchbar" nocase
        $string119 = "searchformsonline" nocase
        $string120 = "searchpredict" nocase
        $string121 = "slimcleanerplus" nocase
        $string122 = "smsfrombrowser" nocase
        $string123 = "snapmyscreen" nocase
        $string124 = "soccerinferno" nocase
        $string125 = "spyhunter" nocase
        $string126 = "studyhq" nocase
        $string127 = "sweepstakesalley" nocase
        $string128 = "tbieaddin.dll" nocase
        $string129 = "televisionfanatic" nocase
        $string130 = "ticketxplorer" nocase
        $string131 = "timewhackers" nocase
        $string132 = "tooltabextension.dll" nocase
        $string133 = "totalrecipesearch" nocase
        $string134 = "trackapackage" nocase
        $string135 = "translationbuddy" nocase
        $string136 = "unifiedlogger.dll" nocase
        $string137 = "utility chest" nocase
        $string138 = "videodownloadconverter" nocase
        $string139 = "votinstw" nocase
        $string140 = "votprx" nocase
        $string141 = "wb-setup" nocase
        $string142 = "web_bar" nocase
        $string143 = "webdiscover" nocase
        $string144 = "webdiscoverbrowserdownloaderwebesc" nocase
        $string145 = "webext_dl" nocase
        $string146 = "winwb" nocase
        $string147 = "yourtemplatefindertooltab" nocase
        $string148 = "ysearchsettool" nocase
        $string149 = "ysearchutilsvc" nocase

    condition:
        any of them
}


// Triage rule: the " /domain " switch (as used by net.exe) in a command line.
// Surrounding spaces keep this from matching words like "subdomain".
rule ActiveDirectoryDomainFlag
{
    meta:
        author = "@neonprimetime"
        description = "AD domain flag"

    strings:
        $string0 = " /domain " nocase

    condition:
        any of them
}

// Triage rule: " /add " or " /create " switches in a command line, i.e. an
// account or object being created.
rule ActiveDirectoryCreateFlag
{
    meta:
        author = "@neonprimetime"
        description = "AD Create flag"

    strings:
        $string0 = " /add " nocase
        $string1 = " /create " nocase

    condition:
        any of them
}

// Triage rule: ":4444", the default Metasploit handler port, in a host:port.
// nocase has no effect on a digits-only string; kept as written.
rule MetasploitPort
{
    meta:
        author = "@neonprimetime"
        description = "Metasploit Port"

    strings:
        $string0 = ":4444" nocase

    condition:
        any of them
}

// Triage rule: the hidden administrative share name "admin$" in a path.
rule AdminFileShareAccess
{
    meta:
        author = "@neonprimetime"
        description = "Admin File Share Access"

    strings:
        $string0 = "admin$" nocase

    condition:
        any of them
}

// Triage rule: ":5938", the TeamViewer port, in a host:port.
// nocase has no effect on a digits-only string; kept as written.
rule TeamViewerPort
{
    meta:
        author = "@neonprimetime"
        description = "TeamViewer Port"

    strings:
        $string0 = ":5938" nocase

    condition:
        any of them
}

// Triage rule: names of high-privilege Active Directory groups in the text.
rule ActiveDirectoryCriticalGroup
{
    meta:
        author = "@neonprimetime"
        description = "Critical AD groups"

    strings:
        $string0 = "domain admins" nocase
        $string1 = "enterprise admins" nocase
        $string2 = "schema admins" nocase
        $string3 = "workstation admins" nocase
        $string4 = "dns admins" nocase
        $string5 = "server admins" nocase

    condition:
        any of them
}

// Triage rule: PowerShell cmdlet names that create local or AD user accounts.
rule NewUser
{
    meta:
        author = "@neonprimetime"
        description = "New User Commands"

    strings:
        $string0 = "new-localuser" nocase
        $string1 = "new-aduser" nocase

    condition:
        any of them
}

// Triage rule: download primitives in scripts or command lines.
// "wget" and "WebRequest" are short and common, so expect benign hits.
rule WebDownloader
{
    meta:
        author = "@neonprimetime"
        description = "Web Downloader"

    strings:
        $string0 = "DownloadFile(" nocase
        $string1 = "DownloadString" nocase
        $string2 = "WebRequest" nocase
        $string3 = "wget" nocase
        $string4 = "bitstransfer" nocase

    condition:
        any of them
}

// Triage rule: a McAfee quarantine folder or ".bup" quarantine file reference.
// ".bup" alone is a short atom and may match unrelated file names.
rule McAfeeQuarantineFile
{
    meta:
        author = "@neonprimetime"
        description = "McAfee Quarantine File"

    strings:
        $string0 = "\\quarantine\\" nocase
        $string1 = ".bup" nocase

    condition:
        any of them
}


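// Triage rule: names of network and web vulnerability scanners in the text.
// Fix: $string6 read "hyrda", a misspelling of the hydra brute-force tool that
// could never match; corrected to "hydra".
rule VulnerabilityScanner
{
meta:
 author = "@neonprimetime"
 description = "Vulnerability Scanner"
strings:
 $string0 = "AngryIP" nocase
 // Nmap is delimited by separators/spaces so ordinary words containing "nmap"
 // do not match.
 $string1a = "\\Nmap " nocase
 $string1b = "/Nmap." nocase
 $string1c = " Nmap " nocase
 $string1d = " Nmap." nocase
 $string2 = "Nessus" nocase
 $string3 = "sqlmap" nocase
 $string4 = "nikto" nocase
 $string5 = "wpscan" nocase
 $string6 = "hydra" nocase
 $string7 = "dirbuster" nocase
 $string8 = "masscan" nocase
 $string9 = "morfeus" nocase
 $string10 = "sqlninja" nocase
condition:
 1 of them
}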

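// Triage rule: SQL injection fragments, in URL-encoded ("+" for space) and plain
// forms. Fixes: $string12 read "CONTACT(0x" (typo for CONCAT, cf. $string5) and is
// corrected; four strings that exactly repeated an earlier one ($string9, $string14,
// $string15, $string16) are dropped — matching is unchanged, `yara -s` just lists
// fewer ids.
rule SqlInjection
{
meta:
 author = "@neonprimetime"
 description = "Sql Injection"
strings:
 // URL-encoded forms
 $string0 = "UNION+ALL+SELECT" nocase
 $string1 = ",NULL,NULL" nocase
 $string2 = "AND+SLEEP" nocase
 $string3 = "PG_SLEEP" nocase
 $string4 = "WAITFOR+DELAY" nocase
 $string5 = "CONCAT(0x" nocase
 $string6 = "UNION+SELECT" nocase
 // NOTE(review): "--+" is a very short atom that also appears in ordinary
 // URLs and text; expect noise from this one.
 $string7 = "--+" nocase
 // plain (space-separated) forms
 $string8 = "')UNION ALL SELECT" nocase
 $string10 = "AND SLEEP" nocase
 $string11 = "WAITFOR DELAY" nocase
 $string12 = "CONCAT(0x" nocase
 $string13 = "UNION SELECT" nocase
 // NOTE(review): the trailing ")" narrows this to a form already covered by
 // $string6; kept as written — TODO confirm it was intended.
 $string17 = "UNION+SELECT)" nocase
condition:
 1 of them
}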

Monday, November 25, 2019

kali update apt-get upgrade

apt-get update (refreshes the package source lists)
apt-get upgrade (upgrade tools)
apt-get dist-upgrade (full upgrade of the Kali rolling release)
apt-get autoremove (removes dependencies no longer needed)

Wednesday, November 6, 2019

Python IoT search with Wget and Yara Rules

# Given a list of URLs, determine what type of IoT device (or any device, for that matter) each one is, based on the Yara rules you put in the .yar files

import os
import subprocess
import traceback

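# ---- configuration (edit to taste) ------------------------------------------
DEBUG = False            # print "DEBUG,..." progress lines
SKIP_DOWNLOAD = False    # True: only (re)scan the *.html files already in the cwd
URL_LIST = "urls.txt"    # one URL per line; blank lines and lines starting with '#' are skipped
YARA_SPECIFIC_RULES = "IoTSpecific.yar"   # tried first
YARA_GENERIC_RULES = "IoTGeneric.yar"     # fallback when the specific rules do not match
# --no-check-certificate is deliberate for this use case (devices with self-signed
# or expired certs), but it means the fetched page is unauthenticated: treat the
# saved .html files as untrusted, attacker-controlled data.
WGET_PARAMS = ["--quiet", "--no-check-certificate", "--timeout=2", "--tries=3"]
YARA_PARAMS = []         # extra yara command-line switches, one list element each
OUTPUT_EXT = ".html"

# URL characters rewritten to '_' when deriving the local file name (same set as
# before). '/' and '\' being in it is what keeps a URL such as
# "http://h/../../x" from naming a file outside the working directory.
_URL_TO_FILENAME = str.maketrans({ch: "_" for ch in "/\\:.&?=%"})


def safe_filename(url, ext=OUTPUT_EXT):
    """Return the local file name *url* is saved under: metacharacters -> '_', plus *ext*.

    Trailing whitespace (the newline from the URL list) is dropped first. A very
    long URL can yield a name longer than the filesystem allows; not handled here.
    """
    return url.rstrip().translate(_URL_TO_FILENAME) + ext


def _debug(message):
    """Print a "DEBUG,..." progress line when DEBUG is on."""
    if DEBUG:
        print("DEBUG,%s" % message)


def _run(argv):
    """Run *argv* WITHOUT a shell and return its decoded stdout.

    argv is a list, so a URL or file name taken from urls.txt is always one
    argument and is never interpreted by /bin/sh ("http://h/;rm -rf ~" is just an
    odd URL, not a command). stderr is captured so failures can be reported with
    the tool's own message instead of being thrown away.

    Raises subprocess.CalledProcessError on a non-zero exit and OSError if the
    tool is not installed.
    """
    completed = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True)
    # Decode explicitly: check_output() returns bytes on Python 3, and the old
    # '"error" in output' test on bytes raised TypeError on every call.
    return completed.stdout.decode("utf-8", "replace")


def _failure_text(exc):
    """Short description of a failed _run(): the tool's stderr if any, else the exception."""
    stderr = getattr(exc, "stderr", None)
    if stderr:
        return stderr.decode("utf-8", "replace").strip()
    return str(exc)


def _download(url):
    """Fetch *url* with wget into safe_filename(url); failures are printed, not raised."""
    dest = safe_filename(url)
    # "--" ends option parsing so a URL that starts with '-' cannot be read as a wget switch.
    argv = ["wget"] + WGET_PARAMS + ["--output-document=" + dest, "--", url]
    _debug("Starting Download of '%s' to '%s'" % (url, dest))
    try:
        _run(argv)
    except (subprocess.CalledProcessError, OSError) as exc:
        print("ERROR,Unable to download '%s' error '%s'" % (" ".join(argv), _failure_text(exc)))
    _debug("Finished Download of '%s' to '%s'" % (url, dest))


def _scan(htmlfile):
    """Classify one saved page and print exactly one result line.

    "NoResponse,<file>" for an empty file; otherwise yara's own output (rule name
    and file name) with spaces turned into commas when a rule matches, trying the
    specific rule file first and the generic one only if that found nothing;
    "NoMatch,<file>" when neither matches; "ERROR,..." if yara itself fails.
    """
    if os.stat(htmlfile).st_size == 0:
        print("NoResponse,%s" % htmlfile)
        return
    for verb, rulefile in (("Scan", YARA_SPECIFIC_RULES), ("ReScan", YARA_GENERIC_RULES)):
        argv = ["yara"] + YARA_PARAMS + [rulefile, htmlfile]
        _debug("Starting %sning: '%s'" % (verb, htmlfile))
        try:
            output = _run(argv).rstrip()
        except (subprocess.CalledProcessError, OSError) as exc:
            # The old code reported the first command here even for the rescan.
            print("ERROR,Unable to %s '%s' error '%s'" % (verb, " ".join(argv), _failure_text(exc)))
            return
        _debug("Finished %sning: '%s'" % (verb, htmlfile))
        if output:
            print(output.replace(" ", ","))
            return
    print("NoMatch,%s" % htmlfile)


def main():
    """Download every URL in URL_LIST (unless SKIP_DOWNLOAD), then scan every *.html in the cwd."""
    if not SKIP_DOWNLOAD:
        with open(URL_LIST, "r") as urls:
            for line in urls:
                url = line.strip()
                if not url or url.startswith("#"):
                    continue
                _download(url)
    # Scan everything with the output extension, not only this run's downloads;
    # that is what makes SKIP_DOWNLOAD useful.
    for name in sorted(os.listdir(".")):
        if name.endswith(OUTPUT_EXT):
            _scan(name)


if __name__ == "__main__":
    main()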