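├── Networking
│   ├── pfsense_template
│   └── vyos_template
├── d3adzo
│   └── files
│       ├── Autoruns.exe
│       ├── Procmon.exe
│       ├── all_fw.bat
│       ├── procexp.exe
│       ├── secure.bat
│       ├── sigcheck64.exe
│       └── wfc6setup.exe
├── linux
│   ├── Firewall
│   │   ├── reference.sh
│   │   └── script1.sh
│   ├── inventory.sh
│   └── placeholder.txt
└── windows
    ├── firewalls.bat
    ├── information.bat
    ├── krbtgt.bat
    └── secure.bat

/Networking/pfsense_template:
--------------------------------------------------------------------------------
#template script for pfSense firewall rules
#written on 1/12/2021 for the NECCDC Qualifier Competition
#
#Run from the pfSense shell. easyrule appends to the named interface's
#ruleset and the rule is live immediately; review the result in the GUI.

#blocking
#easyrule block <interface> <source>
easyrule block wan 8.8.8.8

#passing
#easyrule pass <interface> <protocol> <source> <destination> [destination port]
easyrule pass wan tcp 1.2.3.4 192.168.0.4 80


#lan rules



#cloud rules
--------------------------------------------------------------------------------
/Networking/vyos_template:
--------------------------------------------------------------------------------
#template script for vyos firewall rules
#written on 1/12/2021 for the NECCDC Qualifier Competition
#
#Commands are entered in configure mode and do nothing until `commit`
#(`save` persists them across reboots).
#
#NOTE(review): the _OUT rulesets were attached with `firewall in`; an
#outbound ruleset belongs on `firewall out`, otherwise the egress filter
#never applies. Corrected below.
#The bracketed port lists are placeholder notation; VyOS takes a
#comma-separated list without spaces (22,80,445).

#IN rules
#Set firewall name _IN rule <n> destination port
#Set firewall name _IN rule <n> destination address
#Set firewall name _IN rule <n> action accept
#Set firewall name _IN rule <n> protocol
#Set firewall name _IN default-action drop
#Set interfaces ethernet <eth> firewall in name _IN


#Set firewall name router_IN rule 1 destination port [22, 80, 445]
#Set firewall name router_IN rule 1 destination address 192.10.1.1
#Set firewall name router_IN rule 1 action accept
#Set firewall name router_IN rule 1 protocol tcp_udp
#Set firewall name router_IN default-action drop
#Set interfaces ethernet eth01 firewall in name router_IN


#Out rules
#Set firewall name _OUT rule <n> source port
#Set firewall name _OUT rule <n> source address
#Set firewall name _OUT rule <n> action accept
#Set firewall name _OUT rule <n> protocol
#Set firewall name _OUT default-action drop
#Set interfaces ethernet <eth> firewall out name _OUT

#Set firewall name router_OUT rule 1 source port [22, 80, 445]
#Set firewall name router_OUT rule 1 source address 192.10.1.1
#Set firewall name router_OUT rule 1 action accept
#Set firewall name router_OUT rule 1 protocol tcp_udp
#Set firewall name router_OUT default-action drop
#Set interfaces ethernet eth01 firewall out name router_OUT




#LAN rules



#Cloud Rules
--------------------------------------------------------------------------------
/d3adzo/files/Autoruns.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RIT-CCDC/Scripts/5522d76558c139164995f62c567a1cb49364f8f9/d3adzo/files/Autoruns.exe
--------------------------------------------------------------------------------
/d3adzo/files/Procmon.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RIT-CCDC/Scripts/5522d76558c139164995f62c567a1cb49364f8f9/d3adzo/files/Procmon.exe
--------------------------------------------------------------------------------
/d3adzo/files/all_fw.bat:
--------------------------------------------------------------------------------
REM Rebuilds the Windows Firewall rule set from scratch: every rule is removed,
REM the WSA-* rules below are added, the default policy is set to block both
REM ways and the firewall is switched back on. Run from an elevated prompt.
REM
REM The firewall is OFF with an allow/allow policy between the first line and
REM the last, so the host is briefly unfiltered while this runs.
REM
REM "netsh adv f a r n=" is netsh's prefix abbreviation of
REM "netsh advfirewall firewall add rule name="; long and short forms below
REM are equivalent.
netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
netsh advfirewall firewall delete rule name=all

REM Loopback
netsh adv f a r n="WSA-LoopOut" dir=out act=allow remoteip=127.0.0.1
netsh adv f a r n="WSA-LoopIn" dir=in act=allow remoteip=127.0.0.1

REM ICMPv4 echo (type 8) both ways
netsh adv firewall a r n="WSA-PingIn" dir=in act=allow prof=any prot=icmpv4:8,any
netsh adv firewall a r n="WSA-PingOut" dir=out act=allow prof=any prot=icmpv4:8,any

REM HTTP/HTTPS client and server
netsh adv f a r n="WSA-HTTP-Client" dir=out act=allow prof=any prot=tcp remoteport=80,443
netsh adv f a r n="WSA-HTTP-Server" dir=in act=allow prof=any prot=tcp localport=80,443

REM SMB server
netsh adv f a r n="WSA-SMB-Server" dir=in act=allow prof=any prot=tcp localport=445

REM RDP server
netsh advfirewall firewall add rule name="WSA-RDP-TCP-Server" dir=in protocol=tcp localport=3389 action=allow
netsh advfirewall firewall add rule name="WSA-RDP-UDP-Server" dir=in protocol=udp localport=3389 action=allow

REM DNS client and server
netsh adv f a r n="WSA-DNS-Client" dir=out act=allow prof=any prot=udp remoteport=53
netsh adv f a r n="WSA-DNS-Server" dir=in act=allow prof=any prot=udp localport=53

REM Domain member -> domain controller (10.10.1.10); 10000-11000 covers the
REM RPC dynamic range pinned further down.
netsh adv f a r n="WSA-DomainClient-TCP" dir=out act=allow prof=any prot=tcp remoteport=88,135,389,445,636,3268,10000-11000 remoteip=10.10.1.10
netsh adv f a r n="WSA-DomainClient-UDP" dir=out act=allow prof=any prot=udp remoteport=88,123,135,389,445,636 remoteip=10.10.1.10

REM Domain controller inbound
netsh adv f a r n="WSA-DC-TCP-In" dir=in act=allow prof=any prot=tcp localport=88,135,139,389,445,636,3268
netsh adv f a r n="WSA-DC-UDP-In" dir=in act=allow prof=any prot=udp localport=88,123,135,139,389,445,636

REM Group Policy / LSASS traffic to the DC, scoped by program. Distinct names
REM (both were "WSA-GP") so each rule can be shown or deleted on its own.
netsh advfirewall firewall add rule name="WSA-GP-svchost" dir=out program="C:\Windows\System32\svchost.exe" remoteip=10.10.1.10 action=allow enable=yes profile=any
netsh advfirewall firewall add rule name="WSA-GP-lsass" dir=out program="C:\Windows\System32\lsass.exe" remoteip=10.10.1.10 action=allow enable=yes profile=any

REM Pin the ephemeral TCP range to 10000-10999 so the DomainClient rule covers it
netsh interface ipv4 set dynamicportrange tcp 10000 1000 persistent

REM Default deny both ways. This read "blockinbound,blockinbound"; that is not
REM a valid outbound value, so the allow/allow policy set above would have
REM stayed in force once the firewall came back on.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

netsh advfirewall set allprofiles state on
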
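--------------------------------------------------------------------------------
/d3adzo/files/secure.bat:
--------------------------------------------------------------------------------
REM Run this script in an elevated CMD prompt
REM This does not include firewall rules
REM Comment out any sections that do not apply to a certain service (ex. SMB scored box)
REM Don't forget to use msconfig
REM
REM Most settings are HKLM registry values and take effect at the next
REM logon/reboot or service restart; the HKCU ones only affect the account
REM running the script.


REM sc.exe config "wfcs" displayname= "wfcservice"
REM sc.exe description wfcs "wfcservice description"
REM perm charlie delta
@echo off

REM rename admin acct + disable default accounts
REM wmic useraccount where "name='Administrator'" rename Admin
REM net user Administrator /active:no
net user Guest /active:no
net user DefaultAccount /active:no
net user WDAGUtilityAccount /active:no


REM Enable full auditing
auditpol /set /category:* /success:enable /failure:enable


REM delete scheduled tasks (might break AD box; /f skips the per-task prompt)
REM schtasks /delete /tn * /f


REM Secure RDP (TLS security layer + Network Level Authentication)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f


REM Disable RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 1 /f


REM Disable Admin Shares (psexec defense)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
REM "/t REG_DWORD" was missing: reg.exe then writes a REG_SZ "0", which the
REM policy (defined as a DWORD) may not honor.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f


REM WinRM Killer (only uncomment if winrm is not needed)
REM NOTE(review): the header says opt-in but the commands were active.
REM Stopping and disabling the service is kept; deleting WsmSvc.dll is not
REM reversible without a repair, so those lines are commented out.
REM sc.exe requires the space after "start=".
cd C:\Windows\System32
net stop winrm
sc config winrm start= disabled
REM takeown.exe /f WsmSvc.dll
REM icacls WsmSvc.dll /grant "Administrator:(F)"
REM del WsmSvc.dll /f


REM SMBv1 Disable
REM Was "Control\Services\LanmanServer" (no such key) with data 1, which would
REM have ENABLED SMBv1 had the path been right. 0 disables the server side.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f


REM Temp Folder Permissioning (might break installers)
REM "Everyone" also covers SYSTEM and service accounts, so anything that
REM writes to C:\Windows\Temp can fail, not only installers.
icacls C:\Windows\Temp /inheritance:r /deny "Everyone:(OI)(CI)(F)"


REM Hashing (no LM hash storage; NTLMv2 only, refuse LM/NTLMv1)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LMCompatibilityLevel /t REG_DWORD /d 5 /f


REM Anon Login
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous /t REG_DWORD /d 1 /f
REM NOTE(review): DisableRestrictedAdmin=0 ENABLES RDP Restricted Admin mode,
REM a credential-protection feature with known trade-offs; it is not an
REM anonymous-login control. Decide deliberately before keeping it.
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v disableRestrictedAdmin /t REG_DWORD /d 0 /f


REM Disable Keys (HKCU values apply only to the account running this script)
reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_SZ /d 58 /f
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_SZ /d 122 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v ShowTabletKeyboard /t REG_DWORD /d 0 /f


REM pagefile wipe on shutdown (causing issues)
REM reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f


REM disable floppy disk remoting
reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllocateFloppies /t REG_DWORD /d 1 /f


REM Enable SMB Signing (prevent smb ntlm relaying attacks)
REM Server side (path fixed from "Control\Services" to "Services").
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
REM Client side: the current redirector reads LanmanWorkstation\Parameters
REM (same key EnablePlainTextPassword uses below); Rdr\Parameters is the
REM older location.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f



REM Prevent print driver installs
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" /v AddPrinterDrivers /t REG_DWORD /d 1 /f


REM local account blank passwords
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f


REM enable full uac
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f


REM BITS transfer disable
REM NOTE(review): these are BITS policy knobs (bandwidth limit, download
REM timeout), not a service disable; presumably meant to starve transfers -
REM confirm the effect before relying on it.
reg add HKLM\Software\Policies\Microsoft\Windows\BITS /v EnableBITSMaxBandwidth /t REG_DWORD /d 0 /f
reg add HKLM\Software\Policies\Microsoft\Windows\BITS /v MaxDownloadTime /t REG_DWORD /d 1 /f


REM Enable installer detections
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 1 /f


REM anon enumeration prevention
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_DWORD /d 1 /f
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t REG_DWORD /d 1 /f


REM domain cred storing
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v disabledomaincreds /t REG_DWORD /d 1 /f

REM no perms to anons
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v everyoneincludesanonymous /t REG_DWORD /d 0 /f


REM smb strengtheners
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters /v EnablePlainTextPassword /t REG_DWORD /d 0 /f
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v NullSessionPipes /t REG_MULTI_SZ /d "" /f
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v NullSessionShares /t REG_MULTI_SZ /d "" /f


REM remote registry path denial
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths /v Machine /t REG_MULTI_SZ /d "" /f
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths /v Machine /t REG_MULTI_SZ /d "" /f


REM Disable IPv6
reg ADD HKLM\SYSTEM\CurrentControlSet\services\tcpip6\parameters /v DisabledComponents /t reg_dword /d 255 /f


REM No process RunOnce List
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1 /f


REM Require UAC
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f


REM Enable LSASS Memory Protection
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f


REM Enable Credential Guard (path fixed: "CurrentControl" -> "CurrentControlSet")
REM Only takes effect where virtualization-based security is available.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f


REM Disable plain text passwords stored in LSASS
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f


REM Enable PowerShell Logging
REM 64-bit PowerShell reads the native Policies key; the Wow6432Node copy is
REM only what 32-bit PowerShell on a 64-bit host sees. Module logging also
REM needs a ModuleNames entry naming what to log ("*" = everything).
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" /v * /t REG_SZ /d * /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f


REM Remove admin shares and autorun entries. "reg delete ... /f" on Run and
REM RunOnce removes the whole key, legitimate entries included - review with
REM Autoruns.exe (in this folder) first if the box has to keep any of them.
net share admin$ /del
net share c$ /del
reg delete hklm\software\microsoft\windows\currentversion\runonce /f
reg delete hklm\software\microsoft\windows\currentversion\run /f
del /S "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*"
del /S "C:\Users\LocalGuard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*"
REM IFEO Debugger entries on the accessibility binaries are a known
REM persistence location; clear them.
REG delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
REG delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /f



REM Turn off Test Mode (in case they set the flag)
bcdedit /set testsigning off
--------------------------------------------------------------------------------
/d3adzo/files/sigcheck64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RIT-CCDC/Scripts/5522d76558c139164995f62c567a1cb49364f8f9/d3adzo/files/sigcheck64.exe
--------------------------------------------------------------------------------
/d3adzo/files/wfc6setup.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RIT-CCDC/Scripts/5522d76558c139164995f62c567a1cb49364f8f9/d3adzo/files/wfc6setup.exe
--------------------------------------------------------------------------------
/linux/Firewall/reference.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## May Have to mess around with firewalld ##
# sudo systemctl stop firewalld
# sudo systemctl disable firewalld

# If this Script is not Working check .bashrc or aliases
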
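###########################
## Must run as superuser ##
###########################

if [ "$EUID" -ne 0 ]; then
  echo "Must run as superuser"
  exit 1   # was a bare "exit" (status 0), which hid the failure from callers
fi


################
## Main Rules ##
################

# Flush Tables
echo "> Flushing Tables"
iptables -F
iptables -X

# Accept by default in case of flush
echo "> Applying Default Accept"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

# Allow ICMP
echo "> Allow ICMP"
iptables -A INPUT -p ICMP -j ACCEPT
iptables -A OUTPUT -p ICMP -j ACCEPT

# Allow Loopback Traffic
echo "> Allow Loopback Traffic"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow Incoming SSH
echo "> Allow Inbound SSH"
iptables -A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT


########################
# OTHER OPTIONAL RULES #
########################

# # Iptables Ranges (DENY is not an iptables target; use DROP or REJECT)
# iptables -A INPUT -s 10.5.1.0/24 -j ACCEPT
# iptables -A INPUT -s 10.5.2.0/24 -j ACCEPT
# iptables -A INPUT -s 10.x.x.0/24 -j DROP
# iptables -A OUTPUT -s 10.x.x.0/24 -j DROP

# # Allow HTTP Outgoing
# echo "> Allow Outbound HTTP"
# iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# # Allow HTTP Incoming
# echo "> Allow Inbound HTTP"
# iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# # Allow DNS Outgoing (UDP)
# echo "> Allow Outbound DNS (UDP)"
# iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# # Allow DNS Incoming (UDP)
# echo "> Allow Inbound DNS (UDP)"
# iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# # Allow SSH Outgoing
# echo "> Allow Outbound SSH"
# iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# # Accept Various Port Incoming
# echo "> Allow Inbound Mayan MDMS"
# iptables -A INPUT -p tcp --dport 8000 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 8000 -m state --state ESTABLISHED -j ACCEPT

# # Allow Various Port Outgoing
# iptables -A OUTPUT -p udp --dport 3000 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p udp --sport 3000 -m state --state ESTABLISHED -j ACCEPT


##################
## Ending Rules ##
##################

# Drop All Traffic If Not Matching
echo "> Drop non-matching traffic : Connection may drop"
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

# Backup Rules (iptables-restore < /etc/ip_rules)
# Saved after the DROP rules, so the backup is the locked-down set.
echo "> Back up rules"
iptables-save >/etc/ip_rules

# Anti-Lockout Rule
# NOTE: this makes the script a dry run. After 3 s every rule is flushed and,
# since the policies were set to ACCEPT above, the host ends up unfiltered.
# To keep the rules, remove this block or restore the backup with
# "iptables-restore < /etc/ip_rules" once you have confirmed you still have
# access.
sleep 3
iptables -F
echo "> Anti-Lockout executed : Rules have been flushed"
--------------------------------------------------------------------------------
/linux/Firewall/script1.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## May Have to mess around with firewalld ##
# sudo systemctl stop firewalld
# sudo systemctl disable firewalld

# If this Script is not Working check .bashrc or aliases

###########################
## Must run as superuser ##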
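###########################

if [ "$EUID" -ne 0 ]; then
  echo "Must run as superuser"
  exit 1   # was a bare "exit" (status 0), which hid the failure from callers
fi


################
## Main Rules ##
################

# Flush Tables
echo "> Flushing Tables"
iptables -F
iptables -X

# Accept by default in case of flush
echo "> Applying Default Accept"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT


# Allow ICMP
echo "> Allow ICMP"
iptables -A INPUT -p ICMP -j ACCEPT
iptables -A OUTPUT -p ICMP -j ACCEPT

# Allow Loopback Traffic
echo "> Allow Loopback Traffic"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow Incoming SSH
echo "> Allow Inbound SSH"
iptables -A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT


########################
# OTHER OPTIONAL RULES #
########################

# # Iptables Ranges (DENY is not an iptables target; use DROP or REJECT)
# iptables -A INPUT -s 10.5.1.0/24 -j ACCEPT
# iptables -A INPUT -s 10.5.2.0/24 -j ACCEPT
# iptables -A INPUT -s 10.x.x.0/24 -j DROP
# iptables -A OUTPUT -s 10.x.x.0/24 -j DROP

# Allow HTTP Outgoing (port 80 only; add 443 if the box needs HTTPS out)
echo "> Allow Outbound HTTP"
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow DNS Outgoing (UDP Only)
echo "> Allow Outbound DNS (UDP)"
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# # Allow SSH Outgoing
# echo "> Allow Outbound SSH"
# iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
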
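# Accept Various Port Incoming
echo "> Allow Inbound Mayan MDMS"
iptables -A INPUT -p tcp --dport 8000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8000 -m state --state ESTABLISHED -j ACCEPT

# # Allow Various Port Outgoing
# iptables -A OUTPUT -p udp --dport 3000 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p udp --sport 3000 -m state --state ESTABLISHED -j ACCEPT


##################
## Ending Rules ##
##################

# Drop All Traffic If Not Matching
echo "> Drop non-matching traffic : Connection may drop"
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

# Backup Rules (iptables-restore < /etc/ip_rules)
# Saved after the DROP rules, so the backup is the locked-down set.
echo "> Back up rules"
iptables-save >/etc/ip_rules

# Anti-Lockout Rule
# NOTE: this makes the script a dry run. After 3 s every rule is flushed and,
# since the policies were set to ACCEPT above, the host ends up unfiltered.
# To keep the rules, remove this block or restore the backup with
# "iptables-restore < /etc/ip_rules" once you have confirmed you still have
# access.
sleep 3
iptables -F
echo "> Anti-Lockout executed : Rules have been flushed"
--------------------------------------------------------------------------------
/linux/inventory.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Prints a quick host inventory (OS, hostname, admin groups, users, addresses,
# routes, listening sockets) to stdout as "[Section]" blocks, each followed by
# a blank line. Run as root if ss should show the owning process of every
# socket. printf replaces echo -e so backslashes inside command output are
# printed literally instead of being interpreted as escapes.

# OS
printf '[OS]\n%s\n\n' "$(cat /etc/os-release)"
# Hostname
printf '[Hostname]\n%s\n\n' "$(hostname)"
# Admin Users (members of the usual admin groups)
printf '[Admins]\n%s\n\n' "$(for g in adm sudo wheel; do getent group "$g"; done)"
# Users (account name and login shell)
printf '[Users]\n%s\n\n' "$(getent passwd | cut -d':' -f1,7)"
# IP Address/MACs
# "-c" dropped: it forces ANSI colour codes into the output, which corrupts
# the inventory when redirected to a file. Falls back to plain "ip a" on
# iproute2 versions without -br.
printf '[IP/MAC]\n%s\n\n' "$(ip -br a || ip a)"
# Routes
printf '[Routes]\n%s\n\n' "$(ip r)"
# Services/Ports
printf '[Services]\n%s\n\n' "$(ss -tulpan)"
--------------------------------------------------------------------------------
/linux/placeholder.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RIT-CCDC/Scripts/5522d76558c139164995f62c567a1cb49364f8f9/linux/placeholder.txt
--------------------------------------------------------------------------------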
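/windows/firewalls.bat:
--------------------------------------------------------------------------------
@echo off
:: Resets Windows Firewall to a default-deny baseline with a few allow rules
:: and logs both allowed and dropped connections. Run from an elevated prompt.
:: "netsh adv f a r n=" is netsh's prefix abbreviation of
:: "netsh advfirewall firewall add rule name=".

:: Drop all rules
netsh advfirewall reset
netsh advfirewall set allprofiles state on
netsh advfirewall firewall delete rule name=all

:: Set default drop
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

:: Configure logging (maxfilesize is in KB; 32767 is the largest accepted)
netsh advfirewall set allprofiles logging filename C:\Windows\fw.log
netsh advfirewall set allprofiles logging maxfilesize 32676
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable

:: Loopback
netsh adv f a r n=Loop-Out dir=out act=allow remoteip=127.0.0.1
netsh adv f a r n=Loop-In dir=in act=allow remoteip=127.0.0.1

:: Ping is good. They've never had a ping beacon.
netsh adv f a r n=Ping-Out dir=out act=allow prof=any prot=icmpv4:8,any
netsh adv f a r n=Ping-In dir=in act=allow prof=any prot=icmpv4:8,any

:: dynamic port range limiting (ephemeral TCP ports become 10000-10999)
netsh interface ipv4 set dynamicportrange tcp 10000 1000 persistent

:: server rules, change the protocol and port number
:: (give each rule a distinct name - rules sharing a name can only be shown
:: or deleted together)
netsh adv f a r n=add-comment-here dir=in act=allow prof=any prot=udp localport=67

:: client rules, change protocol and port number
netsh adv f a r n=add-comment-here dir=out act=allow prof=any prot=udp remoteport=68

:: Lockout prevention - put this at the end if you're logged in remotely
:: NOTE: "reset" restores the out-of-box policy, rules and logging, so
:: everything above is undone after 5 s. Remove these two lines once the
:: rule set is confirmed to work.
timeout 5
netsh advfirewall reset
--------------------------------------------------------------------------------
/windows/information.bat:
--------------------------------------------------------------------------------
@echo off
:: Writes a basic host inventory to output.txt in the current directory;
:: everything in :sub runs with stdout redirected there.

call :sub >output.txt
exit /b

:sub
::basic inventory
hostname
ipconfig /all
systeminfo | findstr OS

::users and groups
net user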
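net localgroup

::check for listening ports (loopback-only listeners filtered out)
netstat -ano | findstr LIST | findstr /V ::1 | findstr /V 127.0.0.1

::looking for network shares
net share

::Check startup programs
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------
/windows/krbtgt.bat:
--------------------------------------------------------------------------------
@echo off
REM Resets the krbtgt account password twice, pausing between resets so the
REM first change can replicate. Run on a domain controller as a domain admin.
REM The second reset invalidates every ticket issued under the old key, so
REM expect domain-wide re-authentication.
REM
REM Fixes vs. the original one-liner: FOR variables in a .bat file need %%a
REM (%a is a syntax error when run from a file); a step of 0 in (1,0,2) loops
REM forever and never reaches the timeout; %rand% inside a parenthesised
REM block is expanded before SET runs, so the first reset had no password at
REM all; and "set rand=%RANDOM% &" left a trailing space in the value.
REM
REM NOTE(review): %RANDOM% is only 0-32767. krbtgt's Kerberos keys are
REM derived from this password, so outside a throwaway lab use a long,
REM high-entropy value here.
setlocal EnableDelayedExpansion
for /L %%a in (1,1,2) do (
  set "rand=!RANDOM!!RANDOM!!RANDOM!!RANDOM!"
  net user krbtgt !rand!
  timeout /t 120 /nobreak
)
endlocal
--------------------------------------------------------------------------------
/windows/secure.bat:
--------------------------------------------------------------------------------
REM Run this script in an elevated CMD prompt
REM This does not include firewall rules
REM Comment out any sections that do not apply to a certain service (ex. SMB scored box)
@echo off

REM rename + disable administrator account
REM NOTE(review): this disables the renamed built-in admin; make sure another
REM working local administrator exists before running it.
wmic useraccount where "name='Administrator'" rename Admin
net user Admin /active:no


REM Enable full auditing
auditpol /set /category:* /success:enable /failure:enable


REM delete scheduled tasks (might break AD box)
REM /f added: without it schtasks prompts for every task and the script stalls.
schtasks /delete /tn * /f


REM Disable RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 1 /f


REM Disable Admin Shares (psexec)
REM The key used to end in 'Parameters\"': the backslash escaped the closing
REM quote and the command failed. AutoShareServer added for server SKUs.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f


REM SMBv1 Disable (path fixed: "Control\Services\LanmanServer" does not exist)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f


REM Temp Folder Permissioning (might break installers)
icacls C:\Windows\Temp /inheritance:r /deny "Everyone:(OI)(CI)(F)"


REM Hashing (no LM hash storage; NTLMv2 only)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LMCompatibilityLevel /t REG_DWORD /d 5 /f


REM Anon Login
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous /t REG_DWORD /d 1 /f


REM Disable Keys (HKCU values apply only to the account running this script)
reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_SZ /d 58 /f
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_SZ /d 122 /f
REM "/v REG_DWORD" was a typo for "/t REG_DWORD"
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v ShowTabletKeyboard /t REG_DWORD /d 0 /f


REM pagefile wipe on shutdown (commented out in d3adzo/files/secure.bat as "causing issues")
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f


REM disable floppy disk remoting
reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllocateFloppies /t REG_DWORD /d 1 /f


REM Prevent print driver installs
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" /v AddPrinterDrivers /t REG_DWORD /d 1 /f


REM local account blank passwords
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f


REM enable full uac
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f


REM BITS transfer disable (policy throttles, not a service disable - confirm effect)
reg add HKLM\Software\Policies\Microsoft\Windows\BITS /v EnableBITSMaxBandwidth /t REG_DWORD /d 0 /f
reg add HKLM\Software\Policies\Microsoft\Windows\BITS /v MaxDownloadTime /t REG_DWORD /d 1 /f


REM Enable installer detections
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 1 /f


REM anon enumeration prevention
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_DWORD /d 1 /f
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t REG_DWORD /d 1 /f


REM domain cred storing
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v disabledomaincreds /t REG_DWORD /d 1 /f
REM no perms to anons
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v everyoneincludesanonymous /t REG_DWORD /d 0 /f


REM smb strengtheners
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters /v EnablePlainTextPassword /t REG_DWORD /d 0 /f
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v NullSessionPipes /t REG_MULTI_SZ /d "" /f
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v NullSessionShares /t REG_MULTI_SZ /d "" /f


REM remote registry path denial
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths /v Machine /t REG_MULTI_SZ /d "" /f
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths /v Machine /t REG_MULTI_SZ /d "" /f


REM Enable LSASS Memory Protection
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f


REM Turn off Test Mode (in case they set the flag)
bcdedit /set testsigning off
--------------------------------------------------------------------------------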