DonnchaC’s gists

DonnchaC / tor-hs-cell-patterns.txt

Last active May 7, 2016 17:22

Circuits and cell patterns for a Tor hidden service client connection

	Circuit 6 - HS_DESC facebookcorewwwi [OPEN]
	Circuit events:
	- EXTENDED ['0CA305E63C99FB8E2E1C6CA11CD1E569E780C691', '51BD833B86D556EE968CDFFFD79592BE56761238', 'FC9AC8EA0160D88BCCFDE066940D7DD9FA45495B', '2F5E1DAAD1388F7DBECCF6C4E839098C88BA3D2A']
	- BUILT ['0CA305E63C99FB8E2E1C6CA11CD1E569E780C691', '51BD833B86D556EE968CDFFFD79592BE56761238', 'FC9AC8EA0160D88BCCFDE066940D7DD9FA45495B', '2F5E1DAAD1388F7DBECCF6C4E839098C88BA3D2A']
	Cells:
	- <Cell RELAY_EARLY OUT 2016-05-07 17:10:27.954415>
	- <Cell RELAY IN 2016-05-07 17:10:28.485182>
	- <Cell RELAY_EARLY OUT 2016-05-07 17:10:28.485466>
	- <Cell RELAY_EARLY OUT 2016-05-07 17:10:28.485479>
	- <Cell RELAY IN 2016-05-07 17:10:28.995197>

DonnchaC / fetch-hs-descriptor.py

Created December 17, 2015 15:49

A simple script which demonstrates how to retrieve hidden service descriptors via the HSFETCH Tor control port command

	import sys
	import argparse

	import stem
	from stem.control import Controller

	def main():

	parser = argparse.ArgumentParser(description="%s fetches a Tor hidden "
	"service descriptor." % sys.argv[0])

DonnchaC / relay-monitor.py

Last active December 17, 2015 22:46

Simple script to monitor a Tor relay and report any warning via email.

	# -- coding: utf-8 --
	"""
	Monitors Tor control port and sends email notifications for
	log events NOTICE, WARN, and ERROR.
	"""
	import os
	import time
	import datetime
	import argparse
	import logging

DonnchaC / onion-address-calculate.py

Created August 25, 2015 14:24

Simple script to calculate the onion address from a Tor hidden service descriptor or public key

	import hashlib
	import base64
	import argparse
	import sys

	from Crypto.PublicKey import RSA


	def calculate_onion(pem_key):
	key = RSA.importKey(pem_key)

DonnchaC / sni-proxy.py

Last active May 12, 2019 11:54

This is a proof-of-concept tool which demonstrates transparent proxying of SSL connections from an entry server to a hidden servce with end-to-end encryption. The SNI extension in the SSL ClientHello is used to determine the destination. Further info in the Tor2web ticket: https://github.com/globaleaks/Tor2web/issues/252

	#!/usr/bin/env python
	"""
	Proxy an SSL connection to a Twisted endpoint based on the SNI extension

	Allows for end-to-end encrypted connections from a browser to a Tor hidden
	service.

	Proxy code based on
	http://blog.laplante.io/2013/08/a-basic-man-in-the-middle-proxy-with-twisted/

DonnchaC / ip-selection.txt

Created July 7, 2015 13:35

Confimation of introduction point selection algorithim in OnionBalance. 2 IPs selected from each of the 5 backend instances

	3 introduction-point g246pla6g23cvhlpgmfl5nqbfot7bvaa
	ip-address 37.187.22.87
	onion-port 9001
	onion-key
	-----BEGIN RSA PUBLIC KEY-----
	MIGJAoGBAMdEmLQDuMItvkVj43VzG/gyOR9bgJ5l32+ZlwXxwbBSIaGqD5dRZf+I
	RCY1g44V/LDjgFykM0WaTYF3u4zZCZtqX3z8PymLozQIxdRW0rSQZWaStJ2XOt0p
	h7dK9ONxWNt5EALzT6uxIOmfMllF0FWVJ1Tx9R0ylxxdJ5S95sC3AgMBAAE=
	-----END RSA PUBLIC KEY-----
	service-key

DonnchaC / onionbalance-ip-counts

Created July 3, 2015 23:59

OnionBalance Master Descriptor and Backend Instance IP counts

	python descriptor-fetcher.py --onion-list onion-list.txt
	2015-07-03 23:58:01,916 [DEBUG]: Successfully connected to the Tor control port
	2015-07-03 23:58:06,924 [INFO]: Sending HS descriptor fetch for eujuuws2nacz4xw4.onion
	2015-07-03 23:58:07,863 [INFO]: Storing new descriptor with 10 introduction points for HS eujuuws2nacz4xw4
	2015-07-03 23:58:11,937 [INFO]: Sending HS descriptor fetch for nkcoog3avb3iwels.onion
	2015-07-03 23:58:12,982 [INFO]: Storing new descriptor with 3 introduction points for HS nkcoog3avb3iwels
	2015-07-03 23:58:16,945 [INFO]: Sending HS descriptor fetch for le3jeksfogq2zrpx.onion
	2015-07-03 23:58:17,474 [INFO]: Storing new descriptor with 3 introduction points for HS le3jeksfogq2zrpx
	2015-07-03 23:58:21,953 [INFO]: Sending HS descriptor fetch for ymiwfpbw32xai4ko .onion
	2015-07-03 23:58:22,475 [INFO]: Storing new descriptor with 3 introduction points for HS ymiwfpbw32xai4ko

DonnchaC / logilab-common-1.0.0-crash

Last active August 29, 2015 14:24

logilab-common: No module named __pkginfo__

	Successfully installed pluggy-0.3.0 tox-2.1.1 virtualenv-13.0.3
	travis_time:end:02c07eb8:start=1435681975354987862,finish=1435681976720017413,duration=1365029551
	[0Ktravis_fold:end:install
	[0Ktravis_time:start:01a7769f
	[0K$ tox
	[1mGLOB sdist-make: /home/travis/build/DonnchaC/onionbalance/setup.py[0m
	[1mstyle create: /home/travis/build/DonnchaC/onionbalance/.tox/style[0m
	[1mstyle installdeps: pylint, flake8[0m
	[1mstyle inst: /home/travis/build/DonnchaC/onionbalance/.tox/dist/OnionBalance-0.1.0.dev0.zip[0m
	[1mstyle installed: astroid==1.3.6,flake8==2.4.1,future==0.14.3,logilab-common==1.0.0,mccabe==0.3.1,OnionBalance==0.1.0.dev0,pep8==1.5.7,pycrypto==2.6.1,pyflakes==0.8.1,pylint==1.4.3,PyYAML==3.11,schedule==0.3.1,six==1.9.0,stem==1.4.1,wheel==0.24.0[0m

DonnchaC / hola-rce-poc.html

Created June 3, 2015 09:55

Hola Remote Code Execution Proof-Of-Concept

	<!--
	This proof-of-concepts exploits a file move command, and an execute-with-controlled-arguemnts command to get code execution on a remote system. Only an executable in app/vlc.exe can be executed with controlled argument. This binary could be replaced with cmd.exe to be able to pass a /C argument for code execution. However due to lack of permission it is not possible to directly move cmd.exe. Instead a copy-like operation is needed to replace vlc.exe with cmd.exe. A 7-zip binary is shipped with Hola and located in the application directory. After replacing vlc.exe with 7za.exe it is possible to call 7zip to create and archive containing cmd.exe, extract the archive and move cmd.exe to vlc.exe. Commands can then be executed by calling vlc.exe with the /C option.

	I'd be interested in hearing any other methods people can think of to get code execution from these issues.
	-->
	<!doctype html>
	<html lang="en">
	<head>
	<meta charset="utf-8">
	<title>Hola Vulnerability Proof-of-Concept</title>

DonnchaC / remote-exploit.py

Last active August 29, 2015 14:19

Simple remote exploit for an exploitation challange

	#!/usr/bin/env python2
	try:
	import binexpect
	except ImportError:
	exit("""
	pexpect sucks for sending binary data. binexpect fixes this and can be
	found at this url: http:#darksaber.tk/wapiflapi/binexpect.py Not sure
	if the file will be there for ever, but you don't need this anyway.
	""")

Donncha Ó Cearbhaill DonnchaC