@Spix0r
Spix0r / out-of-band-dns-bind-setup.md
Created September 21, 2024 07:15
This guide offers step-by-step instructions for setting up an out-of-band DNS server using BIND, covering installation, configuration, zone file creation, logging, and validation. It's a practical resource for cybersecurity professionals and system administrators managing DNS infrastructure in controlled environments.

Out-of-Band DNS Bind Server Setup (Manual Guide)

Note: Be sure to replace all instances of example.com with your actual domain and <Your Server IP> with your server IP address during configuration.

Overview

Out-Of-Band (OOB) techniques offer attackers a strategic approach to confirm and exploit vulnerabilities that might be otherwise classified as "blind." In scenarios where direct responses to requests are not available, OOB methods leverage the capability of vulnerable systems to generate outbound traffic, such as TCP, UDP, or ICMP requests. This allows an attacker to exfiltrate data discreetly, utilizing the inherent behavior of the target to bypass conventional security measures.

In the context of DNS, setting up an OOB server can facilitate data exfiltration by encoding sensitive information within DNS queries. Since DNS traffic often escapes scrutiny from firewalls and intrusion detection systems, this approach presents a unique opportunity for attackers. The effectivene

@Spix0r
Spix0r / dns-data-exfiltration-oob.md
Last active October 29, 2024 13:53
This gist outlines a method for data exfiltration using DNS in Out-Of-Band (OOB) scenarios. It explains how to utilize DNS queries to transmit sensitive information, such as system details, when direct communication is unavailable. The guide covers both simple queries (e.g., exfiltrating the username) and more complex data (e.g., output of the u…

Data Exfiltration Using DNS (Out-Of-Band)

Description

In an Out-Of-Band (OOB) situation where direct responses to requests are unavailable, we can leverage DNS (specifically UDP) to exfiltrate data. In this example, we'll demonstrate how to use dig to query DNS and exfiltrate information such as the username (whoami), and how to handle more complex data like the output of uname -a by encoding it before exfiltration.


Prerequisites

If you haven't configured your OOB server yet, you can follow this guide:
https://gist.github.com/Spix0r/9661d448a08bf0703b005c3c64aef560

@Spix0r
Spix0r / 403-Bypass-Headers-List.txt
Created October 3, 2024 15:24
I’ve analyzed numerous tools, blogs, tweets, and other resources on bypassing 403 Forbidden errors using HTTP Headers Fuzzing techniques. After extensive research, I’ve compiled a list of headers you can fuzz to potentially bypass 403 restrictions.
Allow: CONNECT
Allow: GET
Allow: HEAD
Allow: POST
Allow: TRACE
Client-IP: 0
Client-IP: 0177.0000.0000.0001
Client-IP: 0x7F000001
Client-IP: 10.0.0.0
Client-IP: 10.0.0.1
@Spix0r
Spix0r / download.py
Last active November 5, 2024 16:30
A Python script for fetching and decrypting M3U8 playlists from a secured streaming site. It automates extracting embed codes, handling cookies and referers, downloading key and .ts files, and modifying the playlist to use local resources. Ideal for decrypting and organizing streaming content for offline playback.
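import requests
import re
import base64
import json
# Step 1: Fetch main page HTML from a user-provided link.
page_content = requests.get(input("Enter URL: "), timeout=30).text
# Step 2: Extract the 'embed_code' from the page.
match = re.search(r'<script src="https://example\.com/(.*)/embed', page_content)
# Stop with a clear message if the page has no matching script tag.
if match is None:
    raise SystemExit("embed script tag not found in page")
embed_code = match.group(1)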