Tim Brown timb-machine
timb-machine
/ Looking for Log4J dependents with Yara
Created
December 12, 2021 18:28
Looking for Log4J dependents with Yara
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo yara -r yara/log4j.yara /usr/local | |
| log4jjavaclass /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar | |
| log4jjavasrc /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar | |
| log4jjavaclass /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar | |
| log4jjavasrc /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ./packet-monkey.sh --type all --pcapfilename packets-hostname-xxx.pcap | |
| _ _ _ | |
| _ __ __ _ ___| | _____| |_ _ __ ___ ___ _ __ | | _____ _ _ | |
| | '_ \ / _` |/ __| |/ / _ \ __|____| '_ ` _ \ / _ \| '_ \| |/ / _ \ | | | | |
| | |_) | (_| | (__| < __/ ||_____| | | | | | (_) | | | | < __/ |_| | | |
| | .__/ \__,_|\___|_|\_\___|\__| |_| |_| |_|\___/|_| |_|_|\_\___|\__, | | |
| |_| |___/ | |
| =[ @timb_machine ]= |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule pscan_or_luckscan { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "Hunts for references to pscan_or_luckscan" | |
| strings: | |
| $getopt = "%s <a-block> <port> [b-block] [c-block]" | |
| $vulnerable = "Lets try to root the %s" | |
| condition: | |
| $getopt or $vulnerable | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # setup webex bot auth token env var - get auth here: https://developer.webex.com/my-apps/new/bot | |
| export WEBEX_TOKEN="GET_TOKEN_ABOVE" | |
| # get room id | |
| WEBEX_ROOMID=$(curl --request GET --header "Authorization: Bearer $WEBEX_TOKEN" https://webexapis.com/v1/rooms |jq -r '.items[] | select(.title == "Room Name") | .id') | |
| # post message | |
| WEBEX_MSG="notification here" | |
| curl --request POST --header "Authorization: Bearer $WEBEX_TOKEN" --form "roomId=$WEBEX_ROOMID" --form "text=$WEBEX_MSG" https://webexapis.com/v1/messages |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ dig any wearekuiper.com | |
| ; <<>> DiG 9.10.6 <<>> any wearekuiper.com | |
| ;; global options: +cmd | |
| ;; Got answer: | |
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11921 | |
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 13 | |
| ;; OPT PSEUDOSECTION: | |
| ; EDNS: version: 0, flags:; udp: 4000 |
timb-machine
/ macOS-IR-Forensics.md
Created
August 3, 2021 08:24
— forked from 0xmachos/macOS-IR-Forensics.md
If someone wants to learn MacOS IR/forensics what’s the best resource for that?
timb-machine
/ Yo Samba, what files do you have?
Last active
September 19, 2022 18:25
Yo Samba, what files do you have?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo netfilegetsec 'IPC$' /etc/shadow | rpcclient -U '%' 10.10.10.3 | |
| revision: 1 | |
| type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE | |
| DACL | |
| ACL Num ACEs: 3 revision: 2 | |
| --- | |
| ACE | |
| type: ACCESS ALLOWED (0) flags: 0x00 | |
| Specific bits: 0x1ff | |
| Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS |
timb-machine
/ Workstation-Takeover.md
Created
July 26, 2021 09:13
— forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
timb-machine
/ JavascriptRecon.md
Created
July 25, 2021 17:24
My Javascript Recon Process - BugBounty
timb-machine
/ dump-authentication-state.patch
Created
July 21, 2021 13:25
dump-authentication-state.patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: Dump the authentication state to understand the hashing algorithms | |
| Dump the authentication state to understand the hashing algorithms. | |
| Specifically, caching_sha2_password and mysql_native_password. | |
| . | |
| mysql-8.0 (8.0.23-0ubuntu0.20.04.1) focal-security; urgency=medium | |
| . | |
| * SECURITY UPDATE: Update to 8.0.23 to fix security issues | |
| - CVE-2021-2002, CVE-2021-2010, CVE-2021-2011, CVE-2021-2021, | |
| CVE-2021-2022, CVE-2021-2024, CVE-2021-2031, CVE-2021-2032, | |
| CVE-2021-2036, CVE-2021-2038, CVE-2021-2046, CVE-2021-2048, |