Howto Install the Pupy Post Exploitation Kit on Kali Linux

Overview

Pupy is a Remote Access/Post Exploitation tool.

Here are some of my favorite features:

All-in-memory execution
A Windows payload that can load the entire Python interpreter from memory using a reflective DLL
Execute non-interactive commands on multiple hosts at once
Reflectively migrate into other processes
Interactive shells (cmd.exe, /bin/bash, etc.) can be opened . . .

List all Public IP Addresses Across All of your AWS Accounts

Gathering all EC2 Public IPs

Recently I needed to automate pulling all public IP addresses across all of the EC2 accounts I have access to. I wrote the following script to deal with that problem.

Note: Thank you to Daniel Miessler for the script to pull the IPs. My script makes that work across . . .

Upgrade dummy terminal to tty

If you have ever gotten a webshell and wanted an interactive terminal, this post is for you!

With Python:
python -c 'import pty;pty.spawn("/bin/bash")'

Without Python:
script -qc /bin/bash /dev/null

(inside the nc session)
CTRL+Z; stty raw -echo; fg; ls
export TERM=xterm-256color
export SHELL=bash

Creating a Windows Bind Shell Using C


I’m studying for the OSCP and needed to replace the .exe file of a Windows service with a new .exe file. On reboot, my goal is to have a shell as NT Authority/System.

Source Code

Filename: winshell.c

This file will:

Using the native “certutil.exe”, download nc.exe.txt from the . . .

Ingesting Okta logs in to Graylog

After many failed attempts to import Okta logs into Graylog (using some PowerShell scripts I found online) I decided to take a different approach. Here is what my final dashboard and view ended up looking like:

Prerequisites

To ingest Okta logs into Graylog you will need the following:

. . .

Disable Screen Lock on Kali Linux 2020

Problem

Kali Linux keeps locking the screen when it is not used for a short period of time.

Solution

You need to configure “Light Locker” to stop automatically locking the session.

Steps
Click the icon at the top left of the screen (Kali Linux logo)
From the popup menu, click “Settings”
From the next popup menu, click . . .

How to scan top 100 ports with masscan

If you have ever wanted to scan the top 100 ports with masscan here are the instructions:

masscan -p7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157 10.11.1.0/24 --rate=1000 -e tun0 --router-ip 10.11.0.1

You will need to replace the following:

tun0 with your interface
router-ip with the router of the subnet you are scanning
10.11.1.0/24 with the subnet you are scanning

I obtain . . .

Parse fully qualified domain names from file

I ran into a situation where I needed to parse all fully qualified domain names (FQDNs) from a bunch of files in the same directory.

Here is how to do that:

grep -R -h -Eo '(http|https)://[^/"]+' . | awk -F'/' '{ print $3 }' | sort | uniq

CrowdStrike SIEM Connector Grok Rules

I couldn’t find a good set of Grok rules for the CrowdStrike SIEM connector so I wrote my own.

You need two rule sets.

Set1:

%{IPV4:source_collector_ip} CEF: 0\|CrowdStrike\|FalconHost\|1\.0\|%{WORD:event_type}\|%{GREEDYDATA:event_subtype}\|%{INT:event_tactic}\|externalId=%{HOSTNAME:externalID} cn2Label=%{WORD:cn2Label} cn2=%{WORD:cn2} cn1Label=%{WORD:cn1Label} cn1=%{WORD:cn1} dhost=%{HOSTNAME:dhost} duser=%{DATA:duser} msg=%{GREEDYDATA:msg} fname=%{DATA:fname} filePath=%{GREEDYDATA:filepath} cs5Label=%{DATA:cs5Label} cs5=%{GREEDYDATA:cs5} fileHash=%{DATA:fileHash} dntdom=%{DATA:dntdom} cs6Label=%{DATA:cs6Label} cs6=%{GREEDYDATA:cs6} cn3Label=%{DATA:cn3Label} cn3=%{DATA:cn3} rt=%{DATA:rt} src=%{IP:src} smac=%{MAC:smac} cat=%{GREEDYDATA:cat} act=%{GREEDYDATA:act} reason=%{GREEDYDATA:reason} outcome=%{DATA:outcome} CSMTRPatternDisposition=%{GREEDYDATA:CSMTRPatternDisposition} . . .

Automating Setting up Tenable.io AWS Connector Role

I recently had to set up quite a few AWS Connectors in Tenable.io for various AWS accounts.

This can become quite a cumbersome task so I decided to automate it.

Prerequisites
~/.aws/config with multiple profiles
trustpolicy.json (shown below)

trustpolicy.json

This will be used by our script for the initial role creation. The account # referenced . . .