Read on Twitter
Hey.
You can use whatever OS you want.
But I& #39;ve watched first hand as I complete offensive security / recon tasks 10x quicker than anybody using Wind0ze can ever dream of.
Not saying you can& #39;t do it, just saying I know what I& #39;ve seen ;)
You can use whatever OS you want.
But I& #39;ve watched first hand as I complete offensive security / recon tasks 10x quicker than anybody using Wind0ze can ever dream of.
Not saying you can& #39;t do it, just saying I know what I& #39;ve seen ;)
A good collection of ZSH functions, Dockerfiles, packer images and i3wm shortcuts are unstoppable.
Shit just works.
make
sudo make install
bundle install
pip install -r requirements.txt
OUT OF THE BOX.
Shit just works.
make
sudo make install
bundle install
pip install -r requirements.txt
OUT OF THE BOX.
Now I& #39;m on my Mac right now - same exact point stands.
DNS enumerate http://spotify.com"> http://spotify.com and upload the IP& #39;s to a public pastebin.
DNS enumerate http://spotify.com"> http://spotify.com and upload the IP& #39;s to a public pastebin.
subfinder -d " http://spotify.com"> http://spotify.com " | zdns A | jq -r & #39;select(.data.answers[0].type == "A") | .data.answers[].answer& #39; | nc http://termbin.com"> http://termbin.com 9999
Pop open my terminal, I type "sub" and press the up arrow, then I modify the domain and pipe to termbin. DONE.
Pop open my terminal, I type "sub" and press the up arrow, then I modify the domain and pipe to termbin. DONE.
Take this link that contains a list of IP& #39;s and do a GeoIP lookup on each IP address, and give it back to me in a parsable format.
https://termbin.com/whka
Watch,">https://termbin.com/whka"... I& #39;ll do it right now.
https://termbin.com/whka
Watch,">https://termbin.com/whka"... I& #39;ll do it right now.
for ip in $(curl -s https://termbin.com/whka );">https://termbin.com/whka"... do curl http://ipinfo.io/$ip ">https://ipinfo.io/$ip"... >> data.txt; done
Right, next task, once you& #39;ve shared this list to your colleagues, get all the IP& #39;s that are in California.
curl -s https://termbin.com/uc9c ">https://termbin.com/uc9c"... | jq & #39;select(.region == "California")& #39;
Now we have a list of all IP& #39;s that reside in Cali, oh you want a list of JUST the IPs?
curl -s https://termbin.com/uc9c ">https://termbin.com/uc9c"... | jq -r & #39;select(.region == "California") | .ip& #39;
curl -s https://termbin.com/uc9c ">https://termbin.com/uc9c"... | jq -r & #39;select(.region == "California") | .ip& #39;
Oh - you want that converted into an excel sheet because apparently reading JSON is really hard on Windows?
No problem.
curl -s https://termbin.com/uc9c ">https://termbin.com/uc9c"... | jq -r & #39;select(.region == "California") | [.ip, .region, .country] | @csv& #39; > ips.csv
No problem.
curl -s https://termbin.com/uc9c ">https://termbin.com/uc9c"... | jq -r & #39;select(.region == "California") | [.ip, .region, .country] | @csv& #39; > ips.csv
Ok, time for some more & #39;taxing& #39; examples.
Take screenshots of every easily discoverable asset of http://spotify.com"> http://spotify.com . Go.
Take screenshots of every easily discoverable asset of http://spotify.com"> http://spotify.com . Go.
subfinder -d " http://spotify.com"> http://spotify.com " | zdns A | jq -r & #39;select(.data.answers[0].type == "A") | .data.answers[].name& #39; | aquatone -ports 80,443,8080,8081,8000,8443,8001,9000 -scan-timeout 20000 -debug
This will, do some low-level DNS enum, check they resolve, and then parse the JSON to only run Aquatone on the hosts that resolve.
That was easy.
That was easy.
Ok. If my point isn& #39;t already made.
"Whats your SSH pubkey?"
Windows users: Stumble around in Putty for 10 minutes trying to find the pubkey, turns out the export is this freaky format nobody ever uses.
Linux users: cat ~/.ssh/id_rsa.pub | nc http://termbin.com"> http://termbin.com 9999
"Whats your SSH pubkey?"
Windows users: Stumble around in Putty for 10 minutes trying to find the pubkey, turns out the export is this freaky format nobody ever uses.
Linux users: cat ~/.ssh/id_rsa.pub | nc http://termbin.com"> http://termbin.com 9999
Ok - you want to do some HTML parsing on the fly?
So I& #39;m on my mac right now - pup is not installed.
Go to github, find go command, great.
go get http://github.com/ericchiang/pup ">https://github.com/ericchian...
So I& #39;m on my mac right now - pup is not installed.
Go to github, find go command, great.
go get http://github.com/ericchiang/pup ">https://github.com/ericchian...
Find the latest kernel version programmatically,
curl -s https://www.kernel.org/ ">https://www.kernel.org/">... | pup & #39; #latest_link json{}& #39; | jq -r & #39;.[].children[].text& #39;
That was really fucking easy.
curl -s https://www.kernel.org/ ">https://www.kernel.org/">... | pup & #39; #latest_link json{}& #39; | jq -r & #39;.[].children[].text& #39;
That was really fucking easy.
I& #39;m running out of ideas for examples, but this has been done many times just chilling on calls.
Some tasks people would "quote out" and have an entire lifecycle of 3 weeks where I can do a lot of manipulation with text/data in 5 minutes with Bash and utils.
Some tasks people would "quote out" and have an entire lifecycle of 3 weeks where I can do a lot of manipulation with text/data in 5 minutes with Bash and utils.
