Skip to content

amplify your terminal for security research 🏎 πŸ–₯️

License

Notifications You must be signed in to change notification settings

joshhighet/kerchow

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

kerchow

kerchow is a collection of shortcuts/binfiles/scripts to speed up common tasks

these are intended to be added to your PATH to shorthand various workflows - see setup.zsh for an example

each script is noted below alongside a brief description of what it does. where applicable, example outputs are shown


boing

πŸ”— makes an audible boing noise (can be useful for long-running scripts)

example:
➜  labs boing
πŸ”Š

c

πŸ”— pbcopy shortcut

cats

πŸ”— print the source code of any kerchow shortscripts

example:
➜  labs cats cats
#!/bin/bash
# print the source code of any kerchow shortscripts

if [ -z "$1" ]; then
    echo "usage: cats <binfile>"
    exit 1
fi

shortscript=`which $1`

if [ -z "$shortscript" ]; then
  echo "unable to find $1"
  exit 1
fi

if ! command -v bat >/dev/null 2>&1
then
  cat $shortscript
else
  bat -pp $shortscript
fi

certinfo

πŸ”— returns x509 data in json for a given url

example:
➜  labs certinfo dotco.nz | jq
{
  "subject": {
    "commonName": "dotco.nz"
  },
  "issuer": {
    "countryName": "US",
    "organizationName": "Google Trust Services LLC",
    "commonName": "GTS CA 1P5"
  },
  "version": 3,
  "serialNumber": "A936F40B7782FFCA110322E22CA11D03",
  "notBefore": "May 22 23:43:14 2023 GMT",
  "notAfter": "Aug 20 23:43:13 2023 GMT",
  "subjectAltName": [
    "dotco.nz",
    "*.dotco.nz"
  ],
  "OCSP": [
    "http://ocsp.pki.goog/s/gts1p5/JNQ39h5OCqA"
  ],
  "caIssuers": [
    "http://pki.goog/repo/certs/gts1p5.der"
  ],
  "crlDistributionPoints": [
    "http://crls.pki.goog/gts1p5/UMpHrkS7PMY.crl"
  ]
}

cfssh

πŸ”— use the cloudflared tunnel agent to ssh onto a target fqdn

checkmsuser

πŸ”— check if a given email address has a connected m365 account

example:
➜  labs checkmsuser [email protected]
{
  "external_idp": true,
  "valid_account": true
}

colortest

πŸ”— test colors on a shell

example:
➜  labs colortest
            40m   41m   42m   43m   44m   45m   46m   47m
    m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  1;m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  30m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;30m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  31m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;31m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  32m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;32m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  33m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;33m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  34m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;34m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  35m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;35m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  36m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;36m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  37m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;37m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw

crtsh

πŸ”— use the crt.sh ct api to discover other web services for an apex domain

example:
➜  labs crtsh dotco.nz
*.dotco.nz
dotco.nz
s.dotco.nz
www.dotco.nz

cruises

πŸ”— fetch incoming auckland port ship data

curltor

πŸ”— wrapper for curling onionsites with a local/remote tor client over socks5

example:
➜  labs curltor -I ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion
Connection to telemetry.dark port 9050 [tcp/*] succeeded!
HTTP/1.1 301 Moved Permanently
Date: Thu, 20 Jul 2023 08:08:53 GMT
Content-Length: 0
Location: http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion/index.html
Connection: keep-alive
Set-Cookie: _session_={xxx}; path=/; domain=ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion; secure; HttpOnly

dehashed-email

πŸ”— get dehashed results for an email

desktopicons

πŸ”— show/hide desktop icons on/off on macOS

dex

πŸ”— get a shell in the latest built docker container

digall

πŸ”— perform a dig ANY lookup using google DNS for a given domain

example:
➜  labs digall google.com
172.217.167.78
2404:6800:4006:80a::200e
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
"onetrust-domain-verification=de01ed21f2fa4d8781cbc3ffb89cf4ef"
ns4.google.com.
"v=spf1 include:_spf.google.com ~all"
ns1.google.com.
"MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
\# 13 00010000010006026832026833
ns2.google.com.
ns1.google.com. dns-admin.google.com. 549264082 900 900 1800 60
"google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
"apple-domain-verification=30afIBcvSuDV2PLX"
0 issue "pki.goog"
10 smtp.google.com.
"atlassian-domain-verification=5YjTmWmjI92ewqkx2oXmBaD60Td9zWon9r6eakvHX6B77zzkFQto8PQ9QsKnbf4I"
ns3.google.com.
"docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
"facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
"docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
"webexdomainverification.8YX6G=6e6922db-e3e6-4a36-904e-a805c28087fa"
"google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"

dim

πŸ”— list all docker images on current system

dnsprop

πŸ”— simple nameserv propogation check util

example:
➜  kerchow git:(main) βœ— dnsprop AAAA dotco.nz
checking DNS propagation for 'AAAA' record of 'dotco.nz' against top 10 resolvers:
checking resolver 1.1.1.1 (Cloudflare): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 8.8.8.8 (Google): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 8.8.4.4 (Google Secondary): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 9.9.9.9 (Quad9): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 208.67.222.222 (OpenDNS): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 208.67.220.220 (OpenDNS Secondary): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 77.88.8.8 (Yandex.DNS): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 64.6.64.6 (Verisign): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 64.6.65.6 (Verisign Secondary): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 74.82.42.42 (Hurricane Electric): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)

dol

πŸ”— get logs of the latest or specified container

down

πŸ”— take down the current dir docker compose instance

dps

πŸ”— list current running docker containers

drm

πŸ”— kill latest or specified docker container

dup

πŸ”— advanced shortcut for docker compose up

edns

πŸ”— displays your current external/upstream dns resolver

example:
➜  labs edns
{
  "dns": {
    "geo": "New Zealand - Cloudflare, Inc.",
    "ip": "198.41.237.25"
  }
}

enable-touchid-sudo

πŸ”— enable touch-id for sudo operations on macOS

example:
➜  labs enable-touchid-sudo
setting pam tid for sudo...
Password:
done.

feedread-certnz

πŸ”— show the latest posts on the certnz advisories page

finfo

πŸ”— returns useful file information & hashes

example:
➜  labs finfo /usr/bin/curl
info     | [x86_64:Mach-O 64-bit executable x86_64] [arm64e:Mach-O 64-bit executable arm64e]
/usr/bin/curl (for architecture x86_64):	Mach-O 64-bit executable x86_64
/usr/bin/curl (for architecture arm64e):	Mach-O 64-bit executable arm64e
size     | 292K
modified | 06/15/2023 22:08:29
created  | 06/15/2023 22:08:29
sha1     | 3f6ea6f27592759fdb2df2943d6a5117cacb58c5
sha2     | 361822e42482e3197de5cac35029c4cd08deb89f4118a014cdc13ca6f3456ead
sha5     | 6a3d0fd105095beee01f149eff4ed39eacf5cf01bedba1fae220c56ce1904291143135fd0bbe0d40b6c6bf91c93c9209235480071d2a4476ae2ad918b3e3ea68
md5      | 3541bb282be981fa399ff60764709988
crc32    | 66b11e8a

fixairplay

πŸ”— fix a broken airplay2 session

flushdns

πŸ”— flush dns cache on macOS

freewilly

πŸ”— clean all docker images and networks

ga

πŸ”— git add shortcut for all files or the specified ones

gb

πŸ”— list current git branches - if given var1 then change to or create that branch name

gc

πŸ”— clone a remote repo to local into current dir

get-urlscansubs

πŸ”— build datasets of active url's from urlscan

example:
➜  labs get-urlscansubs
WARNING:root:no api key supplied with --api, once we are rate limited i will die
INFO:root:saved urlscan-submissions.json
INFO:root:working on: https://status.solidvpn.org/

getMBscreenState

πŸ”— check if clamshell mode on

getfavicon

πŸ”— get favicon data; hash (md5 & mmh3), full path location, external search urls (shodan, censys, binaryedge, zoomeye, fofa)

example:
➜  labs getfavicon https://ransomwatch.telemetry.ltd
INFO: shodan: https://www.shodan.io/search?query=http.favicon.hash%3A-1066837762
INFO: censys: https://censys.io/ipv4?q=services.http.response.favicons.md5_hash%3A44e50f01227802a40685221310e42355
INFO: binaryedge: https://app.binaryedge.io/services/query?query=web.favicon.mmh3%3A-1066837762
INFO: zoomeye: https://www.zoomeye.org/searchResult?q=iconhash%3A-1066837762
INFO: fofa: https://en.fofa.info/result?qbase64=aWNvbl9oYXNoPS0xMDY2ODM3NzYy

favicon mmh3 hash: -1066837762
favicon md5 hash: 44e50f01227802a40685221310e42355
favicon location: https://ransomwatch.telemetry.ltd/favicon.ico

getlargefiles

πŸ”— returns a list of the largest files on disk (top 5 unless arg1 set)

getmstenant

πŸ”— get the microsoft 365 tenantid for a given domain

example:
➜  labs getmstenant apple.com
ba8f4151-ab0e-4da6-862d-68b05906e887

getshbanner

πŸ”— fetch a ssh banner from a given server

example:
➜  labs getshbanner telemetry.dark

 _     _       _                _
| |__ (_) __ _| |__  _ __   ___| |_
| '_ \| |/ _` | '_ \| '_ \ / _ \ __|
| | | | | (_| | | | | | | |  __/ |_
|_| |_|_|\__, |_| |_|_| |_|\___|\__|
         |___/	      telemetry.dark

getsitetitle

πŸ”— return the title of a site from the html

example:
➜  labs curl -sL https://apple.com/iphone | getsitetitle
iPhone - Apple

getwordlists

πŸ”— fetch a TON of wordlists for... science

ginfo

πŸ”— get basic into on the git repo you are within (upstream url, description)

example:
➜  kerchow git:(main) βœ— ginfo
url: https://github.com/joshhighet/kerchow
last author: josh!
description: amplify your terminal for security research  🏎 πŸ–₯️
last commit: 2023-05-15 17:48:03 +1200

git-updatesubmodules

πŸ”— update all submodules within a git project recursivley

gitcreds

πŸ”— use trufflehog to search the current working dir for creds

gitgetcontributors

πŸ”— return a list of emails that have contributed to a git project

github-get-all-repo-for-profile

πŸ”— print all the public repositories for a given github username

example:
github-get-all-repo-for-profile apple | grep darwin
https://github.com/apple/darwin-libplatform
https://github.com/apple/darwin-libpthread
https://github.com/apple/darwin-xnu

github-rm-workflowruns

πŸ”— will go through a github repository and remove all previous workflow data

gitsubrm

πŸ”— remove a git submodule from a git repo

gitsubs

πŸ”— initalise and update submodules within a git repository (git submodule init & update)

gl

πŸ”— git pull the updates of the current dir structure

google

πŸ”— make google query from terminal

gp

πŸ”— auto commit and push changes. var1 can be commit message or it will prompt for one. dont use spaces

grepapp

πŸ”— search for a string in public source repositories with grep.app

example:
➜  labs grepapp joshhighet.com
{
  "facets": {
    "count": 1,
    "lang": {
      "buckets": [
        {
          "count": 1,
          "val": "Shell"
        }
      ]
    },
    "path": {
      "buckets": [
        {
          "count": 1,
          "val": "sbin/"
        }
      ]
    },
    "repo": {
      "buckets": [
        {
          "count": 1,
          "owner_id": "17993143",
          "val": "joshhighet/kerchow"
        }
      ]
    }
  },
  "hits": {
    "hits": [
      {
        "branch": {
          "raw": "main"
        },
        "content": {
          "snippet": "<table class=\"highlight-table\"><tr data-line=\"6\"><td><div class=\"lineno\">6</div></td><td><div class=\"highlight\"><pre>    <span class=\"nb\">echo</span> <span class=\"s1\">&#39;domain &amp; path required&#39;</span></pre></div></td></tr><tr data-line=\"7\"><td><div class=\"lineno\">7</div></td><td><div class=\"highlight\"><pre>    <span class=\"nb\">echo</span> <span class=\"s1\">&#39;http-scanner https://cdn.<mark>joshhighet.com</mark> /images/me.png&#39;</span></pre></div></td></tr><tr data-line=\"8\"><td><div class=\"lineno\">8</div></td><td><div class=\"highlight\"><pre>    <span class=\"nb\">exit</span> <span class=\"m\">1</span></pre></div></td></tr></table>"
        },
        "id": {
          "raw": "g/joshhighet/kerchow/main/sbin/http-scanner"
        },
        "owner_id": {
          "raw": "17993143"
        },
        "path": {
          "raw": "sbin/http-scanner"
        },
        "repo": {
          "raw": "joshhighet/kerchow"
        },
        "total_matches": {
          "raw": "1"
        }
      }
    ],
    "total": 1
  },
  "partial": false,
  "time": 78
}

greps

πŸ”— search the scripts directory for keyword

gs

πŸ”— shortcut git status info

gsa

πŸ”— shortcut git submodule add

hackertarget

πŸ”— lookup assets with hackertarget for a given domain name

example:
➜  kerchow git:(main) βœ— hackertarget apple.co.nz
store.apple.co.nz
shop.apple.co.nz
consultants.apple.co.nz

hashdir

πŸ”— show sha2 checksums for all files within a directory (full depth)

example:
➜  labs cd ransomwatch/assets
➜  assets git:(main) hashdir
a1b42b4205b39fb07788449efd84cf2946e5e1d31e8d53f0d896c591982e0bf1  ./browse-hosts.sh
9d4d2e7832f3941012efa7b545a408b18ddfaa5a145762b0204044af8bf803e9  ./chromium.py
5b3572e75c5777ca02c6c918a1b993c83a7d20096a130976d853600fb02de0b6  ./dir
8dee5e8d9c7e5b6a56bf8326007c9803b701e28d7b419a6f62f4b89a623b37dd  ./groups-kv.json
fb1511c92b385d0fbc6bb175113500ef092608163c9e700b3b6d1ac18ffbc74a  ./groups-kv.py
d4cca1ef5d96b2f001cfd58c5aff006af9b88f7d230ae617b6701485e3b0590a  ./iter_headers.sh
f73838fc8d471824802cdebdfd648d09ced9ac4b91e42697bbfb2373b532b9f9  ./parsers.sh
ce38889f509e8ecc9866a28671b0b10ba99a501a00f1070ef672ef73cffa9c1e  ./screenshotter.py
810000cc8fa3a548ffde013b3fed619b69665b87109b7fa4e73662ce097d455f  ./sources.exclusions
dfd2e463400e07b83446e68895ca87d432ee4cfab3de76232484cc03c6ad22fb  ./sources.zsh
56687410895543af2665b7031d9e0f8d9769fa6974808d3ce355b47409b9ec75  ./srcanalyser.py
c0b64148c45d6cb751b6b56277b4654d7f626dc53436a1d2033d622ca97daba4  ./uptimekuma-importer.py
e2654ba7d11b67dda187f2bb4a2b68b22f4c064fcc4a90aa074a7a69e8d55015  ./useragents.txt

headers

πŸ”— show the headers returned by a URI (GET)

example:
➜  labs headers google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-AdeI7EpTrBpQWpoLjaWhwg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 20 Jul 2023 21:32:27 GMT
Expires: Sat, 19 Aug 2023 21:32:27 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

http

πŸ”— python3 simple http server

http-loadtest

πŸ”— make requests with apachabench

http-responder

πŸ”— simple webserver to validate ownership checks (used for Splunk HEC with Meraki Local Analytics API)

http-scanner

πŸ”— run a suite of url checks for the cyber ??

intip

πŸ”— try determine current internal ip

ipgrep

πŸ”— search input for ipv4 and ipv6 addresses

example:
➜  labs echo '''<!DOCTYPE html>
<html>
<head>
  <title>hello</title>
</head>
<body>
  <h1>2001:db8:3333:4444:5555:6666:7777:8888</h1>
  <h2>192.168.1.6</h2>
</body>
</html>''' | ipgrep
2001:db8:3333:4444:5555:6666:7777:8888
192.168.1.6

ipgrepv4

πŸ”— read stdin and list any IPv4 addresses

example:
➜  labs echo '''<!DOCTYPE html>
<html>
<head>
  <title>hello</title>
</head>
<body>
  <h1>10.23.24.25</h1>
</body>
</html>''' | ipgrepv4
10.23.24.25

ipgrepv6

πŸ”— read stdin and list any IPv6 addresses

example:
➜  labs echo '''<!DOCTYPE html>
<html>
<head>
  <title>hello</title>
</head>
<body>
  <h1>2001:db8:3333:4444:5555:6666:7777:8888</h1>
</body>
</html>''' | ipgrepv6
2001:db8:3333:4444:5555:6666:7777:8888

ipi

πŸ”— query IP API for any IP details - beware, ip-api believe TLS is a premium feature

example:
➜  labs ipi 1.1.1.1
{
  "status"       : "success",
  "continent"    : "Oceania",
  "continentCode": "OC",
  "country"      : "Australia",
  "countryCode"  : "AU",
  "region"       : "QLD",
  "regionName"   : "Queensland",
  "city"         : "South Brisbane",
  "district"     : "",
  "zip"          : "4101",
  "lat"          : -27.4766,
  "lon"          : 153.0166,
  "timezone"     : "Australia/Brisbane",
  "offset"       : 36000,
  "currency"     : "AUD",
  "isp"          : "Cloudflare, Inc",
  "org"          : "APNIC and Cloudflare DNS Resolver project",
  "as"           : "AS13335 Cloudflare, Inc.",
  "asname"       : "CLOUDFLARENET",
  "mobile"       : false,
  "proxy"        : false,
  "hosting"      : true,
  "query"        : "1.1.1.1"
}

ipinfo

πŸ”— basic cli netaddress enrichment with greynoise, virustotal & ipinfo

example:
➜  labs ipinfo 1.1.1.1

hostname  one.one.one.one
anycast   true
country   US
loc       34.0522,-118.2437
postal    90076
timezone  America/Los_Angeles
harmless    67
malicious   2
suspicious  0
undetected  19
timeout     0

rgcrjsqaalucmmlfom3s26bygywtmna.h.nessus.org
rgcrjsqaalucmelfom3s26bygywtmna.h.nessus.org
microsoft.amch-1dnj.sbs
www.microsoft.amch-1dnj.sbs
this.www.microsoft.amch-1dnj.sbs
with.this.www.microsoft.amch-1dnj.sbs
want_to.with.this.www.microsoft.amch-1dnj.sbs
do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs
uk.do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs
co.uk.do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs

noise           false
riot            true
classification  benign
link            https://viz.greynoise.io/riot/1.1.1.1
last_seen       2023-07-20

ipinfo.io

πŸ”— __

iptables-clear

πŸ”— drop all iptables chains

kserve

πŸ”— list all defined kubernetes deployments

l

πŸ”— list current directory

maclean

πŸ”— macos: empty trash, clear system logs & clear download history from quarantine

macupd

πŸ”— macos: update os, applications, homebrew etc

mailcheck

πŸ”— lookup SPF, MX & DMARC records for a domain

example:
➜  labs mailcheck apple.com
SPF: "v=spf1 include:_spf.apple.com include:_spf-txn.apple.com ~all"
DMARC: "v=DMARC1; p=quarantine; sp=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];"
MX: mx-in.g.apple.com.
MX: mx-in-vib.apple.com.
MX: mx-in-mdn.apple.com.
MX: mx-in-rno.apple.com.
MX: mx-in-hfd.apple.com.

mgrep

πŸ”— best attempts grep for email

example:
➜  labs echo '''<!DOCTYPE html>
<html>
<head>
  <title>hello</title>
</head>
<body>
  <h1>[email protected]</h1>
</body>
</html>''' | mgrep
[email protected]

myip

πŸ”— return my current IP address

n

πŸ”— nano shortcut

npmaudit

πŸ”— auto audit the local package.json and produce 'report.html' output

nz-companiesdirectory

πŸ”— search the NZ companies directory

onionscan

πŸ”— netscan an onion address with proxychains, jsonified output

openh

πŸ”— open an fqdn in a browser

osq-usb

πŸ”— use osquery to return a list of attached removable usb devices

osv

πŸ”— return a known OS version string

ouilookup

πŸ”— lookups a mac address in attempt to vendor correlate

example:
➜  labs ouilookup 00-B0-D0-63-C2-26
00B0D0 (base 16) Dell Inc.

pans

πŸ”— list valid NZ PANs forever or until var1=numberToReturn

phishreport

πŸ”— report a URL to phish.report

pihole-disable

πŸ”— disable pihole filtering

pihole-enable

πŸ”— enable pihole filtering

pihole-lastblock

πŸ”— show the last domain blocked by pihole

pihole-stat

πŸ”— get basic stats of a pihole instance from the php api

pireq

πŸ”— shortcut to install python3 deps from requirements.txt

ports

πŸ”— shows running service network interaction (listening ports)

pping

πŸ”— pingsweep (or tcp chek if port provided as arg1)

pubkey

πŸ”— print my public keys

pullallrepos

πŸ”— enter into all folders within the current working directory - if the folder is a git repo pull the latest from remote

ransomwatch-groupcounts

πŸ”— return a list of all online ransomwatch hosts

ransomwatch-online

πŸ”— return a list of all online ransomwatch hosts

ransomwatch-posts

πŸ”— return a list of posts in ransomwatch

redirect

πŸ”— follow a URL and return all the redirects

example:
➜  kerchow git:(main) βœ— redirect google.com/images
< Location: http://www.google.com/images
< Location: http://www.google.com/imghp
< Location: https://www.google.com/imghp?gws_rd=ssl

reversewhois

πŸ”— perform reverse whois lookup using the viewdns.info api

example:
➜  labs reversewhois [email protected]
applecare.pro
applecare.promo
applecare.qpon
applecare.quebec
applecare.rent
applecare.review
applecare.services
applecare.site
applecare.soy
applecare.space
applecare.store
applecare.study
applecare.sucks
applecare.sydney
applecare.taipei
applecare.tech
applecare.tel
applecare.tokyo
applecare.university
applecare.us
applecare.vegas
applecare.wang

rgroups

πŸ”— return ransomwatch groups

searchcode

πŸ”— search for a string in public source repositories with searchcode

servicescan

πŸ”— use nmap to run a service identification scan (ip and optional port)

example:
➜  labs servicescan 1.1.1.1 53
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-21 09:19 NZST
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.0083s latency).

PORT   STATE SERVICE VERSION
53/tcp open  domain  Unbound

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds

shodanme

πŸ”— shodan your current egress address

ssh-nokey

πŸ”— ssh to rogue hosts without presenting a local key

sshmd5

πŸ”— generate an md5 signature of a ssh server

example:
➜  labs sshmd5 sftp.uber.com 2222
57:57:72:2f:89:e2:99:5b:19:91:1e:6e:03:a8:cc:cd

sssh

πŸ”— multi-host ssh controller

tor-getLatestConsensus

πŸ”— fetch the latest consensus file from metrics.torproject.org for processing

tor-readyyet

πŸ”— this checks if a tor circuit has been completed by polling the controlport

torexits-jsonarray

πŸ”— returns a JSON array of public Tor exit nodes

tornz

πŸ”— return overview on tor bridges, exits & open relays [nz netspace]

urld

πŸ”— decode a url

example:
➜  labs urld https%3A%2F%2Fdotco.nz%2Fsearch%3Fquery%3Dexe.png
https://dotco.nz/search?query=exe.png

urlg

πŸ”— grep for http(s) URLs

utc

πŸ”— list given date as UTC time

validpan

πŸ”— check if a given credit card number (var1) passes mod10 checksum

wa

πŸ”— colorful watch wrapper for localhost (local http develop) - takes port as $1

webspeed

πŸ”— website speed tests (response time analytics)

example:
➜  labs webspeed dotco.nz
report: http://dotco.nz/

lookup time:		0.008208
connect time:		0.116452
appcon time:		0.000000
redirect time:		0.000000
pre-transfer time:	0.116502
start-transfer time:	0.162668

total time:		0.162746

wgetspider

πŸ”— spider/download a site using wget into './downloaded'

whatazuresvc

πŸ”— use azure public ip tag data to correlate an address to a service

example:
➜  labs whatazuresvc 20.70.246.20
ip: 20.70.246.20
name: AzureCloud.australiaeast
region: australiaeast
system service: Not specified
address prefix: 20.70.128.0/17

whatmydns

πŸ”— show current dns servers

whatport

πŸ”— search for common port usages (what does port X typically correspond to)

example:
➜  labs whatport 1230
{
  "udp": {
    "service": "periscope",
    "name": "Periscope"
  },
  "tcp": {
    "service": "periscope",
    "name": "Periscope"
  }
}

zonetransfer

πŸ”— attempt an DNS AXFR (zone transfer) with dig on arg1

example:
➜  labs zonetransfer zonetransfer.me
attempting zone txfr on zonetransfer.me, nameserver nsztm2.digi.ninja.
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.	300	IN	HINFO	"Casio fx-700G" "Windows XP"
zonetransfer.me.	301	IN	TXT	"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.	7200	IN	MX	0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	A	5.196.105.14
zonetransfer.me.	7200	IN	NS	nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	NS	nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN	TXT	"2acOp15rSxBpyF6L7TqnAoW8aI0vqMU5kpXQW7q4egc"
_acme-challenge.zonetransfer.me. 301 IN	TXT	"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN	SRV	0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200	IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN	AFSDB	1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200	IN	A	127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN	AFSDB	1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A	202.14.81.230
cmdexec.zonetransfer.me. 300	IN	TXT	"; ls"
contact.zonetransfer.me. 2592000 IN	TXT	"Remember to call or email Pippa on +44 123 4567890 or [email protected] when making DNS changes"
dc-office.zonetransfer.me. 7200	IN	A	143.228.181.132
deadbeef.zonetransfer.me. 7201	IN	AAAA	dead:beaf::
dr.zonetransfer.me.	300	IN	LOC	53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me.	7200	IN	TXT	"AbCdEfG"
email.zonetransfer.me.	2222	IN	NAPTR	1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me.	7200	IN	A	74.125.206.26
Hello.zonetransfer.me.	7200	IN	TXT	"Hi to Josh and all his class"
home.zonetransfer.me.	7200	IN	A	127.0.0.1
Info.zonetransfer.me.	7200	IN	TXT	"ZoneTransfer.me service provided by Robin Wood - [email protected]. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300	IN	NS	intns1.zonetransfer.me.
internal.zonetransfer.me. 300	IN	NS	intns2.zonetransfer.me.
intns1.zonetransfer.me.	300	IN	A	81.4.108.41
intns2.zonetransfer.me.	300	IN	A	52.91.28.78
office.zonetransfer.me.	7200	IN	A	4.23.39.254
ipv6actnow.org.zonetransfer.me.	7200 IN	AAAA	2001:67c:2e8:11::c100:1332
owa.zonetransfer.me.	7200	IN	A	207.46.197.32
robinwood.zonetransfer.me. 302	IN	TXT	"Robin Wood"
rp.zonetransfer.me.	321	IN	RP	robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me.	3333	IN	NAPTR	2 3 "P" "E2U+sip" "!^.*$!sip:[email protected]!" .
sqli.zonetransfer.me.	300	IN	TXT	"' or 1=1 --"
sshock.zonetransfer.me.	7200	IN	TXT	"() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200	IN	CNAME	www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A	127.0.0.1
testing.zonetransfer.me. 301	IN	CNAME	www.zonetransfer.me.
vpn.zonetransfer.me.	4000	IN	A	174.36.59.154
www.zonetransfer.me.	7200	IN	A	5.196.105.14
xss.zonetransfer.me.	300	IN	TXT	"'><script>alert('Boo')</script>"
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600

attempting zone txfr on zonetransfer.me, nameserver nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.	300	IN	HINFO	"Casio fx-700G" "Windows XP"
zonetransfer.me.	301	IN	TXT	"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.	7200	IN	MX	0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	A	5.196.105.14
zonetransfer.me.	7200	IN	NS	nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	NS	nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN	TXT	"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN	SRV	0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200	IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN	AFSDB	1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200	IN	A	127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN	AFSDB	1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A	202.14.81.230
cmdexec.zonetransfer.me. 300	IN	TXT	"; ls"
contact.zonetransfer.me. 2592000 IN	TXT	"Remember to call or email Pippa on +44 123 4567890 or [email protected] when making DNS changes"
dc-office.zonetransfer.me. 7200	IN	A	143.228.181.132
deadbeef.zonetransfer.me. 7201	IN	AAAA	dead:beaf::
dr.zonetransfer.me.	300	IN	LOC	53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me.	7200	IN	TXT	"AbCdEfG"
email.zonetransfer.me.	2222	IN	NAPTR	1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me.	7200	IN	A	74.125.206.26
Hello.zonetransfer.me.	7200	IN	TXT	"Hi to Josh and all his class"
home.zonetransfer.me.	7200	IN	A	127.0.0.1
Info.zonetransfer.me.	7200	IN	TXT	"ZoneTransfer.me service provided by Robin Wood - [email protected]. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300	IN	NS	intns1.zonetransfer.me.
internal.zonetransfer.me. 300	IN	NS	intns2.zonetransfer.me.
intns1.zonetransfer.me.	300	IN	A	81.4.108.41
intns2.zonetransfer.me.	300	IN	A	167.88.42.94
office.zonetransfer.me.	7200	IN	A	4.23.39.254
ipv6actnow.org.zonetransfer.me.	7200 IN	AAAA	2001:67c:2e8:11::c100:1332
owa.zonetransfer.me.	7200	IN	A	207.46.197.32
robinwood.zonetransfer.me. 302	IN	TXT	"Robin Wood"
rp.zonetransfer.me.	321	IN	RP	robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me.	3333	IN	NAPTR	2 3 "P" "E2U+sip" "!^.*$!sip:[email protected]!" .
sqli.zonetransfer.me.	300	IN	TXT	"' or 1=1 --"
sshock.zonetransfer.me.	7200	IN	TXT	"() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200	IN	CNAME	www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A	127.0.0.1
testing.zonetransfer.me. 301	IN	CNAME	www.zonetransfer.me.
vpn.zonetransfer.me.	4000	IN	A	174.36.59.154
www.zonetransfer.me.	7200	IN	A	5.196.105.14
xss.zonetransfer.me.	300	IN	TXT	"'><script>alert('Boo')</script>"
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600

About

amplify your terminal for security research 🏎 πŸ–₯️

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published