kerchow

kerchow is a collection of shortcuts/binfiles/scripts to speed up common tasks

these are intended to be added to your PATH to shorthand various workflows - see setup.zsh for an example

each script is noted below alongside a brief description of what it does. where applicable, example outputs are shown

---

boing

🔗 makes an audible boing noise (can be useful for long-running scripts)

example:

➜  labs boing
🔊

c

🔗 pbcopy shortcut

cats

🔗 print the source code of any kerchow shortscripts

example:

➜  labs cats cats
#!/bin/bash
# print the source code of any kerchow shortscripts

if [ -z "$1" ]; then
    echo "usage: cats <binfile>"
    exit 1
fi

shortscript=`which $1`

if [ -z "$shortscript" ]; then
  echo "unable to find $1"
  exit 1
fi

if ! command -v bat >/dev/null 2>&1
then
  cat $shortscript
else
  bat -pp $shortscript
fi

certinfo

🔗 returns x509 data in json for a given url

example:

➜  labs certinfo dotco.nz | jq
{
  "subject": {
    "commonName": "dotco.nz"
  },
  "issuer": {
    "countryName": "US",
    "organizationName": "Google Trust Services LLC",
    "commonName": "GTS CA 1P5"
  },
  "version": 3,
  "serialNumber": "A936F40B7782FFCA110322E22CA11D03",
  "notBefore": "May 22 23:43:14 2023 GMT",
  "notAfter": "Aug 20 23:43:13 2023 GMT",
  "subjectAltName": [
    "dotco.nz",
    "*.dotco.nz"
  ],
  "OCSP": [
    "http://ocsp.pki.goog/s/gts1p5/JNQ39h5OCqA"
  ],
  "caIssuers": [
    "http://pki.goog/repo/certs/gts1p5.der"
  ],
  "crlDistributionPoints": [
    "http://crls.pki.goog/gts1p5/UMpHrkS7PMY.crl"
  ]
}

cfssh

🔗 use the cloudflared tunnel agent to ssh onto a target fqdn

checkmsuser

🔗 check if a given email address has a connected m365 account

example:

➜  labs checkmsuser bill.gates@microsoft.com
{
  "external_idp": true,
  "valid_account": true
}

colortest

🔗 test colors on a shell

example:

➜  labs colortest
            40m   41m   42m   43m   44m   45m   46m   47m
    m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  1;m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  30m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;30m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  31m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;31m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  32m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;32m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  33m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;33m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  34m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;34m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  35m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;35m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  36m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;36m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
  37m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw
1;37m gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw   gYw

crtsh

🔗 use the crt.sh ct api to discover other web services for an apex domain

example:

➜  labs crtsh dotco.nz
*.dotco.nz
dotco.nz
s.dotco.nz
www.dotco.nz

cruises

🔗 fetch incoming auckland port ship data

curltor

🔗 wrapper for curling onionsites with a local/remote tor client over socks5

example:

➜  labs curltor -I ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion
Connection to telemetry.dark port 9050 [tcp/*] succeeded!
HTTP/1.1 301 Moved Permanently
Date: Thu, 20 Jul 2023 08:08:53 GMT
Content-Length: 0
Location: http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion/index.html
Connection: keep-alive
Set-Cookie: _session_={xxx}; path=/; domain=ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion; secure; HttpOnly

dehashed-email

🔗 get dehashed results for an email

desktopicons

🔗 show/hide desktop icons on/off on macOS

dex

🔗 get a shell in the latest built docker container

digall

🔗 perform a dig ANY lookup using google DNS for a given domain

example:

➜  labs digall google.com
172.217.167.78
2404:6800:4006:80a::200e
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
"onetrust-domain-verification=de01ed21f2fa4d8781cbc3ffb89cf4ef"
ns4.google.com.
"v=spf1 include:_spf.google.com ~all"
ns1.google.com.
"MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
\# 13 00010000010006026832026833
ns2.google.com.
ns1.google.com. dns-admin.google.com. 549264082 900 900 1800 60
"google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
"apple-domain-verification=30afIBcvSuDV2PLX"
0 issue "pki.goog"
10 smtp.google.com.
"atlassian-domain-verification=5YjTmWmjI92ewqkx2oXmBaD60Td9zWon9r6eakvHX6B77zzkFQto8PQ9QsKnbf4I"
ns3.google.com.
"docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
"facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
"docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
"webexdomainverification.8YX6G=6e6922db-e3e6-4a36-904e-a805c28087fa"
"google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"

dim

🔗 list all docker images on current system

dnsprop

🔗 simple nameserv propogation check util

example:

➜  kerchow git:(main) ✗ dnsprop AAAA dotco.nz
checking DNS propagation for 'AAAA' record of 'dotco.nz' against top 10 resolvers:
checking resolver 1.1.1.1 (Cloudflare): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 8.8.8.8 (Google): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 8.8.4.4 (Google Secondary): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 9.9.9.9 (Quad9): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 208.67.222.222 (OpenDNS): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 208.67.220.220 (OpenDNS Secondary): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 77.88.8.8 (Yandex.DNS): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 64.6.64.6 (Verisign): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 64.6.65.6 (Verisign Secondary): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 74.82.42.42 (Hurricane Electric): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)

dol

🔗 get logs of the latest or specified container

down

🔗 take down the current dir docker compose instance

dps

🔗 list current running docker containers

drm

🔗 kill latest or specified docker container

dup

🔗 advanced shortcut for docker compose up

edns

🔗 displays your current external/upstream dns resolver

example:

➜  labs edns
{
  "dns": {
    "geo": "New Zealand - Cloudflare, Inc.",
    "ip": "198.41.237.25"
  }
}

enable-touchid-sudo

🔗 enable touch-id for sudo operations on macOS

example:

➜  labs enable-touchid-sudo
setting pam tid for sudo...
Password:
done.

feedread-certnz

🔗 show the latest posts on the certnz advisories page

finfo

🔗 returns useful file information & hashes

example:

➜  labs finfo /usr/bin/curl
info     | [x86_64:Mach-O 64-bit executable x86_64] [arm64e:Mach-O 64-bit executable arm64e]
/usr/bin/curl (for architecture x86_64):	Mach-O 64-bit executable x86_64
/usr/bin/curl (for architecture arm64e):	Mach-O 64-bit executable arm64e
size     | 292K
modified | 06/15/2023 22:08:29
created  | 06/15/2023 22:08:29
sha1     | 3f6ea6f27592759fdb2df2943d6a5117cacb58c5
sha2     | 361822e42482e3197de5cac35029c4cd08deb89f4118a014cdc13ca6f3456ead
sha5     | 6a3d0fd105095beee01f149eff4ed39eacf5cf01bedba1fae220c56ce1904291143135fd0bbe0d40b6c6bf91c93c9209235480071d2a4476ae2ad918b3e3ea68
md5      | 3541bb282be981fa399ff60764709988
crc32    | 66b11e8a

fixairplay

🔗 fix a broken airplay2 session

flushdns

🔗 flush dns cache on macOS

freewilly

🔗 clean all docker images and networks

ga

🔗 git add shortcut for all files or the specified ones

gb

🔗 list current git branches - if given var1 then change to or create that branch name

gc

🔗 clone a remote repo to local into current dir

get-urlscansubs

🔗 build datasets of active url's from urlscan

example:

➜  labs get-urlscansubs
WARNING:root:no api key supplied with --api, once we are rate limited i will die
INFO:root:saved urlscan-submissions.json
INFO:root:working on: https://status.solidvpn.org/

getMBscreenState

🔗 check if clamshell mode on

getfavicon

🔗 get favicon data; hash (md5 & mmh3), full path location, external search urls (shodan, censys, binaryedge, zoomeye, fofa)

example:

➜  labs getfavicon https://ransomwatch.telemetry.ltd
INFO: shodan: https://www.shodan.io/search?query=http.favicon.hash%3A-1066837762
INFO: censys: https://censys.io/ipv4?q=services.http.response.favicons.md5_hash%3A44e50f01227802a40685221310e42355
INFO: binaryedge: https://app.binaryedge.io/services/query?query=web.favicon.mmh3%3A-1066837762
INFO: zoomeye: https://www.zoomeye.org/searchResult?q=iconhash%3A-1066837762
INFO: fofa: https://en.fofa.info/result?qbase64=aWNvbl9oYXNoPS0xMDY2ODM3NzYy

favicon mmh3 hash: -1066837762
favicon md5 hash: 44e50f01227802a40685221310e42355
favicon location: https://ransomwatch.telemetry.ltd/favicon.ico

getlargefiles

🔗 returns a list of the largest files on disk (top 5 unless arg1 set)

getmstenant

🔗 get the microsoft 365 tenantid for a given domain

example:

➜  labs getmstenant apple.com
ba8f4151-ab0e-4da6-862d-68b05906e887

getshbanner

🔗 fetch a ssh banner from a given server

example:

➜  labs getshbanner telemetry.dark

 _     _       _                _
| |__ (_) __ _| |__  _ __   ___| |_
| '_ \| |/ _` | '_ \| '_ \ / _ \ __|
| | | | | (_| | | | | | | |  __/ |_
|_| |_|_|\__, |_| |_|_| |_|\___|\__|
         |___/	      telemetry.dark

getsitetitle

🔗 return the title of a site from the html

example:

➜  labs curl -sL https://apple.com/iphone | getsitetitle
iPhone - Apple

getwordlists

🔗 fetch a TON of wordlists for... science

ginfo

🔗 get basic into on the git repo you are within (upstream url, description)

example:

➜  kerchow git:(main) ✗ ginfo
url: https://github.com/joshhighet/kerchow
last author: josh!
description: amplify your terminal for security research  🏎 🖥️
last commit: 2023-05-15 17:48:03 +1200

git-updatesubmodules

🔗 update all submodules within a git project recursivley

gitcreds

🔗 use trufflehog to search the current working dir for creds

gitgetcontributors

🔗 return a list of emails that have contributed to a git project

github-get-all-repo-for-profile

🔗 print all the public repositories for a given github username

example:

github-get-all-repo-for-profile apple | grep darwin
https://github.com/apple/darwin-libplatform
https://github.com/apple/darwin-libpthread
https://github.com/apple/darwin-xnu

github-rm-workflowruns

🔗 will go through a github repository and remove all previous workflow data

gitsubrm

🔗 remove a git submodule from a git repo

gitsubs

🔗 initalise and update submodules within a git repository (git submodule init & update)

gl

🔗 git pull the updates of the current dir structure

google

🔗 make google query from terminal

gp

🔗 auto commit and push changes. var1 can be commit message or it will prompt for one. dont use spaces

grepapp

🔗 search for a string in public source repositories with grep.app

example:

➜  labs grepapp joshhighet.com
{
  "facets": {
    "count": 1,
    "lang": {
      "buckets": [
        {
          "count": 1,
          "val": "Shell"
        }
      ]
    },
    "path": {
      "buckets": [
        {
          "count": 1,
          "val": "sbin/"
        }
      ]
    },
    "repo": {
      "buckets": [
        {
          "count": 1,
          "owner_id": "17993143",
          "val": "joshhighet/kerchow"
        }
      ]
    }
  },
  "hits": {
    "hits": [
      {
        "branch": {
          "raw": "main"
        },
        "content": {
          "snippet": "<table class=\"highlight-table\"><tr data-line=\"6\"><td><div class=\"lineno\">6</div></td><td><div class=\"highlight\"><pre>    <span class=\"nb\">echo</span> <span class=\"s1\">&#39;domain &amp; path required&#39;</span></pre></div></td></tr><tr data-line=\"7\"><td><div class=\"lineno\">7</div></td><td><div class=\"highlight\"><pre>    <span class=\"nb\">echo</span> <span class=\"s1\">&#39;http-scanner https://cdn.<mark>joshhighet.com</mark> /images/me.png&#39;</span></pre></div></td></tr><tr data-line=\"8\"><td><div class=\"lineno\">8</div></td><td><div class=\"highlight\"><pre>    <span class=\"nb\">exit</span> <span class=\"m\">1</span></pre></div></td></tr></table>"
        },
        "id": {
          "raw": "g/joshhighet/kerchow/main/sbin/http-scanner"
        },
        "owner_id": {
          "raw": "17993143"
        },
        "path": {
          "raw": "sbin/http-scanner"
        },
        "repo": {
          "raw": "joshhighet/kerchow"
        },
        "total_matches": {
          "raw": "1"
        }
      }
    ],
    "total": 1
  },
  "partial": false,
  "time": 78
}

greps

🔗 search the scripts directory for keyword

gs

🔗 shortcut git status info

gsa

🔗 shortcut git submodule add

hackertarget

🔗 lookup assets with hackertarget for a given domain name

example:

➜  kerchow git:(main) ✗ hackertarget apple.co.nz
store.apple.co.nz
shop.apple.co.nz
consultants.apple.co.nz

hashdir

🔗 show sha2 checksums for all files within a directory (full depth)

example:

➜  labs cd ransomwatch/assets
➜  assets git:(main) hashdir
a1b42b4205b39fb07788449efd84cf2946e5e1d31e8d53f0d896c591982e0bf1  ./browse-hosts.sh
9d4d2e7832f3941012efa7b545a408b18ddfaa5a145762b0204044af8bf803e9  ./chromium.py
5b3572e75c5777ca02c6c918a1b993c83a7d20096a130976d853600fb02de0b6  ./dir
8dee5e8d9c7e5b6a56bf8326007c9803b701e28d7b419a6f62f4b89a623b37dd  ./groups-kv.json
fb1511c92b385d0fbc6bb175113500ef092608163c9e700b3b6d1ac18ffbc74a  ./groups-kv.py
d4cca1ef5d96b2f001cfd58c5aff006af9b88f7d230ae617b6701485e3b0590a  ./iter_headers.sh
f73838fc8d471824802cdebdfd648d09ced9ac4b91e42697bbfb2373b532b9f9  ./parsers.sh
ce38889f509e8ecc9866a28671b0b10ba99a501a00f1070ef672ef73cffa9c1e  ./screenshotter.py
810000cc8fa3a548ffde013b3fed619b69665b87109b7fa4e73662ce097d455f  ./sources.exclusions
dfd2e463400e07b83446e68895ca87d432ee4cfab3de76232484cc03c6ad22fb  ./sources.zsh
56687410895543af2665b7031d9e0f8d9769fa6974808d3ce355b47409b9ec75  ./srcanalyser.py
c0b64148c45d6cb751b6b56277b4654d7f626dc53436a1d2033d622ca97daba4  ./uptimekuma-importer.py
e2654ba7d11b67dda187f2bb4a2b68b22f4c064fcc4a90aa074a7a69e8d55015  ./useragents.txt

headers

🔗 show the headers returned by a URI (GET)

example:

➜  labs headers google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-AdeI7EpTrBpQWpoLjaWhwg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 20 Jul 2023 21:32:27 GMT
Expires: Sat, 19 Aug 2023 21:32:27 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

http

🔗 python3 simple http server

http-loadtest

🔗 make requests with apachabench

http-responder

🔗 simple webserver to validate ownership checks (used for Splunk HEC with Meraki Local Analytics API)

http-scanner

🔗 run a suite of url checks for the cyber ??

intip

🔗 try determine current internal ip

ipgrep

🔗 search input for ipv4 and ipv6 addresses

example:

➜  labs echo '''<!DOCTYPE html>
<html>
<head>
  <title>hello</title>
</head>
<body>
  <h1>2001:db8:3333:4444:5555:6666:7777:8888</h1>
  <h2>192.168.1.6</h2>
</body>
</html>''' | ipgrep
2001:db8:3333:4444:5555:6666:7777:8888
192.168.1.6

ipgrepv4

🔗 read stdin and list any IPv4 addresses

example:

➜  labs echo '''<!DOCTYPE html>
<html>
<head>
  <title>hello</title>
</head>
<body>
  <h1>10.23.24.25</h1>
</body>
</html>''' | ipgrepv4
10.23.24.25

ipgrepv6

🔗 read stdin and list any IPv6 addresses

example:

➜  labs echo '''<!DOCTYPE html>
<html>
<head>
  <title>hello</title>
</head>
<body>
  <h1>2001:db8:3333:4444:5555:6666:7777:8888</h1>
</body>
</html>''' | ipgrepv6
2001:db8:3333:4444:5555:6666:7777:8888

ipi

🔗 query IP API for any IP details - beware, ip-api believe TLS is a premium feature

example:

➜  labs ipi 1.1.1.1
{
  "status"       : "success",
  "continent"    : "Oceania",
  "continentCode": "OC",
  "country"      : "Australia",
  "countryCode"  : "AU",
  "region"       : "QLD",
  "regionName"   : "Queensland",
  "city"         : "South Brisbane",
  "district"     : "",
  "zip"          : "4101",
  "lat"          : -27.4766,
  "lon"          : 153.0166,
  "timezone"     : "Australia/Brisbane",
  "offset"       : 36000,
  "currency"     : "AUD",
  "isp"          : "Cloudflare, Inc",
  "org"          : "APNIC and Cloudflare DNS Resolver project",
  "as"           : "AS13335 Cloudflare, Inc.",
  "asname"       : "CLOUDFLARENET",
  "mobile"       : false,
  "proxy"        : false,
  "hosting"      : true,
  "query"        : "1.1.1.1"
}

ipinfo

🔗 basic cli netaddress enrichment with greynoise, virustotal & ipinfo

example:

➜  labs ipinfo 1.1.1.1

hostname  one.one.one.one
anycast   true
country   US
loc       34.0522,-118.2437
postal    90076
timezone  America/Los_Angeles
harmless    67
malicious   2
suspicious  0
undetected  19
timeout     0

rgcrjsqaalucmmlfom3s26bygywtmna.h.nessus.org
rgcrjsqaalucmelfom3s26bygywtmna.h.nessus.org
microsoft.amch-1dnj.sbs
www.microsoft.amch-1dnj.sbs
this.www.microsoft.amch-1dnj.sbs
with.this.www.microsoft.amch-1dnj.sbs
want_to.with.this.www.microsoft.amch-1dnj.sbs
do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs
uk.do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs
co.uk.do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs

noise           false
riot            true
classification  benign
link            https://viz.greynoise.io/riot/1.1.1.1
last_seen       2023-07-20

ipinfo.io

🔗 __

iptables-clear

🔗 drop all iptables chains

kserve

🔗 list all defined kubernetes deployments

l

🔗 list current directory

maclean

🔗 macos: empty trash, clear system logs & clear download history from quarantine

macupd

🔗 macos: update os, applications, homebrew etc

mailcheck

🔗 lookup SPF, MX & DMARC records for a domain

example:

➜  labs mailcheck apple.com
SPF: "v=spf1 include:_spf.apple.com include:_spf-txn.apple.com ~all"
DMARC: "v=DMARC1; p=quarantine; sp=reject; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"
MX: mx-in.g.apple.com.
MX: mx-in-vib.apple.com.
MX: mx-in-mdn.apple.com.
MX: mx-in-rno.apple.com.
MX: mx-in-hfd.apple.com.

mgrep

🔗 best attempts grep for email

example:

➜  labs echo '''<!DOCTYPE html>
<html>
<head>
  <title>hello</title>
</head>
<body>
  <h1>bill.gates@microsoft.com</h1>
</body>
</html>''' | mgrep
bill.gates@microsoft.com

myip

🔗 return my current IP address

n

🔗 nano shortcut

npmaudit

🔗 auto audit the local package.json and produce 'report.html' output

nz-companiesdirectory

🔗 search the NZ companies directory

onionscan

🔗 netscan an onion address with proxychains, jsonified output

openh

🔗 open an fqdn in a browser

osq-usb

🔗 use osquery to return a list of attached removable usb devices

osv

🔗 return a known OS version string

ouilookup

🔗 lookups a mac address in attempt to vendor correlate

example:

➜  labs ouilookup 00-B0-D0-63-C2-26
00B0D0 (base 16) Dell Inc.

pans

🔗 list valid NZ PANs forever or until var1=numberToReturn

phishreport

🔗 report a URL to phish.report

pihole-disable

🔗 disable pihole filtering

pihole-enable

🔗 enable pihole filtering

pihole-lastblock

🔗 show the last domain blocked by pihole

pihole-stat

🔗 get basic stats of a pihole instance from the php api

pireq

🔗 shortcut to install python3 deps from requirements.txt

ports

🔗 shows running service network interaction (listening ports)

pping

🔗 pingsweep (or tcp chek if port provided as arg1)

pubkey

🔗 print my public keys

pullallrepos

🔗 enter into all folders within the current working directory - if the folder is a git repo pull the latest from remote

ransomwatch-groupcounts

🔗 return a list of all online ransomwatch hosts

ransomwatch-online

🔗 return a list of all online ransomwatch hosts

ransomwatch-posts

🔗 return a list of posts in ransomwatch

redirect

🔗 follow a URL and return all the redirects

example:

➜  kerchow git:(main) ✗ redirect google.com/images
< Location: http://www.google.com/images
< Location: http://www.google.com/imghp
< Location: https://www.google.com/imghp?gws_rd=ssl

reversewhois

🔗 perform reverse whois lookup using the viewdns.info api

example:

➜  labs reversewhois domains@apple.com
applecare.pro
applecare.promo
applecare.qpon
applecare.quebec
applecare.rent
applecare.review
applecare.services
applecare.site
applecare.soy
applecare.space
applecare.store
applecare.study
applecare.sucks
applecare.sydney
applecare.taipei
applecare.tech
applecare.tel
applecare.tokyo
applecare.university
applecare.us
applecare.vegas
applecare.wang

rgroups

🔗 return ransomwatch groups

searchcode

🔗 search for a string in public source repositories with searchcode

servicescan

🔗 use nmap to run a service identification scan (ip and optional port)

example:

➜  labs servicescan 1.1.1.1 53
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-21 09:19 NZST
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.0083s latency).

PORT   STATE SERVICE VERSION
53/tcp open  domain  Unbound

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds

shodanme

🔗 shodan your current egress address

ssh-nokey

🔗 ssh to rogue hosts without presenting a local key

sshmd5

🔗 generate an md5 signature of a ssh server

example:

➜  labs sshmd5 sftp.uber.com 2222
57:57:72:2f:89:e2:99:5b:19:91:1e:6e:03:a8:cc:cd

sssh

🔗 multi-host ssh controller

tor-getLatestConsensus

🔗 fetch the latest consensus file from metrics.torproject.org for processing

tor-readyyet

🔗 this checks if a tor circuit has been completed by polling the controlport

torexits-jsonarray

🔗 returns a JSON array of public Tor exit nodes

tornz

🔗 return overview on tor bridges, exits & open relays [nz netspace]

urld

🔗 decode a url

example:

➜  labs urld https%3A%2F%2Fdotco.nz%2Fsearch%3Fquery%3Dexe.png
https://dotco.nz/search?query=exe.png

urlg

🔗 grep for http(s) URLs

utc

🔗 list given date as UTC time

validpan

🔗 check if a given credit card number (var1) passes mod10 checksum

wa

🔗 colorful watch wrapper for localhost (local http develop) - takes port as $1

webspeed

🔗 website speed tests (response time analytics)

example:

➜  labs webspeed dotco.nz
report: http://dotco.nz/

lookup time:		0.008208
connect time:		0.116452
appcon time:		0.000000
redirect time:		0.000000
pre-transfer time:	0.116502
start-transfer time:	0.162668

total time:		0.162746

wgetspider

🔗 spider/download a site using wget into './downloaded'

whatazuresvc

🔗 use azure public ip tag data to correlate an address to a service

example:

➜  labs whatazuresvc 20.70.246.20
ip: 20.70.246.20
name: AzureCloud.australiaeast
region: australiaeast
system service: Not specified
address prefix: 20.70.128.0/17

whatmydns

🔗 show current dns servers

whatport

🔗 search for common port usages (what does port X typically correspond to)

example:

➜  labs whatport 1230
{
  "udp": {
    "service": "periscope",
    "name": "Periscope"
  },
  "tcp": {
    "service": "periscope",
    "name": "Periscope"
  }
}

zonetransfer

🔗 attempt an DNS AXFR (zone transfer) with dig on arg1

example:

➜  labs zonetransfer zonetransfer.me
attempting zone txfr on zonetransfer.me, nameserver nsztm2.digi.ninja.
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.	300	IN	HINFO	"Casio fx-700G" "Windows XP"
zonetransfer.me.	301	IN	TXT	"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.	7200	IN	MX	0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	A	5.196.105.14
zonetransfer.me.	7200	IN	NS	nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	NS	nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN	TXT	"2acOp15rSxBpyF6L7TqnAoW8aI0vqMU5kpXQW7q4egc"
_acme-challenge.zonetransfer.me. 301 IN	TXT	"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN	SRV	0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200	IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN	AFSDB	1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200	IN	A	127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN	AFSDB	1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A	202.14.81.230
cmdexec.zonetransfer.me. 300	IN	TXT	"; ls"
contact.zonetransfer.me. 2592000 IN	TXT	"Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200	IN	A	143.228.181.132
deadbeef.zonetransfer.me. 7201	IN	AAAA	dead:beaf::
dr.zonetransfer.me.	300	IN	LOC	53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me.	7200	IN	TXT	"AbCdEfG"
email.zonetransfer.me.	2222	IN	NAPTR	1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me.	7200	IN	A	74.125.206.26
Hello.zonetransfer.me.	7200	IN	TXT	"Hi to Josh and all his class"
home.zonetransfer.me.	7200	IN	A	127.0.0.1
Info.zonetransfer.me.	7200	IN	TXT	"ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300	IN	NS	intns1.zonetransfer.me.
internal.zonetransfer.me. 300	IN	NS	intns2.zonetransfer.me.
intns1.zonetransfer.me.	300	IN	A	81.4.108.41
intns2.zonetransfer.me.	300	IN	A	52.91.28.78
office.zonetransfer.me.	7200	IN	A	4.23.39.254
ipv6actnow.org.zonetransfer.me.	7200 IN	AAAA	2001:67c:2e8:11::c100:1332
owa.zonetransfer.me.	7200	IN	A	207.46.197.32
robinwood.zonetransfer.me. 302	IN	TXT	"Robin Wood"
rp.zonetransfer.me.	321	IN	RP	robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me.	3333	IN	NAPTR	2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me.	300	IN	TXT	"' or 1=1 --"
sshock.zonetransfer.me.	7200	IN	TXT	"() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200	IN	CNAME	www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A	127.0.0.1
testing.zonetransfer.me. 301	IN	CNAME	www.zonetransfer.me.
vpn.zonetransfer.me.	4000	IN	A	174.36.59.154
www.zonetransfer.me.	7200	IN	A	5.196.105.14
xss.zonetransfer.me.	300	IN	TXT	"'><script>alert('Boo')</script>"
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600

attempting zone txfr on zonetransfer.me, nameserver nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.	300	IN	HINFO	"Casio fx-700G" "Windows XP"
zonetransfer.me.	301	IN	TXT	"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.	7200	IN	MX	0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	A	5.196.105.14
zonetransfer.me.	7200	IN	NS	nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	NS	nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN	TXT	"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN	SRV	0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200	IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN	AFSDB	1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200	IN	A	127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN	AFSDB	1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A	202.14.81.230
cmdexec.zonetransfer.me. 300	IN	TXT	"; ls"
contact.zonetransfer.me. 2592000 IN	TXT	"Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200	IN	A	143.228.181.132
deadbeef.zonetransfer.me. 7201	IN	AAAA	dead:beaf::
dr.zonetransfer.me.	300	IN	LOC	53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me.	7200	IN	TXT	"AbCdEfG"
email.zonetransfer.me.	2222	IN	NAPTR	1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me.	7200	IN	A	74.125.206.26
Hello.zonetransfer.me.	7200	IN	TXT	"Hi to Josh and all his class"
home.zonetransfer.me.	7200	IN	A	127.0.0.1
Info.zonetransfer.me.	7200	IN	TXT	"ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300	IN	NS	intns1.zonetransfer.me.
internal.zonetransfer.me. 300	IN	NS	intns2.zonetransfer.me.
intns1.zonetransfer.me.	300	IN	A	81.4.108.41
intns2.zonetransfer.me.	300	IN	A	167.88.42.94
office.zonetransfer.me.	7200	IN	A	4.23.39.254
ipv6actnow.org.zonetransfer.me.	7200 IN	AAAA	2001:67c:2e8:11::c100:1332
owa.zonetransfer.me.	7200	IN	A	207.46.197.32
robinwood.zonetransfer.me. 302	IN	TXT	"Robin Wood"
rp.zonetransfer.me.	321	IN	RP	robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me.	3333	IN	NAPTR	2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me.	300	IN	TXT	"' or 1=1 --"
sshock.zonetransfer.me.	7200	IN	TXT	"() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200	IN	CNAME	www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A	127.0.0.1
testing.zonetransfer.me. 301	IN	CNAME	www.zonetransfer.me.
vpn.zonetransfer.me.	4000	IN	A	174.36.59.154
www.zonetransfer.me.	7200	IN	A	5.196.105.14
xss.zonetransfer.me.	300	IN	TXT	"'><script>alert('Boo')</script>"
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600