kerchow is a collection of shortcuts/binfiles/scripts to speed up common tasks. these are intended to be added to your PATH to shorthand various workflows; see setup.zsh for an example.
each script is noted below alongside a brief description of what it does. where applicable, example outputs are shown.
- makes an audible boing noise (can be useful for long-running scripts)
example:
➜ labs boing
π
- pbcopy shortcut
- print the source code of any kerchow shortscripts
example:
➜ labs cats cats
#!/bin/bash
# print the source code of any kerchow shortscripts
if [ -z "$1" ]; then
    echo "usage: cats <binfile>"
    exit 1
fi
# resolve the named script on PATH (quoted, $(...) rather than backticks)
shortscript=$(which "$1" 2>/dev/null)
if [ -z "$shortscript" ]; then
    echo "unable to find $1"
    exit 1
fi
# prefer bat (plain output, no pager) when it is installed, otherwise fall back to cat
if ! command -v bat >/dev/null 2>&1; then
    cat "$shortscript"
else
    bat -pp "$shortscript"
fi
- returns x509 data in json for a given url
example:
➜ labs certinfo dotco.nz | jq
{
"subject": {
"commonName": "dotco.nz"
},
"issuer": {
"countryName": "US",
"organizationName": "Google Trust Services LLC",
"commonName": "GTS CA 1P5"
},
"version": 3,
"serialNumber": "A936F40B7782FFCA110322E22CA11D03",
"notBefore": "May 22 23:43:14 2023 GMT",
"notAfter": "Aug 20 23:43:13 2023 GMT",
"subjectAltName": [
"dotco.nz",
"*.dotco.nz"
],
"OCSP": [
"http://ocsp.pki.goog/s/gts1p5/JNQ39h5OCqA"
],
"caIssuers": [
"http://pki.goog/repo/certs/gts1p5.der"
],
"crlDistributionPoints": [
"http://crls.pki.goog/gts1p5/UMpHrkS7PMY.crl"
]
}
- use the cloudflared tunnel agent to ssh onto a target fqdn
- check if a given email address has a connected m365 account
example:
➜ labs checkmsuser bill.gates@microsoft.com
{
"external_idp": true,
"valid_account": true
}
- test colors on a shell
example:
➜ labs colortest
40m 41m 42m 43m 44m 45m 46m 47m
m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;m gYw gYw gYw gYw gYw gYw gYw gYw gYw
30m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;30m gYw gYw gYw gYw gYw gYw gYw gYw gYw
31m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;31m gYw gYw gYw gYw gYw gYw gYw gYw gYw
32m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;32m gYw gYw gYw gYw gYw gYw gYw gYw gYw
33m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;33m gYw gYw gYw gYw gYw gYw gYw gYw gYw
34m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;34m gYw gYw gYw gYw gYw gYw gYw gYw gYw
35m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;35m gYw gYw gYw gYw gYw gYw gYw gYw gYw
36m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;36m gYw gYw gYw gYw gYw gYw gYw gYw gYw
37m gYw gYw gYw gYw gYw gYw gYw gYw gYw
1;37m gYw gYw gYw gYw gYw gYw gYw gYw gYw
- use the crt.sh ct api to discover other web services for an apex domain
example:
➜ labs crtsh dotco.nz
*.dotco.nz
dotco.nz
s.dotco.nz
www.dotco.nz
- fetch incoming auckland port ship data
- wrapper for curling onionsites with a local/remote tor client over socks5
example:
➜ labs curltor -I ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion
Connection to telemetry.dark port 9050 [tcp/*] succeeded!
HTTP/1.1 301 Moved Permanently
Date: Thu, 20 Jul 2023 08:08:53 GMT
Content-Length: 0
Location: http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion/index.html
Connection: keep-alive
Set-Cookie: _session_={xxx}; path=/; domain=ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion; secure; HttpOnly
- get dehashed results for an email
- show/hide desktop icons on/off on macOS
- get a shell in the latest built docker container
- perform a dig ANY lookup using google DNS for a given domain
example:
➜ labs digall google.com
172.217.167.78
2404:6800:4006:80a::200e
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
"onetrust-domain-verification=de01ed21f2fa4d8781cbc3ffb89cf4ef"
ns4.google.com.
"v=spf1 include:_spf.google.com ~all"
ns1.google.com.
"MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
\# 13 00010000010006026832026833
ns2.google.com.
ns1.google.com. dns-admin.google.com. 549264082 900 900 1800 60
"google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
"apple-domain-verification=30afIBcvSuDV2PLX"
0 issue "pki.goog"
10 smtp.google.com.
"atlassian-domain-verification=5YjTmWmjI92ewqkx2oXmBaD60Td9zWon9r6eakvHX6B77zzkFQto8PQ9QsKnbf4I"
ns3.google.com.
"docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
"facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
"docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
"webexdomainverification.8YX6G=6e6922db-e3e6-4a36-904e-a805c28087fa"
"google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"
- list all docker images on current system
- simple nameserver propagation check util
example:
➜ kerchow git:(main) ✗ dnsprop AAAA dotco.nz
checking DNS propagation for 'AAAA' record of 'dotco.nz' against top 10 resolvers:
checking resolver 1.1.1.1 (Cloudflare): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 8.8.8.8 (Google): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 8.8.4.4 (Google Secondary): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 9.9.9.9 (Quad9): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 208.67.222.222 (OpenDNS): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 208.67.220.220 (OpenDNS Secondary): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 77.88.8.8 (Yandex.DNS): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
checking resolver 64.6.64.6 (Verisign): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 64.6.65.6 (Verisign Secondary): reply received (2606:4700:3035::6815:4bef,2606:4700:3035::ac43:b7a5,)
checking resolver 74.82.42.42 (Hurricane Electric): reply received (2606:4700:3035::ac43:b7a5,2606:4700:3035::6815:4bef,)
- get logs of the latest or specified container
- take down the current dir docker compose instance
- list current running docker containers
- kill latest or specified docker container
- advanced shortcut for docker compose up
- displays your current external/upstream dns resolver
example:
➜ labs edns
{
"dns": {
"geo": "New Zealand - Cloudflare, Inc.",
"ip": "198.41.237.25"
}
}
- enable touch-id for sudo operations on macOS
example:
➜ labs enable-touchid-sudo
setting pam tid for sudo...
Password:
done.
- show the latest posts on the certnz advisories page
- returns useful file information & hashes
example:
➜ labs finfo /usr/bin/curl
info | [x86_64:Mach-O 64-bit executable x86_64] [arm64e:Mach-O 64-bit executable arm64e]
/usr/bin/curl (for architecture x86_64): Mach-O 64-bit executable x86_64
/usr/bin/curl (for architecture arm64e): Mach-O 64-bit executable arm64e
size | 292K
modified | 06/15/2023 22:08:29
created | 06/15/2023 22:08:29
sha1 | 3f6ea6f27592759fdb2df2943d6a5117cacb58c5
sha2 | 361822e42482e3197de5cac35029c4cd08deb89f4118a014cdc13ca6f3456ead
sha5 | 6a3d0fd105095beee01f149eff4ed39eacf5cf01bedba1fae220c56ce1904291143135fd0bbe0d40b6c6bf91c93c9209235480071d2a4476ae2ad918b3e3ea68
md5 | 3541bb282be981fa399ff60764709988
crc32 | 66b11e8a
- fix a broken airplay2 session
- flush dns cache on macOS
- clean all docker images and networks
- git add shortcut for all files or the specified ones
- list current git branches - if given var1 then change to or create that branch name
- clone a remote repo to local into current dir
- build datasets of active url's from urlscan
example:
➜ labs get-urlscansubs
WARNING:root:no api key supplied with --api, once we are rate limited i will die
INFO:root:saved urlscan-submissions.json
INFO:root:working on: https://status.solidvpn.org/
- check if clamshell mode on
- get favicon data; hash (md5 & mmh3), full path location, external search urls (shodan, censys, binaryedge, zoomeye, fofa)
example:
➜ labs getfavicon https://ransomwatch.telemetry.ltd
INFO: shodan: https://www.shodan.io/search?query=http.favicon.hash%3A-1066837762
INFO: censys: https://censys.io/ipv4?q=services.http.response.favicons.md5_hash%3A44e50f01227802a40685221310e42355
INFO: binaryedge: https://app.binaryedge.io/services/query?query=web.favicon.mmh3%3A-1066837762
INFO: zoomeye: https://www.zoomeye.org/searchResult?q=iconhash%3A-1066837762
INFO: fofa: https://en.fofa.info/result?qbase64=aWNvbl9oYXNoPS0xMDY2ODM3NzYy
favicon mmh3 hash: -1066837762
favicon md5 hash: 44e50f01227802a40685221310e42355
favicon location: https://ransomwatch.telemetry.ltd/favicon.ico
- returns a list of the largest files on disk (top 5 unless arg1 set)
- get the microsoft 365 tenantid for a given domain
example:
➜ labs getmstenant apple.com
ba8f4151-ab0e-4da6-862d-68b05906e887
- fetch a ssh banner from a given server
example:
➜ labs getshbanner telemetry.dark
_ _ _ _
| |__ (_) __ _| |__ _ __ ___| |_
| '_ \| |/ _` | '_ \| '_ \ / _ \ __|
| | | | | (_| | | | | | | | __/ |_
|_| |_|_|\__, |_| |_|_| |_|\___|\__|
|___/ telemetry.dark
- return the title of a site from the html
example:
➜ labs curl -sL https://apple.com/iphone | getsitetitle
iPhone - Apple
- fetch a TON of wordlists for... science
- get basic info on the git repo you are within (upstream url, description)
example:
➜ kerchow git:(main) ✗ ginfo
url: https://github.com/joshhighet/kerchow
last author: josh!
description: amplify your terminal for security research π π₯οΈ
last commit: 2023-05-15 17:48:03 +1200
- update all submodules within a git project recursively
- use trufflehog to search the current working dir for creds
- return a list of emails that have contributed to a git project
- print all the public repositories for a given github username
example:
github-get-all-repo-for-profile apple | grep darwin
https://github.com/apple/darwin-libplatform
https://github.com/apple/darwin-libpthread
https://github.com/apple/darwin-xnu
- will go through a github repository and remove all previous workflow data
- remove a git submodule from a git repo
- initialise and update submodules within a git repository (git submodule init & update)
- git pull the updates of the current dir structure
- make google query from terminal
- auto commit and push changes; var1 can be the commit message, otherwise it prompts for one. don't use spaces
- search for a string in public source repositories with grep.app
example:
➜ labs grepapp joshhighet.com
{
"facets": {
"count": 1,
"lang": {
"buckets": [
{
"count": 1,
"val": "Shell"
}
]
},
"path": {
"buckets": [
{
"count": 1,
"val": "sbin/"
}
]
},
"repo": {
"buckets": [
{
"count": 1,
"owner_id": "17993143",
"val": "joshhighet/kerchow"
}
]
}
},
"hits": {
"hits": [
{
"branch": {
"raw": "main"
},
"content": {
"snippet": "<table class=\"highlight-table\"><tr data-line=\"6\"><td><div class=\"lineno\">6</div></td><td><div class=\"highlight\"><pre> <span class=\"nb\">echo</span> <span class=\"s1\">'domain & path required'</span></pre></div></td></tr><tr data-line=\"7\"><td><div class=\"lineno\">7</div></td><td><div class=\"highlight\"><pre> <span class=\"nb\">echo</span> <span class=\"s1\">'http-scanner https://cdn.<mark>joshhighet.com</mark> /images/me.png'</span></pre></div></td></tr><tr data-line=\"8\"><td><div class=\"lineno\">8</div></td><td><div class=\"highlight\"><pre> <span class=\"nb\">exit</span> <span class=\"m\">1</span></pre></div></td></tr></table>"
},
"id": {
"raw": "g/joshhighet/kerchow/main/sbin/http-scanner"
},
"owner_id": {
"raw": "17993143"
},
"path": {
"raw": "sbin/http-scanner"
},
"repo": {
"raw": "joshhighet/kerchow"
},
"total_matches": {
"raw": "1"
}
}
],
"total": 1
},
"partial": false,
"time": 78
}
- search the scripts directory for keyword
- shortcut git status info
- shortcut git submodule add
- lookup assets with hackertarget for a given domain name
example:
➜ kerchow git:(main) ✗ hackertarget apple.co.nz
store.apple.co.nz
shop.apple.co.nz
consultants.apple.co.nz
- show sha2 checksums for all files within a directory (full depth)
example:
➜ labs cd ransomwatch/assets
➜ assets git:(main) hashdir
a1b42b4205b39fb07788449efd84cf2946e5e1d31e8d53f0d896c591982e0bf1 ./browse-hosts.sh
9d4d2e7832f3941012efa7b545a408b18ddfaa5a145762b0204044af8bf803e9 ./chromium.py
5b3572e75c5777ca02c6c918a1b993c83a7d20096a130976d853600fb02de0b6 ./dir
8dee5e8d9c7e5b6a56bf8326007c9803b701e28d7b419a6f62f4b89a623b37dd ./groups-kv.json
fb1511c92b385d0fbc6bb175113500ef092608163c9e700b3b6d1ac18ffbc74a ./groups-kv.py
d4cca1ef5d96b2f001cfd58c5aff006af9b88f7d230ae617b6701485e3b0590a ./iter_headers.sh
f73838fc8d471824802cdebdfd648d09ced9ac4b91e42697bbfb2373b532b9f9 ./parsers.sh
ce38889f509e8ecc9866a28671b0b10ba99a501a00f1070ef672ef73cffa9c1e ./screenshotter.py
810000cc8fa3a548ffde013b3fed619b69665b87109b7fa4e73662ce097d455f ./sources.exclusions
dfd2e463400e07b83446e68895ca87d432ee4cfab3de76232484cc03c6ad22fb ./sources.zsh
56687410895543af2665b7031d9e0f8d9769fa6974808d3ce355b47409b9ec75 ./srcanalyser.py
c0b64148c45d6cb751b6b56277b4654d7f626dc53436a1d2033d622ca97daba4 ./uptimekuma-importer.py
e2654ba7d11b67dda187f2bb4a2b68b22f4c064fcc4a90aa074a7a69e8d55015 ./useragents.txt
- show the headers returned by a URI (GET)
example:
➜ labs headers google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-AdeI7EpTrBpQWpoLjaWhwg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 20 Jul 2023 21:32:27 GMT
Expires: Sat, 19 Aug 2023 21:32:27 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
- python3 simple http server
- make requests with apachebench
- simple webserver to validate ownership checks (used for Splunk HEC with Meraki Local Analytics API)
- run a suite of url checks for the cyber ??
- try to determine the current internal ip
- search input for ipv4 and ipv6 addresses
example:
➜ labs echo '''<!DOCTYPE html>
<html>
<head>
<title>hello</title>
</head>
<body>
<h1>2001:db8:3333:4444:5555:6666:7777:8888</h1>
<h2>192.168.1.6</h2>
</body>
</html>''' | ipgrep
2001:db8:3333:4444:5555:6666:7777:8888
192.168.1.6
- read stdin and list any IPv4 addresses
example:
➜ labs echo '''<!DOCTYPE html>
<html>
<head>
<title>hello</title>
</head>
<body>
<h1>10.23.24.25</h1>
</body>
</html>''' | ipgrepv4
10.23.24.25
- read stdin and list any IPv6 addresses
example:
➜ labs echo '''<!DOCTYPE html>
<html>
<head>
<title>hello</title>
</head>
<body>
<h1>2001:db8:3333:4444:5555:6666:7777:8888</h1>
</body>
</html>''' | ipgrepv6
2001:db8:3333:4444:5555:6666:7777:8888
- query IP API for any IP details - beware, ip-api believes TLS is a premium feature, so this call goes out over plain http
example:
➜ labs ipi 1.1.1.1
{
"status" : "success",
"continent" : "Oceania",
"continentCode": "OC",
"country" : "Australia",
"countryCode" : "AU",
"region" : "QLD",
"regionName" : "Queensland",
"city" : "South Brisbane",
"district" : "",
"zip" : "4101",
"lat" : -27.4766,
"lon" : 153.0166,
"timezone" : "Australia/Brisbane",
"offset" : 36000,
"currency" : "AUD",
"isp" : "Cloudflare, Inc",
"org" : "APNIC and Cloudflare DNS Resolver project",
"as" : "AS13335 Cloudflare, Inc.",
"asname" : "CLOUDFLARENET",
"mobile" : false,
"proxy" : false,
"hosting" : true,
"query" : "1.1.1.1"
}
- basic cli netaddress enrichment with greynoise, virustotal & ipinfo
example:
➜ labs ipinfo 1.1.1.1
hostname one.one.one.one
anycast true
country US
loc 34.0522,-118.2437
postal 90076
timezone America/Los_Angeles
harmless 67
malicious 2
suspicious 0
undetected 19
timeout 0
rgcrjsqaalucmmlfom3s26bygywtmna.h.nessus.org
rgcrjsqaalucmelfom3s26bygywtmna.h.nessus.org
microsoft.amch-1dnj.sbs
www.microsoft.amch-1dnj.sbs
this.www.microsoft.amch-1dnj.sbs
with.this.www.microsoft.amch-1dnj.sbs
want_to.with.this.www.microsoft.amch-1dnj.sbs
do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs
uk.do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs
co.uk.do_yo.want_to.with.this.www.microsoft.amch-1dnj.sbs
noise false
riot true
classification benign
link https://viz.greynoise.io/riot/1.1.1.1
last_seen 2023-07-20
- __
- drop all iptables chains
- list all defined kubernetes deployments
- list current directory
- macos: empty trash, clear system logs & clear download history from quarantine
- macos: update os, applications, homebrew etc
- lookup SPF, MX & DMARC records for a domain
example:
➜ labs mailcheck apple.com
SPF: "v=spf1 include:_spf.apple.com include:_spf-txn.apple.com ~all"
DMARC: "v=DMARC1; p=quarantine; sp=reject; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"
MX: mx-in.g.apple.com.
MX: mx-in-vib.apple.com.
MX: mx-in-mdn.apple.com.
MX: mx-in-rno.apple.com.
MX: mx-in-hfd.apple.com.
- best attempts grep for email
example:
➜ labs echo '''<!DOCTYPE html>
<html>
<head>
<title>hello</title>
</head>
<body>
<h1>bill.gates@microsoft.com</h1>
</body>
</html>''' | mgrep
bill.gates@microsoft.com
- return my current IP address
- nano shortcut
- auto audit the local package.json and produce 'report.html' output
- search the NZ companies directory
- netscan an onion address with proxychains, jsonified output
- open an fqdn in a browser
- use osquery to return a list of attached removable usb devices
- return a known OS version string
- look up a MAC address in an attempt to correlate it to a vendor
example:
➜ labs ouilookup 00-B0-D0-63-C2-26
00B0D0 (base 16) Dell Inc.
- list valid NZ PANs forever or until var1=numberToReturn
- report a URL to phish.report
- disable pihole filtering
- enable pihole filtering
- show the last domain blocked by pihole
- get basic stats of a pihole instance from the php api
- shortcut to install python3 deps from requirements.txt
- shows running service network interaction (listening ports)
- ping sweep (or tcp check if a port is provided as arg1)
- print my public keys
- enter into all folders within the current working directory - if the folder is a git repo pull the latest from remote
- return a list of all online ransomwatch hosts
- return a list of all online ransomwatch hosts
- return a list of posts in ransomwatch
- follow a URL and return all the redirects
example:
➜ kerchow git:(main) ✗ redirect google.com/images
< Location: http://www.google.com/images
< Location: http://www.google.com/imghp
< Location: https://www.google.com/imghp?gws_rd=ssl
- perform reverse whois lookup using the viewdns.info api
example:
➜ labs reversewhois domains@apple.com
applecare.pro
applecare.promo
applecare.qpon
applecare.quebec
applecare.rent
applecare.review
applecare.services
applecare.site
applecare.soy
applecare.space
applecare.store
applecare.study
applecare.sucks
applecare.sydney
applecare.taipei
applecare.tech
applecare.tel
applecare.tokyo
applecare.university
applecare.us
applecare.vegas
applecare.wang
- return ransomwatch groups
- search for a string in public source repositories with searchcode
- use nmap to run a service identification scan (ip and optional port)
example:
➜ labs servicescan 1.1.1.1 53
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-21 09:19 NZST
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.0083s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds
- shodan your current egress address
- ssh to rogue hosts without presenting a local key
- generate an md5 signature of a ssh server
example:
➜ labs sshmd5 sftp.uber.com 2222
57:57:72:2f:89:e2:99:5b:19:91:1e:6e:03:a8:cc:cd
- multi-host ssh controller
- fetch the latest consensus file from metrics.torproject.org for processing
- check if a tor circuit has been completed by polling the control port
- returns a JSON array of public Tor exit nodes
- return overview on tor bridges, exits & open relays [nz netspace]
- decode a url
example:
➜ labs urld https%3A%2F%2Fdotco.nz%2Fsearch%3Fquery%3Dexe.png
https://dotco.nz/search?query=exe.png
- grep for http(s) URLs
- list given date as UTC time
- check if a given credit card number (var1) passes mod10 checksum
- colorful watch wrapper for localhost (local http develop) - takes port as $1
- website speed tests (response time analytics)
example:
➜ labs webspeed dotco.nz
report: http://dotco.nz/
lookup time: 0.008208
connect time: 0.116452
appcon time: 0.000000
redirect time: 0.000000
pre-transfer time: 0.116502
start-transfer time: 0.162668
total time: 0.162746
- spider/download a site using wget into './downloaded'
- use azure public ip tag data to correlate an address to a service
example:
➜ labs whatazuresvc 20.70.246.20
ip: 20.70.246.20
name: AzureCloud.australiaeast
region: australiaeast
system service: Not specified
address prefix: 20.70.128.0/17
- show current dns servers
- search for common port usages (what does port X typically correspond to)
example:
➜ labs whatport 1230
{
"udp": {
"service": "periscope",
"name": "Periscope"
},
"tcp": {
"service": "periscope",
"name": "Periscope"
}
}
- attempt a DNS AXFR (zone transfer) with dig against arg1, trying each of the domain's nameservers
example:
➜ labs zonetransfer zonetransfer.me
attempting zone txfr on zonetransfer.me, nameserver nsztm2.digi.ninja.
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT "2acOp15rSxBpyF6L7TqnAoW8aI0vqMU5kpXQW7q4egc"
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT "; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG"
email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT "Hi to Josh and all his class"
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT "ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 52.91.28.78
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200 IN TXT "() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'><script>alert('Boo')</script>"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
attempting zone txfr on zonetransfer.me, nameserver nsztm1.digi.ninja.
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT "; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG"
email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT "Hi to Josh and all his class"
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT "ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200 IN TXT "() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'><script>alert('Boo')</script>"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600