op7ic / RT-CyberShield

Licence: MIT License
Protecting Red Team infrastructure with cyber shield blocking AWS/AZURE/IBM/Digital Ocean/TOR/AV IP/ETC. ranges

RT-CyberShield

Protecting Red Team infrastructure with a red cyber shield. This simple bash script fetches the published IP ranges of cloud providers, TOR exit nodes and a number of security vendors, loads them into ipset sets and adds iptables rules that drop inbound traffic from those sources.

Prerequisites for Debian/Ubuntu-based installations

The script will execute the following to get the necessary packages installed (fontconfig and libfontconfig are runtime dependencies of the precompiled phantomjs binary the script uses, see Limitations):

apt-get -y update
apt-get install -y ipset iptables curl fontconfig libfontconfig

Prerequisites for Red Hat/CentOS-based installations

The script will execute the following to get the necessary packages installed:

yum -y update
yum -y install ipset iptables curl fontconfig libfontconfig bzip2

Installation

Run the steps below as root (or via sudo): the package installation above and the ipset/iptables changes the script makes both need it.

git clone https://github.com/op7ic/RT-CyberShield.git
cd RT-CyberShield
chmod +x shieldme.sh
./shieldme.sh

shieldme.sh filter rules

The following providers/IP ranges are currently blocked (IPv4 only for now, see TODO):

  • Digital Ocean
  • IBM
  • Rackspace
  • Verizon
  • Cisco
  • Symantec
  • ForcePoint
  • Palo Alto
  • Barracuda
  • L3
  • AWS
  • TOR exit nodes
  • Azure
  • Cloudflare
  • Avast
  • Bitdefender
  • Fireeye
  • Fortinet
  • Kaspersky
  • ESET
  • McAfee
  • Sophos
  • OVH
  • WatchGuard
  • Webroot
  • Microsoft
  • Rapid7
  • Splunk
  • Raytheon
  • Mimecast
  • Lockheed Martin
  • Accenture
  • KPMG
  • BAE Systems
  • F-Secure
  • Trend Micro
  • NCC
  • eSentire
  • Alibaba
  • Hornetsecurity
  • InteliSecure
  • Masergy
  • NTT Security
  • Check Point
  • Atos
  • CGI
  • SecureWorks
  • TCS
  • Unisys

CRON job

To keep the block lists current, save the following as /etc/cron.d/update-cybershield, adjusting the path to wherever you cloned the repository (the example uses /tmp, which most distributions clear at reboot, so prefer a persistent location). Do not run it too often: the script scrapes its range data from third-party sites, and some of them will ban your IP address if you poll them aggressively. Once a week is sufficient.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
0 0 * * 0      root /tmp/RT-CyberShield/shieldme.sh

Check for dropped packets

Using iptables, you can check how many packets each filter has dropped (add -n to skip reverse DNS lookups on the source/destination columns, and -x to get exact rather than abbreviated counters):

iptables -L INPUT -v --line-numbers

The table should look similar to this:

Chain INPUT (policy ACCEPT 191 packets, 11656 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set ncc src
2        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set trendmicro src
3        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set fsecure src
4        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set bae src
5        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set kpmg src
6        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set accenture src
7        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set lockheed src
8        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set mimecast src
9        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set raytheon src
10       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set Rapid7 src
11       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set Splunk src
12       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set Microsoft src
13       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set Webroot src
14       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set WatchGuard src
15       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set OVH src
16       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set McAfee src
17       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set Sophos src
18       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set ESET src
19       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set kaspersky src
20       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set fortinet src
21       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set fireeye src
22       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set bitdefender src
23       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set avast src
24       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set l3 src
25       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set barracuda src
26       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set paloalto src
27       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set forcepoint src
28       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set symantec src
29       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set rackspace src
30       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set verizon src
31       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set cisco src
32       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set cloudflare4 src
33       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set azure src
34       1    76 DROP       all  --  any    any     anywhere             anywhere             match-set digitalocean src
35       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set ibm src
36       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set aws src
37       1    76 DROP       all  --  any    any     anywhere             anywhere             match-set tor-individual-ip2 src
38       0     0 DROP       all  --  any    any     anywhere             anywhere             match-set tor-individual-ip1 src
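With forty-odd rows, reading the counters by eye is error-prone. The following added example, which is not part of RT-CyberShield, summarises only the sets that have actually dropped something, and adds a second helper that asks ipset whether a given address would be caught, which is worth running for teammates' and fronting servers' addresses before deploying. The table embedded in it is a constructed, trimmed copy of the output above; the field positions assume the default iptables -L -v layout, and the set names in the ipset helper are whatever sets exist on the host.

```shell
#!/bin/sh
# Added example, not part of RT-CyberShield: summarise which sets are dropping
# traffic from "iptables -L INPUT -v -n -x --line-numbers" output, and check
# whether a given address is matched by any set.
set -eu

# Constructed sample: a trimmed copy of the README's counter table, keeping
# the two rows with non-zero counters.
SAMPLE_TABLE='Chain INPUT (policy ACCEPT 191 packets, 11656 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set ncc src
2        1    76 DROP       all  --  any    any     anywhere             anywhere             match-set digitalocean src
3        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set aws src
4        1    76 DROP       all  --  any    any     anywhere             anywhere             match-set tor-individual-ip2 src
5        0     0 DROP       all  --  any    any     anywhere             anywhere             match-set tor-individual-ip1 src'

# Print "<set> <pkts> <bytes>" for every match-set DROP rule that has dropped
# at least one packet, highest packet count first. In iptables -v output $2 is
# pkts, $3 is bytes, $4 is the target, and the set name follows "match-set".
# Use -x on the live command so the counters are exact numbers, not "12K".
report_drops() {
  printf '%s\n' "$1" | awk '
    /match-set/ && $4 == "DROP" {
      for (i = 1; i <= NF; i++) if ($i == "match-set") name = $(i + 1)
      if ($2 + 0 > 0) printf "%s %s %s\n", name, $2, $3
    }' | sort -k2,2nr
}

# Ask the kernel directly whether ADDR is a member of any of the given sets
# (needs root and ipset). Prints the names of the sets that would drop it.
find_blocking_sets() {
  local addr="$1"
  shift
  for s in "$@"; do
    if ipset test "$s" "$addr" >/dev/null 2>&1; then
      printf '%s\n' "$s"
    fi
  done
}

# Offline demonstration on the constructed table.
report_drops "$SAMPLE_TABLE"
# Live usage (as root):
#   report_drops "$(iptables -L INPUT -v -n -x --line-numbers)"
#   find_blocking_sets 203.0.113.10 $(ipset list -n)
```

The awk filter keys on the DROP target and the match-set keyword rather than on column width, so it survives the wider layout that -n and -x produce. ipset test is the authoritative check: it consults the kernel set itself, so it also catches ranges you added by hand rather than through the script.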

Modify the blacklists you want to use

Edit shieldme.sh to add or remove lists; the URLs the script pulls ranges from are visible in the file, so modify them or comment them out as needed. If you want to ban every IP address from a particular country, IPverse.net publishes aggregated per-country lists that can be added alongside the ones already implemented.

I don't want to run this script

Provider ranges do not change that often, so instead of running the script you can copy the bundled set definitions into place:

cp ipset-config/ipset.conf /etc/ipset.conf

Load the sets into the kernel with ipset restore first (the rules below error out if a referenced set does not exist yet), then run the following so the ranges are dropped via iptables. Each iptables -I inserts at the top of INPUT, so run this block once: repeating it stacks duplicate rules.

iptables -I INPUT -m set --match-set tor-individual-ip1 src -j DROP
iptables -I INPUT -m set --match-set tor-individual-ip2 src -j DROP
iptables -I INPUT -m set --match-set aws src -j DROP
iptables -I INPUT -m set --match-set ibm src -j DROP
iptables -I INPUT -m set --match-set digitalocean src -j DROP
iptables -I INPUT -m set --match-set azure src -j DROP
iptables -I INPUT -m set --match-set cloudflare4 src -j DROP
iptables -I INPUT -m set --match-set cisco src -j DROP
iptables -I INPUT -m set --match-set verizon src -j DROP
iptables -I INPUT -m set --match-set rackspace src -j DROP
iptables -I INPUT -m set --match-set symantec src -j DROP
iptables -I INPUT -m set --match-set forcepoint src -j DROP
iptables -I INPUT -m set --match-set paloalto src -j DROP
iptables -I INPUT -m set --match-set barracuda src -j DROP
iptables -I INPUT -m set --match-set l3 src -j DROP
iptables -I INPUT -m set --match-set avast src -j DROP
iptables -I INPUT -m set --match-set bitdefender src -j DROP
iptables -I INPUT -m set --match-set fireeye src -j DROP
iptables -I INPUT -m set --match-set fortinet src -j DROP
iptables -I INPUT -m set --match-set kaspersky src -j DROP
iptables -I INPUT -m set --match-set ESET src -j DROP
iptables -I INPUT -m set --match-set Sophos src -j DROP
iptables -I INPUT -m set --match-set McAfee src -j DROP
iptables -I INPUT -m set --match-set OVH src -j DROP
iptables -I INPUT -m set --match-set WatchGuard src -j DROP
iptables -I INPUT -m set --match-set Webroot src -j DROP
iptables -I INPUT -m set --match-set Microsoft src -j DROP
iptables -I INPUT -m set --match-set Splunk src -j DROP
iptables -I INPUT -m set --match-set Rapid7 src -j DROP
iptables -I INPUT -m set --match-set raytheon src -j DROP
iptables -I INPUT -m set --match-set mimecast src -j DROP
iptables -I INPUT -m set --match-set lockheed src -j DROP
iptables -I INPUT -m set --match-set accenture src -j DROP
iptables -I INPUT -m set --match-set kpmg src -j DROP
iptables -I INPUT -m set --match-set bae src -j DROP
iptables -I INPUT -m set --match-set fsecure src -j DROP
iptables -I INPUT -m set --match-set trendmicro src -j DROP
iptables -I INPUT -m set --match-set ncc src -j DROP
iptables -I INPUT -m set --match-set eSentire src -j DROP
iptables -I INPUT -m set --match-set alibaba src -j DROP
iptables -I INPUT -m set --match-set hornetsecurity src -j DROP
iptables -I INPUT -m set --match-set InteliSecure src -j DROP
iptables -I INPUT -m set --match-set Masergy src -j DROP
iptables -I INPUT -m set --match-set NTTSecurity src -j DROP
iptables -I INPUT -m set --match-set checkpoint src -j DROP
iptables -I INPUT -m set --match-set atos src -j DROP
iptables -I INPUT -m set --match-set CGI src -j DROP
iptables -I INPUT -m set --match-set SecureWorks src -j DROP
iptables -I INPUT -m set --match-set TCS src -j DROP
iptables -I INPUT -m set --match-set Unisys src -j DROP
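The block above does the job once, but it is not something you want to re-run from cron: every iptables -I pushes a fresh copy of each rule onto INPUT, refreshing a set in place leaves a window in which it is empty, and nothing exempts your own hosts from the provider ranges (the VPS-to-VPS case under Limitations). The following added example, which is not part of RT-CyberShield, shows the same ipset + iptables pattern arranged to avoid all three. The ranges are constructed RFC 5737 documentation prefixes, the set name aws and chain name CYBERSHIELD are arbitrary choices for the demonstration, and ALLOW_HOSTS is an assumed environment variable.

```shell
#!/bin/sh
# Added example, not part of RT-CyberShield. It shows the same ipset + iptables
# pattern the script uses, arranged so that a weekly cron re-run is safe (no
# duplicate rules), each set is refreshed atomically, and your own hosts are
# allow-listed ahead of the provider blocks (the VPS-to-VPS case).
set -eu

# Constructed sample input: RFC 5737 documentation prefixes, not a real
# provider list. A real run would feed in the ranges the script fetches.
SAMPLE_RANGES='# blank lines and comments are skipped
192.0.2.0/24

198.51.100.0/24
203.0.113.0/24'

# Render an "ipset restore" payload that refreshes SET without an empty window:
# fill a temporary set, then swap it into place in one operation. Feed the
# output to "ipset restore -exist" so an already existing set does not make
# "create" fail on the second run.
render_ipset_restore() {
  local set_name="$1"
  local ranges="$2"
  local tmp="${set_name}_tmp"
  printf 'create %s hash:net family inet\n' "$set_name"
  printf 'create %s hash:net family inet\n' "$tmp"
  printf 'flush %s\n' "$tmp"
  printf '%s\n' "$ranges" | while IFS= read -r cidr; do
    case $cidr in ''|'#'*) continue ;; esac
    printf 'add %s %s\n' "$tmp" "$cidr"
  done
  printf 'swap %s %s\n' "$tmp" "$set_name"
  printf 'destroy %s\n' "$tmp"
}

# Render iptables commands for a dedicated chain. Allow-listed hosts RETURN
# first, so a fronting server on an otherwise blocked provider keeps working;
# then one DROP per set. The chain is flushed and rebuilt with -A, which keeps
# the order fixed and never stacks duplicates the way repeated "-I" does.
render_chain_rules() {
  local chain="$1"
  local allow="$2"   # space-separated hosts or CIDRs, deliberately unquoted below
  shift 2
  printf 'iptables -N %s 2>/dev/null || true\n' "$chain"
  printf 'iptables -F %s\n' "$chain"
  for host in $allow; do
    printf 'iptables -A %s -s %s -j RETURN\n' "$chain" "$host"
  done
  for set_name in "$@"; do
    printf 'iptables -A %s -m set --match-set %s src -j DROP\n' "$chain" "$set_name"
  done
  # Hook the chain into INPUT exactly once: -C tests for the rule, -I adds it.
  printf 'iptables -C INPUT -j %s 2>/dev/null || iptables -I INPUT -j %s\n' "$chain" "$chain"
}

# Dry run by default: print what would be applied. With --apply (as root),
# load the set and the rules for real. ALLOW_HOSTS is an assumed variable
# holding your management IP and any fronting servers, space-separated.
ALLOW_HOSTS="${ALLOW_HOSTS:-}"
if [ "${1:-}" = "--apply" ]; then
  render_ipset_restore aws "$SAMPLE_RANGES" | ipset restore -exist
  render_chain_rules CYBERSHIELD "$ALLOW_HOSTS" aws | sh -e
else
  render_ipset_restore aws "$SAMPLE_RANGES"
  render_chain_rules CYBERSHIELD "$ALLOW_HOSTS" aws
fi
```

Run it without arguments to inspect the generated payload and commands; run it as root with --apply and ALLOW_HOSTS set to your own management address and any fronting servers to load them (the jump sits at the top of INPUT, so an address that is in a blocked range and not allow-listed loses SSH too). Because the chain is rebuilt with -F and -A on every run, the same invocation can go straight into the weekly cron entry.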

TODO

  • IPv6 filter and ranges (ipset errors a lot right now)

Limitations

  • The script relies heavily on the https://bgp.he.net portal for its range data.
  • If your own infrastructure talks VPS-to-VPS (e.g. a Cobalt Strike team server behind a fronting server hosted on OVH), the provider range you depend on gets blocked as well. Check where each component is hosted before deploying the script, and comment out the affected ranges in the config file or allow-list your own hosts ahead of the DROP rules.
  • The script relies on a precompiled phantomjs binary.
  • The script is very crude for now and needs some "for" loops to remove the repetition.