  • Whoami


    Hi, I'm straysheep-dev.

    I'm here learning security from an offensive perspective and documenting things in a useful way as I go.

    I also focus on building defensive (or "visibility") tools, and configuration templates learned from applying offensive techniques to systems.

  • Connect


    https://github.com/straysheep-dev

    https://gitlab.com/straysheep-dev

    straysheep_dev

    straysheepdev

    straysheep.dev

    9906 9EB1 2D40 9EA9 3BD1 E52E B09D 00AE C481 71E0


  • Linux Configs


    Various configuration files for Unix/Linux operating systems

    Go to repo

  • Windows Configs


    Various configuration files for Microsoft Windows operating systems

    Go to repo

  • Ansible Configs


    A collection of ansible roles

    Go to repo

  • Terraform Configs


    Various configuration templates for terraform

    Go to repo

  • Vagrant Configs


    Various notes and configurations for Vagrant

    Go to repo

  • Alert Service


    Send an alert (to Discord, Slack, or any webhook) based on a condition

    Go to repo

  • OSCP


    OffSec Certified Professional

  • OSWP


    OffSec Wireless Professional

  • PNPT


    Practical Network Penetration Tester

  • eCMAP


    Certified Malware Analysis Professional

  • eCPPT


    Certified Professional Penetration Tester

  • eJPT


    Junior Penetration Tester

  • Linux Utils


    Visualization tools with built-in parsing options, in color. These tools are in the base of the linux-configs repo.

    • check-auditd.sh: Parse + search auditd
    • check-baseline.sh: Parse aide results
    • check-baseline.sh: rkhunter / chkrootkit in color
    • check-processes.sh: Dump system + network process in color
    • check-strings.sh: bstrings-like recursive string parser

    Go to blog post CHECK BACK LATER!

    Go to repo

  • VMware Kernel Module Signing


    To run VMware on Linux with SecureBoot enforced, the vmmon and vmnet modules require signing to load into the kernel.

    • Automates this process
    • Run after each kernel update

    Go to script

  • pfSense Administration


    This guide covers CLI usage and other things like:

    • Home office / lab use
    • pkgs for Zeek, sudo, and more
    • GUI and CLI quirks
    • External storage and ZFS

    Go to blog post

  • Deploy auditd


    Installs and configures auditd to adhere to a specified policy on Debian / RedHat family systems.

    • Use built-in rules for PCI, STIG, OSPP
    • Load your own custom rules instead
    • Choose log size, number, and type
    • Locks rules to prevent live modification

    Go to ansible role

    Go to shell script

  • Deploy & Manage Sysinternals


    Interactive PowerShell script to load Sysinternals onto a Windows machine.

    • Deploys sysmon
    • Can update sysmon
    • Option to use SwiftOnSecurity config
    • Option to supply your own config instead
    • Option to add essential monitoring tools
    • Option to add entire suite (malware analysis)

    Go to ps1 script

  • Wireguard VPN / IDS Server


    Combines and automates a number of components to monitor traffic on a wireguard interface.

    Go to ansible role

  • Manage OpenSSH Server on Windows


    OpenSSH Server is not always available by default, and is time-consuming to configure manually for each deployment.

    • Installs + modifies OpenSSH Server
    • Enforces public key auth
    • Can change the listening port
    • Updates firewall rules
    • Imports public keys

    Go to ps1 script

  • Tail-EventLogs PS Module


    Windows has no tail -f equivalent to visualize live Event Logs. This is especially useful in tuning and testing sysmon rules locally.

    • Can tail any event log
    • Filter based on Event ID
    • Write to file with Tee-Object

    Go to ps1 module

  • Windows Sandbox Configs


    Detailed examples and premade .wsb files for:

    • Ephemeral environment
    • Development environment
    • Malware analysis

    The .wsb files and scripts are in the base of the windows-configs repo.

    Go to repo

  • Connect-UsbipSSHTunnel PS Module


    Convenience script to open a reverse ssh tunnel to the Windows host from WSL, giving WSL access to usbipd devices on localhost tcp/3240 without any inbound firewall rules active on the host.

    Requirements:

    • WSL is up to date
    • usbipd is version 4.0.0 or later
    • The Windows host has an ssh key that the target WSL instance will accept
    • The ssh identity is loaded into Windows ssh-agent
    • WSL accepts incoming ssh connections
    • You can execute commands as admin (this script can run as a normal user but you need to know an admin's credentials)
    • You have sudo privileges within WSL

    Go to ps1 module

  • About


    This site was created as a better way to document, maintain, and share notes with demonstrations or visual components, cross-platform.

    The blog section (at the top) is where this content lives, and is an easily searchable archive of anything I've found useful to demonstrate. Try using the search function at the top of the page. It autocompletes suggestions from all of my content.

    Using mkdocs to build this makes it both a searchable "database" with no backend, and an archive with everything in chronological order.